selinux/secilc/test/policy.cil
Christian Göttsche 1fd41f488e libsepol/cil: add support for xperms in conditional policies
Add support for extended permission rules in conditional policies.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-11-15 13:59:07 -05:00

376 lines
11 KiB
Plaintext

(type bin_t)
(type kernel_t)
(type security_t)
(type unlabeled_t)
(handleunknown allow)
(mls true)
(policycap open_perms)
(category c0)
(category c1)
(category c2)
(category c3)
(category c4)
(category c5)
(categoryalias cat0)
(categoryaliasactual cat0 c0)
(categoryset cats01 (c0 c1))
(categoryset cats02 (c2 c3))
(categoryset cats03 (range c0 c5))
(categoryset cats04 (not (range c0 c2)))
(categoryorder (cat0 c1 c2 c3))
(categoryorder (c3 c4 c5))
(sensitivity s0)
(sensitivity s1)
(sensitivity s2)
(sensitivity s3)
(sensitivityalias sens0)
(sensitivityaliasactual sens0 s0)
(sensitivityorder (s0 s1 s2 s3))
(sensitivitycategory s0 (cats03))
(sensitivitycategory s1 cats01)
(sensitivitycategory s1 (c2))
(sensitivitycategory s2 (cats01 cats02))
(sensitivitycategory s2 (range c4 c5))
(sensitivitycategory s3 (range c0 c5))
(level low (s0))
(level high (s3 (range c0 c3)))
(levelrange low_high (low high))
(levelrange lh1 ((s0 (c0)) (s2 (c0 c3))))
(levelrange lh2 (low (s2 (c0 c3))))
(levelrange lh3 ((s0 cats04) (s2 (range c0 c5))))
(levelrange lh4 ((s0) (s1)))
(block policy
(class file (execute_no_trans entrypoint execmod open audit_access a b c d e))
(class socket (nlmsg))
; order should be: file socket char b c a dir d e f
(classorder (file socket char))
(classorder (unordered dir))
(classorder (unordered c a b d e f))
(classorder (char b c a))
(common file (ioctl read write create getattr setattr lock relabelfrom
relabelto append unlink link rename execute swapon
quotaon mounton))
(classcommon file file)
(classpermission file_rw)
(classpermissionset file_rw (file (read write getattr setattr lock append)))
;;(classpermission loop1)
;;(classpermissionset loop1 ((loop2)))
;;(classpermission loop2)
;;(classpermissionset loop2 ((loop3)))
;;(classpermission loop3)
;;(classpermissionset loop3 ((loop1)))
(class char (foo))
(classcommon char file)
(class dir ())
(class a ())
(class b ())
(class c ())
(class d ())
(class e ())
(class f ())
(classcommon dir file)
(classpermission char_w)
(classpermissionset char_w (char (write setattr)))
(classpermissionset char_w (file (open read getattr)))
(classmap files (read))
(classmapping files read
(file (open read getattr)))
(classmapping files read
char_w)
(type auditadm_t)
(type console_t)
(type console_device_t)
(type user_tty_device_t)
(type device_t)
(type getty_t)
(type exec_t)
(type bad_t)
;;(allow console_t console_device_t file_rw)
(allow console_t console_device_t (files (read)))
(permissionx ioctl_test (ioctl files (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
(allowx console_t console_device_t ioctl_test)
(boolean secure_mode false)
(boolean console_login true)
(sid kernel)
(sid security)
(sid unlabeled)
(sidorder (kernel security))
(sidorder (security unlabeled))
(typeattribute exec_type)
(typeattribute foo_type)
(typeattribute bar_type)
(typeattribute baz_type)
(typeattribute not_bad_type)
(typeattributeset exec_type (or bin_t kernel_t))
(typeattributeset foo_type (and exec_type kernel_t))
(typeattributeset bar_type (xor exec_type foo_type))
(typeattributeset baz_type (not bin_t))
(typeattributeset baz_type (and exec_type (and bar_type bin_t)))
(typeattributeset not_bad_type (not bad_t))
(typealias sbin_t)
