diff --git a/autotests/folding/test.cil.fold b/autotests/folding/test.cil.fold
--- a/autotests/folding/test.cil.fold
+++ b/autotests/folding/test.cil.fold
@@ -48,7 +48,7 @@
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
@@ -58,7 +58,7 @@
(fsuse trans tmpfs file.tmpfs_context)
(typemember xattr task trans)
(xattr task trans)
-
+
(allow unconfined.process self (file (read write)))
(allow process httpd.object (file (read write)))
@@ -142,3 +142,12 @@
(genfscon rootfs / rootfs_context)
(genfscon selinuxfs / selinuxfs_context)
)
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission
diff --git a/autotests/folding/test.fc.fold b/autotests/folding/test.fc.fold
--- a/autotests/folding/test.fc.fold
+++ b/autotests/folding/test.fc.fold
@@ -2,7 +2,7 @@
# Syntax of 'file_contexts' file and other SELinux configuration files:
-/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
+/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0-dsds.sd:sdsd
/.* system_u:object_r:default_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s1
@@ -42,7 +42,7 @@
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
+HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,s1)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
ifdef(`distro_debian',`
@@ -56,6 +56,14 @@
/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')
+# Android contexts
+
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+* u:object_r:default_android_hwservice:s0
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+
# Tests
# Variables
@@ -80,6 +88,10 @@
user:role:type:level_sensitivity
user:role:type:level_sensitivity:level_category
user:role:type:level_sensitivity:level_category:other:other
+user:role:type:level_sensitivity:level_category-sens:cat:other
+user:role:type:s0.s1.s3:c0.c1,c2,c3 - s5.s6:c4,c5:other
+user : role : type : s0 . s1 . s3 : c0 . c1 , c2 , c3 - s5 . s6 : c4 , c5 : other
+user:role:type:s0,other
(user:role:type,)
(user:role:type,level_s,)
diff --git a/autotests/html/test.cil.html b/autotests/html/test.cil.html
--- a/autotests/html/test.cil.html
+++ b/autotests/html/test.cil.html
@@ -8,7 +8,7 @@
; Tests
-(policycap open_perms) ; Policy config. statement
+(policycap open_perms) ; Policy config. statement
(mls true)
(handleunknown allow)
@@ -49,12 +49,12 @@
; filecon
(filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon sctp 3333 (unconfined.user object_r unconfined.object levelrange_1))
(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
@@ -64,16 +64,16 @@
(fsuse trans tmpfs file.tmpfs_context)
(typemember xattr task trans)
(xattr task trans)
-
+
(allow unconfined.process self (file (read write)))
(allow process httpd.object (file (read write)))
; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
-"/data/(open "
-"/data/[open "
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
+"/data/(open "
+"/data/[open "
; Some rules
@@ -90,14 +90,14 @@
(allowx type_3 type_4 ioctl_nodebug)
(dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
-(class property_service (set))
+(class property_service (set))
(block av_rules
(type type_1)
(type type_2)
(typeattribute all_types)
(typeattributeset all_types ((all)))
- (neverallow type_2 all_types (property_service (set)))
+ (neverallow type_2 all_types (property_service (set)))
)
(macro binder_call ((type ARG1) (type ARG2))
(allow ARG1 ARG2 (binder (transfer call)))
@@ -148,4 +148,13 @@
(genfscon rootfs / rootfs_context)
(genfscon selinuxfs / selinuxfs_context)
)
+
+; ioctl & call
+(allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF))) ; ioctl kind
+(ioctl read
+ find connectto) ; kind or permission?
+(ioctl read find connectto) ; ioctl permission
+(ioctl read )
+(call ioctl read find connectto) ; statement or permission?
+( call ) ; call permission