1class process  # object classes are declared first; their permission sets follow after the initial SIDs
2class blk_file
3class chr_file
4class dir
5class fifo_file
6class file
7class lnk_file
8class sock_file
9
10class class5  # synthetic classes: class5, class6, class7 and class17 are each used by exactly one test (5, 6, 7, 17)
11class class6  # presumably so that the wildcard or complemented source sets in those tests cannot match grants made by other tests
12class class7
13class class17
14
15sid kernel  # initial SID declarations; each one is given a context at the end of the file
16sid security
17sid unlabeled
18sid file
19sid port
20sid netif
21sid netmsg
22sid node
23sid devnull
24
25class process { dyntransition transition }  # permission sets per class
26class file { ioctl read write }  # so "file *" in the tests covers these three and "file ~write" covers ioctl and read
27
28class class5 { perm }
29class class6 { perm }
30class class7 { perm }
31class class17 { ioctl }  # ioctl is needed because Test 17 exercises neverallowxperm on this class
32
33ifdef(`enable_mls',`
34sensitivity s0;  # MLS section is emitted only when enable_mls is defined: one sensitivity
35dominance { s0 }
36category c0; category c1; category c2; category c3;  # 24 categories in total: c0 through c23
37category c4; category c5; category c6; category c7;
38category c8; category c9; category c10; category c11;
39category c12; category c13; category c14; category c15;
40category c16; category c17; category c18; category c19;
41category c20; category c21; category c22; category c23;
42
43level s0:c0.c23;  # s0 may be combined with any of the categories
44
45mlsconstrain file { write } ( h1 dom h2 );  # file write requires the source high level to dominate the target high level
46')
47
48
49########################################
50#
51# Test start
52#
53########################################
54
55
56## Test 1 (single type): the only grant names the source type as its own target, so the not-self rule has nothing to match
57
58type test1_t;
59allow      test1_t test1_t : file read;  # target written out by name, but it is the source type itself
60neverallow test1_t ~self   : file read;  # nofail
61
62
63## Test 2 (single type): same shape as Test 1, but the grant uses the self keyword instead of the type name
64
65type test2_t;
66allow      test2_t self  : file read;
67neverallow test2_t ~self : file read;  # nofail
68
69
70## Test 3 (single type): a grant to a different type falls inside the not-self target set
71
72type test3_1_t;
73type test3_2_t;
74allow      test3_1_t test3_2_t : file read;  # cross-type grant
75neverallow test3_1_t ~self     : file read;  # no nofail tag: test3_2_t is a non-self target of test3_1_t
76
77
78## Test 4 (two types I): set-to-set grant checked against a neverallow on one member
79
80type test4_1_t;
81type test4_2_t;
82allow      { test4_1_t test4_2_t } { test4_1_t test4_2_t } : file read;  # covers all four source/target pairs
83neverallow test4_1_t               ~self                   : file read;  # no nofail tag: matched by test4_1_t -> test4_2_t
84
85
86## Test 5 (two types II): wildcard source, so self is evaluated separately for every source type
87
88type test5_1_t;
89type test5_2_t;
90allow      { test5_1_t test5_2_t } { test5_1_t test5_2_t } : class5 perm;
91neverallow *                       ~self                   : class5 perm;  # no nofail tag: both cross pairs (1 -> 2 and 2 -> 1) are non-self
92
93
94## Test 6 (two types III): not-self combined with an explicitly excluded target type
95
96type test6_1_t;
97type test6_2_t;
98allow      { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm;
99neverallow *                       ~{ self test6_1_t }     : class6 perm;  # no nofail tag: test6_1_t is excluded as a target, leaving test6_1_t -> test6_2_t
100
101
102## Test 7 (two types IV): every granted target is excluded from the complemented set
103
104type test7_1_t;
105type test7_2_t;
106allow      { test7_1_t test7_2_t } { test7_1_t test7_2_t }       : class7 perm;
107neverallow *                       ~{ self test7_1_t test7_2_t } : class7 perm; # nofail
108
109
110## Test 8 (attribute violates type I): grant written on attributes, neverallow written on a member type
111
112attribute test8_a;
113type test8_1_t, test8_a;
114type test8_2_t, test8_a;
