| # FLASK |
| |
| # |
| # Define the security object classes |
| # |
| |
| # Class declaration order matters: each class takes the next class |
| # value in the order it appears here, and those values must stay in |
| # step with the kernel / object manager that enforces the policy. |
| # The permissions of every class are given in the access vector |
| # section further down. |
| class security |
| class process |
| class system |
| class capability |
| |
| # file-related classes |
| class filesystem |
| class file |
| class dir |
| class fd |
| class lnk_file |
| class chr_file |
| class blk_file |
| class sock_file |
| class fifo_file |
| |
| # network-related classes |
| class socket |
| class tcp_socket |
| class udp_socket |
| class rawip_socket |
| class node |
| class netif |
| class netlink_socket |
| class packet_socket |
| class key_socket |
| class unix_stream_socket |
| class unix_dgram_socket |
| |
| # sysv-ipc-related classes |
| class msg |
| class msgq |
| class shm |
| class ipc |
| |
| # FLASK |
| # FLASK |
| |
| # |
| # Define initial security identifiers |
| # |
| |
| # Initial SID for the kernel itself; its security context is bound |
| # further down in the initial_sid_contexts section. |
| sid kernel |
| |
| |
| # FLASK |
| # |
| # Define common prefixes for access vectors |
| # |
| # common common_name { permission_name ... } |
| |
| |
| # |
| # Define a common prefix for file access vectors. |
| # |
| |
| # Permission set shared by the file-like classes (dir, file, lnk_file, |
| # chr_file, blk_file, sock_file, fifo_file) through "inherits file". |
| # Order matters: the position of a name here is its bit in the |
| # access vector, so additions belong at the end. |
| common file |
| { |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom # object may be relabeled away from this type |
| relabelto # object may be relabeled to this type |
| append |
| unlink |
| link |
| rename |
| execute |
| swapon |
| quotaon |
| mounton # object may be used as a mount point |
| } |
| |
| |
| # |
| # Define a common prefix for socket access vectors. |
| # |
| |
| # Permission set shared by the socket classes. The first ten names |
| # repeat those of "common file" (a common cannot inherit from another |
| # common) so the basic operations keep the same names for both. |
| # Order matters: the position of a name here is its bit in the |
| # access vector. |
| common socket |
| { |
| # inherited from file |
| ioctl |
| read |
| write |
| create |
| getattr |
| setattr |
| lock |
| relabelfrom |
| relabelto |
| append |
| # socket-specific |
| bind |
| connect |
| listen |
| accept |
| getopt |
| setopt |
| shutdown |
| recvfrom |
| sendto |
| recv_msg |
| send_msg |
| name_bind # checked against the label of the port/path being bound |
| } |
| |
| # |
| # Define a common prefix for ipc access vectors. |
| # |
| |
| # Permission set shared by the SysV IPC classes ipc, msgq and shm. |
| # The msg class does not inherit it (see its definition below). |
| common ipc |
| { |
| create |
| destroy |
| getattr |
| setattr |
| read |
| write |
| associate |
| unix_read # the DAC-style read check on the IPC object |
| unix_write # the DAC-style write check on the IPC object |
| } |
| |
| # |
| # Define the access vectors. |
| # |
| # class class_name [ inherits common_name ] { permission_name ... } |
| |
| |
| # |
| # Define the access vector interpretation for file-related objects. |
| # |
| |
| # Permissions on a mounted filesystem as a whole. |
| class filesystem |
| { |
| mount |
| remount |
| unmount |
| getattr |
| relabelfrom |
| relabelto |
| transition |
| associate # files of a given type may reside on this filesystem |
| quotamod |
| quotaget |
| } |
| |
| # Directories: the common file permissions plus name-space operations. |
| class dir |
| inherits file |
| { |
| add_name # create an entry in the directory |
| remove_name # remove an entry from the directory |
| reparent # move a directory under a new parent |
| search # look up a name in the directory |
| rmdir |
| } |
| |
| # Regular files: the common file permissions plus the two checks that |
| # govern exec-based domain transitions. |
| class file |
| inherits file |
| { |
| execute_no_trans # execute without changing domain |
| entrypoint # file may serve as the entry point of a domain transition (see the sysadm_t rule below) |
| } |
| |
| # These classes add nothing beyond the common; a class that only |
| # inherits a common has no body. |
| class lnk_file |
| inherits file |
| |
| class chr_file |
| inherits file |
| |
| class blk_file |
| inherits file |
| |
| class sock_file |
| inherits file |
| |
| class fifo_file |
| inherits file |
| |
| # Open file descriptors: a single check, applied when a descriptor |
| # ends up in a domain other than the one that opened it. |
| class fd |
| { |
| use |
| } |
| |
| |
| # |
| # Define the access vector interpretation for network-related objects. |
| # |
| |
| # Generic socket class: only the common socket permissions. |
| class socket |
| inherits socket |
| |
| # TCP: the common socket permissions plus three connection-oriented |
| # checks (the same three appear on unix_stream_socket below). |
