# Object classes used by this test policy. Names are declared first;
# their permission sets are attached after the "common" block below.
class file
class process
class char

# Initial SIDs. Their security contexts are assigned at the end of the
# file, after users, roles and types exist.
sid kernel
sid security
sid unlabeled

# Permissions shared by every class that "inherits file" below.
common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }

# Class-specific permissions added on top of the common set. The separate
# "open" permission is paired with the open_perms policycap declared later.
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
# "foo" and "transition" are permission names specific to this fixture.
class char inherits file { foo transition }
# process does not inherit the common block; it carries only "open".
class process { open }

# MLS configuration: two sensitivities, three categories, and the
# category range each sensitivity may carry.
sensitivity s0 alias sens0;
sensitivity s1;

# Dominance is listed low to high, so s1 dominates s0.
dominance { s0 s1 }

category c0 alias cat0;
category c1;
category c2;

# Both sensitivities may be combined with categories c0 through c2.
level s0:c0.c2;
level s1:c0.c2;

# MLS constraints on file "open". Constraints on the same class/permission
# are cumulative, and this set appears to be unsatisfiable as a whole
# (l1 dom h2 with h1 domby l2 forces l1 == l2, which "l1 incomp l2" then
# rejects). Treat this as a parser/loader fixture, not as a rule set to
# reuse in a real policy.
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
# Same shape as the previous rule but using the symbolic "!=" instead of "neq".
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
mlsconstrain file { open } (l1 dom h2);
mlsconstrain file { open } (h1 domby l2);
mlsconstrain file { open } (l1 incomp l2);

# MLS check applied when a file object's context is changed.
mlsvalidatetrans file (h1 domby l2);

# Type attributes. A type may belong to several attributes at once.
attribute foo_type;
attribute bar_type;
attribute baz_type;
attribute exec_type;

# Types referenced by the initial SID contexts and by the rules below.
# kernel_t is the only member of foo_type in this file, so rules written
# against foo_type apply to kernel_t alone.
type bin_t, bar_type, exec_type;
type kernel_t, foo_type, exec_type, baz_type;
type security_t, baz_type;
type unlabeled_t, baz_type;

# Remaining types, all placed in baz_type. None of these is authorized
# for any role by the "role ... types" statements below, so they exist
# to exercise type/attribute handling rather than to model real domains.
type exec_t, baz_type;
type console_t, baz_type;
type auditadm_t, baz_type;
type console_device_t, baz_type;
type user_tty_device_t, baz_type;
type device_t, baz_type;
type getty_t, baz_type;
type a_t, baz_type;
type b_t, baz_type;

# sbin_t is an alias for bin_t; any rule on bin_t applies to it as well.
typealias bin_t alias sbin_t;

# Booleans driving the conditional blocks further down, with their
# default values. Only console_login defaults to true.
bool secure_mode false;
bool console_login true;
bool b1 false;

# Roles. user_r is declared but never authorized for any type, so no
# valid context can combine user_r with a type from this file; system_r
# is authorized exactly for the four types used in the SID contexts.
role system_r;
role user_r;
role system_r types bin_t; 
role system_r types kernel_t; 
role system_r types security_t; 
role system_r types unlabeled_t; 

# Policy capability that makes the dedicated "open" permission effective.
policycap open_perms;
# device_t is permissive: denials for it are audited but not enforced.
# Acceptable in a test fixture; a permissive domain should never ship in
# a production policy.
permissive device_t;

# Default MLS range for file objects device_t creates on console_t.
range_transition device_t console_t : file s0:c0 - s1:c0.c1;

# Default type for file objects device_t creates on console_t, and a
# type_member rule for device_t on bin_t.
type_transition device_t console_t : file console_device_t;
type_member device_t bin_t : file exec_t;

# type_change rule that exists only while console_login is true.
if console_login{
	type_change auditadm_t console_device_t : file user_tty_device_t;
}