(typealiasactual sbin_t bin_t)
(typepermissive device_t)
(typemember device_t bin_t file exec_t)
(typemember exec_type self file exec_t)
(typetransition device_t console_t files console_device_t)
(typetransition device_t exec_type files console_device_t)
(typetransition exec_type self files console_device_t)
(typetransition exec_type self files "filename" console_device_t)
(typechange console_device_t device_t file user_tty_device_t)
(typechange exec_type device_t file user_tty_device_t)
(typechange exec_type self file console_device_t)
(roleattribute exec_role)
(roleattribute foo_role)
(roleattribute bar_role)
(roleattribute baz_role)
(roleattribute foo_role_a)
(roleattributeset exec_role (or user_r system_r))
(roleattributeset foo_role_a (baz_r user_r system_r))
(roleattributeset foo_role (and exec_role system_r))
(roleattributeset bar_role (xor exec_role foo_role))
(roleattributeset baz_role (not user_r))
(rangetransition device_t console_t file low_high)
(rangetransition device_t kernel_t file ((s0) (s3 (not c3))))
(typetransition device_t console_t file "some_file" getty_t)
(allow foo_type self (file (execute)))
(allow bin_t device_t (file (execute)))
;; Next two rules violate the neverallow rule that follows
;;(allow bad_t not_bad_type (file (execute)))
;;(allow bad_t exec_t (file (execute)))
(neverallow bad_t not_bad_type (file (execute)))
(auditallowx getty_t console_device_t (ioctl file (range 0x1000 0x10FF)))
(auditallowx getty_t kernel_t (nlmsg socket (range 0x1000 0x10FF)))
(booleanif secure_mode
(true
(auditallow device_t exec_t (file (read write)))
)
)
(booleanif console_login
(true
(typechange auditadm_t console_device_t file user_tty_device_t)
(allow getty_t console_device_t (file (getattr open read write append)))
(auditallowx getty_t console_device_t (ioctl file (range 0x2000 0x21FF)))
(auditallowx getty_t kernel_t (nlmsg socket (0x1)))
)
(false
(dontaudit getty_t console_device_t (file (getattr open read write append)))
(dontauditx getty_t console_device_t (ioctl file (range 0x3000 0x31FF)))
)
)
(booleanif (not (xor (eq secure_mode console_login)
(and (or secure_mode console_login) secure_mode ) ) )
(true
(allow bin_t exec_t (file (execute)))
)
)
(tunable allow_execfile true)
(tunable allow_userexec false)
(tunableif (not (xor (eq allow_execfile allow_userexec)
(and (or allow_execfile allow_userexec)
(and allow_execfile allow_userexec) ) ) )
(true
(allow bin_t exec_t (file (execute)))
)
)
(optional allow_rules
(allow user_t exec_t (bins (execute)))
)
(dontaudit device_t auditadm_t (file (read)))
(auditallow device_t auditadm_t (file (open)))
(user system_u)
(user user_u)
(user foo_u)
(userprefix user_u user)
(userprefix system_u user)
(selinuxuser name user_u low_high)
(selinuxuserdefault user_u ((s0 (c0)) (s3 (range c0 c3))))
(role system_r)
(role user_r)
(role baz_r)
(roletype system_r bin_t)
(roletype system_r kernel_t)
(roletype system_r security_t)
(roletype system_r unlabeled_t)
(roletype system_r exec_type)
(roletype exec_role bin_t)
(roletype exec_role exec_type)
(roleallow system_r user_r)
(roletransition system_r bin_t file user_r)
(userrole foo_u foo_role)
(userlevel foo_u low)
(userattribute ua1)
(userattribute ua2)
(userattribute ua3)
(userattribute ua4)
(userattributeset ua1 (user_u system_u))
(userattributeset ua2 (foo_u system_u))
(userattributeset ua3 (and ua1 ua2))
(user u5)
(user u6)
(userlevel u5 low)
(userlevel u6 low)
(userrange u5 low_high)
(userrange u6 low_high)
(userattributeset ua4 (u5 u6))
