setools/tests/dta.conf
Chris PeBenito 1352888dc0 Add additional DTA and infoflow rules for self loop testing.
An edge from a node going back to itself should be ignored.
2015-02-28 10:11:13 -05:00


# Test policy for the SETools domain transition analysis (DTA) and the
# infoflow* classes. The type enforcement section below is laid out as
# numbered test cases; each comment states which transition the case is
# expected to produce (or, for the "invalid" cases, not produce).
#
# Object class and initial SID declarations. The permission sets for the
# classes follow further down.
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class process
class file
class sock_file
sid kernel
sid security
# Permissions shared by the infoflow* classes through inheritance.
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
# infoflow3 does not inherit the common set; "null" is its only permission.
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
# process permissions exercised by the DTA test graph below:
# transition/dyntransition form the edges, setexec/setcurrent are the
# self-permissions a domain needs when no type_transition applies.
class process
{
transition
dyntransition
setexec
setcurrent
}
class file
{
execute
entrypoint
}
# sock_file carries execute only so that test 302 can grant the exec
# permission on the wrong class.
class sock_file
{
execute
}
# MLS declarations
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
# level declarations
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
# MLS constraint; mls_exempt is the attribute declared right after it.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
########################################
#
# Domain transition analysis
#
# The extent of the valid transition graph:
#
# start -> trans1 -> trans2 -> trans3 -> trans5
#   |
#   | -> dyntrans100 -> bothtrans200
#
# Everything else is invalid
# test 1
# type_transition start -> trans1
# (transition + execute + entrypoint, with a type_transition on the
# process class so no setexec is needed)
type start;
type trans1;
type trans1_exec;
allow start trans1:process transition;
allow start trans1_exec:file execute;
allow trans1 trans1_exec:file entrypoint;
type_transition start trans1_exec:process trans1;
# test 2
# setexec trans1 -> trans2
# (no type_transition; trans1's setexec on self makes the edge valid)
type trans2;
type trans2_exec;
allow trans1 self:process setexec;
allow trans1 trans2:process transition;
allow trans1 trans2_exec:file execute;
allow trans2 trans2_exec:file entrypoint;
# test 3
# type_transition and setexec trans2 -> trans3
# 2 entrypoints; only trans3_exec1 has a type_transition, trans3_exec2
# relies on trans2's setexec
type trans3;
type trans3_exec1;
type trans3_exec2;
allow trans2 self:process setexec;
allow trans2 trans3:process transition;
allow trans2 { trans3_exec1 trans3_exec2 }:file execute;
allow trans3 { trans3_exec1 trans3_exec2 }:file entrypoint;
type_transition trans2 trans3_exec1:process trans3;
# test 4
# invalid transition, no type_transition/setexec
type trans4;
type trans4_exec;
allow start trans4:process transition;
allow start trans4_exec:file execute;
allow trans4 trans4_exec:file entrypoint;
# test 5
# type_transition trans3 -> trans5
# 1 entrypoint w/conditional type_trans
# This makes sure the type_transition fully
# matches as expected.
# The boolean defaults to false, so the type_transition to trans5 lives
# in the true branch. The else branch names trans4 as the default type;
# trans3 has no process transition allow to trans4 and trans4 has no
# entrypoint on trans5_exec, so that rule must not make trans4 reachable.
type trans5;
type trans5_exec;
bool trans5 false;
allow trans3 trans5:process transition;
allow trans3 trans5_exec:file execute;
allow trans5 trans5_exec:file entrypoint;
if(trans5) {
type_transition trans3 trans5_exec:process trans5;
} else {
type_transition trans3 trans5_exec:process trans4;
}
# test 100
# dyntrans start -> dyntrans100
# (dyntransition requires setcurrent on self, granted here)
type dyntrans100;
allow start self:process setcurrent;
allow start dyntrans100:process dyntransition;
# test 101
# invalid dyntransition, no setcurrent
type dyntrans101;
type dyntrans102;
allow dyntrans101 dyntrans102:process dyntransition;
# test 200
# all transition possibilities dyntrans100 -> bothtrans200
# (regular transition via type_transition, setexec, and dyntransition)
type bothtrans200;
type bothtrans200_exec;
allow dyntrans100 self:process { setexec setcurrent };
allow dyntrans100 bothtrans200:process { transition dyntransition };
allow dyntrans100 bothtrans200_exec:file execute;
allow bothtrans200 bothtrans200_exec:file entrypoint;
type_transition dyntrans100 bothtrans200_exec:process bothtrans200;
# test 201
# no loops in graph
# bothtrans201 is allowed to transition and dyntransition to itself;
# this edge from a node back to itself should be ignored by the analysis.
type bothtrans201;
type bothtrans201_exec;
allow bothtrans201 self:process { setexec setcurrent };
allow bothtrans201 bothtrans201:process { transition dyntransition };
allow bothtrans201 bothtrans201_exec:file { execute entrypoint };
# test 300
# auditallow by itself does not work for execute perms
# (auditallow only audits; without an allow rule execute is not granted)
type trans300;
type trans300_exec;
allow start trans300:process transition;
auditallow start trans300_exec:file execute;
allow trans300 trans300_exec:file entrypoint;
type_transition start trans300_exec:process trans300;
# test 301
# wrong class for type transition
# (type_transition on the file class instead of process, and no setexec)
type trans301;
type trans301_exec;
allow start trans301:process transition;
allow start trans301_exec:file execute;
allow trans301 trans301_exec:file entrypoint;
type_transition start trans301_exec:file trans301;
# test 302
# wrong class for exec perms
# NOTE(review): the type_transition below also uses the file class, the
# same defect test 301 covers, so this case does not isolate the
# wrong-exec-class condition on its own -- confirm whether the
# type_transition was meant to use the process class here.
type trans302;
type trans302_exec;
allow start trans302:process transition;
allow start trans302_exec:sock_file execute;
allow trans302 trans302_exec:file entrypoint;
type_transition start trans302_exec:file trans302;
################################################################################
# users
user system roles system level med range low_s - high_s:here.lost;
# non-MLS constraint
constrain infoflow hi_w (u1 == u2);
# initial SID contexts
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
# fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
# genfscon and network object labeling
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here