diff options
Diffstat (limited to 'tests/policies/test-expander/user-base.conf')
-rw-r--r-- | tests/policies/test-expander/user-base.conf | 482 |
1 files changed, 482 insertions, 0 deletions
diff --git a/tests/policies/test-expander/user-base.conf b/tests/policies/test-expander/user-base.conf new file mode 100644 index 0000000..660152e --- /dev/null +++ b/tests/policies/test-expander/user-base.conf @@ -0,0 +1,482 @@ +# FLASK + +# +# Define the security object classes +# + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket + +# sysv-ipc-related clases +class sem +class msg +class msgq +class shm +class ipc + +# FLASK +# FLASK + +# +# Define initial security identifiers +# + +sid kernel + + +# FLASK +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + unlink + link + rename + execute + swapon + quotaon + mounton +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + recv_msg + send_msg + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. +# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + transition + associate + quotamod + quotaget +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir +} + +class file +inherits file +{ + execute_no_trans + entrypoint +} + +class lnk_file +inherits file + +class chr_file +inherits file + +class blk_file +inherits file + +class sock_file +inherits file + +class fifo_file +inherits file + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. +# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + connectto + newconn + acceptfrom +} + +class udp_socket +inherits socket + +class rawip_socket +inherits socket + +class node +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send + enforce_dest +} + +class netif +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto + newconn + acceptfrom +} + +class unix_dgram_socket +inherits socket + + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share +} + + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + transition_sid + member_sid + sid_to_context + context_to_sid + load_policy + get_sids + change_sid + get_user_sids +} + + +# +# Define the access vector interpretation for system operations. +# + +class system +{ + ipc_info + avc_toggle + nfsd_control + bdflush + syslog_read + syslog_mod + syslog_console + ichsid +} + +# +# Define the access vector interpretation for controling capabilies +# + +class capability +{ + # The capabilities are defined in include/linux/capability.h + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease +} + +ifdef(`enable_mls',` +sensitivity s0; + +# +# Define the ordering of the sensitivity levels (least to greatest) +# +dominance { s0 } + + +# +# Define the categories +# +# Each category has a name and zero or more aliases. +# +category c0; category c1; category c2; category c3; +category c4; category c5; category c6; category c7; +category c8; category c9; category c10; category c11; +category c12; category c13; category c14; category c15; +category c16; category c17; category c18; category c19; +category c20; category c21; category c22; category c23; + +level s0:c0.c23; + +mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } + ( h1 dom h2 ); +') + +# User mapping test +type user_check_1_1_t; +type user_check_1_2_t; +role user_check_1_1_r types user_check_1_1_t; +role user_check_1_2_r types user_check_1_2_t; + +######## +type fs_t; +type system_t; +type user_t; +role system_r types system_t; +role user_r types user_t; +role sysadm_r types system_t; +#################################### +# Booleans +bool allow_ypbind true; +bool secure_mode false; +bool allow_execheap false; +bool allow_execmem true; +bool allow_execmod false; +bool allow_execstack true; +bool optional_bool_1 true; +bool optional_bool_2 false; + +##################################### +# users +gen_user(user_check_1,, user_check_1_1_r user_check_1_2_r, s0, s0 - s0:c0.c23) +gen_user(system_u,, system_r, s0, s0 - s0:c0.c23) +gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) +gen_user(joe,, user_r, s0, s0 - s0:c0.c23) + +##################################### +# constraints + + +#################################### +#line 1 "initial_sid_contexts" + +sid kernel gen_context(system_u:system_r:system_t, s0) + + +############################################ +#line 1 "fs_use" +# +fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); +fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); +fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); + + +genfscon proc / gen_context(system_u:object_r:system_t, s0) + + +#################################### +#line 1 "net_contexts" + +#portcon tcp 21 system_u:object_r:net_foo_t:s0 + +#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 + +# +#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 + +nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0) + + + + |