      1 # FLASK
      2 
      3 #
      4 # Define the security object classes 
      5 #
      6 
      7 class security
      8 class process
      9 class system
     10 class capability
     11 
     12 # file-related classes
     13 class filesystem
     14 class file
     15 class dir
     16 class fd
     17 class lnk_file
     18 class chr_file
     19 class blk_file
     20 class sock_file
     21 class fifo_file
     22 
     23 # network-related classes
     24 class socket
     25 class tcp_socket
     26 class udp_socket
     27 class rawip_socket
     28 class node
     29 class netif
     30 class netlink_socket
     31 class packet_socket
     32 class key_socket
     33 class unix_stream_socket
     34 class unix_dgram_socket
     35 
     36 # sysv-ipc-related classes
     37 class sem
     38 class msg
     39 class msgq
     40 class shm
     41 class ipc
     42 
     43 # FLASK
     44 # FLASK
     45 
     46 #
     47 # Define initial security identifiers 
     48 #
     49 
     50 sid kernel
     51 
     52 
     53 # FLASK
     54 #
     55 # Define common prefixes for access vectors
     56 #
     57 # common common_name { permission_name ... }
     58 
     59 
     60 #
     61 # Define a common prefix for file access vectors.
     62 #
     63 
     64 common file
     65 {
     66 	ioctl
     67 	read
     68 	write
     69 	create
     70 	getattr
     71 	setattr
     72 	lock
     73 	relabelfrom
     74 	relabelto
     75 	append
     76 	unlink
     77 	link
     78 	rename
     79 	execute
     80 	swapon
     81 	quotaon
     82 	mounton
     83 }
     84 
     85 
     86 #
     87 # Define a common prefix for socket access vectors.
     88 #
     89 
     90 common socket
     91 {
     92 # mirrors the first ten permissions of common file, in the same order
     93 	ioctl
     94 	read
     95 	write
     96 	create
     97 	getattr
     98 	setattr
     99 	lock
    100 	relabelfrom
    101 	relabelto
    102 	append
    103 # socket-specific
    104 	bind
    105 	connect
    106 	listen
    107 	accept
    108 	getopt
    109 	setopt
    110 	shutdown
    111 	recvfrom
    112 	sendto
    113 	recv_msg
    114 	send_msg
    115 	name_bind
    116 }	
    117 
    118 #
    119 # Define a common prefix for ipc access vectors.
    120 #
    121 
    122 common ipc
    123 {
    124 	create
    125 	destroy
    126 	getattr
    127 	setattr
    128 	read
    129 	write
    130 	associate
    131 	unix_read
    132 	unix_write
    133 }
    134 
    135 #
    136 # Define the access vectors.
    137 #
    138 # class class_name [ inherits common_name ] { permission_name ... }
    139 
    140 
    141 #
    142 # Define the access vector interpretation for file-related objects.
    143 #
    144 
    145 class filesystem
    146 {
    147 	mount
    148 	remount
    149 	unmount
    150 	getattr
    151 	relabelfrom
    152 	relabelto
    153 	transition
    154 	associate
    155 	quotamod
    156 	quotaget
    157 }
    158 
    159 class dir
    160 inherits file
    161 {
    162 	add_name
    163 	remove_name
    164 	reparent
    165 	search
    166 	rmdir
    167 }
    168 
    169 class file
    170 inherits file
    171 {
    172 	execute_no_trans
    173 	entrypoint
    174 }
    175 
    176 class lnk_file
    177 inherits file
    178 
    179 class chr_file
    180 inherits file
    181 
    182 class blk_file
    183 inherits file
    184 
    185 class sock_file
    186 inherits file
    187 
    188 class fifo_file
    189 inherits file
    190 
    191 class fd
    192 {
    193 	use
    194 }
    195 
    196 
    197 #
    198 # Define the access vector interpretation for network-related objects.
    199 #
    200 
    201 class socket
    202 inherits socket
    203 
    204 class tcp_socket
    205 inherits socket
    206 {
    207 	connectto
    208 	newconn
    209 	acceptfrom
    210 }
    211 
    212 class udp_socket
    213 inherits socket
    214 
    215 class rawip_socket
    216 inherits socket
    217 
    218 class node 
    219 {
    220 	tcp_recv
    221 	tcp_send
    222 	udp_recv
    223 	udp_send
    224 	rawip_recv
    225 	rawip_send
    226 	enforce_dest
    227 }
    228 
    229 class netif
    230 {
    231 	tcp_recv
    232 	tcp_send
    233 	udp_recv
    234 	udp_send
    235 	rawip_recv
    236 	rawip_send
    237 }
    238 
    239 class netlink_socket
    240 inherits socket
    241 
    242 class packet_socket
    243 inherits socket
    244 
    245 class key_socket
    246 inherits socket
    247 
    248 class unix_stream_socket
    249 inherits socket
    250 {
    251 	connectto
    252 	newconn
    253 	acceptfrom
    254 }
    255 
    256 class unix_dgram_socket
    257 inherits socket
    258 
    259 
    260 #
    261 # Define the access vector interpretation for process-related objects
    262 #
    263 
    264 class process
    265 {
    266 	fork
    267 	transition
    268 	sigchld # commonly granted from child to parent
    269 	sigkill # cannot be caught or ignored
    270 	sigstop # cannot be caught or ignored
    271 	signull # for kill(pid, 0)
    272 	signal  # all other signals
    273 	ptrace
    274 	getsched
    275 	setsched
    276 	getsession
    277 	getpgid
    278 	setpgid
    279 	getcap
    280 	setcap
    281 	share
    282 }
    283 
    284 
    285 #
    286 # Define the access vector interpretation for ipc-related objects
    287 #
    288 
    289 class ipc
    290 inherits ipc
    291 
    292 class sem
    293 inherits ipc
    294 
    295 class msgq
    296 inherits ipc
    297 {
    298 	enqueue
    299 }
    300 
    301 class msg
    302 {
    303 	send
    304 	receive
    305 }
    306 
    307 class shm
    308 inherits ipc
    309 {
    310 	lock
    311 }
    312 
    313 
    314 #
    315 # Define the access vector interpretation for the security server. 
