Conditional Statements
======================

boolean
-------

Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.

[`boolean`](cil_conditional_statements.md#boolean) statements are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.

**Statement definition:**

```secil
    (boolean boolean_id true|false)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>boolean</code></p></td>
<td align="left"><p>The <code>boolean</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>The <code>boolean</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the boolean. This can be changed at run time using <strong><code>setsebool</code></strong><code>(8)</code> and its status queried using <strong><code>getsebool</code></strong><code>(8)</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`booleanif`](cil_conditional_statements.md#booleanif) statement for an example.

booleanif
---------

Contains the run time conditional statements that are instantiated in the binary policy according to the computed boolean identifier(s) state.

[`call`](cil_call_macro_statements.md#call) statements are allowed within a [`booleanif`](cil_conditional_statements.md#booleanif); however, the contents of the resulting macro must be limited to those of the [`booleanif`](cil_conditional_statements.md#booleanif) statement (i.e. [`allow`](cil_access_vector_rules.md#allow), [`auditallow`](cil_access_vector_rules.md#auditallow), [`dontaudit`](cil_access_vector_rules.md#dontaudit), [`typemember`](cil_type_statements.md#typemember), [`typetransition`](cil_type_statements.md#typetransition), [`typechange`](cil_type_statements.md#typechange) and the compile time [`tunableif`](cil_conditional_statements.md#tunableif) statement).

**Statement definition:**

```secil
    (booleanif boolean_id | expr ...
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>booleanif</code></p></td>
<td align="left"><p>The <code>booleanif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>boolean_id</code></p></td>
<td align="left"><p>Either a single <code>boolean</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and boolean_id boolean_id)</code></p>
<p><code> (or boolean_id boolean_id)</code></p>
<p><code> (xor boolean_id boolean_id)</code></p>
<p><code> (eq boolean_id boolean_id)</code></p>
<p><code> (neq boolean_id boolean_id)</code></p>
<p><code> (not boolean_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>boolean</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The second example also shows the kernel policy language equivalent:

```secil
    (boolean disableAudio false)

    (booleanif disableAudio
        (false
            (allow process mediaserver.audio_device (chr_file_set (rw_file_perms)))
        )
    )

    (boolean disableAudioCapture false)

    ;;; if(!disableAudio && !disableAudioCapture) {
    (booleanif (and (not disableAudio) (not disableAudioCapture))
        (true
            (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))
        )
    )
```

tunable
-------

Tunables are similar to booleans; however, they are used to manage areas of CIL statements that may or may not be in the final CIL policy that will be compiled (whereas booleans are embedded in the binary policy and can be enabled or disabled during run-time).

Note that tunables can be treated as booleans by using the CIL compiler command line flag `-P` or `--preserve-tunables`.

Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.

**Statement definition:**

```secil
    (tunable tunable_id true|false)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunable</code></p></td>
<td align="left"><p>The <code>tunable</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>The <code>tunable</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>true | false</code></p></td>
<td align="left"><p>The initial state of the <code>tunable</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`tunableif`](cil_conditional_statements.md#tunableif) statement for an example.

tunableif
---------

Compile time conditional statement that may or may not add CIL statements to be compiled.

If tunables are being treated as booleans (by using the CIL compiler command line flag `-P` or `--preserve-tunables`), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.

**Statement definition:**

```secil
    (tunableif tunable_id | expr ...
        (true
            cil_statements
            ...)
        (false
            cil_statements
            ...)
    )
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>tunableif</code></p></td>
<td align="left"><p>The <code>tunableif</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>tunable_id</code></p></td>
<td align="left"><p>Either a single <code>tunable</code> identifier or one or more <code>expr</code>'s.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code> (and tunable_id tunable_id)</code></p>
<p><code> (or tunable_id tunable_id)</code></p>
<p><code> (xor tunable_id tunable_id)</code></p>
<p><code> (eq tunable_id tunable_id)</code></p>
<p><code> (neq tunable_id tunable_id)</code></p>
<p><code> (not tunable_id)</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>true</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>true</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>false</code></p></td>
<td align="left"><p>An optional set of CIL statements that will be instantiated when the <code>tunable</code> is evaluated as <code>false</code>.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will not add the range transition rule to the binary policy:

```secil
    (tunable range_trans_rule false)

    (block init
        (class process (process))
        (type process)

        (tunableif range_trans_rule
            (true
                (rangetransition process sshd.exec process low_high)
            )
        ) ; End tunableif
    ) ; End block
```
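
For policy review, the Python model below (an added example, not part of the CIL documentation or of the CIL compiler) evaluates `booleanif` and `tunableif` expressions with the operators listed above and returns the statements in effect for a given run time state, so a reviewer can see which rules a `setsebool` change would enable. Assumptions: only top-level statements are examined, namespaces and quoted strings are ignored, and the names `active_rules`, `runtime` and `preserve_tunables` (standing in for `-P`) are chosen for this example; rejecting a run time change to a compile-time tunable is a modelling choice.

```python
import operator
import re
OPS = {"and": operator.and_, "or": operator.or_, "xor": operator.xor,
       "eq": operator.eq, "neq": operator.ne, "not": operator.not_}

def parse(tokens):
    """Build nested lists from a token iterator (assumes balanced parentheses)."""
    out = []
    for tok in tokens:
        if tok == ")":
            return out
        out.append(parse(tokens) if tok == "(" else tok)
    return out

def evaluate(expr, state):
    if isinstance(expr, str):          # bare boolean_id / tunable_id
        return state[expr]
    op, *args = expr
    if op not in OPS or len(args) != (1 if op == "not" else 2):
        raise ValueError(f"unsupported expr: {expr}")
    return OPS[op](*(evaluate(a, state) for a in args))

def active_rules(policy, runtime=None, preserve_tunables=False):
    """Statements in effect at run time; preserve_tunables models the -P flag."""
    tokens = re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", policy))
    stmts = parse(iter(tokens))
    decls = [s for s in stmts if s[0] in ("boolean", "tunable") and len(s) == 3]
    state = {name: value == "true" for _, name, value in decls}
    frozen = {n for kind, n, _ in decls if kind == "tunable" and not preserve_tunables}
    for name, value in (runtime or {}).items():
        if name not in state or name in frozen:
            raise KeyError(f"{name} is not a run time boolean")  # modelling assumption
        state[name] = value
    active = []
    for s in stmts:
        if s[0] in ("booleanif", "tunableif"):
            branch = "true" if evaluate(s[1], state) else "false"
            active += [r for b in s[2:] if b[0] == branch for r in b[1:]]
    return active

POLICY = """; constructed sample reusing identifiers from this page's examples
(boolean disableAudio false)
(boolean disableAudioCapture false)
(tunable range_trans_rule false)
(booleanif (and (not disableAudio) (not disableAudioCapture))
  (true (allow process mediaserver.audio_capture_device (chr_file_set (rw_file_perms)))))
(tunableif range_trans_rule
  (true (rangetransition process sshd.exec process low_high)))
"""
```

Calling `active_rules(POLICY, {"disableAudio": True})` returns an empty list, while passing `preserve_tunables=True` lets `range_trans_rule` be toggled like any other boolean.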