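--- /dev/null
+++ b/autotests/input/test.te
@@ -0,0 +1,139 @@
+# Sample SELinux Policy
+
+## <summary>
+## Sample SELinux Policy
+## </summary>
+## <desc>
+## <p>
+## This module is not functional,
+## but only to test the syntax highlighting.
+## </p>
+## </desc>
+## <required val="true">
+## Depended on by other required modules.
+## </required>
+
+policycap open_perms;
+module myapp 1.0;
+
+require {
+type httpd_t;
+type httpd_sys_content_t;
+type initrc_t;
+class sock_file write;
+class unix_stream_socket connectto;
+}
+
+allow httpd_t httpd_sys_content_t:sock_file write;
+allow httpd_t initrc_t:unix_stream_socket connectto;
+
+# Refpolicy
+tunable_policy(`allow_execmem',`
+/usr/share/holas(/.*)? -- gen_context(system_u:object_r:holas_t,s0,fdf,df);
+')
+# M4 Macros
+regexp(`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***')
+ifdef(`distro_ubuntu',`
+unconfined_domain(chkpwd_t)
+')
+
+dominance { gen_dominance(0,decr($1)) };
+neverallow user=_isolated domain=((?!isolated_app).)*
+
+allow consoletype_t self:capability { sys_admin sys_tty_config };
+allow consoletype_t self:msg { send receive };
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r };
+# sample for regular user
+user jdoe roles { user_r };
+
+default_user process source;
+default_range process source low;
+
+sid devnull;
+sid sysctl;
+
+common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton };
+class dir inherits file { add_name remove_name reparent search rmdir open audit_access execmod };
+class class;
+
+sensitivity s0 alias sens0;
+category c0 alias cat0;
+
+mlsconstrain dir { search read ioctl lock }
+(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+attribute_role dpkg_roles;
+roleattribute system_r dpkg_roles;
+
+role system_r types system_t;
+role_transition hello init_script_file_type system_r;
+
+level s0:c0;
+user user_u roles role_r level s1:c1 range s1:c1 - s2:c2;
+range_transition initrc_t auditd_exec_t:process s15:c0.c255 - s20;
+range_transition source target:class s1 - s2 dsd;
+range_transition source target:class s1 ;
+
+attribute filesystem_type;
+type dhcp_etc_t;
+typealias dhcp_etc_t ALIAS { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+
+bool le_boolean true;
+TUNABLE allow_java_execstack false;
+
+type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
+AUDITALLOW xserver_t { root_xdrawable_t x_domain }:x_drawable send;
+
+optional {
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+};
+
+if le_boolean {
+DONTAUDIT untrusted_app asec_public_file:file { execute execmod };
+} else {
+ALLOW untrusted_app perfprofd_data_file:file r_file_perms;
+allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+};
+
+sid devnull system_u:object_r:null_device_t:s0
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+fs_use_trans devtmpfs system_u:object_r:device_t:s0;
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+portcon tcp 80 u:object_r:http_port:s0;
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0);
+netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3);
+
+nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0;
+nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0;
+
+#line 118
+
+# Regular Expressions
+regexp(`Hello(!|\^\^)+', `
+^\s*(?<hello>\.)
+(
+hello[^\s\x12/][1-9]*| # Hello
+bye
+)\s*$
+')
+"aa/aa(?=sdf sdf)ds(aa aa)df[^ a]"
+"open
+"text\"aaa
+"filename\s\w\%(?=aa)aa"
+"/path\s\w(?=aa)aa"
+
+u:role:type:sen:cat:other
+u:role:type:sen:cat - sen:cat:other
+u:role:type:s0.s1:c0 , c1 - s2.s3:c2.c3,c4:other
+u:role:type:s0,other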
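Review bot: The rules at lines 27–28, 37 (`unconfined_domain(chkpwd_t)`) and 43 (`self:capability { sys_admin sys_tty_config }`) are exactly the over-broad grants that get copy-pasted out of audit2allow output, and nothing next to them says they are deliberately bogus; the only caveat is the `## <desc>` block at the top, which refpolicy's interface-doc tooling presents as module documentation rather than as a warning. Suggest a plain comment directly above line 27: `# Intentionally over-permissive and partly invalid: highlighting fixture only, never load or copy these rules.` It would also help to say in that comment that the file deliberately mixes module (.te), kernel policy.conf, SEAndroid and contexts syntax, since a build that globs `*.te` under this tree would presumably fail on `class class;` or the malformed `range_transition` at line 77 — worth confirming that nothing here is collected that way.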