| class tcp_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| } |
| |
| # Connectionless socket classes: only the common socket permissions. |
| class udp_socket |
| inherits socket |
| |
| class rawip_socket |
| inherits socket |
| |
| # Network nodes (peer addresses, labeled by nodecon); per-protocol |
| # send/receive checks against the node label. |
| class node |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| enforce_dest # node-only; its meaning is not evident from this file |
| } |
| |
| # Network interfaces (labeled by netifcon); the same per-protocol |
| # send/receive checks as node, without enforce_dest. |
| class netif |
| { |
| tcp_recv |
| tcp_send |
| udp_recv |
| udp_send |
| rawip_recv |
| rawip_send |
| } |
| |
| # Further socket families: only the common socket permissions. |
| class netlink_socket |
| inherits socket |
| |
| class packet_socket |
| inherits socket |
| |
| class key_socket |
| inherits socket |
| |
| # Stream-oriented Unix domain sockets: the common permissions plus the |
| # same three connection checks as tcp_socket. |
| class unix_stream_socket |
| inherits socket |
| { |
| connectto |
| newconn |
| acceptfrom |
| } |
| |
| # Datagram Unix domain sockets: only the common socket permissions. |
| class unix_dgram_socket |
| inherits socket |
| |
| |
| # |
| # Define the access vector interpretation for process-related objects |
| # |
| |
| # Checks between processes (source and target are both process |
| # domains, or the same domain for self-directed operations). |
| class process |
| { |
| fork |
| transition # change security context on exec; pairs with file execute/entrypoint |
| sigchld # commonly granted from child to parent |
| sigkill # cannot be caught or ignored |
| sigstop # cannot be caught or ignored |
| signull # for kill(pid, 0) |
| signal # all other signals |
| ptrace |
| getsched |
| setsched |
| getsession |
| getpgid |
| setpgid |
| getcap |
| setcap |
| share # NOTE(review): presumably a transition while state is shared with another process; confirm |
| } |
| |
| |
| # |
| # Define the access vector interpretation for ipc-related objects |
| # |
| |
| # Generic SysV IPC class: only the common ipc permissions. |
| class ipc |
| inherits ipc |
| |
| # Message queues: common ipc permissions plus placing a message on the queue. |
| class msgq |
| inherits ipc |
| { |
| enqueue |
| } |
| |
| # Individual message; does not inherit common ipc. |
| class msg |
| { |
| send |
| } |
| |
| # Shared memory segments: common ipc permissions plus locking the |
| # segment in memory. |
| class shm |
| inherits ipc |
| { |
| lock |
| } |
| |
| |
| # |
| # Define the access vector interpretation for the security server. |
| # |
| |
| # Operations against the security server itself (policy load, |
| # context/SID translation, access vector computation) rather than |
| # against a kernel object. |
| class security |
| { |
| compute_av |
| transition_sid |
| member_sid |
| sid_to_context |
| context_to_sid |
| load_policy |
| get_sids |
| change_sid |
| get_user_sids |
| } |
| |
| |
| # |
| # Define the access vector interpretation for system operations. |
| # |
| |
| # Miscellaneous privileged system operations. |
| class system |
| { |
| ipc_info |
| avc_toggle # switching the AVC between enforcing and permissive |
| nfsd_control |
| bdflush |
| syslog_read # syslog(2) read operations |
| syslog_mod # syslog(2) operations that modify the log state |
| syslog_console # syslog(2) console-level operations |
| ichsid |
| } |
| |
| # |
| # Define the access vector interpretation for controlling capabilities |
| # |
| |
| # One permission per POSIX capability; source and target are the |
| # process domain (self). |
| class capability |
| { |
| # The capabilities are defined in include/linux/capability.h |
| # Care should be taken to ensure that these are consistent with |
| # those definitions. (Order matters) |
| # i.e. the bit of each permission must equal the CAP_* number of |
| # the matching capability, so new capabilities are appended at the end. |
| |
| chown |
| dac_override |
| dac_read_search |
| fowner |
| fsetid |
| kill |
| setgid |
| setuid |
| setpcap |
| linux_immutable |
| net_bind_service |
| net_broadcast |
| net_admin |
| net_raw |
| ipc_lock |
| ipc_owner |
| sys_module |
| sys_rawio |
| sys_chroot |
| sys_ptrace |
| sys_pacct |
| sys_admin |
| sys_boot |
| sys_nice |
| sys_resource |
| sys_time |
| sys_tty_config |
| mknod |
| lease |
| } |
| |
| # The whole m4 block below is emitted only when enable_mls is set. |
| ifdef(`enable_mls',` |
| # A single sensitivity. |
| sensitivity s0; |
| |
| # |
| # Define the ordering of the sensitivity levels (least to greatest) |
| # |
| dominance { s0 } |
| |
| |
| # |
| # Define the categories |
| # |
| # Each category has a name and zero or more aliases. |
| # |
| category c0; category c1; category c2; category c3; |
| category c4; category c5; category c6; category c7; |
| category c8; category c9; category c10; category c11; |
| category c12; category c13; category c14; category c15; |
| category c16; category c17; category c18; category c19; |
| category c20; category c21; category c22; category c23; |
