mirror of
https://github.com/SELinuxProject/setools
synced 2025-02-23 15:47:00 +00:00
235 lines
4.3 KiB
Plaintext
235 lines
4.3 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class infoflow6
|
|
class infoflow7
|
|
class process
|
|
|
|
sid kernel
|
|
sid security
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
class process
|
|
inherits infoflow
|
|
{
|
|
transition
|
|
}
|
|
|
|
sensitivity low_s;
|
|
sensitivity medium_s alias med;
|
|
sensitivity high_s;
|
|
|
|
dominance { low_s med high_s }
|
|
|
|
category here;
|
|
category there;
|
|
category elsewhere alias lost;
|
|
|
|
#level decl
|
|
level low_s:here.there;
|
|
level med:here, elsewhere;
|
|
level high_s:here.lost;
|
|
|
|
#some constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
################################################################################
|
|
# RBAC
|
|
|
|
# test 1
|
|
# ruletype: unset
|
|
# source: test1s, direct, no regex
|
|
# target: unset
|
|
# class: unset
|
|
# default: unset
|
|
role test1s;
|
|
role test1t;
|
|
allow test1s test1t;
|
|
role_transition test1s system:infoflow test1t;
|
|
|
|
# test 2
|
|
# ruletype: unset
|
|
# source: test2s, direct, regex
|
|
# target: unset
|
|
# class: unset
|
|
# default: unset
|
|
role test2s1;
|
|
role test2s2;
|
|
role test2s3;
|
|
role test2t;
|
|
allow test2s1 test2t;
|
|
role_transition test2s3 system:infoflow test2t;
|
|
|
|
# test 10
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: test10t, direct, no regex
|
|
# class: unset
|
|
# default: unset
|
|
role test10s;
|
|
role test10t;
|
|
allow test10s test10t;
|
|
role_transition test10s system:infoflow test10t;
|
|
|
|
# test 11
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: test11t(1|3), direct, regex
|
|
# class: unset
|
|
# default: unset
|
|
role test11s;
|
|
role test11t1;
|
|
role test11t2;
|
|
role test11t3;
|
|
allow test11s test11t1;
|
|
role_transition test11s system:infoflow test11t3;
|
|
|
|
# test 20
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: unset
|
|
# class: infoflow2, no regex
|
|
# default: unset
|
|
role test20;
|
|
role test20d1;
|
|
role test20d2;
|
|
role_transition test20 system:infoflow test20d1;
|
|
role_transition test20 system:infoflow2 test20d2;
|
|
|
|
# test 21
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: unset
|
|
# class: infoflow3,infoflow4 , no regex
|
|
# default: unset
|
|
role test21;
|
|
role test21d1;
|
|
role test21d2;
|
|
role test21d3;
|
|
role_transition test21 system:infoflow test21d1;
|
|
role_transition test21 system:infoflow4 test21d2;
|
|
role_transition test21 system:infoflow3 test21d3;
|
|
|
|
# test 22
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: unset
|
|
# class: infoflow(5|6), regex
|
|
# default: unset
|
|
role test22;
|
|
role test22d1;
|
|
role test22d2;
|
|
role test22d3;
|
|
role_transition test22 system:infoflow test22d1;
|
|
role_transition test22 system:infoflow5 test22d2;
|
|
role_transition test22 system:infoflow6 test22d3;
|
|
|
|
# test 30
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: unset
|
|
# class: unset
|
|
# default: test30d, no regex
|
|
role test30s;
|
|
role test30d;
|
|
allow test30s test30d;
|
|
role_transition test30s system:infoflow test30d;
|
|
|
|
# test 31
|
|
# ruletype: unset
|
|
# source: unset
|
|
# target: unset
|
|
# class: unset
|
|
# default: test31d(2|3), regex
|
|
role test31s;
|
|
role test31d1;
|
|
role test31d2;
|
|
role test31d3;
|
|
allow test31s test31d1;
|
|
allow test31s test31d2;
|
|
allow test31s test31d3;
|
|
role_transition test31s system:infoflow test31d1;
|
|
role_transition test31s system test31d2;
|
|
role_transition test31s system:infoflow7 test31d3;
|
|
|
|
################################################################################
|
|
|
|
#users
|
|
user system roles system level med range low_s - high_s:here.lost;
|
|
|
|
#normal constraints
|
|
constrain infoflow hi_w (u1 == u2);
|
|
|
|
#isids
|
|
sid kernel system:system:system:medium_s:here
|
|
sid security system:system:system:high_s:lost
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:low_s;
|
|
fs_use_xattr ext3 system:object_r:system:low_s;
|
|
fs_use_task pipefs system:object_r:system:low_s;
|
|
|
|
#genfscon
|
|
genfscon proc / system:object_r:system:med
|
|
genfscon proc /sys system:object_r:system:low_s
|
|
genfscon selinuxfs / system:object_r:system:high_s:here.there
|
|
|
|
portcon tcp 80 system:object_r:system:low_s
|
|
|
|
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
|
|
|
|
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
|
|
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
|
|
|