115allow      test8_a   test8_a : file read;  # both members gain read on each other as well as on themselves
116neverallow test8_1_t ~self   : file *;  # no nofail tag: the attribute grant includes test8_1_t -> test8_2_t
117
118
119## Test 9 (attribute violates type II): type source with an attribute target
120
121attribute test9_a;
122type test9_1_t, test9_a;
123type test9_2_t, test9_a;
124allow      test9_1_t test9_a : file read;  # target attribute contains the source type and test9_2_t
125neverallow test9_1_t ~self   : file *;  # no nofail tag: the test9_2_t part of the target attribute is non-self
126
127
128## Test 10 (attribute violates type III)
129
130attribute test10_1_a;
131attribute test10_2_a;  # declared but not referenced by any rule or type in this test
132type test10_1_t, test10_1_a, test10_1_a;  # NOTE(review): test10_1_a is listed twice; confirm whether test10_2_a was intended
133type test10_2_t, test10_1_a, test10_1_a;  # NOTE(review): same duplication as the line above
134allow      test10_1_a test10_1_a : file read;
135neverallow test10_1_t ~self      : file *;  # no nofail tag: the attribute grant includes test10_1_t -> test10_2_t
136
137
138## Test 11 (attribute violates attribute I): each member is granted access to itself only, so an attribute-wide not-self rule has nothing to match
139
140attribute test11_1_a;
141attribute test11_2_a;
142type test11_1_t, test11_1_a, test11_2_a;
143type test11_2_t, test11_1_a, test11_2_a;
144allow      test11_1_t self       : file read;  # self grant via keyword
145allow      test11_2_t test11_2_t : file read;  # self grant via type name
146neverallow test11_1_a ~self      : file *;  # nofail
147
148
149## Test 12 (attribute violates attribute II): type-to-type grant checked against an attribute-wide rule
150
151attribute test12_a;
152type test12_1_t, test12_a;
153type test12_2_t, test12_a;
154allow      test12_1_t test12_2_t : file read;
155neverallow test12_a   ~self      : file *;  # no nofail tag: test12_1_t is a member and test12_2_t is not its self
156
157
158## Test 13 (attribute violates attribute III): type source, attribute target
159
160attribute test13_a;
161type test13_1_t, test13_a;
162type test13_2_t, test13_a;
163allow      test13_1_t test13_a : file read;  # target attribute contains the source type and test13_2_t
164neverallow test13_a   ~self    : file *;  # no nofail tag: matched by the test13_1_t -> test13_2_t part of the grant
165
166
167## Test 14 (attribute violates attribute IV): attribute-to-attribute grant and rule
168
169attribute test14_a;
170type test14_1_t, test14_a;
171type test14_2_t, test14_a;
172allow      test14_a test14_a : file read;
173neverallow test14_a ~self    : file *;  # no nofail tag: both cross pairs inside the attribute are non-self
174
175
176## Test 15 (attribute violates attribute V)
177
178attribute test13_1_a;  # NOTE(review): identifiers in this test carry the test13_ prefix rather than test15_
179attribute test13_2_a;
180type test13_t, test13_1_a, test13_2_a;  # the only member of both attributes declared here
181allow      test13_1_a test13_2_a : file read;  # both attributes hold only test13_t, so this is a self grant in effect
182neverallow test13_a   ~self      : file *;  # NOTE(review): test13_a is the Test 13 attribute and test13_t is not a member, so this repeats the Test 13 rule; confirm whether an attribute of this test was intended
183
184
185## Test 16 (types violate attribute): grant written on types, rule written on their attribute with a complemented permission set
186
187attribute test16_a;
188type test16_1_t, test16_a;
189type test16_2_t, test16_a;
190allow      { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read;
191neverallow test16_a                  ~self                     : file ~write;  # no nofail tag: ~write leaves ioctl and read, and read is granted across the two types
192
193
194## Test 17 (extended permissions I): ioctl granted without any allowxperm rule
195
196type test17_1_t;
197type test17_2_t;
198allow           { test17_1_t test17_2_t } { test17_1_t test17_2_t } : class17 ioctl;  # no allowxperm follows, so the grant is not limited to specific ioctl commands
199neverallowxperm ~test17_2_t               ~self                     : class17 ioctl 0x1111;  # no nofail tag: the source set is every type except test17_2_t, which includes test17_1_t -> test17_2_t
200
201
