path: root/src/selinux.cil
blob: 810d68f99ebaf259a8bb9c4a07a384ff343c922a (plain)
;; SPDX-FileCopyrightText: © 2024 Dominick Grift <dominick.grift@defensec.nl>
;; SPDX-License-Identifier: Unlicense

;; Label the "security" initial SID with the context
;; sys.id:sys.role:selinux at level range sys.lowlow. The kernel checks
;; `security` class permissions against this initial SID, which is why the
;; allow rules in this file use the type `selinux` as their target.
;; NOTE(review): the `sid security` declaration and the sys.* identifiers are
;; not in this file; presumably they are declared elsewhere in the policy.
(sidcontext security (sys.id sys.role selinux sys.lowlow))

;; The `security` object class: permissions that gate operations on the
;; SELinux security server itself (context validation, access computations,
;; policy load/read, booleans, enforcing mode, tunables).
;; load_policy, setenforce and setsecparam additionally get build-time
;; neverallow guards in the `selinux` block of this file; the other
;; permissions are controlled by allow rules only.
(class security
       (check_context compute_av compute_create compute_member compute_relabel
		      compute_user load_policy read_policy setbool
		      setcheckreqprot setenforce setsecparam validate_trans))
;; Register the class without fixing its position relative to other classes.
(classorder (unordered security))

;; Allow ARG1 to ask the kernel to validate a security context
;; (security check_context on the `selinux` type).
(macro checkcontext_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (check_context))))

;; Allow ARG1 to query the kernel for an access vector decision
;; (security compute_av on the `selinux` type).
(macro computeav_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (compute_av))))

;; Allow ARG1 to ask the kernel which context a newly created object would
;; receive (security compute_create on the `selinux` type).
(macro computecreate_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (compute_create))))

;; Allow ARG1 to ask the kernel for the context of a polyinstantiated member
;; object (security compute_member on the `selinux` type).
(macro computemember_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (compute_member))))

;; Allow ARG1 to ask the kernel which context to use when relabeling an
;; object (security compute_relabel on the `selinux` type).
(macro computerelabel_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (compute_relabel))))

;; Allow ARG1 to ask the kernel for the contexts reachable by a SELinux user
;; (security compute_user on the `selinux` type).
(macro computeuser_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (compute_user))))

;; Allow ARG1 to load a new policy into the kernel (security load_policy).
;; A domain with this permission can replace the entire policy, so it is
;; effectively trusted with the whole MAC configuration.
;; The neverallow in block selinux.loadpolicy rejects this rule at build time
;; unless ARG1 has also been registered with (call selinux.loadpolicy.type ...).
(macro loadpolicy_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (load_policy))))

;; Allow ARG1 to read the currently loaded policy back from the kernel
;; (security read_policy on the `selinux` type).
(macro readpolicy_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (read_policy))))

;; Allow ARG1 to change policy boolean values at runtime (security setbool),
;; which switches conditional policy rules on or off.
;; NOTE(review): unlike load_policy/setenforce/setsecparam, this file defines
;; no neverallow guard for setbool; confirm that is intended.
(macro setbool_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (setbool))))

;; Allow ARG1 to set the kernel's checkreqprot flag (security setcheckreqprot).
;; NOTE(review): this file defines no neverallow guard for setcheckreqprot;
;; confirm that is intended.
(macro setcheckreqprot_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (setcheckreqprot))))

;; Allow ARG1 to switch SELinux between enforcing and permissive mode
;; (security setenforce). A domain holding this can turn enforcement off.
;; The neverallow in block selinux.setenforce rejects this rule at build time
;; unless ARG1 has also been registered with (call selinux.setenforce.type ...).
(macro setenforce_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (setenforce))))

;; Allow ARG1 to set kernel security parameters such as the AVC cache
;; threshold (security setsecparam).
;; The neverallow in block selinux.setsecparam rejects this rule at build time
;; unless ARG1 has also been registered with (call selinux.setsecparam.type ...).
(macro setsecparam_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (setsecparam))))

