;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense
; Bind the kernel's "unlabeled" initial SID to the invalid type.  The kernel
; uses this SID for objects that carry no security label or one the loaded
; policy cannot resolve, so "invalid" is the context such objects show up in.
; Every permission the macros below hand out on "invalid" therefore reaches
; content of unknown provenance; callers should grant narrowly and on purpose.
(sidcontext unlabeled (sys.id sys.role invalid sys.lowlow))
; Interface macros: each takes one domain type (ARG1) and grants it a named
; class-permission set (defined elsewhere in the policy) on the invalid type.
; The *_inherited variants are, by their names, the permissions needed to use
; an already-open descriptor rather than to open the object by path.
; Presumably addname_dir covers add_name on directories (needed to create
; entries); verify against the permission-set definitions.
(macro addname_invalid_dirs ((type ARG1))
(allow ARG1 invalid addname_dir))
; Append-only access per file class on invalid-labelled objects.
(macro append_invalid_blk_files ((type ARG1))
(allow ARG1 invalid append_blk_file))
(macro append_invalid_chr_files ((type ARG1))
(allow ARG1 invalid append_chr_file))
(macro append_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid append_fifo_file))
(macro append_invalid_files ((type ARG1))
(allow ARG1 invalid append_file))
; Append via an inherited, already-open descriptor.
(macro appendinherited_invalid_blk_files ((type ARG1))
(allow ARG1 invalid appendinherited_blk_file))
(macro appendinherited_invalid_chr_files ((type ARG1))
(allow ARG1 invalid appendinherited_chr_file))
(macro appendinherited_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid appendinherited_fifo_file))
(macro appendinherited_invalid_files ((type ARG1))
(allow ARG1 invalid appendinherited_file))
; Creation of invalid-labelled objects.  The first macro uses the "files"
; class map (presumably spanning every file class; verify its classmapping),
; the rest are per-class permission sets.  Note that creating an object with
; the "invalid" label is what an unlabeled filesystem does by default, so a
; domain given these can populate such filesystems.
(macro create_invalid ((type ARG1))
(allow ARG1 invalid (files (create))))
(macro create_invalid_blk_files ((type ARG1))
(allow ARG1 invalid create_blk_file))
(macro create_invalid_chr_files ((type ARG1))
(allow ARG1 invalid create_chr_file))
(macro create_invalid_dirs ((type ARG1))
(allow ARG1 invalid create_dir))
(macro create_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid create_fifo_file))
(macro create_invalid_files ((type ARG1))
(allow ARG1 invalid create_file))
(macro create_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid create_lnk_file))
(macro create_invalid_sock_files ((type ARG1))
(allow ARG1 invalid create_sock_file))
; Deletion of invalid-labelled objects: "files" class-map form first, then
; per-class permission sets.  deletename_dir is, by its name, the directory
; side of an unlink (remove_name); verify against the set definition.
(macro delete_invalid ((type ARG1))
(allow ARG1 invalid (files (delete))))
(macro delete_invalid_blk_files ((type ARG1))
(allow ARG1 invalid delete_blk_file))
(macro delete_invalid_chr_files ((type ARG1))
(allow ARG1 invalid delete_chr_file))
(macro delete_invalid_dirs ((type ARG1))
(allow ARG1 invalid delete_dir))
(macro delete_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid delete_fifo_file))
(macro delete_invalid_files ((type ARG1))
(allow ARG1 invalid delete_file))
(macro delete_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid delete_lnk_file))
(macro delete_invalid_sock_files ((type ARG1))
(allow ARG1 invalid delete_sock_file))
(macro deletename_invalid_dirs ((type ARG1))
(allow ARG1 invalid deletename_dir))
; Executing an unlabeled binary.  This is the one to scrutinise most when
; reviewing callers: code of unknown provenance runs inside ARG1's domain
; (no entrypoint is granted here, so no domain transition through it).
