mirror of
https://github.com/SELinuxProject/setools
synced 2025-02-28 18:11:27 +00:00
921 lines
26 KiB
Plaintext
921 lines
26 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class infoflow6
|
|
class infoflow7
|
|
class added_class
|
|
class modified_add_perm
|
|
class modified_remove_perm
|
|
class modified_change_common
|
|
|
|
sid kernel
|
|
sid security
|
|
sid unlabeled
|
|
sid fs
|
|
sid file
|
|
sid file_labels
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
ioctl
|
|
}
|
|
|
|
common added_common
|
|
{
|
|
new_com
|
|
}
|
|
|
|
common modified_remove_perm
|
|
{
|
|
same_perm
|
|
}
|
|
|
|
common modified_add_perm
|
|
{
|
|
matched_perm
|
|
added_perm
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
class added_class
|
|
{
|
|
new_class_perm
|
|
}
|
|
|
|
class modified_add_perm
|
|
{
|
|
same_perm
|
|
added_perm
|
|
}
|
|
|
|
class modified_remove_perm
|
|
{
|
|
same_perm
|
|
}
|
|
|
|
class modified_change_common
|
|
inherits added_common
|
|
|
|
# matching defaults:
|
|
default_user infoflow source;
|
|
default_role infoflow source;
|
|
default_type infoflow source;
|
|
default_range infoflow source low;
|
|
|
|
# added:
|
|
default_user infoflow2 target;
|
|
default_range infoflow2 source low;
|
|
|
|
# removed:
|
|
|
|
# modified:
|
|
default_type infoflow4 target;
|
|
default_range infoflow4 target low;
|
|
|
|
# modified range:
|
|
default_range infoflow5 target high;
|
|
|
|
# modified both
|
|
default_range infoflow6 target low;
|
|
|
|
sensitivity s0 alias { al1 };
|
|
sensitivity s1 alias { al3 al4 };
|
|
sensitivity s2;
|
|
sensitivity s3;
|
|
sensitivity s40;
|
|
sensitivity s41;
|
|
sensitivity s42;
|
|
sensitivity s43;
|
|
sensitivity s44;
|
|
sensitivity s45;
|
|
sensitivity s46;
|
|
|
|
dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s46 }
|
|
|
|
category c0 alias { spam };
|
|
category c1 alias { foo bar };
|
|
category c2;
|
|
category c3;
|
|
category c4;
|
|
category c6;
|
|
|
|
#level decl
|
|
level s0:c0.c4;
|
|
level s1:c0.c4;
|
|
level s2:c0.c4;
|
|
level s3:c0.c4;
|
|
level s40:c1,c3;
|
|
level s41:c0.c3;
|
|
level s42:c0.c4;
|
|
level s43:c0.c4;
|
|
level s44:c0.c4;
|
|
level s45:c0.c4;
|
|
level s46:c0.c4;
|
|
|
|
# matching mls constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
# added mls constraint
|
|
mlsconstrain infoflow3 null ((l1 domby l2 and h1 domby h2) or (t1 != mls_exempt));
|
|
|
|
# removed mls constraint
|
|
|
|
# remove/add mls constraint (expression change)
|
|
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 incomp h2) or (t1 == mls_exempt));
|
|
|
|
# matching mls validatetrans
|
|
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);
|
|
|
|
# added mls validatetrans
|
|
mlsvalidatetrans infoflow3 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);
|
|
|
|
# removed mls validatetrans
|
|
|
|
# remove/add mls validatetrans (expression change)
|
|
mlsvalidatetrans infoflow5 ((l1 incomp l2 and h1 domby h2) or (t3 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
attribute an_attr;
|
|
attribute added_attr;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
################################################################################
|
|
# Type enforcement declarations and rules
|
|
|
|
type added_type;
|
|
|
|
type modified_remove_attr;
|
|
