xref: /third_party/selinux/secilc/docs/cil_mls_labeling_statements.md

Multi-Level Security Labeling Statements
========================================

Because there are many options for MLS labeling, the examples show a limited selection of statements, however there is a simple policy that will build shown in the [`levelrange`](cil_mls_labeling_statements.md#levelrange) section.

sensitivity
-----------

Declare a sensitivity identifier in the current namespace. Multiple [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) statements in the policy will form an ordered list.

**Statement definition:**

```secil
    (sensitivity sensitivity_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivity</code></p></td>
<td align="left"><p>The <code>sensitivity</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>The <code>sensitivity</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares three [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifiers:

```secil
    (sensitivity s0)
    (sensitivity s1)
    (sensitivity s2)
```

sensitivityalias
----------------

Declares a sensitivity alias identifier in the current namespace. See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement for an example that associates the [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier.

**Statement definition:**

```secil
    (sensitivityalias sensitivityalias_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityalias</code></p></td>
<td align="left"><p>The <code>sensitivityalias</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivityalias_id</code></p></td>
<td align="left"><p>The <code>sensitivityalias</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement.

sensitivityaliasactual
----------------------

Associates a previously declared [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier.

**Statement definition:**

```secil
    (sensitivityaliasactual sensitivityalias_id sensitivity_id)
```

**Where:**

<table>
<colgroup>
<col width="29%" />
<col width="70%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityaliasactual</code></p></td>
<td align="left"><p>The <code>sensitivityaliasactual</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivityalias_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate sensitivity `s0` with two sensitivity alias's:

```secil
    (sensitivity s0)
    (sensitivityalias unclassified)
    (sensitivityalias SystemLow)
    (sensitivityaliasactual unclassified s0)
    (sensitivityaliasactual SystemLow s0)
```

sensitivityorder
----------------

Define the sensitivity order - lowest to highest. Multiple [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements in the policy will form an ordered list.

**Statement definition:**

```secil
    (sensitivityorder (sensitivity_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityorder</code></p></td>
<td align="left"><p>The <code>sensitivityorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>One or more previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifiers..</p></td>
</tr>
</tbody>
</table>

**Example:**

This example shows two [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements that when compiled will form an ordered list. Note however that the second [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statement starts with `s2` so that the ordered list can be built.

```secil
    (sensitivity s0)
    (sensitivityalias s0 SystemLow)
    (sensitivity s1)
    (sensitivity s2)
    (sensitivityorder (SystemLow s1 s2))

    (sensitivity s3)
    (sensitivity s4)
    (sensitivityalias s4 SystemHigh)
    (sensitivityorder (s2 s3 SystemHigh))
```

category
--------

Declare a category identifier in the current namespace. Multiple category statements declared in the policy will form an ordered list.

**Statement definition:**

```secil
    (category category_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>category</code></p></td>
<td align="left"><p>The <code>category</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>The <code>category</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares a three [`category`](cil_mls_labeling_statements.md#category) identifiers:

```secil
    (category c0)
    (category c1)
    (category c2)
```

categoryalias
-------------

Declares a category alias identifier in the current namespace. See the [`categoryaliasactual`](cil_mls_labeling_statements.md#categoryaliasactual) statement for an example that associates the [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier.

**Statement definition:**

```secil
    (categoryalias categoryalias_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryalias</code></p></td>
<td align="left"><p>The <code>categoryalias</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryalias_id</code></p></td>
<td align="left"><p>The <code>categoryalias</code> identifier.</p></td>
</tr>
</tbody>
</table>

categoryaliasactual
-------------------

Associates a previously declared [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier to a previously declared [`category`](cil_mls_labeling_statements.md#category) identifier.

**Statement definition:**

```secil
    (categoryaliasactual categoryalias_id category_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryaliasactual</code></p></td>
<td align="left"><p>The <code>categoryaliasactual</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryalias_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>A single previously declared <code>category</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

Declares a category `c0`, a category alias of `documents`, and then associates them:

```secil
    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)
```

categoryorder
-------------

Define the category order. Multiple [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements declared in the policy will form an ordered list. Note that this statement orders the categories to allow validation of category ranges.

