mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-25 04:26:28 +00:00
Chris PeBenito
parent
1db73d396d
commit
acaee3a3d3
346
tests/diff.py
346
tests/diff.py
@ -1616,3 +1616,349 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
def test_modified_properties(self):
|
||||
"""NoDiff: no modified properties."""
|
||||
self.assertFalse(self.diff.modified_properties)
|
||||
|
||||
|
||||
class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
|
||||
|
||||
"""
|
||||
Policy difference test between MLS and standard (non-MLS) policy.
|
||||
|
||||
The left policy is an MLS policy. The right policy is identical to the
|
||||
left policy, except with MLS disabled.
|
||||
"""
|
||||
|
||||
@classmethod
|
||||
def setUpClass(cls):
|
||||
cls.diff = PolicyDifference(SELinuxPolicy("tests/diff_left.conf"),
|
||||
SELinuxPolicy("tests/diff_left_standard.conf"))
|
||||
|
||||
def test_added_types(self):
|
||||
"""MLSvsStandardDiff: no added types"""
|
||||
self.assertFalse(self.diff.added_types)
|
||||
|
||||
def test_removed_types(self):
|
||||
"""MLSvsStandardDiff: no removed types"""
|
||||
self.assertFalse(self.diff.removed_types)
|
||||
|
||||
def test_modified_types(self):
|
||||
"""MLSvsStandardDiff: no modified types"""
|
||||
self.assertFalse(self.diff.modified_types)
|
||||
|
||||
def test_added_roles(self):
|
||||
"""MLSvsStandardDiff: no added roles."""
|
||||
self.assertFalse(self.diff.added_roles)
|
||||
|
||||
def test_removed_roles(self):
|
||||
"""MLSvsStandardDiff: no removed roles."""
|
||||
self.assertFalse(self.diff.removed_roles)
|
||||
|
||||
def test_modified_roles(self):
|
||||
"""MLSvsStandardDiff: no modified roles."""
|
||||
self.assertFalse(self.diff.modified_roles)
|
||||
|
||||
def test_added_commons(self):
|
||||
"""MLSvsStandardDiff: no added commons."""
|
||||
self.assertFalse(self.diff.added_commons)
|
||||
|
||||
def test_removed_commons(self):
|
||||
"""MLSvsStandardDiff: no removed commons."""
|
||||
self.assertFalse(self.diff.removed_commons)
|
||||
|
||||
def test_modified_commons(self):
|
||||
"""MLSvsStandardDiff: no modified commons."""
|
||||
self.assertFalse(self.diff.modified_commons)
|
||||
|
||||
def test_added_classes(self):
|
||||
"""MLSvsStandardDiff: no added classes."""
|
||||
self.assertFalse(self.diff.added_classes)
|
||||
|
||||
def test_removed_classes(self):
|
||||
"""MLSvsStandardDiff: no removed classes."""
|
||||
self.assertFalse(self.diff.removed_classes)
|
||||
|
||||
def test_modified_classes(self):
|
||||
"""MLSvsStandardDiff: no modified classes."""
|
||||
self.assertFalse(self.diff.modified_classes)
|
||||
|
||||
def test_added_allows(self):
|
||||
"""MLSvsStandardDiff: no added allow rules."""
|
||||
self.assertFalse(self.diff.added_allows)
|
||||
|
||||
def test_removed_allows(self):
|
||||
"""MLSvsStandardDiff: no removed allow rules."""
|
||||
self.assertFalse(self.diff.removed_allows)
|
||||
|
||||
def test_modified_allows(self):
|
||||
"""MLSvsStandardDiff: no modified allow rules."""
|
||||
self.assertFalse(self.diff.modified_allows)
|
||||
|
||||
def test_added_auditallows(self):
|
||||
"""MLSvsStandardDiff: no added auditallow rules."""
|
||||
self.assertFalse(self.diff.added_auditallows)
|
||||
|
||||
def test_removed_auditallows(self):
|
||||
"""MLSvsStandardDiff: no removed auditallow rules."""
|
||||
self.assertFalse(self.diff.removed_auditallows)
|
||||
|
||||
def test_modified_auditallows(self):
|
||||
"""MLSvsStandardDiff: no modified auditallow rules."""
|
||||
self.assertFalse(self.diff.modified_auditallows)
|
||||
|
||||
def test_added_neverallows(self):
|
||||
"""MLSvsStandardDiff: no added neverallow rules."""
|
||||
self.assertFalse(self.diff.added_neverallows)
|
||||
|
||||
def test_removed_neverallows(self):
|
||||
"""MLSvsStandardDiff: no removed neverallow rules."""
|
||||
self.assertFalse(self.diff.removed_neverallows)
|
||||
|
||||
def test_modified_neverallows(self):
|
||||
"""MLSvsStandardDiff: no modified neverallow rules."""
