mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-13 09:34:54 +00:00
594 lines
8.4 KiB
Plaintext
594 lines
8.4 KiB
Plaintext
# FLASK
|
|
|
|
#
|
|
# Define the security object classes
|
|
#
|
|
|
|
class security
|
|
class process
|
|
class system
|
|
class capability
|
|
|
|
# file-related classes
|
|
class filesystem
|
|
class file
|
|
class dir
|
|
class fd
|
|
class lnk_file
|
|
class chr_file
|
|
class blk_file
|
|
class sock_file
|
|
class fifo_file
|
|
|
|
# network-related classes
|
|
class socket
|
|
class tcp_socket
|
|
class udp_socket
|
|
class rawip_socket
|
|
class node
|
|
class netif
|
|
class netlink_socket
|
|
class packet_socket
|
|
class key_socket
|
|
class unix_stream_socket
|
|
class unix_dgram_socket
|
|
|
|
# sysv-ipc-related clases
|
|
class sem
|
|
class msg
|
|
class msgq
|
|
class shm
|
|
class ipc
|
|
|
|
# FLASK
|
|
# FLASK
|
|
|
|
#
|
|
# Define initial security identifiers
|
|
#
|
|
|
|
sid kernel
|
|
|
|
|
|
# FLASK
|
|
#
|
|
# Define common prefixes for access vectors
|
|
#
|
|
# common common_name { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define a common prefix for file access vectors.
|
|
#
|
|
|
|
common file
|
|
{
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
unlink
|
|
link
|
|
rename
|
|
execute
|
|
swapon
|
|
quotaon
|
|
mounton
|
|
}
|
|
|
|
|
|
#
|
|
# Define a common prefix for socket access vectors.
|
|
#
|
|
|
|
common socket
|
|
{
|
|
# inherited from file
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
# socket-specific
|
|
bind
|
|
connect
|
|
listen
|
|
accept
|
|
getopt
|
|
setopt
|
|
shutdown
|
|
recvfrom
|
|
sendto
|
|
recv_msg
|
|
send_msg
|
|
name_bind
|
|
}
|
|
|
|
#
|
|
# Define a common prefix for ipc access vectors.
|
|
#
|
|
|
|
common ipc
|
|
{
|
|
create
|
|
destroy
|
|
getattr
|
|
setattr
|
|
read
|
|
write
|
|
associate
|
|
unix_read
|
|
unix_write
|
|
}
|
|
|
|
#
|
|
# Define the access vectors.
|
|
#
|
|
# class class_name [ inherits common_name ] { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for file-related objects.
|
|
#
|
|
|
|
class filesystem
|
|
{
|
|
mount
|
|
remount
|
|
unmount
|
|
getattr
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
associate
|
|
quotamod
|
|
quotaget
|
|
}
|
|
|
|
class dir
|
|
inherits file
|
|
{
|
|
add_name
|
|
remove_name
|
|
reparent
|
|
search
|
|
rmdir
|
|
}
|
|
|
|
class file
|
|
inherits file
|
|
{
|
|
execute_no_trans
|
|
entrypoint
|
|
}
|
|
|
|
class lnk_file
|
|
inherits file
|
|
|
|
class chr_file
|
|
inherits file
|
|
|
|
class blk_file
|
|
inherits file
|
|
|
|
class sock_file
|
|
inherits file
|
|
|
|
class fifo_file
|
|
inherits file
|
|
|
|
class fd
|
|
{
|
|
use
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for network-related objects.
