##############################

#

# Assertions for the type enforcement (TE) configuration.

#

#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

#

##################################

#

# Access vector assertions.

#

# An access vector assertion specifies permissions that should not be in

# an access vector based on a source type, a target type, and a class.

# If any of the specified permissions are in the corresponding access

# vector, then the policy compiler will reject the policy configuration.

# Currently, there is only one kind of access vector assertion, neverallow, 

# but support for the other kinds of vectors could be easily added.  Access 

# vector assertions use the same syntax as access vector rules.

#

# Confined domains must never touch an unconfined domain except to

# send SIGCHLD for child termination notifications.

neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;

# Confined domains must never see /proc/pid entries for an unconfined domain.

neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };

#

# Verify that every type that can be entered by

# a domain is also tagged as a domain.

#

neverallow domain ~domain:process { transition dyntransition};

# for gross mistakes in policy

neverallow domain domain:dir ~r_dir_perms;

neverallow domain domain:file_class_set ~rw_file_perms;

neverallow domain file_type:process *;

neverallow ~{ domain unlabeled_t } *:process *;