2023-11-01 16:37:00 +00:00
|
|
|
# handle_unknown deny
|
|
|
|
class CLASS1
|
|
|
|
class CLASS2
|
|
|
|
class CLASS3
|
2024-11-11 13:51:04 +00:00
|
|
|
class CLASS4
|
2023-11-01 16:37:00 +00:00
|
|
|
class dir
|
|
|
|
class file
|
|
|
|
class process
|
|
|
|
sid kernel
|
|
|
|
common COMMON1 { CPERM1 }
|
|
|
|
class CLASS1 { PERM1 ioctl }
|
|
|
|
class CLASS2 inherits COMMON1
|
|
|
|
class CLASS3 inherits COMMON1 { PERM1 }
|
2024-11-11 13:51:04 +00:00
|
|
|
class CLASS4 { nlmsg }
|
2023-11-01 16:37:00 +00:00
|
|
|
default_user { CLASS1 } source;
|
|
|
|
default_role { CLASS2 } target;
|
|
|
|
default_type { CLASS3 } source;
|
|
|
|
policycap open_perms;
|
|
|
|
attribute ATTR1;
|
|
|
|
attribute ATTR2;
|
|
|
|
bool BOOL1 true;
|
2024-11-11 13:51:04 +00:00
|
|
|
bool BOOL2 false;
|
2023-11-01 16:37:00 +00:00
|
|
|
type TYPE1;
|
|
|
|
type TYPE2;
|
|
|
|
type TYPE3;
|
|
|
|
type TYPE4;
|
|
|
|
typealias TYPE1 alias TYPEALIAS1;
|
|
|
|
typealias TYPE3 alias TYPEALIAS3A;
|
|
|
|
typealias TYPE3 alias TYPEALIAS3B;
|
|
|
|
typealias TYPE4 alias TYPEALIAS4;
|
|
|
|
typebounds TYPE4 TYPE3;
|
|
|
|
typeattribute TYPE4 ATTR2;
|
|
|
|
permissive TYPE1;
|
|
|
|
allow TYPE1 self:CLASS1 { PERM1 };
|
|
|
|
allow TYPE1 self:CLASS2 { CPERM1 };
|
|
|
|
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
|
|
|
|
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
|
|
|
|
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
|
|
|
|
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
|
2024-04-08 15:08:00 +00:00
|
|
|
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
|
|
|
|
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
|
|
|
|
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
|
2024-11-11 13:51:04 +00:00
|
|
|
allowxperm TYPE2 TYPE1:CLASS4 nlmsg { 0x1 0x12 };
|
2023-11-01 16:37:00 +00:00
|
|
|
auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
|
|
|
|
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
|
|
|
|
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
|
|
|
|
type_member TYPE1 TYPE2:CLASS1 TYPE2;
|
|
|
|
type_change TYPE1 TYPE2:CLASS1 TYPE3;
|
|
|
|
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
|
|
|
|
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
|
|
|
|
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
|
|
|
|
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
|
|
|
|
if (BOOL1) {
|
|
|
|
} else {
|
|
|
|
allow TYPE1 self:CLASS1 { ioctl };
|
2024-11-11 13:51:04 +00:00
|
|
|
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x6789-0x67ff };
|
|
|
|
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x6800-0x97ff };
|
|
|
|
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x9800-0x9876 };
|
|
|
|
}
|
|
|
|
if (BOOL2) {
|
|
|
|
allowxperm TYPE2 TYPE1:CLASS4 nlmsg { 0x2 };
|
2023-11-01 16:37:00 +00:00
|
|
|
}
|
|
|
|
role ROLE1;
|
|
|
|
role ROLE2;
|
|
|
|
role ROLE3;
|
|
|
|
role ROLE1 types { TYPE1 };
|
|
|
|
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
|
|
|
|
role_transition ROLE1 TYPE1:process ROLE2;
|
|
|
|
allow ROLE1 ROLE2;
|
|
|
|
user USER1 roles ROLE1;
|
|
|
|
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
|
|
|
|
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
|
|
|
|
sid kernel USER1:ROLE1:TYPE1
|
|
|
|
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
|
|
|
|
fs_use_trans devpts USER1:ROLE1:TYPE1;
|
|
|
|
fs_use_task pipefs USER1:ROLE1:TYPE1;
|
|
|
|
genfscon proc "/" -d USER1:ROLE1:TYPE1
|
|
|
|
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
|
|
|
|
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
|
|
|
|
portcon tcp 80 USER1:ROLE1:TYPE1
|
|
|
|
portcon udp 100-200 USER1:ROLE1:TYPE1
|
|
|
|
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
|
|
|
|
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
|
2024-05-08 17:04:22 +00:00
|
|
|
nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
|
2023-11-01 16:37:00 +00:00
|
|
|
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
|
2024-05-08 17:04:22 +00:00
|
|
|
nodecon ff80:: ffff:: USER1:ROLE1:TYPE1
|
2023-11-01 16:37:00 +00:00
|
|
|
ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
|
|
|
|
ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
|
|
|
|
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
|
|
|
|
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
|