mirror of
https://github.com/SELinuxProject/setools
synced 2025-02-28 18:11:27 +00:00
dbf2c197c7
The object class values have not been static for many years. This has only worked because libsepol was similarly setting static class values. This will soon be removed, see SELinuxProject/selinux#200. Add file object classes to the unit tests where genfscons are used. The classes are added in the same alignment as the static values since old policies will have these class values. Remove static class values from sepol.pxd. Closes #39 Signed-off-by: Chris PeBenito <pebenito@ieee.org>
344 lines
6.2 KiB
Plaintext
344 lines
6.2 KiB
Plaintext
class infoflow
|
|
class infoflow2
|
|
class infoflow3
|
|
class infoflow4
|
|
class infoflow5
|
|
class file
|
|
class dir
|
|
class infoflow6
|
|
class lnk_file
|
|
class chr_file
|
|
class blk_file
|
|
class sock_file
|
|
class fifo_file
|
|
class infoflow7
|
|
|
|
sid kernel
|
|
sid security
|
|
|
|
common infoflow
|
|
{
|
|
low_w
|
|
med_w
|
|
hi_w
|
|
low_r
|
|
med_r
|
|
hi_r
|
|
}
|
|
|
|
class infoflow
|
|
inherits infoflow
|
|
|
|
class infoflow2
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
}
|
|
|
|
class infoflow3
|
|
{
|
|
null
|
|
}
|
|
|
|
class infoflow4
|
|
inherits infoflow
|
|
|
|
class infoflow5
|
|
inherits infoflow
|
|
|
|
class infoflow6
|
|
inherits infoflow
|
|
|
|
class infoflow7
|
|
inherits infoflow
|
|
{
|
|
super_w
|
|
super_r
|
|
super_none
|
|
super_both
|
|
super_unmapped
|
|
}
|
|
|
|
class dir
|
|
inherits infoflow
|
|
|
|
class file
|
|
inherits infoflow
|
|
|
|
class lnk_file
|
|
inherits infoflow
|
|
|
|
class sock_file
|
|
inherits infoflow
|
|
|
|
class fifo_file
|
|
inherits infoflow
|
|
|
|
class chr_file
|
|
inherits infoflow
|
|
|
|
class blk_file
|
|
inherits infoflow
|
|
|
|
sensitivity s0;
|
|
sensitivity s1;
|
|
sensitivity s2;
|
|
sensitivity s3;
|
|
sensitivity s4;
|
|
sensitivity s5;
|
|
sensitivity s6;
|
|
|
|
dominance { s0 s1 s2 s3 s4 s5 s6 }
|
|
|
|
category c0;
|
|
category c1;
|
|
category c2;
|
|
category c3;
|
|
category c4;
|
|
|
|
#level decl
|
|
level s0:c0.c4;
|
|
level s1:c0.c4;
|
|
level s2:c0.c4;
|
|
level s3:c0.c4;
|
|
level s4:c0.c4;
|
|
level s5:c0.c4;
|
|
level s6:c0.c4;
|
|
|
|
|
|
#some constraints
|
|
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
|
|
|
attribute mls_exempt;
|
|
|
|
type system;
|
|
role system;
|
|
role system types system;
|
|
|
|
role role30_r;
|
|
role role31a_r;
|
|
role role31b_r;
|
|
role role31c_r;
|
|
|
|
role role30_r types system;
|
|
role role31a_r types system;
|
|
role role31b_r types system;
|
|
role role31c_r types system;
|
|
|
|
type type40;
|
|
type type41a;
|
|
type type41b;
|
|
type type41c;
|
|
role system types { type40 type41a type41b type41c };
|
|
|
|
################################################################################
|
|
# Type enforcement declarations and rules
|
|
|
|
allow system system:infoflow3 null;
|
|
|
|
################################################################################
|
|
|
|
#users
|
|
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
|
|
user user20 roles system level s0 range s0 - s2:c0.c4;
|
|
user user21a roles system level s0 range s0 - s2:c0.c4;
|
|
user user21b roles system level s0 range s0 - s2:c0.c4;
|
|
user user21c roles system level s0 range s0 - s2:c0.c4;
|
|
|
|
#normal constraints
|
|
constrain infoflow hi_w (u1 == u2);
|
|
|
|
#isids
|
|
sid kernel system:system:system:s0
|
|
sid security system:system:system:s0
|
|
|
|
#fs_use
|
|
fs_use_trans devpts system:object_r:system:s0;
|
|
fs_use_xattr ext3 system:object_r:system:s0;
|
|
fs_use_task pipefs system:object_r:system:s0;
|
|
|
|
#genfscon
|
|
# test 1:
|
|
