RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-02-20 22:17:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
a75656b891
setools/tests/permmap.conf
Chris PeBenito 712138178f PermissionMap: implement policy mapping function. 
Also add unit tests for parsing functions.

closes #23
2015-03-18 10:16:15 -04:00

201 lines
3.5 KiB
Plaintext
Raw Blame History

class infoflow
class infoflow2
class infoflow3
class file
class process
class new_class
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super
new_perm
}
class infoflow3
{
null
}
class new_class
{
new_class_perm
}
class file
{
execute
entrypoint
}
class process
{
transition
}
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
################################################################################
# Note: these tests should be to determine if the graph
# is being constructed correctly. It is assumed that the
# graph algorithms being used are correct, as they are
# unit tested by the NetworkX project itself.
#
#
# Max steps for all flows: 6
#
# Graph if min weight is 8
#
#
# 4 -> 6 -> 7 d1 <-> d2
# ^
# 1 -> 2-/
#
# 3 5 -> 8 <-> 9
#
# Graph if min weight is 3
#
#
# 4 -> 6 -> 7 d1 <-> d2
# ^ |
# 1 -> 2-/ |
# \ v
# -> 3 5 -> 8 <-> 9
#
# Graph if min weight is 1
#
#
# 4 -> 6 -> 7 d1 <-> d2
# ^ |
# 1 -> 2-/ |
# \ v
# -> 3 -> 5 -> 8 <-> 9
#
#
#
attribute allnodes;
type node1, allnodes;
type node2, allnodes;
type node3, allnodes;
type node4, allnodes;
type node5, allnodes;
type node6, allnodes;
type node7, allnodes;
type node8, allnodes;
type node9, allnodes;
# no infoflow
allow allnodes allnodes:infoflow3 null;
# 1->2 (10, 5)
allow node1 node2:infoflow med_w;
allow node2 node1:infoflow hi_r;
# 1->3 (5, 1)
allow node3 node1:infoflow { low_r med_r };
# 2->4 (10)
allow node2 node4:infoflow hi_w;
# 3->5 (1)
allow node5 node3:infoflow low_r;
# 4->6 (10)
allow node4 node6:infoflow2 hi_w;
# 6->5 (5)
allow node5 node6:infoflow med_r;
# 6->7 (10)
allow node6 node7:infoflow hi_w;
# 5->8 (10)
allow node5 node8:infoflow2 hi_w;
# 8 <-> 9 (10)
allow node8 node9:infoflow2 super;
# disconnected from the main graph
# for testing the handling of no
# paths.
type disconnected1;
type disconnected2;
allow disconnected1 disconnected2:infoflow2 super;
# not an infoflow:
type disconnected3;
auditallow node1 disconnected3:infoflow hi_w;
# infoflow loop that should be ignored:
allow disconnected3 self:infoflow hi_w;
################################################################################
#users
user system roles system level med range low_s - high_s:here.lost;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
Reference in New Issue View Git Blame Copy Permalink