# Kernel policy source in checkpolicy "policy.conf" syntax.
# Sections appear in the order the checkpolicy grammar requires: classes,
# initial SIDs, access vectors, MLS, type/attribute/bool/role declarations,
# rules, users, constraints, then initial-SID and labeling contexts.
#
# NOTE(review): this reads as a coverage fixture that exercises one instance of
# nearly every statement kind (placeholder names such as foo_type, a_t, b_t and
# the "foo" permission) rather than a deployable policy — confirm against the
# tests that consume it before reusing any rule from it.

class file
class process
class char

sid kernel
sid security
sid unlabeled

common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }

# "open" is declared on file and process; it is only enforced when the
# open_perms policy capability below is enabled.
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
# "transition" is declared on char so the role/type constrain on char further
# down can name it; "foo" is a placeholder permission.
class char inherits file { foo transition }
class process { open }

sensitivity s0 alias sens0;
sensitivity s1;

dominance { s0 s1 }

category c0 alias cat0;
category c1;
category c2;

level s0:c0.c2;
level s1:c0.c2;

# One mlsconstrain per MLS operator (eq/!=, dom, domby, incomp). Constraints on
# the same class/permission are all evaluated, so every one of them must hold;
# as written, (l1 dom h2) together with (l1 incomp l2) looks unsatisfiable for a
# valid range (h2 dominates l2), which is acceptable for a parser fixture only.
# Note both spellings of the operator are used: "eq"/"!=" here, "==" in the
# validatetrans below.
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
mlsconstrain file { open } (l1 dom h2);
mlsconstrain file { open } (h1 domby l2);
mlsconstrain file { open } (l1 incomp l2);

mlsvalidatetrans file (h1 domby l2);

attribute foo_type;
attribute bar_type;
attribute baz_type;
attribute exec_type;

type bin_t, bar_type, exec_type;
type kernel_t, foo_type, exec_type, baz_type;
type security_t, baz_type;
type unlabeled_t, baz_type;

type exec_t, baz_type;
type console_t, baz_type;
type auditadm_t, baz_type;
type console_device_t, baz_type;
type user_tty_device_t, baz_type;
type device_t, baz_type;
type getty_t, baz_type;
type a_t, baz_type;
type b_t, baz_type;

typealias bin_t alias sbin_t;

bool secure_mode false;
bool console_login true;
bool b1 false;

role system_r;
role user_r;
# Role/type associations accumulate across repeated statements.
role system_r types bin_t;
role system_r types kernel_t;
role system_r types security_t;
role system_r types unlabeled_t;

policycap open_perms;
# permissive: denials for device_t subjects are audited but not enforced.
# Expected in a fixture; in a production policy this is a line to flag.
permissive device_t;

# MLS range uses the dotted category-range form (c0.c1); the contexts at the
# bottom of the file use the comma list form (c0,c1).
range_transition device_t console_t : file s0:c0 - s1:c0.c1;

type_transition device_t console_t : file console_device_t;
type_member device_t bin_t : file exec_t;

if console_login{
type_change auditadm_t console_device_t : file user_tty_device_t;
}

role_transition system_r bin_t user_r;

auditallow device_t auditadm_t: file { open };
dontaudit device_t auditadm_t: file { read };

# Role allow (system_r may transition to user_r), distinct from the TE allows below.
allow system_r user_r;

# The two console_t -> console_device_t:file rules overlap; the permission sets
# are unioned when the policy is compiled.
allow console_t console_device_t: char { write setattr };
allow console_t console_device_t: file { open read getattr };
allow foo_type self: file { execute };
allow bin_t device_t: file { execute };
allow bin_t exec_t: file { execute };
allow bin_t bin_t: file { execute };
allow a_t b_t : file { write };
allow console_t console_device_t: file { read write getattr setattr lock append };
allow kernel_t kernel_t : file { execute };

if b1 {
allow a_t b_t : file { read };
}

if secure_mode{
auditallow device_t exec_t: file { read write };
}

# if/else conditional block.
if console_login{
allow getty_t console_device_t: file { getattr open read write append };
}
else {
dontaudit getty_t console_device_t: file { getattr open read write append };
}

# Exercises the full conditional-expression operator set: not, eq, xor, or, and.
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
allow bin_t exec_t: file { execute };
}

user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;

validatetrans file (t1 == exec_t);

# Non-MLS constraints: role dom/domby/incomp plus type/role expressions. As with
# the MLS block, (r1 dom r2) + (r1 domby r2) + (r1 incomp r2) on the same
# permission cannot all hold at once — fixture coverage, not intended semantics.
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain file { open } (r1 dom r2);
constrain file { open } (r1 domby r2);
constrain file { open } (r1 incomp r2);
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));


# Initial SID contexts and the labeling statements below take no trailing
# semicolon in this grammar; fs_use_xattr does.
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1

fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;

genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1

portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1

# netifcon takes two contexts: the interface context, then the packet context.
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1

# nodecon: address, then mask, then context (IPv4 and IPv6 forms).
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1