224 lines
5.6 KiB
Plaintext
224 lines
5.6 KiB
Plaintext
|
(type bin_t)
|
||
|
(type kernel_t)
|
||
|
(type security_t)
|
||
|
(type unlabeled_t)
|
||
|
|
||
|
(policycap open_perms)
|
||
|
(sensitivity s0)
|
||
|
(sensitivity s1)
|
||
|
(sensitivityalias s0 sens0)
|
||
|
(dominance (s0 s1))
|
||
|
|
||
|
(category c0)
|
||
|
(category c1)
|
||
|
(category c2)
|
||
|
(categoryalias c0 cat0)
|
||
|
(categoryset cats01 (c0 c1))
|
||
|
(categoryorder (c0 c1 c2))
|
||
|
(categoryrange catrng02 (c0 c2))
|
||
|
|
||
|
(sensitivitycategory s0 (catrng02))
|
||
|
(sensitivitycategory s1 cats01)
|
||
|
(sensitivitycategory s1 (c2))
|
||
|
|
||
|
(level low (s0 (c0)))
|
||
|
(level high (s1 (c0 c1)))
|
||
|
(levelrange low_high (low high))
|
||
|
|
||
|
(permissionset file_perms (execute_no_trans entrypoint execmod open
|
||
|
audit_access))
|
||
|
(class file (execute_no_trans entrypoint execmod open audit_access))
|
||
|
(class process (open))
|
||
|
(common file (ioctl read write create getattr setattr lock relabelfrom
|
||
|
relabelto append unlink link rename execute swapon
|
||
|
quotaon mounton))
|
||
|
(classcommon file file)
|
||
|
|
||
|
(classpermissionset file_rw (file (read write getattr setattr lock append)))
|
||
|
|
||
|
(class char (foo transition))
|
||
|
(classcommon char file)
|
||
|
|
||
|
(classpermissionset char_w (char (write setattr)))
|
||
|
|
||
|
(classmap files (read))
|
||
|
(classmapping files read
|
||
|
(file (open read getattr))
|
||
|
char_w)
|
||
|
|
||
|
(type auditadm_t)
|
||
|
(type console_t)
|
||
|
(type console_device_t)
|
||
|
(type user_tty_device_t)
|
||
|
(type device_t)
|
||
|
(type getty_t)
|
||
|
(type exec_t)
|
||
|
|
||
|
(allow console_t console_device_t file_rw)
|
||
|
(allow console_t console_device_t (files (read)))
|
||
|
|
||
|
(boolean secure_mode false)
|
||
|
(boolean console_login true)
|
||
|
|
||
|
|
||
|
(sid kernel)
|
||
|
(sid security)
|
||
|
(sid unlabeled)
|
||
|
|
||
|
(typeattribute exec_type)
|
||
|
(typeattribute foo_type)
|
||
|
(typeattribute bar_type)
|
||
|
(typeattribute baz_type)
|
||
|
(typeattributeset exec_type (or bin_t kernel_t))
|
||
|
(typeattributeset foo_type (and exec_type kernel_t))
|
||
|
(typeattributeset bar_type (xor exec_type foo_type))
|
||
|
(typeattributeset baz_type (not bin_t))
|
||
|
(typealias bin_t sbin_t)
|
||
|
(typepermissive device_t)
|
||
|
(typebounds device_t bin_t)
|
||
|
(typemember device_t bin_t file exec_t)
|
||
|
(typetransition device_t console_t file console_device_t)
|
||
|
|
||
|
(rangetransition device_t console_t file low_high)
|
||
|
|
||
|
(nametypetransition some_file device_t console_t file getty_t)
|
||
|
|
||
|
(allow foo_type self (file (execute)))
|
||
|
(allow bin_t device_t (file (execute)))
|
||
|
|
||
|
(booleanif secure_mode
|
||
|
(true
|
||
|
(auditallow device_t exec_t (file (read write)))
|
||
|
)
|
||
|
)
|
||
|
|
||
|
(booleanif console_login
|
||
|
(true
|
||
|
(typechange auditadm_t console_device_t file user_tty_device_t)
|
||
|
(allow getty_t console_device_t (file (getattr open read write append)))
|
||
|
)
|
||
|
(false
|
||
|
(dontaudit getty_t console_device_t (file (getattr open read write append)))
|
||
|
)
|
||
|
)
|
||
|
|
||
|
(booleanif (not (xor (eq secure_mode console_login)
|
||
|
(and (or secure_mode console_login) secure_mode ) ) )
|
||
|
(true
|
||
|
(allow bin_t exec_t (file (execute)))
|
||
|
)
|
||
|
)
|
||
|
|
||
|
(tunable allow_execfile true)
|
||
|
(tunable allow_userexec false)
|
||
|
|
||
|
(tunableif (not (xor (eq allow_execfile allow_userexec)
|