(userrole ua4 foo_role_a)
(userrange foo_u low_high)
(userrole system_u system_r)
(userlevel system_u low)
(userrange system_u low_high)
(userrole user_u user_r)
(userlevel user_u (s0 (range c0 c2)))
(userrange user_u (low high))
(sidcontext kernel (system_u system_r kernel_t ((s0) high)))
(sidcontext security (system_u system_r security_t (low (s3 (range c0 c3)))))
(sidcontext unlabeled (system_u system_r unlabeled_t (low high)))
(context system_u_bin_t_l2h (system_u system_r bin_t (low high)))
(ipaddr ip_v4 192.25.35.200)
(ipaddr netmask 192.168.1.1)
(ipaddr ip_v6 2001:0DB8:AC10:FE01::)
(ipaddr netmask_v6 2001:0DE0:DA88:2222::)
(filecon "/usr/bin/foo" file system_u_bin_t_l2h)
(filecon "/usr/bin/bar" file (system_u system_r kernel_t (low low)))
(filecon "/usr/bin/baz" any ())
(filecon "/usr/bin/aaa" any (system_u system_r kernel_t ((s0) (s3 (range c0 c2)))))
(filecon "/usr/bin/bbb" any (system_u system_r kernel_t ((s0 (c0)) high)))
(filecon "/usr/bin/ccc" any (system_u system_r kernel_t (low (s3 (cats01)))))
(filecon "/usr/bin/ddd" any (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(nodecon ip_v4 netmask system_u_bin_t_l2h)
(nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
(portcon udp 25 system_u_bin_t_l2h)
(portcon tcp 22 system_u_bin_t_l2h)
(portcon dccp (2048 2096) system_u_bin_t_l2h)
(portcon sctp (1024 1035) system_u_bin_t_l2h)
(genfscon - "/usr/bin" system_u_bin_t_l2h)
(netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
(fsuse xattr ext3 system_u_bin_t_l2h)
; XEN
(pirqcon 256 system_u_bin_t_l2h)
(iomemcon (0 255) system_u_bin_t_l2h)
(ioportcon (22 22) system_u_bin_t_l2h)
(pcidevicecon 345 system_u_bin_t_l2h)
(devicetreecon "/this is/a/path" system_u_bin_t_l2h)
; InfiniBand
(ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h)
(ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(ibendportcon mlx5_0 1 system_u_bin_t_l2h)
(ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
(constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
(constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
(constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 ua4) ) )
(constrain (file (open)) (dom r1 r2))
(constrain (file (open)) (domby r1 r2))
(constrain (file (open)) (incomp r1 r2))
(validatetrans file (eq t1 exec_t))
(mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2))))
(mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))
(mlsconstrain (file (open)) (dom h1 l2))
(mlsconstrain (file (open)) (domby l1 h2))
(mlsconstrain (file (open)) (incomp l1 l2))
(mlsvalidatetrans file (domby l1 h2))
(macro test_mapping ((classpermission cps))
(allow bin_t auditadm_t cps))
(call test_mapping ((file (read))))
(call test_mapping ((files (read))))
(call test_mapping (char_w))
(defaultuser (file char) source)
(defaultrole char target)
(defaulttype (files) source)
(defaultrange (file) target low)
(defaultrange (char) source low-high)
)
(macro all ((type x))
(allow x bin_t (policy.file (execute)))
(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF)))
)
(call all (bin_t))
(block z
(block ba
(roletype r t)
(blockabstract z.ba)))
(block test_ba
(blockinherit z.ba)
(role r)
(type t))
(block bb
(type t1)
(type t2)
(boolean b1 false)
(tunable tun1 true)
(macro m ((boolean b))
(tunableif tun1
(true
(allow t1 t2 (policy.file (write))))
(false
(allow t1 t2 (policy.file (execute)))))
(booleanif b
(true
(allow t1 t2 (policy.file (read))))))
(call m (b1))
)
(in bb
(tunableif bb.tun1
(true
(allow bb.t2 bb.t1 (policy.file (read write execute))))))