setools/tests/terulequery2.conf

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
	ioctl
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	ioctl
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;


#########################################
# XPERM ioctl declarations and rules

# test 1
# ruletype: unset
# source: test1a, direct, no regex
# target: unset
# class: unset
# perms: unset
attribute test1a;
type test1s, test1a;
type test1t;
type test1FAIL, test1a;
allowxperm test1a test1t:infoflow ioctl { 0xebe0-0xebff };  # sets AVRULE_XPERMS_IOCTLFUNCTION
allowxperm test1FAIL self:infoflow ioctl { 0x8800-0x88ff }; # sets AVRULE_XPERMS_IOCTLDRIVER

# test 2
# ruletype: unset
# source: test2s, indirect, no regex
# target: unset
# class: unset
# perms: unset
attribute test2a;
type test2s, test2a;
type test2t;
allowxperm test2a test2t:infoflow ioctl { 0x5411 0x5451 };

# test 3
# ruletype: unset
# source: test3a.*, direct, regex
# target: unset
# class: unset
# perms: unset
attribute test3aS;
attribute test3b;
type test3s, test3aS;
type test3t;
type test3aFAIL, test3b;
allowxperm test3s  test3t:infoflow ioctl 0x9999;
allowxperm test3aS test3t:infoflow ioctl 0x1111;
allowxperm test3b  test3t:infoflow ioctl 0x5555;

# test 4
# ruletype: unset
# source: test4(s|t), indirect, regex
# target: unset
# class: unset
# perms: unset
attribute test4a1;
attribute test4a2;
type test4s1, test4a1;
type test4t1, test4a2;
type test4FAIL;
allowxperm test4a1 test4a1:infoflow ioctl 0x9999;
allowxperm test4a2 test4a2:infoflow ioctl 0x1111;
allowxperm test4FAIL self:infoflow ioctl 0x5555;

# test 5
# ruletype: unset
# source: unset
# target: test5a, direct, no regex
# class: unset
# perms: unset
attribute test5a;
type test5s;
type test5t, test5a;
allowxperm test5s test5a:infoflow ioctl 0x9999;
allowxperm test5s test5t:infoflow ioctl 0x9999;

# test 6
# ruletype: unset
# source: unset
# target: test6t, indirect, no regex
# class: unset
# perms: unset
attribute test6a;
type test6s;
type test6t, test6a;
allowxperm test6s test6a:infoflow ioctl 0x9999;
allowxperm test6s test6t:infoflow ioctl 0x1111;

# test 7
# ruletype: unset
# source: unset
# target: test7a.*, direct, regex
# class: unset
# perms: unset
attribute test7aPASS;
attribute test7b;
type test7s;
type test7t, test7aPASS;
type test7aFAIL, test7b;
allowxperm test7s  test7t:infoflow ioctl 0x9999;
allowxperm test7s test7aPASS:infoflow ioctl 0x1111;
allowxperm test7s  test7b:infoflow ioctl 0x5555;

# test 8
# ruletype: unset
# source: unset
# target: test8(s|t), indirect, regex
# class: unset
# perms: unset
attribute test8a1;
attribute test8a2;
type test8s1, test8a1;
type test8t1, test8a2;
type test8FAIL;
allowxperm test8a1 test8a1:infoflow ioctl 0x9999;
allowxperm test8a2 test8a2:infoflow ioctl 0x1111;
allowxperm test8FAIL self:infoflow ioctl 0x5555;

# test 10
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# perms: unset
type test10;
allowxperm test10 self:infoflow ioctl 0x9999;
allowxperm test10 self:infoflow4 ioctl 0x9999;
allowxperm test10 self:infoflow3 ioctl 0x0;

# test 11
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# perms: unset
type test11;
allowxperm test11 self:infoflow ioctl 0x9999;
allowxperm test11 self:infoflow5 ioctl 0x1111;
allowxperm test11 self:infoflow6 ioctl 0x5555;

# test 14
# ruletype: dontauditxperm,auditallowxperm
# source: unset
# target: unset
# class: unset
# perms: unset
type test14;
auditallowxperm test14 self:infoflow7 ioctl 0x1234;
dontauditxperm test14 self:infoflow7 ioctl 0x4321;

# test 100
# ruletype: neverallow, neverallowxperm
# source: unset
# target: unset
# class: unset
# perms: ioctl (standard)
type test100;
neverallow test100 system:infoflow2 { ioctl hi_w };
neverallowxperm test100 self:infoflow2 ioctl 0x1234;

# test 101
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: 0x9011-0x9013
type test101a;
type test101b;
type test101c;
type test101d;
allowxperm test101a self:infoflow7 ioctl 0x9011;
allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };
allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };
allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };

############# END XPERM ############################

role system;
role system types system;

#users
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
setools-V4: Add updates for testing V30 xen and xperms Add updates to seinfo and sesearch to test libqpol updates added via [1]. Also include extra tests for Xen and xperms. Note, xperms cannot yet test the extended perms as needs more work on libqpol. [1] 0001-setools-V4-libqpol-policy-V30-updates-xen-xperm-stat.patch Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> 2015-12-16 16:47:14 +00:00			`class infoflow`
			`class infoflow2`
			`class infoflow3`
			`class infoflow4`
			`class infoflow5`
			`class infoflow6`
			`class infoflow7`

			`sid kernel`
			`sid security`

			`common infoflow`
			`{`
			`low_w`
			`med_w`
			`hi_w`
			`low_r`
			`med_r`
			`hi_r`
			`ioctl`
			`}`

			`class infoflow`
			`inherits infoflow`

			`class infoflow2`
			`inherits infoflow`
			`{`
			`super_w`
			`super_r`
			`}`

			`class infoflow3`
			`{`
			`ioctl`
			`}`

			`class infoflow4`
			`inherits infoflow`

			`class infoflow5`
			`inherits infoflow`

			`class infoflow6`
			`inherits infoflow`

			`class infoflow7`
			`inherits infoflow`
			`{`
			`super_w`
			`super_r`
			`super_none`
			`super_both`
			`super_unmapped`
			`}`

			`sensitivity low_s;`
			`sensitivity medium_s alias med;`
			`sensitivity high_s;`

			`dominance { low_s med high_s }`

			`category here;`
			`category there;`
			`category elsewhere alias lost;`

			`#level decl`
			`level low_s:here.there;`
			`level med:here, elsewhere;`
			`level high_s:here.lost;`

			`#some constraints`
			`mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));`

			`attribute mls_exempt;`

			`type system;`


			`#########################################`
			`# XPERM ioctl declarations and rules`

			`# test 1`
			`# ruletype: unset`
			`# source: test1a, direct, no regex`
			`# target: unset`
			`# class: unset`
			`# perms: unset`
			`attribute test1a;`
			`type test1s, test1a;`
			`type test1t;`
			`type test1FAIL, test1a;`
			`allowxperm test1a test1t:infoflow ioctl { 0xebe0-0xebff }; # sets AVRULE_XPERMS_IOCTLFUNCTION`
			`allowxperm test1FAIL self:infoflow ioctl { 0x8800-0x88ff }; # sets AVRULE_XPERMS_IOCTLDRIVER`

			`# test 2`
			`# ruletype: unset`
			`# source: test2s, indirect, no regex`
			`# target: unset`
			`# class: unset`
			`# perms: unset`
			`attribute test2a;`
			`type test2s, test2a;`
			`type test2t;`
			`allowxperm test2a test2t:infoflow ioctl { 0x5411 0x5451 };`

			`# test 3`
			`# ruletype: unset`
			`# source: test3a.*, direct, regex`
			`# target: unset`
			`# class: unset`
			`# perms: unset`
			`attribute test3aS;`
			`attribute test3b;`
			`type test3s, test3aS;`
			`type test3t;`
			`type test3aFAIL, test3b;`
			`allowxperm test3s test3t:infoflow ioctl 0x9999;`
			`allowxperm test3aS test3t:infoflow ioctl 0x1111;`
			`allowxperm test3b test3t:infoflow ioctl 0x5555;`

			`# test 4`
			`# ruletype: unset`
			`# source: test4(s\|t), indirect, regex`
			`# target: unset`
			`# class: unset`
			`# perms: unset`
			`attribute test4a1;`
			`attribute test4a2;`
			`type test4s1, test4a1;`
			`type test4t1, test4a2;`
			`type test4FAIL;`
			`allowxperm test4a1 test4a1:infoflow ioctl 0x9999;`
			`allowxperm test4a2 test4a2:infoflow ioctl 0x1111;`
			`allowxperm test4FAIL self:infoflow ioctl 0x5555;`

			`# test 5`
			`# ruletype: unset`
			`# source: unset`
			`# target: test5a, direct, no regex`
			`# class: unset`
			`# perms: unset`
			`attribute test5a;`
			`type test5s;`
			`type test5t, test5a;`
			`allowxperm test5s test5a:infoflow ioctl 0x9999;`
			`allowxperm test5s test5t:infoflow ioctl 0x9999;`

			`# test 6`
			`# ruletype: unset`
			`# source: unset`
			`# target: test6t, indirect, no regex`
			`# class: unset`
			`# perms: unset`
			`attribute test6a;`
			`type test6s;`
			`type test6t, test6a;`
			`allowxperm test6s test6a:infoflow ioctl 0x9999;`
			`allowxperm test6s test6t:infoflow ioctl 0x1111;`

