| (type bin_t) |
| (type kernel_t) |
| (type security_t) |
| (type unlabeled_t) |
| (handleunknown allow) |
| (mls true) |
| |
| (policycap open_perms) |
| |
| (category c0) |
| (category c1) |
| (category c2) |
| (category c3) |
| (category c4) |
| (category c5) |
| (categoryalias cat0) |
| (categoryaliasactual cat0 c0) |
| (categoryset cats01 (c0 c1)) |
| (categoryset cats02 (c2 c3)) |
| (categoryset cats03 (range c0 c5)) |
| (categoryset cats04 (not (range c0 c2))) |
| (categoryorder (cat0 c1 c2 c3)) |
| (categoryorder (c3 c4 c5)) |
| |
| (sensitivity s0) |
| (sensitivity s1) |
| (sensitivity s2) |
| (sensitivity s3) |
| (sensitivityalias sens0) |
| (sensitivityaliasactual sens0 s0) |
| (sensitivityorder (s0 s1 s2 s3)) |
| |
| (sensitivitycategory s0 (cats03)) |
| (sensitivitycategory s1 cats01) |
| (sensitivitycategory s1 (c2)) |
| (sensitivitycategory s2 (cats01 cats02)) |
| (sensitivitycategory s2 (range c4 c5)) |
| (sensitivitycategory s3 (range c0 c5)) |
| |
| (level low (s0)) |
| (level high (s3 (range c0 c3))) |
| (levelrange low_high (low high)) |
| (levelrange lh1 ((s0 (c0)) (s2 (c0 c3)))) |
| (levelrange lh2 (low (s2 (c0 c3)))) |
| (levelrange lh3 ((s0 cats04) (s2 (range c0 c5)))) |
| (levelrange lh4 ((s0) (s1))) |
| |
| (block policy |
| (class file (execute_no_trans entrypoint execmod open audit_access a b c d e)) |
| ; order should be: file char b c a dir d e f |
| (classorder (file char)) |
| (classorder (unordered dir)) |
| (classorder (unordered c a b d e f)) |
| (classorder (char b c a)) |
| |
| (common file (ioctl read write create getattr setattr lock relabelfrom |
| relabelto append unlink link rename execute swapon |
| quotaon mounton)) |
| (classcommon file file) |
| |
| (classpermission file_rw) |
| (classpermissionset file_rw (file (read write getattr setattr lock append))) |
| |
| ;;(classpermission loop1) |
| ;;(classpermissionset loop1 ((loop2))) |
| ;;(classpermission loop2) |
| ;;(classpermissionset loop2 ((loop3))) |
| ;;(classpermission loop3) |
| ;;(classpermissionset loop3 ((loop1))) |
| |
| (class char (foo)) |
| (classcommon char file) |
| |
| (class dir ()) |
| (class a ()) |
| (class b ()) |
| (class c ()) |
| (class d ()) |
| (class e ()) |
| (class f ()) |
| (classcommon dir file) |
| |
| (classpermission char_w) |
| (classpermissionset char_w (char (write setattr))) |
| (classpermissionset char_w (file (open read getattr))) |
| |
| (classmap files (read)) |
| (classmapping files read |
| (file (open read getattr))) |
| (classmapping files read |
| char_w) |
| |
| (type auditadm_t) |
| (type console_t) |
| (type console_device_t) |
| (type user_tty_device_t) |
| (type device_t) |
| (type getty_t) |
| (type exec_t) |
| (type bad_t) |
| |
| ;;(allow console_t console_device_t file_rw) |
| (allow console_t console_device_t (files (read))) |
| |
| (permissionx ioctl_test (ioctl files (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F))))) |
| (allowx console_t console_device_t ioctl_test) |
| |
| (boolean secure_mode false) |
| (boolean console_login true) |
| |
| (sid kernel) |
| (sid security) |
| (sid unlabeled) |
| (sidorder (kernel security)) |
| (sidorder (security unlabeled)) |
| |
| (typeattribute exec_type) |
| (typeattribute foo_type) |
| (typeattribute bar_type) |
| (typeattribute baz_type) |
| (typeattribute not_bad_type) |
| (typeattributeset exec_type (or bin_t kernel_t)) |
| (typeattributeset foo_type (and exec_type kernel_t)) |
| (typeattributeset bar_type (xor exec_type foo_type)) |
| (typeattributeset baz_type (not bin_t)) |
| (typeattributeset baz_type (and exec_type (and bar_type bin_t))) |
| (typeattributeset not_bad_type (not bad_t)) |
