selinux/secilc/test/neverallow.cil

80 lines
1.6 KiB
Plaintext
Raw Normal View History

(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(class c1 (p1a p1b p1c))
(class c2 (p2a p2b p2c))
(class c3 (p3a p3b p3c))
(classorder (CLASS c1 c2 c3))
(classpermission cp1)
(classpermissionset cp1 (c1 (p1a p1b)))
(classpermissionset cp1 (c2 (p2a)))
(classmap cm1 (mp1))
(classmapping cm1 mp1
(c1 (p1a)))
(type t1)
(type t2)
(type t3)
(type t4)
(type t5)
(type t6)
(type t7)
(typeattribute a1)
(typeattribute a2)
(typeattribute a3)
(typeattribute a4)
(typeattribute a5)
(typeattribute a6)
(typeattributeset a1 (t1 t2 t3 t4 t5))
(typeattributeset a2 (t1 t2))
(typeattributeset a3 (t3 t4))
(typeattributeset a4 (t2 t3))
(typeattributeset a5 (t5 t6))
(typeattributeset a6 (t6 t7))
(neverallow t1 t2 (c1 (p1a p1b)))
(allow t1 t2 (c1 (p1a)))
(neverallow t3 t4 (cm1 (mp1)))
(allow t3 t4 (c1 (p1a)))
(neverallow t5 t6 cp1)
(allow t5 t6 (c1 (p1b)))
(allow t5 t6 (c2 (p2a)))
(neverallow a1 self (CLASS (PERM)))
(allow t1 t1 (CLASS (PERM)))
(allow t2 self (CLASS (PERM)))
(allow a3 self (CLASS (PERM)))
(allow a2 a4 (CLASS (PERM)))
(neverallow a5 a6 (CLASS (PERM)))
(allow t5 t7 (CLASS (PERM)))
(allow t6 self (CLASS (PERM)))
;; Should not call these violations
(allow a1 self (c1 (p1a)))
(allow a2 a3 (CLASS (PERM)))
(allow t5 t6 (c2 (p2b)))