class process class blk_file class chr_file class dir class fifo_file class file class lnk_file class sock_file class class5 class class6 class class7 class class17 sid kernel sid security sid unlabeled sid file sid port sid netif sid netmsg sid node sid devnull class process { dyntransition transition } class file { ioctl read write } class class5 { perm } class class6 { perm } class class7 { perm } class class17 { ioctl } ifdef(`enable_mls',` sensitivity s0; dominance { s0 } category c0; category c1; category c2; category c3; category c4; category c5; category c6; category c7; category c8; category c9; category c10; category c11; category c12; category c13; category c14; category c15; category c16; category c17; category c18; category c19; category c20; category c21; category c22; category c23; level s0:c0.c23; mlsconstrain file { write } ( h1 dom h2 ); ') ######################################## # # Test start # ######################################## ## Test 1 (single type) type test1_t; allow test1_t test1_t : file read; neverallow test1_t { test1_t -self } : file read; # nofail ## Test 2 (single type) type test2_t; allow test2_t self : file read; neverallow test2_t { test1_t -self } : file read; # nofail ## Test 3 (single type) type test3_1_t; type test3_2_t; allow test3_1_t test3_2_t : file read; neverallow test3_1_t { test3_2_t -self } : file read; ## Test 4 (two types I) type test4_1_t; type test4_2_t; allow { test4_1_t test4_2_t } { test4_1_t test4_2_t } : file read; neverallow test4_1_t { test4_1_t test4_2_t -self } : file read; ## Test 5 (two types II) type test5_1_t; type test5_2_t; allow { test5_1_t test5_2_t } { test5_1_t test5_2_t } : class5 perm; neverallow * { test5_1_t test5_2_t -self } : class5 perm; ## Test 6 (two types III) type test6_1_t; type test6_2_t; allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : class6 perm; neverallow * { test6_2_t -self } : class6 perm; ## Test 7 (two types IV) type test7_1_t; type test7_2_t; allow { test7_1_t test7_2_t } test7_2_t : class7 perm; neverallow * { test7_1_t -self } : class7 perm; # nofail ## Test 8 (attribute violates type I) attribute test8_a; type test8_1_t, test8_a; type test8_2_t, test8_a; allow test8_a test8_a : file read; neverallow test8_1_t { test8_a -self } : file *; ## Test 9 (attribute violates type II) attribute test9_a; type test9_1_t, test9_a; type test9_2_t, test9_a; allow test9_1_t test9_a : file read; neverallow test9_1_t { test9_a -self } : file *; ## Test 10 (attribute violates type III) attribute test10_1_a; attribute test10_2_a; type test10_1_t, test10_1_a, test10_1_a; type test10_2_t, test10_1_a, test10_1_a; allow test10_1_a test10_1_a : file read; neverallow test10_1_t { test10_2_a -self } : file *; ## Test 11 (attribute violates attribute I) attribute test11_1_a; attribute test11_2_a; type test11_1_t, test11_1_a, test11_2_a; type test11_2_t, test11_1_a, test11_2_a; allow test11_1_t self : file read; allow test11_2_t test11_2_t : file read; neverallow test11_1_a { test11_2_a -self } : file *; # nofail ## Test 12 (attribute violates attribute II) attribute test12_a; type test12_1_t, test12_a; type test12_2_t, test12_a; allow test12_1_t test12_2_t : file read; neverallow test12_a { test12_a -self } : file *; ## Test 13 (attribute violates attribute III) attribute test13_a; type test13_1_t, test13_a; type test13_2_t, test13_a; allow test13_1_t test13_a : file read; neverallow test13_a { test13_a -self } : file *; ## Test 14 (attribute violates attribute IV) attribute test14_a; type test14_1_t, test14_a; type test14_2_t, test14_a; allow test14_a test14_a : file read; neverallow test14_a { test14_a -self } : file *; # ## Test 15 (attribute violates attribute V) attribute test13_1_a; attribute test13_2_a; type test13_t, test13_1_a, test13_2_a; allow test13_1_a test13_2_a : file read; neverallow test13_a { test13_2_a -self } : file *; ## Test 16 (types violate attribute) attribute test16_a; type test16_1_t, test16_a; type test16_2_t, test16_a; allow { test16_1_t test16_2_t } { test16_1_t test16_2_t } : file read; neverallow test16_a { test16_a -self } : file ~write; ## Test 17 (extended permissions I) type test17_1_t; type test17_2_t; allow { test17_1_t test17_2_t } { test17_1_t test17_2_t } : class17 ioctl; neverallowxperm ~test17_2_t { test17_1_t test17_2_t -self } : class17 ioctl 0x1111; ## Test 18 (extended permissions II) type test18_1_t; type test18_2_t; allow { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl; allowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t } : file ioctl 0x1111; neverallowxperm { test18_1_t test18_2_t } { test18_1_t test18_2_t -self } : file ioctl 0x2222; # nofail ## Test 19 (extended permissions III) type test19_1_t; type test19_2_t; allow { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl; allowxperm { test19_1_t test19_2_t } { test19_1_t test19_2_t } : file ioctl { 0x0100 - 0x0102 }; neverallowxperm test19_2_t { test19_1_t test19_2_t -self } : file ioctl { 0x0101 - 0x0104 }; ## Test 20 (extended permissions IV) type test20_1_t; type test20_2_t; allow { test20_1_t test20_2_t } { test20_1_t test20_2_t } : file ioctl; allowxperm test20_1_t test20_1_t : file ioctl 0x0101; allowxperm test20_1_t test20_2_t : file ioctl 0x0102; allowxperm test20_2_t test20_1_t : file ioctl 0x0103; allowxperm test20_2_t test20_2_t : file ioctl 0x0104; neverallowxperm { test20_1_t test20_2_t } { test20_1_t test20_2_t -self } : file ioctl { 0x0000 - 0x9000 }; ## Test 21 (extended permissions V) attribute test21_a; type test21_1_t, test21_a; type test21_2_t, test21_a; allow test21_a test21_a : file ioctl; allowxperm test21_a test21_a : file ioctl 0x9501; neverallowxperm test21_1_t { test21_a -self } : file ioctl 0x9511; # nofail ## Test 22 (extended permissions VI) type test22_t; allow test22_t self : file ioctl; allowxperm test22_t self : file ioctl 0x9501; allowxperm test22_t self : file ioctl 0x9511; neverallowxperm test22_t { test22_t -self } : file ioctl 0x9511; # nofail ## Test 23 (extended permissions VII) attribute test23_a; type test23_1_t, test23_a; type test23_2_t, test23_a; allow test23_a test23_a : file ioctl; allowxperm test23_a test23_a : file ioctl 0x9501; allowxperm test23_1_t test23_2_t : file ioctl 0x9511; neverallowxperm test23_1_t { test23_a -self } : file ioctl 0x9511; ## Test 24 (extended permissions VII) attribute test24_a; type test24_1_t, test24_a; type test24_2_t, test24_a; allow test24_a test24_a : file ioctl; allowxperm test24_a test24_a : file ioctl 0x9501; allowxperm test24_1_t test24_a : file ioctl 0x9511; neverallowxperm test24_1_t { test24_a -self } : file ioctl 0x9511; ## Test 25 (extended permissions IX) attribute test25_a; type test25_1_t, test25_a; type test25_2_t, test25_a; allow test25_a test25_a : file ioctl; allowxperm test25_a test25_a : file ioctl 0x9501; allowxperm test25_a test25_a : file ioctl 0x9511; neverallowxperm test25_1_t { test25_a -self } : file ioctl 0x9511; ## Test 26 (extended permissions X) attribute test26_1_a; attribute test26_2_a; type test26_1_t, test26_1_a, test26_2_a; type test26_2_t, test26_1_a, test26_2_a; allow { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl; allowxperm { test26_1_a test26_2_a } { test26_1_a test26_2_a } : file ioctl 0x9501; allowxperm test26_1_a test26_2_a : file ioctl 0x9511; neverallowxperm test26_1_t { test26_2_a -self } : file ioctl 0x9511; # ## Test 27 (extended permissions attribute violation I) attribute test27_a; type test27_1_t, test27_a; type test27_2_t, test27_a; allow test27_a test27_a : file ioctl; allowxperm test27_a test27_a : file ioctl 0x9501; allowxperm test27_1_t self : file ioctl 0x9521; allowxperm test27_2_t test27_2_t : file ioctl 0x9521; neverallowxperm test27_a { test27_a -self } : file ioctl 0x9521; # nofail # ## Test 28 (extended permissions attribute violation II) attribute test28_a; type test28_1_t, test28_a; type test28_2_t, test28_a; allow test28_a test28_a : file ioctl; allowxperm test28_1_t test28_2_t : file ioctl 0x9521; neverallowxperm test28_a { test28_a -self } : file ioctl 0x9521; ## Test 29 (extended permissions attribute violation III) attribute test29_a; type test29_1_t, test29_a; type test29_2_t, test29_a; allow test29_a test29_a : file ioctl; allowxperm test29_1_t test29_a : file ioctl 0x9521; neverallowxperm test29_a { test29_a -self } : file ioctl 0x9521; ## Test 30 (extended permissions attribute violation IV) attribute test30_a; type test30_1_t, test30_a; type test30_2_t, test30_a; allow test30_a test30_a : file ioctl; allowxperm test30_a test30_a : file ioctl 0x9521; neverallowxperm test30_a { test30_a -self } : file ioctl 0x9521; ## Test 31 (extended permissions attribute violation V) attribute test31_1_a; attribute test31_2_a; type test31_1_t, test31_1_a, test31_2_a; type test31_2_t, test31_1_a, test31_2_a; allow test31_1_a test31_1_a : file ioctl; allowxperm test31_1_a test31_2_a : file ioctl 0x9521; neverallowxperm test31_1_a { test31_2_a -self } : file ioctl 0x9521; ######################################## # # Test End # ######################################## type sys_isid; role sys_role; role sys_role types sys_isid; gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) sid kernel gen_context(sys_user:sys_role:sys_isid, s0) sid security gen_context(sys_user:sys_role:sys_isid, s0) sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) sid file gen_context(sys_user:sys_role:sys_isid, s0) sid port gen_context(sys_user:sys_role:sys_isid, s0) sid netif gen_context(sys_user:sys_role:sys_isid, s0) sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) sid node gen_context(sys_user:sys_role:sys_isid, s0) sid devnull gen_context(sys_user:sys_role:sys_isid, s0) fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0);