class process
class blk_file
class chr_file
class dir
class fifo_file
class file
class lnk_file
class sock_file
# Object classes referenced by the policy; only process and file receive permissions (see the access vectors below).
sid kernel
sid security
sid unlabeled
sid file
sid port
sid netif
sid netmsg
sid node
sid devnull
# Initial SIDs; their contexts are assigned after the tests (see the sys_* block at the end of the file).
class process { dyntransition transition }
class file { getattr ioctl open read write }
# Access vectors: only the permissions the assertions below reference.
ifdef(`enable_mls',`
sensitivity s0;
dominance { s0 }
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;
# Categories c0..c23 back the s0:c0.c23 range given to sys_user below.
level s0:c0.c23;
# Single sensitivity; the constraint on file write compares high levels only (h1 dom h2).
mlsconstrain file { write } ( h1 dom h2 );
')
# The MLS block above is emitted only when the m4 symbol enable_mls is defined.
# NOTE(review): assertion diagnostics normally cite policy line numbers; if a harness matches on them, keep this file's line layout stable (notes here use existing blank lines or trailing comments only).
########################################
#
# Test start
#
########################################
# Each test grants access with allow/allowxperm rules and then asserts a neverallow/neverallowxperm
# that is expected to be reported as violated, unless the assertion is marked "# nofail".
## Test 1 (basic)
# read is granted below, so the assertion is violated.
type test1_t;
allow test1_t test1_t : file { read write };
neverallow test1_t test1_t : file read;


## Test 2 (wildcard permission)
# "*" covers every file permission, including the granted read and write.
type test2_t;
allow test2_t test2_t : file { read write };
neverallow test2_t test2_t : file *;


## Test 3 (complement permission)
# ~{ write } is every file permission except write; read is in that set and is granted.
type test3_t;
allow test3_t test3_t : file { read write };
neverallow test3_t test3_t : file ~{ write };


## Test 4 (wildcard source)
# "*" as source matches every type, including test4_t.
type test4_t;
allow test4_t test4_t : file { read write };
neverallow * test4_t : file read;


## Test 5 (wildcard target)
# "*" as target matches every type, including test5_t.
type test5_t;
allow test5_t test5_t : file { read write };
neverallow test5_t * : file read;


## Test 6 (complement source)
# ~{ test6_2_t } is every type other than test6_2_t, so it includes test6_1_t, whose self read is granted.
type test6_1_t;
type test6_2_t;
allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : file { read write };
neverallow ~{ test6_2_t } test6_1_t : file read;


## Test 7 (complement target)
# ~{ test7_2_t } as target includes test7_1_t; test7_1_t -> test7_1_t read is granted.
type test7_1_t;
type test7_2_t;
allow { test7_1_t test7_2_t } { test7_1_t test7_2_t } : file { read write };
neverallow test7_1_t ~{ test7_2_t } : file read;


## Test 8 (source attribute)
# The attribute source expands to test8_t; read is granted via the attribute and write directly on the type.
attribute test8_a;
type test8_t, test8_a;
allow test8_a test8_a : file read;
allow test8_t test8_t : file write;
neverallow test8_a test8_t : file { read write };


## Test 9 (target attribute)
# Mirror of test 8 with the attribute on the target side of the assertion.
attribute test9_a;
type test9_t, test9_a;
allow test9_a test9_a : file read;
allow test9_t test9_t : file write;
neverallow test9_t test9_a : file { read write };


## Test 10 (self)
# "self" with an attribute source pairs each member type with itself; test10_1_t is the only member of test10_a and its self read is granted. test10_2_t is outside the attribute and is not asserted.
attribute test10_a;
type test10_1_t, test10_a;
type test10_2_t;
allow { test10_1_t test10_2_t } { test10_1_t test10_2_t } : file read;
neverallow test10_a self : file *;


## Test 11 (wildcard)
# Fully wildcarded assertion on the process class; test11_t's self rule violates it.
type test11_t;
allow test11_t self : process *;
neverallow * * : process *;


## Test 12 (complement attributes)
# Complemented sets on both sides; each attribute holds exactly one type, so the complements expand to the other test12 types (plus every unrelated type), all covered by the allow on file *.
attribute test12_1_a;
attribute test12_2_a;
attribute test12_3_a;
type test12_1_t, test12_1_a;
type test12_2_t, test12_2_a;
type test12_3_t, test12_3_a;
allow { test12_1_a test12_2_a test12_3_a } { test12_1_a test12_2_a test12_3_a } : file *;
neverallow ~{ test12_1_a test12_2_t } ~{ test12_3_a } : file getattr;
neverallow ~{ test12_1_a } ~{ test12_2_a test12_3_t } : file open;


## Test 13 (excludes)
# Removing test13_2_a/test13_3_t from the source and test13_2_t/test13_3_a from the target leaves test13_1_t on both sides (each attribute holds one type); its self read is granted.
attribute test13_1_a;
attribute test13_2_a;
attribute test13_3_a;
type test13_1_t, test13_1_a;
type test13_2_t, test13_2_a;
type test13_3_t, test13_3_a;
allow { test13_1_a test13_2_a test13_3_a } { test13_1_a test13_2_a test13_3_a } : file { read write };
neverallow { test13_1_a test13_2_a test13_3_a -test13_2_a -test13_3_t } { test13_1_a test13_2_a test13_3_a -test13_2_t -test13_3_a } : file read;


