class infoflow class infoflow2 class infoflow3 class infoflow4 class infoflow5 class infoflow6 class infoflow7 sid kernel sid security common infoflow { low_w med_w hi_w low_r med_r hi_r } class infoflow inherits infoflow class infoflow2 inherits infoflow { super_w super_r } class infoflow3 { null } class infoflow4 inherits infoflow class infoflow5 inherits infoflow class infoflow6 inherits infoflow class infoflow7 inherits infoflow { super_w super_r super_none super_both super_unmapped } sensitivity s0; sensitivity s1; sensitivity s2; sensitivity s3; sensitivity s4; sensitivity s5; sensitivity s6; dominance { s0 s1 s2 s3 s4 s5 s6 } category c0; category c1; category c2; category c3; category c4; #level decl level s0:c0.c4; level s1:c0.c4; level s2:c0.c4; level s3:c0.c4; level s4:c0.c4; level s5:c0.c4; level s6:c0.c4; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); attribute mls_exempt; type system; role system; role system types system; role role30_r; role role31a_r; role role31b_r; role role31c_r; role role30_r types system; role role31a_r types system; role role31b_r types system; role role31c_r types system; type type40; type type41a; type type41b; type type41c; role system types { type40 type41a type41b type41c }; ################################################################################ # Type enforcement declarations and rules ################################################################################ #users user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4; user user20 roles system level s0 range s0 - s2:c0.c4; user user21a roles system level s0 range s0 - s2:c0.c4; user user21b roles system level s0 range s0 - s2:c0.c4; user user21c roles system level s0 range s0 - s2:c0.c4; #normal constraints constrain infoflow hi_w (u1 == u2); #isids sid kernel system:system:system:s0 sid security system:system:system:s0 #fs_use fs_use_trans devpts system:object_r:system:s0; fs_use_xattr ext3 system:object_r:system:s0; fs_use_task pipefs system:object_r:system:s0; #genfscon # test 1: # fs: test1, exact # path: unset # user: unset # role: unset # type: unset # range: unset genfscon test1 / system:system:system:s0:c0.c4 # test 2: # fs: test2(a|b), regex # path: unset # user: unset # role: unset # type: unset # range: unset genfscon test2a / system:system:system:s0:c0.c1 genfscon test2b / system:system:system:s0:c2.c4 # test 10: # fs: unset # path: /sys, exact # user: unset # role: unset # type: unset # range: unset genfscon test10 /sys system:system:system:s0:c2.c4 # test 11: # fs: unset # path: /(spam|eggs), regex # user: unset # role: unset # type: unset # range: unset genfscon test11a /spam system:system:system:s0:c2.c4 genfscon test11b /eggs system:system:system:s0:c2.c4 genfscon test11c /FAIL system:system:system:s0:c2.c4 # test 20: # fs: unset # path: unset # user: user20, exact # role: unset # type: unset # range: unset genfscon test20 / user20:system:system:s0:c0.c1 # test 21: # fs: unset # path: unset # user: user21(a|b), regex # role: unset # type: unset # range: unset genfscon test21a / user21a:system:system:s0:c0.c1 genfscon test21b / user21b:system:system:s0:c0.c1 genfscon test21c / user21c:system:system:s0:c0.c1 # test 30: # fs: unset # path: unset # user: unset # role: role30_r, exact # type: unset # range: unset genfscon test30 / system:role30_r:system:s0:c0.c1 # test 31: # fs: unset # path: unset # user: unset # role: role30(a|c)_r, regex # type: unset # range: unset genfscon test31a / system:role31a_r:system:s0:c0.c1 genfscon test31b / system:role31b_r:system:s0:c0.c1 genfscon test31c / system:role31c_r:system:s0:c0.c1 # test 40: # fs: unset # path: unset # user: unset # role: unset # type: type40 # range: unset genfscon test40 / system:system:type40:s0:c0.c1 # test 41: # fs: unset # path: unset # user: unset # role: unset # type: type41(b|c) # range: unset genfscon test41a / system:system:type41a:s0:c0.c1 genfscon test41b / system:system:type41b:s0:c0.c1 genfscon test41c / system:system:type41c:s0:c0.c1 # test 50: # fs: unset # filetype: -b # path: unset # user: unset # role: unset # type: unset # range: unset genfscon test50f / -- system:system:system:s0:c0.c4 genfscon test50b / -b system:system:system:s0:c0.c4 genfscon test50c / -c system:system:system:s0:c0.c4 genfscon test50s / -s system:system:system:s0:c0.c4 genfscon test50l / -l system:system:system:s0:c0.c4 genfscon test50p / -p system:system:system:s0:c0.c4 genfscon test50d / -d system:system:system:s0:c0.c4 # test 60: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: equal genfscon test60 / system:system:system:s0:c1 - s0:c0.c4 # test 61: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: overlap genfscon test61 / system:system:system:s1:c1 - s1:c1.c3 # test 62: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: subset genfscon test62 / system:system:system:s2:c1 - s2:c1.c3 # test 63: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: superset genfscon test63 / system:system:system:s3:c1 - s3:c1.c3 # test 64: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: proper subset genfscon test64 / system:system:system:s4:c1 - s4:c1.c3 # test 65: # fs: unset # filetype: unset # path: unset # user: unset # role: unset # type: unset # range: proper superset genfscon test65 / system:system:system:s5:c1 - s5:c1.c3 portcon tcp 80 system:object_r:system:s0 netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0