File: rolequery.conf

package info (click to toggle)
setools 4.3.0-2
links: PTS, VCS
area: main
in suites: bullseye
size: 3,900 kB
sloc: python: 20,968; makefile: 14
file content (192 lines) | stat: -rw-r--r-- 3,562 bytes
parent folder | download | duplicates (5)
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

allow system system:infoflow3 null;

########################################
#
# Role Query
#

# test 1
# name: test1
# types: unset
role test1;

# test 2
# name: test2(a|b) regex
# types: unset
role test2a;
role test2b;

# test 10
# name: unset
# types: test10a,test10b
type test10a;
type test10b;
type test10c;
role test10r1;
role test10r2;
role test10r3;
role test10r4;
role test10r5;
role test10r6;
role test10r7;
role test10r1 types test10a;
role test10r2 types { test10a test10b };
role test10r3 types { test10a test10b test10c };
role test10r4 types { test10b test10c };
role test10r5 types { test10a test10c };
role test10r6 types test10b;
role test10r7 types test10c;

# test 11
# name: unset
# types: test11a,test11b equal
type test11a;
type test11b;
type test11c;
role test11r1;
role test11r2;
role test11r3;
role test11r4;
role test11r5;
role test11r6;
role test11r7;
role test11r1 types test11a;
role test11r2 types { test11a test11b };
role test11r3 types { test11a test11b test11c };
role test11r4 types { test11b test11c };
role test11r5 types { test11a test11c };
role test11r6 types test11b;
role test11r7 types test11c;

# test 12
# name: unset
# types: test12(a|b) regex
type test12a;
type test12b;
type test12c;
role test12r1;
role test12r2;
role test12r3;
role test12r4;
role test12r5;
role test12r6;
role test12r7;
role test12r1 types test12a;
role test12r2 types { test12a test12b };
role test12r3 types { test12a test12b test12c };
role test12r4 types { test12b test12c };
role test12r5 types { test12a test12c };
role test12r6 types test12b;
role test12r7 types test12c;

################################################################################

#users
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here