File: terulequery2.conf

# Object classes used throughout this test policy.  They are only
# declared here; each class's permission set is filled in further down,
# after the common permission block most of them draw on is defined.
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

# Initial SIDs.  Their security contexts are assigned in the "#isids"
# section near the end of the file.
sid kernel
sid security

# Permission set shared by every class below that says "inherits infoflow".
# ioctl is the permission that all extended-permission (xperm) rules in
# this file attach their ioctl values and ranges to.
common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
	ioctl
}

# infoflow: exactly the common permissions.
class infoflow
inherits infoflow

# infoflow2: common permissions plus two class-specific ones.  It is the
# class used by the neverallow/neverallowxperm pair in test 100.
class infoflow2
inherits infoflow
{
	super_w
	super_r
}

# infoflow3 does not inherit the common block; ioctl is its only
# permission, which is all the xperm rule in test 10 needs.
class infoflow3
{
	ioctl
}

# infoflow4, infoflow5 and infoflow6: common permissions only.  They exist
# so the class filters in tests 10 and 11 have several classes to select
# between.
class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

# infoflow7: common permissions plus five class-specific ones.  This is
# the class targeted by the auditallowxperm/dontauditxperm rules (test 14)
# and by the ioctl range rules (test 101).
class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

# MLS sensitivities.  "med" is an alias for medium_s; the dominance,
# level, user and genfscon statements in this file refer to the alias,
# while the kernel initial SID context uses the full name.
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

# Lowest to highest.
dominance { low_s med high_s }

# MLS categories.  "lost" is an alias for elsewhere and is what the
# high_s level, the user range and the security initial SID use.
category here;
category there;
category elsewhere alias lost;

#level decl
# low_s:  the category range here through there
# med:    the explicit list here, elsewhere
# high_s: the category range here through elsewhere (via the alias)
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
# hi_r on infoflow is permitted only when the source level dominates the
# target level, or the source type carries the mls_exempt attribute.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

# Attribute named in the constraint above.  It is declared after its use
# and no type in this file is made a member of it.
attribute mls_exempt;

# The one general-purpose type.  The name "system" is reused for the
# user and role as well, so the contexts at the end of the file read
# system:system:system:<level>.
type system;


#########################################
# XPERM ioctl declarations and rules
#
# Each test block below is headed by the query parameters its test case
# presumably sets ("unset" = that parameter is not constrained).  Types and
# attributes named ...PASS / ...FAIL indicate which declarations are expected
# to be matched or not matched -- verify against the test module.

# test 1
# ruletype: unset
# source: test1a, direct, no regex
# target: unset
# class: unset
# perms: unset
# test1FAIL is a member of test1a, but its rule names test1FAIL itself as
# the source, so a direct (non-indirect) query on test1a presumably must
# not return that rule.  The two ioctl ranges differ in shape: one covers
# part of a driver (0xebe0-0xebff), the other a whole driver (0x8800-0x88ff),
# which the trailing comments refer to.
attribute test1a;
type test1s, test1a;
type test1t;
type test1FAIL, test1a;
allowxperm test1a test1t:infoflow ioctl { 0xebe0-0xebff };  # sets AVRULE_XPERMS_IOCTLFUNCTION
allowxperm test1FAIL self:infoflow ioctl { 0x8800-0x88ff }; # sets AVRULE_XPERMS_IOCTLDRIVER

# test 2
# ruletype: unset
# source: test2s, indirect, no regex
# target: unset
# class: unset
# perms: unset
# test2s is a member of test2a and the only rule names the attribute, so
# an indirect query on test2s presumably reaches the rule through test2a.
# The xperm set here is two discrete values rather than a range.
attribute test2a;
type test2s, test2a;
type test2t;
allowxperm test2a test2t:infoflow ioctl { 0x5411 0x5451 };

# test 3
# ruletype: unset
# source: test3a.*, direct, regex
# target: unset
# class: unset
# perms: unset
# Only the attribute test3aS matches the regex as a rule source.  test3aFAIL
# matches the regex by name but has no rule of its own (its attribute
# test3b is the source of the third rule), and test3s does not match the
# regex at all.
attribute test3aS;
attribute test3b;
type test3s, test3aS;
type test3t;
type test3aFAIL, test3b;
allowxperm test3s  test3t:infoflow ioctl 0x9999;
allowxperm test3aS test3t:infoflow ioctl 0x1111;
allowxperm test3b  test3t:infoflow ioctl 0x5555;

# test 4
# ruletype: unset
# source: test4(s|t), indirect, regex
# target: unset
# class: unset
# perms: unset
# test4s1 and test4t1 match the regex and are members of test4a1 and
# test4a2 respectively, whose rules an indirect query presumably reaches.
# test4FAIL has a rule of its own but does not match the regex.
attribute test4a1;
attribute test4a2;
type test4s1, test4a1;
type test4t1, test4a2;
type test4FAIL;
allowxperm test4a1 test4a1:infoflow ioctl 0x9999;
allowxperm test4a2 test4a2:infoflow ioctl 0x1111;
allowxperm test4FAIL self:infoflow ioctl 0x5555;