|
||||
self.assertFalse(self.diff.modified_neverallows)
|
||||
|
||||
def test_added_dontaudits(self):
|
||||
"""MLSvsStandardDiff: no added dontaudit rules."""
|
||||
self.assertFalse(self.diff.added_dontaudits)
|
||||
|
||||
def test_removed_dontaudits(self):
|
||||
"""MLSvsStandardDiff: no removed dontaudit rules."""
|
||||
self.assertFalse(self.diff.removed_dontaudits)
|
||||
|
||||
def test_modified_dontaudits(self):
|
||||
"""MLSvsStandardDiff: no modified dontaudit rules."""
|
||||
self.assertFalse(self.diff.modified_dontaudits)
|
||||
|
||||
def test_added_type_transitions(self):
|
||||
"""MLSvsStandardDiff: no added type_transition rules."""
|
||||
self.assertFalse(self.diff.added_type_transitions)
|
||||
|
||||
def test_removed_type_transitions(self):
|
||||
"""MLSvsStandardDiff: no removed type_transition rules."""
|
||||
self.assertFalse(self.diff.removed_type_transitions)
|
||||
|
||||
def test_modified_type_transitions(self):
|
||||
"""MLSvsStandardDiff: no modified type_transition rules."""
|
||||
self.assertFalse(self.diff.modified_type_transitions)
|
||||
|
||||
def test_added_type_changes(self):
|
||||
"""MLSvsStandardDiff: no added type_change rules."""
|
||||
self.assertFalse(self.diff.added_type_changes)
|
||||
|
||||
def test_removed_type_changes(self):
|
||||
"""MLSvsStandardDiff: no removed type_change rules."""
|
||||
self.assertFalse(self.diff.removed_type_changes)
|
||||
|
||||
def test_modified_type_changes(self):
|
||||
"""MLSvsStandardDiff: no modified type_change rules."""
|
||||
self.assertFalse(self.diff.modified_type_changes)
|
||||
|
||||
def test_added_type_members(self):
|
||||
"""MLSvsStandardDiff: no added type_member rules."""
|
||||
self.assertFalse(self.diff.added_type_members)
|
||||
|
||||
def test_removed_type_members(self):
|
||||
"""MLSvsStandardDiff: no removed type_member rules."""
|
||||
self.assertFalse(self.diff.removed_type_members)
|
||||
|
||||
def test_modified_type_members(self):
|
||||
"""MLSvsStandardDiff: no modified type_member rules."""
|
||||
self.assertFalse(self.diff.modified_type_members)
|
||||
|
||||
def test_added_range_transitions(self):
|
||||
"""MLSvsStandardDiff: no added range_transition rules."""
|
||||
self.assertFalse(self.diff.added_range_transitions)
|
||||
|
||||
def test_removed_range_transitions(self):
|
||||
"""MLSvsStandardDiff: all range_transition rules removed."""
|
||||
self.assertEqual(self.diff.left_policy.range_transition_count,
|
||||
len(self.diff.removed_range_transitions))
|
||||
|
||||
def test_modified_range_transitions(self):
|
||||
"""MLSvsStandardDiff: no modified range_transition rules."""
|
||||
self.assertFalse(self.diff.modified_range_transitions)
|
||||
|
||||
def test_added_role_allows(self):
|
||||
"""MLSvsStandardDiff: no added role_allow rules."""
|
||||
self.assertFalse(self.diff.added_role_allows)
|
||||
|
||||
def test_removed_role_allows(self):
|
||||
"""MLSvsStandardDiff: no removed role_allow rules."""
|
||||
self.assertFalse(self.diff.removed_role_allows)
|
||||
|
||||
def test_modified_role_allows(self):
|
||||
"""MLSvsStandardDiff: no modified role_allow rules."""
|
||||
self.assertFalse(self.diff.modified_role_allows)
|
||||
|
||||
def test_added_role_transitions(self):
|
||||
"""MLSvsStandardDiff: no added role_transition rules."""
|
||||
self.assertFalse(self.diff.added_role_transitions)
|
||||
|
||||
def test_removed_role_transitions(self):
|
||||
"""MLSvsStandardDiff: no removed role_transition rules."""
|
||||
self.assertFalse(self.diff.removed_role_transitions)
|
||||
|
||||
def test_modified_role_transitions(self):
|
||||
"""MLSvsStandardDiff: no modified role_transition rules."""
|
||||
self.assertFalse(self.diff.modified_role_transitions)
|
||||
|
||||
def test_added_users(self):
|
||||
"""MLSvsStandardDiff: no added users."""
|
||||
self.assertFalse(self.diff.added_users)
|
||||
|
||||
def test_removed_users(self):
|
||||
"""MLSvsStandardDiff: no removed users."""
