mirror of
https://github.com/SELinuxProject/setools
synced 2025-01-30 19:51:39 +00:00
403 lines
7.2 KiB
Plaintext
403 lines
7.2 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class infoflow6
|
|
class infoflow7
|
|
|
|
sid kernel
|
|
sid security
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
sensitivity s0;
|
|
sensitivity s1;
|
|
sensitivity s2;
|
|
sensitivity s3;
|
|
sensitivity s4;
|
|
sensitivity s5;
|
|
sensitivity s6;
|
|
|
|
dominance { s0 s1 s2 s3 s4 s5 s6 }
|
|
|
|
category c0;
|
|
category c1;
|
|
category c2;
|
|
category c3;
|
|
category c4;
|
|
|
|
#level decl
|
|
level s0:c0.c4;
|
|
level s1:c0.c4;
|
|
level s2:c0.c4;
|
|
level s3:c0.c4;
|
|
level s4:c0.c4;
|
|
level s5:c0.c4;
|
|
level s6:c0.c4;
|
|
|
|
#some constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
role role20_r;
|
|
role role21a_r;
|
|
role role21b_r;
|
|
role role21c_r;
|
|
|
|
role role20_r types system;
|
|
role role21a_r types system;
|
|
role role21b_r types system;
|
|
role role21c_r types system;
|
|
|
|
type type30;
|
|
type type31a;
|
|
type type31b;
|
|
type type31c;
|
|
role system types { type30 type31a type31b type31c };
|
|
|
|
allow system self:infoflow hi_w;
|
|
|
|
#users
|
|
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
|
|
user user10 roles system level s0 range s0 - s2:c0.c4;
|
|
user user11a roles system level s0 range s0 - s2:c0.c4;
|
|
user user11b roles system level s0 range s0 - s2:c0.c4;
|
|
user user11c roles system level s0 range s0 - s2:c0.c4;
|
|
|
|
#normal constraints
|
|
constrain infoflow hi_w (u1 == u2);
|
|
|
|
#isids
|
|
sid kernel system:system:system:s0
|
|
sid security system:system:system:s0
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:s0;
|
|
fs_use_xattr ext3 system:object_r:system:s0;
|
|
fs_use_task pipefs system:object_r:system:s0;
|
|
|
|
#genfscon
|
|
genfscon proc / system:object_r:system:s1
|
|
genfscon proc /sys system:object_r:system:s0
|
|
genfscon selinuxfs / system:object_r:system:s2:c0.c4
|
|
|
|
# test 1:
|
|
# protocol: UDP
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon udp 1 system:system:system:s0:c0.c1
|
|
|
|
# test 10:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: user10, exact
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 10 user10:system:system:s0:c0.c1
|
|
|
|
# test 11:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: user11(a|b), regex
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 11 user11a:system:system:s0:c0.c1
|
|
portcon tcp 11000 user11b:system:system:s0:c0.c1
|
|
portcon tcp 11001 user11c:system:system:s0:c0.c1
|
|
|
|
# test 20:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: role20_r, exact
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 20 system:role20_r:system:s0:c0.c1
|
|
|
|
# test 21:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: role20(a|c)_r, regex
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 21 system:role21a_r:system:s0:c0.c1
|
|
portcon tcp 21000 system:role21b_r:system:s0:c0.c1
|
|
portcon tcp 21001 system:role21c_r:system:s0:c0.c1
|
|
|
|
# test 30:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type30
|
|
# range: unset
|
|
portcon tcp 30 system:system:type30:s0:c0.c1
|
|
|
|
# test 31:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type31(b|c)
|
|
# range: unset
|
|
portcon tcp 31 system:system:type31a:s0:c0.c1
|
|
portcon tcp 31000 system:system:type31b:s0:c0.c1
|
|
portcon tcp 31001 system:system:type31c:s0:c0.c1
|
|
|
|
# test 40:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: equal
|
|
portcon tcp 40 system:system:system:s0:c1 - s0:c0.c4
|
|
|
|
# test 41:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: overlap
|
|
portcon tcp 41 system:system:system:s1:c1 - s1:c1.c3
|
|
|
|
# test 42:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: subset
|
|
portcon tcp 42 system:system:system:s2:c1 - s2:c1.c3
|
|
|
|
# test 43:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: superset
|
|
portcon tcp 43 system:system:system:s3:c1 - s3:c1.c3
|
|
|
|
# test 44:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: proper subset
|
|
portcon tcp 44 system:system:system:s4:c1 - s4:c1.c3
|
|
|
|
# test 45:
|
|
# protocol: unset
|
|
# ports: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: proper superset
|
|
portcon tcp 45 system:system:system:s5:c1 - s5:c1.c3
|
|
|
|
# test 50:
|
|
# protocol: unset
|
|
# ports: (50, 50)
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50 system:system:system:s0:c0.c1
|
|
|
|
# test 51:
|
|
# protocol: unset
|
|
# ports: (50100, 50110)
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50100-50110 system:system:system:s0:c0.c1
|
|
|
|
# test 52:
|
|
# protocol: unset
|
|
# ports: (50200, 50200), subset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50200 system:system:system:s0:c0.c1
|
|
|
|
# test 53:
|
|
# protocol: unset
|
|
# ports: (50301, 50309), subset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50300-50310 system:system:system:s0:c0.c1
|
|
|
|
# test 54:
|
|
# protocol: unset
|
|
# ports: (50400, 50400), proper subset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50400 system:system:system:s0:c0.c1
|
|
|
|
# test 55:
|
|
# protocol: unset
|
|
# ports: (50501, 50509), proper subset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50500-50510 system:system:system:s0:c0.c1
|
|
|
|
# test 56:
|
|
# protocol: unset
|
|
# ports: (50600, 50602), superset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50601 system:system:system:s0:c0.c1
|
|
|
|
# test 57:
|
|
# protocol: unset
|
|
# ports: (50700, 50711), superset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50700-50710 system:system:system:s0:c0.c1
|
|
|
|
# test 58:
|
|
# protocol: unset
|
|
# ports: (50600, 50602), proper superset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50801 system:system:system:s0:c0.c1
|
|
|
|
# test 59:
|
|
# protocol: unset
|
|
# ports: (50900, 50911), proper superset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 50901-50910 system:system:system:s0:c0.c1
|
|
|
|
# test 60:
|
|
# protocol: unset
|
|
# ports: (60001, 60001), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60001 system:system:system:s0:c0.c1
|
|
|
|
# test 61:
|
|
# protocol: unset
|
|
# ports: (60100, 60105), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60101-60110 system:system:system:s0:c0.c1
|
|
|
|
# test 62:
|
|
# protocol: unset
|
|
# ports: (60205, 60211), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60200-60210 system:system:system:s0:c0.c1
|
|
|
|
# test 63:
|
|
# protocol: unset
|
|
# ports: (60305, 60308), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60300-60310 system:system:system:s0:c0.c1
|
|
|
|
# test 64:
|
|
# protocol: unset
|
|
# ports: (60400, 60410), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60400-60410 system:system:system:s0:c0.c1
|
|
|
|
# test 65:
|
|
# protocol: unset
|
|
# ports: (60500, 60510), overlap
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
portcon tcp 60501-60509 system:system:system:s0:c0.c1
|
|
|
|
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
|
|
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
|
|
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
|
|
|