setools/tests/policyrep/invalid_policies/user-level-not-in-range.conf

class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class removed_class
class modified_add_perm
class modified_remove_perm
class modified_change_common

sid kernel
sid security
sid matched_sid
sid removed_sid
sid modified_sid

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

common removed_common
{
    old_com
}

common modified_remove_perm
{
    same_perm
    removed_perm
}

common modified_add_perm
{
    matched_perm
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

class removed_class
{
    null_perm
}

class modified_add_perm
{
    same_perm
}

class modified_remove_perm
{
    same_perm
    removed_perm
}

class modified_change_common
inherits removed_common

sensitivity s0 alias { al1 al2 };
sensitivity s1 alias { al3 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s47;

dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s47 }

category c0 alias { spam eggs };
category c1 alias { bar };
category c2;
category c3;
category c4;
category c5;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1;
level s41:c0.c4;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s47:c0.c4;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;
attribute an_attr;
attribute removed_attr;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

type removed_type;

type modified_remove_attr, an_attr;

type modified_remove_alias alias an_alias;

type modified_remove_permissive;
permissive modified_remove_permissive;

type modified_add_attr;

type modified_add_alias;

type modified_add_permissive;

role removed_role;

role modified_add_type;

role modified_remove_type;
role modified_remove_type types { system };

# booleans
bool same_bool true;
bool removed_bool true;
bool modified_bool false;


################################################################################

# policycaps
policycap open_perms;
policycap network_peer_controls;

#users
user system roles system level s0 range s0;

user removed_user roles system level s0 range s0;

user modified_add_role roles system level s2 range s2;
user modified_remove_role roles { system removed_role } level s2 range s2;
user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;

# this is an invalid user: default level is not within the range.
user modified_change_range roles system level s3:c1 range s3:c1.c3;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid removed_sid removed_user:system:system:s0
sid modified_sid system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_task removed_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse removed_user:object_r:system:s0;

#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon removed_genfs / system:object_r:system:s0
genfscon change_path /old system:object_r:system:s0
genfscon modified_genfs / -s removed_user:object_r:system:s0

# matched portcons
portcon tcp 80 system:object_r:system:s0
portcon udp 80 system:object_r:system:s0
portcon udp 30-40 system:object_r:system:s0

# removed portcons
portcon udp 1024 system:object_r:system:s0
portcon tcp 1024-1026 system:object_r:system:s0

# modified portcons
portcon udp 3024 removed_user:object_r:system:s0
portcon tcp 3024-3026 removed_user:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon removed_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif removed_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 removed_user:object_r:system:s0
netifcon mod_both_netif removed_user:object_r:system:s0 removed_user:object_r:system:s0

# matched nodecons
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0

# removed nodecons
nodecon 127.0.0.2 255.255.255.255 removed_user:object_r:system:s0
nodecon ::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff removed_user:object_r:system:s0

# modified nodecons
nodecon 127.0.0.3 255.255.255.255 modified_change_level:object_r:system:s2:c1
nodecon ::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff modified_change_level:object_r:system:s2:c0,c1

# change netmask (add/remove)
nodecon 127.0.0.5 255.255.255.255 system:object_r:system:s0
nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0