|
||||
self.assertFalse(self.diff.removed_users)
|
||||
|
||||
def test_modified_users(self):
|
||||
"""MLSvsStandardDiff: all users modified."""
|
||||
self.assertEqual(self.diff.left_policy.user_count, len(self.diff.modified_users))
|
||||
|
||||
def test_added_type_attributes(self):
|
||||
"""MLSvsStandardDiff: no added type attribute."""
|
||||
self.assertFalse(self.diff.added_type_attributes)
|
||||
|
||||
def test_removed_type_attributes(self):
|
||||
"""MLSvsStandardDiff: no removed type attributes."""
|
||||
self.assertFalse(self.diff.removed_type_attributes)
|
||||
|
||||
def test_modified_type_attributes(self):
|
||||
"""MLSvsStandardDiff: no modified type attributes."""
|
||||
self.assertFalse(self.diff.modified_type_attributes)
|
||||
|
||||
def test_added_booleans(self):
|
||||
"""MLSvsStandardDiff: no added booleans."""
|
||||
self.assertFalse(self.diff.added_booleans)
|
||||
|
||||
def test_removed_booleans(self):
|
||||
"""MLSvsStandardDiff: no removed booleans."""
|
||||
self.assertFalse(self.diff.removed_booleans)
|
||||
|
||||
def test_modified_booleans(self):
|
||||
"""MLSvsStandardDiff: no modified booleans."""
|
||||
self.assertFalse(self.diff.modified_booleans)
|
||||
|
||||
def test_added_categories(self):
|
||||
"""MLSvsStandardDiff: no added categories."""
|
||||
self.assertFalse(self.diff.added_categories)
|
||||
|
||||
def test_removed_categories(self):
|
||||
"""MLSvsStandardDiff: all categories removed."""
|
||||
self.assertEqual(self.diff.left_policy.category_count, len(self.diff.removed_categories))
|
||||
|
||||
def test_modified_categories(self):
|
||||
"""MLSvsStandardDiff: no modified categories."""
|
||||
self.assertFalse(self.diff.modified_categories)
|
||||
|
||||
def test_added_sensitivities(self):
|
||||
"""MLSvsStandardDiff: no added sensitivities."""
|
||||
self.assertFalse(self.diff.added_sensitivities)
|
||||
|
||||
def test_removed_sensitivities(self):
|
||||
"""MLSvsStandardDiff: all sensitivities removed."""
|
||||
self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_sensitivities))
|
||||
|
||||
def test_modified_sensitivities(self):
|
||||
"""MLSvsStandardDiff: no modified sensitivities."""
|
||||
self.assertFalse(self.diff.modified_sensitivities)
|
||||
|
||||
def test_added_initialsids(self):
|
||||
"""MLSvsStandardDiff: no added initialsids."""
|
||||
self.assertFalse(self.diff.added_initialsids)
|
||||
|
||||
def test_removed_initialsids(self):
|
||||
"""MLSvsStandardDiff: no removed initialsids."""
|
||||
self.assertFalse(self.diff.removed_initialsids)
|
||||
|
||||
def test_modified_initialsids(self):
|
||||
"""MLSvsStandardDiff: all initialsids modified."""
|
||||
self.assertEqual(self.diff.left_policy.initialsids_count,
|
||||
len(self.diff.modified_initialsids))
|
||||
|
||||
def test_added_fs_uses(self):
|
||||
"""MLSvsStandardDiff: no added fs_uses."""
|
||||
self.assertFalse(self.diff.added_fs_uses)
|
||||
|
||||
def test_removed_fs_uses(self):
|
||||
"""MLSvsStandardDiff: no removed fs_uses."""
|
||||
self.assertFalse(self.diff.removed_fs_uses)
|
||||
|
||||
def test_modified_fs_uses(self):
|
||||
"""MLSvsStandardDiff: all fs_uses modified."""
|
||||
self.assertEqual(self.diff.left_policy.fs_use_count, len(self.diff.modified_fs_uses))
|
||||
|
||||
def test_added_genfscons(self):
|
||||
"""MLSvsStandardDiff: no added genfscons."""
|
||||
self.assertFalse(self.diff.added_genfscons)
|
||||
|
||||
def test_removed_genfscons(self):
|
||||
"""MLSvsStandardDiff: no removed genfscons."""
|
||||
self.assertFalse(self.diff.removed_genfscons)
|
||||
|
||||
def test_modified_genfscons(self):
|
||||
"""MLSvsStandardDiff: all genfscons modified."""
|
||||
self.assertEqual(self.diff.left_policy.genfscon_count, len(self.diff.modified_genfscons))
|
||||
|
||||
def test_added_levels(self):
|
||||
"""MLSvsStandardDiff: no added levels."""