|
|
#
|
|
|
|
class socket
|
|
inherits socket
|
|
|
|
class tcp_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
|
|
class udp_socket
|
|
inherits socket
|
|
|
|
class rawip_socket
|
|
inherits socket
|
|
|
|
class node
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
enforce_dest
|
|
}
|
|
|
|
class netif
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
}
|
|
|
|
class netlink_socket
|
|
inherits socket
|
|
|
|
class packet_socket
|
|
inherits socket
|
|
|
|
class key_socket
|
|
inherits socket
|
|
|
|
class unix_stream_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
|
|
class unix_dgram_socket
|
|
inherits socket
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for process-related objects
|
|
#
|
|
|
|
class process
|
|
{
|
|
fork
|
|
transition
|
|
sigchld # commonly granted from child to parent
|
|
sigkill # cannot be caught or ignored
|
|
sigstop # cannot be caught or ignored
|
|
signull # for kill(pid, 0)
|
|
signal # all other signals
|
|
ptrace
|
|
getsched
|
|
setsched
|
|
getsession
|
|
getpgid
|
|
setpgid
|
|
getcap
|
|
setcap
|
|
share
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for ipc-related objects
|
|
#
|
|
|
|
class ipc
|
|
inherits ipc
|
|
|
|
class sem
|
|
inherits ipc
|
|
|
|
class msgq
|
|
inherits ipc
|
|
{
|
|
enqueue
|
|
}
|
|
|
|
class msg
|
|
{
|
|
send
|
|
receive
|
|
}
|
|
|
|
class shm
|
|
inherits ipc
|
|
{
|
|
lock
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for the security server.
|
|
#
|
|
|
|
class security
|
|
{
|
|
compute_av
|
|
transition_sid
|
|
member_sid
|
|
sid_to_context
|
|
context_to_sid
|
|
load_policy
|
|
get_sids
|
|
change_sid
|
|
get_user_sids
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for system operations.
|
|
#
|
|
|
|
class system
|
|
{
|
|
ipc_info
|
|
avc_toggle
|
|
nfsd_control
|
|
bdflush
|
|
syslog_read
|
|
syslog_mod
|
|
syslog_console
|
|
ichsid
|
|
}
|
|
|
|
#
|
|
# Define the access vector interpretation for controling capabilies
|
|
#
|
|
|
|
class capability
|
|
{
|
|
# The capabilities are defined in include/linux/capability.h
|
|
# Care should be taken to ensure that these are consistent with
|
|
# those definitions. (Order matters)
|
|
|
|
chown
|
|
dac_override
|
|
dac_read_search
|
|
fowner
|
|
fsetid
|
|
kill
|
|
setgid
|
|
setuid
|
|
setpcap
|
|
linux_immutable
|
|
net_bind_service
|
|
net_broadcast
|
|
net_admin
|
|
net_raw
|
|
ipc_lock
|
|
ipc_owner
|
|
sys_module
|
|
sys_rawio
|
|
sys_chroot
|
|
sys_ptrace
|
|
sys_pacct
|
|
sys_admin
|
|
sys_boot
|
|
sys_nice
|
|
sys_resource
|
|
sys_time
|
|
sys_tty_config
|
|
mknod
|
|
lease
|
|
}
|
|
|
|
ifdef(`enable_mls',`
|
|
sensitivity s0;
