;; SPDX-FileCopyrightText: © 2025 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

(block rbac

    ;; Role-based access control. Both constraints below are satisfied
    ;; when source and target role are the same (eq r1 r2); every other
    ;; disjunct is a sanctioned way to cross a role boundary, gated by
    ;; membership in one of the type attributes declared further down.
    ;; (eq t1 <attr>) in a constraint tests membership of t1 in <attr>.

    ;; Object creation / relabeling to a label whose role differs from
    ;; the creating process' role is permitted only when the source type
    ;; is in objchangesys.typeattr and the object role is .sys.role, or
    ;; the source type is in objchange.typeattr (no restriction on the
    ;; target role), or the source type is in exempt.typeattr.
    ;; NOTE(review): constrainobject is not declared in this file;
    ;; presumably a classmap defined elsewhere in the policy — confirm.
    (constrain (constrainobject (create relabelto))
	(or (or (or (eq r1 r2)
		    (and (eq t1 objchangesys.typeattr)
			(eq r2 .sys.role)))
		(eq t1 objchange.typeattr))
	    (eq t1 exempt.typeattr)))

    ;; Process role change (transition / dyntransition) is permitted only
    ;; when the source type is in subjchange.typeattr AND the new process
    ;; type is in subjchangetarget.typeattr (the target domain has to opt
    ;; in), or the source type is in subjchangesys.typeattr and the new
    ;; role is .sys.role, or the source type is in exempt.typeattr.
    (constrain (process (dyntransition transition))
	(or (or (or (eq r1 r2)
		    (and (eq t1 subjchange.typeattr)
			(eq t2 subjchangetarget.typeattr)))
		(and (eq t1 subjchangesys.typeattr) (eq r2 .sys.role)))
	    (eq t1 exempt.typeattr)))

    ;; change: types allowed to both relabel objects to another role
    ;; (objchange) and to change their own role (subjchange). The two
    ;; calls below add change.typeattr to objchange.typeattr and
    ;; subjchange.typeattr, so a single call to change.type grants both.
    (block change

	;; Add ARG1 to change.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	(call objchange.type (typeattr))
	(call subjchange.type (typeattr)))

    ;; changesys: like change, but restricted to the .sys.role target
    ;; (see the (eq r2 .sys.role) conjuncts in both constraints).
    (block changesys

	;; Add ARG1 to changesys.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr)

	(call objchangesys.type (typeattr))
	(call subjchangesys.type (typeattr)))

    ;; exempt: types that bypass both constraints entirely. Membership
    ;; here removes the role boundary for that type, so keep it minimal.
    (block exempt

	;; Add ARG1 to exempt.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr))

    ;; objchange: may create/relabelto objects with any role.
    (block objchange

	;; Add ARG1 to objchange.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr))

    ;; objchangesys: may create/relabelto objects with role .sys.role only.
    (block objchangesys

	;; Add ARG1 to objchangesys.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr))

    ;; subjchange: may transition to another role, but only into a
    ;; process type that is in subjchangetarget.typeattr.
    (block subjchange

	;; Add ARG1 to subjchange.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr))

    ;; subjchangesys: may transition to role .sys.role (any target type).
    (block subjchangesys

	;; Add ARG1 to subjchangesys.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr))

    ;; subjchangetarget: process types a subjchange source is allowed to
    ;; transition into when the role changes.
    (block subjchangetarget

	;; Add ARG1 to subjchangetarget.typeattr.
	(macro type ((type ARG1))
	    (typeattributeset typeattr ARG1))

	(typeattribute typeattr)))

(in subj.unconfined

    ;; Exempt the unconfined domain from both rbac constraints by adding
    ;; its type attribute to rbac.exempt.typeattr. Inside this (in ...)
    ;; the bare typeattr should resolve to subj.unconfined.typeattr.
    ;; NOTE(review): subj.unconfined and its typeattr are declared
    ;; elsewhere — confirm.
    (call .rbac.exempt.type (typeattr)))