Diffstat (limited to 'tests/policies/test-linker')
-rw-r--r--tests/policies/test-linker/module1.conf138
-rw-r--r--tests/policies/test-linker/module2.conf62
-rw-r--r--tests/policies/test-linker/small-base.conf593
3 files changed, 793 insertions, 0 deletions
diff --git a/tests/policies/test-linker/module1.conf b/tests/policies/test-linker/module1.conf
new file mode 100644
index 0000000..7cfb6cb
--- /dev/null
+++ b/tests/policies/test-linker/module1.conf
@@ -0,0 +1,138 @@
+module linker_test_1 1.0;
+
+require {
+ class file { read write };
+ class lnk_file append;
+ role g_b_role_2;
+ attribute g_b_attr_3;
+ attribute g_b_attr_5;
+ attribute o4_b_attr_1;
+ type g_b_type_3;
+}
+
+type tag_g_m1;
+
+#test for type in module and attr in module, added to in module
+attribute g_m1_attr_1;
+type g_m1_type_1, g_m1_attr_1;
+type g_m1_type_2;
+typeattribute g_m1_type_2 g_m1_attr_1;
+
+#add role in module test
+role g_m1_role_1 types g_m1_type_1;
+
+# test for attr declared in base, added to in module
+type g_m1_type_3;
+typeattribute g_m1_type_3 g_b_attr_3;
+
+# test for attr declared in base, added to in 2 modules
+type g_m1_type_4;
+typeattribute g_m1_type_4 g_b_attr_5;
+
+# test for attr declared in base optional, added to in module
+type g_m1_type_5;
+typeattribute g_m1_type_5 o4_b_attr_1;
+
+# test for attr declared in module, added to in base optional
+attribute g_m1_attr_2;
+
+#add type to base role test
+role g_b_role_2 types g_m1_type_1;
+role g_b_role_3 types g_m1_type_2;
+
+#add type to base optional role test
+role o1_b_role_2 types g_m1_type_1;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m1_type_2;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+attribute g_m1_attr_3;
+type g_m1_type_6, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module , added to in other module optional
+attribute g_m1_attr_4;
+type g_m1_type_7, g_m1_attr_4;
+
+# alias tests
+typealias g_b_type_3 alias g_m_alias_1;
+
+# single boolean in module
+bool g_m1_bool_1 true;
+if (g_m1_bool_1) {
+ allow g_m1_type_1 g_m1_type_2 : lnk_file append;
+}
+
+
+optional {
+ require {
+ type optional_type;
+ attribute g_b_attr_4;
+ attribute o1_b_attr_2;
+ class lnk_file { ioctl };
+ }
+
+ type tag_o1_m1;
+
+ attribute o1_m1_attr_1;
+ type o1_m1_type_2, o1_m1_attr_1;
+
+ type o1_m1_type_1;
+ role o1_m1_role_1 types o1_m1_type_1;
+
+ type o1_m1_type_3;
+ typeattribute o1_m1_type_3 g_b_attr_4;
+
+ type o1_m1_type_5;
+ typeattribute o1_m1_type_5 o1_b_attr_2;
+
+ bool o1_m1_bool_1 false;
+ if (o1_m1_bool_1) {
+ allow o1_m1_type_2 o1_m1_type_1 : lnk_file ioctl;
+ }
+
+}
+
+optional {
+ require {
+ type optional_type;
+ #role g_b_role_4; // This causes a bug where the role scope doesn't get copied into base
+ }
+
+ type tag_o2_m1;
+
+ role g_b_role_4 types g_m1_type_2;
+}
+
+optional {
+ require {
+ attribute g_b_attr_6;
+ }
+
+ type tag_o3_m1;
+
+ type o3_m1_type_1;
+ role o3_b_role_1 types o3_m1_type_1;
+
+ type o3_m1_type_2, g_b_attr_6;
+
+ attribute o3_m1_attr_1;
+
+ # attr a added to in base optional, declared/added in module optional, added to in other module
+ attribute o3_m1_attr_2;
+ type o3_m1_type_3, o3_m1_attr_2;
+
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o4_m1;
+
+ attribute o4_m1_attr_1;
+ type o4_m1_type_1;
+ typeattribute o4_m1_type_1 o4_m1_attr_1;
+
+
+}
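Review bot: The top-level `require` block names only `g_b_role_2` among base roles, yet `role g_b_role_3 types g_m1_type_2;`, `role o1_b_role_2 types g_m1_type_1;` and `role o4_b_role_1 types g_m1_type_2;` extend three other base roles without requiring them; module2.conf does the same at `role g_b_role_3 types g_m2_type_2;` and `role o4_b_role_1 types g_m2_type_1;`. The commented-out `#role g_b_role_4;` in the second optional block says that requiring a role trips a scope-copy bug, so the omission looks deliberate, but nothing near the require block says so and a later cleanup could "fix" it and silently change what the linker test exercises. A one-line comment on the require block would pin the intent, e.g. `# base roles extended below (g_b_role_3, o1_b_role_2, o4_b_role_1) are intentionally not required; see the g_b_role_4 note in the second optional block`. The g_b_role_4 remark itself would be more useful as a tracked TODO naming the failing behaviour rather than a bare "this causes a bug".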
diff --git a/tests/policies/test-linker/module2.conf b/tests/policies/test-linker/module2.conf
new file mode 100644
index 0000000..3820cb7
--- /dev/null
+++ b/tests/policies/test-linker/module2.conf
@@ -0,0 +1,62 @@
+module linker_test_2 1.0;
+
+require {
+ class file { read write };
+ class lnk_file { unlink };
+ attribute g_b_attr_5;
+ attribute g_b_attr_6;
+ attribute g_m1_attr_3;
+ attribute o3_m1_attr_2;
+}
+
+type tag_g_m2;
+
+type g_m2_type_1;
+role g_m2_role_1 types g_m2_type_1;
+
+type g_m2_type_4, g_b_attr_5;
+type g_m2_type_5, g_b_attr_6;
+
+#add types to role declared in base test
+type g_m2_type_2;
+role g_b_role_3 types g_m2_type_2;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m2_type_1;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+type g_m2_type_3, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module optional, added to in other module
+type g_m2_type_6, o3_m1_attr_2;
+
+# cond mapping tests
+bool g_m2_bool_1 true;
+bool g_m2_bool_2 false;
+if (g_m2_bool_1 && g_m2_bool_2) {
+ allow g_m2_type_1 g_m2_type_2 : lnk_file unlink;
+}
+
+optional {
+ require {
+ type optional_type;
+ }
+
+ type tag_o1_m2;
+
+ type o1_m2_type_1;
+ role o1_m2_role_1 types o1_m2_type_1;
+}
+
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o2_m2;
+
+ type o2_m2_type_1, g_m1_attr_4;
+ type o2_m2_type_2, o4_m1_attr_1;
+
+}
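Review bot: The second optional block (`type tag_o2_m2;`) has no descriptive comment, unlike every other test case in this file, and its requirements are only satisfiable through module1: `g_m1_attr_4` is global in module1, while `o4_m1_attr_1` is declared inside module1's fourth optional, which is itself gated on `enable_optional` from the base, so this block appears to test a chained optional dependency across modules. A comment above it would make the activation condition visible here, e.g. `# attr declared in other module global (g_m1_attr_4) and in other module optional (o4_m1_attr_1); links only if module1's enable_optional block is on`. Separately, `class file { read write };` is required at the top but no rule in this module uses class `file`; unless the unused requirement is itself under test, dropping that line keeps the require block an honest statement of what the module depends on.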
diff --git a/tests/policies/test-linker/small-base.conf b/tests/policies/test-linker/small-base.conf
new file mode 100644
index 0000000..2f166c9
--- /dev/null
+++ b/tests/policies/test-linker/small-base.conf
@@ -0,0 +1,593 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+
+#g_b stands for global base
+
+type enable_optional;
+
+#decorative type for finding this decl, every block should have one
+type tag_g_b;
+
+attribute g_b_attr_1;
+attribute g_b_attr_2;
+attribute g_b_attr_3;
+attribute g_b_attr_4;
+attribute g_b_attr_5;
+attribute g_b_attr_6;
+
+type g_b_type_1, g_b_attr_1;
+type g_b_type_2, g_b_attr_2;
+type g_b_type_3;
+
+role g_b_role_1 types g_b_type_1;
+role g_b_role_2 types g_b_type_2;
+role g_b_role_3 types g_b_type_2;
+role g_b_role_4 types g_b_type_2;
+
+bool g_b_bool_1 false;
+bool g_b_bool_2 true;
+
+allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
+allow g_b_type_1 g_b_type_2 : file *; # test *
+allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
+
+typealias g_b_type_3 alias g_b_alias_1;
+
+if (g_b_bool_1) {
+ allow g_b_type_1 g_b_type_2: lnk_file read;
+}
+
+
+optional {
+ require {
+ type enable_optional;
+ attribute g_m1_attr_2;
+ }
+ type tag_o1_b;
+
+ attribute o1_b_attr_1;
+ type o1_b_type_1, o1_b_attr_1;
+ bool o1_b_bool_1 true;
+ role o1_b_role_1 types o1_b_type_1;
+
+ role o1_b_role_2 types o1_b_type_1;
+
+ attribute o1_b_attr_2;
+
+ type o1_b_type_2, g_m1_attr_2;
+
+ if (o1_b_bool_1) {
+ allow o1_b_type_1 o1_b_type_2: lnk_file write;
+ }
+
+}
+
+optional {
+ require {
+ # this should be activated by module 1
+ type g_m1_type_1;
+ attribute o3_m1_attr_2;
+ }
+ type tag_o2_b;
+
+ type o2_b_type_1, o3_m1_attr_2;
+}
+
+optional {
+ require {
+ #this block should not come on
+ type invalid_type;
+ }
+ type tag_o3_b;
+
+
+ attribute o3_b_attr_1;
+ type o3_b_type_1;
+ bool o3_b_bool_1 true;
+
+ role o3_b_role_1 types o3_b_type_1;
+
+ allow g_b_type_1 invalid_type : sem { create destroy };
+}
+
+optional {
+ require {
+ # also should be enabled by module 1
+ type enable_optional;
+ type g_m1_type_1;
+ attribute o3_m1_attr_1;
+ attribute g_m1_attr_3;
+ }
+
+ type tag_o4_b;
+
+ attribute o4_b_attr_1;
+
+ role o4_b_role_1 types g_m1_type_1;
+
+ # test for attr declared in module optional, added to in base optional
+ type o4_b_type_1, o3_m1_attr_1;
+
+ type o4_b_type_2, g_m1_attr_3;
+}
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o5_b;
+
+ type o5_b_type_1, g_m1_attr_4;
+ type o5_b_type_2, o4_m1_attr_1;
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o6_b;
+
+ typealias g_b_type_3 alias g_b_alias_2;
+}
+
+optional {
+ require {
+ type g_m_alias_1;
+ }
+ type tag_o7_b;
+
+ allow g_m_alias_1 enable_optional:file read;
+}
+
+gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
+gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+
+
+genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
+
+#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+
+
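Review bot: The file mixes raw policy syntax with m4 — the `ifdef` guard on `enable_mls` around the sensitivity/category block, and the `gen_user(...)` and `gen_context(...)` calls in the user, sid, fs_use, genfscon and nodecon lines — but nothing in the file defines those macros or states that it must be preprocessed first, so a reader cannot tell from this file alone how the `s0 - s0:c0.c23` levels in `gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)` are handled when MLS is off; presumably the test harness supplies the macros. A header comment stating that contract would help, e.g. `# Must be run through m4 first: gen_user/gen_context and the enable_mls switch are provided by the test harness`. The `#line 1 "initial_sid_contexts"` style markers are plain comments to the policy parser, so they are harmless, but they read as leftovers from a generated build and could be dropped or explained. Minor: the comments `sysv-ipc-related clases` and `controling capabilies` have typos.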