CilAvRules
Access vector rules define access control privileges for objects.
The allow statement defines the access allowed between two types.
'''Syntax:'''
(allow source target classpermissionset)
'''Syntax Explanation:'''

allow:: The keyword for the allow statement.

source:: The source domain - a type, typealias or typeattribute.

target:: The target type - a type, typealias or typeattribute.

classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.
'''Example:'''
<pre>
(class file (read write execute entry_point))
(classpermissionset file_rw (file (read write)))
(type foo)
(type bar)
(allow foo bar file_rw)
; Using an anonymous classpermissionset
(allow foo bar (file (read write)))
</pre>
The dontaudit statement defines which access denials are not to be recorded (audited).
'''Syntax:'''
(dontaudit source target classpermissionset)
'''Syntax Explanation:'''

dontaudit:: The keyword for the dontaudit statement.

source:: The source domain - a type, typealias or typeattribute.

target:: The target type - a type, typealias or typeattribute.

classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.
'''Example:'''
<pre>
(class file (read write execute entry_point))
(classpermissionset file_rw (file (read write)))
(type foo)
(type bar)
(dontaudit foo bar file_rw)
; Using an anonymous classpermissionset
(dontaudit foo bar (file (read write)))
</pre>
The auditallow statement defines which allowed accesses are to be recorded (audited).
'''Syntax:'''
(auditallow source target classpermissionset)
'''Syntax Explanation:'''

auditallow:: The keyword for the auditallow statement.

source:: The source domain - a type, typealias or typeattribute.

target:: The target type - a type, typealias or typeattribute.

classpermissionset:: The classpermissionset that contains the associated object class and permission(s). This can also be declared anonymously, enclosed in parentheses.
'''Example:'''
<pre>
(class file (read write execute entry_point))
(classpermissionset file_rw (file (read write)))
(type foo)
(type bar)
(auditallow foo bar file_rw)
; Using an anonymous classpermissionset
(auditallow foo bar (file (read write)))
</pre>
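As an added example (not code from this page or from the SELinux/CIL project), a small Python parser that extracts the three access vector rule kinds from a constructed CIL fragment modelled on the examples above, resolving both named and anonymous classpermissionsets; function names such as av_rules and is_allowed are my own, and CIL permission set expressions (e.g. (all), and, not) are not handled.

```python
import re

# Constructed CIL fragment, modelled on the page's examples (not a real policy).
POLICY = """
(class file (read write execute entry_point))
(classpermissionset file_rw (file (read write)))
(type foo)
(type bar)
(allow foo bar file_rw)
; anonymous classpermissionset, same access as the rule above
(allow foo bar (file (read write)))
(dontaudit foo bar (file (execute)))
(auditallow bar foo file_rw)
"""

AV_RULES = {"allow", "dontaudit", "auditallow"}

def tokenize(text):
    # CIL comments run from ';' to end of line; strip them before tokenizing.
    code = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())
    return re.findall(r"\(|\)|[^\s()]+", code)

def parse(tokens):
    """Turn the token stream into nested Python lists, one per top-level form."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unexpected ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]

def av_rules(text):
    """Return (rule, source, target, class, frozenset(perms)) for each AV rule."""
    forms = parse(tokenize(text))
    # First pass: collect named classpermissionsets so rules can refer to them.
    named = {f[1]: (f[2][0], frozenset(f[2][1])) for f in forms if f[0] == "classpermissionset"}
    rules = []
    for f in forms:
        if f[0] in AV_RULES:
            rule, src, tgt, cps = f
            if isinstance(cps, str):          # named classpermissionset
                if cps not in named:
                    raise ValueError(f"undefined classpermissionset {cps}")
                cls, perms = named[cps]
            else:                             # anonymous: (class (perm ...))
                cls, perms = cps[0], frozenset(cps[1])
            rules.append((rule, src, tgt, cls, perms))
    return rules

def is_allowed(rules, src, tgt, cls, perm):
    """True if some allow rule grants perm on cls from src to tgt (dontaudit never grants access)."""
    return any(r[0] == "allow" and r[1:4] == (src, tgt, cls) and perm in r[4] for r in rules)
```

Note that a dontaudit rule only silences the denial message; is_allowed ignores it, which mirrors how the kernel treats the three rule kinds.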