## Test 14 (misc avrules)
# auditallow, dontaudit and type_transition do not grant access, so neither assertion here has an allow rule to be violated by.
type test14_t;
auditallow test14_t test14_t : file read;
dontaudit test14_t test14_t : file write;
neverallow test14_t test14_t : file { read write }; # NOTE(review): no allow backs this - presumably also nofail like the assertion below; confirm against the expected results
type_transition test14_t test14_t : file test14_t;
type_transition test14_t test14_t : file test14_t "objname";
neverallow test14_t test14_t : file *; # nofail


## Test 15 (extended permissions - standard allow)
# A plain allow of ioctl with no allowxperm rule permits every ioctl command, so 0x1111 is covered.
type test15_t;
allow test15_t self : file ioctl;
neverallowxperm test15_t self : file ioctl 0x1111;


## Test 16 (extended permissions - allowxperm)
# The allowxperm grants exactly the asserted command.
type test16_t;
allow test16_t self : file ioctl;
allowxperm test16_t self : file ioctl 0x1111;
neverallowxperm test16_t self : file ioctl 0x1111;


## Test 17 (extended permissions - allowxperm mismatch)
# The granted command (0x1111) and the asserted one (0x2222) do not overlap, hence nofail.
type test17_t;
allow test17_t self : file ioctl;
allowxperm test17_t self : file ioctl 0x1111;
neverallowxperm test17_t self : file ioctl 0x2222; # nofail


## Test 18 (extended permissions - allowxperm range I)
# The asserted command lies inside the granted range.
type test18_t;
allow test18_t self : file ioctl;
allowxperm test18_t self : file ioctl { 0x1100-0x1300 };
neverallowxperm test18_t self : file ioctl 0x1111;


## Test 19 (extended permissions - allowxperm range II)
# The granted command lies inside the asserted range.
type test19_t;
allow test19_t self : file ioctl;
allowxperm test19_t self : file ioctl 0x1111;
neverallowxperm test19_t self : file ioctl { 0x1100-0x1300 };


## Test 20 (extended permissions - misc targets I)
# Tests 20-25 vary how the allowxperm names its source/target relative to an attribute-sourced "self" assertion; in each, test2N_t is the sole member of test2N_a.
attribute test20_a;
type test20_t, test20_a;

allow test20_a test20_a : file ioctl;
allowxperm test20_a test20_a : file ioctl 0x1111;
neverallowxperm test20_a self : file ioctl 0x1111;


## Test 21 (extended permissions - misc targets II)
# test21_t carries both attributes, so the allowxperm from test21_1_a to test21_2_a is a test21_t -> test21_t grant.
attribute test21_1_a;
attribute test21_2_a;
type test21_t, test21_1_a, test21_2_a;

allow test21_1_a test21_1_a : file ioctl;
allowxperm test21_1_a test21_2_a : file ioctl 0x1111;
neverallowxperm test21_1_a self : file ioctl 0x1111;


## Test 22 (extended permissions - misc targets III)
# Granted on the type with "self"; asserted via the attribute.
attribute test22_a;
type test22_t, test22_a;

allow test22_a test22_a : file ioctl;
allowxperm test22_t self : file ioctl 0x1111;
neverallowxperm test22_a self : file ioctl 0x1111;


## Test 23 (extended permissions - misc targets IV)
# Granted type-to-type; asserted via the attribute with "self".
attribute test23_a;
type test23_t, test23_a;

allow test23_a test23_a : file ioctl;
allowxperm test23_t test23_t : file ioctl 0x1111;
neverallowxperm test23_a self : file ioctl 0x1111;


## Test 24 (extended permissions - misc targets V)
# Granted from the type to the attribute; asserted via the attribute with "self".
attribute test24_a;
type test24_t, test24_a;

allow test24_a test24_a : file ioctl;
allowxperm test24_t test24_a : file ioctl 0x1111;
neverallowxperm test24_a self : file ioctl 0x1111;


## Test 25 (extended permissions - misc targets VI)
# Granted and asserted through the attribute with "self".
attribute test25_a;
type test25_t, test25_a;

allow test25_a test25_a : file ioctl;
allowxperm test25_a self : file ioctl 0x1111;
neverallowxperm test25_a self : file ioctl 0x1111;


## Test 26 (extended permissions - assert twice)
# The attribute target expands to both member types, so the single assertion is violated twice (test26_1_t -> test26_1_t and test26_1_t -> test26_2_t).
attribute test26_a;
type test26_1_t, test26_a;
type test26_2_t, test26_a;
allow test26_a test26_a : file ioctl;
allowxperm test26_a test26_a : file ioctl 0x1111;
neverallowxperm test26_1_t test26_a : file ioctl 0x1111;


########################################
#
# Test End
#
########################################
# Minimal user/role/type and initial-SID labels so the policy compiles; gen_user and gen_context are m4 macros supplied by the build (not defined in this file).
# NOTE(review): the level/range arguments only make sense under enable_mls; presumably the macros drop them when MLS is off (refpolicy-style) - confirm.
type sys_isid;
role sys_role;
role sys_role types sys_isid;
gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)
sid kernel gen_context(sys_user:sys_role:sys_isid, s0)
sid security gen_context(sys_user:sys_role:sys_isid, s0)
sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
sid file gen_context(sys_user:sys_role:sys_isid, s0)
sid port gen_context(sys_user:sys_role:sys_isid, s0)
sid netif gen_context(sys_user:sys_role:sys_isid, s0)
sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
sid node gen_context(sys_user:sys_role:sys_isid, s0)
sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);
fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);