This repository has been archived by the owner on May 24, 2023. It is now read-only.

CilAvRules

Corey Garst edited this page Jun 9, 2014 · 1 revision

CIL Access Vector Rules

Access vector (AV) rules define which permissions a source type holds on objects of a target type for a given object class, and whether those accesses are audited. SELinux is default-deny: only an allow rule grants access; auditallow and dontaudit change only what is written to the audit log.

Allow

The allow statement grants the source type the listed permissions on objects of the target type for the given object class. Any access not covered by an allow rule is refused and reported as an AVC denial.

'''Syntax:'''

        (allow source target classpermissionset)

'''Syntax Explanation:'''

allow:: The keyword for the allow statement.
source:: The source domain - a type, typealias or typeattribute.
target:: The target type - a type, typealias or typeattribute.
classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.

'''Example:'''

        (class file (read write execute entry_point))
        (classpermissionset file_rw (file (read write)))

        (type foo)
        (type bar)

        (allow foo bar file_rw)

        ; Using an anonymous classpermissionset
        (allow foo bar (file (read write)))

Dontaudit

The dontaudit statement suppresses the AVC denial messages that would otherwise be logged when the source type attempts the listed permissions on the target type. It does not grant access: the operation is still denied, only the log entry is dropped. Because a dontaudit rule can hide the very denial you are trying to diagnose, rebuild the policy with dontaudit rules disabled (semodule -DB) while debugging and restore them afterwards with semodule -B.

'''Syntax:'''

	(dontaudit source target classpermissionset)

'''Syntax Explanation:'''

dontaudit:: The keyword for the dontaudit statement.
source:: The source domain - a type, typealias or typeattribute.
target:: The target type - a type, typealias or typeattribute.
classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.

'''Example:'''

        (class file (read write execute entry_point))
        (classpermissionset file_rw (file (read write)))

        (type foo)
        (type bar)

        (dontaudit foo bar file_rw)

        ; Using an anonymous classpermissionset
        (dontaudit foo bar (file (read write)))

Auditallow

The auditallow statement causes an audit record to be written each time the source type is granted the listed permissions on the target type. By default SELinux logs only denials; auditallow adds logging for successful accesses. It grants nothing by itself, so a matching allow rule is still required; without one the access is denied and the auditallow rule never fires.

'''Syntax:'''

	(auditallow source target classpermissionset)

'''Syntax Explanation:'''

auditallow:: The keyword for the auditallow statement.
source:: The source domain - a type, typealias or typeattribute.
target:: The target type - a type, typealias or typeattribute.
classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.

'''Example:'''

        (class file (read write execute entry_point))
        (classpermissionset file_rw (file (read write)))

        (type foo)
        (type bar)

        (auditallow foo bar file_rw)

        ; Using an anonymous classpermissionset
        (auditallow foo bar (file (read write)))
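The three statements above are normally used together in one module. The fragment below is an added example, not code from the original page or from the CIL project; the type, attribute and classpermissionset names (log_reader_domain, log_file_t, log_tool_exec_t, file_ro, file_exec, file_w) are hypothetical. It follows the page's convention of declaring the file class in the fragment; in a module loaded into a real policy with semodule -i, the class and its permissions are already declared by the base policy and that line must be omitted.

```cil
; Added example (not from the original page). Names are hypothetical.
; Following the page's convention the file class is declared here; a module
; loaded with "semodule -i" into a real policy omits this line because the
; base policy already declares the class.
(class file (read write execute getattr open))

; Named classpermissionsets keep the rules readable and reusable.
(classpermissionset file_ro   (file (read getattr open)))
(classpermissionset file_exec (file (execute)))
(classpermissionset file_w    (file (write)))

; Grouping related domains under an attribute lets one rule cover all of them.
(typeattribute log_reader_domain)
(type log_collector_t)
(type log_shipper_t)
(typeattributeset log_reader_domain (log_collector_t log_shipper_t))

(type log_file_t)
(type log_tool_exec_t)

; 1. allow: SELinux is default-deny, so without this rule every read of a
;    log_file_t object by a log reader domain is refused and logged as an
;    AVC denial.
(allow log_reader_domain log_file_t file_ro)

; 2. auditallow: record every execution of the log tool even though it is
;    permitted. auditallow grants nothing by itself, so the matching allow
;    rule is still required.
(allow log_reader_domain log_tool_exec_t file_exec)
(auditallow log_reader_domain log_tool_exec_t file_exec)

; 3. dontaudit: the readers are expected to probe for write access and be
;    refused; silence that denial so it does not flood the audit log.
;    Access is still denied - dontaudit only suppresses the message.
(dontaudit log_reader_domain log_file_t file_w)

; The same three rules written with anonymous classpermissionsets:
(allow      log_reader_domain log_file_t      (file (read getattr open)))
(auditallow log_reader_domain log_tool_exec_t (file (execute)))
(dontaudit  log_reader_domain log_file_t      (file (write)))
```

Inside a complete policy the fragment compiles with secilc, the CIL compiler shipped with the SELinux userspace. The dontaudit rule is the one to remember when an access fails with no AVC message in the log: semodule -DB rebuilds the policy with dontaudit rules disabled so the suppressed denials become visible, and semodule -B re-enables them.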