Diffstat (limited to 'src')
-rw-r--r--src/dev/nodedev.cil2
-rw-r--r--src/dev/nodedev/nullnodedev.cil2
-rw-r--r--src/dev/stordev.cil2
-rw-r--r--src/dev/termdev/ptytermdev.cil2
-rw-r--r--src/dev/termdev/serialtermdev.cil2
-rw-r--r--src/file.cil2
-rw-r--r--src/fs.cil2
-rw-r--r--src/invalid.cil2
-rw-r--r--src/misc.cil2
-rw-r--r--src/misc/mls.cil11
-rw-r--r--src/misc/modular.cil2
-rw-r--r--src/net/ibnet/endportibnet.cil2
-rw-r--r--src/net/ibnet/pkeyibnet.cil2
-rw-r--r--src/net/netifnet.cil4
-rw-r--r--src/net/nodenet.cil4
-rw-r--r--src/net/packetnet.cil2
-rw-r--r--src/net/peernet.cil4
-rw-r--r--src/net/portnet.cil4
-rw-r--r--src/net/spdnet.cil2
-rw-r--r--src/selinux.cil2
-rw-r--r--src/selinux/booleanfile.cil2
-rw-r--r--src/sys.cil12
-rw-r--r--src/sys/bpffile.cil2
-rw-r--r--src/sys/cgroupfile.cil2
-rw-r--r--src/sys/debugfile.cil2
-rw-r--r--src/sys/procfile.cil2
-rw-r--r--src/sys/procfile/sysctlfile.cil2
-rw-r--r--src/sys/pstorefile.cil2
-rw-r--r--src/sys/securityfile.cil2
-rw-r--r--src/sys/sysfile.cil2
-rw-r--r--src/sys/tracefile.cil2
-rw-r--r--src/unlabeled.cil2
32 files changed, 45 insertions, 46 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
index 3a9378e..bf76848 100644
--- a/src/dev/nodedev.cil
+++ b/src/dev/nodedev.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context nodedev_context (.sys.id .sys.role nodedev lowlevelrange))
+ (context nodedev_context (.sys.id .sys.role nodedev .sys.lowlow))
(type nodedev)
(call .nodedev.type (nodedev)))
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
index c11816c..a212aec 100644
--- a/src/dev/nodedev/nullnodedev.cil
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange))
+(sidcontext devnull (sys.id sys.role null.nodedev sys.lowlow))
(block null
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
index 8085930..a1ee7ef 100644
--- a/src/dev/stordev.cil
+++ b/src/dev/stordev.cil
@@ -20,7 +20,7 @@
(blockabstract base_template)
- (context stordev_context (.sys.id .sys.role stordev lowlevelrange))
+ (context stordev_context (.sys.id .sys.role stordev .sys.lowlow))
(type stordev)
(call .stordev.type (stordev)))
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
index 0a5f93e..8a3b3af 100644
--- a/src/dev/termdev/ptytermdev.cil
+++ b/src/dev/termdev/ptytermdev.cil
@@ -18,7 +18,7 @@
(blockabstract base_template)
- (context ptytermdev_context (.sys.id .sys.role ptytermdev lowlevelrange))
+ (context ptytermdev_context (.sys.id .sys.role ptytermdev .sys.lowlow))
(type ptytermdev)
(call .ptytermdev.type (ptytermdev)))
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
index 4e06669..510ea76 100644
--- a/src/dev/termdev/serialtermdev.cil
+++ b/src/dev/termdev/serialtermdev.cil
@@ -17,7 +17,7 @@
(blockabstract base_template)
(context serialtermdev_context
- (.sys.id .sys.role serialtermdev lowlevelrange))
+ (.sys.id .sys.role serialtermdev .sys.lowlow))
(type serialtermdev)
(call .serialtermdev.type (serialtermdev)))
diff --git a/src/file.cil b/src/file.cil
index 8afbb9c..b171e0c 100644
--- a/src/file.cil
+++ b/src/file.cil
@@ -406,7 +406,7 @@
(blockabstract base_template)
- (context file_context (.sys.id .sys.role file lowlevelrange))
+ (context file_context (.sys.id .sys.role file .sys.lowlow))
(type file)
(call .file.type (file)))
diff --git a/src/fs.cil b/src/fs.cil
index c4ce694..62a2437 100644
--- a/src/fs.cil
+++ b/src/fs.cil
@@ -141,7 +141,7 @@
(blockabstract base_template)
- (context fs_context (.sys.id .sys.role fs lowlevelrange))
+ (context fs_context (.sys.id .sys.role fs .sys.lowlow))
(type fs)
(call .fs.type (fs)))
diff --git a/src/invalid.cil b/src/invalid.cil
index 57b6f22..8625819 100644
--- a/src/invalid.cil
+++ b/src/invalid.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext unlabeled (sys.id sys.role invalid lowlevelrange))
+(sidcontext unlabeled (sys.id sys.role invalid sys.lowlow))
(macro addname_invalid_dirs ((type ARG1))
(allow ARG1 invalid addname_dir))
diff --git a/src/misc.cil b/src/misc.cil
index 83b14e2..d619657 100644
--- a/src/misc.cil
+++ b/src/misc.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext init (sys.id sys.role sys.subj lowlevelrange)) ;; userspace_initial_context
+(sidcontext init (sys.id sys.role sys.subj sys.lowlow)) ;; userspace_initial_context
(in boot
diff --git a/src/misc/mls.cil b/src/misc/mls.cil
index 357b4d0..007d757 100644
--- a/src/misc/mls.cil
+++ b/src/misc/mls.cil
@@ -1096,15 +1096,8 @@
c1011 c1012 c1013 c1014 c1015 c1016 c1017 c1018 c1019 c1020 c1021 c1022
c1023))
-(categoryset allcatset (range c0 c1023))
+(categoryset catset (range c0 c1023))
(sensitivity s0)
(sensitivityorder (s0))
-
-(sensitivitycategory s0 allcatset)
-
-(level systemlow (s0))
-(level systemhigh (s0 allcatset))
-
-(levelrange lowlevelrange (systemlow systemlow))
-(levelrange lowhighlevelrange (systemlow systemhigh))
+(sensitivitycategory s0 catset)
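Review bot: With the `level` and `levelrange` statements removed at the end of this hunk, src/misc/mls.cil no longer shows where the policy's levels and ranges are declared, and nothing here points to their new location. A one-line comment after `(sensitivitycategory s0 catset)`, such as `;; levels and level ranges are declared in block sys (src/sys.cil)`, would keep the MLS definitions discoverable. `catset` is also a fairly generic name for a global-namespace declaration, and the src/sys.cil side of this commit already has to reference it as `.catset`. The diffstat is limited to src, so this page cannot confirm that no policy outside src still refers to the removed names `lowlevelrange`, `lowhighlevelrange`, `systemlow`, `systemhigh` or `allcatset`; an unresolved name would presumably fail the policy build.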
diff --git a/src/misc/modular.cil b/src/misc/modular.cil
index 601490f..1f7a6bd 100644
--- a/src/misc/modular.cil
+++ b/src/misc/modular.cil
@@ -1,5 +1,5 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(selinuxuserdefault sys.id lowlevelrange)
+(selinuxuserdefault sys.id sys.lowlow)
(userprefix sys.id sys.role)
diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil
index 32ff1a7..6510dab 100644
--- a/src/net/ibnet/endportibnet.cil
+++ b/src/net/ibnet/endportibnet.cil
@@ -43,7 +43,7 @@
(blockabstract base_template)
- (context endport_context (.sys.id .sys.role endport lowlevelrange))
+ (context endport_context (.sys.id .sys.role endport .sys.lowlow))
(type endport)
(call .net.ib.endport.type (endport)))
diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil
index 83cbde3..235a432 100644
--- a/src/net/ibnet/pkeyibnet.cil
+++ b/src/net/ibnet/pkeyibnet.cil
@@ -43,7 +43,7 @@
(blockabstract base_template)
- (context pkey_context (.sys.id .sys.role pkey lowlevelrange))
+ (context pkey_context (.sys.id .sys.role pkey .sys.lowlow))
(type pkey)
(call .net.ib.pkey.type (pkey)))
diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil
index 6a97ee3..03849df 100644
--- a/src/net/netifnet.cil
+++ b/src/net/netifnet.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext netif (sys.id sys.role net.netif lowlevelrange))
+(sidcontext netif (sys.id sys.role net.netif sys.lowlow))
(class netif (egress ingress))
(classorder (unordered netif))
@@ -62,7 +62,7 @@
(blockabstract base_template)
- (context netif_context (.sys.id .sys.role netif lowlevelrange))
+ (context netif_context (.sys.id .sys.role netif .sys.lowlow))
(type netif)
(call .net.netif.type (netif)))
diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil
index e530aad..b15301e 100644
--- a/src/net/nodenet.cil
+++ b/src/net/nodenet.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext node (sys.id sys.role net.netnode lowlevelrange))
+(sidcontext node (sys.id sys.role net.netnode sys.lowlow))
(class node (recvfrom sendto))
(classorder (unordered node))
@@ -82,7 +82,7 @@
(blockabstract base_template)
- (context netnode_context (.sys.id .sys.role netnode lowlevelrange))
+ (context netnode_context (.sys.id .sys.role netnode .sys.lowlow))
(type netnode)
(call .net.netnode.type (netnode)))
diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil
index 4ed4b3d..f31ee00 100644
--- a/src/net/packetnet.cil
+++ b/src/net/packetnet.cil
@@ -117,7 +117,7 @@
(blockabstract base_template)
- (context packet_context (.sys.id .sys.role packet lowlevelrange))
+ (context packet_context (.sys.id .sys.role packet .sys.lowlow))
(type packet)
(call .net.packet.type (packet)))
diff --git a/src/net/peernet.cil b/src/net/peernet.cil
index 743321c..51af170 100644
--- a/src/net/peernet.cil
+++ b/src/net/peernet.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext netmsg (sys.id sys.role net.peer lowlevelrange))
+(sidcontext netmsg (sys.id sys.role net.peer sys.lowlow))
(class peer (recv))
(classorder (unordered peer))
@@ -59,7 +59,7 @@
(blockabstract base_template)
- (context peer_context (.sys.id .sys.role peer lowlevelrange))
+ (context peer_context (.sys.id .sys.role peer .sys.lowlow))
(type peer)
(call .net.peer.type (peer)))
diff --git a/src/net/portnet.cil b/src/net/portnet.cil
index 544d062..7b989fa 100644
--- a/src/net/portnet.cil
+++ b/src/net/portnet.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext port (sys.id sys.role net.port lowlevelrange))
+(sidcontext port (sys.id sys.role net.port sys.lowlow))
(in net
@@ -53,7 +53,7 @@
(blockabstract base_template)
- (context port_context (.sys.id .sys.role port lowlevelrange))
+ (context port_context (.sys.id .sys.role port .sys.lowlow))
(type port)
(call .net.port.type (port)))
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil
index 76c8311..54f3949 100644
--- a/src/net/spdnet.cil
+++ b/src/net/spdnet.cil
@@ -74,7 +74,7 @@
(blockabstract base_template)
- (context spd_context (.sys.id .sys.role spd lowlevelrange))
+ (context spd_context (.sys.id .sys.role spd .sys.lowlow))
(type spd)
(call .net.spd.type (spd)))
diff --git a/src/selinux.cil b/src/selinux.cil
index 3a9a7d6..810d68f 100644
--- a/src/selinux.cil
+++ b/src/selinux.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext security (sys.id sys.role selinux lowlevelrange))
+(sidcontext security (sys.id sys.role selinux sys.lowlow))
(class security
(check_context compute_av compute_create compute_member compute_relabel
diff --git a/src/selinux/booleanfile.cil b/src/selinux/booleanfile.cil
index c36bf0e..7fd3727 100644
--- a/src/selinux/booleanfile.cil
+++ b/src/selinux/booleanfile.cil
@@ -16,7 +16,7 @@
(blockabstract base_template)
- (context booleanfile_context (.sys.id .sys.role booleanfile lowlevelrange))
+ (context booleanfile_context (.sys.id .sys.role booleanfile .sys.lowlow))
(type booleanfile)
(call .booleanfile.type (booleanfile)))
diff --git a/src/sys.cil b/src/sys.cil
index fed73dc..9738789 100644
--- a/src/sys.cil
+++ b/src/sys.cil
@@ -1,18 +1,24 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext kernel (sys.id sys.role sys.subj lowlevelrange))
+(sidcontext kernel (sys.id sys.role sys.subj sys.lowlow))
(block sys
+ (level low (s0))
+ (level high (s0 .catset))
+
+ (levelrange lowlow (low low))
+ (levelrange lowhigh (low high))
+
(role role)
(roletype role subj)
(user id)
(userrole id role)
- (userlevel id systemlow)
- (userrange id lowhighlevelrange)
+ (userlevel id low)
+ (userrange id lowhigh)
(blockinherit .subj.template)
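Review bot: The four declarations added at the top of block sys carry no comment, although `sys.lowlow` is now the range used by every `context`, `sidcontext` and `selinuxuserdefault` statement this commit touches, while `sys.lowhigh` appears only as the `userrange` of `id`. A comment above them would make the split explicit, for example `;; lowlow = s0-s0, the range of every context; lowhigh = s0-s0:c0.c1023, the userrange of sys.id`. In `(level high (s0 .catset))` the category set is written with the global-namespace dot while `s0` is left bare; writing both the same way would read more consistently. Block sys continues past the end of the hunk.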
diff --git a/src/sys/bpffile.cil b/src/sys/bpffile.cil
index ccedea0..60793b2 100644
--- a/src/sys/bpffile.cil
+++ b/src/sys/bpffile.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context bpffile_context (.sys.id .sys.role bpffile lowlevelrange))
+ (context bpffile_context (.sys.id .sys.role bpffile .sys.lowlow))
(type bpffile)
(call .bpffile.type (bpffile)))
diff --git a/src/sys/cgroupfile.cil b/src/sys/cgroupfile.cil
index bc58d23..6a5dd4d 100644
--- a/src/sys/cgroupfile.cil
+++ b/src/sys/cgroupfile.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context cgroupfile_context (.sys.id .sys.role cgroupfile lowlevelrange))
+ (context cgroupfile_context (.sys.id .sys.role cgroupfile .sys.lowlow))
(type cgroupfile)
(call .cgroupfile.type (cgroupfile)))
diff --git a/src/sys/debugfile.cil b/src/sys/debugfile.cil
index 17fb2ac..33b75fa 100644
--- a/src/sys/debugfile.cil
+++ b/src/sys/debugfile.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context debugfile_context (.sys.id .sys.role debugfile lowlevelrange))
+ (context debugfile_context (.sys.id .sys.role debugfile .sys.lowlow))
(type debugfile)
(call .debugfile.type (debugfile)))
diff --git a/src/sys/procfile.cil b/src/sys/procfile.cil
index 70cb308..d76ca0d 100644
--- a/src/sys/procfile.cil
+++ b/src/sys/procfile.cil
@@ -18,7 +18,7 @@
(blockabstract base_template)
- (context procfile_context (.sys.id .sys.role procfile lowlevelrange))
+ (context procfile_context (.sys.id .sys.role procfile .sys.lowlow))
(type procfile)
(call .procfile.type (procfile)))
diff --git a/src/sys/procfile/sysctlfile.cil b/src/sys/procfile/sysctlfile.cil
index 4f5b199..96ade2e 100644
--- a/src/sys/procfile/sysctlfile.cil
+++ b/src/sys/procfile/sysctlfile.cil
@@ -17,7 +17,7 @@
(blockabstract base_template)
- (context sysctlfile_context (.sys.id .sys.role sysctlfile lowlevelrange))
+ (context sysctlfile_context (.sys.id .sys.role sysctlfile .sys.lowlow))
(type sysctlfile)
(call .sysctlfile.type (sysctlfile)))
diff --git a/src/sys/pstorefile.cil b/src/sys/pstorefile.cil
index 7a1062b..4e44750 100644
--- a/src/sys/pstorefile.cil
+++ b/src/sys/pstorefile.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context pstorefile_context (.sys.id .sys.role pstorefile lowlevelrange))
+ (context pstorefile_context (.sys.id .sys.role pstorefile .sys.lowlow))
(type pstorefile)
(call .pstorefile.type (pstorefile)))
diff --git a/src/sys/securityfile.cil b/src/sys/securityfile.cil
index d53837f..862dd03 100644
--- a/src/sys/securityfile.cil
+++ b/src/sys/securityfile.cil
@@ -21,7 +21,7 @@
(blockabstract base_template)
(context securityfile_context
- (.sys.id .sys.role securityfile lowlevelrange))
+ (.sys.id .sys.role securityfile .sys.lowlow))
(type securityfile)
(call .securityfile.type (securityfile)))
diff --git a/src/sys/sysfile.cil b/src/sys/sysfile.cil
index 25cd041..d4240c7 100644
--- a/src/sys/sysfile.cil
+++ b/src/sys/sysfile.cil
@@ -20,7 +20,7 @@
(blockabstract base_template)
- (context sysfile_context (.sys.id .sys.role sysfile lowlevelrange))
+ (context sysfile_context (.sys.id .sys.role sysfile .sys.lowlow))
(type sysfile)
(call .sysfile.type (sysfile)))
diff --git a/src/sys/tracefile.cil b/src/sys/tracefile.cil
index 702a3b8..dcd6248 100644
--- a/src/sys/tracefile.cil
+++ b/src/sys/tracefile.cil
@@ -19,7 +19,7 @@
(blockabstract base_template)
- (context tracefile_context (.sys.id .sys.role tracefile lowlevelrange))
+ (context tracefile_context (.sys.id .sys.role tracefile .sys.lowlow))
(type tracefile)
(call .tracefile.type (tracefile)))
diff --git a/src/unlabeled.cil b/src/unlabeled.cil
index 540f904..d928442 100644
--- a/src/unlabeled.cil
+++ b/src/unlabeled.cil
@@ -1,7 +1,7 @@
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
-(sidcontext file (sys.id sys.role unlabeled lowlevelrange))
+(sidcontext file (sys.id sys.role unlabeled sys.lowlow))
(macro addname_unlabeled_dirs ((type ARG1))
(allow ARG1 unlabeled addname_dir))