mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-27 07:43:24 +00:00
2b9f21ef81
Add round-trip tests for checkpolicy(8). Test standard and MLS minimal policies as well as SELinux and Xen policies with each available statement. The output is checked against an expected result and then then checked for idempotence. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
63 lines
1.9 KiB
Plaintext
63 lines
1.9 KiB
Plaintext
# handle_unknown deny
|
|
class CLASS1
|
|
class CLASS2
|
|
class CLASS3
|
|
class dir
|
|
class file
|
|
class process
|
|
sid kernel
|
|
common COMMON1 { CPERM1 }
|
|
class CLASS1 { PERM1 }
|
|
class CLASS2 inherits COMMON1
|
|
class CLASS3 inherits COMMON1 { PERM1 }
|
|
default_user { CLASS1 } source;
|
|
default_role { CLASS2 } target;
|
|
default_type { CLASS3 } source;
|
|
attribute ATTR1;
|
|
attribute ATTR2;
|
|
expandattribute ATTR1 true;
|
|
expandattribute ATTR2 false;
|
|
type TYPE1;
|
|
type TYPE2, ATTR1;
|
|
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
|
|
type TYPE4 alias TYPEALIAS4, ATTR2;
|
|
typealias TYPE1 alias TYPEALIAS1;
|
|
typeattribute TYPE1 ATTR1;
|
|
typebounds TYPE4 TYPE3;
|
|
bool BOOL1 true;
|
|
tunable TUNABLE1 false;
|
|
tunable TUNABLE2 true;
|
|
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
|
|
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
|
|
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
|
|
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
|
|
allow TYPE1 self : CLASS1 { PERM1 };
|
|
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
|
|
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
|
|
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
|
|
permissive TYPE1;
|
|
attribute_role ROLE_ATTR1;
|
|
role ROLE1;
|
|
role ROLE3;
|
|
role ROLE2, ROLE_ATTR1;
|
|
role_transition ROLE1 TYPE1 ROLE2;
|
|
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
|
|
allow ROLE1 ROLE2;
|
|
roleattribute ROLE3 ROLE_ATTR1;
|
|
role ROLE1 types { TYPE1 };
|
|
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
|
|
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
|
|
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
|
|
policycap open_perms;
|
|
user USER1 roles ROLE1;
|
|
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
|
|
validatetrans CLASS2 sameuser and t3 == ATTR1;
|
|
sid kernel USER1:ROLE1:TYPE1
|
|
pirqcon 13 USER1:ROLE1:TYPE1
|
|
iomemcon 13 USER1:ROLE1:TYPE1
|
|
iomemcon 23-31 USER1:ROLE1:TYPE1
|
|
ioportcon 13 USER1:ROLE1:TYPE1
|
|
ioportcon 23-31 USER1:ROLE1:TYPE1
|
|
pcidevicecon 13 USER1:ROLE1:TYPE1
|
|
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
|