; SELinux CIL policy listing, restored to one statement per line.
; It declares a small MLS policy and then uses a wide range of CIL statement
; forms (named and anonymous arguments, aliases, sets, expressions), which
; suggests a compiler test fixture rather than a deployable policy.
; NOTE(review): several settings below (handleunknown allow, typepermissive,
; dontaudit) are loose on purpose for a fixture; review them before reusing
; any part of this file in an enforcing policy.

; ---- Global namespace: types referenced from inside the blocks below ----
(type bin_t)
(type kernel_t)
(type security_t)
(type unlabeled_t)

; Classes and permissions the policy does not define are allowed by the
; kernel. This is the least restrictive of the handleunknown choices.
(handleunknown allow)
(mls true)

(policycap open_perms)

; ---- MLS categories ----
(category c0)
(category c1)
(category c2)
(category c3)
(category c4)
(category c5)
(categoryalias cat0)
(categoryaliasactual cat0 c0)
(categoryset cats01 (c0 c1))
(categoryset cats02 (c2 c3))
(categoryset cats03 (range c0 c5))
(categoryset cats04 (not (range c0 c2)))
; Two partial orderings that share c3; the first one uses the alias cat0.
(categoryorder (cat0 c1 c2 c3))
(categoryorder (c3 c4 c5))

; ---- MLS sensitivities ----
(sensitivity s0)
(sensitivity s1)
(sensitivity s2)
(sensitivity s3)
(sensitivityalias sens0)
(sensitivityaliasactual sens0 s0)
(sensitivityorder (s0 s1 s2 s3))

; Categories permitted with each sensitivity, written with named sets,
; bare names, lists and ranges.
(sensitivitycategory s0 (cats03))
(sensitivitycategory s1 cats01)
(sensitivitycategory s1 (c2))
(sensitivitycategory s2 (cats01 cats02))
(sensitivitycategory s2 (range c4 c5))
(sensitivitycategory s3 (range c0 c5))

; ---- Named levels and level ranges ----
(level low (s0))
(level high (s3 (range c0 c3)))
(levelrange low_high (low high))
(levelrange lh1 ((s0 (c0)) (s2 (c0 c3))))
(levelrange lh2 (low (s2 (c0 c3))))
(levelrange lh3 ((s0 cats04) (s2 (range c0 c5))))
(levelrange lh4 ((s0) (s1)))

; ---- Main policy namespace ----
(block policy
    (class file (execute_no_trans entrypoint execmod open audit_access a b c d e))
    ; order should be: file char b c a dir d e f
    (classorder (file char))
    (classorder (unordered dir))
    (classorder (unordered c a b d e f))
    (classorder (char b c a))

    ; Permissions shared by every class that is tied to this common.
    (common file (ioctl read write create getattr setattr lock relabelfrom
                  relabelto append unlink link rename execute swapon
                  quotaon mounton))
    (classcommon file file)

    (classpermission file_rw)
    (classpermissionset file_rw (file (read write getattr setattr lock append)))

    ; Disabled: three classpermission sets that reference each other in a cycle
    ; (loop1 -> loop2 -> loop3 -> loop1). Presumably a negative test for loop
    ; detection in the compiler; confirm before re-enabling.
    ;;(classpermission loop1)
    ;;(classpermissionset loop1 ((loop2)))
    ;;(classpermission loop2)
    ;;(classpermissionset loop2 ((loop3)))
    ;;(classpermission loop3)
    ;;(classpermissionset loop3 ((loop1)))

    (class char (foo))
    (classcommon char file)

    ; Classes declared with no permissions of their own.
    (class dir ())
    (class a ())
    (class b ())
    (class c ())
    (class d ())
    (class e ())
    (class f ())
    (classcommon dir file)

    ; One classpermission populated from two different classes.
    (classpermission char_w)
    (classpermissionset char_w (char (write setattr)))
    (classpermissionset char_w (file (open read getattr)))

    ; Class map: the single permission "read" expands to both mappings below.
    (classmap files (read))
    (classmapping files read
        (file (open read getattr)))
    (classmapping files read
        char_w)

