1# FLASK
2
3#
4# Define the security object classes 
5#
6
7class security
8class process
9class system
10class capability
11
12# file-related classes
13class filesystem
14class file
15class dir
16class fd
17class lnk_file
18class chr_file
19class blk_file
20class sock_file
21class fifo_file
22
23# network-related classes
24class socket
25class tcp_socket
26class udp_socket
27class rawip_socket
28class node
29class netif
30class netlink_socket
31class packet_socket
32class key_socket
33class unix_stream_socket
34class unix_dgram_socket
35
36# sysv-ipc-related clases
37class sem
38class msg
39class msgq
40class shm
41class ipc
42
43# FLASK
44# FLASK
45
46#
47# Define initial security identifiers 
48#
49
50sid kernel
51
52
53# FLASK
54#
55# Define common prefixes for access vectors
56#
57# common common_name { permission_name ... }
58
59
60#
61# Define a common prefix for file access vectors.
62#
63
64common file
65{
66	ioctl
67	read
68	write
69	create
70	getattr
71	setattr
72	lock
73	relabelfrom
74	relabelto
75	append
76	unlink
77	link
78	rename
79	execute
80	swapon
81	quotaon
82	mounton
83}
84
85
86#
87# Define a common prefix for socket access vectors.
88#
89
90common socket
91{
92# inherited from file
93	ioctl
94	read
95	write
96	create
97	getattr
98	setattr
99	lock
100	relabelfrom
101	relabelto
102	append
103# socket-specific
104	bind
105	connect
106	listen
107	accept
108	getopt
109	setopt
110	shutdown
111	recvfrom
112	sendto
113	recv_msg
114	send_msg
115	name_bind
116}	
117
118#
119# Define a common prefix for ipc access vectors.
120#
121
122common ipc
123{
124	create
125	destroy
126	getattr
127	setattr
128	read
129	write
130	associate
131	unix_read
132	unix_write
133}
134
135#
136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] { permission_name ... }
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147	mount
148	remount
149	unmount
150	getattr
151	relabelfrom
152	relabelto
153	transition
154	associate
155	quotamod
156	quotaget
157}
158
159class dir
160inherits file
161{
162	add_name
163	remove_name
164	reparent
165	search
166	rmdir
167}
168
169class file
170inherits file
171{
172	execute_no_trans
173	entrypoint
174}
175
176class lnk_file
177inherits file
178
179class chr_file
180inherits file
181
182class blk_file
183inherits file
184
185class sock_file
186inherits file
187
188class fifo_file
189inherits file
190
191class fd
192{
193	use
194}
195
196
197#
198# Define the access vector interpretation for network-related objects.
199#
200
201class socket
202inherits socket
203
204class tcp_socket
205inherits socket
206{
207	connectto
208	newconn
209	acceptfrom
210}
211
212class udp_socket
213inherits socket
214
215class rawip_socket
216inherits socket
217
218class node 
219{
220	tcp_recv
221	tcp_send
222	udp_recv
223	udp_send
224	rawip_recv
225	rawip_send
226	enforce_dest
227}
228
229class netif
230{
231	tcp_recv
232	tcp_send
233	udp_recv
234	udp_send
235	rawip_recv
236	rawip_send
237}
238
239class netlink_socket
240inherits socket
241
242class packet_socket
243inherits socket
244
245class key_socket
246inherits socket
247
248class unix_stream_socket
249inherits socket
250{
251	connectto
252	newconn
253	acceptfrom
254}
255
256class unix_dgram_socket
257inherits socket
258
259
260#
261# Define the access vector interpretation for process-related objects
262#
263
264class process
265{
266	fork
267	transition
268	sigchld # commonly granted from child to parent
269	sigkill # cannot be caught or ignored
270	sigstop # cannot be caught or ignored
271	signull # for kill(pid, 0)
272	signal  # all other signals
273	ptrace
274	getsched
275	setsched
276	getsession
277	getpgid
278	setpgid
279	getcap
280	setcap
281	share
282}
283
284
285#
286# Define the access vector interpretation for ipc-related objects
287#
288
289class ipc
290inherits ipc
291
292class sem
293inherits ipc
294
295class msgq
296inherits ipc
297{
298	enqueue
299}
300
301class msg
302{
303	send
304	receive
305}
306
307class shm
308inherits ipc
309{
310	lock
311}
312
313
314#
315# Define the access vector interpretation for the security server. 
316#
317
318class security
319{
320	compute_av
321	transition_sid
322	member_sid
323	sid_to_context
324	context_to_sid
325	load_policy
326	get_sids
327	change_sid
328	get_user_sids
329}
330
331
332#
333# Define the access vector interpretation for system operations.
