mirror of
https://github.com/SELinuxProject/setools
synced 2025-02-22 15:16:58 +00:00
170 lines
2.9 KiB
Plaintext
170 lines
2.9 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class infoflow6
|
|
class infoflow7
|
|
|
|
sid kernel
|
|
sid security
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
sensitivity sens;
|
|
|
|
# test1
|
|
# name: test1
|
|
# alias: unset
|
|
# sens: unset
|
|
sensitivity test1;
|
|
|
|
# test2
|
|
# name: test2(a|b)
|
|
# alias: unset
|
|
# sens: unset
|
|
sensitivity test2a;
|
|
sensitivity test2b;
|
|
|
|
# test 10
|
|
# name: unset
|
|
# alias: test10a
|
|
# sens: unset
|
|
sensitivity test10s1 alias { test10a test10c };
|
|
sensitivity test10s2 alias { test10b test10d };
|
|
|
|
# test 11
|
|
# name: unset
|
|
# alias: test11(a|b)
|
|
# sens: unset
|
|
sensitivity test11s1 alias { test11a test11c };
|
|
sensitivity test11s2 alias { test11b test11d };
|
|
sensitivity test11s3 alias { test11e test11f };
|
|
|
|
|
|
# test 20
|
|
# name: unset
|
|
# alias: unset
|
|
# sens: test20
|
|
sensitivity test20;
|
|
|
|
# test 21
|
|
# name: unset
|
|
# alias: unset
|
|
# sens: test21crit, dom
|
|
sensitivity test21;
|
|
sensitivity test21crit;
|
|
|
|
# test 22
|
|
# name: unset
|
|
# alias: unset
|
|
# sens: test22crit, domby
|
|
sensitivity test22;
|
|
sensitivity test22crit;
|
|
|
|
dominance { test21 test21crit test1 test2a test2b test10s1 sens test10s2 test11s1 test11s2 test11s3 test20 test22crit test22 }
|
|
|
|
category begin;
|
|
category end;
|
|
|
|
#level decl
|
|
level sens:begin.end;
|
|
level test1;
|
|
level test2a;
|
|
level test2b;
|
|
level test10s1;
|
|
level test10s2;
|
|
level test11s1;
|
|
level test11s2;
|
|
level test11s3;
|
|
level test20;
|
|
level test21;
|
|
level test21crit;
|
|
level test22;
|
|
level test22crit;
|
|
|
|
#some constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
################################################################################
|
|
# Type enforcement declarations and rules
|
|
|
|
|
|
################################################################################
|
|
|
|
#users
|
|
user system roles system level sens range sens - sens:begin.end;
|
|
|
|
#normal constraints
|
|
constrain infoflow hi_w (u1 == u2);
|
|
|
|
#isids
|
|
sid kernel system:system:system:sens:begin
|
|
sid security system:system:system:sens:begin
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:sens;
|
|
fs_use_xattr ext3 system:object_r:system:sens;
|
|
fs_use_task pipefs system:object_r:system:sens;
|
|
|
|
#genfscon
|
|
genfscon proc / system:object_r:system:sens
|
|
genfscon proc /sys system:object_r:system:sens
|
|
genfscon selinuxfs / system:object_r:system:sens:begin.end
|
|
|
|
portcon tcp 80 system:object_r:system:sens
|
|
|
|
netifcon eth0 system:object_r:system:sens system:object_r:system:sens
|
|
|
|
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:sens:begin
|
|
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:sens:begin
|
|
|