113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the security object classes 513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass security 813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass process 913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass system 1013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass capability 1113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# file-related classes 1313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass filesystem 1413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass file 1513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass dir 1613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fd 1713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass lnk_file 1813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass chr_file 1913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass blk_file 2013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sock_file 2113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fifo_file 2213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 2313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# network-related classes 2413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass socket 2513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass tcp_socket 2613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass udp_socket 2713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass rawip_socket 2813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass node 2913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netif 3013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netlink_socket 3113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass packet_socket 3213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass key_socket 3313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_stream_socket 3413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_dgram_socket 3513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 3613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# sysv-ipc-related clases 3713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sem 3813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msg 3913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msgq 4013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass shm 4113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass ipc 4213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 4313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 4413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 4513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 4613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 4713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define initial security identifiers 4813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 4913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesid kernel 5113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 5413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 5513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define common prefixes for access vectors 5613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 5713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# common common_name { permission_name ... } 5813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 6013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 6113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for file access vectors. 6213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 6313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 6413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon file 6513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 6613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ioctl 6713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 6813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 6913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 7013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 7113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 7213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 7313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 7413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 7513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle append 7613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unlink 7713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle link 7813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rename 7913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle execute 8013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle swapon 8113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotaon 8213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mounton 8313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 8413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 8513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 8613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 8713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for socket access vectors. 8813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 8913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 9013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon socket 9113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 9213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# inherited from file 9313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ioctl 9413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 9513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 9613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 9713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 9813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 9913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 10013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 10113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 10213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle append 10313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# socket-specific 10413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle bind 10513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connect 10613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle listen 10713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle accept 10813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getopt 10913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setopt 11013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle shutdown 11113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle recvfrom 11213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sendto 11313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle recv_msg 11413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle send_msg 11513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle name_bind 11613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 11713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 11813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 11913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for ipc access vectors. 12013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 12113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 12213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon ipc 12313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 12413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 12513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle destroy 12613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 12713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 12813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 12913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 13013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle associate 13113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unix_read 13213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unix_write 13313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 13413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 13513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 13613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vectors. 13713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 13813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# class class_name [ inherits common_name ] { permission_name ... } 13913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 14013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 14113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 14213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for file-related objects. 14313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 14413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 14513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass filesystem 14613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 14713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mount 14813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle remount 14913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unmount 15013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 15113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 15213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 15313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition 15413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle associate 15513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotamod 15613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotaget 15713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 15813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 15913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass dir 16013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 16113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 16213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle add_name 16313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle remove_name 16413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle reparent 16513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle search 16613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rmdir 16713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 16813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 16913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass file 17013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 17113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 17213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle execute_no_trans 17313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle entrypoint 17413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 17513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 17613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass lnk_file 17713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 17813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 17913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass chr_file 18013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass blk_file 18313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sock_file 18613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fifo_file 18913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 19013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fd 19213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 19313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle use 19413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 19513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 19813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for network-related objects. 19913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 20013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 20113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass socket 20213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 20313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 20413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass tcp_socket 20513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 20613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 20713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connectto 20813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newconn 20913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle acceptfrom 21013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 21113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass udp_socket 21313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 21413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass rawip_socket 21613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 21713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass node 21913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 22013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_recv 22113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_send 22213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_recv 22313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_send 22413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_recv 22513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_send 22613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle enforce_dest 22713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 22813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 22913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netif 23013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 23113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_recv 23213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_send 23313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_recv 23413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_send 23513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_recv 23613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_send 23713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 23813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 23913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netlink_socket 24013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass packet_socket 24313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass key_socket 24613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_stream_socket 24913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 25013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 25113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connectto 25213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newconn 25313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle acceptfrom 25413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 25513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 25613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_dgram_socket 25713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 25813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 25913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 26013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 