rpms
/
checkpolicy
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
checkpolicy/tests/checkpolicy/policy.conf.from.secilc

144 lines
4.0 KiB
Plaintext
Raw Permalink Blame History

class file
class process
class char
sid kernel
sid security
sid unlabeled
common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
class char inherits file { foo transition }
class process { open }
sensitivity s0 alias sens0;
sensitivity s1;
dominance { s0 s1 }
category c0 alias cat0;
category c1;
category c2;
level s0:c0.c2;
level s1:c0.c2;
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
mlsconstrain file { open } (l1 dom h2);
mlsconstrain file { open } (h1 domby l2);
mlsconstrain file { open } (l1 incomp l2);
mlsvalidatetrans file (h1 domby l2);
attribute foo_type;
attribute bar_type;
attribute baz_type;
attribute exec_type;
type bin_t, bar_type, exec_type;
type kernel_t, foo_type, exec_type, baz_type;
type security_t, baz_type;
type unlabeled_t, baz_type;
type exec_t, baz_type;
type console_t, baz_type;
type auditadm_t, baz_type;
type console_device_t, baz_type;
type user_tty_device_t, baz_type;
type device_t, baz_type;
type getty_t, baz_type;
type a_t, baz_type;
type b_t, baz_type;
typealias bin_t alias sbin_t;
bool secure_mode false;
bool console_login true;
bool b1 false;
role system_r;
role user_r;
role system_r types bin_t;
role system_r types kernel_t;
role system_r types security_t;
role system_r types unlabeled_t;
policycap open_perms;
permissive device_t;
range_transition device_t console_t : file s0:c0 - s1:c0.c1;
type_transition device_t console_t : file console_device_t;
type_member device_t bin_t : file exec_t;
if console_login{
type_change auditadm_t console_device_t : file user_tty_device_t;
}
role_transition system_r bin_t user_r;
auditallow device_t auditadm_t: file { open };
dontaudit device_t auditadm_t: file { read };
allow system_r user_r;
allow console_t console_device_t: char { write setattr };
allow console_t console_device_t: file { open read getattr };
allow foo_type self: file { execute };
allow bin_t device_t: file { execute };
allow bin_t exec_t: file { execute };
allow bin_t bin_t: file { execute };
allow a_t b_t : file { write };
allow console_t console_device_t: file { read write getattr setattr lock append };
allow kernel_t kernel_t : file { execute };
if b1 {
allow a_t b_t : file { read };
}
if secure_mode{
auditallow device_t exec_t: file { read write };
}
if console_login{
allow getty_t console_device_t: file { getattr open read write append };
}
else {
dontaudit getty_t console_device_t: file { getattr open read write append };
}
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
allow bin_t exec_t: file { execute };
}
user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
validatetrans file (t1 == exec_t);
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain file { open } (r1 dom r2);
constrain file { open } (r1 domby r2);
constrain file { open } (r1 incomp r2);
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1
Reference in New Issue View Git Blame Copy Permalink