class infoflow class infoflow2 class infoflow3 class infoflow4 class infoflow5 class infoflow6 class infoflow7 sid kernel sid security common infoflow { low_w med_w hi_w low_r med_r hi_r } class infoflow inherits infoflow class infoflow2 inherits infoflow { super_w super_r } class infoflow3 { null } class infoflow4 inherits infoflow class infoflow5 inherits infoflow class infoflow6 inherits infoflow class infoflow7 inherits infoflow { super_w super_r super_none super_both super_unmapped } sensitivity low_s; sensitivity medium_s alias med; sensitivity high_s; dominance { low_s med high_s } category here; category there; category elsewhere alias lost; #level decl level low_s:here.there; level med:here, elsewhere; level high_s:here.lost; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); attribute mls_exempt; type system; role system; role system types system; ################################################################################ # Type enforcement declarations and rules allow system system:infoflow3 null; ######################################## # # Type Query # # test 1 # name: test1 # attrs: unset # alias: unset type test1; # test 2 # name: test2(a|b) regex # attrs: unset # alias: unset type test2a; type test2b; # test 10 # name: unset # attrs: test10a,test10b # alias: unset attribute test10a; attribute test10b; attribute test10c; type test10t1, test10a; type test10t2, test10a, test10b; type test10t3, test10a, test10b, test10c; type test10t4, test10b, test10c; type test10t5, test10a, test10c; type test10t6, test10b; type test10t7, test10c; # test 11 # name: unset # attrs: test11a,test11b equal # alias: unset attribute test11a; attribute test11b; attribute test11c; type test11t1, test11a; type test11t2, test11a, test11b; type test11t3, test11a, test11b, test11c; type test11t4, test11b, test11c; type test11t5, test11a, test11c; type test11t6, test11b; type test11t7, test11c; # test 12 # name: unset # attrs: test12(a|b) regex # alias: unset attribute test12a; attribute test12b; attribute test12c; type test12t1, test12a; type test12t2, test12a, test12b; type test12t3, test12a, test12b, test12c; type test12t4, test12b, test12c; type test12t5, test12a, test12c; type test12t6, test12b; type test12t7, test12c; # test 20 # name: unset # attrs: unset # alias: test20a type test20t1 alias { test20a test20c }; type test20t2 alias { test20b test20d }; # test 21 # name: unset # attrs: unset # alias: test21(a|b) type test21t1 alias { test21a test21c }; type test21t2 alias { test21b test21d }; type test21t3 alias { test21e test21f }; # test 30 # name: test30 # attrs: unset # alias: unset type test30; type test30a; permissive test30; ################################################################################ #users user system roles system level med range low_s - high_s:here.lost; #normal constraints constrain infoflow hi_w (u1 == u2); #isids sid kernel system:system:system:medium_s:here sid security system:system:system:high_s:lost #fs_use fs_use_trans devpts system:object_r:system:low_s; fs_use_xattr ext3 system:object_r:system:low_s; fs_use_task pipefs system:object_r:system:low_s; #genfscon genfscon proc / system:object_r:system:med genfscon proc /sys system:object_r:system:low_s genfscon selinuxfs / system:object_r:system:high_s:here.there portcon tcp 80 system:object_r:system:low_s netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here