Limitations/rules: creating a subject

When creating a subject, the application applies rules binding the type and role of the initiating (parent) subject and the image of the started subject with the type and set of roles that are assigned to the new subject.

source_type, source_role and image elements

The create_subject element can contain multiple rules. Rules are applied sequentially (the order is important) until the first rule that does not conflict with the combination of source_type, source_role, and image values is found. In other words, to apply a rule, the following is required:

• The subject type matches one of the types indicated in source_type.
• One of the subject roles matches one of the roles indicated in source_role.
• The name of the image from which the new subject is being created matches one of the names indicated in image.

Options for assigning a type to the subject that initiated creation of the new subject (source_type element):

• Specific type: source_type: core
• List of types: source_type: [core, dispatcher]
• Any type: source_type: @any

Options for assigning a role to the subject that initiated creation of the new subject (source_role element):

• Specific role: source_role: system
• List of roles: source_role : [system, user]
• Any role: source_role: @any

Options for assigning a name to the image from which the new subject is being created (image element):

• Specific name of the image: image: core
• List of image names: image: [core, einit]
• Any image: image: @any

target_type and target_type_auto elements

The target_type and target_type_auto elements are used to determine the permissible types for the subject being created.

The target_type element is used when the desired type is indicated during subject creation, and the target_type_auto element is used when the desired type is not indicated and the policy must independently determine the permissible type.

Options for assigning permissible types if the type is explicitly indicated (target_type element):

• Specific type: target_type: core
• List of types: target_type: [core, dispatcher]
• Type corresponding to the type of initiating entity: target_type: @source_type
• Any type: target_type: @any

Assignment of the desired type to the new subject will be allowed if this type matches one of the types indicated in target_type. If the target_type element is not defined, explicit type assignment is denied.

Options for defining an automatically assigned type if the type is not explicitly indicated (target_type_auto element):

• Specific type: target_type_auto: core
• Type corresponding to the type of initiating entity: target_type_auto: @source_type

The type indicated in target_type_auto will be assigned to the subject being created. If the target_type_auto field is not defined, implicit type assignment is denied.

target_role and target_role_auto elements

The target_role and target_role_auto elements are used to determine the permissible roles for the subject being created.

The target_role element is used when the desired roles are indicated during subject creation, and the target_role_auto element is used when the desired roles are not indicated and the policy has to independently determine the necessary roles.

Options for assigning permissible roles when roles are explicitly indicated (target_role_ element):

• Specific role: target_role: core
• List of roles: target_role: [core, dispatcher]
• Roles matching the roles of the initiating entity: target_role: @source_role
• Any role: target_role: @any

Assignment of the desired roles to the new subject will be allowed if these roles are a subset of the roles indicated in target_role. If the target_role element is not defined, explicit role assignment is denied.

Options for defining automatically assigned roles if roles are not explicitly indicated (target_role_auto element):

• Specific role: target_role_auto: core
• List of roles: target_role_auto: [core, dispatcher]
• Roles matching the roles of the initiating entity: target_role_auto: @source_roles
• Any role: target_role_auto: @any

The type indicated in target_role_auto will be assigned to the subject being created. If the target_role_auto element is not defined, implicit type assignment is denied.

Example

create_subject: {

{ source_type: core // initiating subject must have the "core" type

, source_role: system // initiating subject must have the "system" role

, image: einit // image

, target_type_auto: einit // automatic type assignment is possible

, target_role_auto: @source_roles // automatic role assignment: roles matching the roles of the initiating entity

},

{ source_type: dispatcher

, source_role: [system, user]

, image: rpcservice

, target_type: [user, admin] // the type of the subject being created must be indicated, and it must be one of the types from the list

, target_role_auto : @source_roles

},

{ source: @any

, image: tls

, target_type: [@source_type, tls]

, target_role: [user, admin]

},

}

Page top