# FLASK
#
# Define the security object classes
#
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related clases
class sem
class msg
class msgq
class shm
class ipc
# FLASK
# FLASK
#
# Define initial security identifiers
#
sid kernel
# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class udp_socket
inherits socket
class rawip_socket
inherits socket
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
transition_sid
member_sid
sid_to_context
context_to_sid
load_policy
get_sids
change_sid
get_user_sids
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
avc_toggle
nfsd_control
bdflush
syslog_read
syslog_mod
syslog_console
ichsid
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
}
ifdef(`enable_mls',`
sensitivity s0;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;
level s0:c0.c23;
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 );
')
####################################
####################################
#####################################
#g_b stands for global base
type enable_optional;
#decorative type for finding this decl, every block should have one
type tag_g_b;
attribute g_b_attr_1;
attribute g_b_attr_2;
attribute g_b_attr_3;
attribute g_b_attr_4;
attribute g_b_attr_5;
attribute g_b_attr_6;
type g_b_type_1, g_b_attr_1;
type g_b_type_2, g_b_attr_2;
type g_b_type_3;
role g_b_role_1;
role g_b_role_2;
role g_b_role_3;
role g_b_role_4;
role g_b_role_1 types g_b_type_1;
role g_b_role_2 types g_b_type_2;
role g_b_role_3 types g_b_type_2;
role g_b_role_4 types g_b_type_2;
bool g_b_bool_1 false;
bool g_b_bool_2 true;
allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
allow g_b_type_1 g_b_type_2 : file *; # test *
allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
typealias g_b_type_3 alias g_b_alias_1;
if (g_b_bool_1) {
allow g_b_type_1 g_b_type_2: lnk_file read;
}
optional {
require {
type enable_optional;
attribute g_m1_attr_2;
}
type tag_o1_b;
attribute o1_b_attr_1;
type o1_b_type_1, o1_b_attr_1;
bool o1_b_bool_1 true;
role o1_b_role_1;
role o1_b_role_1 types o1_b_type_1;
role o1_b_role_2;
role o1_b_role_2 types o1_b_type_1;
attribute o1_b_attr_2;
type o1_b_type_2, g_m1_attr_2;
if (o1_b_bool_1) {
allow o1_b_type_1 o1_b_type_2: lnk_file write;
}
}
optional {
require {
# this should be activated by module 1
type g_m1_type_1;
attribute o3_m1_attr_2;
}
type tag_o2_b;
type o2_b_type_1, o3_m1_attr_2;
}
optional {
require {
#this block should not come on
type invalid_type;
}
type tag_o3_b;
attribute o3_b_attr_1;
type o3_b_type_1;
bool o3_b_bool_1 true;
role o3_b_role_1;
role o3_b_role_1 types o3_b_type_1;
allow g_b_type_1 invalid_type : sem { create destroy };
}
optional {
require {
# also should be enabled by module 1
type enable_optional;
type g_m1_type_1;
attribute o3_m1_attr_1;
attribute g_m1_attr_3;
}
type tag_o4_b;
attribute o4_b_attr_1;
role o4_b_role_1;
role o4_b_role_1 types g_m1_type_1;
# test for attr declared in module optional, added to in base optional
type o4_b_type_1, o3_m1_attr_1;
type o4_b_type_2, g_m1_attr_3;
}
optional {
require {
attribute g_m1_attr_4;
attribute o4_m1_attr_1;
}
type tag_o5_b;
type o5_b_type_1, g_m1_attr_4;
type o5_b_type_2, o4_m1_attr_1;
}
optional {
require {
type enable_optional;
}
type tag_o6_b;
typealias g_b_type_3 alias g_b_alias_2;
}
optional {
require {
type g_m_alias_1;
}
type tag_o7_b;
allow g_m_alias_1 enable_optional:file read;
}
gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
####################################
#line 1 "initial_sid_contexts"
sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
############################################
#line 1 "fs_use"
#
fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
####################################
#line 1 "net_contexts"
#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
#
#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)