# Object class declarations for the constraint-query fixture.
# Each class is given its permissions further down, either through
# "inherits test" or through its own "{ ... }" permission list.
# The numeric part of a class name matches the "# test N" case that uses it.
class test1
class test10
class test11a
class test11b
class test11c
class test12a
class test12b
class test12c
class test20a
class test20b
class test20c
class test21a
class test21b
class test21c
class test30
class test31a
class test31b
class test40
class test41a
class test41b
class test50
class test51a
class test51b
# Initial SID declarations. Only the names are declared here; their
# security contexts are assigned by the "sid <name> <context>" statements
# near the end of the file.
sid kernel
sid security
# Common permission set. Every class declared with "inherits test" receives
# these six permissions; the constraints below refer to hi_w and hi_r.
common test
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}
# Access vectors: classes that take their permissions from the common "test".
class test1
inherits test

class test10
inherits test

class test11a
inherits test

class test11b
inherits test

class test11c
inherits test

class test12a
inherits test

class test12b
inherits test

class test12c
inherits test

# Classes for the permission-matching cases (tests 20 and 21). They do not
# inherit the common set; each defines exactly two class-specific permissions.
class test20a
{
	test20ap
	test20bp
}

class test20b
{
	test20ap
	test20bp
}

class test20c
{
	test20ap
	test20bp
}

class test21a
{
	test21ap
	test21bp
}

class test21b
{
	test21ap
	test21bp
}

class test21c
{
	test21ap
	test21bp
}

# Remaining classes (role, type and user cases) inherit the common set.
class test30
inherits test

class test31a
inherits test

class test31b
inherits test

class test40
inherits test

class test41a
inherits test

class test41b
inherits test

class test50
inherits test

class test51a
inherits test

class test51b
inherits test
# MLS sensitivities. "med" is an alias for medium_s and is the name used in
# the dominance and level statements below.
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

# Dominance order, lowest to highest.
dominance { low_s med high_s }

# MLS categories, in declaration order. "lost" is an alias for elsewhere.
category here;
category there;
category elsewhere alias lost;

# Categories permitted with each sensitivity.
# "a.b" is a category range, "a, b" is an explicit list:
#   low_s  : here through there
#   med    : here and elsewhere (not there)
#   high_s : here through lost (= elsewhere), i.e. all three categories
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
# test 1:
# ruletype: mlsconstrain
# tclass: unset
# perms: unset
#
# The only mlsconstrain rule in this file, so a query filtered on rule type
# alone should return it and none of the constrain/validatetrans rules.
# The expression permits hi_r on test1 when the source's low level dominates
# the target's low level, or when the source type carries the mls_exempt
# attribute. The second clause is an MLS bypass for every type given that
# attribute; no type declaration in this file assigns it.
mlsconstrain test1 hi_r ((l1 dom l2) or (t1 == mls_exempt));
# Type attribute referenced by the test 1 mlsconstrain exemption clause.
attribute mls_exempt;

# Baseline type and role used in every security context in this file.
type system;
role system;
role system types system;

# Role named in the test 30 constraint expression.
role test30r;
role test30r types system;

# Roles named in the test 31 expressions (matched by regex in that case).
role test31ra;
role test31ra types system;
role test31rb;
role test31rb types system;

