2b9f21ef81
Add round-trip tests for checkpolicy(8). Test standard and MLS minimal policies as well as SELinux and Xen policies with each available statement. The output is checked against an expected result and then checked for idempotence. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid xen
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
bool BOOL1 true;
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;
permissive TYPE1;
allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
if (BOOL1) {
} else {
allow TYPE1 self:CLASS1 { PERM1 };
}
role ROLE1;
role ROLE2;
role ROLE3;
role ROLE1 types { TYPE1 };
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
allow ROLE1 ROLE2;
user USER1 roles ROLE1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
sid xen USER1:ROLE1:TYPE1
pirqcon 13 USER1:ROLE1:TYPE1
iomemcon 0xd USER1:ROLE1:TYPE1
iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
ioportcon 0xd USER1:ROLE1:TYPE1
ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
pcidevicecon 0xd USER1:ROLE1:TYPE1
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1