1# FLASK
2
3#
4# Define the security object classes
5#
6
7class security
8class process
9class system
10class capability
11
12# file-related classes
13class filesystem
14class file
15class dir
16class fd
17class lnk_file
18class chr_file
19class blk_file
20class sock_file
21class fifo_file
22
23# network-related classes
24class socket
25class tcp_socket
26class udp_socket
27class rawip_socket
28class node
29class netif
30class netlink_socket
31class packet_socket
32class key_socket
33class unix_stream_socket
34class unix_dgram_socket
35
36# sysv-ipc-related clases
37class sem
38class msg
39class msgq
40class shm
41class ipc
42
43# FLASK
44# FLASK
45
46#
47# Define initial security identifiers
48#
49
50sid kernel
51
52
53# FLASK
54#
55# Define common prefixes for access vectors
56#
57# common common_name { permission_name ... }
58
59
60#
61# Define a common prefix for file access vectors.
62#
63
64common file
65{
66	ioctl
67	read
68	write
69	create
70	getattr
71	setattr
72	lock
73	relabelfrom
74	relabelto
75	append
76	unlink
77	link
78	rename
79	execute
80	swapon
81	quotaon
82	mounton
83}
84
85
86#
87# Define a common prefix for socket access vectors.
88#
89
90common socket
91{
92# inherited from file
93	ioctl
94	read
95	write
96	create
97	getattr
98	setattr
99	lock
100	relabelfrom
101	relabelto
102	append
103# socket-specific
104	bind
105	connect
106	listen
107	accept
108	getopt
109	setopt
110	shutdown
111	recvfrom
112	sendto
113	recv_msg
114	send_msg
115	name_bind
116}
117
118#
119# Define a common prefix for ipc access vectors.
120#
121
122common ipc
123{
124	create
125	destroy
126	getattr
127	setattr
128	read
129	write
130	associate
131	unix_read
132	unix_write
133}
134
135#
136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147	mount
148	remount
149	unmount
150	getattr
151	relabelfrom
152	relabelto
153	transition
154	associate
155	quotamod
156	quotaget
157}
158
159class dir
160inherits file
161{
162	add_name
163	remove_name
164	reparent
165	search
166	rmdir
167}
168
169class file
170inherits file
171{
172	execute_no_trans
173	entrypoint
174}
175
176class lnk_file
177inherits file
178
179class chr_file
180inherits file
181
182class blk_file
183inherits file
184
185class sock_file
186inherits file
187
188class fifo_file
189inherits file
190
191class fd
192{
193	use
194}
195
196
197#
198# Define the access vector interpretation for network-related objects.
199#
200
201class socket
202inherits socket
203
204class tcp_socket
205inherits socket
206{
207	connectto
208	newconn
209	acceptfrom
210}
211
212class udp_socket
213inherits socket
214
215class rawip_socket
216inherits socket
217
218class node
219{
220	tcp_recv
221	tcp_send
222	udp_recv
223	udp_send
224	rawip_recv
225	rawip_send
226	enforce_dest
227}
228
229class netif
230{
231	tcp_recv
232	tcp_send
233	udp_recv
234	udp_send
235	rawip_recv
236	rawip_send
237}
238
239class netlink_socket
240inherits socket
241
242class packet_socket
243inherits socket
244
245class key_socket
246inherits socket
247
248class unix_stream_socket
249inherits socket
250{
251	connectto
252	newconn
253	acceptfrom
254}
255
256class unix_dgram_socket
257inherits socket
258
259
260#
261# Define the access vector interpretation for process-related objects
262#
263
264class process
265{
266	fork
267	transition
268	sigchld # commonly granted from child to parent
269	sigkill # cannot be caught or ignored
270	sigstop # cannot be caught or ignored
271	signull # for kill(pid, 0)
272	signal  # all other signals
273	ptrace
274	getsched
275	setsched
276	getsession
277	getpgid
278	setpgid
279	getcap
280	setcap
281	share
282}
283
284
285#
286# Define the access vector interpretation for ipc-related objects
287#
288
289class ipc
290inherits ipc
291
292class sem
293inherits ipc
294
295class msgq
296inherits ipc
297{
298	enqueue
299}
300
301class msg
302{
303	send
304	receive
305}
306
307class shm
308inherits ipc
309{
310	lock
311}
312
313
314#
315# Define the access vector interpretation for the security server.
316#
317
318class security
319{
320	compute_av
321	transition_sid
322	member_sid
323	sid_to_context
324	context_to_sid
325	load_policy
326	get_sids
327	change_sid
328	get_user_sids
329}
330
331
332#
333# Define the access vector interpretation for system operations.
334#
335
336class system
337{
338	ipc_info
339	avc_toggle
340	nfsd_control
341	bdflush
342	syslog_read
343	syslog_mod
344	syslog_console
345	ichsid
346}
347
348#
349# Define the access vector interpretation for controling capabilies
350#
351
352class capability
353{
354	# The capabilities are defined in include/linux/capability.h
355	# Care should be taken to ensure that these are consistent with
356	# those definitions. (Order matters)
357
358	chown
359	dac_override
360	dac_read_search
361	fowner
362	fsetid
363	kill
364	setgid
365	setuid
366	setpcap
367	linux_immutable
368	net_bind_service
369	net_broadcast
370	net_admin
371	net_raw
372	ipc_lock
373	ipc_owner
374	sys_module
375	sys_rawio
376	sys_chroot
377	sys_ptrace
378	sys_pacct
379	sys_admin
380	sys_boot
381	sys_nice
382	sys_resource
383	sys_time
384	sys_tty_config
385	mknod
386	lease
387}
388
389ifdef(`enable_mls',`
390sensitivity s0;
391
392#
393# Define the ordering of the sensitivity levels (least to greatest)
394#
395dominance { s0 }
396
397
398#
399# Define the categories
400#
401# Each category has a name and zero or more aliases.
402#
403category c0; category c1; category c2; category c3;
404category c4; category c5; category c6; category c7;
405category c8; category c9; category c10; category c11;
406category c12; category c13; category c14; category c15;
407category c16; category c17; category c18; category c19;
408category c20; category c21; category c22; category c23;
409
410level s0:c0.c23;
411
412mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
413	( h1 dom h2 );
414')
415
416####################################
417####################################
418#####################################
419
420#g_b stands for global base
421
422type g_b_type_1;
423role g_b_role_1 types g_b_type_1;
424
425role g_b_role_2 types g_b_type_1;
426role g_b_role_3 types g_b_type_1;
427type g_b_type_2;
428
429optional {
430	require {
431		type invalid_type;
432	}
433	allow g_b_role_2 g_b_role_3;
434	role_transition g_b_role_2 g_b_type_2 g_b_role_3;
435}
436
437
438gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
439
440####################################
441#line 1 "initial_sid_contexts"
442
443sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
444
445
446############################################
447#line 1 "fs_use"
448#
449fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
450fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
451fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
452
453
454genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)
455
456
457####################################
458#line 1 "net_contexts"
459
460#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
461
462#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
463
464#
465#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
466
467nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
468
469
470
471
472