# FLASK
#
# Define the security object classes
#
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
class sem
class msg
class msgq
class shm
class ipc
# FLASK
# FLASK
#
# Define initial security identifiers
#
sid kernel
# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class udp_socket
inherits socket
class rawip_socket
inherits socket
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
transition_sid
member_sid
sid_to_context
context_to_sid
load_policy
get_sids
change_sid
get_user_sids
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
avc_toggle
nfsd_control
bdflush
syslog_read
syslog_mod
syslog_console
ichsid
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
}
ifdef(`enable_mls',`
sensitivity s0;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;
level s0:c0.c23;
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 );
')
####################################
####################################
#####################################
# TE RULES
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;
type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;
type user_t, domain;
role user_r;
role user_r types user_t;
type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;
type system_t, domain, system, foo;
role system_r;
role system_r types { system_t sys_foo_t };
type file_t;
type file_exec_t, files;
type fs_t;
# Make this decl easy to find
type base_global_decl_t;
# Actually used in module tests
type type_req_t;
attribute attr_req;
bool bool_req false;
role role_req_r;
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
optional {
require {
type base_optional_1, base_optional_2;
}
allow base_optional_1 base_optional_2 : file { read write };
}
#####################################
# Role Allow
allow user_r sysadm_r;
####################################
# Booleans
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;
#####################################
# users
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
#####################################
# constraints
####################################
#line 1 "initial_sid_contexts"
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
############################################
#line 1 "fs_use"
#
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
####################################
#line 1 "net_contexts"
#portcon tcp 21 system_u:object_r:net_foo_t:s0
#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)