334#
335
336class system
337{
338	ipc_info
339	avc_toggle
340	nfsd_control
341	bdflush
342	syslog_read
343	syslog_mod
344	syslog_console
345	ichsid
346}
347
348#
349# Define the access vector interpretation for controling capabilies
350#
351
352class capability
353{
354	# The capabilities are defined in include/linux/capability.h
355	# Care should be taken to ensure that these are consistent with
356	# those definitions. (Order matters)
357
358	chown           
359	dac_override    
360	dac_read_search 
361	fowner          
362	fsetid          
363	kill            
364	setgid           
365	setuid           
366	setpcap          
367	linux_immutable  
368	net_bind_service 
369	net_broadcast    
370	net_admin        
371	net_raw          
372	ipc_lock         
373	ipc_owner        
374	sys_module       
375	sys_rawio        
376	sys_chroot       
377	sys_ptrace       
378	sys_pacct        
379	sys_admin        
380	sys_boot         
381	sys_nice         
382	sys_resource     
383	sys_time         
384	sys_tty_config  
385	mknod
386	lease
387}
388
389ifdef(`enable_mls',`
390sensitivity s0;
391
392#
393# Define the ordering of the sensitivity levels (least to greatest)
394#
395dominance { s0 }
396
397
398#
399# Define the categories
400#
401# Each category has a name and zero or more aliases.
402#
403category c0; category c1; category c2; category c3;
404category c4; category c5; category c6; category c7;
405category c8; category c9; category c10; category c11;
406category c12; category c13; category c14; category c15;
407category c16; category c17; category c18; category c19;
408category c20; category c21; category c22; category c23;
409
410level s0:c0.c23;
411
412mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
413	( h1 dom h2 );
414')
415
416####################################
417####################################
418#####################################
419
420#g_b stands for global base
421
422type enable_optional;
423
424#decorative type for finding this decl, every block should have one
425type tag_g_b;
426
427attribute g_b_attr_1;
428attribute g_b_attr_2;
429attribute g_b_attr_3;
430attribute g_b_attr_4;
431attribute g_b_attr_5;
432attribute g_b_attr_6;
433
434type g_b_type_1, g_b_attr_1;
435type g_b_type_2, g_b_attr_2;
436type g_b_type_3;
437
438role g_b_role_1 types g_b_type_1;
439role g_b_role_2 types g_b_type_2;
440role g_b_role_3 types g_b_type_2;
441role g_b_role_4 types g_b_type_2;
442
443bool g_b_bool_1 false;
444bool g_b_bool_2 true;
445
446allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
447allow g_b_type_1 g_b_type_2 : file *; # test *
448allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
449
450typealias g_b_type_3 alias g_b_alias_1;
451
452if (g_b_bool_1) {
453	allow g_b_type_1 g_b_type_2: lnk_file read;
454}
455
456
457optional {
458	require {
459		type enable_optional;
460		attribute g_m1_attr_2;
461	}
462	type tag_o1_b;
463
464	attribute o1_b_attr_1;
465	type o1_b_type_1, o1_b_attr_1;
466	bool o1_b_bool_1 true;
467	role o1_b_role_1 types o1_b_type_1;
468
469	role o1_b_role_2 types o1_b_type_1;
470
471	attribute o1_b_attr_2;
472
473	type o1_b_type_2, g_m1_attr_2;
474
475	if (o1_b_bool_1) {
476		allow o1_b_type_1 o1_b_type_2: lnk_file write;
477	}
478	
479}
480
481optional {
482	require {
483		# this should be activated by module 1
484		type g_m1_type_1;
485		attribute o3_m1_attr_2;
486	}	
487	type tag_o2_b;	
488
489	type o2_b_type_1, o3_m1_attr_2;
490}
491
492optional {
493	require {
494		#this block should not come on
495		type invalid_type;
496	}
497	type tag_o3_b;
498
499
500	attribute o3_b_attr_1;
501	type o3_b_type_1;
502	bool o3_b_bool_1 true;
503
504	role o3_b_role_1 types o3_b_type_1;
505
506	allow g_b_type_1 invalid_type : sem { create destroy };
507}
508
509optional {
510	require {
511		# also should be enabled by module 1
512		type enable_optional;
513		type g_m1_type_1;
514		attribute o3_m1_attr_1;
515		attribute g_m1_attr_3;
516	}
517	
518	type tag_o4_b;
519
520	attribute o4_b_attr_1;
521
522	role o4_b_role_1 types g_m1_type_1;
523
524	# test for attr declared in module optional, added to in base optional
525	type o4_b_type_1, o3_m1_attr_1;
526
527	type o4_b_type_2, g_m1_attr_3;
528}
529
530optional {
531	require {
532		attribute g_m1_attr_4;
533		attribute o4_m1_attr_1;
534	}
535	type tag_o5_b;
536
537	type o5_b_type_1, g_m1_attr_4;
538	type o5_b_type_2, o4_m1_attr_1;
539}
540
541optional {
542	require {
543		type enable_optional;
544	}
545	type tag_o6_b;
546
547	typealias g_b_type_3 alias g_b_alias_2;
548}
549
550optional {
551	require {
552		type g_m_alias_1;
553	}
554	type tag_o7_b;
555
556	allow g_m_alias_1 enable_optional:file read;
557}
558
559gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
560gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
561
562####################################
563#line 1 "initial_sid_contexts"
564
565sid kernel	gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
566
567
568############################################
569#line 1 "fs_use"
570#
571fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
572fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
573fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
574
575
576genfscon proc /				gen_context(g_b_user_1:object_r:g_b_type_1, s0)
577
578
579####################################
580#line 1 "net_contexts"
581
582#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
583
584#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
585
586#
587#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
588
589nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
590
591
592
593
594