RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-02-23 15:47:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
2bd871ae18
setools/tests/terulequery.conf
Chris PeBenito cfbedfb9f3 tests: implement ValidateRule mixin 
Simplifies testing and uncovered a couple minor bugs in unit tests.
2015-04-03 14:48:25 -04:00

379 lines
7.1 KiB
Plaintext
Raw Blame History

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
########################################
#
# TE Rule Query
#
# test 1
# ruletype: unset
# source: test1a, direct, no regex
# target: unset
# class: unset
# perms: unset
attribute test1a;
type test1s, test1a;
type test1t;
type test1FAIL, test1a;
allow test1a test1t:infoflow hi_w;
allow test1FAIL self:infoflow hi_w;
# test 2
# ruletype: unset
# source: test2s, indirect, no regex
# target: unset
# class: unset
# perms: unset
attribute test2a;
type test2s, test2a;
type test2t;
allow test2a test2t:infoflow hi_w;
#allow test2s test2t:infoflow low_r;
# test 3
# ruletype: unset
# source: test3a.*, direct, regex
# target: unset
# class: unset
# perms: unset
attribute test3aS;
attribute test3b;
type test3s, test3aS;
type test3t;
type test3aFAIL, test3b;
allow test3s test3t:infoflow hi_w;
allow test3aS test3t:infoflow low_r;
allow test3b test3t:infoflow med_w;
# test 4
# ruletype: unset
# source: test4(s|t), indirect, regex
# target: unset
# class: unset
# perms: unset
attribute test4a1;
attribute test4a2;
type test4s1, test4a1;
type test4t1, test4a2;
type test4FAIL;
allow test4a1 test4a1:infoflow hi_w;
allow test4a2 test4a2:infoflow low_r;
allow test4FAIL self:infoflow med_w;
# test 5
# ruletype: unset
# source: unset
# target: test5a, direct, no regex
# class: unset
# perms: unset
attribute test5a;
type test5s;
type test5t, test5a;
allow test5s test5a:infoflow hi_w;
allow test5s test5t:infoflow hi_w;
# test 6
# ruletype: unset
# source: unset
# target: test6t, indirect, no regex
# class: unset
# perms: unset
attribute test6a;
type test6s;
type test6t, test6a;
allow test6s test6a:infoflow hi_w;
allow test6s test6t:infoflow low_r;
# test 7
# ruletype: unset
# source: unset
# target: test7a.*, direct, regex
# class: unset
# perms: unset
attribute test7aPASS;
attribute test7b;
type test7s;
type test7t, test7aPASS;
type test7aFAIL, test7b;
allow test7s test7t:infoflow hi_w;
allow test7s test7aPASS:infoflow low_r;
allow test7s test7b:infoflow med_w;
# test 8
# ruletype: unset
# source: unset
# target: test8(s|t), indirect, regex
# class: unset
# perms: unset
attribute test8a1;
attribute test8a2;
type test8s1, test8a1;
type test8t1, test8a2;
type test8FAIL;
allow test8a1 test8a1:infoflow hi_w;
allow test8a2 test8a2:infoflow low_r;
allow test8FAIL self:infoflow med_w;
# test 9
# ruletype: unset
# source: unset
# target: unset
# class: infoflow2, no regex
# perms: unset
type test9;
allow test9 self:infoflow hi_w;
allow test9 self:infoflow2 super_w;
# test 10
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# perms: unset
type test10;
allow test10 self:infoflow hi_w;
allow test10 self:infoflow4 hi_w;
allow test10 self:infoflow3 null;
# test 11
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# perms: unset
type test11;
allow test11 self:infoflow hi_w;
allow test11 self:infoflow5 low_w;
allow test11 self:infoflow6 med_r;
# test 12
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: super_r, any
type test12a;
type test12b;
allow test12a self:infoflow7 super_r;
allow test12b self:infoflow7 { super_r super_none };
# test 13
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: super_w,super_none,super_both equal
type test13a;
type test13b;
type test13c;
type test13d;
allow test13a self:infoflow7 super_w;
allow test13b self:infoflow7 { super_w super_none };
allow test13c self:infoflow7 { super_w super_none super_both };
allow test13d self:infoflow7 { super_w super_none super_both super_unmapped };
# test 14
# ruletype: dontaudit,auditallow
# source: unset
# target: unset
# class: unset
# perms: unset
type test14;
auditallow test14 self:infoflow7 super_both;
dontaudit test14 self:infoflow7 super_unmapped;
# test 100
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test100d
type test100;
type test100d;
type_transition test100 test100:infoflow7 test100d;
# test 101
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test101.
type test101;
type test101d;
type test101e;
type_transition test101 test101d:infoflow7 test101e;
type_transition test101 test101e:infoflow7 test101d;
# test 200
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test200
type test200t1;
type test200t2;
bool test200 false;
bool test200a true;
if (test200) {
allow test200t1 self:infoflow7 super_w;
}
if (test200 && test200a) {
allow test200t2 self:infoflow7 super_w;
}
# test 201
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test201a test201b
type test201t1;
type test201t2;
bool test201a false;
bool test201b true;
if (test201a) {
allow test201t1 self:infoflow7 super_w;
}
if (test201b) {
allow test201t2 self:infoflow7 super_w;
}
if (test201a && test201b) {
allow test201t1 self:infoflow7 super_unmapped;
}
# test 202
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test202(a|b)
type test202t1;
type test202t2;
bool test202a false;
bool test202b true;
bool test202c true;
if (test202a) {
allow test202t1 self:infoflow7 super_none;
}
if (test202c) {
allow test202t2 self:infoflow7 super_both;
}
if (test202c || test202b) {
allow test202t2 self:infoflow7 super_unmapped;
}
################################################################################
#users
user system roles system level med range low_s - high_s:here.lost;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
Reference in New Issue View Git Blame Copy Permalink