    (type auditadm_t)
    (type console_t)
    (type console_device_t)
    (type user_tty_device_t)
    (type device_t)
    (type getty_t)
    (type exec_t)
    (type bad_t)

    ;;(allow console_t console_device_t file_rw)
    (allow console_t console_device_t (files (read)))

    ; Extended permission rule: ioctl commands 0x1600-0x19FF with the
    ; 0x1750-0x175F sub-range carved out.
    (permissionx ioctl_test (ioctl files (and (range 0x1600 0x19FF) (not (range 0x1750 0x175F)))))
    (allowx console_t console_device_t ioctl_test)

    (boolean secure_mode false)
    (boolean console_login true)

    ; Initial SIDs; the two partial orders combine through "security".
    (sid kernel)
    (sid security)
    (sid unlabeled)
    (sidorder (kernel security))
    (sidorder (security unlabeled))

    ; ---- Type attributes built from set expressions ----
    (typeattribute exec_type)
    (typeattribute foo_type)
    (typeattribute bar_type)
    (typeattribute baz_type)
    (typeattribute not_bad_type)
    (typeattributeset exec_type (or bin_t kernel_t))
    (typeattributeset foo_type (and exec_type kernel_t))
    (typeattributeset bar_type (xor exec_type foo_type))
    (typeattributeset baz_type (not bin_t))
    (typeattributeset baz_type (and exec_type (and bar_type bin_t)))
    ; Every type except bad_t; this is the target of the neverallow further down.
    (typeattributeset not_bad_type (not bad_t))
    (typealias sbin_t)
    (typealiasactual sbin_t bin_t)
    ; device_t is marked permissive: denials for it are logged, not enforced.
    (typepermissive device_t)
    (typemember device_t bin_t file exec_t)
    (typemember exec_type self file exec_t)
    (typetransition device_t console_t files console_device_t)
    (typetransition device_t exec_type files console_device_t)
    (typetransition exec_type self files console_device_t)
    (typetransition exec_type self files "filename" console_device_t)
    (typechange console_device_t device_t file user_tty_device_t)
    (typechange exec_type device_t file user_tty_device_t)
    (typechange exec_type self file console_device_t)

    ; ---- Role attributes; the roles they name are declared later in this block ----
    (roleattribute exec_role)
    (roleattribute foo_role)
    (roleattribute bar_role)
    (roleattribute baz_role)
    (roleattribute foo_role_a)
    (roleattributeset exec_role (or user_r system_r))
    (roleattributeset foo_role_a (baz_r user_r system_r))
    (roleattributeset foo_role (and exec_role system_r))
    (roleattributeset bar_role (xor exec_role foo_role))
    (roleattributeset baz_role (not user_r))

    (rangetransition device_t console_t file low_high)
    (rangetransition device_t kernel_t file ((s0) (s3 (not c3))))

    (typetransition device_t console_t file "some_file" getty_t)

    (allow foo_type self (file (execute)))
    (allow bin_t device_t (file (execute)))

    ;; Next two rules violate the neverallow rule that follows
    ;;(allow bad_t not_bad_type (file (execute)))
    ;;(allow bad_t exec_t (file (execute)))
    ; Build-time guard: no allow rule may give bad_t execute on files of any
    ; other type.
    (neverallow bad_t not_bad_type (file (execute)))

    ; ---- Conditional policy ----
    (booleanif secure_mode
        (true
            (auditallow device_t exec_t (file (read write)))
        )
    )

    ; With console_login false the access is not granted and its denials are
    ; hidden from the audit log by the dontaudit rule.
    (booleanif console_login
        (true
            (typechange auditadm_t console_device_t file user_tty_device_t)
            (allow getty_t console_device_t (file (getattr open read write append)))
        )
        (false
            (dontaudit getty_t console_device_t (file (getattr open read write append)))
        )
    )

    ; Nested boolean expression using not, xor, eq, and, or.
    (booleanif (not (xor (eq secure_mode console_login)
                         (and (or secure_mode console_login) secure_mode ) ) )
        (true
            (allow bin_t exec_t (file (execute)))
        )
    )

