class infoflow class infoflow2 class infoflow3 class infoflow4 class infoflow5 class infoflow6 class infoflow7 sid kernel sid security common infoflow { low_w med_w hi_w low_r med_r hi_r } class infoflow inherits infoflow class infoflow2 inherits infoflow { super_w super_r } class infoflow3 { null } class infoflow4 inherits infoflow class infoflow5 inherits infoflow class infoflow6 inherits infoflow class infoflow7 inherits infoflow { super_w super_r super_none super_both super_unmapped } sensitivity low_s; sensitivity medium_s alias med; sensitivity high_s; dominance { low_s med high_s } category here; category there; category elsewhere alias lost; #level decl level low_s:here.there; level med:here, elsewhere; level high_s:here.lost; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); attribute mls_exempt; type system; role system; role system types system; ################################################################################ # Type enforcement declarations and rules allow system system:infoflow3 null; ######################################## # # Role Query # # test 1 # name: test1 # types: unset role test1; # test 2 # name: test2(a|b) regex # types: unset role test2a; role test2b; # test 10 # name: unset # types: test10a,test10b type test10a; type test10b; type test10c; role test10r1; role test10r2; role test10r3; role test10r4; role test10r5; role test10r6; role test10r7; role test10r1 types test10a; role test10r2 types { test10a test10b }; role test10r3 types { test10a test10b test10c }; role test10r4 types { test10b test10c }; role test10r5 types { test10a test10c }; role test10r6 types test10b; role test10r7 types test10c; # test 11 # name: unset # types: test11a,test11b equal type test11a; type test11b; type test11c; role test11r1; role test11r2; role test11r3; role test11r4; role test11r5; role test11r6; role test11r7; role test11r1 types test11a; role test11r2 types { test11a test11b }; role test11r3 types { test11a test11b test11c }; role test11r4 types { test11b test11c }; role test11r5 types { test11a test11c }; role test11r6 types test11b; role test11r7 types test11c; # test 12 # name: unset # types: test12(a|b) regex type test12a; type test12b; type test12c; role test12r1; role test12r2; role test12r3; role test12r4; role test12r5; role test12r6; role test12r7; role test12r1 types test12a; role test12r2 types { test12a test12b }; role test12r3 types { test12a test12b test12c }; role test12r4 types { test12b test12c }; role test12r5 types { test12a test12c }; role test12r6 types test12b; role test12r7 types test12c; ################################################################################ #users user system roles system level med range low_s - high_s:here.lost; #normal constraints constrain infoflow hi_w (u1 == u2); #isids sid kernel system:system:system:medium_s:here sid security system:system:system:high_s:lost #fs_use fs_use_trans devpts system:object_r:system:low_s; fs_use_xattr ext3 system:object_r:system:low_s; fs_use_task pipefs system:object_r:system:low_s; #genfscon genfscon proc / system:object_r:system:med genfscon proc /sys system:object_r:system:low_s genfscon selinuxfs / system:object_r:system:high_s:here.there portcon tcp 80 system:object_r:system:low_s netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here