(macro execute_invalid_files ((type ARG1))
(allow ARG1 invalid execute_file))
; Read-only process inspection where the *target* process runs as the
; invalid domain (sidcontext above makes that the context of unlabeled tasks).
(macro getattr_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (getattr))))
(macro getrlimit_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (getrlimit))))
(macro getsched_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (getsched))))
; Name-based type transition for objects created inside an invalid-labelled
; directory:
;   ARG1 = creating domain, ARG2 = resulting object type,
;   ARG3 = object class,    ARG4 = file name that triggers the transition.
; Also grants ARG1 the addname_dir set on invalid dirs (adding a directory
; entry needs add_name on the parent).  The create permission on class ARG3
; itself is not granted here; the caller must add it.
(macro invalid_type_transition ((type ARG1)(type ARG2)(class ARG3)(name ARG4))
(typetransition ARG1 invalid ARG3 ARG4 ARG2)
(call addname_invalid_dirs (ARG1)))
; Directory listing on invalid-labelled dirs (by path / via inherited fd).
(macro list_invalid_dirs ((type ARG1))
(allow ARG1 invalid list_dir))
(macro listinherited_invalid_dirs ((type ARG1))
(allow ARG1 invalid listinherited_dir))
; Full management (presumably create/read/write/delete/rename; verify the
; set definitions) of invalid-labelled objects, class-map form then per-class.
(macro manage_invalid ((type ARG1))
(allow ARG1 invalid (files (manage))))
(macro manage_invalid_blk_files ((type ARG1))
(allow ARG1 invalid manage_blk_file))
(macro manage_invalid_chr_files ((type ARG1))
(allow ARG1 invalid manage_chr_file))
(macro manage_invalid_dirs ((type ARG1))
(allow ARG1 invalid manage_dir))
(macro manage_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid manage_fifo_file))
(macro manage_invalid_files ((type ARG1))
(allow ARG1 invalid manage_file))
(macro manage_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid manage_lnk_file))
(macro manage_invalid_sock_files ((type ARG1))
(allow ARG1 invalid manage_sock_file))
; Mapping unlabeled content executable (PROT_EXEC mmap).  Only offered for
; chr_file and file; there is deliberately no variant for the other classes.
(macro mapexecute_invalid_chr_files ((type ARG1))
(allow ARG1 invalid mapexecute_chr_file))
(macro mapexecute_invalid_files ((type ARG1))
(allow ARG1 invalid mapexecute_file))
; Using an invalid-labelled dir or file as a mount point.
(macro mounton_invalid_dirs ((type ARG1))
(allow ARG1 invalid mounton_dir))
(macro mounton_invalid_files ((type ARG1))
(allow ARG1 invalid mounton_file))
; Process-class permissions towards a target running as the invalid domain.
; nnp_transition / nosuid_transition allow the transition under
; no_new_privs or from a nosuid mount; pair them with transition_invalid_processes.
(macro nnptransition_invalid_processes ((type ARG1))
(allow ARG1 invalid (process2 (nnp_transition))))
(macro noatsecure_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (noatsecure))))
(macro nosuidtransition_invalid_processes ((type ARG1))
(allow ARG1 invalid (process2 (nosuid_transition))))
; "state" is not a kernel class; presumably a policy-defined class map whose
; "ps" mapping bundles what a process listing needs.  Verify before relying on it.
(macro ps_invalid_states ((type ARG1))
(allow ARG1 invalid (state (ps))))
; ptrace of an unlabeled process: full control of that process, grant sparingly.
(macro ptrace_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (ptrace))))
; Read access to invalid-labelled objects: class-map form, then per-class
; sets, then the "state" read mapping (policy-defined class map, see above).
