mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-25 04:26:28 +00:00
4798e10706
Python 3.3's IPv6Network constructor does not support an expanded netmask for specifying the network, only CIDR. Convert all netmasks to CIDR. The code does not verify that the orignal expanded netmask from the policy is correct; it counts all set bits in the netmask. Also add IPv6 NodeconQuery unit tests.
219 lines
4.2 KiB
Plaintext
219 lines
4.2 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class infoflow6
|
|
class infoflow7
|
|
|
|
sid kernel
|
|
sid security
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
sensitivity s0;
|
|
sensitivity s1;
|
|
sensitivity s2;
|
|
|
|
dominance { s0 s1 s2 }
|
|
|
|
category c0;
|
|
category c1;
|
|
category c2;
|
|
category c3;
|
|
category c4;
|
|
|
|
#level decl
|
|
level s0:c0.c4;
|
|
level s1:c0.c4;
|
|
level s2:c0.c4;
|
|
|
|
|
|
#some constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
role role30_r;
|
|
role role31a_r;
|
|
role role31b_r;
|
|
role role31c_r;
|
|
|
|
role role30_r types system;
|
|
role role31a_r types system;
|
|
role role31b_r types system;
|
|
role role31c_r types system;
|
|
|
|
type type40;
|
|
type type41a;
|
|
type type41b;
|
|
type type41c;
|
|
role system types { type40 type41a type41b type41c };
|
|
|
|
################################################################################
|
|
# Type enforcement declarations and rules
|
|
|
|
|
|
|
|
################################################################################
|
|
|
|
#users
|
|
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;
|
|
user user20 roles system level s0 range s0 - s2:c0.c4;
|
|
user user21a roles system level s0 range s0 - s2:c0.c4;
|
|
user user21b roles system level s0 range s0 - s2:c0.c4;
|
|
user user21c roles system level s0 range s0 - s2:c0.c4;
|
|
|
|
#normal constraints
|
|
constrain infoflow hi_w (u1 == u2);
|
|
|
|
#isids
|
|
sid kernel system:system:system:s0
|
|
sid security system:system:system:s0
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:s0;
|
|
fs_use_xattr ext3 system:object_r:system:s0;
|
|
fs_use_task pipefs system:object_r:system:s0;
|
|
|
|
#genfscon
|
|
genfscon proc / system:object_r:system:s1
|
|
genfscon proc /sys system:object_r:system:s0
|
|
genfscon selinuxfs / system:object_r:system:s2:c0.c4
|
|
|
|
portcon tcp 80 system:object_r:system:s0
|
|
|
|
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
|
|
|
|
# test 20:
|
|
# network: unset
|
|
# user: user20, exact
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.20.1 255.255.255.255 user20:system:system:s0:c0.c1
|
|
|
|
# test 21:
|
|
# network: unset
|
|
# user: user21(a|b), regex
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.21.1 255.255.255.255 user21a:system:system:s0:c0.c1
|
|
nodecon 10.1.21.2 255.255.255.255 user21b:system:system:s0:c0.c1
|
|
nodecon 10.1.21.3 255.255.255.255 user21c:system:system:s0:c0.c1
|
|
|
|
# test 30:
|
|
# network: unset
|
|
# user: unset
|
|
# role: role30_r, exact
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.30.1 255.255.255.255 system:role30_r:system:s0:c0.c1
|
|
|
|
# test 31:
|
|
# network: unset
|
|
# user: unset
|
|
# role: role30(a|c)_r, regex
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.31.1 255.255.255.255 system:role31a_r:system:s0:c0.c1
|
|
nodecon 10.1.31.2 255.255.255.255 system:role31b_r:system:s0:c0.c1
|
|
nodecon 10.1.31.3 255.255.255.255 system:role31c_r:system:s0:c0.c1
|
|
|
|
# test 40:
|
|
# network: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type40
|
|
# range: unset
|
|
nodecon 10.1.40.1 255.255.255.255 system:system:type40:s0:c0.c1
|
|
|
|
# test 41:
|
|
# network: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type41(b|c)
|
|
# range: unset
|
|
nodecon 10.1.41.1 255.255.255.255 system:system:type41a:s0:c0.c1
|
|
nodecon 10.1.41.2 255.255.255.255 system:system:type41b:s0:c0.c1
|
|
nodecon 10.1.41.3 255.255.255.255 system:system:type41c:s0:c0.c1
|
|
|
|
# test 100:
|
|
# network: 10.1.100.0/24, equal
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.100.0 255.255.255.0 system:system:system:s0:c0.c1
|
|
|
|
# test 101:
|
|
# network: 10.1.101.128/25, overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 10.1.101.0 255.255.255.0 system:system:system:s0:c0.c1
|
|
|
|
# test 110:
|
|
# network: 1100::/16, equal
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 1100:: ffff:: system:system:system:s0:c0.c1
|
|
|
|
# test 111:
|
|
# network: 1110:8000::/17, overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
nodecon 1110:: ffff:: system:system:system:s0:c0.c1
|