			`# test 7`
			`# ruletype: unset`
			`# source: unset`
			`# target: test7a.*, direct, regex`
			`# class: unset`
			`# perms: unset`
			`attribute test7aPASS;`
			`attribute test7b;`
			`type test7s;`
			`type test7t, test7aPASS;`
			`type test7aFAIL, test7b;`
			`allowxperm test7s test7t:infoflow ioctl 0x9999;`
			`allowxperm test7s test7aPASS:infoflow ioctl 0x1111;`
			`allowxperm test7s test7b:infoflow ioctl 0x5555;`

			`# test 8`
			`# ruletype: unset`
			`# source: unset`
			`# target: test8(s\|t), indirect, regex`
			`# class: unset`
			`# perms: unset`
			`attribute test8a1;`
			`attribute test8a2;`
			`type test8s1, test8a1;`
			`type test8t1, test8a2;`
			`type test8FAIL;`
			`allowxperm test8a1 test8a1:infoflow ioctl 0x9999;`
			`allowxperm test8a2 test8a2:infoflow ioctl 0x1111;`
			`allowxperm test8FAIL self:infoflow ioctl 0x5555;`

			`# test 10`
			`# ruletype: unset`
			`# source: unset`
			`# target: unset`
			`# class: infoflow3,infoflow4 , no regex`
			`# perms: unset`
			`type test10;`
			`allowxperm test10 self:infoflow ioctl 0x9999;`
			`allowxperm test10 self:infoflow4 ioctl 0x9999;`
			`allowxperm test10 self:infoflow3 ioctl 0x0;`

			`# test 11`
			`# ruletype: unset`
			`# source: unset`
			`# target: unset`
			`# class: infoflow(5\|6), regex`
			`# perms: unset`
			`type test11;`
			`allowxperm test11 self:infoflow ioctl 0x9999;`
			`allowxperm test11 self:infoflow5 ioctl 0x1111;`
			`allowxperm test11 self:infoflow6 ioctl 0x5555;`

			`# test 14`
			`# ruletype: dontauditxperm,auditallowxperm`
			`# source: unset`
			`# target: unset`
			`# class: unset`
			`# perms: unset`
			`type test14;`
			`auditallowxperm test14 self:infoflow7 ioctl 0x1234;`
			`dontauditxperm test14 self:infoflow7 ioctl 0x4321;`

Complete TERuleQuery changes for extended permission rules. Related to #73. 2016-03-22 15:07:25 +00:00			`# test 100`
			`# ruletype: neverallow, neverallowxperm`
			`# source: unset`
			`# target: unset`
			`# class: unset`
			`# perms: ioctl (standard)`
			`type test100;`
			`neverallow test100 system:infoflow2 { ioctl hi_w };`
			`neverallowxperm test100 self:infoflow2 ioctl 0x1234;`

			`# test 101`
			`# ruletype: unset`
			`# source: unset`
			`# target: unset`
			`# class: unset`
			`# perms: 0x9011-0x9013`
			`type test101a;`
			`type test101b;`
			`type test101c;`
			`type test101d;`
			`allowxperm test101a self:infoflow7 ioctl 0x9011;`
			`allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };`
			`allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };`
			`allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };`

setools-V4: Add updates for testing V30 xen and xperms Add updates to seinfo and sesearch to test libqpol updates added via [1]. Also include extra tests for Xen and xperms. Note, xperms cannot yet test the extended perms as needs more work on libqpol. [1] 0001-setools-V4-libqpol-policy-V30-updates-xen-xperm-stat.patch Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> 2015-12-16 16:47:14 +00:00			`############# END XPERM ############################`

			`role system;`
			`role system types system;`

			`#users`
			`user system roles system level med range low_s - high_s:here.lost;`

			`#normal constraints`
			`constrain infoflow hi_w (u1 == u2);`

			`#isids`
			`sid kernel system:system:system:medium_s:here`
			`sid security system:system:system:high_s:lost`

			`#fs_use`
			`fs_use_trans devpts system:object_r:system:low_s;`
			`fs_use_xattr ext3 system:object_r:system:low_s;`
			`fs_use_task pipefs system:object_r:system:low_s;`

			`#genfscon`
			`genfscon proc / system:object_r:system:med`
			`genfscon proc /sys system:object_r:system:low_s`
			`genfscon selinuxfs / system:object_r:system:high_s:here.there`

			`portcon tcp 80 system:object_r:system:low_s`

			`netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s`

			`nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here`
			`nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here`