# FLASK
#
# NOTE(review): this reads as a minimal base policy kept for test purposes
# (see "Make this decl easy to find" and "Actually used in module tests"
# further down) rather than a policy meant to be deployed. The text is m4
# input: the conditional MLS section and the user/context helper macros are
# expanded before the policy compiler sees it, and the "#line" markers show
# where separately kept fragments (initial_sid_contexts, fs_use,
# net_contexts) were concatenated. The repeated "# FLASK" lines appear to be
# the same kind of concatenation marker.

#
# Define the security object classes
#
# NOTE(review): every class named here gets its permission set in the
# access vector section further down, matched by name. The order of the
# declarations presumably fixes the numeric class values in the compiled
# policy, so treat the list as append-only and confirm any reordering
# against whatever consumes the compiled policy.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers
#
# Only one initial SID is declared; its security context is assigned in
# the initial_sid_contexts fragment near the end of this file.
#

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
# Shared by every file-like class below (dir, file, lnk_file, chr_file,
# blk_file, sock_file, fifo_file) through "inherits file".
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
# Shared by socket and every *_socket class below.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
# Shared by ipc, sem, msgq and shm below; msg does not inherit it.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint	# granted below to sysadm_t on file_exec_t
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

# node carries one permission (enforce_dest) that netif does not.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# msg is the one ipc-related class that does not inherit the ipc common
# set; it only has send and receive.
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	# NOTE(review): the position of each name below must match the
	# numeric capability value; never insert in the middle, only append.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

ifdef(`enable_mls',`
# Single sensitivity with 24 categories; every user declared later in this
# file is given the full range s0 - s0:c0.c23.
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

# The listed modifying operations on file objects are allowed only when the
# high level of the source context (h1) dominates the high level of the
# target (h2). Read-type permissions are not listed, so only these
# modifying operations are restricted by MLS here.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
# TE RULES
attribute domain;
attribute system;	# also an object class name above; classes and attributes are separate namespaces
attribute foo;
attribute num;
attribute num_exec;
attribute files;

type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;

type user_t, domain;
role user_r;
role user_r types user_t;

type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;

type system_t, domain, system, foo;
# system_r was already declared above; this second declaration presumably
# merges with the first and adds system_t to the role.
role system_r;
role system_r types { system_t sys_foo_t };

type file_t;
type file_exec_t, files;
type fs_t;

# Make this decl easy to find
type base_global_decl_t;

# Actually used in module tests
type type_req_t;
attribute attr_req;
bool bool_req false;
role role_req_r;


# NOTE(review): this one rule grants write alongside execute and entrypoint
# on file_exec_t, so sysadm_t could alter the files it executes or enters
# through. Acceptable in a fixture; in a deployable policy keep write off
# the executable/entrypoint type.
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };

# base_optional_1 and base_optional_2 are not declared anywhere in this
# file; the block only becomes active when a module satisfies the require.
optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}

#####################################
# Role Allow
# Permits a role change from user_r to sysadm_r. The constraints section
# below is empty, so nothing else in this file narrows this; of the users
# declared below only root is authorized for both roles.
allow user_r sysadm_r;

####################################
# Booleans
# NOTE(review): no conditional rule in this file references any of these,
# so their defaults (allow_execmem and allow_execstack start as true)
# change nothing here; they are presumably present for tests that read or
# toggle booleans.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
# All three users get default level s0 and the full range s0 - s0:c0.c23;
# the empty second argument appears to be an unused user prefix slot.
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints
# (empty: this file has no constrain or validatetrans statements)


####################################
#line 1 "initial_sid_contexts"

# The kernel SID is labelled sys_foo_t in system_r; the same type labels
# proc via genfscon further down.
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)


############################################
#line 1 "fs_use"
#
# ext2, ext3 and reiserfs take file labels from on-disk extended
# attributes; the filesystem objects themselves are fs_t.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)


####################################
#line 1 "net_contexts"
#
# The port, interface and IPv4 node contexts are commented out; only the
# IPv6 loopback node is labelled, as net_foo_t. No allow rule in this file
# mentions net_foo_t, node or netif.

#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)


