1# FLASK 2 3# 4# Define the security object classes 5# 6 7class security 8class process 9class system 10class capability 11 12# file-related classes 13class filesystem 14class file 15class dir 16class fd 17class lnk_file 18class chr_file 19class blk_file 20class sock_file 21class fifo_file 22 23# network-related classes 24class socket 25class tcp_socket 26class udp_socket 27class rawip_socket 28class node 29class netif 30class netlink_socket 31class packet_socket 32class key_socket 33class unix_stream_socket 34class unix_dgram_socket 35 36# sysv-ipc-related clases 37class sem 38class msg 39class msgq 40class shm 41class ipc 42 43# FLASK 44# FLASK 45 46# 47# Define initial security identifiers 48# 49 50sid kernel 51 52 53# FLASK 54# 55# Define common prefixes for access vectors 56# 57# common common_name { permission_name ... } 58 59 60# 61# Define a common prefix for file access vectors. 62# 63 64common file 65{ 66 ioctl 67 read 68 write 69 create 70 getattr 71 setattr 72 lock 73 relabelfrom 74 relabelto 75 append 76 unlink 77 link 78 rename 79 execute 80 swapon 81 quotaon 82 mounton 83} 84 85 86# 87# Define a common prefix for socket access vectors. 88# 89 90common socket 91{ 92# inherited from file 93 ioctl 94 read 95 write 96 create 97 getattr 98 setattr 99 lock 100 relabelfrom 101 relabelto 102 append 103# socket-specific 104 bind 105 connect 106 listen 107 accept 108 getopt 109 setopt 110 shutdown 111 recvfrom 112 sendto 113 recv_msg 114 send_msg 115 name_bind 116} 117 118# 119# Define a common prefix for ipc access vectors. 120# 121 122common ipc 123{ 124 create 125 destroy 126 getattr 127 setattr 128 read 129 write 130 associate 131 unix_read 132 unix_write 133} 134 135# 136# Define the access vectors. 137# 138# class class_name [ inherits common_name ] { permission_name ... } 139 140 141# 142# Define the access vector interpretation for file-related objects. 143# 144 145class filesystem 146{ 147 mount 148 remount 149 unmount 150 getattr 151 relabelfrom 152 relabelto 153 transition 154 associate 155 quotamod 156 quotaget 157} 158 159class dir 160inherits file 161{ 162 add_name 163 remove_name 164 reparent 165 search 166 rmdir 167} 168 169class file 170inherits file 171{ 172 execute_no_trans 173 entrypoint 174} 175 176class lnk_file 177inherits file 178 179class chr_file 180inherits file 181 182class blk_file 183inherits file 184 185class sock_file 186inherits file 187 188class fifo_file 189inherits file 190 191class fd 192{ 193 use 194} 195 196 197# 198# Define the access vector interpretation for network-related objects. 199# 200 201class socket 202inherits socket 203 204class tcp_socket 205inherits socket 206{ 207 connectto 208 newconn 209 acceptfrom 210} 211 212class udp_socket 213inherits socket 214 215class rawip_socket 216inherits socket 217 218class node 219{ 220 tcp_recv 221 tcp_send 222 udp_recv 223 udp_send 224 rawip_recv 225 rawip_send 226 enforce_dest 227} 228 229class netif 230{ 231 tcp_recv 232 tcp_send 233 udp_recv 234 udp_send 235 rawip_recv 236 rawip_send 237} 238 239class netlink_socket 240inherits socket 241 242class packet_socket 243inherits socket 244 245class key_socket 246inherits socket 247 248class unix_stream_socket 249inherits socket 250{ 251 connectto 252 newconn 253 acceptfrom 254} 255 256class unix_dgram_socket 257inherits socket 258 259 260# 261# Define the access vector interpretation for process-related objects 262# 263 264class process 265{ 266 fork 267 transition 268 sigchld # commonly granted from child to parent 269 sigkill # cannot be caught or ignored 270 sigstop # cannot be caught or ignored 271 signull # for kill(pid, 0) 272 signal # all other signals 273 ptrace 274 getsched 275 setsched 276 getsession 277 getpgid 278 setpgid 279 getcap 280 setcap 281 share 282} 283 284 285# 286# Define the access vector interpretation for ipc-related objects 287# 288 289class ipc 290inherits ipc 291 292class sem 293inherits ipc 294 295class msgq 296inherits ipc 297{ 298 enqueue 299} 300 301class msg 302{ 303 send 304 receive 305} 306 307class shm 308inherits ipc 309{ 310 lock 311} 312 313 314# 315# Define the access vector interpretation for the security server. 