selinux/checkpolicy/fuzz/min_pol.conf

class process
class blk_file
class chr_file
class dir
class fifo_file
class file
class lnk_file
class sock_file
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
class process { dyntransition transition }
default_role { blk_file } source;
default_role { chr_file } source;
default_role { dir } source;
default_role { fifo_file } source;
default_role { file } source;
default_role { lnk_file } source;
default_role { sock_file } source;
type sys_isid;
typealias sys_isid alias { dpkg_script_t rpm_script_t };
allow sys_isid self : process { dyntransition transition };
role sys_role;
role sys_role types { sys_isid };
user sys_user roles sys_role;
sid kernel sys_user:sys_role:sys_isid
sid security sys_user:sys_role:sys_isid
sid unlabeled sys_user:sys_role:sys_isid
sid file sys_user:sys_role:sys_isid
sid port sys_user:sys_role:sys_isid
sid netif sys_user:sys_role:sys_isid
sid netmsg sys_user:sys_role:sys_isid
sid node sys_user:sys_role:sys_isid
sid devnull sys_user:sys_role:sys_isid
fs_use_trans devpts sys_user:sys_role:sys_isid;
fs_use_trans devtmpfs sys_user:sys_role:sys_isid;
checkpolicy: add libfuzz based fuzzer Introduce a libfuzz[1] based fuzzer testing the parsing and policy generation code used within checkpolicy(8) and checkmodule(8), similar to the fuzzer for secilc(8). The fuzzer will work on generated source policy input and try to parse, link, expand, optimize, sort and output it. This fuzzer will also ensure policy validation is not too strict by checking compilable source policies are valid. Build the fuzzer in the oss-fuzz script. [1]: https://llvm.org/docs/LibFuzzer.html Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> 2024-01-22 13:54:53 +00:00			`class process`
			`class blk_file`
			`class chr_file`
			`class dir`
			`class fifo_file`
			`class file`
			`class lnk_file`
			`class sock_file`
			`sid kernel`
			`sid security`
			`sid unlabeled`
			`sid fs`
			`sid file`
			`sid file_labels`
			`sid init`
			`sid any_socket`
			`sid port`
			`sid netif`
			`sid netmsg`
			`sid node`
			`sid igmp_packet`
			`sid icmp_socket`
			`sid tcp_socket`
			`sid sysctl_modprobe`
			`sid sysctl`
			`sid sysctl_fs`
			`sid sysctl_kernel`
			`sid sysctl_net`
			`sid sysctl_net_unix`
			`sid sysctl_vm`
			`sid sysctl_dev`
			`sid kmod`
			`sid policy`
			`sid scmp_packet`
			`sid devnull`
			`class process { dyntransition transition }`
			`default_role { blk_file } source;`
			`default_role { chr_file } source;`
			`default_role { dir } source;`
			`default_role { fifo_file } source;`
			`default_role { file } source;`
			`default_role { lnk_file } source;`
			`default_role { sock_file } source;`
			`type sys_isid;`
			`typealias sys_isid alias { dpkg_script_t rpm_script_t };`
			`allow sys_isid self : process { dyntransition transition };`
			`role sys_role;`
			`role sys_role types { sys_isid };`
			`user sys_user roles sys_role;`
			`sid kernel sys_user:sys_role:sys_isid`
			`sid security sys_user:sys_role:sys_isid`
			`sid unlabeled sys_user:sys_role:sys_isid`
			`sid file sys_user:sys_role:sys_isid`
			`sid port sys_user:sys_role:sys_isid`
			`sid netif sys_user:sys_role:sys_isid`
			`sid netmsg sys_user:sys_role:sys_isid`
			`sid node sys_user:sys_role:sys_isid`
			`sid devnull sys_user:sys_role:sys_isid`
			`fs_use_trans devpts sys_user:sys_role:sys_isid;`
			`fs_use_trans devtmpfs sys_user:sys_role:sys_isid;`