# FLASK # # Define the security object classes # class security class process class system class capability # file-related classes class filesystem class file class dir class fd class lnk_file class chr_file class blk_file class sock_file class fifo_file # network-related classes class socket class tcp_socket class udp_socket class rawip_socket class node class netif class netlink_socket class packet_socket class key_socket class unix_stream_socket class unix_dgram_socket # sysv-ipc-related clases class msg class msgq class shm class ipc # FLASK # FLASK # # Define initial security identifiers # sid kernel # FLASK # # Define common prefixes for access vectors # # common common_name { permission_name ... } # # Define a common prefix for file access vectors. # common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } # # Define a common prefix for socket access vectors. # common socket { # inherited from file ioctl read write create getattr setattr lock relabelfrom relabelto append # socket-specific bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind } # # Define a common prefix for ipc access vectors. # common ipc { create destroy getattr setattr read write associate unix_read unix_write } # # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } # # Define the access vector interpretation for file-related objects. # class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget } class dir inherits file { add_name remove_name reparent search rmdir } class file inherits file { execute_no_trans entrypoint } class lnk_file inherits file class chr_file inherits file class blk_file inherits file class sock_file inherits file class fifo_file inherits file class fd { use } # # Define the access vector interpretation for network-related objects. # class socket inherits socket class tcp_socket inherits socket { connectto newconn acceptfrom } class udp_socket inherits socket class rawip_socket inherits socket class node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } class netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send } class netlink_socket inherits socket class packet_socket inherits socket class key_socket inherits socket class unix_stream_socket inherits socket { connectto newconn acceptfrom } class unix_dgram_socket inherits socket # # Define the access vector interpretation for process-related objects # class process { fork transition sigchld # commonly granted from child to parent sigkill # cannot be caught or ignored sigstop # cannot be caught or ignored signull # for kill(pid, 0) signal # all other signals ptrace getsched setsched getsession getpgid setpgid getcap setcap share } # # Define the access vector interpretation for ipc-related objects # class ipc inherits ipc class msgq inherits ipc { enqueue } class msg { send } class shm inherits ipc { lock } # # Define the access vector interpretation for the security server. # class security { compute_av transition_sid member_sid sid_to_context context_to_sid load_policy get_sids change_sid get_user_sids } # # Define the access vector interpretation for system operations. # class system { ipc_info avc_toggle nfsd_control bdflush syslog_read syslog_mod syslog_console ichsid } # # Define the access vector interpretation for controlling capabilities # class capability { # The capabilities are defined in include/linux/capability.h # Care should be taken to ensure that these are consistent with # those definitions. (Order matters) chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease } ifdef(`enable_mls',` sensitivity s0; # # Define the ordering of the sensitivity levels (least to greatest) # dominance { s0 } # # Define the categories # # Each category has a name and zero or more aliases. # category c0; category c1; category c2; category c3; category c4; category c5; category c6; category c7; category c8; category c9; category c10; category c11; category c12; category c13; category c14; category c15; category c16; category c17; category c18; category c19; category c20; category c21; category c22; category c23; level s0:c0.c23; mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } ( h1 dom h2 ); ') #################################### #################################### ##################################### # TE RULES attribute domain; attribute system; attribute foo; attribute num; attribute num_exec; attribute files; type net_foo_t, foo; type sys_foo_t, foo, system; role system_r; role system_r types sys_foo_t; type user_t, domain; role user_r; role user_r types user_t; type sysadm_t, domain, system; role sysadm_r; role sysadm_r types sysadm_t; type system_t, domain, system, foo; role system_r; role system_r types { system_t sys_foo_t }; type file_t; type file_exec_t, files; type fs_t; type base_optional_1; type base_optional_2; allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint }; optional { require { type base_optional_1, base_optional_2; } allow base_optional_1 base_optional_2 : file { read write }; } ##################################### # Role Allow allow user_r sysadm_r; #################################### # Booleans bool allow_ypbind true; bool secure_mode false; bool allow_execheap false; bool allow_execmem true; bool allow_execmod false; bool allow_execstack true; bool optional_bool_1 true; bool optional_bool_2 false; ##################################### # users gen_user(system_u,, system_r, s0, s0 - s0:c0.c23) gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) gen_user(joe,, user_r, s0, s0 - s0:c0.c23) ##################################### # constraints #################################### #line 1 "initial_sid_contexts" sid kernel gen_context(system_u:system_r:sys_foo_t, s0) ############################################ #line 1 "fs_use" # fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0) #################################### #line 1 "net_contexts" #portcon tcp 21 system_u:object_r:net_foo_t:s0 #netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 # #nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)