2008-08-19 19:30:36 +00:00
|
|
|
# FLASK
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the security object classes
|
|
|
|
#
|
|
|
|
|
|
|
|
class security
|
|
|
|
class process
|
|
|
|
class system
|
|
|
|
class capability
|
|
|
|
|
|
|
|
# file-related classes
|
|
|
|
class filesystem
|
|
|
|
class file
|
|
|
|
class dir
|
|
|
|
class fd
|
|
|
|
class lnk_file
|
|
|
|
class chr_file
|
|
|
|
class blk_file
|
|
|
|
class sock_file
|
|
|
|
class fifo_file
|
|
|
|
|
|
|
|
# network-related classes
|
|
|
|
class socket
|
|
|
|
class tcp_socket
|
|
|
|
class udp_socket
|
|
|
|
class rawip_socket
|
|
|
|
class node
|
|
|
|
class netif
|
|
|
|
class netlink_socket
|
|
|
|
class packet_socket
|
|
|
|
class key_socket
|
|
|
|
class unix_stream_socket
|
|
|
|
class unix_dgram_socket
|
|
|
|
|
|
|
|
# sysv-ipc-related clases
|
|
|
|
class msg
|
|
|
|
class msgq
|
|
|
|
class shm
|
|
|
|
class ipc
|
|
|
|
|
|
|
|
# FLASK
|
|
|
|
# FLASK
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define initial security identifiers
|
|
|
|
#
|
|
|
|
|
|
|
|
sid kernel
|
|
|
|
|
|
|
|
|
|
|
|
# FLASK
|
|
|
|
#
|
|
|
|
# Define common prefixes for access vectors
|
|
|
|
#
|
|
|
|
# common common_name { permission_name ... }
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define a common prefix for file access vectors.
|
|
|
|
#
|
|
|
|
|
|
|
|
common file
|
|
|
|
{
|
|
|
|
ioctl
|
|
|
|
read
|
|
|
|
write
|
|
|
|
create
|
|
|
|
getattr
|
|
|
|
setattr
|
|
|
|
lock
|
|
|
|
relabelfrom
|
|
|
|
relabelto
|
|
|
|
append
|
|
|
|
unlink
|
|
|
|
link
|
|
|
|
rename
|
|
|
|
execute
|
|
|
|
swapon
|
|
|
|
quotaon
|
|
|
|
mounton
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define a common prefix for socket access vectors.
|
|
|
|
#
|
|
|
|
|
|
|
|
common socket
|
|
|
|
{
|
|
|
|
# inherited from file
|
|
|
|
ioctl
|
|
|
|
read
|
|
|
|
write
|
|
|
|
create
|
|
|
|
getattr
|
|
|
|
setattr
|
|
|
|
lock
|
|
|
|
relabelfrom
|
|
|
|
relabelto
|
|
|
|
append
|
|
|
|
# socket-specific
|
|
|
|
bind
|
|
|
|
connect
|
|
|
|
listen
|
|
|
|
accept
|
|
|
|
getopt
|
|
|
|
setopt
|
|
|
|
shutdown
|
|
|
|
recvfrom
|
|
|
|
sendto
|
|
|
|
recv_msg
|
|
|
|
send_msg
|
|
|
|
name_bind
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define a common prefix for ipc access vectors.
|
|
|
|
#
|
|
|
|
|
|
|
|
common ipc
|
|
|
|
{
|
|
|
|
create
|
|
|
|
destroy
|
|
|
|
getattr
|
|
|
|
setattr
|
|
|
|
read
|
|
|
|
write
|
|
|
|
associate
|
|
|
|
unix_read
|
|
|
|
unix_write
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vectors.
|
|
|
|
#
|
|
|
|
# class class_name [ inherits common_name ] { permission_name ... }
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for file-related objects.
|
|
|
|
#
|
|
|
|
|
|
|
|
class filesystem
|
|
|
|
{
|
|
|
|
mount
|
|
|
|
remount
|
|
|
|
unmount
|
|
|
|
getattr
|
|
|
|
relabelfrom
|
|
|
|
relabelto
|
|
|
|
transition
|
|
|
|
associate
|
|
|
|
quotamod
|
|
|
|
quotaget
|
|
|
|
}
|
|
|
|
|
|
|
|
class dir
|
|
|
|
inherits file
|
|
|
|
{
|
|
|
|
add_name
|
|
|
|
remove_name
|
|
|
|
reparent
|
|
|
|
search
|
|
|
|
rmdir
|
|
|
|
}
|
|
|
|
|
|
|
|
class file
|
|
|
|
inherits file
|
|
|
|
{
|
|
|
|
execute_no_trans
|
|
|
|
entrypoint
|
|
|
|
}
|
|
|
|
|
|
|
|
class lnk_file
|
|
|
|
inherits file
|
|
|
|
|
|
|
|
class chr_file
|
|
|
|
inherits file
|
|
|
|
|
|
|
|
class blk_file
|
|
|
|
inherits file
|
|
|
|
|
|
|
|
class sock_file
|
|
|
|
inherits file
|
|
|
|
|
|
|
|
class fifo_file
|
|
|
|
inherits file
|
|
|
|
|
|
|
|
class fd
|
|
|
|
{
|
|
|
|
use
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for network-related objects.
