mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-12 17:15:00 +00:00
512 lines
7.1 KiB
Plaintext
512 lines
7.1 KiB
Plaintext
|
# FLASK
|
||
|
|
||
|
#
|
||
|
# Define the security object classes
|
||
|
#
|
||
|
|
||
|
class security
|
||
|
class process
|
||
|
class system
|
||
|
class capability
|
||
|
|
||
|
# file-related classes
|
||
|
class filesystem
|
||
|
class file
|
||
|
class dir
|
||
|
class fd
|
||
|
class lnk_file
|
||
|
class chr_file
|
||
|
class blk_file
|
||
|
class sock_file
|
||
|
class fifo_file
|
||
|
|
||
|
# network-related classes
|
||
|
class socket
|
||
|
class tcp_socket
|
||
|
class udp_socket
|
||
|
class rawip_socket
|
||
|
class node
|
||
|
class netif
|
||
|
class netlink_socket
|
||
|
class packet_socket
|
||
|
class key_socket
|
||
|
class unix_stream_socket
|
||
|
class unix_dgram_socket
|
||
|
|
||
|
# sysv-ipc-related clases
|
||
|
class sem
|
||
|
class msg
|
||
|
class msgq
|
||
|
class shm
|
||
|
class ipc
|
||
|
|
||
|
# FLASK
|
||
|
# FLASK
|
||
|
|
||
|
#
|
||
|
# Define initial security identifiers
|
||
|
#
|
||
|
|
||
|
sid kernel
|
||
|
|
||
|
|
||
|
# FLASK
|
||
|
#
|
||
|
# Define common prefixes for access vectors
|
||
|
#
|
||
|
# common common_name { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for file access vectors.
|
||
|
#
|
||
|
|
||
|
common file
|
||
|
{
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
unlink
|
||
|
link
|
||
|
rename
|
||
|
execute
|
||
|
swapon
|
||
|
quotaon
|
||
|
mounton
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for socket access vectors.
|
||
|
#
|
||
|
|
||
|
common socket
|
||
|
{
|
||
|
# inherited from file
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
# socket-specific
|
||
|
bind
|
||
|
connect
|
||
|
listen
|
||
|
accept
|
||
|
getopt
|
||
|
setopt
|
||
|
shutdown
|
||
|
recvfrom
|
||
|
sendto
|
||
|
recv_msg
|
||
|
send_msg
|
||
|
name_bind
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for ipc access vectors.
|
||
|
#
|
||
|
|
||
|
common ipc
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
getattr
|
||
|
setattr
|
||
|
read
|
||
|
write
|
||
|
associate
|
||
|
unix_read
|
||
|
unix_write
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vectors.
|
||
|
#
|
||
|
# class class_name [ inherits common_name ] { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for file-related objects.
|
||
|
#
|
||
|
|
||
|
class filesystem
|
||
|
{
|
||
|
mount
|
||
|
remount
|
||
|
unmount
|
||
|
getattr
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
transition
|
||
|
associate
|
||
|
quotamod
|
||
|
quotaget
|
||
|
}
|
||
|
|
||
|
class dir
|
||
|
inherits file
|
||
|
{
|
||
|
add_name
|
||
|
remove_name
|
||
|
reparent
|
||
|
search
|
||
|
rmdir
|
||
|
}
|
||
|
|
||
|
class file
|
||
|
inherits file
|
||
|
{
|
||
|
execute_no_trans
|
||
|
entrypoint
|
||
|
}
|
||
|
|
||
|
class lnk_file
|
||
|
inherits file
|
||
|
|
||
|
class chr_file
|
||
|
inherits file
|
||
|
|
||
|
class blk_file
|
||
|
inherits file
|
||
|
|
||
|
class sock_file
|
||
|
inherits file
|
||
|
|
||
|
class fifo_file
|
||
|
inherits file
|
||
|
|
||
|
class fd
|
||
|
{
|
||
|
use
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for network-related objects.
|
||
|
#
|
||
|
|
||
|
class socket
|
||
|
inherits socket
|
||
|
|
||
|
class tcp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
}
|
||
|
|
||
|
class udp_socket
|
||
|
inherits socket
|
||
|
|
||
|
class rawip_socket
|
||
|
inherits socket
|
||
|
|
||
|
class node
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
enforce_dest
|
||
|
}
|
||
|
|
||
|
class netif
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
}
|
||
|
|
||
|
class netlink_socket
|
||
|
inherits socket
|
||
|
|
||
|
class packet_socket
|
||
|
inherits socket
|
||
|
|
||
|
class key_socket
|
||
|
inherits socket
|
||
|
|
||
|
class unix_stream_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
}
|
||
|
|
||
|
class unix_dgram_socket
|
||
|
inherits socket
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for process-related objects
|
||
|
#
|
||
|
|
||
|
class process
|
||
|
{
|
||
|
fork
|
||
|
transition
|
||
|
sigchld # commonly granted from child to parent
|
||
|
sigkill # cannot be caught or ignored
|
||
|
sigstop # cannot be caught or ignored
|
||
|
signull # for kill(pid, 0)
|
||
|
signal # all other signals
|
||
|
ptrace
|
||
|
getsched
|
||
|
setsched
|
||
|
getsession
|
||
|
getpgid
|
||
|
setpgid
|
||
|
getcap
|
||
|
setcap
|
||
|
share
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for ipc-related objects
|
||
|
#
|
||
|
|
||
|
class ipc
|
||
|
inherits ipc
|
||
|
|
||
|
class sem
|
||
|
inherits ipc
|
||
|
|
||
|
class msgq
|
||
|
inherits ipc
|
||
|
{
|
||
|
enqueue
|
||
|
}
|
||
|
|
||
|
class msg
|
||
|
{
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class shm
|
||
|
inherits ipc
|
||
|
{
|
||
|
lock
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for the security server.