|
||||
self.assertFalse(self.diff.added_levels)
|
||||
|
||||
def test_removed_levels(self):
|
||||
"""MLSvsStandardDiff: all levels removed."""
|
||||
self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_levels))
|
||||
|
||||
def test_modified_levels(self):
|
||||
"""MLSvsStandardDiff: no modified levels."""
|
||||
self.assertFalse(self.diff.modified_levels)
|
||||
|
||||
def test_added_netifcons(self):
|
||||
"""MLSvsStandardDiff: no added netifcons."""
|
||||
self.assertFalse(self.diff.added_netifcons)
|
||||
|
||||
def test_removed_netifcons(self):
|
||||
"""MLSvsStandardDiff: no removed netifcons."""
|
||||
self.assertFalse(self.diff.removed_netifcons)
|
||||
|
||||
def test_modified_netifcons(self):
|
||||
"""MLSvsStandardDiff: all netifcons modified."""
|
||||
self.assertEqual(self.diff.left_policy.netifcon_count, len(self.diff.modified_netifcons))
|
||||
|
||||
def test_added_nodecons(self):
|
||||
"""MLSvsStandardDiff: no added nodecons."""
|
||||
self.assertFalse(self.diff.added_nodecons)
|
||||
|
||||
def test_removed_nodecons(self):
|
||||
"""MLSvsStandardDiff: no removed nodecons."""
|
||||
self.assertFalse(self.diff.removed_nodecons)
|
||||
|
||||
def test_modified_nodecons(self):
|
||||
"""MLSvsStandardDiff: all nodecons modified."""
|
||||
self.assertEqual(self.diff.left_policy.nodecon_count, len(self.diff.modified_nodecons))
|
||||
|
||||
def test_added_polcaps(self):
|
||||
"""MLSvsStandardDiff: no added polcaps."""
|
||||
self.assertFalse(self.diff.added_polcaps)
|
||||
|
||||
def test_removed_polcaps(self):
|
||||
"""MLSvsStandardDiff: no removed polcaps."""
|
||||
self.assertFalse(self.diff.removed_polcaps)
|
||||
|
||||
def test_added_portcons(self):
|
||||
"""MLSvsStandardDiff: no added portcons."""
|
||||
self.assertFalse(self.diff.added_portcons)
|
||||
|
||||
def test_removed_portcons(self):
|
||||
"""MLSvsStandardDiff: no removed portcons."""
|
||||
self.assertFalse(self.diff.removed_portcons)
|
||||
|
||||
def test_modified_portcons(self):
|
||||
"""MLSvsStandardDiff: all portcons modified."""
|
||||
self.assertEqual(self.diff.left_policy.portcon_count, len(self.diff.modified_portcons))
|
||||
|
||||
def test_modified_properties(self):
|
||||
"""MLSvsStandardDiff: MLS property modified only."""
|
||||
self.assertEqual(1, len(self.diff.modified_properties))
|
||||
|
||||
name, added, removed = self.diff.modified_properties[0]
|
||||
self.assertEqual("MLS", name)
|
||||
self.assertIs(False, added)
|
||||
self.assertIs(True, removed)
|
||||
|
||||
620
tests/diff_left_standard.conf
Normal file
620
tests/diff_left_standard.conf
Normal file
@ -0,0 +1,620 @@
|
||||
class infoflow
|
||||
class infoflow2
|
||||
class infoflow3
|
||||
class infoflow4
|
||||
class infoflow5
|
||||
class infoflow6
|
||||
class infoflow7
|
||||
class removed_class
|
||||
class modified_add_perm
|
||||
class modified_remove_perm
|
||||
class modified_change_common
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
sid matched_sid
|
||||
sid removed_sid
|
||||
sid modified_sid
|
||||
|
||||
common infoflow
|
||||
{
|
||||
low_w
|
||||
med_w
|
||||
hi_w
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
}
|
||||
|
||||
common removed_common
|
||||
{
|
||||
old_com
|
||||
}
|
||||
|
||||
common modified_remove_perm
|
||||
{
|
||||
same_perm
|
||||
removed_perm
|
||||
}
|
||||
|
||||
common modified_add_perm
|
||||
{
|
||||
matched_perm
|
||||
}
|
||||
|
||||
class infoflow
|
||||
inherits infoflow
|
||||
|
||||
class infoflow2
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
}
|
||||
|
||||
class infoflow3
|
||||
{
|
||||
null
|
||||
}
|
||||
|
||||
class infoflow4
|
||||
inherits infoflow
|
||||
|
||||
class infoflow5
|
||||
inherits infoflow
|
||||
|
||||
class infoflow6
|
||||
inherits infoflow
|
||||
|
||||
class infoflow7
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
super_none
|
||||
super_both
|
||||
super_unmapped
|
||||
}
|
||||
|
||||
class removed_class
|
||||
{
|
||||
null_perm
|
||||
}
|
||||
|
||||
class modified_add_perm
|
||||
{
|
||||
same_perm
|
||||
}
|
||||
|
||||
class modified_remove_perm
|
||||
{
|
||||
same_perm
|
||||
removed_perm
|
||||
}
|
||||
|
||||
class modified_change_common
|
||||
inherits removed_common
|
||||
|
||||
attribute mls_exempt;
|
||||
attribute an_attr;
|
||||
attribute removed_attr;
|
||||
|
||||
type system;