|
|
type modified_remove_alias;
|
|
|
|
type modified_remove_permissive;
|
|
|
|
type modified_add_attr, an_attr;
|
|
|
|
type modified_add_alias alias an_alias;
|
|
|
|
type modified_add_permissive;
|
|
permissive modified_add_permissive;
|
|
|
|
role added_role;
|
|
|
|
role modified_add_type;
|
|
role modified_add_type types { system };
|
|
|
|
role modified_remove_type;
|
|
|
|
# booleans
|
|
bool same_bool true;
|
|
bool added_bool true;
|
|
bool modified_bool true;
|
|
|
|
# Allow rule differences
|
|
type matched_source;
|
|
type matched_target;
|
|
allow matched_source matched_target:infoflow hi_w;
|
|
|
|
type removed_rule_source;
|
|
type removed_rule_target;
|
|
|
|
type added_rule_source;
|
|
type added_rule_target;
|
|
allow added_rule_source added_rule_target:infoflow med_w;
|
|
|
|
type modified_rule_add_perms;
|
|
allow modified_rule_add_perms self:infoflow { hi_r hi_w };
|
|
|
|
type modified_rule_remove_perms;
|
|
allow modified_rule_remove_perms self:infoflow low_w;
|
|
|
|
type modified_rule_add_remove_perms;
|
|
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
|
|
|
|
allow added_type self:infoflow2 med_w;
|
|
|
|
type move_to_bool;
|
|
bool move_to_bool_b false;
|
|
if (move_to_bool_b) {
|
|
allow move_to_bool self:infoflow4 hi_w;
|
|
}
|
|
|
|
type move_from_bool;
|
|
bool move_from_bool_b false;
|
|
allow move_from_bool self:infoflow4 hi_r;
|
|
|
|
type switch_block;
|
|
bool switch_block_b false;
|
|
if (switch_block_b) {
|
|
allow system switch_block:infoflow5 hi_r;
|
|
} else {
|
|
allow system switch_block:infoflow6 hi_r;
|
|
allow system switch_block:infoflow7 hi_r;
|
|
}
|
|
|
|
attribute match_rule_by_attr;
|
|
type match_rule_by_attr_A_t, match_rule_by_attr;
|
|
type match_rule_by_attr_B_t, match_rule_by_attr;
|
|
allow match_rule_by_attr_A_t self:infoflow2 super_w;
|
|
allow match_rule_by_attr_B_t self:infoflow2 super_w;
|
|
|
|
attribute union_perm_a;
|
|
attribute union_perm_b;
|
|
attribute union_perm_c;
|
|
type union_perm_source, union_perm_a, union_perm_c;
|
|
type union_perm_target, union_perm_b;
|
|
allow union_perm_a union_perm_b:infoflow hi_w;
|
|
allow union_perm_c union_perm_target:infoflow med_w;
|
|
allow union_perm_source union_perm_target:infoflow low_w;
|
|
|
|
# Auditallow rule differences
|
|
type aa_matched_source;
|
|
type aa_matched_target;
|
|
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
|
|
|
|
type aa_removed_rule_source;
|
|
type aa_removed_rule_target;
|
|
|
|
type aa_added_rule_source;
|
|
type aa_added_rule_target;
|
|
auditallow aa_added_rule_source aa_added_rule_target:infoflow med_w;
|
|
|
|
type aa_modified_rule_add_perms;
|
|
auditallow aa_modified_rule_add_perms self:infoflow { hi_r hi_w };
|
|
|
|
type aa_modified_rule_remove_perms;
|
|
auditallow aa_modified_rule_remove_perms self:infoflow low_w;
|
|
|
|
type aa_modified_rule_add_remove_perms;
|
|
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
|
|
|
|
auditallow added_type self:infoflow7 super_none;
|
|
|
|
type aa_move_to_bool;
|
|
bool aa_move_to_bool_b false;
|
|
if (aa_move_to_bool_b) {
|
|
auditallow aa_move_to_bool self:infoflow4 hi_w;
|
|
}
|
|
|
|
type aa_move_from_bool;
|
|
bool aa_move_from_bool_b false;
|
|
auditallow aa_move_from_bool self:infoflow4 hi_r;
|
|
|
|
type aa_switch_block;
|
|
