File: rbacrulequery.conf

# Object class declarations. Every class used later in the policy is
# declared here first; its permissions are defined further down.
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class process

# Initial SID declarations; their security contexts are assigned in the
# "#isids" section near the end of the file.
sid kernel
sid security

# Shared permission set. Classes that "inherits infoflow" get these six
# permissions in addition to any listed in their own braces.
common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

# infoflow: exactly the common permissions, nothing class-specific.
class infoflow
inherits infoflow

# infoflow2: common permissions plus two class-specific ones.
class infoflow2
inherits infoflow
{
	super_w
	super_r
}

# infoflow3 does not inherit the common set; its only permission is "null",
# which is the one granted by the TE allow rule before the RBAC section.
class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

# infoflow7: common permissions plus five class-specific ones.
class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

# process carries the "transition" permission. The role_transition rule in
# the RBAC section that omits a class presumably falls back to this class
# (confirm against the policy compiler's grammar).
class process
inherits infoflow
{
    transition
}

# MLS sensitivities, lowest first. "med" is an alias accepted wherever
# medium_s is.
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

# Dominance order: high_s dominates med, which dominates low_s.
dominance { low_s med high_s }

# MLS categories; "lost" is an alias for elsewhere.
category here;
category there;
category elsewhere alias lost;

#level decl
# "a.b" is a category range in declaration order, "a, b" an explicit list.
# high_s uses the alias, so its categories run from here through elsewhere.
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
# hi_r on class infoflow is only granted when the source's low level (l1)
# dominates the target's (l2), or the source type carries the mls_exempt
# attribute. The attribute is only declared on the next statement; this
# fixture relies on the compiler accepting that forward reference.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

# Base type and role; "role system types system" authorizes type system
# for role system.
type system;
role system;
role system types system;

# Type-enforcement allow (type type:class perms). Not to be confused with
# the two-argument "allow ROLE ROLE;" role-allow rules in the RBAC section.
allow system system:infoflow3 null;

################################################################################
# RBAC
#
# Two rule forms are exercised below:
#   allow SOURCE_ROLE TARGET_ROLE;                      (role allow)
#   role_transition SOURCE_ROLE TARGET:CLASS NEW_ROLE;  (role transition)
# Each "test N" header lists the RBAC rule query parameters that test sets;
# "unset" means the query does not filter on that field. The remaining rules
# in a test are presumably decoys the query is expected to exclude.

# test 1
# ruletype: unset
# source: test1s, direct, no regex
# target: unset
# class: unset
# default: unset
role test1s;
role test1t;
allow test1s test1t;
role_transition test1s system:infoflow test1t;

# test 2
# ruletype: unset
# source: test2s, direct, regex
# target: unset
# class: unset
# default: unset
# Three source roles share the "test2s" prefix; only two of them appear in
# rules, so a regex on the source must match both rule types.
role test2s1;
role test2s2;
role test2s3;
role test2t;
allow test2s1 test2t;
role_transition test2s3 system:infoflow test2t;

# test 10
# ruletype: unset
# source: unset
# target: test10t, direct, no regex
# class: unset
# default: unset
role test10s;
role test10t;
allow test10s test10t;
role_transition test10s system:infoflow test10t;

# test 11
# ruletype: unset
# source: unset
# target: test11t(1|3), direct, regex
# class: unset
# default: unset
# test11t2 is declared but never used in a rule; it must not surface.
role test11s;
role test11t1;
role test11t2;
role test11t3;
allow test11s test11t1;
role_transition test11s system:infoflow test11t3;

# test 12
# ruletype: unset
# source: unset
# target: test12t
# class: unset
# default: unset
# test12t is a type, not a role: this exercises a role_transition whose
# target is a type, while the role allow rule stays role-to-role.
role test12s;
type test12t;
role test12d;
allow test12s test12d;
role_transition test12s test12t:infoflow test12d;

# test 20
# ruletype: unset
# source: unset
# target: unset
# class: infoflow2, no regex
# default: unset
# Tests 20-22 have no role allow rules at all; they only filter on class.
# In an enforced policy a transition into a role that no role allow rule
# permits is denied, so this shape is only meaningful as a query fixture.
role test20;
role test20d1;
role test20d2;
role_transition test20 system:infoflow test20d1;
role_transition test20 system:infoflow2 test20d2;

# test 21
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# default: unset
role test21;
role test21d1;
role test21d2;
role test21d3;
role_transition test21 system:infoflow test21d1;
role_transition test21 system:infoflow4 test21d2;
role_transition test21 system:infoflow3 test21d3;

# test 22
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# default: unset
role test22;
role test22d1;
role test22d2;
role test22d3;
role_transition test22 system:infoflow test22d1;
role_transition test22 system:infoflow5 test22d2;
role_transition test22 system:infoflow6 test22d3;

# test 30
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test30d, no regex
role test30s;
role test30d;
allow test30s test30d;
role_transition test30s system:infoflow test30d;

# test 31
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test31d(2|3), regex
# The test31d2 transition gives no class at all; the compiler presumably
# defaults it to process (confirm), so a default-role regex must match
# rules regardless of whether the class was written explicitly.
role test31s;
role test31d1;
role test31d2;
role test31d3;
allow test31s test31d1;
allow test31s test31d2;
allow test31s test31d3;
role_transition test31s system:infoflow test31d1;
role_transition test31s system test31d2;
role_transition test31s system:infoflow7 test31d3;

################################################################################

#users
# User "system" may hold role system; its default level is med and its
# clearance runs from low_s up to high_s with categories here through
# elsewhere (written via the alias "lost").
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
# Non-MLS constraint: hi_w on class infoflow requires source and target
# contexts to belong to the same user.
constrain infoflow hi_w (u1 == u2);

#isids
# Contexts for the two initial SIDs declared at the top of the file,
# as user:role:type:level.
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
# Labeling behaviour per filesystem type: transition-based, xattr-based and
# task-based respectively. object_r is the role the policy compiler
# provides implicitly; it is not declared in this file.
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
# Generic filesystem labels (longest path-prefix match): /sys under proc
# gets low_s while the rest of proc gets med.
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

# Network object labels: a TCP port, an interface (device context followed
# by packet context), and an IPv4 and an IPv6 node, each with its mask.
portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here