# FLASK
#
# Kernel policy source (checkpolicy / libsepol policy language).
# The file is m4-preprocessed before compilation: gen_user(), gen_context()
# and the ifdef(enable_mls) block below are m4 constructs, not policy
# language. The "Type - attribute mapping test" sections and the
# does_not_exist_t requirements indicate this is a test fixture for the
# policy linker/expander rather than a deployable policy - do not treat
# its allow rules, booleans or role allows as a hardening reference.
#
# Layout (top to bottom):
#   1. object classes            (class ...)
#   2. initial SIDs              (sid ...)
#   3. common permission sets    (common ...)
#   4. per-class access vectors  (class ... inherits ... { ... })
#   5. MLS sensitivities/categories/constraints (only if enable_mls)
#   6. TE rules, roles, booleans, users
#   7. initial SID contexts, fs_use, genfscon, net contexts
#
# NOTE(review): the "#line" lines are checkpolicy line directives, not
# comments; they must stay exactly as written.

#
# Define the security object classes
#

class security
class process
class system
class capability

# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file

# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket

# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc

# FLASK
# FLASK

#
# Define initial security identifiers
#
# Only the kernel SID is declared here; its context is assigned in the
# initial_sid_contexts section near the end of the file.

sid kernel


# FLASK
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that only says "inherits X" gets exactly the permissions of
# common X; a following { ... } block adds class-specific permissions.


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	avc_toggle
	nfsd_control
	bdflush
	syslog_read
	syslog_mod
	syslog_console
	ichsid
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# The kernel maps each capability to a permission bit by its position
	# in this list, so inserting, removing or reordering an entry here
	# silently changes which capability every later bit refers to.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
}

# MLS section. Emitted only when the m4 symbol enable_mls is defined;
# otherwise everything up to the closing quote is dropped. No apostrophes
# or backquotes may appear inside this block, since m4 would read them as
# quote delimiters.
ifdef(`enable_mls',`
sensitivity s0;

#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 }


#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;

level s0:c0.c23;

# For the listed file permissions the high level of the source context
# (h1) must dominate the high level of the target (h2). With a single
# sensitivity this only constrains categories.
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );
')

####################################
####################################
#####################################
# TE RULES
attribute domain;
attribute system;
attribute foo;
attribute num;
attribute num_exec;
attribute files;

# Type - attribute mapping test
# Shorthand tests
# 1 = types in base, 2 = types in mod, 3 = types in both
# 4 = types in optional in base, 5 = types in optional in mod
# 6 = types in optional in both
# 7 = types in disabled optional in base
# 8 = types in disabled optional in module
# 9 = types in disabled optional in both
# 10 = types in enabled optional in base, disabled optional in module
# 11 = types in disabled optional in base, enabled optional in module
#
# "base" is this file; "mod" presumably refers to a companion policy
# module that is not part of this file (verify against the test driver).
# An optional block is enabled only if every symbol in its require { }
# resolves at link time; blocks requiring does_not_exist_t are therefore
# the "disabled optional" cases, and module_t is expected to come from
# the module side.
attribute attr_check_base_1;
attribute attr_check_base_2;
attribute attr_check_base_3;
attribute attr_check_base_4;
attribute attr_check_base_5;
attribute attr_check_base_6;
attribute attr_check_base_7;
attribute attr_check_base_8;
attribute attr_check_base_9;
attribute attr_check_base_10;
attribute attr_check_base_11;
optional {
	require {
		type module_t;
	}
	attribute attr_check_base_optional_1;
	attribute attr_check_base_optional_2;
	attribute attr_check_base_optional_3;
	attribute attr_check_base_optional_4;
	attribute attr_check_base_optional_5;
	attribute attr_check_base_optional_6;
	attribute attr_check_base_optional_8;
}
optional {
	require {
		type does_not_exist_t;
	}
	attribute attr_check_base_optional_disabled_5;
	attribute attr_check_base_optional_disabled_8;
}

type net_foo_t, foo;
type sys_foo_t, foo, system;
role system_r;
role system_r types sys_foo_t;

type user_t, domain;
role user_r;
role user_r types user_t;

type sysadm_t, domain, system;
role sysadm_r;
role sysadm_r types sysadm_t;

type system_t, domain, system, foo;
role system_r types { system_t sys_foo_t };

type file_t;
type file_exec_t, files;
type fs_t;
type base_optional_1;
type base_optional_2;