bool aa_switch_block_b false;
|
|
if (aa_switch_block_b) {
|
|
auditallow system aa_switch_block:infoflow5 hi_r;
|
|
} else {
|
|
auditallow system aa_switch_block:infoflow6 hi_r;
|
|
auditallow system aa_switch_block:infoflow7 hi_r;
|
|
}
|
|
|
|
attribute aa_match_rule_by_attr;
|
|
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
|
|
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
|
|
auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
|
|
auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;
|
|
|
|
attribute aa_union_perm_a;
|
|
attribute aa_union_perm_b;
|
|
attribute aa_union_perm_c;
|
|
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
|
|
type aa_union_perm_target, aa_union_perm_b;
|
|
auditallow aa_union_perm_a aa_union_perm_b:infoflow hi_w;
|
|
auditallow aa_union_perm_c aa_union_perm_target:infoflow med_w;
|
|
auditallow aa_union_perm_source aa_union_perm_target:infoflow low_w;
|
|
|
|
# Dontaudit rule differences
|
|
type da_matched_source;
|
|
type da_matched_target;
|
|
dontaudit da_matched_source da_matched_target:infoflow hi_w;
|
|
|
|
type da_removed_rule_source;
|
|
type da_removed_rule_target;
|
|
|
|
type da_added_rule_source;
|
|
type da_added_rule_target;
|
|
dontaudit da_added_rule_source da_added_rule_target:infoflow med_w;
|
|
|
|
type da_modified_rule_add_perms;
|
|
dontaudit da_modified_rule_add_perms self:infoflow { hi_r hi_w };
|
|
|
|
type da_modified_rule_remove_perms;
|
|
dontaudit da_modified_rule_remove_perms self:infoflow low_w;
|
|
|
|
type da_modified_rule_add_remove_perms;
|
|
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
|
|
|
|
dontaudit added_type self:infoflow7 super_none;
|
|
|
|
type da_move_to_bool;
|
|
bool da_move_to_bool_b false;
|
|
if (da_move_to_bool_b) {
|
|
dontaudit da_move_to_bool self:infoflow4 hi_w;
|
|
}
|
|
|
|
type da_move_from_bool;
|
|
bool da_move_from_bool_b false;
|
|
dontaudit da_move_from_bool self:infoflow4 hi_r;
|
|
|
|
type da_switch_block;
|
|
bool da_switch_block_b false;
|
|
if (da_switch_block_b) {
|
|
dontaudit system da_switch_block:infoflow5 hi_r;
|
|
} else {
|
|
dontaudit system da_switch_block:infoflow6 hi_r;
|
|
dontaudit system da_switch_block:infoflow7 hi_r;
|
|
}
|
|
|
|
attribute da_match_rule_by_attr;
|
|
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
|
|
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
|
|
dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
|
|
dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;
|
|
|
|
attribute da_union_perm_a;
|
|
attribute da_union_perm_b;
|
|
attribute da_union_perm_c;
|
|
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
|
|
type da_union_perm_target, da_union_perm_b;
|
|
dontaudit da_union_perm_a da_union_perm_b:infoflow hi_w;
|
|
dontaudit da_union_perm_c da_union_perm_target:infoflow med_w;
|
|
dontaudit da_union_perm_source da_union_perm_target:infoflow low_w;
|
|
|
|
# Neverallow rule differences
|
|
type na_matched_source;
|
|
type na_matched_target;
|
|
neverallow na_matched_source na_matched_target:infoflow hi_w;
|
|
|
|
type na_removed_rule_source;
|
|
type na_removed_rule_target;
|
|
|
|
type na_added_rule_source;
|
|
type na_added_rule_target;
|
|
neverallow na_added_rule_source na_added_rule_target:infoflow med_w;
|
|
|
|
type na_modified_rule_add_perms;
