      1 # FLASK
      2 
      3 #
      4 # Define the security object classes 
      5 #
      6 
# Object class declarations.
# NOTE(review): every class declared here is expected to have a matching
# access-vector definition in the "Define the access vectors" section below
# (all of them do in this file); keep the two lists in step when adding one.
# NOTE(review): declaration order is believed to fix each class number in the
# compiled policy, so append new classes at the end of a group rather than
# reordering existing ones.
class security
class process
class system
class capability

# file-related classes (all inherit common file except filesystem and fd)
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes (node and netif carry their own permission sets;
# the *_socket classes inherit common socket)
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes (msg has its own send/receive set; the others
# inherit common ipc)
class sem
class msg
class msgq
class shm
class ipc
     42 
     43 # FLASK
     44 # FLASK
     45 
     46 #
     47 # Define initial security identifiers 
     48 #
     49 
# Initial SIDs. Only "kernel" is declared in this test policy; its security
# context is bound in the initial_sid_contexts section near the end of the file.
sid kernel
     51 
     52 
     53 # FLASK
     54 #
     55 # Define common prefixes for access vectors
     56 #
     57 # common common_name { permission_name ... }
     58 
     59 
     60 #
     61 # Define a common prefix for file access vectors.
     62 #
     63 
# Shared permission set for the file-like classes. Each class that says
# "inherits file" gets all of these in addition to its own permissions.
# The last three (swapon, quotaon, mounton) control using a file as swap,
# as a quota file, or as a mount point, respectively.
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}
     84 
     85 
     86 #
     87 # Define a common prefix for socket access vectors.
     88 #
     89 
# Shared permission set for the socket classes.
# NOTE(review): the grammar given above for "common" has no inherits clause,
# so the first ten names are a copy of the corresponding common file
# permissions, not a true inheritance. Keep them aligned by hand.
common socket
{
# copied from common file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}
    117 
    118 #
    119 # Define a common prefix for ipc access vectors.
    120 #
    121 
# Shared permission set for the SysV IPC classes (ipc, sem, msgq, shm).
# unix_read / unix_write model the DAC-style read/write checks on an IPC
# object; read / write model the SELinux checks proper.
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
    134 
    135 #
    136 # Define the access vectors.
    137 #
    138 # class class_name [ inherits common_name ] { permission_name ... }
    139 
    140 
    141 #
    142 # Define the access vector interpretation for file-related objects.
    143 #
    144 
# filesystem does not inherit common file: it models operations on a whole
# mounted filesystem (mount, remount, unmount, quota control) and the
# "associate" check that governs which file types may live on it.
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}
    158 
# Directory objects: common file permissions plus the name-space operations
# (adding, removing and moving entries, lookups, and directory removal).
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}
    168 
# Regular files. The class named "file" and the common named "file" are
# separate namespaces, so this is the class inheriting the common.
# execute_no_trans: execute the file without a domain transition.
# entrypoint: the file may serve as the entry point of a new domain.
class file
inherits file
{
	execute_no_trans
	entrypoint
}
    175 
# Special-file classes that add nothing beyond the common file permissions.
class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

# File descriptors: a single permission, checked when a descriptor is
# inherited or passed between domains.
class fd
{
	use
}
    195 
    196 
    197 #
    198 # Define the access vector interpretation for network-related objects.
    199 #
    200 
# Generic socket class: exactly the common socket permissions.
class socket
inherits socket

# TCP adds the per-connection checks between the two endpoint domains.
class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket
    217 
# Network nodes (hosts / address ranges, see nodecon below). Permissions are
# split per protocol and direction; enforce_dest is node-only.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