**Statement definition:**

```secil
    (categoryorder (category_id ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryorder</code></p></td>
<td align="left"><p>The <code>categoryorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>One or more previously declared <code>category</code> or <code>categoryalias</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example orders one category alias and nine categories:

```secil
    (categoryorder (documents c1 c2 c3 c4 c5 c6 c7 c8 c9)
```

categoryset
-----------

Declare an identifier for a set of contiguous or non-contiguous categories in the current namespace.

Notes:

-   Category expressions are allowed in [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory), [`level`](cil_mls_labeling_statements.md#level), and [`levelrange`](cil_mls_labeling_statements.md#levelrange) statements.

-   Category sets are not allowed in [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements.

**Statement definition:**

```secil
    (categoryset categoryset_id (category_id ... | expr ...))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryset</code></p></td>
<td align="left"><p>The <code>categoryset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>The <code>categoryset</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>category</code> or <code>categoryalias</code> identifiers.</p>
<p>Note that there must be at least one <code>category_id</code> identifier or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s, the valid operators and syntax are:</p>
<p><code>    (and (category_id ...) (category_id ...))</code></p>
<p><code>    (or  (category_id ...) (category_id ...))</code></p>
<p><code>    (xor (category_id ...) (category_id ...))</code></p>
<p><code>    (not (category_id ...))</code></p>
<p><code>    (range category_id category_id)</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show a selection of [`categoryset`](cil_mls_labeling_statements.md#categoryset) statements:

```secil
    ; Declare categories with two alias's:
    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)
    (category c1)
    (category c2)
    (category c3)
    (category c4)
    (categoryalias spreadsheets)
    (categoryaliasactual spreadsheets c4)

    ; Set the order to determine ranges:
    (categoryorder (c0 c1 c2 c3 spreadsheets))

    (categoryset catrange_1 (range c2 c3))

    ; Two methods to associate all categories:
    (categoryset all_cats (range c0 c4))
    (categoryset all_cats1 (all))

    (categoryset catset_1 (documents c1))
    (categoryset catset_2 (c2 c3))
    (categoryset catset_3 (c4))

    (categoryset just_c0 (xor (c1 c2) (documents c1 c2)))
```

sensitivitycategory
-------------------

Associate a [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier with one or more [category](#category)'s. Multiple definitions for the same [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) form an ordered list of categories for that sensitivity. This statement is required before a [`level`](cil_mls_labeling_statements.md#level) identifier can be declared.

**Statement definition:**

```secil
    (sensitivitycategory sensitivity_id categoryset_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivitycategory</code></p></td>
<td align="left"><p>The <code>sensitivitycategory</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryset</code> (named or anonymous), or a list of <code>category</code> and/or <code>categoryalias</code> identifiers. The examples show each variation.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset)'s:

```secil
    (sensitivitycategory s0 catrange_1)
    (sensitivitycategory s0 catset_1)
    (sensitivitycategory s0 catset_3)
    (sensitivitycategory s0 (all))
    (sensitivitycategory unclassified (range documents c2))
```

level
-----

Declare a [`level`](cil_mls_labeling_statements.md#level) identifier in the current namespace and associate it to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and zero or more categories. Note that if categories are required, then before this statement can be resolved the [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) statement must be used to associate categories with the sensitivity.

**Statement definition:**

```secil
    (level level_id (sensitivity_id [categoryset_id]))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>level</code></p></td>
<td align="left"><p>The <code>level</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>level_id</code></p></td>
<td align="left"><p>The <code>level</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryset</code> (named or anonymous), or a list of <code>category</code> and/or <code>categoryalias</code> identifiers. The examples show each variation.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These [`level`](cil_mls_labeling_statements.md#level) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset)'s:

```secil
    (level systemLow (s0))
    (level level_1 (s0))
    (level level_2 (s0 (catrange_1)))
    (level level_3 (s0 (all_cats)))
    (level level_4 (unclassified (c2 c3 c4)))
```

levelrange
----------

Declare a level range identifier in the current namespace and associate a current and clearance level.

