63 lines
1.9 KiB
Plaintext
63 lines
1.9 KiB
Plaintext
|
# handle_unknown deny
|
||
|
class CLASS1
|
||
|
class CLASS2
|
||
|
class CLASS3
|
||
|
class dir
|
||
|
class file
|
||
|
class process
|
||
|
sid kernel
|
||
|
common COMMON1 { CPERM1 }
|
||
|
class CLASS1 { PERM1 }
|
||
|
class CLASS2 inherits COMMON1
|
||
|
class CLASS3 inherits COMMON1 { PERM1 }
|
||
|
default_user { CLASS1 } source;
|
||
|
default_role { CLASS2 } target;
|
||
|
default_type { CLASS3 } source;
|
||
|
attribute ATTR1;
|
||
|
attribute ATTR2;
|
||
|
expandattribute ATTR1 true;
|
||
|
expandattribute ATTR2 false;
|
||
|
type TYPE1;
|
||
|
type TYPE2, ATTR1;
|
||
|
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
|
||
|
type TYPE4 alias TYPEALIAS4, ATTR2;
|
||
|
typealias TYPE1 alias TYPEALIAS1;
|
||
|
typeattribute TYPE1 ATTR1;
|
||
|
typebounds TYPE4 TYPE3;
|
||
|
bool BOOL1 true;
|
||
|
tunable TUNABLE1 false;
|
||
|
tunable TUNABLE2 true;
|
||
|
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
|
||
|
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
|
||
|
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
|
||
|
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
|
||
|
allow TYPE1 self : CLASS1 { PERM1 };
|
||
|
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
|
||
|
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
|
||
|
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
|
||
|
permissive TYPE1;
|
||
|
attribute_role ROLE_ATTR1;
|
||
|
role ROLE1;
|
||
|
role ROLE3;
|
||
|
role ROLE2, ROLE_ATTR1;
|
||
|
role_transition ROLE1 TYPE1 ROLE2;
|
||
|
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
|
||
|
allow ROLE1 ROLE2;
|
||
|
roleattribute ROLE3 ROLE_ATTR1;
|
||
|
role ROLE1 types { TYPE1 };
|
||
|
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
|
||
|
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
|
||
|
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
|
||
|
policycap open_perms;
|
||
|
user USER1 roles ROLE1;
|
||
|
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
|
||
|
validatetrans CLASS2 sameuser and t3 == ATTR1;
|
||
|
sid kernel USER1:ROLE1:TYPE1
|
||
|
pirqcon 13 USER1:ROLE1:TYPE1
|
||
|
iomemcon 13 USER1:ROLE1:TYPE1
|
||
|
iomemcon 23-31 USER1:ROLE1:TYPE1
|
||
|
ioportcon 13 USER1:ROLE1:TYPE1
|
||
|
ioportcon 23-31 USER1:ROLE1:TYPE1
|
||
|
pcidevicecon 13 USER1:ROLE1:TYPE1
|
||
|
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
|