    ; Tunables are settled when the policy is compiled.
    (tunable allow_execfile true)
    (tunable allow_userexec false)

    (tunableif (not (xor (eq allow_execfile allow_userexec)
                         (and (or allow_execfile allow_userexec)
                              (and allow_execfile allow_userexec) ) ) )
        (true
            (allow bin_t exec_t (file (execute)))
        )
    )

    ; user_t and bins are not declared anywhere in this listing.
    ; NOTE(review): presumably the optional is meant to be dropped when they
    ; fail to resolve; confirm against the expected compiler output.
    (optional allow_rules
        (allow user_t exec_t (bins (execute)))
    )

    ; Audit tuning: the first rule silences denial messages for read, the
    ; second logs granted opens.
    (dontaudit device_t auditadm_t (file (read)))
    (auditallow device_t auditadm_t (file (open)))

    ; ---- Users ----
    (user system_u)
    (user user_u)
    (user foo_u)
    (userprefix user_u user)
    (userprefix system_u user)

    (selinuxuser name user_u low_high)
    (selinuxuserdefault user_u ((s0 (c0)) (s3 (range c0 c3))))

    ; ---- Roles ----
    (role system_r)
    (role user_r)
    (role baz_r)

    (roletype system_r bin_t)
    (roletype system_r kernel_t)
    (roletype system_r security_t)
    (roletype system_r unlabeled_t)
    (roletype system_r exec_type)
    (roletype exec_role bin_t)
    (roletype exec_role exec_type)
    (roleallow system_r user_r)
    (roletransition system_r bin_t file user_r)

    (userrole foo_u foo_role)
    (userlevel foo_u low)

    ; ---- User attributes, including one given a role through userrole ----
    (userattribute ua1)
    (userattribute ua2)
    (userattribute ua3)
    (userattribute ua4)
    (userattributeset ua1 (user_u system_u))
    (userattributeset ua2 (foo_u system_u))
    (userattributeset ua3 (and ua1 ua2))
    (user u5)
    (user u6)
    (userlevel u5 low)
    (userlevel u6 low)
    (userrange u5 low_high)
    (userrange u6 low_high)
    (userattributeset ua4 (u5 u6))
    (userrole ua4 foo_role_a)

    (userrange foo_u low_high)

    (userrole system_u system_r)
    (userlevel system_u low)
    (userrange system_u low_high)

    (userrole user_u user_r)
    (userlevel user_u (s0 (range c0 c2)))
    (userrange user_u (low high))

    ; ---- Contexts for the initial SIDs, then one named context ----
    (sidcontext kernel (system_u system_r kernel_t ((s0) high)))
    (sidcontext security (system_u system_r security_t (low (s3 (range c0 c3)))))
    (sidcontext unlabeled (system_u system_r unlabeled_t (low high)))

    (context system_u_bin_t_l2h (system_u system_r bin_t (low high)))

    ; The values named netmask / netmask_v6 are written like host addresses,
    ; not contiguous masks. NOTE(review): fixture values only.
    (ipaddr ip_v4 192.25.35.200)
    (ipaddr netmask 192.168.1.1)
    (ipaddr ip_v6 2001:0DB8:AC10:FE01::)
    (ipaddr netmask_v6 2001:0DE0:DA88:2222::)

    ; ---- Labeling statements: files, nodes, ports, filesystems, interfaces ----
    (filecon "/usr/bin/foo" file system_u_bin_t_l2h)
    (filecon "/usr/bin/bar" file (system_u system_r kernel_t (low low)))
    ; Empty context: the path is listed without a label.
    (filecon "/usr/bin/baz" any ())
    (filecon "/usr/bin/aaa" any (system_u system_r kernel_t ((s0) (s3 (range c0 c2)))))
    (filecon "/usr/bin/bbb" any (system_u system_r kernel_t ((s0 (c0)) high)))
    (filecon "/usr/bin/ccc" any (system_u system_r kernel_t (low (s3 (cats01)))))
    (filecon "/usr/bin/ddd" any (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
    (nodecon ip_v4 netmask system_u_bin_t_l2h)
    (nodecon ip_v6 netmask_v6 system_u_bin_t_l2h)
    (portcon udp 25 system_u_bin_t_l2h)
    (portcon tcp 22 system_u_bin_t_l2h)
    (portcon dccp (2048 2096) system_u_bin_t_l2h)
    (portcon sctp (1024 1035) system_u_bin_t_l2h)
    (genfscon - "/usr/bin" system_u_bin_t_l2h)
    (netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h) ;different contexts?
    (fsuse xattr ext3 system_u_bin_t_l2h)