|
||||
role system;
|
||||
role system types system;
|
||||
|
||||
################################################################################
|
||||
# Type enforcement declarations and rules
|
||||
|
||||
type removed_type;
|
||||
|
||||
type modified_remove_attr, an_attr;
|
||||
|
||||
type modified_remove_alias alias an_alias;
|
||||
|
||||
type modified_remove_permissive;
|
||||
permissive modified_remove_permissive;
|
||||
|
||||
type modified_add_attr;
|
||||
|
||||
type modified_add_alias;
|
||||
|
||||
type modified_add_permissive;
|
||||
|
||||
role removed_role;
|
||||
|
||||
role modified_add_type;
|
||||
|
||||
role modified_remove_type;
|
||||
role modified_remove_type types { system };
|
||||
|
||||
# booleans
|
||||
bool same_bool true;
|
||||
bool removed_bool true;
|
||||
bool modified_bool false;
|
||||
|
||||
# Allow rule differences
|
||||
type matched_source;
|
||||
type matched_target;
|
||||
allow matched_source matched_target:infoflow hi_w;
|
||||
|
||||
type removed_rule_source;
|
||||
type removed_rule_target;
|
||||
allow removed_rule_source removed_rule_target:infoflow hi_r;
|
||||
|
||||
type added_rule_source;
|
||||
type added_rule_target;
|
||||
|
||||
type modified_rule_add_perms;
|
||||
allow modified_rule_add_perms self:infoflow hi_r;
|
||||
|
||||
type modified_rule_remove_perms;
|
||||
allow modified_rule_remove_perms self:infoflow { low_r low_w };
|
||||
|
||||
type modified_rule_add_remove_perms;
|
||||
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
|
||||
|
||||
allow removed_type self:infoflow3 null;
|
||||
|
||||
type move_to_bool;
|
||||
bool move_to_bool_b false;
|
||||
allow move_to_bool self:infoflow4 hi_w;
|
||||
|
||||
type move_from_bool;
|
||||
bool move_from_bool_b false;
|
||||
if (move_from_bool_b) {
|
||||
allow move_from_bool self:infoflow4 hi_r;
|
||||
}
|
||||
|
||||
type switch_block;
|
||||
bool switch_block_b false;
|
||||
if (switch_block_b) {
|
||||
allow system switch_block:infoflow5 hi_r;
|
||||
allow system switch_block:infoflow6 hi_r;
|
||||
} else {
|
||||
allow system switch_block:infoflow7 hi_r;
|
||||
}
|
||||
|
||||
attribute match_rule_by_attr;
|
||||
type match_rule_by_attr_A_t, match_rule_by_attr;
|
||||
type match_rule_by_attr_B_t, match_rule_by_attr;
|
||||
allow match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
|
||||
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
|
||||
allow unioned_perm_via_attr self:infoflow2 super_w;
|
||||
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
|
||||
# Auditallow rule differences
|
||||
type aa_matched_source;
|
||||
type aa_matched_target;
|
||||
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
|
||||
|
||||
type aa_removed_rule_source;
|
||||
type aa_removed_rule_target;
|
||||
auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
|
||||
|
||||
type aa_added_rule_source;
|
||||
type aa_added_rule_target;
|
||||
|
||||
type aa_modified_rule_add_perms;
|
||||
auditallow aa_modified_rule_add_perms self:infoflow hi_r;
|
||||
|
||||
type aa_modified_rule_remove_perms;
|
||||
auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
|
||||
|
||||
type aa_modified_rule_add_remove_perms;
|
||||
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
|
||||
|
||||
auditallow removed_type self:infoflow7 super_unmapped;
|
||||
|
||||
type aa_move_to_bool;
|
||||
bool aa_move_to_bool_b false;
|
||||
auditallow aa_move_to_bool self:infoflow4 hi_w;
|
||||
|
||||
type aa_move_from_bool;
|
||||
bool aa_move_from_bool_b false;
|
||||
if (aa_move_from_bool_b) {
|
||||
auditallow aa_move_from_bool self:infoflow4 hi_r;
|
||||
}
|
||||
|
||||
type aa_switch_block;
|
||||
bool aa_switch_block_b false;
|
||||
if (aa_switch_block_b) {
|
||||
auditallow system aa_switch_block:infoflow5 hi_r;
|
||||
auditallow system aa_switch_block:infoflow6 hi_r;
|
||||
} else {
|
||||
auditallow system aa_switch_block:infoflow7 hi_r;
|
||||
}
|
||||
|
||||
attribute aa_match_rule_by_attr;
|
||||
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
|
||||
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
|
||||
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
|
||||
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
|
||||
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
|
||||
# Dontaudit rule differences
|
||||
type da_matched_source;
|
