1# FLASK
2
3#
4# Define the security object classes
5#
6
# Only the class names are introduced here; each class's permission set
# (its access vector) is defined further down in this file.  checkpolicy
# numbers classes in declaration order and the kernel's own class table
# must agree with that numbering, so do not reorder or insert entries.
7class security
8class process
9class system
10class capability
11
12# file-related classes
13class filesystem
14class file
15class dir
16class fd
17class lnk_file
18class chr_file
19class blk_file
20class sock_file
21class fifo_file
22
23# network-related classes
24class socket
25class tcp_socket
26class udp_socket
27class rawip_socket
28class node
29class netif
30class netlink_socket
31class packet_socket
32class key_socket
33class unix_stream_socket
34class unix_dgram_socket
35
36# sysv-ipc-related classes
37class msg
38class msgq
39class shm
40class ipc
41
42# FLASK
43# FLASK
44
45#
46# Define initial security identifiers
47#
48
# Initial SID: a fixed identifier the kernel uses before policy-derived
# contexts exist.  Only the name is declared here; its security context is
# assigned in the "initial_sid_contexts" section later in this file.
49sid kernel
50
51
52# FLASK
53#
54# Define common prefixes for access vectors
55#
56# common common_name { permission_name ... }
57
58
59#
60# Define a common prefix for file access vectors.
61#
62
# Permission set shared by every class that says "inherits file" below
# (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file).
# Note that "inherits file" refers to this common, not to "class file".
63common file
64{
65	ioctl
66	read
67	write
68	create
69	getattr
70	setattr
71	lock
72	relabelfrom
73	relabelto
74	append
75	unlink
76	link
77	rename
78	execute
	# The remaining three are privileged uses of a file as a backing object
	# (swap area, quota file, mount point) rather than ordinary file I/O.
79	swapon
80	quotaon
81	mounton
82}
83
84
85#
86# Define a common prefix for socket access vectors.
87#
88
# Permission set shared by every class that says "inherits socket" below.
89common socket
90{
91# same names as the first ten permissions of common file; they are listed
91# again rather than inherited, because a common has no inherits clause
91# (see the grammar note above: common common_name { permission_name ... })
92	ioctl
93	read
94	write
95	create
96	getattr
97	setattr
98	lock
99	relabelfrom
100	relabelto
101	append
102# socket-specific
103	bind
104	connect
105	listen
106	accept
107	getopt
108	setopt
109	shutdown
110	recvfrom
111	sendto
112	recv_msg
113	send_msg
	# name_bind: checked against the port/name object when binding,
	# in addition to the bind permission on the socket itself.
114	name_bind
115}
116
117#
118# Define a common prefix for ipc access vectors.
119#
120
# Permission set shared by the SysV IPC classes that say "inherits ipc"
# below (ipc, msgq, shm).  "class msg" does not inherit it.
121common ipc
122{
123	create
124	destroy
125	getattr
126	setattr
127	read
128	write
129	associate
	# unix_read / unix_write: the classic DAC-style read/write checks on an
	# IPC object, kept separate from the MAC read/write permissions above.
130	unix_read
131	unix_write
132}
133
134#
135# Define the access vectors.
136#
137# class class_name [ inherits common_name ] { permission_name ... }
138
139
140#
141# Define the access vector interpretation for file-related objects.
142#
143
# filesystem has no common; its permissions cover whole-filesystem
# operations rather than per-file access.
144class filesystem
145{
146	mount
147	remount
148	unmount
149	getattr
150	relabelfrom
151	relabelto
	# transition / associate: whether a file of some type may be created on
	# (associated with) a filesystem of this type.
152	transition
153	associate
154	quotamod
155	quotaget
156}
157
# "inherits file" pulls in the permissions of "common file" (defined above),
# not those of "class file"; the braces add the directory-only permissions.
158class dir
159inherits file
160{
161	add_name
162	remove_name
163	reparent
164	search
165	rmdir
166}
167
168class file
169inherits file
170{
	# execute_no_trans: execute the file while staying in the calling domain.
	# entrypoint: the file may serve as the entry point of a domain
	# transition (used together with process transition; see the
	# "allow sysadm_t file_exec_t: file { ... entrypoint }" rule below).
171	execute_no_trans
172	entrypoint
173}
174
# The following special-file classes carry exactly the common file
# permissions and add nothing of their own.
175class lnk_file
176inherits file
177
178class chr_file
179inherits file
180
181class blk_file
182inherits file
183
184class sock_file
185inherits file
186
187class fifo_file
188inherits file
189
# fd: a single permission controlling whether a domain may use an open
# file descriptor it received from another domain.
190class fd
191{
192	use
193}
194
195
196#
197# Define the access vector interpretation for network-related objects.