| (typealias sbin_t) |
| (typealiasactual sbin_t bin_t) |
| (typepermissive device_t) |
| (typemember device_t bin_t file exec_t) |
| (typetransition device_t console_t files console_device_t) |
| |
| (roleattribute exec_role) |
| (roleattribute foo_role) |
| (roleattribute bar_role) |
| (roleattribute baz_role) |
| (roleattribute foo_role_a) |
| (roleattributeset exec_role (or user_r system_r)) |
| (roleattributeset foo_role_a (baz_r user_r system_r)) |
| (roleattributeset foo_role (and exec_role system_r)) |
| (roleattributeset bar_role (xor exec_role foo_role)) |
| (roleattributeset baz_role (not user_r)) |
| |
| (rangetransition device_t console_t file low_high) |
| (rangetransition device_t kernel_t file ((s0) (s3 (not c3)))) |
| |
| (typetransition device_t console_t file "some_file" getty_t) |
| |
| (allow foo_type self (file (execute))) |
| (allow bin_t device_t (file (execute))) |
| |
| ;; Next two rules violate the neverallow rule that follows |
| ;;(allow bad_t not_bad_type (file (execute))) |
| ;;(allow bad_t exec_t (file (execute))) |
| (neverallow bad_t not_bad_type (file (execute))) |
| |
| (booleanif secure_mode |
| (true |
| (auditallow device_t exec_t (file (read write))) |
| ) |
| ) |
| |
| (booleanif console_login |
| (true |
| (typechange auditadm_t console_device_t file user_tty_device_t) |
| (allow getty_t console_device_t (file (getattr open read write append))) |
| ) |
| (false |
| (dontaudit getty_t console_device_t (file (getattr open read write append))) |
| ) |
| ) |
| |
| (booleanif (not (xor (eq secure_mode console_login) |
| (and (or secure_mode console_login) secure_mode ) ) ) |
| (true |
| (allow bin_t exec_t (file (execute))) |
| ) |
| ) |
| |
| (tunable allow_execfile true) |
| (tunable allow_userexec false) |
| |
| (tunableif (not (xor (eq allow_execfile allow_userexec) |
| (and (or allow_execfile allow_userexec) |
| (and allow_execfile allow_userexec) ) ) ) |
| (true |
| (allow bin_t exec_t (file (execute))) |
| ) |
| ) |
| |
| (optional allow_rules |
| (allow user_t exec_t (bins (execute))) |
| ) |
| |
| (dontaudit device_t auditadm_t (file (read))) |
| (auditallow device_t auditadm_t (file (open))) |
| |
| (user system_u) |
| (user user_u) |
| (user foo_u) |
| (userprefix user_u user) |
| (userprefix system_u user) |
| |
| (selinuxuser name user_u low_high) |
| (selinuxuserdefault user_u ((s0 (c0)) (s3 (range c0 c3)))) |
| |
| (role system_r) |
| (role user_r) |
| (role baz_r) |
| |
| (roletype system_r bin_t) |
| (roletype system_r kernel_t) |
| (roletype system_r security_t) |
| (roletype system_r unlabeled_t) |
| (roletype system_r exec_type) |
| (roletype exec_role bin_t) |
| (roletype exec_role exec_type) |
| (roleallow system_r user_r) |
| (roletransition system_r bin_t file user_r) |
| |
| (userrole foo_u foo_role) |
| (userlevel foo_u low) |
| |
| (userattribute ua1) |
| (userattribute ua2) |
| (userattribute ua3) |
| (userattribute ua4) |
| (userattributeset ua1 (user_u system_u)) |
| (userattributeset ua2 (foo_u system_u)) |
| (userattributeset ua3 (and ua1 ua2)) |
| (user u5) |
| (user u6) |
| (userlevel u5 low) |
| (userlevel u6 low) |
| (userrange u5 low_high) |
| (userrange u6 low_high) |
| (userattributeset ua4 (u5 u6)) |
| (userrole ua4 foo_role_a) |
| |
| (userrange foo_u low_high) |
| |
| (userrole system_u system_r) |
| (userlevel system_u low) |
| (userrange system_u low_high) |
| |
| (userrole user_u user_r) |
| (userlevel user_u (s0 (range c0 c2))) |
| (userrange user_u (low high)) |
| |
| (sidcontext kernel (system_u system_r kernel_t ((s0) high))) |
| (sidcontext security (system_u system_r security_t (low (s3 (range c0 c3))))) |
