1# FLASK 2 3# 4# Define the security object classes 5# 6 7class security 8class process 9class system 10class capability 11 12# file-related classes 13class filesystem 14class file 15class dir 16class fd 17class lnk_file 18class chr_file 19class blk_file 20class sock_file 21class fifo_file 22 23# network-related classes 24class socket 25class tcp_socket 26class udp_socket 27class rawip_socket 28class node 29class netif 30class netlink_socket 31class packet_socket 32class key_socket 33class unix_stream_socket 34class unix_dgram_socket 35 36# sysv-ipc-related clases 37class sem 38class msg 39class msgq 40class shm 41class ipc 42 43# FLASK 44# FLASK 45 46# 47# Define initial security identifiers 48# 49 50sid kernel 51 52 53# FLASK 54# 55# Define common prefixes for access vectors 56# 57# common common_name { permission_name ... } 58 59 60# 61# Define a common prefix for file access vectors. 62# 63 64common file 65{ 66 ioctl 67 read 68 write 69 create 70 getattr 71 setattr 72 lock 73 relabelfrom 74 relabelto 75 append 76 unlink 77 link 78 rename 79 execute 80 swapon 81 quotaon 82 mounton 83} 84 85 86# 87# Define a common prefix for socket access vectors. 88# 89 90common socket 91{ 92# inherited from file 93 ioctl 94 read 95 write 96 create 97 getattr 98 setattr 99 lock 100 relabelfrom 101 relabelto 102 append 103# socket-specific 104 bind 105 connect 106 listen 107 accept 108 getopt 109 setopt 110 shutdown 111 recvfrom 112 sendto 113 recv_msg 114 send_msg 115 name_bind 116} 117 118# 119# Define a common prefix for ipc access vectors. 120# 121 122common ipc 123{ 124 create 125 destroy 126 getattr 127 setattr 128 read 129 write 130 associate 131 unix_read 132 unix_write 133} 134 135# 136# Define the access vectors. 137# 138# class class_name [ inherits common_name ] { permission_name ... } 139 140 141# 142# Define the access vector interpretation for file-related objects. 143# 144 145class filesystem 146{ 147 mount 148 remount 149 unmount 150 getattr 151 relabelfrom 152 relabelto 153 transition 154 associate 155 quotamod 156 quotaget 157} 158 159class dir 160inherits file 161{ 162 add_name 163 remove_name 164 reparent 165 search 166 rmdir 167} 168 169class file 170inherits file 171{ 172 execute_no_trans 173 entrypoint 174} 175 176class lnk_file 177inherits file 178 179class chr_file 180inherits file 181 182class blk_file 183inherits file 184 185class sock_file 186inherits file 187 188class fifo_file 189inherits file 190 191class fd 192{ 193 use 194} 195 196 197# 198# Define the access vector interpretation for network-related objects. 199# 200 201class socket 202inherits socket 203 204class tcp_socket 205inherits socket 206{ 207 connectto 208 newconn 209 acceptfrom 210} 211 212class udp_socket 213inherits socket 214 215class rawip_socket 216inherits socket 217 218class node 219{ 220 tcp_recv 221 tcp_send 222 udp_recv 223 udp_send 224 rawip_recv 225 rawip_send 226 enforce_dest 227} 228 229class netif 230{ 231 tcp_recv 232 tcp_send 233 udp_recv 234 udp_send 235 rawip_recv 236 rawip_send 237} 238 239class netlink_socket 240inherits socket 241 242class packet_socket 243inherits socket 244 245class key_socket 246inherits socket 247 248class unix_stream_socket 249inherits socket 250{ 251 connectto 252 newconn 253 acceptfrom 254} 255 256class unix_dgram_socket 257inherits socket 258 259 260# 261# Define the access vector interpretation for process-related objects 262# 263 264class process 265{ 266 fork 267 transition 268 sigchld # commonly granted from child to parent 269 sigkill # cannot be caught or ignored 270 sigstop # cannot be caught or ignored 271 signull # for kill(pid, 0) 272 signal # all other signals 273 ptrace 274 getsched 275 setsched 276 getsession 277 getpgid 278 setpgid 279 getcap 280 setcap 281 share 282} 283 284 285# 286# Define the access vector interpretation for ipc-related objects 287# 288 289class ipc 290inherits ipc 291 292class sem 293inherits ipc 294 295class msgq 296inherits ipc 297{ 298 enqueue 299} 300 301class msg 302{ 303 send 304 receive 305} 306 307class shm 308inherits ipc 309{ 310 lock 311} 312 313 314# 315# Define the access vector interpretation for the security server. 316# 317 318class security 319{ 320 compute_av 321 transition_sid 322 member_sid 323 sid_to_context 324 context_to_sid 325 load_policy 326 get_sids 327 change_sid 328 get_user_sids 329} 330 331 332# 333# Define the access vector interpretation for system operations. 334# 335 336class system 337{ 338 ipc_info 339 avc_toggle 340 nfsd_control 341 bdflush 342 syslog_read 343 syslog_mod 344 syslog_console 345 ichsid 346} 347 348# 349# Define the access vector interpretation for controlling capabilities 350# 351 352class capability 353{ 354 # The capabilities are defined in include/linux/capability.h 355 # Care should be taken to ensure that these are consistent with 356 # those definitions. (Order matters) 357 358 chown 359 dac_override 360 dac_read_search 361 fowner 362 fsetid 363 kill 364 setgid 365 setuid 366 setpcap 367 linux_immutable 368 net_bind_service 369 net_broadcast 370 net_admin 371 net_raw 372 ipc_lock 373 ipc_owner 374 sys_module 375 sys_rawio 376 sys_chroot 377 sys_ptrace 378 sys_pacct 379 sys_admin 380 sys_boot 381 sys_nice 382 sys_resource 383 sys_time 384 sys_tty_config 385 mknod 386 lease 387} 388 389ifdef(`enable_mls',` 390sensitivity s0; 391 392# 393# Define the ordering of the sensitivity levels (least to greatest) 394# 395dominance { s0 } 396 397 398# 399# Define the categories 400# 401# Each category has a name and zero or more aliases. 402# 403category c0; category c1; category c2; category c3; 404category c4; category c5; category c6; category c7; 405category c8; category c9; category c10; category c11; 406category c12; category c13; category c14; category c15; 407category c16; category c17; category c18; category c19; 408category c20; category c21; category c22; category c23; 409 410level s0:c0.c23; 411 412mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } 413 ( h1 dom h2 ); 414') 415 416#################################### 417#################################### 418##################################### 419 420#g_b stands for global base 421 422type g_b_type_1; 423role g_b_role_1 types g_b_type_1; 424 425role g_b_role_2 types g_b_type_1; 426role g_b_role_3 types g_b_type_1; 427type g_b_type_2; 428 429optional { 430 require { 431 type invalid_type; 432 } 433 allow g_b_role_2 g_b_role_3; 434 role_transition g_b_role_2 g_b_type_2 g_b_role_3; 435} 436 437 438gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23) 439 440#################################### 441#line 1 "initial_sid_contexts" 442 443sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0) 444 445 446############################################ 447#line 1 "fs_use" 448# 449fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0); 450fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0); 451fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0); 452 453 454genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0) 455 456 457#################################### 458#line 1 "net_contexts" 459 460#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0 461 462#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0 463 464# 465#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0 466 467nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0) 468 469 470 471 472