|
|
neverallow na_modified_rule_add_perms self:infoflow { hi_r hi_w };
|
|
|
|
type na_modified_rule_remove_perms;
|
|
neverallow na_modified_rule_remove_perms self:infoflow low_w;
|
|
|
|
type na_modified_rule_add_remove_perms;
|
|
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
|
|
|
|
neverallow added_type self:added_class new_class_perm;
|
|
|
|
attribute na_match_rule_by_attr;
|
|
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
|
|
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
|
|
neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
|
|
neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;
|
|
|
|
attribute na_union_perm_a;
|
|
attribute na_union_perm_b;
|
|
attribute na_union_perm_c;
|
|
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
|
|
type na_union_perm_target, na_union_perm_b;
|
|
neverallow na_union_perm_a na_union_perm_b:infoflow hi_w;
|
|
neverallow na_union_perm_c na_union_perm_target:infoflow med_w;
|
|
neverallow na_union_perm_source na_union_perm_target:infoflow low_w;
|
|
|
|
# type_transition rule differences
|
|
type tt_matched_source;
|
|
type tt_matched_target;
|
|
type_transition tt_matched_source tt_matched_target:infoflow system;
|
|
|
|
type tt_removed_rule_source;
|
|
type tt_removed_rule_target;
|
|
|
|
type tt_added_rule_source;
|
|
type tt_added_rule_target;
|
|
type_transition tt_added_rule_source tt_added_rule_target:infoflow system;
|
|
|
|
type tt_old_type;
|
|
type tt_new_type;
|
|
type_transition tt_matched_source system:infoflow tt_new_type;
|
|
|
|
type_transition added_type system:infoflow4 system;
|
|
|
|
type tt_move_to_bool;
|
|
bool tt_move_to_bool_b false;
|
|
if (tt_move_to_bool_b) {
|
|
type_transition tt_move_to_bool system:infoflow3 system;
|
|
}
|
|
|
|
type tt_move_from_bool;
|
|
bool tt_move_from_bool_b false;
|
|
type_transition tt_move_from_bool system:infoflow4 system;
|
|
|
|
type tt_switch_block;
|
|
bool tt_switch_block_b false;
|
|
if (tt_switch_block_b) {
|
|
type_transition system tt_switch_block:infoflow5 system;
|
|
} else {
|
|
type_transition system tt_switch_block:infoflow6 system;
|
|
type_transition system tt_switch_block:infoflow7 system;
|
|
}
|
|
|
|
attribute tt_match_rule_by_attr;
|
|
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
|
|
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
|
|
type_transition tt_match_rule_by_attr system:infoflow2 system;
|
|
|
|
attribute tt_unioned_perm_via_attr;
|
|
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
|
|
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
|
|
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
|
|
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
|
|
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
|
|
|
|
# type_change rule differences
|
|
type tc_matched_source;
|
|
type tc_matched_target;
|
|
type_change tc_matched_source tc_matched_target:infoflow system;
|
|
|
|
type tc_removed_rule_source;
|
|
type tc_removed_rule_target;
|
|
|
|
type tc_added_rule_source;
|
|
type tc_added_rule_target;
|
|
type_change tc_added_rule_source tc_added_rule_target:infoflow system;
|
|
|
|
type tc_old_type;
|
|
type tc_new_type;
|
|
type_change tc_matched_source system:infoflow tc_new_type;
|
|
|
|
type_change added_type system:infoflow4 system;
|
|
|
|