# NOTE(review): grants write together with execute and entrypoint on the
# same file type. Acceptable as test input; in a real policy a domain
# that can modify its own entrypoint binaries defeats the domain boundary.
allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };

optional {
	require {
		type base_optional_1, base_optional_2;
	}
	allow base_optional_1 base_optional_2 : file { read write };
}

# Type - attribute mapping test
# Each case declares one type with the attribute inline ("_1_t") and one
# that receives it via a separate typeattribute statement ("_2_t").
type base_t;
type attr_check_base_1_1_t, attr_check_base_1;
type attr_check_base_1_2_t;
typeattribute attr_check_base_1_2_t attr_check_base_1;
type attr_check_base_3_1_t, attr_check_base_3;
type attr_check_base_3_2_t;
typeattribute attr_check_base_3_2_t attr_check_base_3;
optional {
	require {
		attribute attr_check_base_4;
	}
	type attr_check_base_4_1_t, attr_check_base_4;
	type attr_check_base_4_2_t;
	typeattribute attr_check_base_4_2_t attr_check_base_4;
}
optional {
	require {
		type module_t;
	}
	type attr_check_base_6_1_t, attr_check_base_6;
	type attr_check_base_6_2_t;
	typeattribute attr_check_base_6_2_t attr_check_base_6;
}
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_7_1_t, attr_check_base_7;
	type attr_check_base_7_2_t;
	typeattribute attr_check_base_7_2_t attr_check_base_7;
}
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_9_1_t, attr_check_base_9;
	type attr_check_base_9_2_t;
	typeattribute attr_check_base_9_2_t attr_check_base_9;
}
optional {
	require {
		type module_t;
	}
	type attr_check_base_10_1_t, attr_check_base_10;
	type attr_check_base_10_2_t;
	typeattribute attr_check_base_10_2_t attr_check_base_10;
}
optional {
	require {
		type does_not_exist_t;
	}
	type attr_check_base_11_1_t, attr_check_base_11;
	type attr_check_base_11_2_t;
	typeattribute attr_check_base_11_2_t attr_check_base_11;
}
# Cases 4 and 6 for the base_optional attributes are intentionally left
# commented out below.
#optional {
#	require {
#		attribute attr_check_base_optional_4;
#	}
#	type attr_check_base_optional_4_1_t, attr_check_base_optional_4;
#	type attr_check_base_optional_4_2_t;
#	typeattribute attr_check_base_optional_4_2_t attr_check_base_optional_4;
#}
#optional {
#	require {
#		attribute attr_check_base_optional_6;
#	}
#	type attr_check_base_optional_6_1_t, attr_check_base_optional_6;
#	type attr_check_base_optional_6_2_t;
#	typeattribute attr_check_base_optional_6_2_t attr_check_base_optional_6;
#}
# The attr_check_mod_* attributes are not declared in this file; these
# blocks stay disabled unless the module side provides them.
optional {
	require {
		attribute attr_check_mod_4;
	}
	type attr_check_mod_4_1_t, attr_check_mod_4;
	type attr_check_mod_4_2_t;
	typeattribute attr_check_mod_4_2_t attr_check_mod_4;
}
optional {
	require {
		attribute attr_check_mod_6;
	}
	type attr_check_mod_6_1_t, attr_check_mod_6;
	type attr_check_mod_6_2_t;
	typeattribute attr_check_mod_6_2_t attr_check_mod_6;
}
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_7;
	}
	type attr_check_mod_7_1_t, attr_check_mod_7;
	type attr_check_mod_7_2_t;
	typeattribute attr_check_mod_7_2_t attr_check_mod_7;
}
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_9;
	}
	type attr_check_mod_9_1_t, attr_check_mod_9;
	type attr_check_mod_9_2_t;
	typeattribute attr_check_mod_9_2_t attr_check_mod_9;
}
optional {
	require {
		attribute attr_check_mod_10;
	}
	type attr_check_mod_10_1_t, attr_check_mod_10;
	type attr_check_mod_10_2_t;
	typeattribute attr_check_mod_10_2_t attr_check_mod_10;
}
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_11;
	}
	type attr_check_mod_11_1_t, attr_check_mod_11;
	type attr_check_mod_11_2_t;
	typeattribute attr_check_mod_11_2_t attr_check_mod_11;
}
optional {
	require {
		attribute attr_check_mod_optional_4;
	}
	type attr_check_mod_optional_4_1_t, attr_check_mod_optional_4;
	type attr_check_mod_optional_4_2_t;
	typeattribute attr_check_mod_optional_4_2_t attr_check_mod_optional_4;
}
optional {
	require {
		attribute attr_check_mod_optional_6;
	}
	type attr_check_mod_optional_6_1_t, attr_check_mod_optional_6;
	type attr_check_mod_optional_6_2_t;
	typeattribute attr_check_mod_optional_6_2_t attr_check_mod_optional_6;
}
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_optional_7;
	}
	type attr_check_mod_optional_7_1_t, attr_check_mod_optional_7;
	type attr_check_mod_optional_7_2_t;
	typeattribute attr_check_mod_optional_7_2_t attr_check_mod_optional_7;
}
optional {
	require {
		attribute attr_check_mod_optional_disabled_4;
	}
	type attr_check_mod_optional_disabled_4_1_t, attr_check_mod_optional_disabled_4;
	type attr_check_mod_optional_disabled_4_2_t;
	typeattribute attr_check_mod_optional_disabled_4_2_t attr_check_mod_optional_disabled_4;
}
optional {
	require {
		type does_not_exist_t;
		attribute attr_check_mod_optional_disabled_7;
	}
	type attr_check_mod_optional_disabled_7_1_t, attr_check_mod_optional_disabled_7;
	type attr_check_mod_optional_disabled_7_2_t;
	typeattribute attr_check_mod_optional_disabled_7_2_t attr_check_mod_optional_disabled_7;
}