;; Allow ARG1 to ask the kernel whether a context transition passes the
;; policy's validatetrans constraints (security validate_trans).
(macro validatetrans_selinux_security ((type ARG1))
       (allow ARG1 selinux (security (validate_trans))))

;; The type that labels the security server object: it is the type in the
;; `security` initial SID context and the target of every allow rule in this
;; file.
(type selinux)
;; Authorize sys.role for this type so the role/type pair in the context is
;; valid.
(roletype sys.role selinux)

;; Namespace holding the build-time guards for the most sensitive `security`
;; permissions, plus an "unconfined" attribute that is granted all of them.
;;
;; Each guard block (loadpolicy, setenforce, setsecparam) uses the same
;; pattern:
;;   typeattr      - the set of types permitted to hold the permission
;;   not_typeattr  - the complement of typeattr (every other type)
;;   neverallow    - any allow rule granting the permission to a type in
;;                   not_typeattr is an error when the policy is compiled
;;   macro `type`  - the only way to add a type to typeattr
;; The guard grants nothing by itself; it constrains which allow rules may
;; exist. `.selinux` (leading dot) names the global type `selinux`, not this
;; block.
(block selinux

  ;; Guard: only types registered via selinux.loadpolicy.type may be allowed
  ;; security load_policy.
  (block loadpolicy

    ;; Register ARG1 as permitted to hold load_policy.
    (macro type ((type ARG1))
	   (typeattributeset typeattr ARG1))

    (typeattribute not_typeattr)
    (typeattribute typeattr)

    ;; Everything that was not explicitly registered.
    (typeattributeset not_typeattr (not typeattr))

    (neverallow not_typeattr .selinux (security (load_policy))))

  ;; Guard: only types registered via selinux.setenforce.type may be allowed
  ;; security setenforce.
  (block setenforce

    ;; Register ARG1 as permitted to hold setenforce.
    (macro type ((type ARG1))
	   (typeattributeset typeattr ARG1))

    (typeattribute not_typeattr)
    (typeattribute typeattr)

    ;; Everything that was not explicitly registered.
    (typeattributeset not_typeattr (not typeattr))

    (neverallow not_typeattr .selinux (security (setenforce))))

  ;; Guard: only types registered via selinux.setsecparam.type may be allowed
  ;; security setsecparam.
  (block setsecparam

    ;; Register ARG1 as permitted to hold setsecparam.
    (macro type ((type ARG1))
	   (typeattributeset typeattr ARG1))

    (typeattribute not_typeattr)
    (typeattribute typeattr)

    ;; Everything that was not explicitly registered.
    (typeattributeset not_typeattr (not typeattr))

    (neverallow not_typeattr .selinux (security (setsecparam))))

  ;; Types that are unconfined with respect to the security server.
  ;; Membership here implies every `security` permission, including policy
  ;; load and enforcing-mode changes, so additions should be reviewed as
  ;; fully trusted.
  (block unconfined

    ;; Add ARG1 to the unconfined set.
    (macro type ((type ARG1))
	   (typeattributeset typeattr ARG1))

    (typeattribute typeattr)

    ;; Grant every permission of the `security` class.
    (allow typeattr .selinux (security (all)))

    ;; Register the unconfined set with each guard above; without these calls
    ;; the `all` grant would violate the three neverallow rules.
    (call loadpolicy.type (typeattr))
    (call setenforce.type (typeattr))
    (call setsecparam.type (typeattr))))

;; Insert into the top-level block `unconfined` a call that adds that block's
;; `typeattr` to selinux.unconfined.typeattr, so its members receive all
;; `security` class permissions.
;; NOTE(review): block `unconfined` and its typeattr are not defined in this
;; file; presumably they are declared elsewhere in the policy.
(in unconfined

    (call .selinux.unconfined.type (typeattr)))