File: sensitivityquery.conf

setools 4.3.0-2
# Object class declarations. Seven synthetic classes are declared here; the
# permissions each one carries are defined by the access-vector statements
# below ("class X inherits ... { ... }").
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

# Initial SID declarations. Their security contexts are assigned by the
# "sid <name> <context>" statements near the end of the file.
sid kernel
sid security

# Common permission set: six permissions shared by every class that states
# "inherits infoflow".
common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

# infoflow: only the six inherited permissions.
class infoflow
inherits infoflow

# infoflow2: the inherited permissions plus two class-specific ones.
class infoflow2
inherits infoflow
{
	super_w
	super_r
}

# infoflow3: does not inherit the common. Its single permission, "null", is
# the only permission granted by an allow rule in this policy.
class infoflow3
{
	null
}

# infoflow4 through infoflow6: only the six inherited permissions.
class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

# infoflow7: the inherited permissions plus five class-specific ones.
class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

# MLS sensitivity declarations.
# "sens" is the only sensitivity used in a security context in this file.
# Each commented group below names a test case and the criteria it exercises
# (name / alias / sens). "unset" presumably means that criterion is not
# supplied in that case -- confirm against the test module that loads this
# policy.
sensitivity sens;

# test1
# name: test1
# alias: unset
# sens: unset
sensitivity test1;

# test2
# name: test2(a|b)
# alias: unset
# sens: unset
# The name criterion looks like a regular expression; as one, it matches both
# declarations below.
sensitivity test2a;
sensitivity test2b;

# test 10
# name: unset
# alias: test10a
# sens: unset
# Only test10s1 carries the alias test10a; test10s2 has different aliases and
# presumably serves as the non-matching case.
sensitivity test10s1 alias { test10a test10c };
sensitivity test10s2 alias { test10b test10d };

# test 11
# name: unset
# alias: test11(a|b)
# sens: unset
# test11s1 and test11s2 each carry one alias the pattern matches; test11s3
# carries neither.
sensitivity test11s1 alias { test11a test11c };
sensitivity test11s2 alias { test11b test11d };
sensitivity test11s3 alias { test11e test11f };


# test 20
# name: unset
# alias: unset
# sens: test20
sensitivity test20;

# test 21
# name: unset
# alias: unset
# sens: test21crit, dom
# "dom" presumably selects a dominance comparison against test21crit.
# See the ordering in the dominance statement below.
sensitivity test21;
sensitivity test21crit;

# test 22
# name: unset
# alias: unset
# sens: test22crit, domby
# "domby" presumably selects a dominated-by comparison against test22crit.
sensitivity test22;
sensitivity test22crit;

# The dominance statement orders sensitivities from lowest (first) to highest
# (last). test21 is first and test21crit second, so test21crit dominates only
# test21 and itself. test22crit is second to last and test22 last, so
# test22crit is dominated only by test22 and itself. Reordering this list
# changes those relations, which the test 21 / test 22 groups appear to
# depend on.
dominance { test21 test21crit test1 test2a test2b test10s1 sens test10s2 test11s1 test11s2 test11s3 test20 test22crit test22 }

# MLS categories. Only two are declared, so the range "begin.end" used below
# covers every category in the policy.
category begin;
category end;

#level decl
# Each "level" statement states which categories may be combined with a
# sensitivity. Only "sens" is given categories (begin through end); every
# test sensitivity is declared with no categories, and none of them appears
# in a security context anywhere in this file.
level sens:begin.end;
level test1;
level test2a;
level test2b;
level test10s1;
level test10s2;
level test11s1;
level test11s2;
level test11s3;
level test20;
level test21;
level test21crit;
level test22;
level test22crit;

#some constraints
# MLS constraint on infoflow:hi_r. The permission passes only when the
# source's low level dominates the target's low level (l1 dom l2), or when
# the source type carries the mls_exempt attribute.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

# Attribute used as the exemption in the constraint above. No type in this
# file is associated with it (the only type, "system", is declared without
# attributes), so the exemption branch matches nothing here. In a production
# policy an attribute used this way bypasses the dominance check for every
# type assigned to it, so its membership is what a policy audit should review.
attribute mls_exempt;

# A single type and a single role, with the role authorized for that type.
# The type is declared without attributes.
type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

# The only allow rule in the policy: type "system" may use permission "null"
# of class infoflow3 on objects of type "system". No rule grants any
# permission of the other six classes.
allow system system:infoflow3 null;

################################################################################

#users
# User "system" may take role "system". Its default level is "sens" and its
# permitted range runs from "sens" with no categories up to "sens" with
# categories begin through end.
user system roles system level sens range sens - sens:begin.end;

#normal constraints
# Non-MLS constraint: infoflow:hi_w passes only when the source and target
# SELinux users are identical. Constraints restrict permissions that allow
# rules grant; since no allow rule in this file grants hi_w (or hi_r, which
# the mlsconstrain statement covers), the constraints exist here as policy
# content rather than as the deciding check on any access.
constrain infoflow hi_w (u1 == u2);

#isids
# Security contexts for the two initial SIDs declared near the top of the
# file. Context format: user:role:type:sensitivity[:categories].
sid kernel system:system:system:sens:begin
sid security system:system:system:sens:begin

#fs_use
# Labeling behaviour per filesystem type, each with the context to apply:
# fs_use_trans (transition-based), fs_use_xattr (labels stored in extended
# attributes), fs_use_task (label taken from the creating task).
fs_use_trans devpts system:object_r:system:sens;
fs_use_xattr ext3 system:object_r:system:sens;
fs_use_task pipefs system:object_r:system:sens;

#genfscon
# Path-based contexts for filesystems labeled by genfscon. The selinuxfs
# entry is the only one here that carries a category set.
genfscon proc / system:object_r:system:sens
genfscon proc /sys system:object_r:system:sens
genfscon selinuxfs / system:object_r:system:sens:begin.end

# Network object labels. Every entry uses the single type "system", so this
# policy draws no type distinction between ports, interfaces and nodes.
# TCP port 80.
portcon tcp 80 system:object_r:system:sens

# Interface eth0: first context labels the interface, second labels packets.
netifcon eth0 system:object_r:system:sens system:object_r:system:sens

# Node contexts for the IPv4 and IPv6 loopback addresses; the all-ones masks
# restrict each entry to that single address.
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:sens:begin
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:sens:begin