|
||
|
#
|
||
|
|
||
|
class security
|
||
|
{
|
||
|
compute_av
|
||
|
transition_sid
|
||
|
member_sid
|
||
|
sid_to_context
|
||
|
context_to_sid
|
||
|
load_policy
|
||
|
get_sids
|
||
|
change_sid
|
||
|
get_user_sids
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for system operations.
|
||
|
#
|
||
|
|
||
|
class system
|
||
|
{
|
||
|
ipc_info
|
||
|
avc_toggle
|
||
|
nfsd_control
|
||
|
bdflush
|
||
|
syslog_read
|
||
|
syslog_mod
|
||
|
syslog_console
|
||
|
ichsid
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controling capabilies
|
||
|
#
|
||
|
|
||
|
class capability
|
||
|
{
|
||
|
# The capabilities are defined in include/linux/capability.h
|
||
|
# Care should be taken to ensure that these are consistent with
|
||
|
# those definitions. (Order matters)
|
||
|
|
||
|
chown
|
||
|
dac_override
|
||
|
dac_read_search
|
||
|
fowner
|
||
|
fsetid
|
||
|
kill
|
||
|
setgid
|
||
|
setuid
|
||
|
setpcap
|
||
|
linux_immutable
|
||
|
net_bind_service
|
||
|
net_broadcast
|
||
|
net_admin
|
||
|
net_raw
|
||
|
ipc_lock
|
||
|
ipc_owner
|
||
|
sys_module
|
||
|
sys_rawio
|
||
|
sys_chroot
|
||
|
sys_ptrace
|
||
|
sys_pacct
|
||
|
sys_admin
|
||
|
sys_boot
|
||
|
sys_nice
|
||
|
sys_resource
|
||
|
sys_time
|
||
|
sys_tty_config
|
||
|
mknod
|
||
|
lease
|
||
|
}
|
||
|
|
||
|
ifdef(`enable_mls',`
|
||
|
sensitivity s0;
|
||
|
|
||
|
#
|
||
|
# Define the ordering of the sensitivity levels (least to greatest)
|
||
|
#
|
||
|
dominance { s0 }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the categories
|
||
|
#
|
||
|
# Each category has a name and zero or more aliases.
|
||
|
#
|
||
|
category c0; category c1; category c2; category c3;
|
||
|
category c4; category c5; category c6; category c7;
|
||
|
category c8; category c9; category c10; category c11;
|
||
|
category c12; category c13; category c14; category c15;
|
||
|
category c16; category c17; category c18; category c19;
|
||
|
category c20; category c21; category c22; category c23;
|
||
|
|
||
|
level s0:c0.c23;
|
||
|
|
||
|
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
||
|
( h1 dom h2 );
|
||
|
')
|
||
|
|
||
|
####################################
|
||
|
####################################
|
||
|
#####################################
|
||
|
# TE RULES
|
||
|
attribute domain;
|
||
|
attribute system;
|
||
|
attribute foo;
|
||
|
attribute num;
|
||
|
attribute num_exec;
|
||
|
attribute files;
|
||
|
|
||
|
type net_foo_t, foo;
|
||
|
type sys_foo_t, foo, system;
|
||
|
role system_r types sys_foo_t;
|
||
|
|
||
|
type user_t, domain;
|
||
|
role user_r types user_t;
|
||
|
|
||
|
type sysadm_t, domain, system;
|
||
|
role sysadm_r types sysadm_t;
|
||
|
|
||
|
type system_t, domain, system, foo;
|
||
|
role system_r types { system_t sys_foo_t };
|
||
|
|
||
|
type file_t;
|
||
|
type file_exec_t, files;
|
||
|
type fs_t;
|
||
|
type base_optional_1;
|
||
|
type base_optional_2;
|
||
|
|
||
|
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
|
||
|
|
||
|
optional {
|
||
|
require {
|
||
|
type base_optional_1, base_optional_2;
|
||
|
}
|
||
|
allow base_optional_1 base_optional_2 : file { read write };
|
||
|
}
|
||
|
|
||
|
#####################################
|
||
|
# Role Allow
|
||
|
allow user_r sysadm_r;
|
||
|
|
||
|
####################################
|
||
|
# Booleans
|
||
|
bool allow_ypbind true;
|
||
|
bool secure_mode false;
|
||
|
bool allow_execheap false;
|
||
|
bool allow_execmem true;
|
||
|
bool allow_execmod false;
|
||
|
bool allow_execstack true;
|
||
|
bool optional_bool_1 true;
|
||
|
bool optional_bool_2 false;
|
||
|
|
||
|
#####################################
|
||
|
# users
|
||
|
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
|
||
|
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
|
||
|
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
|
||
|
|
||
|
#####################################
|
||
|
# constraints
|
||
|
|
||
|
|
||
|
####################################
|
||
|
#line 1 "initial_sid_contexts"
|
||
|
|
||
|
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
|
||
|
|
||
|
|
||
|
############################################
|
||
|
#line 1 "fs_use"
|
||
|
#
|
||
|
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
|
||
|
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
|
||
|
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
|
||
|
|
||
|
|
||
|
genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
|
||
|
|
||
|
|
||
|
####################################
|
||
|
#line 1 "net_contexts"
|
||
|
|
||
|
#portcon tcp 21 system_u:object_r:net_foo_t:s0
|
||
|
|
||
|
#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
|
||
|
|
||
|
#
|
||
|
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
|
||
|
|
||
|
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
|
||
|
|
||
|
|
||
|
|
||
|
|