# Types named in the test 40 and test 41 constraint expressions.
type test40t;
type test41ta;
type test41tb;

# Users. All share the same authorization: role system, default level med,
# and a range from low_s up to high_s with categories here through lost.
# test50u, test51u1 and test51u2 are the names used by tests 50 and 51.
user system roles system level med range low_s - high_s:here.lost;
user test50u roles system level med range low_s - high_s:here.lost;
user test51u1 roles system level med range low_s - high_s:here.lost;
user test51u2 roles system level med range low_s - high_s:here.lost;
# test 10:
# ruletype: unset
# tclass: test10
# perms: unset
# role: unset
# type: unset
# user: unset
#
# Exact class-name match. The rule permits hi_w on test10 only when the
# source and target contexts have the same SELinux user.
constrain test10 hi_w (u1 == u2);
# test 11:
# ruletype: unset
# tclass: test11a, test11b
# perms: unset
# role: unset
# type: unset
# user: unset
#
# Class-list match. test11c carries an identical rule but is not in the
# listed classes, so it presumably serves as the non-matching control.
constrain test11a hi_w (u1 == u2);
constrain test11b hi_w (u1 == u2);
constrain test11c hi_w (u1 == u2);
# test 12:
# ruletype: unset
# tclass: test12(a|c), regex
# perms: unset
# role: unset
# type: unset
# user: unset
#
# Class regex match. The pattern selects test12a and test12c; test12b has an
# identical rule and presumably serves as the non-matching control.
# NOTE(review): the header previously read "intoflow12(a|c)", which matches
# no class declared in this file; corrected to the test12 prefix — confirm
# against the test that consumes this fixture.
constrain test12a hi_w (u1 == u2);
constrain test12b hi_w (u1 == u2);
constrain test12c hi_w (u1 == u2);
# test 20:
# ruletype: unset
# tclass: unset
# perms: test20ap, test20bp
# role: unset
# type: unset
# user: unset
#
# Permission-set match. Each rule constrains one of the two listed
# permissions. Class test20c is declared with the same permissions but has
# no constraint at all, so those permissions are unconstrained on it.
constrain test20a test20ap (u1 == u2);
constrain test20b test20bp (u1 == u2);
# test 21:
# ruletype: unset
# tclass: unset
# perms: test21ap, test21bp, equal
# role: unset
# type: unset
# user: unset
#
# Permission-set equality match. Only the test21c rule lists both
# permissions; the test21a and test21b rules each list a single one.
constrain test21a test21ap (u1 == u2);
constrain test21b test21bp (u1 == u2);
constrain test21c { test21bp test21ap } (u1 == u2);
# test 30:
# ruletype: unset
# tclass: unset
# perms: unset
# role: test30r
# type: unset
# user: unset
#
# Match on a role named in the expression. The "or" clause is an exemption:
# a source running in role test30r satisfies the constraint even when the
# source and target users differ.
constrain test30 hi_w (u1 == u2 or r1 == test30r);
# test 31:
# ruletype: unset
# tclass: unset
# perms: unset
# role: test31r. regex
# type: unset
# user: unset
#
# Role regex match; the pattern covers both test31ra and test31rb.
# The first rule is a constrain on hi_w that names test31ra via r1; the
# second is a validatetrans (no permission list) that names test31rb via r2.
constrain test31a hi_w (u1 == u2 or r1 == test31ra);
validatetrans test31b (u1 == u2 or r2 == test31rb);
# test 40:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: test40
# user: unset
#
# Match on a type named in the expression.
# NOTE(review): the header says "test40" but the type declared and used in
# the rule is test40t — confirm which name the test queries for.
# The "or" clause exempts any source of type test40t from the user check.
constrain test40 hi_w (u1 == u2 or t1 == test40t);
# test 41:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: test41. regex
# user: unset
#
# Type regex match; the pattern covers test41ta and test41tb.
# The two rules differ in which side of the access the type is tested on:
# t1 (source) in the first, t2 (target) in the second.
constrain test41a hi_w (u1 == u2 or t1 == test41ta);
constrain test41b hi_w (u1 == u2 or t2 == test41tb);
# test 50:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: unset
# user: test50
#
# Match on a user named in the expression.
# NOTE(review): the header says "test50" but the user declared and used in
# the rule is test50u — confirm which name the test queries for.
# The "or" clause exempts source user test50u from the same-user check.
constrain test50 hi_w (u1 == u2 or u1 == test50u);
# test 51:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: unset
# user: test51u. regex
#
# User regex match; the pattern covers test51u1 and test51u2.
# The first rule names its user on the source side (u1), the second on the
# target side (u2).
constrain test51a hi_w (u1 == u2 or u1 == test51u1);
constrain test51b hi_w (u1 == u2 or u2 == test51u2);
#isids
# Security contexts for the two initial SIDs declared near the top of the
# file. Both use user/role/type "system"; kernel is labeled at medium_s with
# category here, security at high_s with category lost (alias of elsewhere).
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
# One statement for each of the three fs_use labeling behaviors
# (trans, xattr, task), each paired with a context at low_s and no
# categories.
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
# Path-based contexts for two filesystem types. The two proc entries
# give "/" and "/sys" different sensitivities (med and low_s); selinuxfs is
# labeled at high_s with categories here through there.
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
# Network object contexts.
# portcon: context for TCP port 80.
portcon tcp 80 system:object_r:system:low_s

# netifcon: two contexts for eth0, the interface context followed by the
# packet context.
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

# nodecon: address, mask, context. Both masks are all-ones, so each entry
# covers exactly one host: the IPv4 and IPv6 loopback addresses.
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here