• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# FLASK
2
3#
4# Define the security object classes
5#
6
7class security
8class process
9class system
10class capability
11
12# file-related classes
13class filesystem
14class file
15class dir
16class fd
17class lnk_file
18class chr_file
19class blk_file
20class sock_file
21class fifo_file
22
23# network-related classes
24class socket
25class tcp_socket
26class udp_socket
27class rawip_socket
28class node
29class netif
30class netlink_socket
31class packet_socket
32class key_socket
33class unix_stream_socket
34class unix_dgram_socket
35
36# sysv-ipc-related clases
37class sem
38class msg
39class msgq
40class shm
41class ipc
42
43# FLASK
44# FLASK
45
46#
47# Define initial security identifiers
48#
49
50sid kernel
51
52
53# FLASK
54#
55# Define common prefixes for access vectors
56#
57# common common_name { permission_name ... }
58
59
60#
61# Define a common prefix for file access vectors.
62#
63
64common file
65{
66	ioctl
67	read
68	write
69	create
70	getattr
71	setattr
72	lock
73	relabelfrom
74	relabelto
75	append
76	unlink
77	link
78	rename
79	execute
80	swapon
81	quotaon
82	mounton
83}
84
85
86#
87# Define a common prefix for socket access vectors.
88#
89
90common socket
91{
92# inherited from file
93	ioctl
94	read
95	write
96	create
97	getattr
98	setattr
99	lock
100	relabelfrom
101	relabelto
102	append
103# socket-specific
104	bind
105	connect
106	listen
107	accept
108	getopt
109	setopt
110	shutdown
111	recvfrom
112	sendto
113	recv_msg
114	send_msg
115	name_bind
116}
117
118#
119# Define a common prefix for ipc access vectors.
120#
121
122common ipc
123{
124	create
125	destroy
126	getattr
127	setattr
128	read
129	write
130	associate
131	unix_read
132	unix_write
133}
134
135#
136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147	mount
148	remount
149	unmount
150	getattr
151	relabelfrom
152	relabelto
153	transition
154	associate
155	quotamod
156	quotaget
157}
158
159class dir
160inherits file
161{
162	add_name
163	remove_name
164	reparent
165	search
166	rmdir
167}
168
169class file
170inherits file
171{
172	execute_no_trans
173	entrypoint
174}
175
176class lnk_file
177inherits file
178
179class chr_file
180inherits file
181
182class blk_file
183inherits file
184
185class sock_file
186inherits file
187
188class fifo_file
189inherits file
190
191class fd
192{
193	use
194}
195
196
197#
198# Define the access vector interpretation for network-related objects.
199#
200
201class socket
202inherits socket
203
204class tcp_socket
205inherits socket
206{
207	connectto
208	newconn
209	acceptfrom
210}
211
212class udp_socket
213inherits socket
214
215class rawip_socket
216inherits socket
217
218class node
219{
220	tcp_recv
221	tcp_send
222	udp_recv
223	udp_send
224	rawip_recv
225	rawip_send
226	enforce_dest
227}
228
229class netif
230{
231	tcp_recv
232	tcp_send
233	udp_recv
234	udp_send
235	rawip_recv
236	rawip_send
237}
238
239class netlink_socket
240inherits socket
241
242class packet_socket
243inherits socket
244
245class key_socket
246inherits socket
247
248class unix_stream_socket
249inherits socket
250{
251	connectto
252	newconn
253	acceptfrom
254}
255
256class unix_dgram_socket
257inherits socket
258
259
260#
261# Define the access vector interpretation for process-related objects
262#
263
264class process
265{
266	fork
267	transition
268	sigchld # commonly granted from child to parent
269	sigkill # cannot be caught or ignored
270	sigstop # cannot be caught or ignored
271	signull # for kill(pid, 0)
272	signal  # all other signals
273	ptrace
274	getsched
275	setsched
276	getsession
277	getpgid
278	setpgid
279	getcap
280	setcap
281	share
282}
283
284
285#
286# Define the access vector interpretation for ipc-related objects
287#
288
289class ipc
290inherits ipc
291
292class sem
293inherits ipc
294
295class msgq
296inherits ipc
297{
298	enqueue
299}
300
301class msg
302{
303	send
304	receive
305}
306
307class shm
308inherits ipc
309{
310	lock
311}
312
313
314#
315# Define the access vector interpretation for the security server.