| |
| # The one valid level: s0 with every category c0 through c23. |
| level s0:c0.c23; |
| |
| # For the listed file permissions the high level of the subject (h1) |
| # must dominate the high level of the object (h2): no writing to a |
| # file whose level is higher or whose category set is not contained |
| # in that of the subject. |
| mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } |
| ( h1 dom h2 ); |
| ') |
| |
| #################################### |
| #################################### |
| ##################################### |
| # TE RULES |
| attribute domain; # carried by the process types user_t, sysadm_t, system_t |
| attribute system; # carried by sys_foo_t, sysadm_t, system_t |
| attribute foo; # carried by net_foo_t, sys_foo_t, system_t |
| attribute num; # declared but not used in this listing |
| attribute num_exec; # declared but not used in this listing |
| attribute files; # carried by file_exec_t |
| |
| type net_foo_t, foo; |
| type sys_foo_t, foo, system; |
| role system_r; |
| role system_r types sys_foo_t; |
| |
| type user_t, domain; |
| role user_r; |
| role user_r types user_t; |
| |
| type sysadm_t, domain, system; |
| role sysadm_r; |
| role sysadm_r types sysadm_t; |
| |
| type system_t, domain, system, foo; |
| # system_r is declared a second time here (first at the top of this |
| # section); the types statement below adds system_t to its set. |
| role system_r; |
| role system_r types { system_t sys_foo_t }; |
| |
| type file_t; |
| type file_exec_t, files; |
| type fs_t; |
| type base_optional_1; # referenced by the optional block below |
| type base_optional_2; # referenced by the optional block below |
| |
| # NOTE(review): this single rule grants sysadm_t write together with |
| # execute and entrypoint on file_exec_t. Fine for a test policy; in a |
| # deployed policy that pairing lets a domain modify its own entrypoint |
| # binaries and would normally be split across separate types. |
| allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint }; |
| |
| # Applied only if both required types exist in the final policy. Both |
| # are declared above in this same file, so the block is effectively |
| # unconditional here; presumably it exercises optional/require handling. |
| optional { |
| require { |
| type base_optional_1, base_optional_2; |
| } |
| allow base_optional_1 base_optional_2 : file { read write }; |
| } |
| |
| ##################################### |
| # Role Allow |
| # Role allow: a process in user_r may change to sysadm_r. This only |
| # permits the role change; a domain transition to sysadm_t still |
| # needs the corresponding type rules. |
| allow user_r sysadm_r; |
| |
| #################################### |
| # Booleans |
| # Boolean declarations with their default values. No conditional |
| # (if/else) blocks reference them in this listing, so the values |
| # have no effect on the rules shown here. |
| bool allow_ypbind true; |
| bool secure_mode false; |
| bool allow_execheap false; |
| bool allow_execmem true; |
| bool allow_execmod false; |
| bool allow_execstack true; |
| bool optional_bool_1 true; |
| bool optional_bool_2 false; |
| |
| ##################################### |
| # users |
| # gen_user(name, prefix, roles, default level, range): the prefix |
| # argument is left empty. Every user gets default level s0 and the |
| # full range s0 up to s0:c0.c23; the MLS arguments only matter when |
| # enable_mls is set. root is authorized for both user_r and sysadm_r. |
| gen_user(system_u,, system_r, s0, s0 - s0:c0.c23) |
| gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) |
| gen_user(joe,, user_r, s0, s0 - s0:c0.c23) |
| |
| ##################################### |
| # constraints |
| |
| |
| #################################### |
| #line 1 "initial_sid_contexts" |
| |
| # Context for the kernel initial SID declared earlier; gen_context |
| # appends the MLS level s0 only when enable_mls is set. |
| sid kernel gen_context(system_u:system_r:sys_foo_t, s0) |
| |
| |
| ############################################ |
| #line 1 "fs_use" |
| # |
| # These filesystems store per-file labels in extended attributes; the |
| # context given here labels the filesystem object itself (fs_t). |
| fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); |
| fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); |
| fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); |
| |
| |
| # Everything under proc gets a single label, sys_foo_t. |
| genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0) |
| |
| |
| #################################### |
| #line 1 "net_contexts" |
| |
| # The portcon, netifcon and IPv4 nodecon lines are commented out and |
| # kept as examples only; they are not compiled into the policy. |
| #portcon tcp 21 system_u:object_r:net_foo_t:s0 |
| |
| #netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 |
| |
| # |
| #nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 |
| |
| # The only active node statement: the IPv6 loopback address with a |
| # full mask, i.e. exactly one host, labeled net_foo_t. |
| nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0) |
| |
| |
| |
| |