class file class process class char sid kernel sid security sid unlabeled common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } class file inherits file { execute_no_trans entrypoint execmod open audit_access } class char inherits file { foo transition } class process { open } sensitivity s0 alias sens0; sensitivity s1; dominance { s0 s1 } category c0 alias cat0; category c1; category c2; level s0:c0.c2; level s1:c0.c2; mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2))); mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2)); mlsconstrain file { open } (l1 dom h2); mlsconstrain file { open } (h1 domby l2); mlsconstrain file { open } (l1 incomp l2); mlsvalidatetrans file (h1 domby l2); attribute foo_type; attribute bar_type; attribute baz_type; attribute exec_type; type bin_t, bar_type, exec_type; type kernel_t, foo_type, exec_type, baz_type; type security_t, baz_type; type unlabeled_t, baz_type; type exec_t, baz_type; type console_t, baz_type; type auditadm_t, baz_type; type console_device_t, baz_type; type user_tty_device_t, baz_type; type device_t, baz_type; type getty_t, baz_type; type a_t, baz_type; type b_t, baz_type; typealias bin_t alias sbin_t; bool secure_mode false; bool console_login true; bool b1 false; role system_r; role user_r; role system_r types bin_t; role system_r types kernel_t; role system_r types security_t; role system_r types unlabeled_t; policycap open_perms; permissive device_t; range_transition device_t console_t : file s0:c0 - s1:c0.c1; type_transition device_t console_t : file console_device_t; type_member device_t bin_t : file exec_t; if console_login{ type_change auditadm_t console_device_t : file user_tty_device_t; } role_transition system_r bin_t user_r; auditallow device_t auditadm_t: file { open }; dontaudit device_t auditadm_t: file { read }; allow system_r user_r; allow console_t console_device_t: char { write setattr }; allow console_t console_device_t: file { open read getattr }; allow foo_type self: file { execute }; allow bin_t device_t: file { execute }; allow bin_t exec_t: file { execute }; allow bin_t bin_t: file { execute }; allow a_t b_t : file { write }; allow console_t console_device_t: file { read write getattr setattr lock append }; allow kernel_t kernel_t : file { execute }; if b1 { allow a_t b_t : file { read }; } if secure_mode{ auditallow device_t exec_t: file { read write }; } if console_login{ allow getty_t console_device_t: file { getattr open read write append }; } else { dontaudit getty_t console_device_t: file { getattr open read write append }; } if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){ allow bin_t exec_t: file { execute }; } user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; user user_u roles user_r level s0:c0 range s0:c0 - s0:c0; validatetrans file (t1 == exec_t); constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); constrain file { open } (r1 dom r2); constrain file { open } (r1 domby r2); constrain file { open } (r1 incomp r2); constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1 sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1 sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1 fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1; genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1 portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1