198#
199
# The generic socket class carries exactly the common socket permissions.
200class socket
201inherits socket
202
# Stream-oriented classes (tcp_socket, unix_stream_socket) add connection
# permissions: connectto is checked on the listening peer, newconn /
# acceptfrom on the connection that results.
203class tcp_socket
204inherits socket
205{
206	connectto
207	newconn
208	acceptfrom
209}
210
211class udp_socket
212inherits socket
213
214class rawip_socket
215inherits socket
216
# node and netif have no common; their permissions are per-protocol
# send/receive checks on a network node (address) or interface.
217class node
218{
219	tcp_recv
220	tcp_send
221	udp_recv
222	udp_send
223	rawip_recv
224	rawip_send
	# enforce_dest: only on node, not on netif.
225	enforce_dest
226}
227
228class netif
229{
230	tcp_recv
231	tcp_send
232	udp_recv
233	udp_send
234	rawip_recv
235	rawip_send
236}
237
238class netlink_socket
239inherits socket
240
241class packet_socket
242inherits socket
243
244class key_socket
245inherits socket
246
247class unix_stream_socket
248inherits socket
249{
250	connectto
251	newconn
252	acceptfrom
253}
254
255class unix_dgram_socket
256inherits socket
257
258
259#
260# Define the access vector interpretation for process-related objects
261#
262
# process has no common.  Subject here is the acting process, target is
# the process being acted on (or the new domain, for transition).
263class process
264{
265	fork
	# transition: change the process's security context (domain transition);
	# the executed file additionally needs the entrypoint permission of
	# class file in the new domain.
266	transition
267	sigchld # commonly granted from child to parent
268	sigkill # cannot be caught or ignored
269	sigstop # cannot be caught or ignored
270	signull # for kill(pid, 0)
271	signal  # all other signals
	# ptrace allows full inspection and control of the target; treat it as
	# equivalent to the target's own privileges when writing rules.
272	ptrace
273	getsched
274	setsched
275	getsession
276	getpgid
277	setpgid
278	getcap
279	setcap
	# share: NOTE(review) presumably sharing of state (e.g. clone flags)
	# between the two processes -- confirm against the kernel hook.
280	share
281}
282
283
284#
285# Define the access vector interpretation for ipc-related objects
286#
287
# The generic ipc class carries exactly the common ipc permissions.
288class ipc
289inherits ipc
290
291class msgq
292inherits ipc
293{
	# enqueue: place a message on this queue (checked on the queue object;
	# the message object itself is checked with msg send below).
294	enqueue
295}
296
# msg does not inherit common ipc: a message has only a send permission.
297class msg
298{
299	send
300}
301
302class shm
303inherits ipc
304{
	# lock: pin/unpin the shared segment in memory.
305	lock
306}
307
308
309#
310# Define the access vector interpretation for the security server.
311#
312
# Permissions for talking to the security server itself.  Whoever holds
# load_policy can replace the running policy, and change_sid / get_sids
# expose the policy's internals, so these should be granted to as few
# domains as possible.
313class security
314{
315	compute_av
316	transition_sid
317	member_sid
318	sid_to_context
319	context_to_sid
320	load_policy
321	get_sids
322	change_sid
323	get_user_sids
324}
325
326
327#
328# Define the access vector interpretation for system operations.
329#
330
# Miscellaneous system-wide operations that have no object of their own.
331class system
332{
333	ipc_info
	# avc_toggle: NOTE(review) presumably switches the AVC between
	# enforcing and permissive -- confirm; if so it is as sensitive as
	# security load_policy.
334	avc_toggle
335	nfsd_control
336	bdflush
	# The three syslog permissions split reading the kernel log, modifying
	# it (clearing etc.) and controlling console logging.
337	syslog_read
338	syslog_mod
339	syslog_console
340	ichsid
341}
342
343#
344# Define the access vector interpretation for controlling capabilities
345#
346
347class capability
348{
349	# The capabilities are defined in include/linux/capability.h
350	# Care should be taken to ensure that these are consistent with
351	# those definitions. (Order matters)
	#
	# Concretely: the position of each name here (chown = 0 ... lease = 28)
	# is the CAP_* number the kernel passes in the access check, so the
	# list must stay in capability.h order.  Only the 29 capabilities up
	# to CAP_LEASE are listed; a kernel that defines further capabilities
	# has no permission bit for them in this class.
352
353	chown
354	dac_override
355	dac_read_search
356	fowner
357	fsetid
358	kill
359	setgid
360	setuid
361	setpcap
362	linux_immutable
363	net_bind_service
364	net_broadcast
365	net_admin
366	net_raw
367	ipc_lock
368	ipc_owner
369	sys_module
370	sys_rawio
371	sys_chroot
372	sys_ptrace
373	sys_pacct
374	sys_admin
375	sys_boot
376	sys_nice
377	sys_resource
378	sys_time
379	sys_tty_config
380	mknod
381	lease
382}
383
# MLS section, emitted only when the m4 symbol enable_mls is defined at
# build time.  It declares a single sensitivity with 24 categories and one
# constraint.
384ifdef(`enable_mls',`
385sensitivity s0;
386
387#
388# Define the ordering of the sensitivity levels (least to greatest)
389#
390dominance { s0 }
391
392
393#
394# Define the categories
395#
396# Each category has a name and zero or more aliases.
