setools/tests/genfsconquery.conf

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
    low_w
    med_w
    hi_w
    low_r
    med_r
    hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
    super_w
    super_r
}

class infoflow3
{
    null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
    super_w
    super_r
    super_none
    super_both
    super_unmapped
}

sensitivity s0;
sensitivity s1;
sensitivity s2;

dominance { s0 s1 s2 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;


#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;

role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;

type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };

################################################################################
# Type enforcement declarations and rules


################################################################################

#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;

#genfscon
# test 1:
# fs: test1, exact
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test1 / system:system:system:s0:c0.c4

# test 2:
# fs: test2(a|b), regex
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test2a / system:system:system:s0:c0.c1
genfscon test2b / system:system:system:s0:c2.c4

# test 10:
# fs: unset
# path: /sys, exact
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test10 /sys system:system:system:s0:c2.c4

# test 11:
# fs: unset
# path: /(spam|eggs), regex
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test11a /spam system:system:system:s0:c2.c4
genfscon test11b /eggs system:system:system:s0:c2.c4
genfscon test11c /FAIL system:system:system:s0:c2.c4

# test 20:
# fs: unset
# path: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
genfscon test20 / user20:system:system:s0:c0.c1

# test 21:
# fs: unset
# path: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
genfscon test21a / user21a:system:system:s0:c0.c1
genfscon test21b / user21b:system:system:s0:c0.c1
genfscon test21c / user21c:system:system:s0:c0.c1

# test 30:
# fs: unset
# path: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
genfscon test30 / system:role30_r:system:s0:c0.c1

# test 31:
# fs: unset
# path: unset
# user: unset
# role: role30(a|c)_r, regex
# type: unset
# range: unset
genfscon test31a / system:role31a_r:system:s0:c0.c1
genfscon test31b / system:role31b_r:system:s0:c0.c1
genfscon test31c / system:role31c_r:system:s0:c0.c1

# test 40:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type40
# range: unset
genfscon test40 / system:system:type40:s0:c0.c1

# test 41:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
genfscon test41a / system:system:type41a:s0:c0.c1
genfscon test41b / system:system:type41b:s0:c0.c1
genfscon test41c / system:system:type41c:s0:c0.c1

portcon tcp 80 system:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
Implement genfscon query. 2014-11-02 15:47:30 +00:00			`class infoflow`
			`class infoflow2`
			`class infoflow3`
			`class infoflow4`
			`class infoflow5`
			`class infoflow6`
			`class infoflow7`

			`sid kernel`
			`sid security`

			`common infoflow`
			`{`
			`low_w`
			`med_w`
			`hi_w`
			`low_r`
			`med_r`
			`hi_r`
			`}`

			`class infoflow`
			`inherits infoflow`

			`class infoflow2`
			`inherits infoflow`
			`{`
			`super_w`
			`super_r`
			`}`

			`class infoflow3`
			`{`
			`null`
			`}`

			`class infoflow4`
			`inherits infoflow`

			`class infoflow5`
			`inherits infoflow`

			`class infoflow6`
			`inherits infoflow`

			`class infoflow7`
			`inherits infoflow`
			`{`
			`super_w`
			`super_r`
			`super_none`
			`super_both`
			`super_unmapped`
			`}`

			`sensitivity s0;`
			`sensitivity s1;`
			`sensitivity s2;`

			`dominance { s0 s1 s2 }`

			`category c0;`
			`category c1;`
			`category c2;`
			`category c3;`
			`category c4;`

			`#level decl`
			`level s0:c0.c4;`
			`level s1:c0.c4;`
			`level s2:c0.c4;`


			`#some constraints`
			`mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));`

			`attribute mls_exempt;`

			`type system;`
			`role system;`
			`role system types system;`

			`role role30_r;`
			`role role31a_r;`
			`role role31b_r;`
			`role role31c_r;`

			`role role30_r types system;`
			`role role31a_r types system;`
			`role role31b_r types system;`
			`role role31c_r types system;`

