# Test policy for the netifcon query tests.
#
# Everything above the "# test N:" blocks is supporting scaffolding:
# object classes, MLS sensitivities/categories/levels, one MLS and one
# non-MLS constraint, the roles/types/users referenced by the netifcon
# statements, and the initial SIDs, fs_use_* and genfscon statements.
#
# Each "# test N:" comment records the query criteria (name, user, role,
# type, range) and the match mode (exact, regex, or the range relations
# equal/overlap/subset/superset/proper subset/proper superset) that the
# netifcon statement(s) following it are matched against. "unset" means
# that criterion is not used by the test.
#
# netifcon statement layout:
#   netifcon <interface> <interface context> <packet context>

# Object class declarations; the access vectors follow below.
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

# Initial SIDs; their contexts are assigned in the "#isids" section.
sid kernel
sid security

# Permissions shared by every class that "inherits infoflow".
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
super_w
super_r
}

class infoflow3
{
null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}

# MLS: seven sensitivities in a simple linear dominance order and five
# categories; every level admits the full category set c0.c4.
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;

dominance { s0 s1 s2 s3 s4 s5 s6 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;

#some constraints
# hi_r on infoflow requires the source level to dominate the target level,
# unless the source type carries the mls_exempt attribute (declared just
# below). Nothing in this file adds a type to mls_exempt, so the exemption
# branch is never satisfied here.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

# Base type and role used by nearly every context in this file.
type system;
role system;
role system types system;

# Roles for the role-criterion tests (test 20, test 21).
role role20_r;
role role21a_r;
role role21b_r;
role role21c_r;

role role20_r types system;
role role21a_r types system;
role role21b_r types system;
role role21c_r types system;

# Types for the type-criterion tests (test 30, test 31).
type type30;
type type31a;
type type31b;
type type31c;
role system types { type30 type31a type31b type31c };

# The only TE allow rule in this policy.
allow system self:infoflow hi_w;

#users
# user system may take every role and spans the whole s0 - s6 range;
# user10/user11* (tests 10 and 11) are limited to role system and the
# narrower range s0 - s2:c0.c4, which still covers the s0:c0.c1
# contexts used in their netifcon statements.
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
user user11c roles system level s0 range s0 - s2:c0.c4;

#normal constraints
# hi_w on infoflow requires source and target users to match.
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;

#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4

portcon tcp 80 system:object_r:system:s0

# test 1:
# name: test1, exact
# user: unset
# role: unset
# type: unset
# range: unset
netifcon test1 system:system:system:s0:c0.c4 system:object_r:system:s0

# test 2:
# name: test2(a|b), regex
# user: unset
# role: unset
# type: unset
# range: unset
netifcon test2a system:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test2b system:system:system:s0:c2.c4 system:object_r:system:s0

# test 10:
# name: unset
# user: user10, exact
# role: unset
# type: unset
# range: unset
netifcon test10 user10:system:system:s0:c0.c1 system:object_r:system:s0

# test 11:
# name: unset
# user: user11(a|b), regex
# role: unset
# type: unset
# range: unset
# test11c presumably exists as the entry the regex must NOT match.
netifcon test11a user11a:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test11b user11b:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test11c user11c:system:system:s0:c0.c1 system:object_r:system:s0

# test 20:
# name: unset
# user: unset
# role: role20_r, exact
# type: unset
# range: unset
netifcon test20 system:role20_r:system:s0:c0.c1 system:object_r:system:s0

# test 21:
# name: unset
# user: unset
# role: role21(a|c)_r, regex
# type: unset
# range: unset
# test21b presumably exists as the entry the regex must NOT match.
netifcon test21a system:role21a_r:system:s0:c0.c1 system:object_r:system:s0
netifcon test21b system:role21b_r:system:s0:c0.c1 system:object_r:system:s0
netifcon test21c system:role21c_r:system:s0:c0.c1 system:object_r:system:s0

# test 30:
# name: unset
# user: unset
# role: unset
# type: type30, exact
# range: unset
netifcon test30 system:system:type30:s0:c0.c1 system:object_r:system:s0

# test 31:
# name: unset
# user: unset
# role: unset
# type: type31(b|c), regex
# range: unset
# test31a presumably exists as the entry the regex must NOT match.
netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0
netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0
netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0

# Range tests (40-45): the interface context carries an explicit MLS
# range (low - high); the comment names the range relation the query
# checks. The range the query supplies is held by the test, not here.
# test 40:
# name: unset
# user: unset
# role: unset
# type: unset
# range: equal
netifcon test40 system:system:system:s0:c1 - s0:c0.c4 system:object_r:system:s0

# test 41:
# name: unset
# user: unset
# role: unset
# type: unset
# range: overlap
netifcon test41 system:system:system:s1:c1 - s1:c1.c3 system:object_r:system:s0

# test 42:
# name: unset
# user: unset
# role: unset
# type: unset
# range: subset
netifcon test42 system:system:system:s2:c1 - s2:c1.c3 system:object_r:system:s0

# test 43:
# name: unset
# user: unset
# role: unset
# type: unset
# range: superset
netifcon test43 system:system:system:s3:c1 - s3:c1.c3 system:object_r:system:s0

# test 44:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
netifcon test44 system:system:system:s4:c1 - s4:c1.c3 system:object_r:system:s0

# test 45:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
netifcon test45 system:system:system:s5:c1 - s5:c1.c3 system:object_r:system:s0

# Node contexts for the IPv4 and IPv6 loopback addresses; not exercised
# by the netifcon tests above.
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0