# fs: test1, exact
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test1 / system:system:system:s0:c0.c4
|
|
|
|
# test 2:
|
|
# fs: test2(a|b), regex
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test2a / system:system:system:s0:c0.c1
|
|
genfscon test2b / system:system:system:s0:c2.c4
|
|
|
|
# test 10:
|
|
# fs: unset
|
|
# path: /sys, exact
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test10 /sys system:system:system:s0:c2.c4
|
|
|
|
# test 11:
|
|
# fs: unset
|
|
# path: /(spam|eggs), regex
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test11a /spam system:system:system:s0:c2.c4
|
|
genfscon test11b /eggs system:system:system:s0:c2.c4
|
|
genfscon test11c /FAIL system:system:system:s0:c2.c4
|
|
|
|
# test 20:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: user20, exact
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test20 / user20:system:system:s0:c0.c1
|
|
|
|
# test 21:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: user21(a|b), regex
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test21a / user21a:system:system:s0:c0.c1
|
|
genfscon test21b / user21b:system:system:s0:c0.c1
|
|
genfscon test21c / user21c:system:system:s0:c0.c1
|
|
|
|
# test 30:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: role30_r, exact
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test30 / system:role30_r:system:s0:c0.c1
|
|
|
|
# test 31:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: role30(a|c)_r, regex
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test31a / system:role31a_r:system:s0:c0.c1
|
|
genfscon test31b / system:role31b_r:system:s0:c0.c1
|
|
genfscon test31c / system:role31c_r:system:s0:c0.c1
|
|
|
|
# test 40:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type40
|
|
# range: unset
|
|
genfscon test40 / system:system:type40:s0:c0.c1
|
|
|
|
# test 41:
|
|
# fs: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: type41(b|c)
|
|
# range: unset
|
|
genfscon test41a / system:system:type41a:s0:c0.c1
|
|
genfscon test41b / system:system:type41b:s0:c0.c1
|
|
genfscon test41c / system:system:type41c:s0:c0.c1
|
|
|
|
# test 50:
|
|
# fs: unset
|
|
# filetype: -b
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: unset
|
|
genfscon test50f / -- system:system:system:s0:c0.c4
|
|
genfscon test50b / -b system:system:system:s0:c0.c4
|
|
genfscon test50c / -c system:system:system:s0:c0.c4
|
|
genfscon test50s / -s system:system:system:s0:c0.c4
|
|
genfscon test50l / -l system:system:system:s0:c0.c4
|
|
genfscon test50p / -p system:system:system:s0:c0.c4
|
|
genfscon test50d / -d system:system:system:s0:c0.c4
|
|
|
|
# test 60:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: equal
|
|
genfscon test60 / system:system:system:s0:c1 - s0:c0.c4
|
|
|
|
# test 61:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: overlap
|
|
genfscon test61 / system:system:system:s1:c1 - s1:c1.c3
|
|
|
|
# test 62:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: subset
|
|
genfscon test62 / system:system:system:s2:c1 - s2:c1.c3
|
|
|
|
# test 63:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: superset
|
|
genfscon test63 / system:system:system:s3:c1 - s3:c1.c3
|
|
|
|
# test 64:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: proper subset
|
|
genfscon test64 / system:system:system:s4:c1 - s4:c1.c3
|
|
|
|
# test 65:
|
|
# fs: unset
|
|
# filetype: unset
|
|
# path: unset
|
|
# user: unset
|
|
# role: unset
|
|
# type: unset
|
|
# range: proper superset
|
|
genfscon test65 / system:system:system:s5:c1 - s5:c1.c3
|
|
|
|
portcon tcp 80 system:object_r:system:s0
|
|
|
|
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
|
|
|
|
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
|
|
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
|
|
|