selinux/checkpolicy/tests/policy_allonce_mls.expected.conf

89 lines
2.9 KiB
Plaintext
Raw Normal View History

# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid kernel
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
sensitivity s0;
sensitivity s1;
sensitivity s2 alias SENSALIAS;
dominance { s0 s1 s2 }
category c0;
category c1 alias CATALIAS;
level s0:c0;
level s1:c0,c1;
level s2;
mlsconstrain CLASS1 { PERM1 } l1 == l2;
mlsvalidatetrans CLASS1 (r1 domby r2 and l1 incomp h2);
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
bool BOOL1 true;
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;
permissive TYPE1;
allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
range_transition TYPE1 TYPE2:CLASS1 s1:c0,c1 - s1:c0,c1;
if (BOOL1) {
} else {
allow TYPE1 self:CLASS1 { PERM1 ioctl };
}
role ROLE1;
role ROLE2;
role ROLE3;
role ROLE1 types { TYPE1 };
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
allow ROLE1 ROLE2;
user USER1 roles ROLE1 level s0 range s0 - s1:c0,c1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0,c1
fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0,c1;
fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
genfscon proc "/" -d USER1:ROLE1:TYPE1:s0 - s0
genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0 - s0
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0 - s0
portcon tcp 80 USER1:ROLE1:TYPE1:s0 - s0
portcon udp 100-200 USER1:ROLE1:TYPE1:s0 - s0
netifcon lo USER1:ROLE1:TYPE1:s0 - s0 USER1:ROLE1:TYPE1:s0 - s0
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0 - s0
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0 - s0
ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1:s0 - s0
ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1:s0 - s0
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0 - s0
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0 - s0