type tc_move_to_bool;
|
|
bool tc_move_to_bool_b false;
|
|
if (tc_move_to_bool_b) {
|
|
type_change tc_move_to_bool system:infoflow3 system;
|
|
}
|
|
|
|
type tc_move_from_bool;
|
|
bool tc_move_from_bool_b false;
|
|
type_change tc_move_from_bool system:infoflow4 system;
|
|
|
|
type tc_switch_block;
|
|
bool tc_switch_block_b false;
|
|
if (tc_switch_block_b) {
|
|
type_change system tc_switch_block:infoflow5 system;
|
|
} else {
|
|
type_change system tc_switch_block:infoflow6 system;
|
|
type_change system tc_switch_block:infoflow7 system;
|
|
}
|
|
|
|
attribute tc_match_rule_by_attr;
|
|
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
|
|
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
|
|
type_change tc_match_rule_by_attr system:infoflow2 system;
|
|
|
|
attribute tc_unioned_perm_via_attr;
|
|
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
|
|
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
|
|
type_change tc_unioned_perm_via_attr system:infoflow2 system;
|
|
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
|
|
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
|
|
|
|
# type_member rule differences
|
|
type tm_matched_source;
|
|
type tm_matched_target;
|
|
type_member tm_matched_source tm_matched_target:infoflow system;
|
|
|
|
type tm_removed_rule_source;
|
|
type tm_removed_rule_target;
|
|
|
|
type tm_added_rule_source;
|
|
type tm_added_rule_target;
|
|
type_member tm_added_rule_source tm_added_rule_target:infoflow system;
|
|
|
|
type tm_old_type;
|
|
type tm_new_type;
|
|
type_member tm_matched_source system:infoflow tm_new_type;
|
|
|
|
type_member added_type system:infoflow4 system;
|
|
|
|
type tm_move_to_bool;
|
|
bool tm_move_to_bool_b false;
|
|
if (tm_move_to_bool_b) {
|
|
type_member tm_move_to_bool system:infoflow3 system;
|
|
}
|
|
|
|
type tm_move_from_bool;
|
|
bool tm_move_from_bool_b false;
|
|
type_member tm_move_from_bool system:infoflow4 system;
|
|
|
|
type tm_switch_block;
|
|
bool tm_switch_block_b false;
|
|
if (tm_switch_block_b) {
|
|
type_member system tm_switch_block:infoflow5 system;
|
|
} else {
|
|
type_member system tm_switch_block:infoflow6 system;
|
|
type_member system tm_switch_block:infoflow7 system;
|
|
}
|
|
|
|
attribute tm_match_rule_by_attr;
|
|
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
|
|
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
|
|
type_member tm_match_rule_by_attr system:infoflow2 system;
|
|
|
|
attribute tm_unioned_perm_via_attr;
|
|
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
|
|
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
|
|
type_member tm_unioned_perm_via_attr system:infoflow2 system;
|
|
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
|
|
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
|
|
|
|
# range_transition rule differences
|
|
type rt_matched_source;
|
|
type rt_matched_target;
|
|
range_transition rt_matched_source rt_matched_target:infoflow s0;
|
|
|
|
type rt_removed_rule_source;
|
|
type rt_removed_rule_target;
|
|
|
|
type rt_added_rule_source;
|
|
type rt_added_rule_target;
|
|
range_transition rt_added_rule_source rt_added_rule_target:infoflow s3;
|
|
|
|
range_transition rt_matched_source system:infoflow s0:c0,c4 - s1:c0.c2,c4;
|
|
|
|
range_transition added_type system:infoflow4 s3;
