141 lines
6.7 KiB
Plaintext
141 lines
6.7 KiB
Plaintext
# Sample SELinux Policy
|
|
|
|
## <beginfold id='1'><summary</beginfold id='1'>>
|
|
## Sample SELinux Policy
|
|
## <endfold id='1'></summary></endfold id='1'>
|
|
## <beginfold id='1'><desc</beginfold id='1'>>
|
|
## <beginfold id='1'><p</beginfold id='1'>>
|
|
## This module is not functional,
|
|
## but only to test the syntax highlighting.
|
|
## <endfold id='1'></p></endfold id='1'>
|
|
## <endfold id='1'></desc></endfold id='1'>
|
|
## <beginfold id='1'><required</beginfold id='1'> val="true">
|
|
## Depended on by other required modules.
|
|
## <endfold id='1'></required></endfold id='1'>
|
|
|
|
policycap open_perms;
|
|
module myapp 1.0;
|
|
|
|
require <beginfold id='2'>{</beginfold id='2'>
|
|
type httpd_t;
|
|
type httpd_sys_content_t;
|
|
type initrc_t;
|
|
class sock_file write;
|
|
class unix_stream_socket connectto;
|
|
<endfold id='2'>}</endfold id='2'>
|
|
|
|
allow httpd_t httpd_sys_content_t:sock_file write;
|
|
allow httpd_t initrc_t:unix_stream_socket connectto;
|
|
|
|
# Refpolicy
|
|
tunable_policy<beginfold id='3'>(</beginfold id='3'>`allow_execmem',`
|
|
/usr/share/holas(/.*)? -- gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:holas_t,s0,a,b<endfold id='3'>)</endfold id='3'>;
|
|
'<endfold id='3'>)</endfold id='3'>
|
|
# M4 Macros
|
|
regexp<beginfold id='3'>(</beginfold id='3'>`GNUs not Unix', `\w\(\w+\)$', `*** \& *** \1 ***'<endfold id='3'>)</endfold id='3'>
|
|
ifdef<beginfold id='3'>(</beginfold id='3'>`distro_ubuntu',`
|
|
unconfined_domain<beginfold id='3'>(</beginfold id='3'>chkpwd_t<endfold id='3'>)</endfold id='3'>
|
|
'<endfold id='3'>)</endfold id='3'>
|
|
|
|
dominance <beginfold id='2'>{</beginfold id='2'> gen_dominance<beginfold id='3'>(</beginfold id='3'>0,decr<beginfold id='3'>(</beginfold id='3'>$1<endfold id='3'>)</endfold id='3'><endfold id='3'>)</endfold id='3'> <endfold id='2'>}</endfold id='2'>;
|
|
neverallow user=_isolated domain=((?!isolated_app).)*
|
|
|
|
allow consoletype_t self:capability <beginfold id='2'>{</beginfold id='2'> sys_admin sys_tty_config <endfold id='2'>}</endfold id='2'>;
|
|
allow consoletype_t self:msg <beginfold id='2'>{</beginfold id='2'> send receive <endfold id='2'>}</endfold id='2'>;
|
|
|
|
# sample for administrative user
|
|
user jadmin roles <beginfold id='2'>{</beginfold id='2'> staff_r sysadm_r <endfold id='2'>}</endfold id='2'>;
|
|
# sample for regular user
|
|
user jdoe roles <beginfold id='2'>{</beginfold id='2'> user_r <endfold id='2'>}</endfold id='2'>;
|
|
|
|
default_user process source;
|
|
default_range process source low;
|
|
default_range name GLBLUB;
|
|
|
|
sid devnull;
|
|
sid sysctl;
|
|
|
|
common file <beginfold id='2'>{</beginfold id='2'> ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton <endfold id='2'>}</endfold id='2'>;
|
|
class dir inherits file <beginfold id='2'>{</beginfold id='2'> add_name remove_name reparent search rmdir open audit_access execmod <endfold id='2'>}</endfold id='2'>;
|
|
class class;
|
|
|
|
sensitivity s0 alias sens0;
|
|
category c0 alias cat0;
|
|
|
|
mlsconstrain dir <beginfold id='2'>{</beginfold id='2'> search read ioctl lock <endfold id='2'>}</endfold id='2'>
|
|
<beginfold id='3'>(</beginfold id='3'><beginfold id='3'>(</beginfold id='3'> h1 dom h2 <endfold id='3'>)</endfold id='3'> or <beginfold id='3'>(</beginfold id='3'> t1 == mcsreadall <endfold id='3'>)</endfold id='3'> or
|
|
<beginfold id='3'>(</beginfold id='3'><beginfold id='3'>(</beginfold id='3'> t1 != mcs_constrained_type <endfold id='3'>)</endfold id='3'> and <beginfold id='3'>(</beginfold id='3'>t2 == domain<endfold id='3'>)</endfold id='3'><endfold id='3'>)</endfold id='3'><endfold id='3'>)</endfold id='3'>;