||||
type da_matched_target;
|
||||
dontaudit da_matched_source da_matched_target:infoflow hi_w;
|
||||
|
||||
type da_removed_rule_source;
|
||||
type da_removed_rule_target;
|
||||
dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
|
||||
|
||||
type da_added_rule_source;
|
||||
type da_added_rule_target;
|
||||
|
||||
type da_modified_rule_add_perms;
|
||||
dontaudit da_modified_rule_add_perms self:infoflow hi_r;
|
||||
|
||||
type da_modified_rule_remove_perms;
|
||||
dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
|
||||
|
||||
type da_modified_rule_add_remove_perms;
|
||||
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
|
||||
|
||||
dontaudit removed_type self:infoflow7 super_both;
|
||||
|
||||
type da_move_to_bool;
|
||||
bool da_move_to_bool_b false;
|
||||
dontaudit da_move_to_bool self:infoflow4 hi_w;
|
||||
|
||||
type da_move_from_bool;
|
||||
bool da_move_from_bool_b false;
|
||||
if (da_move_from_bool_b) {
|
||||
dontaudit da_move_from_bool self:infoflow4 hi_r;
|
||||
}
|
||||
|
||||
type da_switch_block;
|
||||
bool da_switch_block_b false;
|
||||
if (da_switch_block_b) {
|
||||
dontaudit system da_switch_block:infoflow5 hi_r;
|
||||
dontaudit system da_switch_block:infoflow6 hi_r;
|
||||
} else {
|
||||
dontaudit system da_switch_block:infoflow7 hi_r;
|
||||
}
|
||||
|
||||
attribute da_match_rule_by_attr;
|
||||
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
|
||||
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
|
||||
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
|
||||
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
|
||||
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
|
||||
# Neverallow rule differences
|
||||
type na_matched_source;
|
||||
type na_matched_target;
|
||||
neverallow na_matched_source na_matched_target:infoflow hi_w;
|
||||
|
||||
type na_removed_rule_source;
|
||||
type na_removed_rule_target;
|
||||
neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
|
||||
|
||||
type na_added_rule_source;
|
||||
type na_added_rule_target;
|
||||
|
||||
type na_modified_rule_add_perms;
|
||||
neverallow na_modified_rule_add_perms self:infoflow hi_r;
|
||||
|
||||
type na_modified_rule_remove_perms;
|
||||
neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
|
||||
|
||||
type na_modified_rule_add_remove_perms;
|
||||
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
|
||||
|
||||
neverallow removed_type self:removed_class null_perm;
|
||||
|
||||
attribute na_match_rule_by_attr;
|
||||
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
|
||||
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
|
||||
neverallow na_match_rule_by_attr self:infoflow2 super_w;
|
||||
|
||||
attribute na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
|
||||
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
|
||||
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
|
||||
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
|
||||
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
|
||||
|
||||
# type_transition rule differences
|
||||
type tt_matched_source;
|
||||
type tt_matched_target;
|
||||
type_transition tt_matched_source tt_matched_target:infoflow system;
|
||||
|
||||
type tt_removed_rule_source;
|
||||
type tt_removed_rule_target;
|
||||
type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
|
||||
|
||||
type tt_added_rule_source;
|
||||
type tt_added_rule_target;
|
||||
|
||||
type tt_old_type;
|
||||
type tt_new_type;
|
||||
type_transition tt_matched_source system:infoflow tt_old_type;
|
||||
|
||||
type_transition removed_type system:infoflow4 system;
|
||||
|
||||
type tt_move_to_bool;
|
||||
bool tt_move_to_bool_b false;
|
||||
type_transition tt_move_to_bool system:infoflow3 system;
|
||||
|
||||
type tt_move_from_bool;
|
||||
bool tt_move_from_bool_b false;
|
||||
if (tt_move_from_bool_b) {
|
||||
type_transition tt_move_from_bool system:infoflow4 system;
|
||||
}
|
||||
|
||||
type tt_switch_block;
|
||||
bool tt_switch_block_b false;
|
||||
if (tt_switch_block_b) {
|
||||
type_transition system tt_switch_block:infoflow5 system;
|
||||
type_transition system tt_switch_block:infoflow6 system;
|
||||
} else {
|
||||
type_transition system tt_switch_block:infoflow7 system;
|
||||
}
|
||||
|
||||
attribute tt_match_rule_by_attr;
|
||||
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