# test 5
# ruletype: unset
# source: unset
# target: test5a, direct, no regex
# class: unset
# perms: unset
# The first rule names the attribute test5a as its target; the second
# names the member type test5t, which a direct query on test5a presumably
# must not return.
attribute test5a;
type test5s;
type test5t, test5a;
allowxperm test5s test5a:infoflow ioctl 0x9999;
allowxperm test5s test5t:infoflow ioctl 0x9999;

# test 6
# ruletype: unset
# source: unset
# target: test6t, indirect, no regex
# class: unset
# perms: unset
# test6t is a member of test6a.  One rule names the attribute and one
# names the type, so an indirect target query on test6t presumably
# returns both.
attribute test6a;
type test6s;
type test6t, test6a;
allowxperm test6s test6a:infoflow ioctl 0x9999;
allowxperm test6s test6t:infoflow ioctl 0x1111;

# test 7
# ruletype: unset
# source: unset
# target: test7a.*, direct, regex
# class: unset
# perms: unset
# Target-side counterpart of test 3: only test7aPASS appears as a rule
# target and matches the regex.  test7aFAIL matches the regex by name but
# is never a rule target (its attribute test7b is), and test7t does not
# match the regex.
attribute test7aPASS;
attribute test7b;
type test7s;
type test7t, test7aPASS;
type test7aFAIL, test7b;
allowxperm test7s  test7t:infoflow ioctl 0x9999;
allowxperm test7s test7aPASS:infoflow ioctl 0x1111;
allowxperm test7s  test7b:infoflow ioctl 0x5555;

# test 8
# ruletype: unset
# source: unset
# target: test8(s|t), indirect, regex
# class: unset
# perms: unset
# Target-side counterpart of test 4: test8s1 and test8t1 match the regex
# and are members of the attributes the first two rules target.  test8FAIL
# has a rule of its own but does not match the regex.
attribute test8a1;
attribute test8a2;
type test8s1, test8a1;
type test8t1, test8a2;
type test8FAIL;
allowxperm test8a1 test8a1:infoflow ioctl 0x9999;
allowxperm test8a2 test8a2:infoflow ioctl 0x1111;
allowxperm test8FAIL self:infoflow ioctl 0x5555;

# test 10
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4, no regex
# perms: unset
# Three rules on three classes; the one on infoflow is outside the class
# set and presumably must not be returned.  The infoflow3 rule uses the
# single ioctl value 0x0.
type test10;
allowxperm test10 self:infoflow ioctl 0x9999;
allowxperm test10 self:infoflow4 ioctl 0x9999;
allowxperm test10 self:infoflow3 ioctl 0x0;

# test 11
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# perms: unset
# Regex counterpart of test 10: the infoflow5 and infoflow6 rules match
# the class pattern, the infoflow rule does not.
type test11;
allowxperm test11 self:infoflow ioctl 0x9999;
allowxperm test11 self:infoflow5 ioctl 0x1111;
allowxperm test11 self:infoflow6 ioctl 0x5555;

# test 14
# ruletype: dontauditxperm,auditallowxperm
# source: unset
# target: unset
# class: unset
# perms: unset
# One rule of each audit-related xperm rule type on the same type and
# class, distinguishable by their ioctl values (0x1234 vs 0x4321).
type test14;
auditallowxperm test14 self:infoflow7 ioctl 0x1234;
dontauditxperm test14 self:infoflow7 ioctl 0x4321;

# test 100
# ruletype: neverallow, neverallowxperm
# source: unset
# target: unset
# class: unset
# perms: ioctl (standard)
# A standard-permission neverallow (ioctl plus hi_w) and an
# extended-permission neverallowxperm on the same class.  The "(standard)"
# in the perms line marks that the query filters on the ordinary ioctl
# permission, not on ioctl xperm values.
type test100;
neverallow test100 system:infoflow2 { ioctl hi_w };
neverallowxperm test100 self:infoflow2 ioctl 0x1234;

# test 101
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: 0x9011-0x9013
# Four rules whose ioctl sets sit in different relations to the queried
# range 0x9011-0x9013:
#   test101a - a single value inside the range
#   test101b - a proper sub-range
#   test101c - exactly the queried range
#   test101d - a super-range extending one value past it
type test101a;
type test101b;
type test101c;
type test101d;
allowxperm test101a self:infoflow7 ioctl 0x9011;
allowxperm test101b self:infoflow7 ioctl { 0x9011-0x9012 };
allowxperm test101c self:infoflow7 ioctl { 0x9011-0x9013 };
allowxperm test101d self:infoflow7 ioctl { 0x9011-0x9014 };

############# END XPERM ############################

# Boilerplate needed for the policy to build: a role, a user and the
# labeling statements, all using the single "system" identifier.
role system;
role system types system;

#users
# Default level med; clearance range from low_s up to high_s with the
# categories here through elsewhere (via the "lost" alias).
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
# hi_w on infoflow requires the same user on both sides.
constrain infoflow hi_w (u1 == u2);

#isids
# Contexts for the two initial SIDs declared at the top of the file.
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

# Interface context followed by the default packet context.
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

# IPv4 and IPv6 loopback addresses, each with a full host mask.
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here