316# 317 318class security 319{ 320 compute_av 321 transition_sid 322 member_sid 323 sid_to_context 324 context_to_sid 325 load_policy 326 get_sids 327 change_sid 328 get_user_sids 329} 330 331 332# 333# Define the access vector interpretation for system operations. 334# 335 336class system 337{ 338 ipc_info 339 avc_toggle 340 nfsd_control 341 bdflush 342 syslog_read 343 syslog_mod 344 syslog_console 345 ichsid 346} 347 348# 349# Define the access vector interpretation for controling capabilies 350# 351 352class capability 353{ 354 # The capabilities are defined in include/linux/capability.h 355 # Care should be taken to ensure that these are consistent with 356 # those definitions. (Order matters) 357 358 chown 359 dac_override 360 dac_read_search 361 fowner 362 fsetid 363 kill 364 setgid 365 setuid 366 setpcap 367 linux_immutable 368 net_bind_service 369 net_broadcast 370 net_admin 371 net_raw 372 ipc_lock 373 ipc_owner 374 sys_module 375 sys_rawio 376 sys_chroot 377 sys_ptrace 378 sys_pacct 379 sys_admin 380 sys_boot 381 sys_nice 382 sys_resource 383 sys_time 384 sys_tty_config 385 mknod 386 lease 387} 388 389ifdef(`enable_mls',` 390sensitivity s0; 391 392# 393# Define the ordering of the sensitivity levels (least to greatest) 394# 395dominance { s0 } 396 397 398# 399# Define the categories 400# 401# Each category has a name and zero or more aliases. 402# 403category c0; category c1; category c2; category c3; 404category c4; category c5; category c6; category c7; 405category c8; category c9; category c10; category c11; 406category c12; category c13; category c14; category c15; 407category c16; category c17; category c18; category c19; 408category c20; category c21; category c22; category c23; 409 410level s0:c0.c23; 411 412mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } 413 ( h1 dom h2 ); 414') 415 416#################################### 417#################################### 418##################################### 419# TE RULES 420attribute domain; 421attribute system; 422attribute foo; 423attribute num; 424attribute num_exec; 425attribute files; 426 427type net_foo_t, foo; 428type sys_foo_t, foo, system; 429role system_r types sys_foo_t; 430 431type user_t, domain; 432role user_r types user_t; 433 434type sysadm_t, domain, system; 435role sysadm_r types sysadm_t; 436 437type system_t, domain, system, foo; 438role system_r types { system_t sys_foo_t }; 439 440type file_t; 441type file_exec_t, files; 442type fs_t; 443type base_optional_1; 444type base_optional_2; 445 446allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint }; 447 448optional { 449 require { 450 type base_optional_1, base_optional_2; 451 } 452 allow base_optional_1 base_optional_2 : file { read write }; 453} 454 455##################################### 456# Role Allow 457allow user_r sysadm_r; 458 459#################################### 460# Booleans 461bool allow_ypbind true; 462bool secure_mode false; 463bool allow_execheap false; 464bool allow_execmem true; 465bool allow_execmod false; 466bool allow_execstack true; 467bool optional_bool_1 true; 468bool optional_bool_2 false; 469 470##################################### 471# users 472gen_user(system_u,, system_r, s0, s0 - s0:c0.c23) 473gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) 474gen_user(joe,, user_r, s0, s0 - s0:c0.c23) 475 476##################################### 477# constraints 478 479 480#################################### 481#line 1 "initial_sid_contexts" 482 483sid kernel gen_context(system_u:system_r:sys_foo_t, s0) 484 485 486############################################ 487#line 1 "fs_use" 488# 489fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); 490fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); 491fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); 492 493 494genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0) 495 496 497#################################### 498#line 1 "net_contexts" 499 500#portcon tcp 21 system_u:object_r:net_foo_t:s0 501 502#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 503 504# 505#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 506 507nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0) 508 509 510 511 512