316#
317
318class security
319{
320	compute_av
321	transition_sid
322	member_sid
323	sid_to_context
324	context_to_sid
325	load_policy
326	get_sids
327	change_sid
328	get_user_sids
329}
330
331
332#
333# Define the access vector interpretation for system operations.
334#
335
336class system
337{
338	ipc_info
339	avc_toggle
340	nfsd_control
341	bdflush
342	syslog_read
343	syslog_mod
344	syslog_console
345	ichsid
346}
347
348#
349# Define the access vector interpretation for controlling capabilities
350#
351
352class capability
353{
354	# The capabilities are defined in include/linux/capability.h
355	# Care should be taken to ensure that these are consistent with
356	# those definitions. (Order matters)
357
358	chown
359	dac_override
360	dac_read_search
361	fowner
362	fsetid
363	kill
364	setgid
365	setuid
366	setpcap
367	linux_immutable
368	net_bind_service
369	net_broadcast
370	net_admin
371	net_raw
372	ipc_lock
373	ipc_owner
374	sys_module
375	sys_rawio
376	sys_chroot
377	sys_ptrace
378	sys_pacct
379	sys_admin
380	sys_boot
381	sys_nice
382	sys_resource
383	sys_time
384	sys_tty_config
385	mknod
386	lease
387}
388
389ifdef(`enable_mls',`
390sensitivity s0;
391
392#
393# Define the ordering of the sensitivity levels (least to greatest)
394#
395dominance { s0 }
396
397
398#
399# Define the categories
400#
401# Each category has a name and zero or more aliases.
402#
403category c0; category c1; category c2; category c3;
404category c4; category c5; category c6; category c7;
405category c8; category c9; category c10; category c11;
406category c12; category c13; category c14; category c15;
407category c16; category c17; category c18; category c19;
408category c20; category c21; category c22; category c23;
409
410level s0:c0.c23;
411
412mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
413	( h1 dom h2 );
414')
415
416####################################
417####################################
418#####################################
419# TE RULES
420attribute domain;
421attribute system;
422attribute foo;
423attribute num;
424attribute num_exec;
425attribute files;
426
427# Type - attribute mapping test
428# Shorthand tests
429# 1 = types in base, 2 = types in mod, 3 = types in both
430# 4 = types in optional in base, 5 = types in optional in mod
431# 6 = types in optional in both
432# 7 = types in disabled optional in base
433# 8 = types in disabled optional in module
434# 9 = types in disabled optional in both
435# 10 = types in enabled optional in base, disabled optional in module
436# 11 = types in disabled optional in base, enabled optional in module
437attribute attr_check_base_1;
438attribute attr_check_base_2;
439attribute attr_check_base_3;
440attribute attr_check_base_4;
441attribute attr_check_base_5;
442attribute attr_check_base_6;
443attribute attr_check_base_7;
444attribute attr_check_base_8;
445attribute attr_check_base_9;
446attribute attr_check_base_10;
447attribute attr_check_base_11;
448optional {
449	require {
450		type module_t;
451	}
452	attribute attr_check_base_optional_1;
453	attribute attr_check_base_optional_2;
454	attribute attr_check_base_optional_3;
455	attribute attr_check_base_optional_4;
456	attribute attr_check_base_optional_5;
457	attribute attr_check_base_optional_6;
458	attribute attr_check_base_optional_8;
459}
460optional {
461	require {
462		type does_not_exist_t;
463	}
464	attribute attr_check_base_optional_disabled_5;
465	attribute attr_check_base_optional_disabled_8;
466}
467
468type net_foo_t, foo;
469type sys_foo_t, foo, system;