202## Test 18 (extended permissions II): the granted command and the forbidden command differ
203
204type test18_1_t;
205type test18_2_t;
206allow           { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl;
207allowxperm      { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl 0x1111;  # only command 0x1111 is granted
208neverallowxperm test18_1_t                ~self                     : file ioctl 0x2222;  # nofail
209
210
211## Test 19 (extended permissions III): overlapping command ranges
212
213type test19_1_t;
214type test19_2_t;
215allow           { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl;
216allowxperm      { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl { 0x0100 - 0x0102 };
217neverallowxperm test19_2_t                ~self                     : file ioctl { 0x0101 - 0x0104 };  # no nofail tag: 0x0101 and 0x0102 are in both ranges and test19_2_t -> test19_1_t is non-self
218
219
220## Test 20 (extended permissions IV): a distinct command per source/target pair
221
222type test20_1_t;
223type test20_2_t;
224allow           { test20_1_t test20_2_t } { test20_1_t test20_2_t } : file ioctl;
225allowxperm      test20_1_t                test20_1_t                : file ioctl 0x0101;  # self grant
226allowxperm      test20_1_t                test20_2_t                : file ioctl 0x0102;  # cross grant
227allowxperm      test20_2_t                test20_1_t                : file ioctl 0x0103;  # cross grant
228allowxperm      test20_2_t                test20_2_t                : file ioctl 0x0104;  # self grant
229neverallowxperm { test20_1_t test20_2_t } ~self                     : file ioctl { 0x0000 - 0x9000 };  # no nofail tag: the range contains all four commands, and the two cross grants are non-self
230
231
232## Test 21 (extended permissions V): attribute-wide grant of one command, rule on a different command
233
234attribute test21_a;
235type test21_1_t, test21_a;
236type test21_2_t, test21_a;
237allow           test21_a   test21_a : file ioctl;
238allowxperm      test21_a   test21_a : file ioctl 0x9501;  # only command 0x9501 is granted
239neverallowxperm test21_1_t ~self    : file ioctl 0x9511;  # nofail
240
241
242## Test 22 (extended permissions VI): the forbidden command is granted, but only on self
243
244type test22_t;
245allow           test22_t self  : file ioctl;
246allowxperm      test22_t self  : file ioctl 0x9501;
247allowxperm      test22_t self  : file ioctl 0x9511;  # same command as the rule below, self target only
248neverallowxperm test22_t ~self : file ioctl 0x9511;  # nofail
249
250
251## Test 23 (extended permissions VII): the forbidden command is granted on an explicit type pair
252
253attribute test23_a;
254type test23_1_t, test23_a;
255type test23_2_t, test23_a;
256allow           test23_a   test23_a   : file ioctl;
257allowxperm      test23_a   test23_a   : file ioctl 0x9501;
258allowxperm      test23_1_t test23_2_t : file ioctl 0x9511;  # cross-type grant of the forbidden command
259neverallowxperm test23_1_t ~self      : file ioctl 0x9511;  # no nofail tag: matched by the grant on the line above
260
261
262## Test 24 (extended permissions VIII): the forbidden command is granted from a type to its own attribute
263
264attribute test24_a;
265type test24_1_t, test24_a;
266type test24_2_t, test24_a;
267allow           test24_a   test24_a : file ioctl;
268allowxperm      test24_a   test24_a : file ioctl 0x9501;
269allowxperm      test24_1_t test24_a : file ioctl 0x9511;  # target attribute contains test24_2_t as well as the source
270neverallowxperm test24_1_t ~self    : file ioctl 0x9511;  # no nofail tag: the test24_2_t part of the grant above is non-self
271
272
273## Test 25 (extended permissions IX): the forbidden command is granted attribute-to-attribute
274
275attribute test25_a;
276type test25_1_t, test25_a;
277type test25_2_t, test25_a;
278allow           test25_a   test25_a : file ioctl;
279allowxperm      test25_a   test25_a : file ioctl 0x9501;
280allowxperm      test25_a   test25_a : file ioctl 0x9511;  # includes test25_1_t -> test25_2_t
281neverallowxperm test25_1_t ~self    : file ioctl 0x9511;  # no nofail tag: matched by the cross pair in the grant above
282
283
284## Test 26 (extended permissions X): two attributes that both contain both types
285
286attribute test26_1_a;
287attribute test26_2_a;
288type test26_1_t, test26_1_a, test26_2_a;
