1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class file
class system
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
class file
{
read
write
append
execute
execute_no_trans
}
class system
{
module_load
}
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
attribute domain;
type domain1, domain;
type domain2, domain;
type unconfined, domain;
attribute empty_source_attr;
attribute empty_target_attr;
attribute files;
attribute exempt_files_attr;
type exempt_file, files;
type kmodfile1, files, exempt_files_attr;
type kmodfile2, files, exempt_files_attr;
# Baseline read-only kmod:
type rokmod, files;
allow domain self:system module_load;
allow domain rokmod:system module_load;
# Baseline non-module file (kmod due to unconfined):
type nonkmod, files;
allow domain nonkmod:file read;
# Unconfined
allow unconfined self:system module_load;
allow unconfined files:system module_load;
# writer
allow domain1 kmodfile1:file write;
allow domain2 self:system module_load;
allow domain2 kmodfile1:system module_load;
# appender
allow domain2 kmodfile2:file append;
allow domain1 self:system module_load;
allow domain1 kmodfile2:system module_load;
# empty attrs
allow empty_source_attr self:system module_load;
allow empty_source_attr nonkmod:file { read write append };
allow empty_source_attr nonkmod:system module_load;
allow domain1 self:system module_load;
allow domain1 empty_target_attr:file { read write append };
allow domain1 empty_target_attr:system module_load;
################################################################################
#users
user system roles system level med range low_s - high_s:here.lost;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
|
