setools/tests/userquery.conf

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

########################################
#
# User Query
#

role test1_r;

role test2a_r;
role test2b_r;

role test10a_r;
role test10b_r;
role test10c_r;

role test11a_r;
role test11b_r;
role test11c_r;

role test12a_r;
role test12b_r;
role test12c_r;

# test 1
# name: test1_u
# roles: unset
user test1_u roles test1_r level med range med;

# test 2
# name: test2_u(1|2) regex
# roles: unset
user test2_u1 roles test2a_r level med range med;
user test2_u2 roles test2b_r level med range med;

# test 10
# name: unset
# roles: test10a_r,test10b_r
user test10_u1 roles test10a_r level med range med;
user test10_u2 roles { test10a_r test10b_r } level med range med;
user test10_u3 roles { test10a_r test10b_r test10c_r } level med range med;
user test10_u4 roles { test10b_r test10c_r } level med range med;
user test10_u5 roles { test10a_r test10c_r } level med range med;
user test10_u6 roles test10b_r level med range med;
user test10_u7 roles test10c_r level med range med;

# test 11
# name: unset
# roles: test11a_r,test11b_r equal
user test11_u1 roles test11a_r level med range med;
user test11_u2 roles { test11a_r test11b_r } level med range med;
user test11_u3 roles { test11a_r test11b_r test11c_r } level med range med;
user test11_u4 roles { test11b_r test11c_r } level med range med;
user test11_u5 roles { test11a_r test11c_r } level med range med;
user test11_u6 roles test11b_r level med range med;
user test11_u7 roles test11c_r level med range med;

# test 12
# name: unset
# roles: test12(a|b)_r regex
user test12_u1 roles test12a_r level med range med;
user test12_u2 roles { test12a_r test12b_r } level med range med;
user test12_u3 roles { test12a_r test12b_r test12c_r } level med range med;
user test12_u4 roles { test12b_r test12c_r } level med range med;
user test12_u5 roles { test12a_r test12c_r } level med range med;
user test12_u6 roles test12b_r level med range med;
user test12_u7 roles test12c_r level med range med;



################################################################################

#users
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here