|
|
|
|
# range transitions cannot be conditional.
|
|
#type rt_move_to_bool;
|
|
#bool rt_move_to_bool_b false;
|
|
#if (rt_move_to_bool_b) {
|
|
#range_transition rt_move_to_bool system:infoflow3 s0;
|
|
#}
|
|
|
|
#type rt_move_from_bool;
|
|
#bool rt_move_from_bool_b false;
|
|
#range_transition rt_move_from_bool system:infoflow4 s0;
|
|
|
|
#type rt_switch_block;
|
|
#bool rt_switch_block_b false;
|
|
#if (rt_switch_block_b) {
|
|
#range_transition system rt_switch_block:infoflow5 s0;
|
|
#} else {
|
|
#range_transition system rt_switch_block:infoflow6 s0;
|
|
#range_transition system rt_switch_block:infoflow7 s0;
|
|
#}
|
|
|
|
attribute rt_match_rule_by_attr;
|
|
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
|
|
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
|
|
range_transition rt_match_rule_by_attr system:infoflow2 s0;
|
|
|
|
attribute rt_unioned_perm_via_attr;
|
|
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
|
|
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
|
|
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
|
|
range_transition rt_unioned_perm_via_attr_B_t system:infoflow2 s0;
|
|
|
|
# role allow
|
|
role matched_source_r;
|
|
role matched_target_r;
|
|
allow matched_source_r matched_target_r;
|
|
|
|
role removed_rule_source_r;
|
|
role removed_rule_target_r;
|
|
|
|
role added_rule_source_r;
|
|
role added_rule_target_r;
|
|
allow added_rule_source_r added_rule_target_r;
|
|
|
|
allow added_role system;
|
|
|
|
# role_transition
|
|
role role_tr_matched_source;
|
|
type role_tr_matched_target;
|
|
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;
|
|
|
|
role role_tr_removed_rule_source;
|
|
type role_tr_removed_rule_target;
|
|
|
|
role role_tr_added_rule_source;
|
|
type role_tr_added_rule_target;
|
|
role_transition role_tr_added_rule_source role_tr_added_rule_target:infoflow6 system;
|
|
|
|
role_transition added_role system:infoflow4 system;
|
|
|
|
role role_tr_old_role;
|
|
role role_tr_new_role;
|
|
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role;
|
|
|
|
# Allowxperm rule differences
|
|
type ax_matched_source;
|
|
type ax_matched_target;
|
|
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
|
|
|
|
type ax_removed_rule_source;
|
|
type ax_removed_rule_target;
|
|
|
|
type ax_added_rule_source;
|
|
type ax_added_rule_target;
|
|
allowxperm ax_added_rule_source ax_added_rule_target:infoflow ioctl 0x0002;
|
|
|
|
type ax_modified_rule_add_perms;
|
|
allowxperm ax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
|
|
|
type ax_modified_rule_remove_perms;
|
|
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
|
|
|
type ax_modified_rule_add_remove_perms;
|
|
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
|
|
|
allowxperm added_type self:infoflow7 ioctl 0x0009;
|
|
|
|
attribute ax_match_rule_by_attr;
|
|
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
|
|
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
|
|
allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
|
allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
|
|
|
attribute ax_union_perm_a;
|
|
attribute ax_union_perm_b;
|
|
attribute ax_union_perm_c;
|
|
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
|
|
type ax_union_perm_target, ax_union_perm_b;
|
|
allowxperm ax_union_perm_a ax_union_perm_b:infoflow ioctl 0x1;
|
|
allowxperm ax_union_perm_c ax_union_perm_target:infoflow ioctl 0x2;
|
|
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl 0x3;
|
|
|
|
# Auditallowxperm rule differences
|
|
type aax_matched_source;
|
|
type aax_matched_target;
|
|
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
|
|
|
|
type aax_removed_rule_source;
|
|
type aax_removed_rule_target;
|
|
|
|
type aax_added_rule_source;
|
|
type aax_added_rule_target;
|
|
auditallowxperm aax_added_rule_source aax_added_rule_target:infoflow ioctl 0x0002;
|
|
|
|
type aax_modified_rule_add_perms;
|
|
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
|
|
|
type aax_modified_rule_remove_perms;
|
|