# Role change for system_r on bin_t. No object class is given; checkpolicy
# presumably applies its default class (process) here — confirm if this
# rule is ever relied on beyond parsing.
role_transition system_r bin_t user_r;

# Audit tuning for device_t acting on auditadm_t files: log granted opens,
# suppress audit records for denied reads.
auditallow device_t auditadm_t: file { open };
dontaudit device_t auditadm_t: file { read };

# Role allow pairing with the role_transition above: system_r -> user_r.
allow system_r user_r;

# Unconditional access vector rules. Note that file "open" is also subject
# to the mlsconstrain and constrain statements in this file, so an allow
# rule alone does not make it reachable.
allow console_t console_device_t: char { write setattr };
allow console_t console_device_t: file { open read getattr };
# foo_type contains only kernel_t here, so this is kernel_t executing its own type.
allow foo_type self: file { execute };
allow bin_t device_t: file { execute };
allow bin_t exec_t: file { execute };
allow bin_t bin_t: file { execute };
allow a_t b_t : file { write };
# Broader grant for the same source/target pair as the open/read/getattr
# rule above; the two rules overlap on read and getattr.
allow console_t console_device_t: file { read write getattr setattr lock append };
# Same effect as the "allow foo_type self" rule above, spelled out on the type.
allow kernel_t kernel_t : file { execute };

# Conditional rules keyed on the booleans declared above.
if b1 {
	allow a_t b_t : file { read };
}

if secure_mode{
	auditallow device_t exec_t: file { read write };
}

# getty_t access to console_device_t is granted only while console_login
# is true; when it is false the same permissions are withheld and their
# denials are not audited.
if console_login{
	allow getty_t console_device_t: file { getattr open read write append };
}
else {
	dontaudit getty_t console_device_t: file { getattr open read write append };
}

# Exercises the full conditional-expression grammar (eq, xor, or, and, not).
# Truth-table check over the four boolean combinations: (secure_mode or
# console_login) and secure_mode reduces to secure_mode, and
# not((secure_mode eq console_login) xor secure_mode) is then just
# console_login. The rule inside also duplicates the unconditional
# "allow bin_t exec_t: file { execute }" above, so this block changes no
# access; it is here for the parser.
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
	allow bin_t exec_t: file { execute };
}

# Users. system_u may range from s0:c0 up to s1:c0,c1; user_u is pinned
# to s0:c0. Both default to level s0:c0. Note that user_u's only role,
# user_r, has no authorized types (see the role declarations above).
user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; 
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;

# Non-MLS validatetrans and constraints. "==" is the symbolic form of "eq",
# mirroring the "!=" used in the mlsconstrain section.
validatetrans file (t1 == exec_t);

# Constraint on the char class's "transition" permission, written as a
# bare permission name rather than a braced set.
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
# Three role-relationship constraints on file "open". As with the MLS set,
# dom, domby and incomp on the same pair appear mutually exclusive, so
# these are parser fixtures rather than a meaningful rule set.
constrain file { open } (r1 dom r2);
constrain file { open }	(r1 domby r2);
constrain file { open }	(r1 incomp r2);
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));


# Initial SID contexts. All use system_u:system_r with the MLS range
# s0:c0 - s1:c0,c1, which lies inside system_u's declared range.
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1

# ext3 is labeled from extended attributes; the given context is the
# filesystem's own. bin_t is reused here and for every object below,
# which is fine for a fixture but would be meaningless labeling in practice.
fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;

# Path-based label for /usr/bin on the proc filesystem.
genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1

# Port labels: tcp/22 and udp/25 receive the same context.
portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1

# netifcon <interface> <interface context> <packet context>.
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1

# nodecon <address> <mask> <context>. Neither mask below is a contiguous
# network mask (192.168.1.1, 2001:de0:da88:2222::), so these parse but do
# not describe a usable subnet — fixture data only.
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1