class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class removed_class
class modified_add_perm
class modified_remove_perm
class modified_change_common
sid kernel
sid security
sid matched_sid
sid removed_sid
sid modified_sid
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
ioctl
}
common removed_common
{
old_com
}
common modified_remove_perm
{
same_perm
removed_perm
}
common modified_add_perm
{
matched_perm
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
class removed_class
{
null_perm
}
class modified_add_perm
{
same_perm
}
class modified_remove_perm
{
same_perm
removed_perm
}
class modified_change_common
inherits removed_common
# matching defaults:
default_user infoflow source;
default_role infoflow source;
default_type infoflow source;
default_range infoflow source low;
# added:
# removed:
default_role infoflow3 source;
default_range infoflow3 target high;
# modified:
default_type infoflow4 source;
default_range infoflow4 source low;
# modified range:
default_range infoflow5 target low;
# modified both (default and range):
default_range infoflow6 source high;
sensitivity s0 alias { al1 al2 };
sensitivity s1 alias { al3 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s47;
dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s47 }
category c0 alias { spam eggs };
category c1 alias { bar };
category c2;
category c3;
category c4;
category c5;
# level declarations
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1;
level s41:c0.c4;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s47:c0.c4;
# matching mls constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
# added mls constraint
# removed mls constraint
mlsconstrain infoflow4 hi_w ((l1 domby l2 and h1 domby h2) or (t1 == mls_exempt));
# remove/add mls constraint (expression change)
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 dom h2) or (t1 == mls_exempt));
# matching mls validatetrans
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);
# added mls validatetrans
# removed mls validatetrans
mlsvalidatetrans infoflow4 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);
# remove/add mls validatetrans (expression change)
mlsvalidatetrans infoflow5 ((l1 dom l2 and h1 dom h2) or (t3 == mls_exempt));
attribute mls_exempt;
attribute an_attr;
attribute removed_attr;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
type removed_type;
type modified_remove_attr, an_attr;
type modified_remove_alias alias an_alias;
type modified_remove_permissive;
permissive modified_remove_permissive;
type modified_add_attr;
type modified_add_alias;
type modified_add_permissive;
role removed_role;
role modified_add_type;
role modified_remove_type;
role modified_remove_type types { system };
# booleans
bool same_bool true;
bool removed_bool true;
bool modified_bool false;
# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;
type removed_rule_source;
type removed_rule_target;
allow removed_rule_source removed_rule_target:infoflow hi_r;
type added_rule_source;
type added_rule_target;
type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow hi_r;
type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow { low_r low_w };
type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
allow removed_type self:infoflow3 null;
type move_to_bool;
bool move_to_bool_b false;
allow move_to_bool self:infoflow4 hi_w;
type move_from_bool;
bool move_from_bool_b false;
if (move_from_bool_b) {
allow move_from_bool self:infoflow4 hi_r;
}
type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
allow system switch_block:infoflow6 hi_r;
} else {
allow system switch_block:infoflow7 hi_r;
}
attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr self:infoflow2 super_w;
attribute unioned_perm_via_attr;
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
allow unioned_perm_via_attr self:infoflow2 super_w;
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
type aa_removed_rule_source;
type aa_removed_rule_target;
auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
type aa_added_rule_source;
type aa_added_rule_target;
type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow hi_r;
type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
auditallow removed_type self:infoflow7 super_unmapped;
type aa_move_to_bool;
bool aa_move_to_bool_b false;
auditallow aa_move_to_bool self:infoflow4 hi_w;
type aa_move_from_bool;
bool aa_move_from_bool_b false;
if (aa_move_from_bool_b) {
auditallow aa_move_from_bool self:infoflow4 hi_r;
}
type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
auditallow system aa_switch_block:infoflow6 hi_r;
} else {
auditallow system aa_switch_block:infoflow7 hi_r;
}
attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
attribute aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;
type da_removed_rule_source;
type da_removed_rule_target;
dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
type da_added_rule_source;
type da_added_rule_target;
type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow hi_r;
type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
dontaudit removed_type self:infoflow7 super_both;
type da_move_to_bool;
bool da_move_to_bool_b false;
dontaudit da_move_to_bool self:infoflow4 hi_w;
type da_move_from_bool;
bool da_move_from_bool_b false;
if (da_move_from_bool_b) {
dontaudit da_move_from_bool self:infoflow4 hi_r;
}
type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
dontaudit system da_switch_block:infoflow6 hi_r;
} else {
dontaudit system da_switch_block:infoflow7 hi_r;
}
attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
attribute da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;
type na_removed_rule_source;
type na_removed_rule_target;
neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