||
|
(and (or allow_execfile allow_userexec)
|
||
|
(and allow_execfile allow_userexec) ) ) )
|
||
|
(true
|
||
|
(allow bin_t exec_t (file (execute)))
|
||
|
)
|
||
|
)
|
||
|
|
||
|
(optional allow_rules
|
||
|
(allow user_t exec_t (bins (execute)))
|
||
|
)
|
||
|
|
||
|
(dontaudit device_t auditadm_t (file (read)))
|
||
|
(auditallow device_t auditadm_t (file (open)))
|
||
|
|
||
|
(user system_u)
|
||
|
(user user_u)
|
||
|
(userprefix user_u user)
|
||
|
(userprefix system_u user)
|
||
|
|
||
|
(selinuxuser name user_u low_high)
|
||
|
(selinuxuserdefault user_u low_high)
|
||
|
|
||
|
(role system_r)
|
||
|
(role user_r)
|
||
|
|
||
|
(roletype system_r bin_t)
|
||
|
(roletype system_r kernel_t)
|
||
|
(roletype system_r security_t)
|
||
|
(roletype system_r unlabeled_t)
|
||
|
(roleallow system_r user_r)
|
||
|
(rolebounds system_r user_r)
|
||
|
(roletransition system_r bin_t process user_r)
|
||
|
|
||
|
(userrole system_u system_r)
|
||
|
(userlevel system_u low)
|
||
|
(userrange system_u low_high)
|
||
|
(userbounds system_u user_u)
|
||
|
(userrole user_u user_r)
|
||
|
(userlevel user_u low)
|
||
|
(userrange user_u (low low))
|
||
|
|
||
|
(sidcontext kernel (system_u system_r kernel_t (low high)))
|
||
|
(sidcontext security (system_u system_r security_t (low high)))
|
||
|
(sidcontext unlabeled (system_u system_r unlabeled_t (low high)))
|
||
|
|
||
|
(context system_u_bin_t_l2h (system_u system_r bin_t (low high)))
|
||
|
|
||
|
(ipaddr ip_v4 192.25.35.200)
|
||
|
(ipaddr netmask 192.168.1.1)
|
||
|
(ipaddr ip_v6 2001:0DB8:AC10:FE01::)
|
||
|
(ipaddr netmask_v6 2001:0DE0:DA88:2222::)
|
||
|
|
||
|
(filecon "/usr/bin/" "foo" file system_u_bin_t_l2h)
|
||
|
(filecon "/usr/bin/" "bar" file ())
|
||
|
(filecon "/usr/bin/" "baz" any ())
|
||
|
(nodecon ip_v4 netmask system_u_bin_t_l2h)
|
||
|
(nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
|
||
|
(portcon udp 25 system_u_bin_t_l2h)
|
||
|
(portcon tcp 22 system_u_bin_t_l2h)
|
||
|
(genfscon - "/usr/bin" system_u_bin_t_l2h)
|
||
|
(netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
|
||
|
(fsuse xattr ext3 system_u_bin_t_l2h)
|
||
|
|
||
|
; XEN
|
||
|
(pirqcon 256 system_u_bin_t_l2h)
|
||
|
(iomemcon (0 255) system_u_bin_t_l2h)
|
||
|
(ioportcon (22 22) system_u_bin_t_l2h)
|
||
|
(pcidevicecon 345 system_u_bin_t_l2h)
|
||
|
|
||
|
(constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
|
||
|
(constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
|
||
|
|
||
|
(constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 u2) ) )
|
||
|
(constrain (file (open)) (dom r1 r2))
|
||
|
(constrain (file (open)) (domby r1 r2))
|
||
|
(constrain (file (open)) (incomp r1 r2))
|
||
|
|
||
|
(validatetrans file (eq t1 exec_t))
|
||
|
|
||
|
(mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2))))
|
||
|
(mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))
|
||
|
(mlsconstrain (file (open)) (dom h1 l2))
|
||
|
(mlsconstrain (file (open)) (domby l1 h2))
|
||
|
(mlsconstrain (file (open)) (incomp l1 l2))
|
||
|
|
||
|
(mlsvalidatetrans file (domby l1 h2))
|
||
|
|
||
|
(macro all ((type x))
|
||
|
(allow x bin_t (file (execute)))
|
||
|
)
|
||
|
(call all (bin_t))
|
||
|
|
||
|
(type a_t)
|
||
|
(type b_t)
|
||
|
(boolean b1 false)
|
||
|
(tunable tun1 true)
|
||
|
(macro m ((boolean b))
|
||
|
(tunableif tun1
|
||
|
(true
|
||
|
(allow a_t b_t (file (write))))
|
||
|
(false
|
||
|
(allow a_t b_t (file (execute)))))
|
||
|
(booleanif b
|
||
|
(true
|
||
|
(allow a_t b_t (file (read))))))
|
||
|
|
||
|
(call m (b1))
|
||
|
|