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
|
|
|
type aax_modified_rule_add_remove_perms;
|
|
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
|
|
|
auditallowxperm added_type self:infoflow7 ioctl 0x0009;
|
|
|
|
attribute aax_match_rule_by_attr;
|
|
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
|
|
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
|
|
auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
|
auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
|
|
|
attribute aax_union_perm_a;
|
|
attribute aax_union_perm_b;
|
|
attribute aax_union_perm_c;
|
|
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
|
|
type aax_union_perm_target, aax_union_perm_b;
|
|
auditallowxperm aax_union_perm_a aax_union_perm_b:infoflow ioctl 0x1;
|
|
auditallowxperm aax_union_perm_c aax_union_perm_target:infoflow ioctl 0x2;
|
|
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl 0x3;
|
|
|
|
# Neverallowxperm rule differences
|
|
type nax_matched_source;
|
|
type nax_matched_target;
|
|
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
|
|
|
|
type nax_removed_rule_source;
|
|
type nax_removed_rule_target;
|
|
|
|
type nax_added_rule_source;
|
|
type nax_added_rule_target;
|
|
neverallowxperm nax_added_rule_source nax_added_rule_target:infoflow ioctl 0x0002;
|
|
|
|
type nax_modified_rule_add_perms;
|
|
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
|
|
|
type nax_modified_rule_remove_perms;
|
|
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
|
|
|
type nax_modified_rule_add_remove_perms;
|
|
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
|
|
|
neverallowxperm added_type self:infoflow7 ioctl 0x0009;
|
|
|
|
attribute nax_match_rule_by_attr;
|
|
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
|
|
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
|
|
neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
|
neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
|
|
|
attribute nax_union_perm_a;
|
|
attribute nax_union_perm_b;
|
|
attribute nax_union_perm_c;
|
|
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
|
|
type nax_union_perm_target, nax_union_perm_b;
|
|
neverallowxperm nax_union_perm_a nax_union_perm_b:infoflow ioctl 0x1;
|
|
neverallowxperm nax_union_perm_c nax_union_perm_target:infoflow ioctl 0x2;
|
|
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl 0x3;
|
|
|
|
# Dontauditxperm rule differences
|
|
type dax_matched_source;
|
|
type dax_matched_target;
|
|
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
|
|
|
|
type dax_removed_rule_source;
|
|
type dax_removed_rule_target;
|
|
|
|
type dax_added_rule_source;
|
|
type dax_added_rule_target;
|
|
dontauditxperm dax_added_rule_source dax_added_rule_target:infoflow ioctl 0x0002;
|
|
|
|
type dax_modified_rule_add_perms;
|
|
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };
|
|
|
|
type dax_modified_rule_remove_perms;
|
|
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl 0x0005;
|
|
|
|
type dax_modified_rule_add_remove_perms;
|
|
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };
|
|
|
|
dontauditxperm added_type self:infoflow7 ioctl 0x0009;
|
|
|
|
attribute dax_match_rule_by_attr;
|
|
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
|
|
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
|
|
dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
|
|
dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;
|
|
|
|
attribute dax_union_perm_a;
|
|
attribute dax_union_perm_b;
|
|
attribute dax_union_perm_c;
|
|
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
|
|
type dax_union_perm_target, dax_union_perm_b;
|
|
dontauditxperm dax_union_perm_a dax_union_perm_b:infoflow ioctl 0x1;
|
|
dontauditxperm dax_union_perm_c dax_union_perm_target:infoflow ioctl 0x2;
|
|
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl 0x3;
|
|
|
|
################################################################################
|
|
# matching typebounds
|
|
type match_parent;
|
|
type match_child;
|
|
typebounds match_parent match_child;
|
|
|
|