**Statement definition:**

```secil
    (levelrange levelrange_id (low_level_id high_level_id))
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>levelrange</code></p></td>
<td align="left"><p>The <code>levelrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>levelrange_id</code></p></td>
<td align="left"><p>The <code>levelrange</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>low_level_id</code></p></td>
<td align="left"><p>The current level specified by a previously declared <code>level</code> identifier. This may be formed by named or anonymous components as discussed in the <code>level</code> section and shown in the examples.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>high_level_id</code></p></td>
<td align="left"><p>The clearance or high level specified by a previously declared <code>level</code> identifier. This may be formed by named or anonymous components as discussed in the <code>level</code> section and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This example policy shows [`levelrange`](cil_mls_labeling_statements.md#levelrange) statement and all the other MLS labeling statements discussed in this section and will compile as a standalone policy:

```secil
    (handleunknown allow)
    (mls true)

    ; There must be least one set of SID statements in a policy:
    (sid kernel)
    (sidorder (kernel))
    (sidcontext kernel unconfined.context_1)

    (sensitivitycategory s0 (c4 c2 c3 c1 c0 c3))

    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)
    (category c1)
    (category c2)
    (category c3)
    (category c4)
    (categoryalias spreadsheets)
    (categoryaliasactual spreadsheets c4)

    (categoryorder (c0 c1 c2 c3 spreadsheets))

    (categoryset catrange_1 (range c2 c3))
    (categoryset all_cats (range c0 c4))
    (categoryset all_cats1 (all))

    (categoryset catset_1 (documents c1))
    (categoryset catset_2 (c2 c3))
    (categoryset catset_3 (c4))

    (categoryset just_c0 (xor (c1 c2) (documents c1 c2)))

    (sensitivity s0)
    (sensitivityalias unclassified)
    (sensitivityaliasactual unclassified s0)

    (sensitivityorder (s0))
    (sensitivitycategory s0 (c0))

    (sensitivitycategory s0 catrange_1)
    (sensitivitycategory s0 catset_1)
    (sensitivitycategory s0 catset_3)
    (sensitivitycategory s0 (all))
    (sensitivitycategory s0 (range documents c2))

    (level systemLow (s0))
    (level level_1 (s0))
    (level level_2 (s0 (catrange_1)))
    (level level_3 (s0 (all_cats)))
    (level level_4 (unclassified (c2 c3 c4)))

    (levelrange levelrange_2 (level_2 level_2))
    (levelrange levelrange_1 ((s0) level_2))
    (levelrange low_low (systemLow systemLow))

    (context context_2 (unconfined.user object_r unconfined.object (level_1 level_3)))

    ; Define object_r role. This must be assigned in CIL.
    (role object_r)

    (block unconfined
        (user user)
        (role role)
        (type process)
        (type object)
        (userrange user (systemLow systemLow))
        (userlevel user systemLow)
        (userrole user role)
        (userrole user object_r)
        (roletype role process)
        (roletype role object)
        (roletype object_r object)

        (class file (open execute read write))

        ; There must be least one allow rule in a policy:
        (allow process self (file (read)))

        (context context_1 (user object_r object low_low))
    ) ; End unconfined namespace
```

rangetransition
---------------

Allows an objects level to transition to a different level. Generally used to ensure processes run with their correct MLS range, for example `init` would run at `SystemHigh` and needs to initialise / run other processes at their correct MLS range.

**Statement definition:**

```secil
    (rangetransition source_id target_id class_id new_range_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>rangetransition</code></p></td>
<td align="left"><p>The <code>rangetransition</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_range_id</code></p></td>
<td align="left"><p>The new MLS range for the object class that is a previously declared <code>levelrange</code> identifier. This entry may also be defined as an anonymous or named <code>level</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code> or <code>categoryset</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This rule will transition the range of `sshd.exec` to `s0 - s1:c0.c3` on execution from the `init.process`:

```secil
    (sensitivity s0)
    (sensitivity s1)
    (sensitivityorder s0 s1)
    (category c0)
    ...
    (level systemlow (s0))
    (level systemhigh (s1 (c0 c1 c2)))
    (levelrange low_high (systemlow systemhigh))

    (rangetransition init.process sshd.exec process low_high)
```