#####################################
# Role Allow
# Permits role changes from user_r to sysadm_r. A matching domain
# transition rule would still be needed for this to be reachable; none
# is declared in this file. NOTE(review): in a production policy an
# unconditional user_r -> sysadm_r role allow is a privilege boundary
# and should be gated (e.g. through a dedicated transition domain).
allow user_r sysadm_r;

####################################
# Booleans
# Declarations with defaults only; no rule in this file is conditional
# on any of them, so the true values for allow_execmem/allow_execstack
# have no effect here.
bool allow_ypbind true;
bool secure_mode false;
bool allow_execheap false;
bool allow_execmem true;
bool allow_execmod false;
bool allow_execstack true;
bool optional_bool_1 true;
bool optional_bool_2 false;

#####################################
# users
# gen_user(name, prefix, roles, default MLS level, MLS range); the empty
# second argument is the prefix. root is the only user permitted both
# user_r and sysadm_r.
gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
gen_user(joe,, user_r, s0, s0 - s0:c0.c23)

#####################################
# constraints
# (none declared)


####################################
#line 1 "initial_sid_contexts"

# The kernel SID uses sys_foo_t, which is also the label genfscon assigns
# to /proc below; this is a fixture choice, not a conventional layout.
sid kernel gen_context(system_u:system_r:sys_foo_t, s0)


############################################
#line 1 "fs_use"
#
# Filesystems that carry per-file labels in extended attributes.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);


genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)


####################################
#line 1 "net_contexts"

# Port, interface and IPv4 node contexts are left commented out; only the
# IPv6 loopback node is labeled.
#portcon tcp 21 system_u:object_r:net_foo_t:s0

#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0

#
#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0

nodecon ::1 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF gen_context(system_u:object_r:net_foo_t, s0)