|
||||
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
|
||||
type_transition tt_match_rule_by_attr system:infoflow2 system;
|
||||
|
||||
attribute tt_unioned_perm_via_attr;
|
||||
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
|
||||
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
|
||||
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
|
||||
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
|
||||
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
|
||||
|
||||
# type_change rule differences
|
||||
type tc_matched_source;
|
||||
type tc_matched_target;
|
||||
type_change tc_matched_source tc_matched_target:infoflow system;
|
||||
|
||||
type tc_removed_rule_source;
|
||||
type tc_removed_rule_target;
|
||||
type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
|
||||
|
||||
type tc_added_rule_source;
|
||||
type tc_added_rule_target;
|
||||
|
||||
type tc_old_type;
|
||||
type tc_new_type;
|
||||
type_change tc_matched_source system:infoflow tc_old_type;
|
||||
|
||||
type_change removed_type system:infoflow4 system;
|
||||
|
||||
type tc_move_to_bool;
|
||||
bool tc_move_to_bool_b false;
|
||||
type_change tc_move_to_bool system:infoflow3 system;
|
||||
|
||||
type tc_move_from_bool;
|
||||
bool tc_move_from_bool_b false;
|
||||
if (tc_move_from_bool_b) {
|
||||
type_change tc_move_from_bool system:infoflow4 system;
|
||||
}
|
||||
|
||||
type tc_switch_block;
|
||||
bool tc_switch_block_b false;
|
||||
if (tc_switch_block_b) {
|
||||
type_change system tc_switch_block:infoflow5 system;
|
||||
type_change system tc_switch_block:infoflow6 system;
|
||||
} else {
|
||||
type_change system tc_switch_block:infoflow7 system;
|
||||
}
|
||||
|
||||
attribute tc_match_rule_by_attr;
|
||||
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
|
||||
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
|
||||
type_change tc_match_rule_by_attr system:infoflow2 system;
|
||||
|
||||
attribute tc_unioned_perm_via_attr;
|
||||
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
|
||||
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
|
||||
type_change tc_unioned_perm_via_attr system:infoflow2 system;
|
||||
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
|
||||
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
|
||||
|
||||
# type_member rule differences
|
||||
type tm_matched_source;
|
||||
type tm_matched_target;
|
||||
type_member tm_matched_source tm_matched_target:infoflow system;
|
||||
|
||||
type tm_removed_rule_source;
|
||||
type tm_removed_rule_target;
|
||||
type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
|
||||
|
||||
type tm_added_rule_source;
|
||||
type tm_added_rule_target;
|
||||
|
||||
type tm_old_type;
|
||||
type tm_new_type;
|
||||
type_member tm_matched_source system:infoflow tm_old_type;
|
||||
|
||||
type_member removed_type system:infoflow4 system;
|
||||
|
||||
type tm_move_to_bool;
|
||||
bool tm_move_to_bool_b false;
|
||||
type_member tm_move_to_bool system:infoflow3 system;
|
||||
|
||||
type tm_move_from_bool;
|
||||
bool tm_move_from_bool_b false;
|
||||
if (tm_move_from_bool_b) {
|
||||
type_member tm_move_from_bool system:infoflow4 system;
|
||||
}
|
||||
|
||||
type tm_switch_block;
|
||||
bool tm_switch_block_b false;
|
||||
if (tm_switch_block_b) {
|
||||
type_member system tm_switch_block:infoflow5 system;
|
||||
type_member system tm_switch_block:infoflow6 system;
|
||||
} else {
|
||||
type_member system tm_switch_block:infoflow7 system;
|
||||
}
|
||||
|
||||
attribute tm_match_rule_by_attr;
|
||||
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
|
||||
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
|
||||
type_member tm_match_rule_by_attr system:infoflow2 system;
|
||||
|
||||
attribute tm_unioned_perm_via_attr;
|
||||
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
|
||||
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
|
||||
type_member tm_unioned_perm_via_attr system:infoflow2 system;
|
||||
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
|
||||
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
|
||||
|
||||
type rt_matched_source;
|
||||
type rt_matched_target;
|
||||
|
||||
type rt_removed_rule_source;
|
||||
type rt_removed_rule_target;
|
||||
|
||||
type rt_added_rule_source;
|
||||
type rt_added_rule_target;