			`type type40;`
			`type type41a;`
			`type type41b;`
			`type type41c;`
			`role system types { type40 type41a type41b type41c };`

			`################################################################################`
			`# Type enforcement declarations and rules`



			`################################################################################`

			`#users`
			`user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;`
			`user user20 roles system level s0 range s0 - s2:c0.c4;`
			`user user21a roles system level s0 range s0 - s2:c0.c4;`
			`user user21b roles system level s0 range s0 - s2:c0.c4;`
			`user user21c roles system level s0 range s0 - s2:c0.c4;`

			`#normal constraints`
			`constrain infoflow hi_w (u1 == u2);`

			`#isids`
			`sid kernel system:system:system:s0`
			`sid security system:system:system:s0`

			`#fs_use`
			`fs_use_trans devpts system:object_r:system:s0;`
			`fs_use_xattr ext3 system:object_r:system:s0;`
			`fs_use_task pipefs system:object_r:system:s0;`

			`#genfscon`
			`# test 1:`
			`# fs: test1, exact`
			`# path: unset`
			`# user: unset`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test1 / system:system:system:s0:c0.c4`

			`# test 2:`
			`# fs: test2(a\|b), regex`
			`# path: unset`
			`# user: unset`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test2a / system:system:system:s0:c0.c1`
			`genfscon test2b / system:system:system:s0:c2.c4`

			`# test 10:`
			`# fs: unset`
			`# path: /sys, exact`
			`# user: unset`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test10 /sys system:system:system:s0:c2.c4`

			`# test 11:`
			`# fs: unset`
			`# path: /(spam\|eggs), regex`
			`# user: unset`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test11a /spam system:system:system:s0:c2.c4`
			`genfscon test11b /eggs system:system:system:s0:c2.c4`
			`genfscon test11c /FAIL system:system:system:s0:c2.c4`

			`# test 20:`
			`# fs: unset`
			`# path: unset`
			`# user: user20, exact`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test20 / user20:system:system:s0:c0.c1`

			`# test 21:`
			`# fs: unset`
			`# path: unset`
			`# user: user21(a\|b), regex`
			`# role: unset`
			`# type: unset`
			`# range: unset`
			`genfscon test21a / user21a:system:system:s0:c0.c1`
			`genfscon test21b / user21b:system:system:s0:c0.c1`
			`genfscon test21c / user21c:system:system:s0:c0.c1`

			`# test 30:`
			`# fs: unset`
			`# path: unset`
			`# user: unset`
			`# role: role30_r, exact`
			`# type: unset`
			`# range: unset`
			`genfscon test30 / system:role30_r:system:s0:c0.c1`

			`# test 31:`
			`# fs: unset`
			`# path: unset`
			`# user: unset`
			`# role: role30(a\|c)_r, regex`
			`# type: unset`
			`# range: unset`
			`genfscon test31a / system:role31a_r:system:s0:c0.c1`
			`genfscon test31b / system:role31b_r:system:s0:c0.c1`
			`genfscon test31c / system:role31c_r:system:s0:c0.c1`

			`# test 40:`
			`# fs: unset`
			`# path: unset`
			`# user: unset`
			`# role: unset`
			`# type: type40`
			`# range: unset`
			`genfscon test40 / system:system:type40:s0:c0.c1`

			`# test 41:`
			`# fs: unset`
			`# path: unset`
			`# user: unset`
			`# role: unset`
			`# type: type41(b\|c)`
			`# range: unset`
			`genfscon test41a / system:system:type41a:s0:c0.c1`
			`genfscon test41b / system:system:type41b:s0:c0.c1`
			`genfscon test41c / system:system:type41c:s0:c0.c1`

			`portcon tcp 80 system:object_r:system:s0`

			`netifcon eth0 system:object_r:system:s0 system:object_r:system:s0`

			`nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0`
			`nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0`