    316 #
    317 
    318 class security
    319 {
    320 	compute_av
    321 	transition_sid
    322 	member_sid
    323 	sid_to_context
    324 	context_to_sid
    325 	load_policy
    326 	get_sids
    327 	change_sid
    328 	get_user_sids
    329 }
    330 
    331 
    332 #
    333 # Define the access vector interpretation for system operations.
    334 #
    335 
    336 class system
    337 {
    338 	ipc_info
    339 	avc_toggle
    340 	nfsd_control
    341 	bdflush
    342 	syslog_read
    343 	syslog_mod
    344 	syslog_console
    345 	ichsid
    346 }
    347 
    348 #
    349 # Define the access vector interpretation for controlling capabilities
    350 #
    351 
    352 class capability
    353 {
    354 	# The capabilities are defined in include/linux/capability.h.
    355 	# Keep these consistent with those definitions, including their
    356 	# order (order matters: each entry's position maps to a capability number).
    357 
    358 	chown           
    359 	dac_override    
    360 	dac_read_search 
    361 	fowner          
    362 	fsetid          
    363 	kill            
    364 	setgid           
    365 	setuid           
    366 	setpcap          
    367 	linux_immutable  
    368 	net_bind_service 
    369 	net_broadcast    
    370 	net_admin        
    371 	net_raw          
    372 	ipc_lock         
    373 	ipc_owner        
    374 	sys_module       
    375 	sys_rawio        
    376 	sys_chroot       
    377 	sys_ptrace       
    378 	sys_pacct        
    379 	sys_admin        
    380 	sys_boot         
    381 	sys_nice         
    382 	sys_resource     
    383 	sys_time         
    384 	sys_tty_config  
    385 	mknod
    386 	lease
    387 }
    388 
    389 ifdef(`enable_mls',`
    390 sensitivity s0;
    391 
    392 #
    393 # Define the ordering of the sensitivity levels (least to greatest)
    394 #
    395 dominance { s0 }
    396 
    397 
    398 #
    399 # Define the categories
    400 #
    401 # Each category has a name and zero or more aliases.
    402 #
    403 category c0; category c1; category c2; category c3;
    404 category c4; category c5; category c6; category c7;
    405 category c8; category c9; category c10; category c11;
    406 category c12; category c13; category c14; category c15;
    407 category c16; category c17; category c18; category c19;
    408 category c20; category c21; category c22; category c23;
    409 
    410 level s0:c0.c23;
    411 
    412 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
    413 	( h1 dom h2 );
    414 ')
    415 
    416 type enable_optional;
    417 
    418 # Alias tests
    419 type alias_check_1_t;
    420 type alias_check_2_t;
    421 type alias_check_3_t;
    422 
    423 typealias alias_check_1_t alias alias_check_1_a;
    424 
    425 optional {
    426 	require {
    427 		type alias_check_2_t;
    428 	}
    429 	typealias alias_check_2_t alias alias_check_2_a;
    430 }
    431 
    432 optional {
    433 	require {
    434 		type alias_check_3_a;
    435 	}
    436 	allow alias_check_3_a enable_optional:file read;
    437 }
    438 
    439 ########
    440 type fs_t;
    441 type system_t;
    442 type user_t;
    443 role system_r;
    444 role user_r;
    445 role sysadm_r;
    446 role system_r types system_t;
    447 role user_r types user_t;
    448 role sysadm_r types system_t;
    449 ####################################
    450 # Booleans
    451 bool allow_ypbind true;
    452 bool secure_mode false;
    453 bool allow_execheap false;
    454 bool allow_execmem true;
    455 bool allow_execmod false;
    456 bool allow_execstack true;
    457 bool optional_bool_1 true;
    458 bool optional_bool_2 false;
    459 
    460 #####################################
    461 # users
    462 gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
    463 gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
    464 gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
    465 
    466 #####################################
    467 # constraints
    468 
    469 
    470 ####################################
    471 #line 1 "initial_sid_contexts"
    472 
    473 sid kernel	gen_context(system_u:system_r:system_t, s0)
    474 
    475 
    476 ############################################
    477 #line 1 "fs_use"
    478 #
    479 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
    480 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
    481 fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
    482 
    483 
    484 genfscon proc /				gen_context(system_u:object_r:system_t, s0)
    485 
    486 
    487 ####################################
    488 #line 1 "net_contexts"
    489 
    490 #portcon tcp 21 system_u:object_r:net_foo_t:s0
    491 
    492 #netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
    493 
    494 #
    495 #nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
    496 
    497 nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0)
    498 
    499 
    500 
    501 
    502