397#
398category c0; category c1; category c2; category c3;
399category c4; category c5; category c6; category c7;
400category c8; category c9; category c10; category c11;
401category c12; category c13; category c14; category c15;
402category c16; category c17; category c18; category c19;
403category c20; category c21; category c22; category c23;
404
# Declares the valid level s0 together with the full category set c0..c23.
405level s0:c0.c23;
406
# For the listed (mostly write-like) file permissions, the subject's high
# level (h1) must dominate the object's high level (h2).  read and getattr
# are deliberately not in this list, so this constraint does not implement
# a read-down restriction.
407mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
408	( h1 dom h2 );
409')
410
411####################################
412####################################
413#####################################
414# TE RULES
# Attributes used to group types below.  Note that the attribute "system"
# is unrelated to the role "system_r" and to "class system".
415attribute domain;
416attribute system;
417attribute foo;
418attribute num;
419attribute num_exec;
420attribute files;
421
422type net_foo_t, foo;
423type sys_foo_t, foo, system;
# system_r is declared again further down with an extended type set;
# both declarations apply.
424role system_r;
425role system_r types sys_foo_t;
426
427type user_t, domain;
428role user_r;
429role user_r types user_t;
430
431type sysadm_t, domain, system;
432role sysadm_r;
433role sysadm_r types sysadm_t;
434
435type system_t, domain, system, foo;
436role system_r;
437role system_r types { system_t sys_foo_t };
438
439type file_t;
440type file_exec_t, files;
441type fs_t;
# Declared in the base policy so that the optional block below can
# require them.
442type base_optional_1;
443type base_optional_2;
444
# sysadm_t may both write and execute/enter file_exec_t, i.e. it can
# modify a binary it later executes as an entry point.  Acceptable for a
# test policy; in a real policy write and entrypoint on the same type are
# normally kept apart.
445allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
446
# Optional block: its rule is kept only if the required types resolve
# (they always do here, as they are declared just above).
447optional {
448	require {
449		type base_optional_1, base_optional_2;
450	}
451	allow base_optional_1 base_optional_2 : file { read write };
452}
453
454#####################################
455# Role Allow
# Role allow: a process in user_r may change to sysadm_r.  This only
# authorizes the role change; the accompanying type change still needs
# its own process transition / file entrypoint rules.
456allow user_r sysadm_r;
457
458####################################
459# Booleans
# Booleans with their default values.  No conditional (if ...) rule in
# this file references any of them, so within the visible policy they are
# declared but inert; the names only suggest what a conditional rule
# elsewhere might toggle (e.g. executable heap/stack/anonymous memory).
460bool allow_ypbind true;
461bool secure_mode false;
462bool allow_execheap false;
463bool allow_execmem true;
464bool allow_execmod false;
465bool allow_execstack true;
466bool optional_bool_1 true;
467bool optional_bool_2 false;
468
469#####################################
470# users
# gen_user is an m4 macro (not defined in this file); from its use here
# the arguments appear to be: user name, (unused), authorized roles,
# default MLS level, MLS range.  All three users get the full category
# range s0 - s0:c0.c23, i.e. no user is limited to a subset of categories.
# root is the only user authorized for both user_r and sysadm_r.
471gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
472gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
473gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
474
475#####################################
476# constraints
477
478
479####################################
480#line 1 "initial_sid_contexts"
481
# Context for the kernel initial SID declared earlier.  system_r is
# authorized for sys_foo_t by the "role system_r types" rules above, so
# the context is valid under this policy.  gen_context is an m4 macro
# that drops the level argument when MLS is not enabled.
482sid kernel	gen_context(system_u:system_r:sys_foo_t, s0)
483
484
485############################################
486#line 1 "fs_use"
487#
# These filesystems store labels in extended attributes; fs_t is the
# context of the filesystem object itself.
488fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
489fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
490fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
491
492
# proc cannot carry xattrs, so everything under / in proc is labeled
# with the single type sys_foo_t.
493genfscon proc /				gen_context(system_u:object_r:sys_foo_t, s0)
494
495
496####################################
497#line 1 "net_contexts"
498
# The commented-out entries use the older plain-context syntax instead of
# gen_context and are not part of the built policy.
499#portcon tcp 21 system_u:object_r:net_foo_t:s0
500
501#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
502
503#
504#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
505
# The mask FFFF:FFFF:FFFF:FFFF:: covers only the upper 64 bits, so this
# nodecon labels every address whose first 64 bits are zero (all of ::/64),
# not just the loopback address ::1.  If loopback alone was intended, the
# mask should be all 128 bits set, mirroring the 255.255.255.255 mask used
# in the IPv4 example above.
506nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
507
508
509
510
511