289type test26_2_t, test26_1_a, test26_2_a;
290allow           { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl;
291allowxperm      { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501;
292allowxperm      test26_1_a                test26_2_a                : file ioctl 0x9511;  # each attribute holds both types, so this covers test26_1_t -> test26_2_t
293neverallowxperm test26_1_t                ~self                     : file ioctl 0x9511;  # no nofail tag: matched by the cross pair in the grant above
294
295
296## Test 27 (extended permissions attribute violation I): the forbidden command is granted to each member on itself only
297
298attribute test27_a;
299type test27_1_t, test27_a;
300type test27_2_t, test27_a;
301allow           test27_a   test27_a   : file ioctl;
302allowxperm      test27_a   test27_a   : file ioctl 0x9501;  # cross pairs are limited to a different command
303allowxperm      test27_1_t self       : file ioctl 0x9521;  # self grant via keyword
304allowxperm      test27_2_t test27_2_t : file ioctl 0x9521;  # self grant via type name
305neverallowxperm test27_a   ~self      : file ioctl 0x9521;  # nofail
306
307
308## Test 28 (extended permissions attribute violation II): type-pair grant checked against an attribute-wide rule
309
310attribute test28_a;
311type test28_1_t, test28_a;
312type test28_2_t, test28_a;
313allow           test28_a   test28_a   : file ioctl;
314allowxperm      test28_1_t test28_2_t : file ioctl 0x9521;  # cross-type grant of the forbidden command
315neverallowxperm test28_a   ~self      : file ioctl 0x9521;  # no nofail tag: matched at least by the explicit grant on the line above
316
317
318## Test 29 (extended permissions attribute violation III): type source, attribute target
319
320attribute test29_a;
321type test29_1_t, test29_a;
322type test29_2_t, test29_a;
323allow           test29_a   test29_a : file ioctl;
324allowxperm      test29_1_t test29_a : file ioctl 0x9521;  # target attribute contains test29_2_t as well as the source
325neverallowxperm test29_a   ~self    : file ioctl 0x9521;  # no nofail tag: matched at least by the test29_1_t -> test29_2_t part of the grant above
326
327
328## Test 30 (extended permissions attribute violation IV): attribute-to-attribute grant and rule on the same command
329
330attribute test30_a;
331type test30_1_t, test30_a;
332type test30_2_t, test30_a;
333allow           test30_a test30_a : file ioctl;
334allowxperm      test30_a test30_a : file ioctl 0x9521;
335neverallowxperm test30_a ~self    : file ioctl 0x9521;  # no nofail tag: both cross pairs inside the attribute are non-self
336
337
338## Test 31 (extended permissions attribute violation V): two attributes with identical membership
339
340attribute test31_1_a;
341attribute test31_2_a;
342type test31_1_t, test31_1_a, test31_2_a;
343type test31_2_t, test31_1_a, test31_2_a;
344allow           test31_1_a test31_1_a : file ioctl;
345allowxperm      test31_1_a test31_2_a : file ioctl 0x9521;  # each attribute holds both types, so cross pairs are included
346neverallowxperm test31_1_a ~self      : file ioctl 0x9521;  # no nofail tag: matched by the cross pairs in the grant above
347
348
349########################################
350#
351# Test End
352#
353########################################
354
355
356type sys_isid;  # one type, role and user are declared so every initial SID can be given a context
357role sys_role;
358role sys_role types sys_isid;
359gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23)  # gen_user and gen_context are macros defined outside this page
360sid kernel gen_context(sys_user:sys_role:sys_isid, s0)  # all nine initial SIDs receive the same context
361sid security gen_context(sys_user:sys_role:sys_isid, s0)
362sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0)
363sid file gen_context(sys_user:sys_role:sys_isid, s0)
364sid port gen_context(sys_user:sys_role:sys_isid, s0)
365sid netif gen_context(sys_user:sys_role:sys_isid, s0)
366sid netmsg gen_context(sys_user:sys_role:sys_isid, s0)
367sid node gen_context(sys_user:sys_role:sys_isid, s0)
368sid devnull gen_context(sys_user:sys_role:sys_isid, s0)
369fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0);  # filesystem labeling statements for devpts and devtmpfs, using the same context
370fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);
371