(macro read_invalid ((type ARG1))
(allow ARG1 invalid (files (read))))
(macro read_invalid_blk_files ((type ARG1))
(allow ARG1 invalid read_blk_file))
(macro read_invalid_chr_files ((type ARG1))
(allow ARG1 invalid read_chr_file))
(macro read_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid read_fifo_file))
(macro read_invalid_files ((type ARG1))
(allow ARG1 invalid read_file))
(macro read_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid read_lnk_file))
(macro read_invalid_sock_files ((type ARG1))
(allow ARG1 invalid read_sock_file))
(macro read_invalid_states ((type ARG1))
(allow ARG1 invalid (state (read))))
; Read via an inherited, already-open descriptor (no dir variant: a directory
; fd is covered by listinherited_invalid_dirs).
(macro readinherited_invalid_blk_files ((type ARG1))
(allow ARG1 invalid readinherited_blk_file))
(macro readinherited_invalid_chr_files ((type ARG1))
(allow ARG1 invalid readinherited_chr_file))
(macro readinherited_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid readinherited_fifo_file))
(macro readinherited_invalid_files ((type ARG1))
(allow ARG1 invalid readinherited_file))
(macro readinherited_invalid_sock_files ((type ARG1))
(allow ARG1 invalid readinherited_sock_file))
; Read/write access to invalid-labelled objects, by path.
(macro readwrite_invalid ((type ARG1))
(allow ARG1 invalid (files (readwrite))))
(macro readwrite_invalid_blk_files ((type ARG1))
(allow ARG1 invalid readwrite_blk_file))
(macro readwrite_invalid_chr_files ((type ARG1))
(allow ARG1 invalid readwrite_chr_file))
(macro readwrite_invalid_dirs ((type ARG1))
(allow ARG1 invalid readwrite_dir))
(macro readwrite_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid readwrite_fifo_file))
(macro readwrite_invalid_files ((type ARG1))
(allow ARG1 invalid readwrite_file))
(macro readwrite_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid readwrite_lnk_file))
(macro readwrite_invalid_sock_files ((type ARG1))
(allow ARG1 invalid readwrite_sock_file))
; Read/write via an inherited, already-open descriptor (no lnk_file variant).
(macro readwriteinherited_invalid_blk_files ((type ARG1))
(allow ARG1 invalid readwriteinherited_blk_file))
(macro readwriteinherited_invalid_chr_files ((type ARG1))
(allow ARG1 invalid readwriteinherited_chr_file))
(macro readwriteinherited_invalid_dirs ((type ARG1))
(allow ARG1 invalid readwriteinherited_dir))
(macro readwriteinherited_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid readwriteinherited_fifo_file))
(macro readwriteinherited_invalid_files ((type ARG1))
(allow ARG1 invalid readwriteinherited_file))
(macro readwriteinherited_invalid_sock_files ((type ARG1))
(allow ARG1 invalid readwriteinherited_sock_file))
; Relabeling to/from the invalid type.  relabel_* grants both directions
; (presumably relabelfrom + relabelto; verify the set definitions).
; "relabelfrom invalid" is the common, desirable case: a domain fixing up
; labels on a freshly mounted unlabeled filesystem.  "relabelto invalid" moves
; an object *out* of the policy's named labels, which defeats the purpose of
; labeling it in the first place; the unconfined block below refuses it
; even to unconfined domains, so think twice before calling those macros.
(macro relabel_invalid ((type ARG1))
(allow ARG1 invalid (files (relabel))))
(macro relabel_invalid_blk_files ((type ARG1))
(allow ARG1 invalid relabel_blk_file))
(macro relabel_invalid_chr_files ((type ARG1))
(allow ARG1 invalid relabel_chr_file))
(macro relabel_invalid_dirs ((type ARG1))
(allow ARG1 invalid relabel_dir))
(macro relabel_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid relabel_fifo_file))
(macro relabel_invalid_files ((type ARG1))
(allow ARG1 invalid relabel_file))
(macro relabel_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid relabel_lnk_file))
(macro relabel_invalid_sock_files ((type ARG1))
(allow ARG1 invalid relabel_sock_file))
; relabelfrom: take objects away from the invalid label.