|
||||
|
||||
|
||||
|
||||
# range transitions cannot be conditional.
|
||||
#type rt_move_to_bool;
|
||||
#bool rt_move_to_bool_b false;
|
||||
|
||||
#type rt_move_from_bool;
|
||||
#bool rt_move_from_bool_b false;
|
||||
#if (rt_move_from_bool_b) {
|
||||
#}
|
||||
|
||||
#type rt_switch_block;
|
||||
#bool rt_switch_block_b false;
|
||||
#if (rt_switch_block_b) {
|
||||
#} else {
|
||||
#}
|
||||
|
||||
attribute rt_match_rule_by_attr;
|
||||
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
|
||||
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
|
||||
|
||||
attribute rt_unioned_perm_via_attr;
|
||||
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
|
||||
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
|
||||
|
||||
# role allow
|
||||
role matched_source_r;
|
||||
role matched_target_r;
|
||||
allow matched_source_r matched_target_r;
|
||||
|
||||
role removed_rule_source_r;
|
||||
role removed_rule_target_r;
|
||||
allow removed_rule_source_r removed_rule_target_r;
|
||||
|
||||
role added_rule_source_r;
|
||||
role added_rule_target_r;
|
||||
|
||||
allow removed_role system;
|
||||
|
||||
# role_transition
|
||||
role role_tr_matched_source;
|
||||
type role_tr_matched_target;
|
||||
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;
|
||||
|
||||
role role_tr_removed_rule_source;
|
||||
type role_tr_removed_rule_target;
|
||||
role_transition role_tr_removed_rule_source role_tr_removed_rule_target:infoflow5 system;
|
||||
|
||||
role role_tr_added_rule_source;
|
||||
type role_tr_added_rule_target;
|
||||
|
||||
role_transition removed_role system:infoflow4 system;
|
||||
|
||||
role role_tr_old_role;
|
||||
role role_tr_new_role;
|
||||
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
|
||||
|
||||
################################################################################
|
||||
|
||||
# policycaps
|
||||
policycap open_perms;
|
||||
policycap network_peer_controls;
|
||||
|
||||
#users
|
||||
user system roles system;
|
||||
|
||||
user removed_user roles system;
|
||||
|
||||
user modified_add_role roles system;
|
||||
user modified_remove_role roles { system removed_role };
|
||||
user modified_change_level roles system;
|
||||
user modified_change_range roles system;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system
|
||||
sid security system:system:system
|
||||
sid matched_sid system:system:system
|
||||
sid removed_sid removed_user:system:system
|
||||
sid modified_sid system:system:system
|
||||
|
||||
#fs_use
|
||||
fs_use_trans devpts system:object_r:system;
|
||||
fs_use_xattr ext3 system:object_r:system;
|
||||
fs_use_task pipefs system:object_r:system;
|
||||
fs_use_task removed_fsuse system:object_r:system;
|
||||
fs_use_trans modified_fsuse removed_user:object_r:system;
|
||||
|
||||
#genfscon
|
||||
genfscon proc / system:object_r:system
|
||||
genfscon proc /sys system:object_r:system
|
||||
genfscon selinuxfs / system:object_r:system
|
||||
genfscon removed_genfs / system:object_r:system
|
||||
genfscon change_path /old system:object_r:system
|
||||
genfscon modified_genfs / -s removed_user:object_r:system
|
||||
|
||||
# matched portcons
|
||||
portcon tcp 80 system:object_r:system
|
||||
portcon udp 80 system:object_r:system
|
||||
portcon udp 30-40 system:object_r:system
|
||||
|
||||
# removed portcons
|
||||
portcon udp 1024 system:object_r:system
|
||||
portcon tcp 1024-1026 system:object_r:system
|
||||
|
||||
# modified portcons
|
||||
portcon udp 3024 removed_user:object_r:system
|
||||
portcon tcp 3024-3026 removed_user:object_r:system
|
||||
|
||||
netifcon eth0 system:object_r:system system:object_r:system
|
||||
netifcon removed_netif system:object_r:system system:object_r:system
|
||||
netifcon mod_ctx_netif removed_user:object_r:system system:object_r:system
|
||||
netifcon mod_pkt_netif system:object_r:system removed_user:object_r:system
|
||||
netifcon mod_both_netif removed_user:object_r:system removed_user:object_r:system
|
||||
|
||||
# matched nodecons
|
||||
nodecon 127.0.0.1 255.255.255.255 system:object_r:system
|
||||
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system
|
||||
|
||||
# removed nodecons
|
||||
nodecon 127.0.0.2 255.255.255.255 removed_user:object_r:system
|
||||
nodecon ::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff removed_user:object_r:system
|
||||
|
||||
# modified nodecons
|
||||
nodecon 127.0.0.3 255.255.255.255 modified_change_level:object_r:system
|
||||
nodecon ::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff modified_change_level:object_r:system
|
||||
|
||||
# change netmask (add/remove)
|
||||
nodecon 127.0.0.5 255.255.255.255 system:object_r:system
|
||||
nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system
|
||||
Loading…
Reference in New Issue
Block a user