Role Statements
===============

role
----

Declares a role identifier in the current namespace.

**Statement definition:**

```secil
    (role role_id)
```

**Where:**

role

The role keyword.

role_id

The role identifier.

**Example:**

This example declares two roles: `object_r` in the global namespace and `unconfined.role`:

```secil
    (role object_r)

    (block unconfined
        (role role)
    )
```

roletype
--------

Authorises a [`role`](cil_role_statements.md#role) to access a [`type`](cil_type_statements.md#type) identifier.

**Statement definition:**

```secil
    (roletype role_id type_id)
```

**Where:**

roletype

The roletype keyword.

role_id

A single previously declared role or roleattribute identifier.

type_id

A single previously declared type, typealias or typeattribute identifier.

**Example:**

This example will declare [`role`](cil_role_statements.md#role) and [`type`](cil_type_statements.md#type) identifiers, then associate them:

```secil
    (block unconfined
        (role role)
        (type process)
        (roletype role process)
    )
```

roleattribute
-------------

Declares a role attribute identifier in the current namespace. The identifier may have zero or more [`role`](cil_role_statements.md#role) and [`roleattribute`](cil_role_statements.md#roleattribute) identifiers associated to it via the [`roleattributeset`](cil_role_statements.md#roleattributeset) statement.

**Statement definition:**

```secil
    (roleattribute roleattribute_id)
```

**Where:**

roleattribute

The roleattribute keyword.

roleattribute_id

The roleattribute identifier.

**Example:**

This example will declare a role attribute `roles.role_holder` that will have an empty set:

```secil
    (block roles
        (roleattribute role_holder)
    )
```

roleattributeset
----------------

Allows the association of one or more previously declared [`role`](cil_role_statements.md#role) identifiers to a [`roleattribute`](cil_role_statements.md#roleattribute) identifier. Expressions may be used to refine the associations as shown in the examples.

**Statement definition:**

```secil
    (roleattributeset roleattribute_id (role_id ... | expr ...))
```

**Where:**

roleattributeset

The roleattributeset keyword.

roleattribute_id

A single previously declared roleattribute identifier.

role_id

Zero or more previously declared role or roleattribute identifiers.

Note that there must be at least one role_id or expr parameter declared.

expr

Zero or more expr's, the valid operators and syntax are:

(and (role_id ...) (role_id ...))

(or (role_id ...) (role_id ...))

(xor (role_id ...) (role_id ...))

(not (role_id ...))

(all)

**Example:**

This example will declare three roles and two role attributes, then associate all the roles to them as shown:

```secil
    (block roles
        (role role_1)
        (role role_2)
        (role role_3)

        (roleattribute role_holder)
        (roleattributeset role_holder (role_1 role_2 role_3))

        (roleattribute role_holder_all)
        (roleattributeset role_holder_all (all))
    )
```

roleallow
---------

Authorise the current role to assume a new role.

Notes:

- May require a [`roletransition`](cil_role_statements.md#roletransition) rule to ensure transition to the new role.
- This rule is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) statements.

**Statement definition:**

```secil
    (roleallow current_role_id new_role_id)
```

**Where:**

roleallow

The roleallow keyword.

current_role_id

A single previously declared role or roleattribute identifier.

new_role_id

A single previously declared role or roleattribute identifier.

**Example:**

See the [`roletransition`](cil_role_statements.md#roletransition) statement for an example.

roletransition
--------------

Specify a role transition from the current role to a new role when computing a context for the target type. The [`class`](cil_class_and_permission_statements.md#class) identifier would normally be `process`; however, for kernel versions 2.6.39 and above with policy version >= 25, any valid class may be used. Note that a [`roleallow`](cil_role_statements.md#roleallow) rule must be used to authorise the transition.

**Statement definition:**

```secil
    (roletransition current_role_id target_type_id class_id new_role_id)
```

**Where:**

roletransition

The roletransition keyword.

current_role_id

A single previously declared role or roleattribute identifier.

target_type_id

A single previously declared type, typealias or typeattribute identifier.

class_id

A single previously declared class or classmap identifier.

new_role_id

A single previously declared role identifier to be set on transition.

**Example:**

This example will authorise the `unconfined.role` to assume the `msg_filter.role` role, and then transition to that role:

```secil
    (block ext_gateway
        (type process)
        (type exec)

        (roletype msg_filter.role process)
        (roleallow unconfined.role msg_filter.role)
        (roletransition unconfined.role exec process msg_filter.role)
    )
```

rolebounds
----------

Defines a hierarchical relationship between roles where the child role cannot have more privileges than the parent.

Notes:

- It is not possible to bind the parent role to more than one child role.
- While this is added to the binary policy, it is not enforced by the SELinux kernel services.

**Statement definition:**

```secil
    (rolebounds parent_role_id child_role_id)
```

**Where:**

rolebounds

The rolebounds keyword.

parent_role_id

A single previously declared role identifier.

child_role_id

A single previously declared role identifier.

**Example:**

In this example the role `test` cannot have greater privileges than `unconfined.role`:

```secil
    (role test)

    (block unconfined
        (role role)
        (rolebounds role .test)
    )
```
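
The `roleallow` and `roletransition` sections above state that a role transition must be authorised by a `roleallow` rule. The following Python check is an added example, not part of the CIL reference or the SELinux project's code: it scans policy text for `roletransition` rules that have no `roleallow` for the same role pair. It compares identifiers as written, so it assumes no namespace resolution, no roleattribute expansion and no quoted strings in the input; the `audit.role` line in the sample is constructed.

```python
import re

# Constructed sample policy: the page's ext_gateway example plus one
# transition (to audit.role) that has no matching roleallow.
SAMPLE_CIL = """
(block ext_gateway
    (type process)
    (type exec)
    (roletype msg_filter.role process)
    (roleallow unconfined.role msg_filter.role)
    (roletransition unconfined.role exec process msg_filter.role)
    (roletransition unconfined.role exec process audit.role) ; constructed
)
"""

def parse(text):
    """Parse CIL S-expressions into nested lists (';' starts a comment)."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def statements(tree, keyword):
    """Yield every list, at any nesting depth, whose head is keyword."""
    for node in tree:
        if isinstance(node, list):
            if node and node[0] == keyword:
                yield node
            yield from statements(node, keyword)

def unauthorised_transitions(text):
    """Return (current_role, new_role) pairs from roletransition rules
    that no roleallow rule authorises (names compared as written)."""
    tree = parse(text)
    allowed = {(s[1], s[2]) for s in statements(tree, "roleallow") if len(s) == 3}
    return [(s[1], s[4]) for s in statements(tree, "roletransition")
            if len(s) == 5 and (s[1], s[4]) not in allowed]
```
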