type na_added_rule_source;
type na_added_rule_target;
type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow hi_r;
type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
neverallow removed_type self:removed_class null_perm;
attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr self:infoflow2 super_w;
attribute na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;
type tt_removed_rule_source;
type tt_removed_rule_target;
type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
type tt_added_rule_source;
type tt_added_rule_target;
type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_old_type;
type_transition removed_type system:infoflow4 system;
type tt_move_to_bool;
bool tt_move_to_bool_b false;
type_transition tt_move_to_bool system:infoflow3 system;
type tt_move_from_bool;
bool tt_move_from_bool_b false;
if (tt_move_from_bool_b) {
type_transition tt_move_from_bool system:infoflow4 system;
}
type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
type_transition system tt_switch_block:infoflow6 system;
} else {
type_transition system tt_switch_block:infoflow7 system;
}
attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;
attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;
type tc_removed_rule_source;
type tc_removed_rule_target;
type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
type tc_added_rule_source;
type tc_added_rule_target;
type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_old_type;
type_change removed_type system:infoflow4 system;
type tc_move_to_bool;
bool tc_move_to_bool_b false;
type_change tc_move_to_bool system:infoflow3 system;
type tc_move_from_bool;
bool tc_move_from_bool_b false;
if (tc_move_from_bool_b) {
type_change tc_move_from_bool system:infoflow4 system;
}
type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
type_change system tc_switch_block:infoflow6 system;
} else {
type_change system tc_switch_block:infoflow7 system;
}
attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;
attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;
type tm_removed_rule_source;
type tm_removed_rule_target;
type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
type tm_added_rule_source;
type tm_added_rule_target;
type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_old_type;
type_member removed_type system:infoflow4 system;
type tm_move_to_bool;
bool tm_move_to_bool_b false;
type_member tm_move_to_bool system:infoflow3 system;
type tm_move_from_bool;
bool tm_move_from_bool_b false;
if (tm_move_from_bool_b) {
type_member tm_move_from_bool system:infoflow4 system;
}
type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
type_member system tm_switch_block:infoflow6 system;
} else {
type_member system tm_switch_block:infoflow7 system;
}
attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;
attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
# range_transition rule differences
type rt_matched_source;
type rt_matched_target;
range_transition rt_matched_source rt_matched_target:infoflow s0;
type rt_removed_rule_source;
type rt_removed_rule_target;
range_transition rt_removed_rule_source rt_removed_rule_target:infoflow s1;
type rt_added_rule_source;
type rt_added_rule_target;
range_transition rt_matched_source system:infoflow s2:c0 - s3:c0.c2;
range_transition removed_type system:infoflow4 s1;
# range transitions cannot be conditional, so the bool/if variants below stay commented out.
#type rt_move_to_bool;
#bool rt_move_to_bool_b false;
#range_transition rt_move_to_bool system:infoflow3 s0;
#type rt_move_from_bool;
#bool rt_move_from_bool_b false;
#if (rt_move_from_bool_b) {
#range_transition rt_move_from_bool system:infoflow4 s0;
#}
#type rt_switch_block;
#bool rt_switch_block_b false;
#if (rt_switch_block_b) {
#range_transition system rt_switch_block:infoflow5 s0;
#range_transition system rt_switch_block:infoflow6 s0;
#} else {
#range_transition system rt_switch_block:infoflow7 s0;
#}
attribute rt_match_rule_by_attr;
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
range_transition rt_match_rule_by_attr system:infoflow2 s0;
attribute rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
range_transition rt_unioned_perm_via_attr_A_t system:infoflow2 s0;
# role allow
role matched_source_r;
role matched_target_r;
allow matched_source_r matched_target_r;
role removed_rule_source_r;
role removed_rule_target_r;
allow removed_rule_source_r removed_rule_target_r;
role added_rule_source_r;
role added_rule_target_r;
allow removed_role system;
# role_transition
role role_tr_matched_source;
type role_tr_matched_target;
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;
role role_tr_removed_rule_source;
type role_tr_removed_rule_target;
role_transition role_tr_removed_rule_source role_tr_removed_rule_target:infoflow5 system;
role role_tr_added_rule_source;
type role_tr_added_rule_target;
role_transition removed_role system:infoflow4 system;
role role_tr_old_role;
role role_tr_new_role;
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
# Allowxperm rule differences
type ax_matched_source;
type ax_matched_target;
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
type ax_removed_rule_source;
type ax_removed_rule_target;
allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
type ax_added_rule_source;
type ax_added_rule_target;
type ax_modified_rule_add_perms;
allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type ax_modified_rule_remove_perms;
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type ax_modified_rule_add_remove_perms;
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
allowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute ax_match_rule_by_attr;
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute ax_unioned_perm_via_attr;
