diff --git a/autotests/folding/test.cil.fold b/autotests/folding/test.cil.fold
--- a/autotests/folding/test.cil.fold
+++ b/autotests/folding/test.cil.fold
@@ -48,7 +48,7 @@
 (classcommon file any dir)
 (file any dir)
 ; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
 (defaultrole tcp udp)
 (tcp udp)
@@ -58,7 +58,7 @@
 (fsuse trans tmpfs file.tmpfs_context)
 (typemember xattr task trans)
 (xattr task trans)
-
+
 (allow unconfined.process self (file (read write)))
 (allow process httpd.object (file (read write)))
@@ -142,3 +142,12 @@
 (genfscon rootfs / rootfs_context)
 (genfscon selinuxfs / selinuxfs_context)
 )
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/folding/test.fc.fold b/autotests/folding/test.fc.fold
--- a/autotests/folding/test.fc.fold
+++ b/autotests/folding/test.fc.fold
@@ -56,6 +56,14 @@
 /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 ')
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+
 # Tests
 # Variables
diff --git a/autotests/folding/test.te.fold b/autotests/folding/test.te.fold
new file mode 100644
--- /dev/null
+++ b/autotests/folding/test.te.fold
@@ -0,0 +1,125 @@ +# Sample SELinux Policy + +## > +## Sample SELinux Policy +## +## > +## > +## This module is not functional, +## but only to test the syntax highlighting. +##

+## +## val="true"> +## Depended on by other required modules. +## + +policycap open_perms; +module myapp 1.0; + +require { + type httpd_t; + type httpd_sys_content_t; + type initrc_t; + class sock_file write; + class unix_stream_socket connectto; +} + +allow httpd_t httpd_sys_content_t:sock_file write; +allow httpd_t initrc_t:unix_stream_socket connectto; + +tunable_policy(`allow_execmem',` + /usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0); +') +regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***') +ifdef(`distro_ubuntu',` + unconfined_domain(chkpwd_t) +') + +dominance { gen_dominance(0,decr($1)) }; +neverallow user=_isolated domain=((?!isolated_app).)* + +allow consoletype_t self:capability { sys_admin sys_tty_config }; +allow consoletype_t self:msg { send receive }; + +# sample for administrative user +user jadmin roles { staff_r sysadm_r }; +# sample for regular user +user jdoe roles { user_r }; + +default_user process source; +default_range process source low; + +sid devnull; +sid sysctl; + +common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton }; +class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod }; +class class; + +sensitivity s0 alias sens0; +category c0 alias cat0; +level s0:c0; + +mlsconstrain dir { search read ioctl lock } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == domain))); + +attribute_role dpkg_roles; +roleattribute system_r dpkg_roles; + +role system_r types system_t; +role_transition hello init_script_file_type system_r; + +attribute filesystem_type; +type dhcp_etc_t; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; + +bool le_boolean true; +TUNABLE allow_java_execstack false; + +type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; +AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send; + 
+optional { + neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; + neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; +}; + +if le_boolean { + DONTAUDIT untrusted_app asec_public_file:file { execute execmod }; +} else { + ALLOW untrusted_app perfprofd_data_file:file r_file_perms; + allow untrusted_app perfprofd_data_file:dir r_dir_perms; +}; + +sid devnull system_u:object_r:null_device_t:s0 +genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) +genfscon rootfs / gen_context(system_u:object_r:root_t,s0) + +genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 +genfscon selinuxfs / u:object_r:selinuxfs:s0 +fs_use_trans devtmpfs system_u:object_r:device_t:s0; +fs_use_task pipefs u:object_r:pipefs:s0; +fs_use_xattr xfs u:object_r:labeledfs:s0; +fs_use_xattr btrfs u:object_r:labeledfs:s0; + +portcon tcp 80 u:object_r:http_port:s0; +portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0); +netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3); + +nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0; +nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0; + +# Regular Expressions +regexp(`Hello(!|\^\^)+', ` + ^\s*(?\.) + ( + hello[^\s\x12/][1-9]*| # Hello + bye + )\s*$ +') +"aaaa(?= +sdf sdf)ds(aa + aa)" +"sdf[^ +a]" diff --git a/autotests/html/test.cil.html b/autotests/html/test.cil.html --- a/autotests/html/test.cil.html +++ b/autotests/html/test.cil.html @@ -8,7 +8,7 @@ ; Tests -(policycap open_perms) ; Policy config. statement +(policycap open_perms) ; Policy config. statement (mls true) (handleunknown allow) 
@@ -49,12 +49,12 @@
 ; filecon
 (filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
 (filecon "/data/local/mine" dir ())
 (classcommon file any dir)
 (file any dir)
 ; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
 (defaultrole tcp udp)
 (tcp udp)
@@ -64,16 +64,16 @@
 (fsuse trans tmpfs file.tmpfs_context)
 (typemember xattr task trans)
 (xattr task trans)
-
+
 (allow unconfined.process self (file (read write)))
 (allow process httpd.object (file (read write)))
 ; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
-"/data/(open "
-"/data/[open "
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
+"/data/(open "
+"/data/[open "
 ; Some rules
@@ -90,14 +90,14 @@
 (allowx type_3 type_4 ioctl_nodebug)
 (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
-(class property_service (set))
+(class property_service (set))
 (block av_rules
 (type type_1)
 (type type_2)
 (typeattribute all_types)
 (typeattributeset all_types ((all)))
- (neverallow type_2 all_types (property_service (set)))
+ (neverallow type_2 all_types (property_service (set)))
 )
 (macro binder_call ((type ARG1) (type ARG2))
 (allow ARG1 ARG2 (binder (transfer call)))
@@ -148,4 +148,13 @@
 (genfscon rootfs / rootfs_context)
 (genfscon selinuxfs / selinuxfs_context)
 )
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/html/test.fc.html b/autotests/html/test.fc.html
--- a/autotests/html/test.fc.html
+++ b/autotests/html/test.fc.html
@@ -8,76 +8,84 @@
 # Syntax of 'file_contexts' file and other SELinux configuration files:
-/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
+/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
 /.* system_u:object_r:default_t:s0
-/sys(/.*)? system_u:object_r:sysfs_t:s0
-/xen(/.*)? system_u:object_r:xen_image_t:s1
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
-/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
+/sys(/.*)? system_u:object_r:sysfs_t:s0
+/xen(/.*)? system_u:object_r:xen_image_t:s1
+/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
+/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
 /tmp/.* <<none>>
-/root(/.*)? system_u:object_r:admin_home_t:s0
-/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
-/run/.*\.*pid <<none>>
-/mnt/[^/]*/.* <<none>>
-/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
-/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5
+/root(/.*)? system_u:object_r:admin_home_t:s0
+/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
+/run/.*\.*pid <<none>>
+/mnt/[^/]*/.* <<none>>
+/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
+/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5
 HOME_DIR/.+ system_u:object_r:user_home_t:s0
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
-HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
-
-/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
-/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
-/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
-/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
+HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
+
+/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
+/var/(db|adm)/sudo(/.*)? 
system_u:object_r:pam_var_run_t:s0
+/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
+/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
+/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
+/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
 /dev/shm/.* <<none>>
-/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
-/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
+/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
+/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
 /sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
-/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
-/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
+/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
+/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
 # Syntax of *.fc files, from the SELinux reference policy:
 /run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
-/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
-HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
+/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+/var/log/mariadb(/.*)? 
gen_context(system_u:object_r:mysqld_log_t,s0)
+/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
 HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
-ifdef(`distro_debian',`
- /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
- /run/shm/.* <<none>>
-')
-ifdef(`distro_suse',`
- /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-ifdef(`init_systemd',`
- /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
-')
+ifdef(`distro_debian',`
+ /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+ /run/shm/.* <<none>>
+')
+ifdef(`distro_suse',`
+ /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+ifdef(`init_systemd',`
+ /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+')
+
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
 # Tests
 # Variables
 HOME_DIR/path
 HOME_ROOT/path
-/path/HOME_DIR/HOME_ROOT
+/path/HOME_DIR/HOME_ROOT
 # Open brackets
-/hello(world
-/hello[wo
+/hello(world
+/hello[wo
-/path[^0-8]+
-/path(hello|bye)
+/path[^0-8]+
+/path(hello|bye)
 /path.*a+b?
-/path\wa\Wa\sa\da\ba\Ba\(a
-/usr/hi\"esc\sesc\032esc\*3esds
+/path\wa\Wa\sa\da\ba\Ba\(a
+/usr/hi\"esc\sesc\032esc\*3esds
 # Security contexts
 user:role
@@ -91,8 +99,8 @@
 (user:role:type,level_s,)
 (user:role:type,level_s,level_c)
 (user:role:type,level_s,level_c,other,other,other)
-(user:role:type:level_s:level_c,other,other)
-(user:role:type:level_s:level_c:other,other,other)
+(user:role:type:level_s:level_c,other,other)
+(user:role:type:level_s:level_c:other,other,other)
 us er:role:type:level_s:level_c
 user:ro le:type:level_s:level_c
@@ -103,9 +111,9 @@
 (u ser:role:type,level_s,level_c,other,other)
 (user:ro le:type,level_s,level_c,other,other)
 (user:role:ty pe,level_s,level_c,other,other)
-(user:role:type,le vel_s,level_c,other,other)
-(user:role:type,level_s,le vel_c,other,other)
+(user:role:type,le vel_s,level_c,other,other)
+(user:role:type,level_s,le vel_c,other,other)
-( user :role:type, level_s , level_c , other )
-( user:role:type, level_s , level_c , other )
+( user :role:type, level_s , level_c , other )
+( user:role:type, level_s , level_c , other )
diff --git a/autotests/html/test.te.html b/autotests/html/test.te.html
new file mode 100644
--- /dev/null
+++ b/autotests/html/test.te.html
@@ -0,0 +1,132 @@
+
+
+
+test.te
+
+
+# Sample SELinux Policy
+
+## <summary>
+##  Sample SELinux Policy
+## </summary>
+## <desc>
+## <p>
+##  This module is not functional,
+##  but only to test the syntax highlighting.
+## </p>
+## </desc>
+## <required val="true">
+##  Depended on by other required modules.
+## </required>
+
+policycap open_perms;
+module myapp 1.0;
+
+require {
+  type httpd_t;
+  type httpd_sys_content_t;
+  type initrc_t;
+  class sock_file write;
+  class unix_stream_socket connectto;
+}
+
+allow httpd_t httpd_sys_content_t:sock_file write;
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+tunable_policy(`allow_execmem',`
+	/usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0);
+')
+regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***')
+ifdef(`distro_ubuntu',`
+	unconfined_domain(chkpwd_t)
+')
+
+dominance { gen_dominance(0,decr($1)) };
+neverallow user=_isolated domain=((?!isolated_app).)*
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:msg { send receive };
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r };
+# sample for regular user
+user jdoe roles { user_r };
+
+default_user process source;
+default_range process source low;
+
+sid devnull;
+sid sysctl;
+
+common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton };
+class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod };
+class class;
+
+sensitivity s0 alias sens0;
+category c0 alias cat0;
+level s0:c0;
+
+mlsconstrain dir { search read ioctl lock }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+role system_r types system_t;
+role_transition hello init_script_file_type system_r;
+
+attribute filesystem_type;
+type dhcp_etc_t;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+
+bool le_boolean true;
+TUNABLE allow_java_execstack false;
+
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+
+optional {
+	neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+	neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+};
+
+if le_boolean {
+	DONTAUDIT untrusted_app asec_public_file:file { execute execmod };
+} else {
+	ALLOW untrusted_app perfprofd_data_file:file r_file_perms;
+	allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+};
+
+sid devnull system_u:object_r:null_device_t:s0
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+fs_use_trans devtmpfs system_u:object_r:device_t:s0;
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+portcon tcp 80 u:object_r:http_port:s0;
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0);
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3);
+
+nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0;
+nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0;
+
+# Regular Expressions
+regexp(`Hello(!|\^\^)+', `
+	^\s*(?<hello>\.)
+	(
+		hello[^\s\x12/][1-9]*|  # Hello
+		bye
+	)\s*$
+') 
+"aaaa(?=
+sdf sdf)ds(aa
+  aa)"
+"sdf[^
+a]"
+
diff --git a/autotests/input/test.cil b/autotests/input/test.cil
--- a/autotests/input/test.cil
+++ b/autotests/input/test.cil
@@ -48,7 +48,7 @@
 (classcommon file any dir)
 (file any dir)
 ; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
 (portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
 (defaultrole tcp udp)
 (tcp udp)
@@ -58,7 +58,7 @@
 (fsuse trans tmpfs file.tmpfs_context)
 (typemember xattr task trans)
 (xattr task trans)
-
+
 (allow unconfined.process self (file (read write)))
 (allow process httpd.object (file (read write)))
@@ -142,3 +142,12 @@
 (genfscon rootfs / rootfs_context)
 (genfscon selinuxfs / selinuxfs_context)
 )
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/input/test.fc b/autotests/input/test.fc
--- a/autotests/input/test.fc
+++ b/autotests/input/test.fc
@@ -56,6 +56,14 @@
 /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 ')
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+
 # Tests
 # Variables
diff --git a/autotests/input/test.te b/autotests/input/test.te
new file mode 100644
--- /dev/null
+++ b/autotests/input/test.te
@@ -0,0 +1,125 @@
+# Sample SELinux Policy
+
+##
+## Sample SELinux Policy
+##
+##
+##
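Review bot: The trailing comments on the new `; ioctl & call` lines in the `@@ -142,3 +142,12 @@` hunk of test.cil, `; kind or permission?` and `; statement or permission?`, are written as open questions, so a reader of the regenerated .ref and .html output cannot tell which highlighting the fixture expects. The input already exercises both roles of each word: `ioctl` is the extended-permission kind inside `(allowx … (ioctl …))` and a plain permission in a bare set, while `call` is the statement keyword in `(call macro1 …)` and a permission in `(class binder (… call …))`. State the expectation instead, e.g. `find connectto) ; permission, set spans two lines` and `(call ioctl read find connectto) ; statement keyword, the rest permissions`. The whitespace-padded `(ioctl read )` and `( call )` lines would benefit from a matching note such as `; permission with padding inside the parens`.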
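Review bot: The section header `# Android file contexts` added in the `@@ -56,6 +56,14 @@` hunk of test.fc does not describe the lines under it: `android.hardware.light::ILight u:object_r:hal_light_hwservice:s0` and the `*` default look like hwservice_contexts entries, and `ro.boot.bootloader … exact string` / `sys.usb.mtp.device_type … exact int` carry the `exact <type>` suffix of property_contexts, so none of them are file_contexts path regexes. Because this fixture is what documents which Android context files the highlighter is expected to cover, the header should say so, e.g. `# Android hwservice_contexts and property_contexts entries (same highlighter)`. The folding, html and reference fixtures carrying the same text appear to be regenerated from this input, so the wording only needs to change here.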

+## This module is not functional, +## but only to test the syntax highlighting. +##

+##
+## +## Depended on by other required modules. +## + +policycap open_perms; +module myapp 1.0; + +require { + type httpd_t; + type httpd_sys_content_t; + type initrc_t; + class sock_file write; + class unix_stream_socket connectto; +} + +allow httpd_t httpd_sys_content_t:sock_file write; +allow httpd_t initrc_t:unix_stream_socket connectto; + +tunable_policy(`allow_execmem',` + /usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0); +') +regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***') +ifdef(`distro_ubuntu',` + unconfined_domain(chkpwd_t) +') + +dominance { gen_dominance(0,decr($1)) }; +neverallow user=_isolated domain=((?!isolated_app).)* + +allow consoletype_t self:capability { sys_admin sys_tty_config }; +allow consoletype_t self:msg { send receive }; + +# sample for administrative user +user jadmin roles { staff_r sysadm_r }; +# sample for regular user +user jdoe roles { user_r }; + +default_user process source; +default_range process source low; + +sid devnull; +sid sysctl; + +common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton }; +class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod }; +class class; + +sensitivity s0 alias sens0; +category c0 alias cat0; +level s0:c0; + +mlsconstrain dir { search read ioctl lock } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == domain))); + +attribute_role dpkg_roles; +roleattribute system_r dpkg_roles; + +role system_r types system_t; +role_transition hello init_script_file_type system_r; + +attribute filesystem_type; +type dhcp_etc_t; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; + +bool le_boolean true; +TUNABLE allow_java_execstack false; + +type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; +AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send; + +optional { + 
neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl; + neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; +}; + +if le_boolean { + DONTAUDIT untrusted_app asec_public_file:file { execute execmod }; +} else { + ALLOW untrusted_app perfprofd_data_file:file r_file_perms; + allow untrusted_app perfprofd_data_file:dir r_dir_perms; +}; + +sid devnull system_u:object_r:null_device_t:s0 +genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) +genfscon rootfs / gen_context(system_u:object_r:root_t,s0) + +genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 +genfscon selinuxfs / u:object_r:selinuxfs:s0 +fs_use_trans devtmpfs system_u:object_r:device_t:s0; +fs_use_task pipefs u:object_r:pipefs:s0; +fs_use_xattr xfs u:object_r:labeledfs:s0; +fs_use_xattr btrfs u:object_r:labeledfs:s0; + +portcon tcp 80 u:object_r:http_port:s0; +portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0); +netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3); + +nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0; +nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0; + +# Regular Expressions +regexp(`Hello(!|\^\^)+', ` + ^\s*(?\.) + ( + hello[^\s\x12/][1-9]*| # Hello + bye + )\s*$ +') +"aaaa(?= +sdf sdf)ds(aa + aa)" +"sdf[^ +a]" diff --git a/autotests/reference/test.cil.ref b/autotests/reference/test.cil.ref --- a/autotests/reference/test.cil.ref +++ b/autotests/reference/test.cil.ref @@ -2,25 +2,25 @@
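Review bot: Several lines in the new test.te are not .te syntax and nothing in the hunk marks them as deliberate: `/usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0);` inside the `tunable_policy` block is a file_contexts line, and `neverallow user=_isolated domain=((?!isolated_app).)*` looks like a seapp_contexts rule rather than a kernel-policy `neverallow`. The header only says the module is not functional, so a maintainer regenerating the references cannot tell whether such lines are meant to be highlighted as foreign text or are mistakes in the sample. A short trailing comment on each would settle it, e.g. `# seapp_contexts syntax, kept to exercise the regex rules` on the `neverallow user=…` line. The hunk starts at the `diff --git a/autotests/input/test.te` header earlier on the page and ends here at `+a]"`.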
; Tests

-(policycap open_perms) ; Policy config. statement
+(policycap open_perms) ; Policy config. statement
(mls true)
(handleunknown allow)

(sid kernel) ; Declaration type statement
-(classpermissionset char_w (char (write setattr))) ; Other statements
+(classpermissionset char_w (char (write setattr))) ; Other statements

(user user) ; Declare identifier 'user' of user type
(role role)
(type type)
(allow allow) (true true) (in in) (xor xor)

; List of permissions
-(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))
+(class security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy))

; Highlighting permissions only if there is not a statement keyword
-(class binder (impersonate call set_context_mgr transfer receive))
+(class binder (impersonate call set_context_mgr transfer receive))
(class binder (classcommon impersonate call set_context_mgr transfer receive))
-(impersonate call set_context_mgr transfer receive)
+(impersonate call set_context_mgr transfer receive)
(tunableif impersonate call set_context_mgr transfer receive)

; This is allowed by the CIL compiler
@@ -43,67 +43,67 @@
; filecon
(filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
; fsuse
-(fsuse xattr ext4 file.labeledfs_context)
-(fsuse task pipefs file.pipefs_context)
-(fsuse trans tmpfs file.tmpfs_context)
+(fsuse xattr ext4 file.labeledfs_context)
+(fsuse task pipefs file.pipefs_context)
+(fsuse trans tmpfs file.tmpfs_context)
(typemember xattr task trans)
(xattr task trans)
-
-(allow unconfined.process self (file (read write)))
-(allow process httpd.object (file (read write)))
+
+(allow unconfined.process self (file (read write)))
+(allow process httpd.object (file (read write)))

; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
-"/data/(open "
-"/data/[open "
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
+"/data/(open "
+"/data/[open "


; Some rules

(call macro1("__kmsg__"))
-(macro macro1 ((string ARG1))
+(macro macro1 ((string ARG1))
(typetransition audit.process device.device chr_file ARG1 device.klog_device)
)

-(allow unconfined.process self (file (read write)))
-(auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
-(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
-(permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
+(allow unconfined.process self (file (read write)))
+(auditallow release_app.process secmark_demo.browser_packet (packet (send recv)))
+(allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
+(permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
(allowx type_3 type_4 ioctl_nodebug)
-(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
+(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))

-(class property_service (set))
+(class property_service (set))
(block av_rules
(type type_1)
(type type_2)
(typeattribute all_types)
(typeattributeset all_types ((all)))

- (neverallow type_2 all_types (property_service (set)))
+ (neverallow type_2 all_types (property_service (set)))
)
(macro binder_call ((type ARG1) (type ARG2))
- (allow ARG1 ARG2 (binder (transfer call)))
+ (allow ARG1 ARG2 (binder (transfer call)))
)
(ipaddr netmask_1 255.255.255.0)

(class dir)
(class foo)
(class bar)
(class baz)
(classorder (dir foo))
-(classorder (unordered bar foo baz))
+(classorder (unordered bar foo baz))

(classpermission zygote_2)
(classpermissionset zygote_2 (zygote
@@ -113,7 +113,7 @@ )
))

-(permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
+(permissionx ioctl_3 (ioctl tcp_socket (and (range 0x8000 0x90FF) (not (range 0x8100 0x82FF)))))
(boolean disableAudioCapture false)
(booleanif (and (not disableAudio) (not disableAudioCapture))
(true
@@ -133,12 +133,21 @@ (block ext_gateway
(optional move_file
(typetransition process msg_filter.move_file.in_queue file msg_filter.move_file.in_file)
- (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))))
+ (allow process msg_filter.move_file.in_queue (dir (read getattr write search add_name)))))

(context runas_exec_context (u object_r exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)

(in file
- (genfscon rootfs / rootfs_context)
- (genfscon selinuxfs / selinuxfs_context)
+ (genfscon rootfs / rootfs_context)
+ (genfscon selinuxfs / selinuxfs_context)
)
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/reference/test.fc.ref b/autotests/reference/test.fc.ref --- a/autotests/reference/test.fc.ref +++ b/autotests/reference/test.fc.ref @@ -2,76 +2,84 @@
# Syntax of 'file_contexts' file and other SELinux configuration files:

-/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
+/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
/.* system_u:object_r:default_t:s0
-/sys(/.*)? system_u:object_r:sysfs_t:s0
-/xen(/.*)? system_u:object_r:xen_image_t:s1
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
-/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
+/sys(/.*)? system_u:object_r:sysfs_t:s0
+/xen(/.*)? system_u:object_r:xen_image_t:s1
+/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
+/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
/tmp/.* <>
-/root(/.*)? system_u:object_r:admin_home_t:s0
-/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
-/run/.*\.*pid <>
-/mnt/[^/]*/.* <>
-/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
-/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5
+/root(/.*)? system_u:object_r:admin_home_t:s0
+/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
+/run/.*\.*pid <>
+/mnt/[^/]*/.* <>
+/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
+/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5

HOME_DIR/.+ system_u:object_r:user_home_t:s0
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
-HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
-
-/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
-/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
-/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
-/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
-/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
+HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
+
+/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
+/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
+/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
+/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
+/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
+/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
/dev/shm/.* <>
-/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
-/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
+/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
+/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
-/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
-/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
+/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
+/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0


# Syntax of *.fc files, from the SELinux reference policy:

-/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
-/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
-HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
-HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
-
-ifdef(`distro_debian',`
- /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
- /run/shm/.* <>
-')
-ifdef(`distro_suse',`
- /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-ifdef(`init_systemd',`
- /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
-')
+/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
+/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
+HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
+
+ifdef(`distro_debian',`
+ /run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+ /run/shm/.* <>
+')
+ifdef(`distro_suse',`
+ /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+ifdef(`init_systemd',`
+ /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+')
+
+# Android file contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int

# Tests

# Variables
HOME_DIR/path
HOME_ROOT/path
-/path/HOME_DIR/HOME_ROOT
+/path/HOME_DIR/HOME_ROOT

# Open brackets
-/hello(world
-/hello[wo
+/hello(world
+/hello[wo

-/path[^0-8]+
-/path(hello|bye)
+/path[^0-8]+
+/path(hello|bye)
/path.*a+b?
-/path\wa\Wa\sa\da\ba\Ba\(a
-/usr/hi\"esc\sesc\032esc\*3esds
+/path\wa\Wa\sa\da\ba\Ba\(a
+/usr/hi\"esc\sesc\032esc\*3esds

# Security contexts
user:role
@@ -85,20 +93,20 @@ (user:role:type,level_s,)
(user:role:type,level_s,level_c)
(user:role:type,level_s,level_c,other,other,other)
-(user:role:type:level_s:level_c,other,other)
-(user:role:type:level_s:level_c:other,other,other)
+(user:role:type:level_s:level_c,other,other)
+(user:role:type:level_s:level_c:other,other,other)

us er:role:type:level_s:level_c
user:ro le:type:level_s:level_c
user:role:ty pe:level_s:level_c
user:role:type:lev el_s:level_c
user:role:type:level_s:lev el_c

(u ser:role:type,level_s,level_c,other,other)
-(user:ro le:type,level_s,level_c,other,other)
-(user:role:ty pe,level_s,level_c,other,other)
-(user:role:type,le vel_s,level_c,other,other)
-(user:role:type,level_s,le vel_c,other,other)
+(user:ro le:type,level_s,level_c,other,other)
+(user:role:ty pe,level_s,level_c,other,other)
+(user:role:type,le vel_s,level_c,other,other)
+(user:role:type,level_s,le vel_c,other,other)

-( user :role:type, level_s , level_c , other )
-( user:role:type, level_s , level_c , other )
+( user :role:type, level_s , level_c , other )
+( user:role:type, level_s , level_c , other )
diff --git a/autotests/reference/test.te.ref b/autotests/reference/test.te.ref
new file mode 100644
--- /dev/null
+++ b/autotests/reference/test.te.ref
@@ -0,0 +1,125 @@
+# Sample SELinux Policy
+
+##
+## Sample SELinux Policy
+##

+##
+##


+## This module is not functional,
+## but only to test the syntax highlighting.
+##


+##
+## val="true">
+## Depended on by other required modules.
+##
+
+policycap open_perms;
+module myapp 1.0;
+
+require {
+ type httpd_t;
+ type httpd_sys_content_t;
+ type initrc_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+}
+
+allow httpd_t httpd_sys_content_t:sock_file write;
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+tunable_policy(`allow_execmem',`
+ /usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0);
+')
+regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***')
+ifdef(`distro_ubuntu',`
+ unconfined_domain(chkpwd_t)
+')
+
+dominance { gen_dominance(0,decr($1)) };
+neverallow user=_isolated domain=((?!isolated_app).)*
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:msg { send receive };
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r };
+# sample for regular user
+user jdoe roles { user_r };
+
+default_user process source;
+default_range process source low;
+
+sid devnull;
+sid sysctl;
+
+common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton };
+class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod };
+class class;
+
+sensitivity s0 alias sens0;
+category c0 alias cat0;
+level s0:c0;
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+role system_r types system_t;
+role_transition hello init_script_file_type system_r;
+
+attribute filesystem_type;
+type dhcp_etc_t;
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+
+bool le_boolean true;
+TUNABLE allow_java_execstack false;
+
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+
+optional {
+ neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+ neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+};
+
+if le_boolean {
+ DONTAUDIT untrusted_app asec_public_file:file { execute execmod };
+} else {
+ ALLOW untrusted_app perfprofd_data_file:file r_file_perms;
+ allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+};
+
+sid devnull system_u:object_r:null_device_t:s0
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+fs_use_trans devtmpfs system_u:object_r:device_t:s0;
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+portcon tcp 80 u:object_r:http_port:s0;
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0);
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3);
+
+nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0;
+nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0;
+
+# Regular Expressions
+regexp(`Hello(!|\^\^)+', `
+ ^\s*(?\.)
+ (
+ hello[^\s\x12/][1-9]*| # Hello
+ bye
+ )\s*$
+')
+"aaaa(?=
+sdf sdf)ds(aa
+ aa)"
+"sdf[^
+a]"
diff --git a/data/syntax/selinux-cil.xml b/data/syntax/selinux-cil.xml --- a/data/syntax/selinux-cil.xml +++ b/data/syntax/selinux-cil.xml @@ -3,50 +3,63 @@ [ - + + + + ]> + version="2" + kateversion="5.0" + section="Sources" + extensions="*.cil" + priority="9" + mimetype="" + author="Nibaldo González (nibgonz@gmail.com)" + license="MIT"> @@ -102,8 +115,9 @@ tcp udp dccp + sctp - + self @@ -152,7 +166,7 @@ + Also: block, optional, macro --> blockabstract blockinherit in @@ -165,7 +179,7 @@ defaultrange + Also: user --> userrole userattribute userattributeset @@ -177,15 +191,15 @@ selinuxuserdefault + Also: role, roleattribute --> roletype roleattributeset roleallow roletransition rolebounds + Also: type, typeattribute, typealias --> typealiasactual typeattributeset typebounds @@ -199,16 +213,16 @@ nametypetransition + Also: common, class, classmap, classmapping, classpermission --> classcommon classorder permission permissionset classpermissionset permissionx + Also: tunable, boolean --> booleanif tunableif @@ -219,7 +233,7 @@ mlsvalidatetrans + Also: sensitivity, sensitivityalias, category, categoryalias, categoryset, level, levelrange --> sensitivityaliasactual sensitivityorder categoryaliasactual @@ -230,7 +244,7 @@ + Also: sid --> sidorder sidcontext @@ -244,7 +258,7 @@ fsusetrans + Also: ipaddr --> netifcon nodecon portcon @@ -272,7 +286,7 @@ string name - ioctl + ioctl 
@@ -298,403 +312,69 @@ h1 h2 - - - - accept - acceptfrom - access - acquire_svc - add - add_child - add_color - add_glyph - add_name - admin - append - associate - attach_queue - audit_access - audit_control - audit_read - audit_write - bell - bind - blend - block_suspend - call - check_context - chfn - chown - chsh - compute_av - compute_create - compute_member - compute_relabel - compute_user - connect - connectto - contains - copy - create - create_files_as - crontab - dac_override - dac_read_search - dccp_recv - dccp_send - debug - delete - destroy - disable - drop - dyntransition - egress - enable - enforce_dest - enqueue - entrypoint - execheap - execmem - execmod - execstack - execute - execute_no_trans - expand - export - flow_in - flow_out - force_cursor - fork - forward_in - forward_out - fowner - freeze - fsetid - get_param - get_property - get_value - getattr - getcap - getfocus - getgrp - gethost - getopt - getpgid - getpwd - getrlimit - getsched - getserv - getsession - getstat - grab - halt - hide - hide_cursor - impersonate - implement - import - ingress - insert - install - install_module - ioctl - ipc_info - ipc_lock - ipc_owner - kill - lease - link - linux_immutable - list_child - list_property - listen - load_module - load_policy - lock - mac_admin - mac_override - manage - manage_subnet - map - mknod - mmap_zero - module_load - module_request - mount - mounton - name_bind - name_connect - net_admin - net_bind_service - net_broadcast - net_raw - newconn - next_value - nlmsg_read - nlmsg_readpriv - nlmsg_relay - nlmsg_tty_audit - nlmsg_write - nnp_transition - noatsecure - node_bind - nosuid_transition - open - override - passwd - paste - paste_after_confirm - polmatch - ptrace - query - quotaget - quotamod - quotaon - rawip_recv - rawip_send - read - read_policy - reboot - receive - record - recv - recv_msg - recvfrom - relabelfrom - relabelto - reload - remount - remove - remove_child - remove_color - remove_glyph - remove_name - rename - 
reparent - rlimitinh - rmdir - rootok - saver_getattr - saver_hide - saver_setattr - saver_show - search - select - send - send_msg - sendto - set_context_mgr - set_param - set_property - set_value - setattr - setbool - setcap - setcheckreqprot - setcontext - setcurrent - setenforce - setexec - setfcap - setfocus - setfscreate - setgid - setkeycreate - setopt - setpcap - setpgid - setrlimit - setsched - setsecparam - setsockcreate - setuid - share - shmemgrp - shmemhost - shmempwd - shmemserv - show - show_cursor - shutdown - sigchld - siginh - sigkill - signal - signull - sigstop - start - status - stop - swapon - sys_admin - sys_boot - sys_chroot - sys_module - sys_nice - sys_pacct - sys_ptrace - sys_rawio - sys_resource - sys_time - sys_tty_config - syslog - syslog_console - syslog_mod - syslog_read - tcp_recv - tcp_send - transfer - transition - translate - udp_recv - udp_send - uninstall - unix_read - unix_write - unlink - unmount - update - use - use_as_override - validate_trans - view - wake_alarm - write - - - - - autofs - bdev - bpf - cachefs - cgroup - cgroup2 - cifs - coherent - configfs - cpuset - cramfs - debugfs - devfs - devpts - devtmpfs - ecryptfs - efs - fuse - fuseblk - fusectl - hugetlbfs - iso9660 - kernfs - mqueue - pipefs - proc - procfs - pstore - ramfs - romfs - rootfs - securityfs - selinuxfs - sockfs - specfs - squashfs - swapfs - sysfs - sysv - tmpfs - usbfs - vfat - - adfs - affs - apfs - btrfs - coda - exfat - ext2 - ext3 - ext4 - f2fs - fatx - hfs - hfsplus - hpfs - jfs - lvm2 - minix - msdos - ncpfs - nilfs - nilfs2 - nfs - nfs4 - ntfs-3g - qnx4 - qnx6 - reiser4 - reiserfs - smbfs - swap - tracefs - ubifs - udf - ufs - umsdos - urefs - xenix - xfs - zfs - - + + - - - - - - - - - - - + + + + + - - - + + + + + + + + + + + + + + - + + + - - - - + - - - + + + + + + + + + + + + + @@ -720,25 +400,51 @@ + + + + + + + + + + + + + + + + + + + + - + + + + + - - + + 
@@ -751,23 +457,27 @@ - + + + - + - + + Only the first word of a rule can be highlighted as a statement keyword. --> - + + + @@ -777,26 +487,26 @@ - + - + - + - + @@ -813,8 +523,8 @@ - + @@ -831,8 +541,8 @@ - + @@ -849,8 +559,8 @@ - + @@ -867,59 +577,37 @@ - + - - - - + + + + + - - + + + - - - + + + - - - + + + + + + - - - - - - - - - - - - + + + + - - - - - - - - - - - - - - - - - - - @@ -933,42 +621,41 @@ - + - - - - - - - - - - - + + + + + + + + + - - - - - + + + + + - + + diff --git a/data/syntax/selinux-fc.xml b/data/syntax/selinux-fc.xml --- a/data/syntax/selinux-fc.xml +++ b/data/syntax/selinux-fc.xml @@ -1,223 +1,233 @@ + + + + + + ]> + version="2" + kateversion="5.0" + section="Other" + extensions="*.fc;file_contexts;file_contexts_*;file_contexts.local;file_contexts.homedirs;file_contexts.template;homedir_template;property_contexts;service_contexts;hwservice_contexts;initial_sid_contexts;genfs_contexts;fs_use" + priority="3" + mimetype="" + author="Nibaldo González (nibgonz@gmail.com)" + license="MIT"> - - gen_context - ifdef - define - - - - + + - - + - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + - - + - - - - - - - - - - - - + + - - - - - - + + + + - + + + + + + + + + + + + + - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + - + - - - - - - - - - - - + + + + + - + + diff --git a/data/syntax/selinux.xml b/data/syntax/selinux.xml new file mode 100644 --- /dev/null +++ b/data/syntax/selinux.xml 
@@ -0,0 +1,1544 @@ + + + + + + + + + + + + + + +]> + + + + + + + + + SELF + self + + + FALSE + false + TRUE + true + + + ALLOW + allow + NEVERALLOW + neverallow + AUDITALLOW + auditallow + AUDITDENY + auditdeny + DONTAUDIT + dontaudit + ALLOWXPERM + allowxperm + AUDITALLOWXPERM + auditallowxperm + DONTAUDITXPERM + dontauditxperm + NEVERALLOWXPERM + neverallowxperm + + + + + ALIAS + alias + CLONE + clone + INHERITS + inherits + ROLES + roles + TYPES + types + + + ATTRIBUTE + attribute + ATTRIBUTE_ROLE + attribute_role + BOOL + bool + CATEGORY + category + COMMON + common + DOMINANCE + dominance + EXPANDATTRIBUTE + expandattribute + LEVEL + level + MODULE + module + PERMISSIVE + permissive + RANGE + range + RANGE_TRANSITION + range_transition + ROLE + role + ROLEATTRIBUTE + roleattribute + SENSITIVITY + sensitivity + TUNABLE + tunable + TYPE + type + TYPEALIAS + typealias + TYPEATTRIBUTE + typeattribute + TYPEBOUNDS + typebounds + USER + user + + IF + if + ELSE + else + require + REQUIRE + optional + OPTIONAL + + + CLASS + class + + + DEVICETREECON + devicetreecon + FS_USE_TASK + fs_use_task + FS_USE_TRANS + fs_use_trans + FS_USE_XATTR + fs_use_xattr + FSCON + fscon + GENFSCON + genfscon + IBENDPORTCON + ibendportcon + IBPKEYCON + ibpkeycon + IOMEMCON + iomemcon + IOPORTCON + ioportcon + NETIFCON + netifcon + NODECON + nodecon + PCIDEVICECON + pcidevicecon + PIRQCON + pirqcon + PORTCON + portcon + SID + sid + + + + + POLICYCAP + policycap + + + TYPE_TRANSITION + type_transition + TYPE_MEMBER + type_member + TYPE_CHANGE + type_change + + + ROLE_TRANSITION + role_transition + + + DEFAULT_USER + default_user + DEFAULT_ROLE + default_role + DEFAULT_TYPE + default_type + + + DEFAULT_RANGE + default_range + + + CONSTRAIN + constrain + VALIDATETRANS + validatetrans + MLSCONSTRAIN + mlsconstrain + MLSVALIDATETRANS + mlsvalidatetrans + + + + SOURCE + source + TARGET + target + + + SAMEUSER + sameuser + + + + OR + or + AND + and + NOT + not + xor + XOR + eq + EQ + + + eq + EQ 
+ dom + DOM + domby + DOMBY + INCOMP + incomp + + + r1 + R1 + r2 + R2 + r3 + R3 + u1 + U1 + u2 + U2 + u3 + U3 + t1 + T1 + t2 + T2 + t3 + T3 + l1 + L1 + l2 + L2 + h1 + H1 + h2 + H2 + + + low-high + LOW-HIGH + high + HIGH + low + LOW + + + + + always_check_network + always_use_network + cgroup_seclabel + extended_socket_class + network_peer_controls + nnp_nosuid_transition + open_perms + redhat1 + + + + + accept + acceptfrom + access + acquire_svc + add + add_child + add_color + add_glyph + add_name + admin + append + associate + attach_queue + audit_access + audit_control + audit_read + audit_write + bell + bind + blend + block_suspend + call + check_context + chfn + chown + chsh + compute_av + compute_create + compute_member + compute_relabel + compute_user + connect + connectto + contains + copy + create + create_files_as + crontab + dac_override + dac_read_search + dccp_recv + dccp_send + debug + delete + destroy + disable + drop + dyntransition + egress + enable + enforce_dest + enqueue + entrypoint + execheap + execmem + execmod + execstack + execute + execute_no_trans + expand + export + flow_in + flow_out + force_cursor + fork + forward_in + forward_out + fowner + freeze + fsetid + get_param + get_property + get_value + getattr + getcap + getfocus + getgrp + gethost + getopt + getpgid + getpwd + getrlimit + getsched + getserv + getsession + getstat + grab + halt + hide + hide_cursor + impersonate + implement + import + ingress + insert + install + install_module + ioctl + ipc_info + ipc_lock + ipc_owner + kill + lease + link + linux_immutable + list_child + list_property + listen + load_module + load_policy + lock + mac_admin + mac_override + manage + manage_subnet + map + map_create + map_read + map_write + mknod + mmap_zero + module_load + module_request + mount + mounton + name_bind + name_connect + net_admin + net_bind_service + net_broadcast + net_raw + newconn + next_value + nlmsg_read + nlmsg_readpriv + nlmsg_relay + nlmsg_tty_audit + nlmsg_write + 
nnp_transition + noatsecure + node_bind + nosuid_transition + open + override + passwd + paste + paste_after_confirm + polmatch + prog_load + prog_run + ptrace + query + quotaget + quotamod + quotaon + rawip_recv + rawip_send + read + read_policy + reboot + receive + record + recv + recv_msg + recvfrom + relabelfrom + relabelto + reload + remount + remove + remove_child + remove_color + remove_glyph + remove_name + rename + reparent + rlimitinh + rmdir + rootok + saver_getattr + saver_hide + saver_setattr + saver_show + search + select + send + send_msg + sendto + set_context_mgr + set_param + set_property + set_value + setattr + setbool + setcap + setcheckreqprot + setcontext + setcurrent + setenforce + setexec + setfcap + setfocus + setfscreate + setgid + setkeycreate + setopt + setpcap + setpgid + setrlimit + setsched + setsecparam + setsockcreate + setuid + share + shmemgrp + shmemhost + shmempwd + shmemserv + show + show_cursor + shutdown + sigchld + siginh + sigkill + signal + signull + sigstop + start + status + stop + swapon + sys_admin + sys_boot + sys_chroot + sys_module + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config + syslog + syslog_console + syslog_mod + syslog_read + tcp_recv + tcp_send + transfer + transition + translate + udp_recv + udp_send + uninstall + unix_read + unix_write + unlink + unmount + update + use + use_as_override + validate_trans + view + wake_alarm + write + + + + + add_auth + clear_uid + closeDecryptSession + consumeRights + decrypt + dump_backtrace + dump_tombstone + duplicate + exist + finalizeDecryptUnit + find + gen_unique_id + get + get_state + grant + initializeDecryptUnit + is_empty + list + openDecryptSession + password + pread + reset + saw + set + setPlaybackStatus + sign + unlock + user_changed + verify + + + + + + + + ecryptfs + overlayfs + unionfs + + devtmpfs + ramfs + tmpfs + + adfs + affs + afs + apfs + apparmorfs + autofs + bdev + bfs + bpf + btrfs + cachefs + ceph + 
cgroup2 + cgroup + cifs + coda + coherent + configfs + cpuset + cramfs + debugfs + devfs + devpts + efs + exfat + ext2 + ext3 + ext4 + f2fs + fatx + fuse + fuseblk + fusectl + futexfs + gfs + hfs + hfsplus + hpfs + hugetlbfs + ifs + iso9660 + jffs2 + jffs + jfs + kernfs + lvm2 + minix + mqueue + msdos + ncpfs + nfs4 + nfs + nilfs2 + nilfs + ntfs-3g + ntfs + ocfs + pipefs + proc + procfs + pstore + pstorefs + qnx4 + qnx6 + reiser4 + reiserfs + romfs + rootfs + sdcardfs + securityfs + selinuxfs + shm + smbfs + sockfs + specfs + squashfs + swap + swapfs + sysfs + sysv + tracefs + ubifs + udf + ufs + umsdos + urefs + usbfs + vfat + xenix + xfs + yaffs2 + yaffs + zfs + + + functionfs + inotifyfs + labeledfs + oemfs + + + + + policy_module + gen_require + template + interface + optional_policy + gen_tunable + tunable_policy + gen_user + gen_context + gen_bool + gen_cats + gen_sens + gen_levels + mls_systemlow + mls_systemhigh + mcs_systemlow + mcs_systemhigh + mcs_allcats + ifndef + + + + + __file__ + __line__ + __program__ + builtin + changecom + changequote + changeword + debugfile + debugmode + decr + define + defn + divert + divnum + dnl + dumpdef + errprint + esyscmd + eval + format + ifdef + ifelse + include + incr + index + indir + len + m4exit + m4wrap + maketemp + mkstemp + patsubst + popdef + pushdef + shift + sinclude + substr + syscmd + sysval + traceon + traceoff + translit + undefine + undivert + m4___file__ + m4___line__ + m4___program__ + m4_builtin + m4_changecom + m4_changequote + m4_changeword + m4_debugfile + m4_debugmode + m4_decr + m4_define + m4_defn + m4_divert + m4_divnum + m4_dnl + m4_dumpdef + m4_errprint + m4_esyscmd + m4_eval + m4_format + m4_ifdef + m4_ifelse + m4_include + m4_incr + m4_index + m4_indir + m4_len + m4_m4exit + m4_m4wrap + m4_maketemp + m4_mkstemp + m4_patsubst + m4_popdef + m4_pushdef + m4_shift + m4_sinclude + m4_substr + m4_syscmd + m4_sysval + m4_traceon + m4_traceoff + m4_translit + m4_undefine + m4_undivert + + + regexp 
+ m4_regexp + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +