# FLASK # # Define the security object classes # class security class process class system class capability # file-related classes class filesystem class file class dir class fd class lnk_file class chr_file class blk_file class sock_file class fifo_file # network-related classes class socket class tcp_socket class udp_socket class rawip_socket class node class netif class netlink_socket class packet_socket class key_socket class unix_stream_socket class unix_dgram_socket # sysv-ipc-related clases class sem class msg class msgq class shm class ipc # FLASK # FLASK # # Define initial security identifiers # sid kernel # FLASK # # Define common prefixes for access vectors # # common common_name { permission_name ... } # # Define a common prefix for file access vectors. # common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } # # Define a common prefix for socket access vectors. # common socket { # inherited from file ioctl read write create getattr setattr lock relabelfrom relabelto append # socket-specific bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind } # # Define a common prefix for ipc access vectors. # common ipc { create destroy getattr setattr read write associate unix_read unix_write } # # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } # # Define the access vector interpretation for file-related objects. # class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget } class dir inherits file { add_name remove_name reparent search rmdir } class file inherits file { execute_no_trans entrypoint } class lnk_file inherits file class chr_file inherits file class blk_file inherits file class sock_file inherits file class fifo_file inherits file class fd { use } # # Define the access vector interpretation for network-related objects. # class socket inherits socket class tcp_socket inherits socket { connectto newconn acceptfrom } class udp_socket inherits socket class rawip_socket inherits socket class node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } class netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send } class netlink_socket inherits socket class packet_socket inherits socket class key_socket inherits socket class unix_stream_socket inherits socket { connectto newconn acceptfrom } class unix_dgram_socket inherits socket # # Define the access vector interpretation for process-related objects # class process { fork transition sigchld # commonly granted from child to parent sigkill # cannot be caught or ignored sigstop # cannot be caught or ignored signull # for kill(pid, 0) signal # all other signals ptrace getsched setsched getsession getpgid setpgid getcap setcap share } # # Define the access vector interpretation for ipc-related objects # class ipc inherits ipc class sem inherits ipc class msgq inherits ipc { enqueue } class msg { send receive } class shm inherits ipc { lock } # # Define the access vector interpretation for the security server. # class security { compute_av transition_sid member_sid sid_to_context context_to_sid load_policy get_sids change_sid get_user_sids } # # Define the access vector interpretation for system operations. # class system { ipc_info avc_toggle nfsd_control bdflush syslog_read syslog_mod syslog_console ichsid } # # Define the access vector interpretation for controlling capabilities # class capability { # The capabilities are defined in include/linux/capability.h # Care should be taken to ensure that these are consistent with # those definitions. (Order matters) chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease } ifdef(`enable_mls',` sensitivity s0; # # Define the ordering of the sensitivity levels (least to greatest) # dominance { s0 } # # Define the categories # # Each category has a name and zero or more aliases. # category c0; category c1; category c2; category c3; category c4; category c5; category c6; category c7; category c8; category c9; category c10; category c11; category c12; category c13; category c14; category c15; category c16; category c17; category c18; category c19; category c20; category c21; category c22; category c23; level s0:c0.c23; mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } ( h1 dom h2 ); ') #################################### #################################### ##################################### #g_b stands for global base type enable_optional; #decorative type for finding this decl, every block should have one type tag_g_b; attribute g_b_attr_1; attribute g_b_attr_2; attribute g_b_attr_3; attribute g_b_attr_4; attribute g_b_attr_5; attribute g_b_attr_6; type g_b_type_1, g_b_attr_1; type g_b_type_2, g_b_attr_2; type g_b_type_3; role g_b_role_1; role g_b_role_2; role g_b_role_3; role g_b_role_4; role g_b_role_1 types g_b_type_1; role g_b_role_2 types g_b_type_2; role g_b_role_3 types g_b_type_2; role g_b_role_4 types g_b_type_2; bool g_b_bool_1 false; bool g_b_bool_2 true; allow g_b_type_1 g_b_type_2 : security { compute_av load_policy }; allow g_b_type_1 g_b_type_2 : file *; # test * allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~ typealias g_b_type_3 alias g_b_alias_1; if (g_b_bool_1) { allow g_b_type_1 g_b_type_2: lnk_file read; } optional { require { type enable_optional; attribute g_m1_attr_2; } type tag_o1_b; attribute o1_b_attr_1; type o1_b_type_1, o1_b_attr_1; bool o1_b_bool_1 true; role o1_b_role_1; role o1_b_role_1 types o1_b_type_1; role o1_b_role_2; role o1_b_role_2 types o1_b_type_1; attribute o1_b_attr_2; type o1_b_type_2, g_m1_attr_2; if (o1_b_bool_1) { allow o1_b_type_1 o1_b_type_2: lnk_file write; } } optional { require { # this should be activated by module 1 type g_m1_type_1; attribute o3_m1_attr_2; } type tag_o2_b; type o2_b_type_1, o3_m1_attr_2; } optional { require { #this block should not come on type invalid_type; } type tag_o3_b; attribute o3_b_attr_1; type o3_b_type_1; bool o3_b_bool_1 true; role o3_b_role_1; role o3_b_role_1 types o3_b_type_1; allow g_b_type_1 invalid_type : sem { create destroy }; } optional { require { # also should be enabled by module 1 type enable_optional; type g_m1_type_1; attribute o3_m1_attr_1; attribute g_m1_attr_3; } type tag_o4_b; attribute o4_b_attr_1; role o4_b_role_1; role o4_b_role_1 types g_m1_type_1; # test for attr declared in module optional, added to in base optional type o4_b_type_1, o3_m1_attr_1; type o4_b_type_2, g_m1_attr_3; } optional { require { attribute g_m1_attr_4; attribute o4_m1_attr_1; } type tag_o5_b; type o5_b_type_1, g_m1_attr_4; type o5_b_type_2, o4_m1_attr_1; } optional { require { type enable_optional; } type tag_o6_b; typealias g_b_type_3 alias g_b_alias_2; } optional { require { type g_m_alias_1; } type tag_o7_b; allow g_m_alias_1 enable_optional:file read; } gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23) gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5) #################################### #line 1 "initial_sid_contexts" sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0) ############################################ #line 1 "fs_use" # fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0); fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0); fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0); genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0) #################################### #line 1 "net_contexts" #portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0 #netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0 # #nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0 nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(g_b_user_1:object_r:g_b_type_1, s0)