Diffstat (limited to 'tests/policies/test-deps/base-notmetreq.conf')
-rw-r--r--tests/policies/test-deps/base-notmetreq.conf506
1 files changed, 506 insertions, 0 deletions
diff --git a/tests/policies/test-deps/base-notmetreq.conf b/tests/policies/test-deps/base-notmetreq.conf
new file mode 100644
index 0000000..cf6aa0a
--- /dev/null
+++ b/tests/policies/test-deps/base-notmetreq.conf
@@ -0,0 +1,506 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+# TE RULES
+attribute domain;
+attribute system;
+attribute foo;
+attribute num;
+attribute num_exec;
+attribute files;
+
+type net_foo_t, foo;
+type sys_foo_t, foo, system;
+role system_r types sys_foo_t;
+
+type user_t, domain;
+role user_r types user_t;
+
+type sysadm_t, domain, system;
+role sysadm_r types sysadm_t;
+
+type system_t, domain, system, foo;
+role system_r types { system_t sys_foo_t };
+
+type file_t;
+type file_exec_t, files;
+type fs_t;
+type base_optional_1;
+type base_optional_2;
+
+allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
+
+optional {
+ require {
+ type base_optional_1, base_optional_2;
+ }
+ allow base_optional_1 base_optional_2 : file { read write };
+}
+
+#####################################
+# Role Allow
+allow user_r sysadm_r;
+
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
+
+
+
+
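Review bot: The new fixture carries no comment saying what the test-deps suite expects from it, so the only hint of its role is the path name base-notmetreq.conf; a header above the first `# FLASK` line, such as `# Base policy for the test-deps suite; the requirement this base is meant not to satisfy lives in the accompanying module(s)`, would let a maintainer change it without guessing which declarations the test relies on. The `optional { require { type base_optional_1, base_optional_2; } ... }` block is satisfied by the two type declarations just above it, so the "not met" requirement is presumably on the module side rather than in this file, which is worth stating explicitly since a reader would otherwise look for the gap here. As a style point, `role system_r types sys_foo_t;` is restated a few lines later by `role system_r types { system_t sys_foo_t };`; keeping only the combined form avoids the duplicate. The typos inherited from the Flask boilerplate comments ("clases", "controling capabilies") could be corrected while the file is being added.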