113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the security object classes 513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass security 813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass process 913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass system 1013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass capability 1113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# file-related classes 1313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass filesystem 1413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass file 1513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass dir 1613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fd 1713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass lnk_file 1813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass chr_file 1913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass blk_file 2013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sock_file 2113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fifo_file 2213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 2313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# network-related classes 2413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass socket 2513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass tcp_socket 2613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass udp_socket 2713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass rawip_socket 2813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass node 2913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netif 3013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netlink_socket 3113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass packet_socket 3213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass key_socket 3313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_stream_socket 3413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_dgram_socket 3513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 3613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# sysv-ipc-related clases 3713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msg 3813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msgq 3913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass shm 4013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass ipc 4113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 4213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 4313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 4413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 4513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 4613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define initial security identifiers 4713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 4813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 4913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesid kernel 5013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# FLASK 5313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 5413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define common prefixes for access vectors 5513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 5613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# common common_name { permission_name ... } 5713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 5913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 6013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for file access vectors. 6113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 6213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 6313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon file 6413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 6513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ioctl 6613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 6713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 6813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 6913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 7013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 7113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 7213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 7313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 7413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle append 7513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unlink 7613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle link 7713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rename 7813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle execute 7913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle swapon 8013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotaon 8113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mounton 8213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 8313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 8413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 8513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 8613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for socket access vectors. 8713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 8813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 8913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon socket 9013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 9113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# inherited from file 9213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ioctl 9313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 9413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 9513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 9613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 9713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 9813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 9913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 10013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 10113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle append 10213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# socket-specific 10313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle bind 10413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connect 10513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle listen 10613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle accept 10713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getopt 10813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setopt 10913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle shutdown 11013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle recvfrom 11113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sendto 11213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle recv_msg 11313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle send_msg 11413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle name_bind 11513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 11613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 11713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 11813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define a common prefix for ipc access vectors. 11913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 12013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 12113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecommon ipc 12213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 12313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle create 12413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle destroy 12513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 12613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setattr 12713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle read 12813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle write 12913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle associate 13013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unix_read 13113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unix_write 13213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 13313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 13413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 13513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vectors. 13613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 13713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# class class_name [ inherits common_name ] { permission_name ... } 13813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 13913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 14013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 14113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for file-related objects. 14213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 14313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 14413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass filesystem 14513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 14613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mount 14713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle remount 14813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unmount 14913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getattr 15013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelfrom 15113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle relabelto 15213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition 15313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle associate 15413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotamod 15513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle quotaget 15613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 15713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 15813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass dir 15913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 16013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 16113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle add_name 16213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle remove_name 16313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle reparent 16413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle search 16513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rmdir 16613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 16713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 16813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass file 16913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 17013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 17113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle execute_no_trans 17213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle entrypoint 17313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 17413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 17513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass lnk_file 17613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 17713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 17813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass chr_file 17913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass blk_file 18213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass sock_file 18513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 18713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fifo_file 18813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits file 18913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass fd 19113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 19213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle use 19313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 19413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 19613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 19713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for network-related objects. 19813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 19913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 20013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass socket 20113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 20213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 20313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass tcp_socket 20413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 20513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 20613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connectto 20713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newconn 20813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle acceptfrom 20913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 21013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass udp_socket 21213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 21313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass rawip_socket 21513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 21613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 21713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass node 21813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 21913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_recv 22013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_send 22113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_recv 22213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_send 22313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_recv 22413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_send 22513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle enforce_dest 22613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 22713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 22813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netif 22913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 23013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_recv 23113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tcp_send 23213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_recv 23313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle udp_send 23413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_recv 23513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rawip_send 23613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 23713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 23813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass netlink_socket 23913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass packet_socket 24213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass key_socket 24513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 24713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_stream_socket 24813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 24913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 25013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle connectto 25113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newconn 25213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle acceptfrom 25313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 25413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 25513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass unix_dgram_socket 25613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits socket 25713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 25813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 25913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 26013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for process-related objects 26113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 26213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 26313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass process 26413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 26513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fork 26613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition 26713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigchld # commonly granted from child to parent 26813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigkill # cannot be caught or ignored 26913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sigstop # cannot be caught or ignored 27013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle signull # for kill(pid, 0) 27113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle signal # all other signals 27213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ptrace 27313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getsched 27413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setsched 27513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getsession 27613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getpgid 27713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setpgid 27813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle getcap 27913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setcap 28013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle share 28113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 28213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 28513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for ipc-related objects 28613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 28713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 28813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass ipc 28913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 29013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 29113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msgq 29213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 29313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 29413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle enqueue 29513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 29613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 29713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass msg 29813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 29913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle send 30013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 30113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 30213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass shm 30313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleinherits ipc 30413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 30513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lock 30613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 30713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 30813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 30913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 31013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for the security server. 31113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 31213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 31313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass security 31413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 31513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle compute_av 31613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle transition_sid 31713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle member_sid 31813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sid_to_context 31913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle context_to_sid 32013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle load_policy 32113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle get_sids 32213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle change_sid 32313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle get_user_sids 32413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 32513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 32613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 32713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 32813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for system operations. 32913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 33013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 33113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass system 33213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 33313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_info 33413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avc_toggle 33513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle nfsd_control 33613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle bdflush 33713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_read 33813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_mod 33913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle syslog_console 34013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ichsid 34113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 34213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 34313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 34413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the access vector interpretation for controling capabilies 34513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 34613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 34713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleclass capability 34813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 34913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # The capabilities are defined in include/linux/capability.h 35013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # Care should be taken to ensure that these are consistent with 35113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle # those definitions. (Order matters) 35213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 35313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle chown 35413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle dac_override 35513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle dac_read_search 35613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fowner 35713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle fsetid 35813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle kill 35913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setgid 36013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setuid 36113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle setpcap 36213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle linux_immutable 36313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_bind_service 36413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_broadcast 36513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_admin 36613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle net_raw 36713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_lock 36813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ipc_owner 36913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_module 37013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_rawio 37113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_chroot 37213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_ptrace 37313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_pacct 37413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_admin 37513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_boot 37613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_nice 37713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_resource 37813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_time 37913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sys_tty_config 38013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mknod 38113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle lease 38213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 38313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 38413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleifdef(`enable_mls',` 38513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesensitivity s0; 38613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 38713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 38813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the ordering of the sensitivity levels (least to greatest) 38913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindledominance { s0 } 39113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 39213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 39313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Define the categories 39513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Each category has a name and zero or more aliases. 39713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 39813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c0; category c1; category c2; category c3; 39913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c4; category c5; category c6; category c7; 40013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c8; category c9; category c10; category c11; 40113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c12; category c13; category c14; category c15; 40213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c16; category c17; category c18; category c19; 40313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlecategory c20; category c21; category c22; category c23; 40413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 40513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlelevel s0:c0.c23; 40613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 40713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlemlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } 40813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ( h1 dom h2 ); 40913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle') 41013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 41213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 41313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 41413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# TE RULES 41513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute domain; 41613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute system; 41713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute foo; 41813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute num; 41913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute num_exec; 42013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleattribute files; 42113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype net_foo_t, foo; 42313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype sys_foo_t, foo, system; 4248b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole system_r; 42513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole system_r types sys_foo_t; 42613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype user_t, domain; 4288b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole user_r; 42913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole user_r types user_t; 43013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype sysadm_t, domain, system; 4328b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole sysadm_r; 43313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole sysadm_r types sysadm_t; 43413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype system_t, domain, system, foo; 4368b71d70b5533b81d72f055d9e20e1f1db16c5858Stephen Smalleyrole system_r; 43713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlerole system_r types { system_t sys_foo_t }; 43813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype file_t; 44013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype file_exec_t, files; 44113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype fs_t; 44213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype base_optional_1; 44313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindletype base_optional_2; 44413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 44513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleallow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint }; 44613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 44713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleoptional { 44813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle require { 44913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type base_optional_1, base_optional_2; 45013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 45113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle allow base_optional_1 base_optional_2 : file { read write }; 45213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 45313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 45413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 45513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Role Allow 45613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleallow user_r sysadm_r; 45713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 45813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 45913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# Booleans 46013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_ypbind true; 46113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool secure_mode false; 46213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execheap false; 46313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execmem true; 46413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execmod false; 46513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool allow_execstack true; 46613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool optional_bool_1 true; 46713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlebool optional_bool_2 false; 46813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 46913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 47013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# users 47113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(system_u,, system_r, s0, s0 - s0:c0.c23) 47213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23) 47313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegen_user(joe,, user_r, s0, s0 - s0:c0.c23) 47413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle##################################### 47613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# constraints 47713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 48013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "initial_sid_contexts" 48113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlesid kernel gen_context(system_u:system_r:sys_foo_t, s0) 48313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle############################################ 48613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "fs_use" 48713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 48813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0); 48913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0); 49013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlefs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0); 49113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlegenfscon proc / gen_context(system_u:object_r:sys_foo_t, s0) 49413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#################################### 49713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#line 1 "net_contexts" 49813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#portcon tcp 21 system_u:object_r:net_foo_t:s0 50013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0 50213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle# 50413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0 50513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlenodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0) 50713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 50913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 51013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 511