# Network interfaces: the same per-protocol, per-direction set as node,
# without enforce_dest.
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}
    238 
# Remaining socket families. Only unix_stream_socket adds permissions, and it
# mirrors the tcp_socket connection checks for stream-oriented UNIX sockets.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket
    258 
    259 
    260 #
    261 # Define the access vector interpretation for process-related objects
    262 #
    263 
# Process-to-process checks. The signal permissions are split so that the
# uncatchable signals (sigkill, sigstop) and the parent-notification sigchld
# can be granted independently of ordinary signals.
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}
    283 
    284 
    285 #
    286 # Define the access vector interpretation for ipc-related objects
    287 #
    288 
# SysV IPC classes. ipc, sem, msgq and shm inherit the common ipc set;
# msg (an individual message in a queue) deliberately does not and has
# only send / receive.
class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}
    312 
    313 
    314 #
    315 # Define the access vector interpretation for the security server. 
    316 #
    317 
# Operations against the security server itself. load_policy is the one that
# replaces the running policy; the remainder are query / SID-mapping calls.
class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}
    330 
    331 
    332 #
    333 # Define the access vector interpretation for system operations.
    334 #
    335 
# Miscellaneous system-wide operations. avc_toggle switches the access vector
# cache between enforcing and permissive behaviour; the syslog_* permissions
# split reading the kernel log from modifying it and from console control.
class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}
    347 
    348 #
# Define the access vector interpretation for controlling capabilities
    350 #
    351 
# One permission per Linux capability bit, 29 entries from chown through
# lease, listed in kernel bit order.
class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	# NOTE(review): the position in this list is what maps a policy
	# permission to a capability bit, so inserting or reordering an entry
	# silently changes which capability every later name refers to.
	# Append new capabilities at the end only.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}
    388 
# MLS definitions, emitted by m4 only when the symbol enable_mls is set.
# NOTE(review): everything up to the closing quote is an m4 quoted string,
# so comments inside it must not contain apostrophes or backquotes.
ifdef(`enable_mls',`
# A single sensitivity level.
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
# 24 categories, c0 through c23; the level below and the user ranges later in
# the file all refer to the full set c0.c23.
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

# Write-type operations on class file are allowed only when the high level of
# the subject (h1) dominates the high level of the object (h2), i.e. no
# writing up. Note that this constraint covers only the file class, not dir
# or the other file-like classes, and that read and getattr are not
# constrained at all here.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')
    415 
    416 ####################################
    417 ####################################
    418 #####################################
    419 # TE RULES
# General attributes used by the TE rules below.
# NOTE(review): "system" is both an attribute here and a class above; the two
# live in different namespaces and this file relies on that.
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;
    426 
    427 # Type - attribute mapping test
    428 # Shorthand tests
    429 # 1 = types in base, 2 = types in mod, 3 = types in both
    430 # 4 = types in optional in base, 5 = types in optional in mod
    431 # 6 = types in optional in both
    432 # 7 = types in disabled optional in base
    433 # 8 = types in disabled optional in module
    434 # 9 = types in disabled optional in both
    435 # 10 = types in enabled optional in base, disabled optional in module
    436 # 11 = types in disabled optional in base, enabled optional in module
# One attribute per case of the numbered scheme above; the types mapped to
# each are declared further down, in matching optional blocks where the case
# calls for it.
attribute attr_check_base_1;
attribute attr_check_base_2;
attribute attr_check_base_3;
attribute attr_check_base_4;
attribute attr_check_base_5;
attribute attr_check_base_6;
attribute attr_check_base_7;
attribute attr_check_base_8;
attribute attr_check_base_9;
attribute attr_check_base_10;
attribute attr_check_base_11;
# Enabled only when some module supplies module_t (the "enabled optional in
# base" cases).
optional {
	require {
		type module_t;
	}
	attribute attr_check_base_optional_1;
	attribute attr_check_base_optional_2;
	attribute attr_check_base_optional_3;
	attribute attr_check_base_optional_4;
	attribute attr_check_base_optional_5;
	attribute attr_check_base_optional_6;
	attribute attr_check_base_optional_8;
}
# Never enabled: does_not_exist_t is, by construction, declared nowhere, so the
# expander must drop these attributes (the "disabled optional in base" cases).
optional {
	require {
		type does_not_exist_t;
	}
	attribute attr_check_base_optional_disabled_5;
	attribute attr_check_base_optional_disabled_8;
}
    467 
# Types and roles used by the test. Attributes are attached inline on the
# type declaration.
type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;

# user_t: an ordinary domain reachable only through user_r.
type user_t, domain;
role user_r;
role user_r types user_t;

# sysadm_t: the privileged domain, reachable through sysadm_r.
type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;

# system_t carries all three attributes. This second "role system_r types"
# statement re-lists sys_foo_t and adds system_t to the role.
type system_t, domain, system, foo;
role system_r types { system_t sys_foo_t };

