author | Dominick Grift <dominick.grift@defensec.nl> | 2024-11-04 05:52:25 +0100 |
---|---|---|
committer | Dominick Grift <dominick.grift@defensec.nl> | 2024-11-04 06:26:42 +0100 |
commit | c31f9de714589eb1946a5972ab105011816e2353 (patch) | |
tree | 2b2ed2e698b09f444f512736f9af617d8ca09a87 | |
parent | 489df53e4bdd8f03047a8c48b2fb8ccd8b51957e (diff) | |
download | selinux-policy-c31f9de714589eb1946a5972ab105011816e2353.tar.gz |
mls: support templates
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
32 files changed, 45 insertions, 46 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
index 3a9378e..bf76848 100644
--- a/src/dev/nodedev.cil
+++ b/src/dev/nodedev.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context nodedev_context (.sys.id .sys.role nodedev lowlevelrange))
+ (context nodedev_context (.sys.id .sys.role nodedev .sys.lowlow))
 (type nodedev)
 (call .nodedev.type (nodedev)))
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
index c11816c..a212aec 100644
--- a/src/dev/nodedev/nullnodedev.cil
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange))
+(sidcontext devnull (sys.id sys.role null.nodedev sys.lowlow))
 (block null
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
index 8085930..a1ee7ef 100644
--- a/src/dev/stordev.cil
+++ b/src/dev/stordev.cil
@@ -20,7 +20,7 @@
 (blockabstract base_template)
- (context stordev_context (.sys.id .sys.role stordev lowlevelrange))
+ (context stordev_context (.sys.id .sys.role stordev .sys.lowlow))
 (type stordev)
 (call .stordev.type (stordev)))
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
index 0a5f93e..8a3b3af 100644
--- a/src/dev/termdev/ptytermdev.cil
+++ b/src/dev/termdev/ptytermdev.cil
@@ -18,7 +18,7 @@
 (blockabstract base_template)
- (context ptytermdev_context (.sys.id .sys.role ptytermdev lowlevelrange))
+ (context ptytermdev_context (.sys.id .sys.role ptytermdev .sys.lowlow))
 (type ptytermdev)
 (call .ptytermdev.type (ptytermdev)))
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
index 4e06669..510ea76 100644
--- a/src/dev/termdev/serialtermdev.cil
+++ b/src/dev/termdev/serialtermdev.cil
@@ -17,7 +17,7 @@
 (blockabstract base_template)
 (context serialtermdev_context
- (.sys.id .sys.role serialtermdev lowlevelrange))
+ (.sys.id .sys.role serialtermdev .sys.lowlow))
 (type serialtermdev)
 (call .serialtermdev.type (serialtermdev)))
diff --git a/src/file.cil b/src/file.cil
index 8afbb9c..b171e0c 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -406,7 +406,7 @@
 (blockabstract base_template)
- (context file_context (.sys.id .sys.role file lowlevelrange))
+ (context file_context (.sys.id .sys.role file .sys.lowlow))
 (type file)
 (call .file.type (file)))
@@ -141,7 +141,7 @@
 (blockabstract base_template)
- (context fs_context (.sys.id .sys.role fs lowlevelrange))
+ (context fs_context (.sys.id .sys.role fs .sys.lowlow))
 (type fs)
 (call .fs.type (fs)))
diff --git a/src/invalid.cil b/src/invalid.cil
index 57b6f22..8625819 100644
--- a/src/invalid.cil
+++ b/src/invalid.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext unlabeled (sys.id sys.role invalid lowlevelrange))
+(sidcontext unlabeled (sys.id sys.role invalid sys.lowlow))
 (macro addname_invalid_dirs ((type ARG1))
 (allow ARG1 invalid addname_dir))
diff --git a/src/misc.cil b/src/misc.cil
index 83b14e2..d619657 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext init (sys.id sys.role sys.subj lowlevelrange)) ;; userspace_initial_context
+(sidcontext init (sys.id sys.role sys.subj sys.lowlow)) ;; userspace_initial_context
 (in boot
diff --git a/src/misc/mls.cil b/src/misc/mls.cil
index 357b4d0..007d757 100644
--- a/src/misc/mls.cil
+++ b/src/misc/mls.cil
@@ -1096,15 +1096,8 @@ c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022 c1023))
-(categoryset allcatset (range c0 c1023))
+(categoryset catset (range c0 c1023))
 (sensitivity s0)
 (sensitivityorder (s0))
-
-(sensitivitycategory s0 allcatset)
-
-(level systemlow (s0))
-(level systemhigh (s0 allcatset))
-
-(levelrange lowlevelrange (systemlow systemlow))
-(levelrange lowhighlevelrange (systemlow systemhigh))
+(sensitivitycategory s0 catset)
diff --git a/src/misc/modular.cil b/src/misc/modular.cil
index 601490f..1f7a6bd 100644
--- a/src/misc/modular.cil
+++ b/src/misc/modular.cil
@@ -1,5 +1,5 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(selinuxuserdefault sys.id lowlevelrange)
+(selinuxuserdefault sys.id sys.lowlow)
 (userprefix sys.id sys.role)
diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil
index 32ff1a7..6510dab 100644
--- a/src/net/ibnet/endportibnet.cil
+++ b/src/net/ibnet/endportibnet.cil
@@ -43,7 +43,7 @@
 (blockabstract base_template)
- (context endport_context (.sys.id .sys.role endport lowlevelrange))
+ (context endport_context (.sys.id .sys.role endport .sys.lowlow))
 (type endport)
 (call .net.ib.endport.type (endport)))
diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil
index 83cbde3..235a432 100644
--- a/src/net/ibnet/pkeyibnet.cil
+++ b/src/net/ibnet/pkeyibnet.cil
@@ -43,7 +43,7 @@
 (blockabstract base_template)
- (context pkey_context (.sys.id .sys.role pkey lowlevelrange))
+ (context pkey_context (.sys.id .sys.role pkey .sys.lowlow))
 (type pkey)
 (call .net.ib.pkey.type (pkey)))
diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil
index 6a97ee3..03849df 100644
--- a/src/net/netifnet.cil
+++ b/src/net/netifnet.cil
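Review bot: The removed global names `systemlow`, `systemhigh`, `lowlevelrange` and `lowhighlevelrange` were the MLS vocabulary every other file in this tree used, and neither the commit message nor this hunk records that `.sys.low`, `.sys.high`, `.sys.lowlow` and `.sys.lowhigh` replace them, so any policy source not touched by this commit that still names them will no longer resolve. If the old names are meant to stay usable they can be kept as aliases on top of the moved definitions, e.g. `(levelrange lowlevelrange (.sys.low .sys.low))` and `(levelrange lowhighlevelrange (.sys.low .sys.high))`; if the break is intended, a sentence in the commit message listing the removed identifiers would help anyone rebasing. Renaming `allcatset` to `catset` also drops the only hint that `(categoryset catset (range c0 c1023))` covers every category, which is what makes `.sys.high` system-high; a comment such as `;; every category: (s0 catset) is system high` on that line would keep that information next to the declaration.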
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext netif (sys.id sys.role net.netif lowlevelrange))
+(sidcontext netif (sys.id sys.role net.netif sys.lowlow))
 (class netif (egress ingress))
 (classorder (unordered netif))
@@ -62,7 +62,7 @@
 (blockabstract base_template)
- (context netif_context (.sys.id .sys.role netif lowlevelrange))
+ (context netif_context (.sys.id .sys.role netif .sys.lowlow))
 (type netif)
 (call .net.netif.type (netif)))
diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil
index e530aad..b15301e 100644
--- a/src/net/nodenet.cil
+++ b/src/net/nodenet.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext node (sys.id sys.role net.netnode lowlevelrange))
+(sidcontext node (sys.id sys.role net.netnode sys.lowlow))
 (class node (recvfrom sendto))
 (classorder (unordered node))
@@ -82,7 +82,7 @@
 (blockabstract base_template)
- (context netnode_context (.sys.id .sys.role netnode lowlevelrange))
+ (context netnode_context (.sys.id .sys.role netnode .sys.lowlow))
 (type netnode)
 (call .net.netnode.type (netnode)))
diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil
index 4ed4b3d..f31ee00 100644
--- a/src/net/packetnet.cil
+++ b/src/net/packetnet.cil
@@ -117,7 +117,7 @@
 (blockabstract base_template)
- (context packet_context (.sys.id .sys.role packet lowlevelrange))
+ (context packet_context (.sys.id .sys.role packet .sys.lowlow))
 (type packet)
 (call .net.packet.type (packet)))
diff --git a/src/net/peernet.cil b/src/net/peernet.cil
index 743321c..51af170 100644
--- a/src/net/peernet.cil
+++ b/src/net/peernet.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext netmsg (sys.id sys.role net.peer lowlevelrange))
+(sidcontext netmsg (sys.id sys.role net.peer sys.lowlow))
 (class peer (recv))
 (classorder (unordered peer))
@@ -59,7 +59,7 @@
 (blockabstract base_template)
- (context peer_context (.sys.id .sys.role peer lowlevelrange))
+ (context peer_context (.sys.id .sys.role peer .sys.lowlow))
 (type peer)
 (call .net.peer.type (peer)))
diff --git a/src/net/portnet.cil b/src/net/portnet.cil
index 544d062..7b989fa 100644
--- a/src/net/portnet.cil
+++ b/src/net/portnet.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext port (sys.id sys.role net.port lowlevelrange))
+(sidcontext port (sys.id sys.role net.port sys.lowlow))
 (in net
@@ -53,7 +53,7 @@
 (blockabstract base_template)
- (context port_context (.sys.id .sys.role port lowlevelrange))
+ (context port_context (.sys.id .sys.role port .sys.lowlow))
 (type port)
 (call .net.port.type (port)))
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil
index 76c8311..54f3949 100644
--- a/src/net/spdnet.cil
+++ b/src/net/spdnet.cil
@@ -74,7 +74,7 @@
 (blockabstract base_template)
- (context spd_context (.sys.id .sys.role spd lowlevelrange))
+ (context spd_context (.sys.id .sys.role spd .sys.lowlow))
 (type spd)
 (call .net.spd.type (spd)))
diff --git a/src/selinux.cil b/src/selinux.cil
index 3a9a7d6..810d68f 100644
--- a/src/selinux.cil
+++ b/src/selinux.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext security (sys.id sys.role selinux lowlevelrange))
+(sidcontext security (sys.id sys.role selinux sys.lowlow))
 (class security (check_context compute_av compute_create compute_member compute_relabel
diff --git a/src/selinux/booleanfile.cil b/src/selinux/booleanfile.cil
index c36bf0e..7fd3727 100644
--- a/src/selinux/booleanfile.cil
+++ b/src/selinux/booleanfile.cil
@@ -16,7 +16,7 @@
 (blockabstract base_template)
- (context booleanfile_context (.sys.id .sys.role booleanfile lowlevelrange))
+ (context booleanfile_context (.sys.id .sys.role booleanfile .sys.lowlow))
 (type booleanfile)
 (call .booleanfile.type (booleanfile)))
diff --git a/src/sys.cil b/src/sys.cil
index fed73dc..9738789 100644
--- a/src/sys.cil
+++ b/src/sys.cil
@@ -1,18 +1,24 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext kernel (sys.id sys.role sys.subj lowlevelrange))
+(sidcontext kernel (sys.id sys.role sys.subj sys.lowlow))
 (block sys
+ (level low (s0))
+ (level high (s0 .catset))
+
+ (levelrange lowlow (low low))
+ (levelrange lowhigh (low high))
+
 (role role)
 (roletype role subj)
 (user id)
 (userrole id role)
- (userlevel id systemlow)
- (userrange id lowhighlevelrange)
+ (userlevel id low)
+ (userrange id lowhigh)
 (blockinherit .subj.template)
diff --git a/src/sys/bpffile.cil b/src/sys/bpffile.cil
index ccedea0..60793b2 100644
--- a/src/sys/bpffile.cil
+++ b/src/sys/bpffile.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context bpffile_context (.sys.id .sys.role bpffile lowlevelrange))
+ (context bpffile_context (.sys.id .sys.role bpffile .sys.lowlow))
 (type bpffile)
 (call .bpffile.type (bpffile)))
diff --git a/src/sys/cgroupfile.cil b/src/sys/cgroupfile.cil
index bc58d23..6a5dd4d 100644
--- a/src/sys/cgroupfile.cil
+++ b/src/sys/cgroupfile.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context cgroupfile_context (.sys.id .sys.role cgroupfile lowlevelrange))
+ (context cgroupfile_context (.sys.id .sys.role cgroupfile .sys.lowlow))
 (type cgroupfile)
 (call .cgroupfile.type (cgroupfile)))
diff --git a/src/sys/debugfile.cil b/src/sys/debugfile.cil
index 17fb2ac..33b75fa 100644
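Review bot: `(level low (s0))` and `(level high (s0 .catset))` in the src/sys.cil hunk are now the only place the system range is spelled out, but what makes `high` system-high — that `.catset` is every category and `s0` the only sensitivity — is declared in src/misc/mls.cil and is invisible from this block, so a reader cannot tell that `(userrange id lowhigh)` grants the `sys.id` user the full range, or that narrowing `catset` later would silently shrink that clearance. A short comment above the new level declarations would close the gap, e.g. `;; MLS range of the sys user: low = s0, high = s0 with every category; s0 and catset are declared in misc/mls.cil`. The kernel initial SID on the `+(sidcontext kernel ...)` line stays at `sys.lowlow` while the user range is `lowhigh`; that is unchanged behaviour, but since both now live in this file a word on why the kernel SID is clamped to low would help. The `sys` block continues past the end of the hunk.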
--- a/src/sys/debugfile.cil
+++ b/src/sys/debugfile.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context debugfile_context (.sys.id .sys.role debugfile lowlevelrange))
+ (context debugfile_context (.sys.id .sys.role debugfile .sys.lowlow))
 (type debugfile)
 (call .debugfile.type (debugfile)))
diff --git a/src/sys/procfile.cil b/src/sys/procfile.cil
index 70cb308..d76ca0d 100644
--- a/src/sys/procfile.cil
+++ b/src/sys/procfile.cil
@@ -18,7 +18,7 @@
 (blockabstract base_template)
- (context procfile_context (.sys.id .sys.role procfile lowlevelrange))
+ (context procfile_context (.sys.id .sys.role procfile .sys.lowlow))
 (type procfile)
 (call .procfile.type (procfile)))
diff --git a/src/sys/procfile/sysctlfile.cil b/src/sys/procfile/sysctlfile.cil
index 4f5b199..96ade2e 100644
--- a/src/sys/procfile/sysctlfile.cil
+++ b/src/sys/procfile/sysctlfile.cil
@@ -17,7 +17,7 @@
 (blockabstract base_template)
- (context sysctlfile_context (.sys.id .sys.role sysctlfile lowlevelrange))
+ (context sysctlfile_context (.sys.id .sys.role sysctlfile .sys.lowlow))
 (type sysctlfile)
 (call .sysctlfile.type (sysctlfile)))
diff --git a/src/sys/pstorefile.cil b/src/sys/pstorefile.cil
index 7a1062b..4e44750 100644
--- a/src/sys/pstorefile.cil
+++ b/src/sys/pstorefile.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context pstorefile_context (.sys.id .sys.role pstorefile lowlevelrange))
+ (context pstorefile_context (.sys.id .sys.role pstorefile .sys.lowlow))
 (type pstorefile)
 (call .pstorefile.type (pstorefile)))
diff --git a/src/sys/securityfile.cil b/src/sys/securityfile.cil
index d53837f..862dd03 100644
--- a/src/sys/securityfile.cil
+++ b/src/sys/securityfile.cil
@@ -21,7 +21,7 @@
 (blockabstract base_template)
 (context securityfile_context
- (.sys.id .sys.role securityfile lowlevelrange))
+ (.sys.id .sys.role securityfile .sys.lowlow))
 (type securityfile)
 (call .securityfile.type (securityfile)))
diff --git a/src/sys/sysfile.cil b/src/sys/sysfile.cil
index 25cd041..d4240c7 100644
--- a/src/sys/sysfile.cil
+++ b/src/sys/sysfile.cil
@@ -20,7 +20,7 @@
 (blockabstract base_template)
- (context sysfile_context (.sys.id .sys.role sysfile lowlevelrange))
+ (context sysfile_context (.sys.id .sys.role sysfile .sys.lowlow))
 (type sysfile)
 (call .sysfile.type (sysfile)))
diff --git a/src/sys/tracefile.cil b/src/sys/tracefile.cil
index 702a3b8..dcd6248 100644
--- a/src/sys/tracefile.cil
+++ b/src/sys/tracefile.cil
@@ -19,7 +19,7 @@
 (blockabstract base_template)
- (context tracefile_context (.sys.id .sys.role tracefile lowlevelrange))
+ (context tracefile_context (.sys.id .sys.role tracefile .sys.lowlow))
 (type tracefile)
 (call .tracefile.type (tracefile)))
diff --git a/src/unlabeled.cil b/src/unlabeled.cil
index 540f904..d928442 100644
--- a/src/unlabeled.cil
+++ b/src/unlabeled.cil
@@ -1,7 +1,7 @@
 ;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
 ;; SPDX-License-Identifier: Unlicense
-(sidcontext file (sys.id sys.role unlabeled lowlevelrange))
+(sidcontext file (sys.id sys.role unlabeled sys.lowlow))
 (macro addname_unlabeled_dirs ((type ARG1))
 (allow ARG1 unlabeled addname_dir)) |