# FLASK
#
# Small base policy in policy.conf syntax, preprocessed with m4
# (ifdef, gen_user, gen_context).  The file is ordered the way the
# policy compiler requires it: object classes, initial SIDs, common
# permission sets, access vectors, the optional MLS block, and finally
# the TE / RBAC / boolean / user / labelling statements.
#
# NOTE(review): the attribute, type and boolean names (foo, num,
# base_optional_1, optional_bool_1, ...) suggest this is a test
# fixture rather than a policy meant for a real system -- confirm
# against the containing test suite before reusing any of it.
#

#
# Security object classes.  Each class must be declared here before
# its access vector (the permission set) is defined further down.
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Initial security identifiers.  Only the name is declared here; the
# context bound to each SID is given in the initial_sid_contexts
# section near the end of the file.
#

sid kernel


# FLASK
#
# Common permission prefixes shared by several access vectors.
#
# common common_name { permission_name ... }


#
# Permissions shared by every file-like class (file, dir, lnk_file,
# chr_file, blk_file, sock_file, fifo_file inherit this set).
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Permissions shared by every socket class.  The first group repeats
# the generic file permissions (a common cannot inherit another
# common); the second group is specific to sockets.
#

common socket
{
# same names as the file prefix
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Permissions shared by the System V IPC classes (ipc, msgq, shm).
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# File-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

# execute_no_trans and entrypoint control whether a file may be run
# without a domain transition and whether it may serve as the entry
# point of a new domain; both are checked on the file object.
class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

# node: permissions checked against the peer address of a packet
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

# netif: the same send/recv permissions, checked against the interface
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Process-related objects.
#

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# IPC-related objects.
#

class ipc
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
}

class shm
inherits ipc
{
	lock
}


#
# The security server itself (policy load, SID/context mapping, ...).
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# System-wide operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Capabilities.
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters: the permission bit for each
	# name is taken from its position in this list.)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

# MLS section, only emitted when the m4 symbol enable_mls is defined.
# Everything inside the quotes must stay free of stray quote characters
# or m4 will terminate the argument early.
ifdef(`enable_mls',`
sensitivity s0;

#
# Ordering of the sensitivity levels (least to greatest); a single
# level is declared here.
#
dominance { s0 }


#
# Categories.  Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

# Write-like file operations are only allowed when the high level of
# the subject (h1) dominates the high level of the file (h2).
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
# TE RULES
#
# Attributes are declared before the types that carry them.
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;

type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;

type user_t, domain;
role user_r;
role user_r types user_t;

type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;

type system_t, domain, system, foo;
# system_r is declared a second time here; the type set below extends
# the one given earlier rather than replacing it.  NOTE(review): confirm
# the duplicate declaration is intentional for this fixture.
role system_r;
role system_r types { system_t sys_foo_t };

type file_t;
type file_exec_t, files;
type fs_t;
type base_optional_1;
type base_optional_2;

# The only unconditional TE rule: sysadm_t may execute file_exec_t and
# use it as a domain entry point (entrypoint is included in the set).
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };

# An optional block: its rules are dropped if the required types are
# not present when the policy is linked.
optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}

#####################################
# Role Allow
#
# Permits a role transition from user_r to sysadm_r.  Whether the
# transition actually happens still depends on a type transition or an
# explicit role change being allowed for the domains involved.
allow user_r sysadm_r;

####################################
# Booleans
#
# Default values are listed explicitly; the exec* booleans default to a
# mix of true and false here, which is specific to this file.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
#
# gen_user(name, prefix, roles, default level, allowed range)
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints
#
# (none defined in this file)


####################################
#line 1 "initial_sid_contexts"

# Context for the kernel initial SID declared at the top of the file.
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)


############################################
#line 1 "fs_use"
#
# Filesystems that store labels in extended attributes.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


# Pseudo-filesystem labelled by genfscon; everything under / in proc
# gets the sys_foo_t context.
genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)


####################################
#line 1 "net_contexts"

# Port and interface contexts are kept here only as commented-out
# examples; nothing below except the IPv6 nodecon is active.
#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

# IPv6 loopback address only; the IPv4 loopback line above is disabled.
nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)


