File: fsusequery.conf

# fsusequery.conf: fixture policy for setools' fs_use query tests.
# This is a checkpolicy-style policy.conf.  The declarations below exist only
# to give the fs_use_* statements something to reference; each "# test N:"
# comment block describes the query that the statements following it exercise.
# Nothing in this file describes a real system's policy.

# Object classes.  infoflow3 is the only class without the infoflow common;
# its single permission "null" is used by the lone allow rule further down.
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

# Permissions shared by every class that inherits infoflow.
common infoflow
{
    low_w
    med_w
    hi_w
    low_r
    med_r
    hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
    super_w
    super_r
}

class infoflow3
{
    null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
    super_w
    super_r
    super_none
    super_both
    super_unmapped
}

# MLS: seven sensitivities in dominance order s0 < ... < s6, five categories,
# and one level per sensitivity spanning all categories (c0.c4).
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;

dominance { s0 s1 s2 s3 s4 s5 s6 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;

#some constraints
# hi_r is permitted only when the source level dominates the target level,
# unless the source type carries mls_exempt.  mls_exempt is declared below but
# no type is ever assigned to it in this file, so that escape never matches here.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

# Roles and types that serve as fixture values for the role tests (30/31)
# and the type tests (40/41) below.
role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;

role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;

type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };

################################################################################
# Type enforcement declarations and rules

# The only access-vector rule in the fixture; it keeps the TE section non-empty.
allow system system:infoflow3 null;

################################################################################

#users
# "system" holds every role and spans s0 - s6; user20 and user21* are limited
# to the system role and to s0 - s2.  The fs_use contexts below must stay
# inside these user ranges.
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;

#normal constraints
# hi_w is permitted only when source and target users are the same.
constrain infoflow hi_w (u1 == u2);

#isids
# Both initial SIDs get the same system:system:system:s0 context.
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
# Each "# test N:" block lists the fs_use query fields (ruletype, fs, user,
# role, type, range).  "unset" means the field is not part of the query; a
# set field states whether it is matched exactly or as a regex.  The
# statements after each block are the rows the query runs against, and some
# are deliberate non-matches for the stated query (e.g. test10c, test21c,
# test41a).
# test 1:
# ruletype: unset
# fs: test1, exact
# user: unset
# role: unset
# type: unset
# range: unset
fs_use_xattr test1 system:system:system:s0:c0.c4;

# test 2:
# ruletype: unset
# fs: test2(a|b), regex
# user: unset
# role: unset
# type: unset
# range: unset
fs_use_xattr test2a system:system:system:s0:c0.c1;
fs_use_xattr test2b system:system:system:s0:c2.c4;

# test 10:
# ruletype: ['fs_use_trans','fs_use_task']
# fs: unset
# user: unset
# role: unset
# type: unset
# range: unset
# test10c is fs_use_xattr and so falls outside the queried rule types.
fs_use_trans test10a system:system:system:s0:c0.c1;
fs_use_task test10b system:system:system:s0:c2.c4;
fs_use_xattr test10c system:system:system:s0:c2;

# test 20:
# ruletype: unset
# fs: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
fs_use_xattr test20 user20:system:system:s0:c0.c1;

# test 21:
# ruletype: unset
# fs: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
fs_use_xattr test21a user21a:system:system:s0:c0.c1;
fs_use_xattr test21b user21b:system:system:s0:c0.c1;
fs_use_xattr test21c user21c:system:system:s0:c0.c1;

# test 30:
# ruletype: unset
# fs: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
fs_use_xattr test30 system:role30_r:system:s0:c0.c1;

# test 31:
# ruletype: unset
# fs: unset
# user: unset
# role: role31(a|c)_r, regex   (the rows below use role31a_r..role31c_r)
# type: unset
# range: unset
fs_use_xattr test31a system:role31a_r:system:s0:c0.c1;
fs_use_xattr test31b system:role31b_r:system:s0:c0.c1;
fs_use_xattr test31c system:role31c_r:system:s0:c0.c1;

# test 40:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: type40
# range: unset
fs_use_xattr test40 system:system:type40:s0:c0.c1;

# test 41:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
fs_use_xattr test41a system:system:type41a:s0:c0.c1;
fs_use_xattr test41b system:system:type41b:s0:c0.c1;
fs_use_xattr test41c system:system:type41c:s0:c0.c1;

# Range tests 50-55: each row sits at its own sensitivity (s0 through s5) so a
# range query with the stated comparison singles out the intended row.
# test 50:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: equal
fs_use_xattr test50 system:system:system:s0:c1 - s0:c0.c4;

# test 51:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: overlap
fs_use_xattr test51 system:system:system:s1:c1 - s1:c1.c3;

# test 52:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: subset
fs_use_xattr test52 system:system:system:s2:c1 - s2:c1.c3;

# test 53:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: superset
fs_use_xattr test53 system:system:system:s3:c1 - s3:c1.c3;

# test 54:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
fs_use_xattr test54 system:system:system:s4:c1 - s4:c1.c3;

# test 55:
# ruletype: unset
# fs: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
fs_use_xattr test55 system:system:system:s5:c1 - s5:c1.c3;

#genfscon
# The remaining statements are not fs_use rules; they give the policy one of
# each other in-policy labeling context so the fixture is a complete policy.
# The object_r role is not declared in this file (checkpolicy predefines it).
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4

portcon tcp 80 system:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0