26113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for process-related objects 26213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 26313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 26413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass process 26513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 26613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fork 26713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition 26813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigchld # commonly granted from child to parent 26913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigkill # cannot be caught or ignored 27013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigstop # cannot be caught or ignored 27113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle signull # for kill(pid, 0) 27213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle signal # all other signals 27313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ptrace 27413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getsched 27513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setsched 27613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getsession 27713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getpgid 27813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setpgid 27913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getcap 28013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setcap 28113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle share 28213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 28313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 28613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for ipc-related objects 28713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 28813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass ipc 29013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 29113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 29213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sem 29313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 29413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 29513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msgq 29613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 29713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 29813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle enqueue 29913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 30013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 30113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msg 30213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 30313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle send 30413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle receive 30513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 30613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 30713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass shm 30813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 30913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 31013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 31113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 31213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 31313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 31413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 31513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for the security server. 31613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 31713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 31813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass security 31913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 32013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle compute_av 32113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition_sid 32213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle member_sid 32313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sid_to_context 32413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle context_to_sid 32513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle load_policy 32613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle get_sids 32713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle change_sid 32813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle get_user_sids 32913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 33013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 33113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 33213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 33313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for system operations. 33413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 33513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 33613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass system 33713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 33813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_info 33913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avc_toggle 34013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle nfsd_control 34113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle bdflush 34213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_read 34313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_mod 34413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_console 34513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ichsid 34613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 34713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 34813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 34913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for controling capabilies 35013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 35113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 35213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass capability 35313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 35413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # The capabilities are defined in include/linux/capability.h 35513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # Care should be taken to ensure that these are consistent with 35613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # those definitions. (Order matters) 35713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 35813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle chown 35913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle dac_override 36013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle dac_read_search 36113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fowner 36213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fsetid 36313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle kill 36413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setgid 36513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setuid 36613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setpcap 36713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle linux_immutable 36813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_bind_service 36913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_broadcast 37013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_admin 37113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_raw 37213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_lock 37313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_owner 37413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_module 37513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_rawio 37613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_chroot 37713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_ptrace 37813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_pacct 37913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_admin 38013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_boot 38113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_nice 38213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_resource 38313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_time 38413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_tty_config 38513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mknod 38613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lease 38713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 38813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 38913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleifdef(`enable_mls',` 39013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesensitivity s0; 39113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 39213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the ordering of the sensitivity levels (least to greatest) 39413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindledominance { s0 } 39613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 39713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 39813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the categories 40013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 40113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Each category has a name and zero or more aliases. 40213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 40313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c0; category c1; category c2; category c3; 40413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c4; category c5; category c6; category c7; 40513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c8; category c9; category c10; category c11; 40613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c12; category c13; category c14; category c15; 40713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c16; category c17; category c18; category c19; 40813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c20; category c21; category c22; category c23; 40913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlelevel s0:c0.c23; 41113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlemlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } 41313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ( h1 dom h2 ); 41413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle') 41513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype enable_optional; 41713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Alias tests 41913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype alias_check_1_t; 42013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype alias_check_2_t; 42113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype alias_check_3_t; 42213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletypealias alias_check_1_t alias alias_check_1_a; 42413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleoptional { 42613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle require { 42713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type alias_check_2_t; 42813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 42913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle typealias alias_check_2_t alias alias_check_2_a; 43013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 43113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleoptional { 43313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle require { 43413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type alias_check_3_a; 43513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 43613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle allow alias_check_3_a enable_optional:file read; 43713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 43813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle######## 44013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype fs_t; 44113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype system_t; 44213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype user_t; 4438b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole system_r; 4448b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole user_r; 4458b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole sysadm_r; 44613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole system_r types system_t; 44713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole user_r types user_t; 44813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole sysadm_r types system_t; 44913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 45013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Booleans 45113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_ypbind true; 45213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool secure_mode false; 45313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execheap false; 45413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execmem true; 45513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execmod false; 45613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execstack true; 45713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool optional_bool_1 true; 45813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool optional_bool_2 false; 45913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 46013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 46113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# users 46213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(system_u,, system_r, s0, s0 - s0:c0.c23) 46313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) 46413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(joe,, user_r, s0, s0 - s0:c0.c23) 46513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 46613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 46713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# constraints 46813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 46913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 47113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "initial_sid_contexts" 47213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesid kernel gen_context(system_u:system_r:system_t, s0) 47413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle############################################ 47713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "fs_use" 47813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 47913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); 48013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); 48113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); 48213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegenfscon proc / gen_context(system_u:object_r:system_t, s0) 48513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 48813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "net_contexts" 48913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#portcon tcp 21 system_u:object_r:net_foo_t:s0 49113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 49313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 49513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 49613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlenodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0) 49813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 502