|
|
|
|
#
|
|
|
|
|
|
|
|
class socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class tcp_socket
|
|
|
|
inherits socket
|
|
|
|
{
|
|
|
|
connectto
|
|
|
|
newconn
|
|
|
|
acceptfrom
|
|
|
|
}
|
|
|
|
|
|
|
|
class udp_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class rawip_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class node
|
|
|
|
{
|
|
|
|
tcp_recv
|
|
|
|
tcp_send
|
|
|
|
udp_recv
|
|
|
|
udp_send
|
|
|
|
rawip_recv
|
|
|
|
rawip_send
|
|
|
|
enforce_dest
|
|
|
|
}
|
|
|
|
|
|
|
|
class netif
|
|
|
|
{
|
|
|
|
tcp_recv
|
|
|
|
tcp_send
|
|
|
|
udp_recv
|
|
|
|
udp_send
|
|
|
|
rawip_recv
|
|
|
|
rawip_send
|
|
|
|
}
|
|
|
|
|
|
|
|
class netlink_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class packet_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class key_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
class unix_stream_socket
|
|
|
|
inherits socket
|
|
|
|
{
|
|
|
|
connectto
|
|
|
|
newconn
|
|
|
|
acceptfrom
|
|
|
|
}
|
|
|
|
|
|
|
|
class unix_dgram_socket
|
|
|
|
inherits socket
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for process-related objects
|
|
|
|
#
|
|
|
|
|
|
|
|
class process
|
|
|
|
{
|
|
|
|
fork
|
|
|
|
transition
|
|
|
|
sigchld # commonly granted from child to parent
|
|
|
|
sigkill # cannot be caught or ignored
|
|
|
|
sigstop # cannot be caught or ignored
|
|
|
|
signull # for kill(pid, 0)
|
|
|
|
signal # all other signals
|
|
|
|
ptrace
|
|
|
|
getsched
|
|
|
|
setsched
|
|
|
|
getsession
|
|
|
|
getpgid
|
|
|
|
setpgid
|
|
|
|
getcap
|
|
|
|
setcap
|
|
|
|
share
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for ipc-related objects
|
|
|
|
#
|
|
|
|
|
|
|
|
class ipc
|
|
|
|
inherits ipc
|
|
|
|
|
|
|
|
class msgq
|
|
|
|
inherits ipc
|
|
|
|
{
|
|
|
|
enqueue
|
|
|
|
}
|
|
|
|
|
|
|
|
class msg
|
|
|
|
{
|
|
|
|
send
|
|
|
|
}
|
|
|
|
|
|
|
|
class shm
|
|
|
|
inherits ipc
|
|
|
|
{
|
|
|
|
lock
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for the security server.
|
|
|
|
#
|
|
|
|
|
|
|
|
class security
|
|
|
|
{
|
|
|
|
compute_av
|
|
|
|
transition_sid
|
|
|
|
member_sid
|
|
|
|
sid_to_context
|
|
|
|
context_to_sid
|
|
|
|
load_policy
|
|
|
|
get_sids
|
|
|
|
change_sid
|
|
|
|
get_user_sids
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the access vector interpretation for system operations.
|
|
|
|
#
|
|
|
|
|
|
|
|
class system
|
|
|
|
{
|
|
|
|
ipc_info
|
|
|
|
avc_toggle
|
|
|
|
nfsd_control
|
|
|
|
bdflush
|
|
|
|
syslog_read
|
|
|
|
syslog_mod
|
|
|
|
syslog_console
|
|
|
|
ichsid
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
2019-08-05 20:11:20 +00:00
|
|
|
# Define the access vector interpretation for controlling capabilities
|
2008-08-19 19:30:36 +00:00
|
|
|
#
|
|
|
|
|
|
|
|
class capability
|
|
|
|
{
|
|
|
|
# The capabilities are defined in include/linux/capability.h
|
|
|
|
# Care should be taken to ensure that these are consistent with
|
|
|
|
# those definitions. (Order matters)
|
|
|
|
|
|
|
|
chown
|
|
|
|
dac_override
|
|
|
|
dac_read_search
|
|
|
|
fowner
|
|
|
|
fsetid
|
|
|
|
kill
|
|
|
|
setgid
|
|
|
|
setuid
|
|
|
|
setpcap
|
|
|
|
linux_immutable
|
|
|
|
net_bind_service
|
|
|
|
net_broadcast
|
|
|
|
net_admin
|
|
|
|
net_raw
|
|
|
|
ipc_lock
|
|
|
|
ipc_owner
|
|
|
|
sys_module
|
|
|
|
sys_rawio
|
|
|
|
sys_chroot
|
|
|
|
sys_ptrace
|
|
|
|
sys_pacct
|
|
|
|
sys_admin
|
|
|
|
sys_boot
|
|
|
|
sys_nice
|
|
|
|
sys_resource
|
|
|
|
sys_time
|
|
|
|
sys_tty_config
|
|
|
|
mknod
|
|
|
|
lease
|
|
|
|
}
|
|
|
|
|
|
|
|
ifdef(`enable_mls',`
|
|
|
|
sensitivity s0;
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the ordering of the sensitivity levels (least to greatest)