|
|
|
|
#
|
|
# Define the ordering of the sensitivity levels (least to greatest)
|
|
#
|
|
dominance { s0 }
|
|
|
|
|
|
#
|
|
# Define the categories
|
|
#
|
|
# Each category has a name and zero or more aliases.
|
|
#
|
|
category c0; category c1; category c2; category c3;
|
|
category c4; category c5; category c6; category c7;
|
|
category c8; category c9; category c10; category c11;
|
|
category c12; category c13; category c14; category c15;
|
|
category c16; category c17; category c18; category c19;
|
|
category c20; category c21; category c22; category c23;
|
|
|
|
level s0:c0.c23;
|
|
|
|
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
|
|
( h1 dom h2 );
|
|
')
|
|
|
|
####################################
|
|
####################################
|
|
#####################################
|
|
|
|
#g_b stands for global base
|
|
|
|
type enable_optional;
|
|
|
|
#decorative type for finding this decl, every block should have one
|
|
type tag_g_b;
|
|
|
|
attribute g_b_attr_1;
|
|
attribute g_b_attr_2;
|
|
attribute g_b_attr_3;
|
|
attribute g_b_attr_4;
|
|
attribute g_b_attr_5;
|
|
attribute g_b_attr_6;
|
|
|
|
type g_b_type_1, g_b_attr_1;
|
|
type g_b_type_2, g_b_attr_2;
|
|
type g_b_type_3;
|
|
|
|
role g_b_role_1 types g_b_type_1;
|
|
role g_b_role_2 types g_b_type_2;
|
|
role g_b_role_3 types g_b_type_2;
|
|
role g_b_role_4 types g_b_type_2;
|
|
|
|
bool g_b_bool_1 false;
|
|
bool g_b_bool_2 true;
|
|
|
|
allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
|
|
allow g_b_type_1 g_b_type_2 : file *; # test *
|
|
allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
|
|
|
|
typealias g_b_type_3 alias g_b_alias_1;
|
|
|
|
if (g_b_bool_1) {
|
|
allow g_b_type_1 g_b_type_2: lnk_file read;
|
|
}
|
|
|
|
|
|
optional {
|
|
require {
|
|
type enable_optional;
|
|
attribute g_m1_attr_2;
|
|
}
|
|
type tag_o1_b;
|
|
|
|
attribute o1_b_attr_1;
|
|
type o1_b_type_1, o1_b_attr_1;
|
|
bool o1_b_bool_1 true;
|
|
role o1_b_role_1 types o1_b_type_1;
|
|
|
|
role o1_b_role_2 types o1_b_type_1;
|
|
|
|
attribute o1_b_attr_2;
|
|
|
|
type o1_b_type_2, g_m1_attr_2;
|
|
|
|
if (o1_b_bool_1) {
|
|
allow o1_b_type_1 o1_b_type_2: lnk_file write;
|
|
}
|
|
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
# this should be activated by module 1
|
|
type g_m1_type_1;
|
|
attribute o3_m1_attr_2;
|
|
}
|
|
type tag_o2_b;
|
|
|
|
type o2_b_type_1, o3_m1_attr_2;
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
#this block should not come on
|
|
type invalid_type;
|
|
}
|
|
type tag_o3_b;
|
|
|
|
|
|
attribute o3_b_attr_1;
|
|
type o3_b_type_1;
|
|
bool o3_b_bool_1 true;
|
|
|
|
role o3_b_role_1 types o3_b_type_1;
|
|
|
|
allow g_b_type_1 invalid_type : sem { create destroy };
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
# also should be enabled by module 1
|
|
type enable_optional;
|
|
type g_m1_type_1;
|
|
attribute o3_m1_attr_1;
|
|
attribute g_m1_attr_3;
|
|
}
|
|
|
|
type tag_o4_b;
|
|
|
|
attribute o4_b_attr_1;
|
|
|
|
role o4_b_role_1 types g_m1_type_1;
|
|
|
|
# test for attr declared in module optional, added to in base optional
|
|
type o4_b_type_1, o3_m1_attr_1;
|
|
|
|
type o4_b_type_2, g_m1_attr_3;
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
attribute g_m1_attr_4;
|
|
attribute o4_m1_attr_1;
|
|
}
|
|
type tag_o5_b;
|
|
|
|
type o5_b_type_1, g_m1_attr_4;
|
|
type o5_b_type_2, o4_m1_attr_1;
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
type enable_optional;
|
|
}
|
|
type tag_o6_b;
|
|
|
|
typealias g_b_type_3 alias g_b_alias_2;
|
|
}
|
|
|
|
optional {
|
|
require {
|
|
type g_m_alias_1;
|
|
}
|
|
type tag_o7_b;
|
|
|
|
allow g_m_alias_1 enable_optional:file read;
|
|
}
|
|
|
|
gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
|
|
gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
|
|
|
|
####################################
|
|
#line 1 "initial_sid_contexts"
|
|
|
|
sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
|
|
|
|
|
|
############################################
|
|
#line 1 "fs_use"
|
|
#
|
|
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
|
|
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
|
|
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
|
|
|
|
|
|
genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
|
|
|
|
|
|
####################################
|
|
#line 1 "net_contexts"
|
|
|
|
#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
|
|
|
|
#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
|
|
|
|
#
|
|
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
|
|
|
|
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
|
|
|
|
|
|
|
|
|