    ; XEN
    (pirqcon 256 system_u_bin_t_l2h)
    (iomemcon (0 255) system_u_bin_t_l2h)
    (ioportcon (22 22) system_u_bin_t_l2h)
    (pcidevicecon 345 system_u_bin_t_l2h)
    (devicetreecon "/this is/a/path" system_u_bin_t_l2h)

    ; InfiniBand
    (ibpkeycon fe80:: (0 0x10) system_u_bin_t_l2h)
    (ibpkeycon fe80::7629:afff:fe0f:8e5d (15 25) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
    (ibendportcon mlx4_3 5 (system_u system_r kernel_t (low (s3 (cats01 cats02)))))

    ; ---- Constraints: extra conditions checked on top of allow rules ----
    (constrain (files (read)) (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))
    (constrain char_w (not (or (and (eq t1 exec_t) (eq t2 bin_t)) (eq r1 r2))))

    (constrain (file (read)) (or (and (eq t1 exec_t) (neq t2 bin_t) ) (eq u1 ua4) ) )
    (constrain (file (open)) (dom r1 r2))
    (constrain (file (open)) (domby r1 r2))
    (constrain (file (open)) (incomp r1 r2))

    (validatetrans file (eq t1 exec_t))

    ; MLS variants compare levels (l1/l2/h1/h2) as well as users and roles.
    (mlsconstrain (file (open)) (not (or (and (eq l1 l2) (eq u1 u2)) (eq r1 r2))))
    (mlsconstrain (file (open)) (or (and (eq l1 l2) (eq u1 u2)) (neq r1 r2)))
    (mlsconstrain (file (open)) (dom h1 l2))
    (mlsconstrain (file (open)) (domby l1 h2))
    (mlsconstrain (file (open)) (incomp l1 l2))

    (mlsvalidatetrans file (domby l1 h2))

    ; Macro with a classpermission parameter, called with an anonymous class
    ; permission, a classmap permission and a named classpermission.
    (macro test_mapping ((classpermission cps))
        (allow bin_t auditadm_t cps))

    (call test_mapping ((file (read))))
    (call test_mapping ((files (read))))
    (call test_mapping (char_w))

    ; Defaults for the user, role, type and range of newly created objects.
    (defaultuser (file char) source)
    (defaultrole char target)
    (defaulttype (files) source)
    (defaultrange (file) target low)
    (defaultrange (char) source low-high)
)

; Global macro that reaches into the block through the qualified name policy.file.
(macro all ((type x))
    (allow x bin_t (policy.file (execute)))
    (allowx x bin_t (ioctl policy.file (range 0x1000 0x11FF)))
)
(call all (bin_t))

; z.ba is abstract; test_ba inherits it and declares the role r and type t
; that the inherited roletype refers to.
(block z
    (block ba
        (roletype r t)
        (blockabstract z.ba)))

(block test_ba
    (blockinherit z.ba)
    (role r)
    (type t))

; Macro that combines a tunable from its own block with a boolean parameter.
(block bb
    (type t1)
    (type t2)
    (boolean b1 false)
    (tunable tun1 true)
    (macro m ((boolean b))
        (tunableif tun1
            (true
                (allow t1 t2 (policy.file (write))))
            (false
                (allow t1 t2 (policy.file (execute)))))
        (booleanif b
            (true
                (allow t1 t2 (policy.file (read))))))

    (call m (b1))
)

; "in" adds further statements to the existing block bb.
(in bb
    (tunableif bb.tun1
        (true
            (allow bb.t2 bb.t1 (policy.file (read write execute))))))