|
|
|
|
#
|
|
|
|
dominance { s0 }
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Define the categories
|
|
|
|
#
|
|
|
|
# Each category has a name and zero or more aliases.
|
|
|
|
#
|
|
|
|
category c0; category c1; category c2; category c3;
|
|
|
|
category c4; category c5; category c6; category c7;
|
|
|
|
category c8; category c9; category c10; category c11;
|
|
|
|
category c12; category c13; category c14; category c15;
|
|
|
|
category c16; category c17; category c18; category c19;
|
|
|
|
category c20; category c21; category c22; category c23;
|
|
|
|
|
|
|
|
level s0:c0.c23;
|
|
|
|
|
|
|
|
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
|
|
|
( h1 dom h2 );
|
|
|
|
')
|
|
|
|
|
|
|
|
####################################
|
|
|
|
####################################
|
|
|
|
#####################################
|
|
|
|
# TE RULES
|
|
|
|
attribute domain;
|
|
|
|
attribute system;
|
|
|
|
attribute foo;
|
|
|
|
attribute num;
|
|
|
|
attribute num_exec;
|
|
|
|
attribute files;
|
|
|
|
|
|
|
|
type net_foo_t, foo;
|
|
|
|
type sys_foo_t, foo, system;
|
2013-10-25 16:08:23 +00:00
|
|
|
role system_r;
|
2008-08-19 19:30:36 +00:00
|
|
|
role system_r types sys_foo_t;
|
|
|
|
|
|
|
|
type user_t, domain;
|
2013-10-25 16:08:23 +00:00
|
|
|
role user_r;
|
2008-08-19 19:30:36 +00:00
|
|
|
role user_r types user_t;
|
|
|
|
|
|
|
|
type sysadm_t, domain, system;
|
2013-10-25 16:08:23 +00:00
|
|
|
role sysadm_r;
|
2008-08-19 19:30:36 +00:00
|
|
|
role sysadm_r types sysadm_t;
|
|
|
|
|
|
|
|
type system_t, domain, system, foo;
|
2013-10-25 16:08:23 +00:00
|
|
|
role system_r;
|
2008-08-19 19:30:36 +00:00
|
|
|
role system_r types { system_t sys_foo_t };
|
|
|
|
|
|
|
|
type file_t;
|
|
|
|
type file_exec_t, files;
|
|
|
|
type fs_t;
|
|
|
|
type base_optional_1;
|
|
|
|
type base_optional_2;
|
|
|
|
|
|
|
|
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
|
|
|
|
|
|
|
|
optional {
|
|
|
|
require {
|
|
|
|
type base_optional_1, base_optional_2;
|
|
|
|
}
|
|
|
|
allow base_optional_1 base_optional_2 : file { read write };
|
|
|
|
}
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# Role Allow
|
|
|
|
allow user_r sysadm_r;
|
|
|
|
|
|
|
|
####################################
|
|
|
|
# Booleans
|
|
|
|
bool allow_ypbind true;
|
|
|
|
bool secure_mode false;
|
|
|
|
bool allow_execheap false;
|
|
|
|
bool allow_execmem true;
|
|
|
|
bool allow_execmod false;
|
|
|
|
bool allow_execstack true;
|
|
|
|
bool optional_bool_1 true;
|
|
|
|
bool optional_bool_2 false;
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# users
|
|
|
|
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
|
|
|
|
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
|
|
|
|
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
# constraints
|
|
|
|
|
|
|
|
|
|
|
|
####################################
|
|
|
|
#line 1 "initial_sid_contexts"
|
|
|
|
|
|
|
|
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
|
|
|
|
|
|
|
|
|
|
|
|
############################################
|
|
|
|
#line 1 "fs_use"
|
|
|
|
#
|
|
|
|
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
|
|
|
|
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
|
|
|
|
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
|
|
|
|
|
|
|
|
|
|
|
|
genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
|
|
|
|
|
|
|
|
|
|
|
|
####################################
|
|
|
|
#line 1 "net_contexts"
|
|
|
|
|
|
|
|
#portcon tcp 21 system_u:object_r:net_foo_t:s0
|
|
|
|
|
|
|
|
#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
|
|
|
|
|
|
|
|
#
|
|
|
|
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
|
|
|
|
|
|
|
|
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|