| (sidcontext unlabeled (system_u system_r unlabeled_t (low high))) |
| |
| (context system_u_bin_t_l2h (system_u system_r bin_t (low high))) |
| |
| (ipaddr ip_v4 |
| (ipaddr netmask |
| (ipaddr ip_v6 2001:0DB8:AC10:FE01::) |
| (ipaddr netmask_v6 2001:0DE0:DA88:2222::) |
| |
| (filecon "/usr/bin/foo" file system_u_bin_t_l2h) |
| (filecon "/usr/bin/bar" file (system_u system_r kernel_t (low low))) |
| (filecon "/usr/bin/baz" any ()) |
| (filecon "/usr/bin/aaa" any (system_u system_r kernel_t ((s0) (s3 (range c0 c2))))) |
| (filecon "/usr/bin/bbb" any (system_u system_r kernel_t ((s0 (c0)) high))) |
| (filecon "/usr/bin/ccc" any (system_u system_r kernel_t (low (s3 (cats01))))) |
| (filecon "/usr/bin/ddd" any (system_u system_r kernel_t (low (s3 (cats01 cats02))))) |
| (nodecon ip_v4 netmask system_u_bin_t_l2h) |
| (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h) |
| (portcon udp 25 system_u_bin_t_l2h) |
| (portcon tcp 22 system_u_bin_t_l2h) |
| (portcon dccp (2048 2096) system_u_bin_t_l2h) |
| (portcon sctp (1024 1035) system_u_bin_t_l2h) |
| (genfscon - "/usr/bin" system_u_bin_t_l2h) |
| (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts? |
| (fsuse xattr ext3 system_u_bin_t_l2h) |
| |
| ; XEN |
| (pirqcon 256 system_u_bin_t_l2h) |
| (iomemcon (0 255) system_u_bin_t_l2h) |
| (ioportcon (22 22) system_u_bin_t_l2h) |
| (pcidevicecon 345 system_u_bin_t_l2h) |
| (devicetreecon "/this is/a/path" system_u_bin_t_l2h) |
| |
| ; InfiniBand |
| (ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h) |
| (ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r kernel_t (low (s3 (cats01 cats02))))) |
| (ibendportcon mlx5_0 1 system_u_bin_t_l2h) |
| (ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 cats02))))) |
| |
| (constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2)))) |
| (constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2)))) |
| |
| (constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 ua4) ) ) |
| (constrain (file (open)) (dom r1 r2)) |
| (constrain (file (open)) (domby r1 r2)) |
| (constrain (file (open)) (incomp r1 r2)) |
| |
| (validatetrans file (eq t1 exec_t)) |
| |
| (mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2)))) |
| (mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2))) |
| (mlsconstrain (file (open)) (dom h1 l2)) |
| (mlsconstrain (file (open)) (domby l1 h2)) |
| (mlsconstrain (file (open)) (incomp l1 l2)) |
| |
| (mlsvalidatetrans file (domby l1 h2)) |
| |
| (macro test_mapping ((classpermission cps)) |
| (allow bin_t auditadm_t cps)) |
| |
| (call test_mapping ((file (read)))) |
| (call test_mapping ((files (read)))) |
| (call test_mapping (char_w)) |
| |
| (defaultuser (file char) source) |
| (defaultrole char target) |
| (defaulttype (files) source) |
| (defaultrange (file) target low) |
| (defaultrange (char) source low-high) |
| ) |
| |
| (macro all ((type x)) |
| (allow x bin_t (policy.file (execute))) |
| (allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) |
| ) |
| (call all (bin_t)) |
| |
| (block z |
| (block ba |
| (roletype r t) |
| (blockabstract z.ba))) |
| |
| (block test_ba |
| (blockinherit z.ba) |
| (role r) |
| (type t)) |
| |
| (block bb |
| (type t1) |
| (type t2) |
| (boolean b1 false) |
| (tunable tun1 true) |
| (macro m ((boolean b)) |
| (tunableif tun1 |
| (true |
| (allow t1 t2 (policy.file (write)))) |
| (false |
| (allow t1 t2 (policy.file (execute))))) |
| (booleanif b |
| (true |
| (allow t1 t2 (policy.file (read)))))) |
| |
| (call m (b1)) |
| ) |
| |
| (in bb |
| (tunableif bb.tun1 |
| (true |
| (allow bb.t2 bb.t1 (policy.file (read write execute)))))) |