(macro relabelfrom_invalid ((type ARG1))
(allow ARG1 invalid (files (relabelfrom))))
(macro relabelfrom_invalid_blk_files ((type ARG1))
(allow ARG1 invalid relabelfrom_blk_file))
(macro relabelfrom_invalid_chr_files ((type ARG1))
(allow ARG1 invalid relabelfrom_chr_file))
(macro relabelfrom_invalid_dirs ((type ARG1))
(allow ARG1 invalid relabelfrom_dir))
(macro relabelfrom_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid relabelfrom_fifo_file))
(macro relabelfrom_invalid_files ((type ARG1))
(allow ARG1 invalid relabelfrom_file))
(macro relabelfrom_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid relabelfrom_lnk_file))
(macro relabelfrom_invalid_sock_files ((type ARG1))
(allow ARG1 invalid relabelfrom_sock_file))
; relabelto: put objects under the invalid label (see the caution above).
(macro relabelto_invalid ((type ARG1))
(allow ARG1 invalid (files (relabelto))))
(macro relabelto_invalid_blk_files ((type ARG1))
(allow ARG1 invalid relabelto_blk_file))
(macro relabelto_invalid_chr_files ((type ARG1))
(allow ARG1 invalid relabelto_chr_file))
(macro relabelto_invalid_dirs ((type ARG1))
(allow ARG1 invalid relabelto_dir))
(macro relabelto_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid relabelto_fifo_file))
(macro relabelto_invalid_files ((type ARG1))
(allow ARG1 invalid relabelto_file))
(macro relabelto_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid relabelto_lnk_file))
(macro relabelto_invalid_sock_files ((type ARG1))
(allow ARG1 invalid relabelto_sock_file))
; Renaming invalid-labelled objects, class-map form then per-class sets.
(macro rename_invalid ((type ARG1))
(allow ARG1 invalid (files (rename))))
(macro rename_invalid_blk_files ((type ARG1))
(allow ARG1 invalid rename_blk_file))
(macro rename_invalid_chr_files ((type ARG1))
(allow ARG1 invalid rename_chr_file))
(macro rename_invalid_dirs ((type ARG1))
(allow ARG1 invalid rename_dir))
(macro rename_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid rename_fifo_file))
(macro rename_invalid_files ((type ARG1))
(allow ARG1 invalid rename_file))
(macro rename_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid rename_lnk_file))
(macro rename_invalid_sock_files ((type ARG1))
(allow ARG1 invalid rename_sock_file))
; ARG1 may let a child running as the invalid domain inherit its rlimits.
(macro rlimitinh_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (rlimitinh))))
; Path traversal through invalid-labelled directories.  Almost any domain that
; must cope with an unlabeled filesystem needs this one; it grants no content access.
(macro search_invalid_dirs ((type ARG1))
(allow ARG1 invalid search_dir))
; Modifying limits / scheduling of a process running as the invalid domain.
(macro setrlimit_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (setrlimit))))
(macro setsched_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (setsched))))
; Signals towards a process running as the invalid domain, one macro per
; signal class (sigchld is the one a parent needs to reap such a child).
(macro sigchld_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (sigchld))))
(macro sigkill_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (sigkill))))
(macro signal_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (signal))))
(macro signull_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (signull))))
(macro sigstop_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (sigstop))))
; Allow ARG1 to transition *into* the invalid domain.  Unlike a normal domain
; transition this lands in the catch-all label; the caller also needs the
; entrypoint/execute side, which no macro in this file provides.
(macro transition_invalid_processes ((type ARG1))
(allow ARG1 invalid (process (transition))))
; Write access to invalid-labelled objects, by path.
