mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-22 05:59:58 +00:00
2b9f21ef81
Add round-trip tests for checkpolicy(8). Test standard and MLS minimal policies as well as SELinux and Xen policies with each available statement. The output is checked against an expected result and then then checked for idempotence. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
80 lines
2.7 KiB
Plaintext
80 lines
2.7 KiB
Plaintext
# handle_unknown deny
|
|
class CLASS1
|
|
class CLASS2
|
|
class CLASS3
|
|
class dir
|
|
class file
|
|
class process
|
|
sid kernel
|
|
common COMMON1 { CPERM1 }
|
|
class CLASS1 { PERM1 ioctl }
|
|
class CLASS2 inherits COMMON1
|
|
class CLASS3 inherits COMMON1 { PERM1 }
|
|
default_user { CLASS1 } source;
|
|
default_role { CLASS2 } target;
|
|
default_type { CLASS3 } source;
|
|
policycap open_perms;
|
|
attribute ATTR1;
|
|
attribute ATTR2;
|
|
expandattribute ATTR1 true;
|
|
expandattribute ATTR2 false;
|
|
type TYPE1;
|
|
type TYPE2, ATTR1;
|
|
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
|
|
type TYPE4 alias TYPEALIAS4, ATTR2;
|
|
typealias TYPE1 alias TYPEALIAS1;
|
|
typeattribute TYPE1 ATTR1;
|
|
typebounds TYPE4 TYPE3;
|
|
bool BOOL1 true;
|
|
tunable TUNABLE1 false;
|
|
tunable TUNABLE2 true;
|
|
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
|
|
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
|
|
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
|
|
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
|
|
allow TYPE1 self : CLASS1 { PERM1 };
|
|
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
|
|
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
|
|
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
|
|
allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
|
|
auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
|
|
dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
|
|
neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
|
|
permissive TYPE1;
|
|
attribute_role ROLE_ATTR1;
|
|
role ROLE1;
|
|
role ROLE3;
|
|
role ROLE2, ROLE_ATTR1;
|
|
role_transition ROLE1 TYPE1 ROLE2;
|
|
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
|
|
allow ROLE1 ROLE2;
|
|
roleattribute ROLE3 ROLE_ATTR1;
|
|
role ROLE1 types { TYPE1 };
|
|
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
|
|
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
|
|
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
|
|
user USER1 roles ROLE1;
|
|
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
|
|
# sameuser will be turned into (u1 == u2)
|
|
validatetrans CLASS2 sameuser and t3 == ATTR1;
|
|
sid kernel USER1:ROLE1:TYPE1
|
|
# fscon statements are not dumped
|
|
fscon 2 3 USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
|
|
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
|
|
fs_use_trans devpts USER1:ROLE1:TYPE1;
|
|
fs_use_task pipefs USER1:ROLE1:TYPE1;
|
|
# paths will be turned into quoted strings
|
|
genfscon proc / -d USER1:ROLE1:TYPE1
|
|
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
|
|
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
|
|
portcon tcp 80 USER1:ROLE1:TYPE1
|
|
portcon udp 100-200 USER1:ROLE1:TYPE1
|
|
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
|
|
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
|
|
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
|
|
# hex numbers will be turned in decimal ones
|
|
ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1
|
|
ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1
|
|
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
|
|
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
|