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
# Auditallowxperm rule differences
type aax_matched_source;
type aax_matched_target;
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
type aax_removed_rule_source;
type aax_removed_rule_target;
auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
type aax_added_rule_source;
type aax_added_rule_target;
type aax_modified_rule_add_perms;
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type aax_modified_rule_remove_perms;
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type aax_modified_rule_add_remove_perms;
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute aax_match_rule_by_attr;
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute aax_unioned_perm_via_attr;
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
# Neverallowxperm rule differences
type nax_matched_source;
type nax_matched_target;
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
type nax_removed_rule_source;
type nax_removed_rule_target;
neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
type nax_added_rule_source;
type nax_added_rule_target;
type nax_modified_rule_add_perms;
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type nax_modified_rule_remove_perms;
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type nax_modified_rule_add_remove_perms;
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute nax_match_rule_by_attr;
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute nax_unioned_perm_via_attr;
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
# Dontauditxperm rule differences
type dax_matched_source;
type dax_matched_target;
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
type dax_removed_rule_source;
type dax_removed_rule_target;
dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
type dax_added_rule_source;
type dax_added_rule_target;
type dax_modified_rule_add_perms;
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type dax_modified_rule_remove_perms;
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type dax_modified_rule_add_remove_perms;
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
attribute dax_match_rule_by_attr;
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute dax_unioned_perm_via_attr;
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;
################################################################################
# matching typebounds
type match_parent;
type match_child;
typebounds match_parent match_child;
# removed typebounds
type removed_parent;
type removed_child;
typebounds removed_parent removed_child;
# added typebounds
type added_parent;
type added_child;
# modified typebounds
type mod_parent_removed;
type mod_parent_added;
type mod_child;
typebounds mod_parent_removed mod_child;
# policycaps
policycap open_perms;
policycap network_peer_controls;
# users
user system roles system level s0 range s0;
user removed_user roles system level s0 range s0;
user modified_add_role roles system level s2 range s2;
user modified_remove_role roles { system removed_role } level s2 range s2;
user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3;
# matching constraints
constrain infoflow hi_w (u1 == u2 or t1 == system);
constrain infoflow hi_w (t1 == t2 or t1 == system);
constrain infoflow hi_r (r1 == r2 or t1 == system);
# added constraint
# removed constraint
constrain infoflow4 hi_w (u1 != u2);
# remove/add constraint (expression change)
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system));
# matching validatetrans
validatetrans infoflow (u1 == u2 or t3 == system);
validatetrans infoflow (r1 == r2 or t3 == system);
validatetrans infoflow2 (u1 == u2 or t3 == system);
# added validatetrans
# removed validatetrans
validatetrans infoflow4 (u1 == u2 or t3 == system);
# remove/add validatetrans (expression change)
validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
# initial SIDs (isids)
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid removed_sid removed_user:system:system:s0
sid modified_sid system:system:system:s0
# fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_task removed_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse removed_user:object_r:system:s0;
# genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon removed_genfs / system:object_r:system:s0
genfscon change_path /old system:object_r:system:s0
genfscon modified_genfs / -s removed_user:object_r:system:s0
# matched portcons
portcon tcp 80 system:object_r:system:s0
portcon udp 80 system:object_r:system:s0
portcon udp 30-40 system:object_r:system:s0
# removed portcons
portcon udp 1024 system:object_r:system:s0
portcon tcp 1024-1026 system:object_r:system:s0
# modified portcons
portcon udp 3024 removed_user:object_r:system:s0
portcon tcp 3024-3026 removed_user:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon removed_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif removed_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 removed_user:object_r:system:s0
netifcon mod_both_netif removed_user:object_r:system:s0 removed_user:object_r:system:s0
# matched nodecons
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
# removed nodecons
nodecon 127.0.0.2 255.255.255.255 removed_user:object_r:system:s0
nodecon ::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff removed_user:object_r:system:s0
# modified nodecons
nodecon 127.0.0.3 255.255.255.255 modified_change_level:object_r:system:s2:c1
nodecon ::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff modified_change_level:object_r:system:s2:c0,c1
# change netmask (add/remove)
nodecon 127.0.0.5 255.255.255.255 system:object_r:system:s0
nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0