# Object types: plain files, an executable file type, and the filesystem type
# used by the fs_use rules at the end of the file.
type file_t;
type file_exec_t, files;
type fs_t;
type base_optional_1;
type base_optional_2;
    489 
# NOTE(review): this grants write together with execute and entrypoint on the
# same file type, so sysadm_t could modify a file it can also enter as a domain
# entry point. Acceptable as an expander test fixture; in a real policy the
# write permission would normally be kept off the entrypoint type.
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
    491 
# Both required types are declared in this base, so this optional is always
# satisfied and the allow rule is always expanded.
optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}
    498 
    499 # Type - attribute mapping test
# Type - attribute mapping fixtures for the base side of the numbered scheme.
# Each case declares two types: *_1_t attaches the attribute on the type line,
# *_2_t attaches it with a separate typeattribute statement, so both spellings
# are exercised.
type base_t;
type attr_check_base_1_1_t, attr_check_base_1;
type attr_check_base_1_2_t;
typeattribute attr_check_base_1_2_t attr_check_base_1;
type attr_check_base_3_1_t, attr_check_base_3;
type attr_check_base_3_2_t;
typeattribute attr_check_base_3_2_t attr_check_base_3;
# Case 4: the attribute is declared in base, so this optional resolves.
optional {
	require {
		attribute attr_check_base_4;
	}
	type attr_check_base_4_1_t, attr_check_base_4;
	type attr_check_base_4_2_t;
	typeattribute attr_check_base_4_2_t attr_check_base_4;
}
# Case 6: enabled only when a module supplies module_t.
optional {
	require {
		type module_t;
	}
	type attr_check_base_6_1_t, attr_check_base_6;
	type attr_check_base_6_2_t;
	typeattribute attr_check_base_6_2_t attr_check_base_6;
}
# Case 7: requires does_not_exist_t, so this block is always disabled.
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_7_1_t, attr_check_base_7;
	type attr_check_base_7_2_t;
	typeattribute attr_check_base_7_2_t attr_check_base_7;
}
# Case 9: disabled in base (and, per the scheme, also in the module).
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_9_1_t, attr_check_base_9;
	type attr_check_base_9_2_t;
	typeattribute attr_check_base_9_2_t attr_check_base_9;
}
# Case 10: enabled in base (module_t), disabled on the module side.
optional {
	require {
		type module_t;
	}
	type attr_check_base_10_1_t, attr_check_base_10;
	type attr_check_base_10_2_t;
	typeattribute attr_check_base_10_2_t attr_check_base_10;
}
# Case 11: disabled in base, enabled on the module side.
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_11_1_t, attr_check_base_11;
	type attr_check_base_11_2_t;
	typeattribute attr_check_base_11_2_t attr_check_base_11;
}
    555 #optional {
    556 #	require {
    557 #		attribute attr_check_base_optional_4;
    558 #	}
    559 #	type attr_check_base_optional_4_1_t, attr_check_base_optional_4;
    560 #	type attr_check_base_optional_4_2_t;
    561 #	typeattribute attr_check_base_optional_4_2_t attr_check_base_optional_4;
    562 #}
    563 #optional {
    564 #	require {
    565 #		attribute attr_check_base_optional_6;
    566 #	}
    567 #	type attr_check_base_optional_6_1_t, attr_check_base_optional_6;
    568 #	type attr_check_base_optional_6_2_t;
    569 #	typeattribute attr_check_base_optional_6_2_t attr_check_base_optional_6;
    570 #}
# Module-side fixtures: these optionals require attributes that are declared
# in the module, not in this base, so each one is enabled only when the
# matching module is linked in. Blocks that additionally require
# does_not_exist_t can never be enabled, whatever the module provides.
optional {
	require {
		attribute attr_check_mod_4;
	}
	type attr_check_mod_4_1_t, attr_check_mod_4;
	type attr_check_mod_4_2_t;
	typeattribute attr_check_mod_4_2_t attr_check_mod_4;
}
optional {
	require {
		attribute attr_check_mod_6;
	}
	type attr_check_mod_6_1_t, attr_check_mod_6;
	type attr_check_mod_6_2_t;
	typeattribute attr_check_mod_6_2_t attr_check_mod_6;
}
# Always disabled (does_not_exist_t).
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_7;
	}
	type attr_check_mod_7_1_t, attr_check_mod_7;
	type attr_check_mod_7_2_t;
	typeattribute attr_check_mod_7_2_t attr_check_mod_7;
}
# Always disabled (does_not_exist_t).
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_9;
	}
	type attr_check_mod_9_1_t, attr_check_mod_9;
	type attr_check_mod_9_2_t;
