setools/tests/genfsconquery.conf

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
    low_w
    med_w
    hi_w
    low_r
    med_r
    hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
    super_w
    super_r
}

class infoflow3
{
    null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
    super_w
    super_r
    super_none
    super_both
    super_unmapped
}

sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;

dominance { s0 s1 s2 s3 s4 s5 s6 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;


#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;

role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;

type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };

################################################################################
# Type enforcement declarations and rules



################################################################################

#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;

#genfscon
# test 1:
# fs: test1, exact
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test1 / system:system:system:s0:c0.c4

# test 2:
# fs: test2(a|b), regex
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test2a / system:system:system:s0:c0.c1
genfscon test2b / system:system:system:s0:c2.c4

# test 10:
# fs: unset
# path: /sys, exact
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test10 /sys system:system:system:s0:c2.c4

# test 11:
# fs: unset
# path: /(spam|eggs), regex
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test11a /spam system:system:system:s0:c2.c4
genfscon test11b /eggs system:system:system:s0:c2.c4
genfscon test11c /FAIL system:system:system:s0:c2.c4

# test 20:
# fs: unset
# path: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
genfscon test20 / user20:system:system:s0:c0.c1

# test 21:
# fs: unset
# path: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
genfscon test21a / user21a:system:system:s0:c0.c1
genfscon test21b / user21b:system:system:s0:c0.c1
genfscon test21c / user21c:system:system:s0:c0.c1

# test 30:
# fs: unset
# path: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
genfscon test30 / system:role30_r:system:s0:c0.c1

# test 31:
# fs: unset
# path: unset
# user: unset
# role: role30(a|c)_r, regex
# type: unset
# range: unset
genfscon test31a / system:role31a_r:system:s0:c0.c1
genfscon test31b / system:role31b_r:system:s0:c0.c1
genfscon test31c / system:role31c_r:system:s0:c0.c1

# test 40:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type40
# range: unset
genfscon test40 / system:system:type40:s0:c0.c1

# test 41:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
genfscon test41a / system:system:type41a:s0:c0.c1
genfscon test41b / system:system:type41b:s0:c0.c1
genfscon test41c / system:system:type41c:s0:c0.c1

# test 50:
# fs: unset
# filetype: -b
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test50f / -- system:system:system:s0:c0.c4
genfscon test50b / -b system:system:system:s0:c0.c4
genfscon test50c / -c system:system:system:s0:c0.c4
genfscon test50s / -s system:system:system:s0:c0.c4
genfscon test50l / -l system:system:system:s0:c0.c4
genfscon test50p / -p system:system:system:s0:c0.c4
genfscon test50d / -d system:system:system:s0:c0.c4

# test 60:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: equal
genfscon test60 / system:system:system:s0:c1 - s0:c0.c4

# test 61:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: overlap
genfscon test61 / system:system:system:s1:c1 - s1:c1.c3

# test 62:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: subset
genfscon test62 / system:system:system:s2:c1 - s2:c1.c3

# test 63:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: superset
genfscon test63 / system:system:system:s3:c1 - s3:c1.c3

# test 64:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
genfscon test64 / system:system:system:s4:c1 - s4:c1.c3

# test 65:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
genfscon test65 / system:system:system:s5:c1 - s5:c1.c3

portcon tcp 80 system:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0