From 134191be67440b119e53d23560728470cb6960e1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jun 01 2005 15:40:37 +0000 Subject: move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work. --- diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 1f6bdaf..c83464e 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -21,7 +21,10 @@ # # Build compatibility policies -POLICYCOMPAT = -c 18 +POLICYCOMPAT = 18 + +# Build MLS policies +MLS=n # set distribution override M4PARAM += -D distro_redhat @@ -42,14 +45,24 @@ CHECKPOLICY := $(BINDIR)/checkpolicy LOADPOLICY := $(SBINDIR)/load_policy SETFILES := $(SBINDIR)/setfiles +# enable MLS if requested. +ifeq ($(MLS),y) + override M4PARAM += -D enable_mls + CHECKPOLICY += -M +endif + +ifneq ($(POLICYCOMPAT),) + CHECKPOLICY += -c $(POLICYCOMPAT) +endif + # determine the policy version and current kernel version if possible -PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') +PV := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') KV := $(shell cat /selinux/policyvers) # dont print version warnings if we are unable to determine # the currently running kernel's policy version ifeq ($(KV),) -KV := $(PV) + KV := $(PV) endif FC := file_contexts 
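Review bot: `CHECKPOLICY += -M` inside the new `ifeq ($(MLS),y)` block, and `CHECKPOLICY += -c $(POLICYCOMPAT)` right below it, are plain appends, so a command-line `CHECKPOLICY=/path/to/checkpolicy` (the normal way to point at a different checkpolicy build) silently discards both flags and the policy is compiled without MLS and without the compatibility version, whereas the neighbouring `M4PARAM` line already uses `override`. Either write `override CHECKPOLICY += -M` and `override CHECKPOLICY += -c $(POLICYCOMPAT)`, or keep the binary and its options in separate variables so the `-V` probe and both `$(CHECKPOLICY) $^ -o $@` recipes further down see the same flags. The block also accepts `MLS=y` together with the default `POLICYCOMPAT = 18` without comment; to my knowledge MLS needs a newer policy version than that, so a guard such as `$(error MLS=y requires POLICYCOMPAT >= 19)` (or at least a comment on `MLS=n` saying the two knobs interact) would save a confusing checkpolicy failure.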
@@ -68,21 +81,20 @@ FCPATH = $(CONTEXTPATH)/files/file_contexts HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template BASE_MODULE = kernel -FLASKDIR = $(BASE_MODULE)/flask/ -MISCDIR = $(BASE_MODULE)/misc/ +FLASKDIR = flask APPDIR := $(CONTEXTPATH) APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media -USER_FILES := $(MISCDIR)/users +USER_FILES := users DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d) -ALL_MODULES := $(filter-out tmp appconfig CVS,$(DETECTED_DIRS)) +ALL_MODULES := $(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS)) -PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors) +PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) mls ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if)) ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te)) -POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use) +POST_TE_FILES := users constraints initial_sid_contexts fs_use ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc)) @@ -111,7 +123,7 @@ ifneq ($(PV),$(KV)) @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" @echo endif - $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@ + $(QUIET) $(CHECKPOLICY) $^ -o $@ ######################################## # @@ -125,7 +137,7 @@ ifneq ($(PV),$(KV)) @echo "WARNING: Policy version mismatch! Is your POLICYCOMPAT set correctly?" @echo endif - $(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $@ + $(QUIET) $(CHECKPOLICY) $^ -o $@ ######################################## # diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints new file mode 100644 index 0000000..5f537f2 --- /dev/null +++ b/refpolicy/policy/constraints 
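Review bot: The new `ALL_MODULES := $(filter-out tmp CVS $(APPDIR) $(FLASKDIR),$(DETECTED_DIRS))` drops `appconfig` from the exclusion list, and the `$(APPDIR)` that replaces it expands to `$(CONTEXTPATH)` (per the unchanged `APPDIR := $(CONTEXTPATH)` line, presumably an install path), which cannot match the bare directory names produced by `find $(wildcard *) -maxdepth 0 -type d`; the `appconfig` directory that `CONTEXTFILES` still reads from is therefore scanned as a policy module. That is harmless only while it holds no `.te`, `.if` or `.fc` file, so I would restore `appconfig` to the list, or filter on `$(notdir $(APPDIR))` if APPDIR is meant to be the source directory. The `PRE_TE_FILES` line deserves a why-comment too: `mls` moved from `POST_TE_FILES` to the front of the TE files, and `# mls must precede the .te files: level declarations are needed before any rule references them` is not obvious from the variable names.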
@@ -0,0 +1,80 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+#
+# Define m4 macros for the constraints
+#
+
+#
+# Define the constraints
+#
+# constrain class_set perm_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_op r2
+# | t1 op t2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+#
+# op : == | !=
+# role_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# SELinux process identity change constraint:
+#
+constrain process transition
+ ( u1 == u2 or ( t1 == can_change_process_identity and t2 == userdomain )
+ifdef(`crond.te', `
+ or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
+')
+ifdef(`TODO',`
+ifdef(`userhelper.te',
+ `or (t1 == userhelperdomain)')
+ or (t1 == priv_system_role and u2 == system_u )
+') dnl end TODO
+ );
+
+#
+# SELinux process role change constraint:
+#
+constrain process transition
+ ( r1 == r2 or ( t1 == can_change_process_role and t2 == userdomain )
+ifdef(`crond.te', `
+ or (t1 == crond_t and t2 == user_crond_domain)
+')
+ifdef(`TODO',`
+ifdef(`userhelper.te',
+ `or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+ `or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
+ or (t1 == priv_system_role and r2 == system_r )
+') dnl end TODO
+ );
+
+#
+# SELinux dynamic transition constraint:
+#
+constrain process dyntransition
+ ( u1 == u2 and r1 == r2);
+
+#
+# SElinux object identity change constraint:
+#
+constrain dir_file_class_set { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+
+constrain socket_class_set { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
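Review bot: The blocks guarded by ifdef on `TODO` in both `constrain process transition` rules hide real exceptions (the `userhelperdomain` and `priv_system_role` clauses, and the postfix/sysadm_mail clause in the role constraint) behind a macro nothing in this commit defines, so they are compiled out with no trace in the built policy; the ifdef guards on `crond.te` are in the same position unless some other makefile passes a matching `-D`, which the Makefile hunks here do not. A comment above each such block stating that this is deliberate would stop the next reader from assuming the exceptions are active, e.g. `# userhelper/priv_system_role exceptions are disabled (TODO undefined) until those modules are converted`. The `Define m4 macros for the constraints` header also describes nothing, since the file defines no macros; drop it or add the macros it promises.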
diff --git a/refpolicy/policy/flask/Makefile b/refpolicy/policy/flask/Makefile
new file mode 100644
index 0000000..970b9fe
--- /dev/null
+++ b/refpolicy/policy/flask/Makefile
@@ -0,0 +1,41 @@
+# flask needs to know where to export the libselinux headers.
+LIBSEL ?= ../../libselinux
+
+# flask needs to know where to export the kernel headers.
+LINUXDIR ?= ../../../linux-2.6
+
+AWK = awk
+
+CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+ else if [ -x /bin/bash ]; then echo /bin/bash; \
+ else echo sh; fi ; fi)
+
+FLASK_H_DEPEND = security_classes initial_sids
+AV_H_DEPEND = access_vectors
+
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
+
+all: $(ALL_H_FILES)
+
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
+ $(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
+
+$(AV_H_FILES): $(AV_H_DEPEND)
+ $(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
+
+tolib: all
+ install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
+ install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
+
+tokern: all
+ install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
+
+install: all
+
+relabel:
+
+clean:
+ rm -f $(FLASK_H_FILES)
+ rm -f $(AV_H_FILES)
diff --git a/refpolicy/policy/flask/access_vectors b/refpolicy/policy/flask/access_vectors
new file mode 100644
index 0000000..1004d39
--- /dev/null
+++ b/refpolicy/policy/flask/access_vectors
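Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` each list several outputs on one rule header, which make reads as independent rules sharing a recipe, so under `make -j` mkflask.sh can run three times and mkaccess_vector.sh four times concurrently, all rewriting the same headers, and after a partial clean only the missing file's copy of the recipe runs. A stamp file per generator makes each script run exactly once (a pattern rule with several `%` targets is the other portable option), and listing the script itself as a prerequisite makes an edited generator regenerate its headers. None of `all`, `tolib`, `tokern`, `install`, `relabel` or `clean` is declared `.PHONY`, and `tolib`/`tokern` copy into `$(LIBSEL)` and `$(LINUXDIR)` without checking those directories exist, so a wrong default path only fails at the `install` call.
```make
.flask.stamp: $(FLASK_H_DEPEND) mkflask.sh
	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
	@touch $@
$(FLASK_H_FILES): .flask.stamp ;

.av.stamp: $(AV_H_DEPEND) mkaccess_vector.sh
	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
	@touch $@
$(AV_H_FILES): .av.stamp ;

.PHONY: all tolib tokern install relabel clean
# … unchanged: tolib/tokern/install/relabel rules …
clean:
	rm -f $(FLASK_H_FILES) $(AV_H_FILES) .flask.stamp .av.stamp
```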
@@ -0,0 +1,608 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+}
+
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class drawable
+{
+ create
+ destroy
+ draw
+ copy
+ getattr
+}
+
+class gc
+{
+ create
+ free
+ getattr
+ setattr
+}
+
+class window
+{
+ addchild
+ create
+ destroy
+ map
+ unmap
+ chstack
+ chproplist
+ chprop
+ listprop
+ getattr
+ setattr
+ setfocus
+ move
+ chselection
+ chparent
+ ctrllife
+ enumerate
+ transparent
+ mousemotion
+ clientcomevent
+ inputevent
+ drawevent
+ windowchangeevent
+ windowchangerequest
+ serverchangeevent
+ extensionevent
+}
+
+class font
+{
+ load
+ free
+ getattr
+ use
+}
+
+class colormap
+{
+ create
+ free
+ install
+ uninstall
+ list
+ read
+ store
+ getattr
+ setattr
+}
+
+class property
+{
+ create
+ free
+ read
+ write
+}
+
+class cursor
+{
+ create
+ createglyph
+ free
+ assign
+ setattr
+}
+
+class xclient
+{
+ kill
+}
+
+class xinput
+{
+ lookup
+ getattr
+ setattr
+ setfocus
+ warppointer
+ activegrab
+ passivegrab
+ ungrab
+ bell
+ mousemotion
+ relabelinput
+}
+
+class xserver
+{
+ screensaver
+ gethostlist
+ sethostlist
+ getfontpath
+ setfontpath
+ getattr
+ grab
+ ungrab
+}
+
+class xextension
+{
+ query
+ use
+}
+
+#
+# Define the access vector interpretation for controlling
+# PaX flags
+#
+class pax
+{
+ pageexec # Paging based non-executable pages
+ emutramp # Emulate trampolines
+ mprotect # Restrict mprotect()
+ randmmap # Randomize mmap() base
+ randexec # Randomize ET_EXEC base
+ segmexec # Segmentation based non-executable pages
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
diff --git a/refpolicy/policy/flask/initial_sids b/refpolicy/policy/flask/initial_sids
new file mode 100644
index 0000000..95894eb
--- /dev/null
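Review bot: The `# inherited from file` comment inside `common socket` is misleading: a `common` block cannot inherit anything — mkaccess_vector.sh in this same commit only accepts `inherits` after a `class` line — so those ten permissions are a hand-maintained copy of `common file` that has to be kept in sync by hand (and their bit positions must stay identical for code that treats socket objects like files). I would reword it to `# copied from common file (commons cannot inherit); keep order and names in sync`. The `class capability` block already notes that its order must match include/linux/capability.h; adding the count it assumes, `# 31 capabilities, chown (0) through audit_control (30)`, turns the drift check into a one-line comparison.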
+++ b/refpolicy/policy/flask/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/refpolicy/policy/flask/mkaccess_vector.sh b/refpolicy/policy/flask/mkaccess_vector.sh
new file mode 100755
index 0000000..b5da734
--- /dev/null
+++ b/refpolicy/policy/flask/mkaccess_vector.sh
@@ -0,0 +1,227 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift + +# output files +av_permissions="av_permissions.h" +av_inherit="av_inherit.h" +common_perm_to_string="common_perm_to_string.h" +av_perm_to_string="av_perm_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$av_permissions\" + inheritfile = \"$av_inherit\" + cpermfile = \"$common_perm_to_string\" + avpermfile = \"$av_perm_to_string\" + "' + nextstate = "COMMON_OR_AV"; + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile; + printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile; + printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile; +; + } +/^[ \t]*#/ { + next; + } +$1 == "common" { + if (nextstate != "COMMON_OR_AV") + { + printf("Parse error: Unexpected COMMON definition on line %d\n", NR); + next; + } + + if ($2 in common_defined) + { + printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR); + next; + } + common_defined[$2] = 1; + + tclass = $2; + common_name = $2; + permission = 1; + + printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile; + + nextstate = "COMMON-OPENBRACKET"; + next; + } +$1 == "class" { + if (nextstate != "COMMON_OR_AV" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + tclass = $2; + + if (tclass in av_defined) + { + printf("Duplicate access vector definition for %s on line %d\n", tclass, NR); + next; + } + av_defined[tclass] = 1; + + inherits = ""; + permission = 1; + + nextstate = "INHERITS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "inherits" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET") + { + printf("Parse error: Unexpected INHERITS definition on line %d\n", NR); + next; + } + + if (!($2 in common_defined)) + { + printf("COMMON %s is not defined (line %d).\n", $2, NR); + next; + } + + 
inherits = $2; + permission = common_base[$2]; + + for (combined in common_perms) + { + split(combined,separate, SUBSEP); + if (separate[1] == inherits) + { + inherited_perms[common_perms[combined]] = separate[2]; + } + } + + j = 1; + for (i in inherited_perms) { + ind[j] = i + 0; + j++; + } + n = asort(ind); + for (i = 1; i <= n; i++) { + perm = inherited_perms[ind[i]]; + printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; + spaces = 40 - (length(perm) + length(tclass)); + if (spaces < 1) + spaces = 1; + for (j = 0; j < spaces; j++) + printf(" ") > outfile; + printf("0x%08xUL\n", ind[i]) > outfile; + } + printf("\n") > outfile; + for (i in ind) delete ind[i]; + for (i in inherited_perms) delete inherited_perms[i]; + + printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; + + nextstate = "CLASS_OR_CLASS-OPENBRACKET"; + next; + } +$1 == "{" { + if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" && + nextstate != "CLASS_OR_CLASS-OPENBRACKET" && + nextstate != "COMMON-OPENBRACKET") + { + printf("Parse error: Unexpected { on line %d\n", NR); + next; + } + + if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "CLASS_OR_CLASS-OPENBRACKET") + nextstate = "CLASS-CLOSEBRACKET"; + + if (nextstate == "COMMON-OPENBRACKET") + nextstate = "COMMON-CLOSEBRACKET"; + } +/[a-z][a-z_]*/ { + if (nextstate != "COMMON-CLOSEBRACKET" && + nextstate != "CLASS-CLOSEBRACKET") + { + printf("Parse error: Unexpected symbol %s on line %d\n", $1, NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + if ((common_name,$1) in common_perms) + { + printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR); + next; + } + + common_perms[common_name,$1] = permission; + + printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; + + printf(" S_(\"%s\")\n", $1) > cpermfile; + } + else + { + if ((tclass,$1) in av_perms) + { + 
printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR); + next; + } + + av_perms[tclass,$1] = permission; + + if (inherits != "") + { + if ((inherits,$1) in common_perms) + { + printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR); + next; + } + } + + printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; + + printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; + } + + spaces = 40 - (length($1) + length(tclass)); + if (spaces < 1) + spaces = 1; + + for (i = 0; i < spaces; i++) + printf(" ") > outfile; + printf("0x%08xUL\n", permission) > outfile; + permission = permission * 2; + } +$1 == "}" { + if (nextstate != "CLASS-CLOSEBRACKET" && + nextstate != "COMMON-CLOSEBRACKET") + { + printf("Parse error: Unexpected } on line %d\n", NR); + next; + } + + if (nextstate == "COMMON-CLOSEBRACKET") + { + common_base[common_name] = permission; + printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; + } + + printf("\n") > outfile; + + nextstate = "COMMON_OR_AV"; + } +END { + if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET") + printf("Parse error: Unexpected end of file\n"); + + }' + +# FLASK diff --git a/refpolicy/policy/flask/mkflask.sh b/refpolicy/policy/flask/mkflask.sh new file mode 100755 index 0000000..9c84754 --- /dev/null +++ b/refpolicy/policy/flask/mkflask.sh 
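Review bot: Every parse error in the awk program (`Parse error: …`, `Duplicate permission …`, `COMMON %s is not defined …`) is printed to stdout with `printf` and followed by `next`, so awk exits 0, the `set -e` at the top never fires, and the Makefile rule that runs this script records a successful build from a truncated or inconsistent access_vectors; mkflask.sh in this commit has the same pattern. Print to stderr and fail instead, e.g. `printf(...) > "/dev/stderr"; exit 1;`, or set a flag and `exit 1` in the END block. One of those messages is also malformed: `"Permission %s in %s on line %d conflicts with common permission.\n"` is given four arguments (`$1, tclass, inherits, NR`) for three conversions, so the line number printed is actually the common name; `"Permission %s in %s conflicts with common %s permission (line %d).\n"` matches the arguments. Two smaller points: `asort()` is a gawk extension while the Makefile defaults `AWK = awk`, so the inherited-permission loop fails on a POSIX awk, and `permission = permission * 2` is never bounded, so a class with more than 32 permissions silently emits values that no longer fit the `0x%08xUL` access-vector width — an `if (permission >= 2147483648) { ...error...; exit 1 }` before the multiply would catch it.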
@@ -0,0 +1,95 @@ +#!/bin/sh - +# + +# FLASK + +set -e + +awk=$1 +shift 1 + +# output file +output_file="flask.h" +debug_file="class_to_string.h" +debug_file2="initial_sid_to_string.h" + +cat $* | $awk " +BEGIN { + outfile = \"$output_file\" + debugfile = \"$debug_file\" + debugfile2 = \"$debug_file2\" + "' + nextstate = "CLASS"; + + printf("/* This file is automatically generated. Do not edit. */\n") > outfile; + + printf("#ifndef _SELINUX_FLASK_H_\n") > outfile; + printf("#define _SELINUX_FLASK_H_\n") > outfile; + printf("\n/*\n * Security object class definitions\n */\n") > outfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile; + printf("/*\n * Security object class definitions\n */\n") > debugfile; + printf(" S_(\"null\")\n") > debugfile; + printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2; + printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2; + printf(" \"null\",\n") > debugfile2; + } +/^[ \t]*#/ { + next; + } +$1 == "class" { + if (nextstate != "CLASS") + { + printf("Parse error: Unexpected class definition on line %d\n", NR); + next; + } + + if ($2 in class_found) + { + printf("Duplicate class definition for %s on line %d.\n", $2, NR); + next; + } + class_found[$2] = 1; + + class_value++; + + printf("#define SECCLASS_%s", toupper($2)) > outfile; + for (i = 0; i < 40 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", class_value) > outfile; + + printf(" S_(\"%s\")\n", $2) > debugfile; + } +$1 == "sid" { + if (nextstate == "CLASS") + { + nextstate = "SID"; + printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile; + } + + if ($2 in sid_found) + { + printf("Duplicate SID definition for %s on line %d.\n", $2, NR); + next; + } + sid_found[$2] = 1; + sid_value++; + + printf("#define SECINITSID_%s", toupper($2)) > outfile; + for (i = 0; i < 37 - length($2); i++) + printf(" ") > outfile; + printf("%d\n", sid_value) > outfile; + printf(" 
\"%s\",\n", $2) > debugfile2;
+ }
+END {
+ if (nextstate != "SID")
+ printf("Parse error: Unexpected end of file\n");
+
+ printf("\n#define SECINITSID_NUM") > outfile;
+ for (i = 0; i < 34; i++)
+ printf(" ") > outfile;
+ printf("%d\n", sid_value) > outfile;
+ printf("\n#endif\n") > outfile;
+ printf("};\n\n") > debugfile2;
+ }'
+
+# FLASK
diff --git a/refpolicy/policy/flask/security_classes b/refpolicy/policy/flask/security_classes
new file mode 100644
index 0000000..2669c30
--- /dev/null
+++ b/refpolicy/policy/flask/security_classes
@@ -0,0 +1,86 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd
+
+# SE-X Windows stuff
+class drawable
+class window
+class gc
+class font
+class colormap
+class property
+class cursor
+class xclient
+class xinput
+class xserver
+class xextension
+
+# pax flags
+class pax
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus
+class nscd
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+# FLASK
diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
new file mode 100644
index 0000000..21f9f2d
--- /dev/null
+++ b/refpolicy/policy/mls
@@ -0,0 +1,731 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+ifdef(`enable_mls',`
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+sensitivity s3;
+sensitivity s4;
+sensitivity s5;
+sensitivity s6;
+sensitivity s7;
+sensitivity s8;
+sensitivity s9;
+
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MLS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+level s1:c0.c127;
+level s2:c0.c127;
+level s3:c0.c127;
+level s4:c0.c127;
+level s5:c0.c127;
+level s6:c0.c127;
+level s7:c0.c127;
+level s8:c0.c127;
+level s9:c0.c127;
+
+
+#
+# Define the MLS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name#
+#
+
+#
+# MLS policy for the file classes
+#
+
+# make sure these file classes are "single level"
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+ ( l2 eq h2 );
+
+# new file labels must be dominated by the relabling subject clearance
+mlsconstrain { dir file 
lnk_file chr_file blk_file sock_file fifo_file } relabelto
+ ( h1 dom h2 );
+
+# the file "read" ops (note the check is dominance of the low level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain dir search
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the "ranged" file "write" ops
+mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain dir { add_name remove_name reparent rmdir }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# these access vectors have no MLS restrictions
+# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
+#
+# file { execute_no_trans entrypoint }
+
+# the file upgrade/downgrade rule
+mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+ (( h1 eq h2 ) or
+ (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsfiledowngrade ) and ( h1 dom h2 
)) or
+ (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
+# create can also require the upgrade/downgrade checks if the creating process
+# has used setfscreate (note that both the high and low level of the object
+# default to the process sensitivity level)
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
+ ((( l1 eq l2 ) or
+ (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
+ (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
+
+
+#
+# MLS policy for the filesystem class
+#
+
+# new filesystem labels must be dominated by the relabling subject clearance
+mlsconstrain filesystem relabelto
+ ( h1 dom h2 );
+
+# the filesystem "read" ops (implicit single level)
+mlsconstrain filesystem { getattr quotaget }
+ (( l1 dom l2 ) or
+ (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfileread ));
+
+# all the filesystem "write" ops (implicit single level)
+mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ));
+
+# these access vectors have no MLS restrictions
+# filesystem { transition associate }
+
+
+#
+# MLS policy for the socket classes
+#
+
+# new socket labels must be dominated by the relabling subject clearance
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+ ( h1 dom h2 );
+
+# the socket "read" ops (note that the we check dominance of the low level)
+mlsconstrain 
{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { tcp_socket unix_stream_socket } acceptfrom + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +# the socket "write" ops +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +# these access vectors have no MLS restrictions +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket 
netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind } +# +# { tcp_socket udp_socket rawip_socket } node_bind +# +# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write +# + + +# +# MLS policy for the ipc classes +# + +# the ipc "read" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { getattr read unix_read } + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +mlsconstrain msg receive + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +# the ipc "write" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msgq enqueue + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain shm lock + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msg send + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +# these access vectors have no MLS restrictions +# { ipc sem msgq shm } associate + + +# +# MLS policy for the fd class +# + +# these access vectors have no MLS restrictions +# fd use + + +# +# MLS policy for the node class +# + +# these access vectors have no MLS restrictions +# node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } + + +# +# MLS policy for the netif class +# + +# these access vectors have no MLS restrictions +# netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest } + + +# +# MLS policy for the process class +# + +# new process labels must be dominated by the relabling 
subject clearance and +# sensitivity level changes require privilege +mlsconstrain process { transition dyntransition } + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); + +# all the process "read" ops +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (( l1 dom l2 ) or + (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsprocread )); + +# all the process "write" ops (note the check is equality on the low level) +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } + (( l1 eq l2 ) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsprocwrite )); + +# these access vectors have no MLS restrictions +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh} + + +# +# MLS policy for the security class +# + +# these access vectors have no MLS restrictions +# security * + + +# +# MLS policy for the system class +# + +# these access vectors have no MLS restrictions +# system * + + +# +# MLS policy for the capability class +# + +# these access vectors have no MLS restrictions +# capability * + + + +# +# MLS policy for the passwd class +# + +# these access vectors have no MLS restrictions +# passwd * + + +# +# MLS policy for the drawable class +# + +# the drawable "read" ops (implicit single level) +mlsconstrain drawable { getattr copy } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the drawable "write" ops (implicit single level) +mlsconstrain drawable { create destroy draw copy } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the gc class +# + +# the gc "read" ops (implicit single level) +mlsconstrain gc getattr + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the gc "write" ops (implicit single 
level) +mlsconstrain gc { create free setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the window class +# + +# the window "read" ops (implicit single level) +mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the window "write" ops (implicit single level) +mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# window { map unmap } + + +# +# MLS policy for the font class +# + +# the font "read" ops (implicit single level) +mlsconstrain font { load getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the font "write" ops (implicit single level) +mlsconstrain font free + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# font use + + +# +# MLS policy for the colormap class +# + +# the colormap "read" ops (implicit single level) +mlsconstrain colormap { list read getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the colormap "write" ops (implicit single level) +mlsconstrain colormap { create free install uninstall store setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the property class +# + +# the property "read" ops (implicit single level) +mlsconstrain 
property { read } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the property "write" ops (implicit single level) +mlsconstrain property { create free write } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# +# MLS policy for the cursor class +# + +# the cursor "write" ops (implicit single level) +mlsconstrain cursor { create createglyph free assign setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the xclient class +# + +# the xclient "write" ops (implicit single level) +mlsconstrain xclient kill + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the xinput class +# + +# the xinput "read" ops (implicit single level) +mlsconstrain xinput { lookup getattr mousemotion } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xinput "write" ops (implicit single level) +mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + + + +# +# MLS policy for the xserver class +# + +# the xserver "read" ops (implicit single level) +mlsconstrain xserver { gethostlist getfontpath getattr screensaver } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xserver "write" ops (implicit single level) +mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the xextension class +# + +# the xextension "read" ops (implicit single level) 
+mlsconstrain xextension query + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the xextension "write" ops (implicit single level) +mlsconstrain xextension use + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the pax class +# + +# these access vectors have no MLS restrictions +# pax { pageexec emutramp mprotect randmmap randexec segmexec } + + +# +# MLS policy for the dbus class +# + +# these access vectors have no MLS restrictions +# dbus { acquire_svc send_msg } + + +# +# MLS policy for the nscd class +# + +# these access vectors have no MLS restrictions +# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } + + +# +# MLS policy for the association class +# + +# these access vectors have no MLS restrictions +# association { sendto recvfrom } + +attribute mlsfileread; +attribute mlsfilereadtoclr; +attribute mlsfilewrite; +attribute mlsfilewritetoclr; +attribute mlsfileupgrade; +attribute mlsfiledowngrade; + +attribute mlsnetread; +attribute mlsnetreadtoclr; +attribute mlsnetwrite; +attribute mlsnetwritetoclr; +attribute mlsnetupgrade; +attribute mlsnetdowngrade; +attribute mlsnetbindall; + +attribute mlsipcread; +attribute mlsipcreadtoclr; +attribute mlsipcwrite; +attribute mlsipcwritetoclr; + +attribute mlsprocread; +attribute mlsprocreadtoclr; +attribute mlsprocwrite; +attribute mlsprocwritetoclr; +attribute mlsprocsetsl; + +attribute mlsxwinread; +attribute mlsxwinreadtoclr; +attribute mlsxwinwrite; +attribute mlsxwinwritetoclr; +attribute mlsxwinupgrade; +attribute mlsxwindowngrade; + +attribute mlstrustedobject; + +attribute privrangetrans; +attribute mlsrangetrans; + +') dnl end enable_mls diff --git a/refpolicy/policy/users b/refpolicy/policy/users new file mode 100644 index 0000000..5027903 --- /dev/null +++ b/refpolicy/policy/users 
@@ -0,0 +1,14 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+##################################
+#
+# Core User configuration.
+#
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+user system_u roles system_r user_mls(s0,s0 - s9:c0.c127);
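Review bot: The clearance `s0 - s9:c0.c127` on the last line hard-codes the MLS system-high level in a file that defines no sensitivities or categories itself, so it silently depends on whatever the `mls` file now listed in the Makefile's PRE_TE_FILES declares; if the two drift apart, checkpolicy rejects this `user` statement. A comment above the `user` line such as `# clearance must equal the highest sensitivity and full category range declared in the mls file` would make that coupling visible, and deriving the range from one shared m4 definition would remove it. `user_mls` is presumably an m4 macro defined elsewhere in this commit; if it is only defined when `enable_mls` is set, a build with the Makefile's default `MLS=n` would pass the call text through unexpanded, which is worth confirming.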