When creating an object, the application applies rules binding the type and role of the creating subject and the type of parent container to the type that is assigned to the new subject.
source_type, source_role and container_type elements
The create_object element can contain multiple rules. Rules are applied sequentially (the order is important) until the first rule that does not conflict with the combination of source_type, source_role, and container values is found. In other words, to apply a rule, the following is required:
source_type.source_role.container_type.Options for assigning a type to the subject that initiated creation of the new object (source_type element):
source_type: coresource_type: [core, dispatcher]source_type: @anyOptions for assigning a role to the subject that initiated creation of the new object (source_role element):
source_role: systemsource_role : [system, user]source_role: @anyOptions for assigning a type to the container in which the new object is being created (container_type element):
container_type: corecontainer_type : @source_typecontainer_type: [core, dispatcher, @source_type]container_type : @anytarget_type and target_type_auto elements
The target_type and target_type_auto elements are used to determine the permissible types for the object being created.
The target_type element is used when the desired type is indicated during object creation, and the target_type_auto element is used when the desired type is not indicated and the policy has to independently determine the permissible type.
Options for assigning permissible types if the type is explicitly indicated (target_type element):
target_type: coretarget_type: @source_typetarget_type: @container_typetarget_type: [core, dispatcher, @container_type]target_type: @anyAssignment of the desired type to the new subject will be allowed if this type matches one of the types indicated in target_type. If the target_type element is not defined, explicit type assignment is denied.
Options for defining an automatically assigned type if the type is not explicitly indicated (target_type_auto element):
target_type_auto: coretarget_type_auto: @source_typetarget_type_auto: @container_typeThe type indicated in target_type_auto will be assigned to the subject being created. If the target_type_auto field is not defined, implicit type assignment is denied.
target_role and target_role_auto elements
The target_role and target_role_auto elements are used to determine the permissible roles for the subject being created.
The target_role element is used when the desired roles are indicated during subject creation, and the target_role_auto element is used when the desired roles are not indicated and the policy has to independently determine the necessary roles.
Options for assigning permissible roles when roles are explicitly indicated (target_role_ element):
target_role: coretarget_role: [core, dispatcher]target_role: @source_roletarget_role: @anyAssignment of the desired roles to the new subject will be allowed if these roles are a subset of the roles indicated in target_role. If the target_role element is not defined, explicit role assignment is denied.
Options for defining automatically assigned roles if roles are not explicitly indicated (target_role_auto element):
target_role_auto: coretarget_role_auto: [core, dispatcher]target_role_auto: @source_rolestarget_role_auto: @anyThe type indicated in target_role_auto will be assigned to the subject being created. If the target_role_auto element is not defined, implicit type assignment is denied.
Example
create_object: {
{ source_type: realm
, source_role: system
, container_type: app_file
, target_type_auto: @container_type
},
{ source_type: realm
, source_role: system
, container_type: @source_type
, target_type: [app_file, secure_file]
},
}
Page top