|
|
|
|
attribute_role dpkg_roles;
|
|
roleattribute system_r dpkg_roles;
|
|
|
|
role system_r types system_t;
|
|
role_transition hello init_script_file_type system_r;
|
|
|
|
level s0:c0;
|
|
user user_u roles role_r level s1:c1 range s1:c1 - s2:c2;
|
|
range_transition initrc_t auditd_exec_t:process s15:c0.c255 - s20;
|
|
range_transition source target:class s1 - s2 dsd;
|
|
range_transition source target:class s1 ;
|
|
|
|
attribute filesystem_type;
|
|
type dhcp_etc_t;
|
|
typealias dhcp_etc_t ALIAS <beginfold id='2'>{</beginfold id='2'> etc_dhcp_t etc_dhcpc_t etc_dhcpd_t <endfold id='2'>}</endfold id='2'>;
|
|
|
|
bool le_boolean true;
|
|
TUNABLE allow_java_execstack false;
|
|
|
|
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
|
|
AUDITALLOW xserver_t <beginfold id='2'>{</beginfold id='2'> root_xdrawable_t x_domain <endfold id='2'>}</endfold id='2'>:x_drawable send;
|
|
|
|
optional <beginfold id='2'>{</beginfold id='2'>
|
|
neverallow untrusted_app *:<beginfold id='2'>{</beginfold id='2'> netlink_route_socket netlink_selinux_socket <endfold id='2'>}</endfold id='2'> ioctl;
|
|
neverallowxperm shell domain:<beginfold id='2'>{</beginfold id='2'> rawip_socket tcp_socket udp_socket <endfold id='2'>}</endfold id='2'> ioctl priv_sock_ioctls;
|
|
<endfold id='2'>}</endfold id='2'>;
|
|
|
|
if le_boolean <beginfold id='2'>{</beginfold id='2'>
|
|
DONTAUDIT untrusted_app asec_public_file:file <beginfold id='2'>{</beginfold id='2'> execute execmod <endfold id='2'>}</endfold id='2'>;
|
|
<endfold id='2'>}</endfold id='2'> else <beginfold id='2'>{</beginfold id='2'>
|
|
ALLOW untrusted_app perfprofd_data_file:file r_file_perms;
|
|
allow untrusted_app perfprofd_data_file:dir r_dir_perms;
|
|
<endfold id='2'>}</endfold id='2'>;
|
|
|
|
sid devnull system_u:object_r:null_device_t:s0
|
|
genfscon sysfs /devices/system/cpu/online gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:cpu_online_t,s0<endfold id='3'>)</endfold id='3'>
|
|
genfscon rootfs / gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:root_t,s0<endfold id='3'>)</endfold id='3'>
|
|
|
|
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
|
|
genfscon selinuxfs / u:object_r:selinuxfs:s0
|
|
fs_use_trans devtmpfs system_u:object_r:device_t:s0;
|
|
fs_use_task pipefs u:object_r:pipefs:s0;
|
|
fs_use_xattr xfs u:object_r:labeledfs:s0;
|
|
fs_use_xattr btrfs u:object_r:labeledfs:s0;
|
|
|
|
portcon tcp 80 u:object_r:http_port:s0;
|
|
portcon udp 1024-65535 gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:unreserved_port_t, s0<endfold id='3'>)</endfold id='3'>;
|
|
netifcon $2 gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:$1,$3<endfold id='3'>)</endfold id='3'> gen_context<beginfold id='3'>(</beginfold id='3'>system_u:object_r:unlabeled_t,$3<endfold id='3'>)</endfold id='3'>;
|
|
|
|
nodecon 2001:0DB8:AC10:FE01:: 2001:0DE0:DA88:2222:: system_u:object_r:hello_t:s0;
|
|
nodecon ipv4 127.0.0.2 255.255.255.255 system_u:object_r:node_t:s0;
|
|
|
|
#line 118
|
|
|
|
# Regular Expressions
|
|
regexp<beginfold id='3'>(</beginfold id='3'>`Hello(!|\^\^)+', `
|
|
^\s*(?<hello>\.)
|
|
(
|
|
hello[^\s\x12/][1-9]*| # Hello
|
|
bye
|
|
)\s*$
|
|
'<endfold id='3'>)</endfold id='3'>
|
|
"aa/aa(?=sdf sdf)ds(aa aa)df[^ a]"
|
|
"open
|
|
"text\"aaa
|
|
"filename\s\w\%(?=aa)aa"
|
|
"/path\s\w(?=aa)aa"
|
|
|
|
u:role:type:sen:cat:other
|
|
u:role:type:sen:cat - sen:cat:other
|
|
u:role:type:s0.s1:c0 , c1 - s2.s3:c2.c3,c4:other
|
|
u:role:type:s0,other
|