9.1. Overview of Conditional Policies

Support for conditional policies was one of the first major functional enhancements to the SELinux policy language after its initial release. Conditional policy statements let us define sets of policy rules that are enabled only when a conditional expression is true. A conditional expression is a logical expression built from declared Boolean variables and logical operators.

Let's look at a contrived example. Suppose we have a mobile computer and want to write policy rules for a particular program's domain type (for example, myprog_t) so that it may access only the wired Ethernet network interface while the computer is docked, and only the wireless network interface while the computer is undocked. To achieve this goal, we might write a conditional statement such as this:

bool docked true;
if (docked) {
      # rules to allow myprog_t access to wired Ethernet device
} else {
      # rules to allow myprog_t access to wireless device
}


In this example, we first declare a single Boolean variable, docked, which we use to tell SELinux whether the computer is docked. As part of the declaration, we give docked a default value of true. We then write a conditional statement (if) consisting of a conditional expression (docked), a list of rules that apply when the expression is true, and an optional list of rules that apply when it is false. This lets us write the allow rules for each case (docked and undocked) side by side. All we have to do is change the value of the Boolean when we dock or undock the computer (for example, a running service might monitor the docking state and set the Boolean accordingly); the kernel then enables the appropriate set of rules without the policy being reloaded. Note that changing a Boolean is itself a mediated operation (the setbool permission of the security object class), so the service that toggles docked must be allowed to do so.
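The conditional above with real allow rules in place of the comments, written as a complete loadable policy module. This is an added example, not code from the book. The module name myprog, the domain type myprog_t, the two interface types wired_netif_t and wireless_netif_t (which the base policy is assumed to attach to the wired and wireless interfaces with netifcon, or at runtime with semanage interface), and the use of the netif class's ingress and egress permissions are all assumptions made for illustration; the permission set of the netif class depends on the policy version your kernel supports.

```selinux
# myprog.te -- added example, not from the book.
# Assumed names: module "myprog", domain myprog_t, and two netif types that
# the base policy is assumed to associate with the interfaces, e.g. via
#   netifcon eth0  system_u:object_r:wired_netif_t    ...
# or at runtime with:  semanage interface -a -t wired_netif_t eth0
module myprog 1.0;

require {
    # Classes used by a module must be listed here. { ingress egress } is the
    # netif permission set in current policies (assumption: your base has it).
    class netif { ingress egress };
}

type myprog_t;
type wired_netif_t;
type wireless_netif_t;

# Declare the Boolean and its compiled-in default. The value in the running
# kernel can differ from this default once setsebool has been used.
bool docked true;

# Only one branch is in effect at any time. Toggling the Boolean makes the
# kernel re-evaluate the conditional and flush its access vector cache, so
# the other set of rules takes effect without a policy reload.
if (docked) {
    allow myprog_t wired_netif_t:netif { ingress egress };
} else {
    allow myprog_t wireless_netif_t:netif { ingress egress };
}

# Build, load and toggle (as root; tools from checkpolicy/policycoreutils/setools):
#   checkmodule -M -m -o myprog.mod myprog.te
#   semodule_package -o myprog.pp -m myprog.mod
#   semodule -i myprog.pp
#   getsebool docked          # docked --> on   (the declared default)
#   setsebool docked off      # undock: wireless rules enabled, wired rules disabled
#   setsebool -P docked on    # -P also records the value in the persistent store
#   sesearch -A -s myprog_t -c netif -b docked   # list both rule sets with their condition
```

The point to verify after loading is that only one of the two allow rules is ever active: with docked on, a wireless packet for myprog_t is denied (and logged) exactly as if the wireless rule did not exist, and the reverse after setsebool docked off.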

This simple example illustrates the main features of conditional policies. In the rest of this section, we discuss how to define and change Boolean variables, list the syntax of conditional statements, and show example uses of conditional policies.




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007