(macro write_invalid ((type ARG1))
(allow ARG1 invalid (files (write))))
(macro write_invalid_blk_files ((type ARG1))
(allow ARG1 invalid write_blk_file))
(macro write_invalid_chr_files ((type ARG1))
(allow ARG1 invalid write_chr_file))
(macro write_invalid_dirs ((type ARG1))
(allow ARG1 invalid write_dir))
(macro write_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid write_fifo_file))
(macro write_invalid_files ((type ARG1))
(allow ARG1 invalid write_file))
(macro write_invalid_lnk_files ((type ARG1))
(allow ARG1 invalid write_lnk_file))
(macro write_invalid_sock_files ((type ARG1))
(allow ARG1 invalid write_sock_file))
; Write via an inherited, already-open descriptor (no lnk_file variant).
(macro writeinherited_invalid_blk_files ((type ARG1))
(allow ARG1 invalid writeinherited_blk_file))
(macro writeinherited_invalid_chr_files ((type ARG1))
(allow ARG1 invalid writeinherited_chr_file))
(macro writeinherited_invalid_dirs ((type ARG1))
(allow ARG1 invalid writeinherited_dir))
(macro writeinherited_invalid_fifo_files ((type ARG1))
(allow ARG1 invalid writeinherited_fifo_file))
(macro writeinherited_invalid_files ((type ARG1))
(allow ARG1 invalid writeinherited_file))
(macro writeinherited_invalid_sock_files ((type ARG1))
(allow ARG1 invalid writeinherited_sock_file))
; The invalid type itself.  It is bound to sys.role so it can serve as a
; process (domain) type, which is what the sidcontext above implies for
; unlabeled tasks.  The .xattr.associate_fs call presumably grants the
; filesystem "associate" permission so files with this label may live on
; xattr-backed filesystems; verify against that macro's definition.
(type invalid)
(roletype sys.role invalid)
(call .xattr.associate_fs (invalid))
; Namespace "invalid": privileges for domains that are deliberately
; unconfined with respect to unlabeled content.  Inside this block the bare
; name "invalid" would resolve to the block, so the global type is written
; ".invalid" throughout.
(block invalid
(block unconfined
; invalid.unconfined.type: add ARG1 to the attribute that carries every
; rule below.
(macro type ((type ARG1))
(typeattributeset typeattr ARG1))
(typeattribute typeattr)
; Process side: unconfined may inspect, signal and ptrace an invalid-domain
; process, but may not *become* one (transition / dyntransition excluded,
; and the process2 transition flavours below), nor grant it exec heap/stack.
(allow typeattr .invalid
(process (not (dyntransition execheap execstack transition))))
(allow typeattr .invalid
(process2 (not (nnp_transition nosuid_transition))))
; File side: everything except audit_access, execmod and - uniformly - relabelto,
; so even unconfined cannot push objects into the invalid label.  Per class:
;   blk/fifo/lnk/sock_file: additionally no map and no mounton
;   chr_file:               no mounton (map is allowed, e.g. device memory)
;   dir:                    mounton and map allowed
;   file:                   no entrypoint (an unlabeled executable can be run,
;                           but never used to enter a domain), map allowed
(allow typeattr .invalid
(blk_file (not (audit_access execmod map mounton relabelto))))
(allow typeattr .invalid
(chr_file (not (audit_access execmod mounton relabelto))))
(allow typeattr .invalid (dir (not (audit_access execmod relabelto))))
(allow typeattr .invalid
(fifo_file (not (audit_access execmod map mounton relabelto))))
(allow typeattr .invalid
(file (not (audit_access entrypoint execmod relabelto))))
(allow typeattr .invalid
(lnk_file (not (audit_access execmod map mounton relabelto))))
(allow typeattr .invalid
(sock_file (not (audit_access execmod map mounton relabelto))))))
; Extend the top-level "unconfined" container: its typeattr (presumably the
; attribute every globally unconfined domain carries) is fed into
; invalid.unconfined.type, so those domains receive all rules above.
(in unconfined
(call .invalid.unconfined.type (typeattr)))