470role system_r;
471role system_r types sys_foo_t;
472
473type user_t, domain;
474role user_r;
475role user_r types user_t;
476
477type sysadm_t, domain, system;
478role sysadm_r;
479role sysadm_r types sysadm_t;
480
481type system_t, domain, system, foo;
482role system_r types { system_t sys_foo_t };
483
484type file_t;
485type file_exec_t, files;
486type fs_t;
487type base_optional_1;
488type base_optional_2;
489
490allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
491
492optional {
493	require {
494		type base_optional_1, base_optional_2;
495	}
496	allow base_optional_1 base_optional_2 : file { read write };
497}
498
499# Type - attribute mapping test
500type base_t;
501type attr_check_base_1_1_t, attr_check_base_1;
502type attr_check_base_1_2_t;
503typeattribute attr_check_base_1_2_t attr_check_base_1;
504type attr_check_base_3_1_t, attr_check_base_3;
505type attr_check_base_3_2_t;
506typeattribute attr_check_base_3_2_t attr_check_base_3;
507optional {
508	require {
509		attribute attr_check_base_4;
510	}
511	type attr_check_base_4_1_t, attr_check_base_4;
512	type attr_check_base_4_2_t;
513	typeattribute attr_check_base_4_2_t attr_check_base_4;
514}
515optional {
516	require {
517		type module_t;
518	}
519	type attr_check_base_6_1_t, attr_check_base_6;
520	type attr_check_base_6_2_t;
521	typeattribute attr_check_base_6_2_t attr_check_base_6;
522}
523optional {
524	require {
525		type does_not_exist_t;
526	}
527	type attr_check_base_7_1_t, attr_check_base_7;
528	type attr_check_base_7_2_t;
529	typeattribute attr_check_base_7_2_t attr_check_base_7;
530}
531optional {
532	require {
533		type does_not_exist_t;
534	}
535	type attr_check_base_9_1_t, attr_check_base_9;
536	type attr_check_base_9_2_t;
537	typeattribute attr_check_base_9_2_t attr_check_base_9;
538}
539optional {
540	require {
541		type module_t;
542	}
543	type attr_check_base_10_1_t, attr_check_base_10;
544	type attr_check_base_10_2_t;
545	typeattribute attr_check_base_10_2_t attr_check_base_10;
546}
547optional {
548	require {
549		type does_not_exist_t;
550	}
551	type attr_check_base_11_1_t, attr_check_base_11;
552	type attr_check_base_11_2_t;
553	typeattribute attr_check_base_11_2_t attr_check_base_11;
554}
555#optional {
556#	require {
557#		attribute attr_check_base_optional_4;
558#	}
559#	type attr_check_base_optional_4_1_t, attr_check_base_optional_4;
560#	type attr_check_base_optional_4_2_t;
561#	typeattribute attr_check_base_optional_4_2_t attr_check_base_optional_4;
562#}
563#optional {
564#	require {
565#		attribute attr_check_base_optional_6;
566#	}
567#	type attr_check_base_optional_6_1_t, attr_check_base_optional_6;
568#	type attr_check_base_optional_6_2_t;
569#	typeattribute attr_check_base_optional_6_2_t attr_check_base_optional_6;
570#}
571optional {
572	require {
573		attribute attr_check_mod_4;
574	}
575	type attr_check_mod_4_1_t, attr_check_mod_4;
576	type attr_check_mod_4_2_t;
577	typeattribute attr_check_mod_4_2_t attr_check_mod_4;
578}
579optional {
580	require {
581		attribute attr_check_mod_6;
582	}
583	type attr_check_mod_6_1_t, attr_check_mod_6;
584	type attr_check_mod_6_2_t;
585	typeattribute attr_check_mod_6_2_t attr_check_mod_6;
586}
587optional {
588	require {
589		type does_not_exist_t;
590		attribute attr_check_mod_7;
591	}
592	type attr_check_mod_7_1_t, attr_check_mod_7;
593	type attr_check_mod_7_2_t;
594	typeattribute attr_check_mod_7_2_t attr_check_mod_7;
595}
596optional {
597	require {
598		type does_not_exist_t;
599		attribute attr_check_mod_9;
600	}