# removed typebounds
|
|
type removed_parent;
|
|
type removed_child;
|
|
|
|
# added typebounds
|
|
type added_parent;
|
|
type added_child;
|
|
typebounds added_parent added_child;
|
|
|
|
# modified typebounds
|
|
type mod_parent_removed;
|
|
type mod_parent_added;
|
|
type mod_child;
|
|
typebounds mod_parent_added mod_child;
|
|
|
|
# policycaps
|
|
policycap open_perms;
|
|
policycap always_check_network;
|
|
|
|
#users
|
|
user system roles system level s0 range s0;
|
|
|
|
user added_user roles system level s1 range s1;
|
|
|
|
user modified_add_role roles { system added_role } level s2 range s2;
|
|
user modified_remove_role roles system level s2 range s2;
|
|
user modified_change_level roles system level s2:c1 range s2:c1 - s2:c0,c1;
|
|
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c4;
|
|
|
|
# matching constraints
|
|
constrain infoflow hi_w (u1 == u2 or t1 == system);
|
|
constrain infoflow hi_w (t1 == t2 or t1 == system);
|
|
constrain infoflow hi_r (r1 == r2 or t1 == system);
|
|
|
|
# added constraint
|
|
constrain infoflow3 null (u1 != u2);
|
|
|
|
# removed constraint
|
|
|
|
# remove/add constraint (expression change)
|
|
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 != system));
|
|
|
|
# matching validatetrans
|
|
validatetrans infoflow (u1 == u2 or t3 == system);
|
|
validatetrans infoflow (r1 == r2 or t3 == system);
|
|
validatetrans infoflow2 (u1 == u2 or t3 == system);
|
|
|
|
# added validatetrans
|
|
validatetrans infoflow3 (t1 == t2 or t3 == system);
|
|
|
|
# removed validatetrans
|
|
|
|
# remove/add validatetrans (expression change)
|
|
validatetrans infoflow5 ((u1 != u2 and r1 == r2) or (t3 == system));
|
|
|
|
#isids
|
|
sid kernel system:system:system:s0
|
|
sid security system:system:system:s0
|
|
sid unlabeled system:system:system:s0
|
|
sid fs system:system:system:s0
|
|
sid file system:system:system:s0
|
|
sid file_labels added_user:system:system:s1
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:s0;
|
|
fs_use_xattr ext3 system:object_r:system:s0;
|
|
fs_use_task pipefs system:object_r:system:s0;
|
|
fs_use_xattr added_fsuse system:object_r:system:s0;
|
|
fs_use_trans modified_fsuse added_user:object_r:system:s1;
|
|
|
|
#genfscon
|
|
genfscon proc / system:object_r:system:s0
|
|
genfscon proc /sys system:object_r:system:s0
|
|
genfscon selinuxfs / system:object_r:system:s0
|
|
genfscon added_genfs / added_user:object_r:system:s0
|
|
genfscon change_path /new system:object_r:system:s0
|
|
genfscon modified_genfs / -s added_user:object_r:system:s0
|
|
|
|
# matched portcons
|
|
portcon tcp 80 system:object_r:system:s0
|
|
portcon udp 80 system:object_r:system:s0
|
|
portcon udp 30-40 system:object_r:system:s0
|
|
|
|
# added portcons
|
|
portcon udp 2024 system:object_r:system:s0
|
|
portcon tcp 2024-2026 system:object_r:system:s0
|
|
|
|
# modified portcons
|
|
portcon udp 3024 added_user:object_r:system:s1
|
|
portcon tcp 3024-3026 added_user:object_r:system:s1
|
|
|
|
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
|
|
netifcon added_netif system:object_r:system:s0 system:object_r:system:s0
|
|
netifcon mod_ctx_netif added_user:object_r:system:s0 system:object_r:system:s0
|
|
netifcon mod_pkt_netif system:object_r:system:s0 added_user:object_r:system:s0
|
|
netifcon mod_both_netif added_user:object_r:system:s0 added_user:object_r:system:s0
|
|
|
|
# matched nodecons
|
|
nodecon 121.0.0.0 255.0.0.0 system:object_r:system:s0
|
|
nodecon ff01:: ffff:ffff:ffff:fffc:: system:object_r:system:s0
|
|
|
|
# added nodecons
|
|
nodecon 124.0.0.0 255.0.0.0 added_user:object_r:system:s0
|
|
nodecon ff04:: ffff:ffff:ffff:fffc:: added_user:object_r:system:s0
|
|
|
|
# modified nodecons
|
|
nodecon 123.0.0.0 255.0.0.0 modified_change_level:object_r:system:s2:c0
|
|
nodecon ff03:: ffff:ffff:ffff:fffc:: modified_change_level:object_r:system:s2:c1
|
|
|
|
# change netmask (add/remove)
|
|
nodecon 125.0.0.0 255.255.0.0 system:object_r:system:s0
|
|
nodecon ff05:: ffff:ffff:ffff:fff0:: system:object_r:system:s0
|