	typeattribute attr_check_mod_9_2_t attr_check_mod_9;
}
optional {
	require {
		attribute attr_check_mod_10;
	}
	type attr_check_mod_10_1_t, attr_check_mod_10;
	type attr_check_mod_10_2_t;
	typeattribute attr_check_mod_10_2_t attr_check_mod_10;
}
# Always disabled (does_not_exist_t).
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_11;
	}
	type attr_check_mod_11_1_t, attr_check_mod_11;
	type attr_check_mod_11_2_t;
	typeattribute attr_check_mod_11_2_t attr_check_mod_11;
}
optional {
	require {
		attribute attr_check_mod_optional_4;
	}
	type attr_check_mod_optional_4_1_t, attr_check_mod_optional_4;
	type attr_check_mod_optional_4_2_t;
	typeattribute attr_check_mod_optional_4_2_t attr_check_mod_optional_4;
}
optional {
	require {
		attribute attr_check_mod_optional_6;
	}
	type attr_check_mod_optional_6_1_t, attr_check_mod_optional_6;
	type attr_check_mod_optional_6_2_t;
	typeattribute attr_check_mod_optional_6_2_t attr_check_mod_optional_6;
}
# Always disabled (does_not_exist_t).
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_optional_7;
	}
	type attr_check_mod_optional_7_1_t, attr_check_mod_optional_7;
	type attr_check_mod_optional_7_2_t;
	typeattribute attr_check_mod_optional_7_2_t attr_check_mod_optional_7;
}
optional {
	require {
		attribute attr_check_mod_optional_disabled_4;
	}
	type attr_check_mod_optional_disabled_4_1_t, attr_check_mod_optional_disabled_4;
	type attr_check_mod_optional_disabled_4_2_t;
	typeattribute attr_check_mod_optional_disabled_4_2_t attr_check_mod_optional_disabled_4;
}
# Always disabled (does_not_exist_t).
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_optional_disabled_7;
	}
	type attr_check_mod_optional_disabled_7_1_t, attr_check_mod_optional_disabled_7;
	type attr_check_mod_optional_disabled_7_2_t;
	typeattribute attr_check_mod_optional_disabled_7_2_t attr_check_mod_optional_disabled_7;
}
    664 
    665 #####################################
    666 # Role Allow
# Lets a process in role user_r change to role sysadm_r. NOTE(review): in a
# real policy this is a privilege-escalation path and would be paired with
# constraints on which domains may make the change; here it is a fixture.
allow user_r sysadm_r;
    668 
    669 ####################################
    670 # Booleans
# Booleans with their default values. No conditional rules in this file use
# them; they exist so the expander has booleans to carry through.
# NOTE(review): allow_execmem and allow_execstack default to true here; a
# hardened policy would normally ship these as false.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;
    679 
    680 #####################################
    681 # users
# gen_user(name, prefix, roles, default level, range). The prefix argument is
# left empty for all three users. root may take both user_r and sysadm_r;
# joe is restricted to user_r. Every range is the full s0 - s0:c0.c23 defined
# in the MLS block above.
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
    685 
    686 #####################################
    687 # constraints
    688 
    689 
    690 ####################################
    691 #line 1 "initial_sid_contexts"
    692 
# Context for the single initial SID declared at the top of the file.
sid kernel	gen_context(system_u:system_r:sys_foo_t, s0)
    694 
    695 
    696 ############################################
    697 #line 1 "fs_use"
    698 #
# Filesystems that store labels in extended attributes; fs_t is the label of
# the filesystem object itself.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


# proc is labeled by path; the whole tree gets sys_foo_t.
genfscon proc /				gen_context(system_u:object_r:sys_foo_t, s0)
    705 
    706 
    707 ####################################
    708 #line 1 "net_contexts"
    709 
    710 #portcon tcp 21 system_u:object_r:net_foo_t:s0
    711 
    712 #netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
    713 
    714 #
    715 #nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
    716 
# NOTE(review): the mask FFFF:FFFF:FFFF:FFFF:: covers only the first 64 bits,
# so this rule matches every address in ::/64 (including IPv4-compatible and
# IPv4-mapped forms such as ::ffff:a.b.c.d), not just the loopback host ::1.
# A host-only match would need a full 128-bit mask. Presumably fine for an
# expander fixture, but confirm before reusing this line elsewhere.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
    718 
    719 
    720 
    721 
    722