601	type attr_check_mod_9_1_t, attr_check_mod_9;
602	type attr_check_mod_9_2_t;
603	typeattribute attr_check_mod_9_2_t attr_check_mod_9;
604}
605optional {
606	require {
607		attribute attr_check_mod_10;
608	}
609	type attr_check_mod_10_1_t, attr_check_mod_10;
610	type attr_check_mod_10_2_t;
611	typeattribute attr_check_mod_10_2_t attr_check_mod_10;
612}
613optional {
614	require {
615		type does_not_exist_t;
616		attribute attr_check_mod_11;
617	}
618	type attr_check_mod_11_1_t, attr_check_mod_11;
619	type attr_check_mod_11_2_t;
620	typeattribute attr_check_mod_11_2_t attr_check_mod_11;
621}
622optional {
623	require {
624		attribute attr_check_mod_optional_4;
625	}
626	type attr_check_mod_optional_4_1_t, attr_check_mod_optional_4;
627	type attr_check_mod_optional_4_2_t;
628	typeattribute attr_check_mod_optional_4_2_t attr_check_mod_optional_4;
629}
630optional {
631	require {
632		attribute attr_check_mod_optional_6;
633	}
634	type attr_check_mod_optional_6_1_t, attr_check_mod_optional_6;
635	type attr_check_mod_optional_6_2_t;
636	typeattribute attr_check_mod_optional_6_2_t attr_check_mod_optional_6;
637}
638optional {
639	require {
640		type does_not_exist_t;
641		attribute attr_check_mod_optional_7;
642	}
643	type attr_check_mod_optional_7_1_t, attr_check_mod_optional_7;
644	type attr_check_mod_optional_7_2_t;
645	typeattribute attr_check_mod_optional_7_2_t attr_check_mod_optional_7;
646}
647optional {
648	require {
649		attribute attr_check_mod_optional_disabled_4;
650	}
651	type attr_check_mod_optional_disabled_4_1_t, attr_check_mod_optional_disabled_4;
652	type attr_check_mod_optional_disabled_4_2_t;
653	typeattribute attr_check_mod_optional_disabled_4_2_t attr_check_mod_optional_disabled_4;
654}
655optional {
656	require {
657		type does_not_exist_t;
658		attribute attr_check_mod_optional_disabled_7;
659	}
660	type attr_check_mod_optional_disabled_7_1_t, attr_check_mod_optional_disabled_7;
661	type attr_check_mod_optional_disabled_7_2_t;
662	typeattribute attr_check_mod_optional_disabled_7_2_t attr_check_mod_optional_disabled_7;
663}
664
665#####################################
666# Role Allow
667allow user_r sysadm_r;
668
669####################################
670# Booleans
671bool allow_ypbind true;
672bool secure_mode false;
673bool allow_execheap false;
674bool allow_execmem true;
675bool allow_execmod false;
676bool allow_execstack true;
677bool optional_bool_1 true;
678bool optional_bool_2 false;
679
680#####################################
681# users
682gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
683gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
684gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
685
686#####################################
687# constraints
688
689
690####################################
691#line 1 "initial_sid_contexts"
692
693sid kernel	gen_context(system_u:system_r:sys_foo_t, s0)
694
695
696############################################
697#line 1 "fs_use"
698#
699fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
700fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
701fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
702
703
704genfscon proc /				gen_context(system_u:object_r:sys_foo_t, s0)
705
706
707####################################
708#line 1 "net_contexts"
709
710#portcon tcp 21 system_u:object_r:net_foo_t:s0
711
712#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
713
714#
715#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
716
717nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)
718
719
720
721
722