# ****** WARNING - THIS POLICY MUST NOT BE USED IN LIVE **************
# ******************* IT IS FOR TESTING ONLY *************************
# ##################### START OF POLICY BUILD #######################
#
# #################### Start of FLASK Entries #######################
#
# ./policy/flask/security_classes file entries
#
# FLASK
#
# Define the security object classes
#
# Classes marked as userspace are classes
# for userspace object managers
#
# NOTE(review): the declaration order below assigns each class its index.
# The kernel-managed classes presumably have to stay in this order to
# match what the target kernel expects (see the "Order matters" remark on
# the capability class further down) - confirm against the target kernel
# before adding or reordering entries.
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
class passwd			# userspace
# SE-X Windows stuff (more classes below)
class x_drawable		# userspace
class x_screen			# userspace
class x_gc			# userspace
class x_font			# userspace
class x_colormap		# userspace
class x_property		# userspace
class x_selection		# userspace
class x_cursor			# userspace
class x_client			# userspace
class x_device			# userspace
class x_server			# userspace
class x_extension		# userspace
# extended netlink sockets
class netlink_route_socket
class netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_ip6fw_socket
class netlink_dnrt_socket
class dbus			# userspace
class nscd			# userspace
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
# Kernel access key retention
class key
class context			# userspace
class dccp_socket
class memprotect
class db_database		# userspace
class db_table			# userspace
class db_procedure		# userspace
class db_column			# userspace
class db_tuple			# userspace
class db_blob			# userspace
# network peer labels
class peer
# Capabilities >= 32
class capability2
# More SE-X Windows stuff
class x_resource		# userspace
class x_event			# userspace
class x_synthetic_event		# userspace
class x_application_data	# userspace
# kernel services that need to override task security, e.g. cachefiles
class kernel_service
class tun_socket
# Still More SE-X Windows stuff
class x_pointer			# userspace
class x_keyboard		# userspace
# FLASK
#
# ./policy/flask/initial_sids file entries
#
# FLASK
#
# Define initial security identifiers
#
# Each initial SID declared here is given a context in the
# "default labeling operations" section later in this policy.
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
sid sysctl_vm
sid sysctl_dev
sid kmod
sid policy
sid scmp_packet
sid devnull
# FLASK
#
# ./policy/flask/access_vectors file entries
#
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
#
# Define a common prefix for userspace database object access vectors.
#
common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}
#
# Define a common prefix for pointer and keyboard access vectors.
#
common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}
class dir inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
}
class file inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
}
# lnk_file takes only the common file permissions.
class lnk_file inherits file
class chr_file inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
}
class blk_file inherits file { open }
class sock_file inherits file { open }
class fifo_file inherits file { open }
class fd { use }
#
# Define the access vector interpretation for network-related objects.
#
class socket inherits socket
class tcp_socket inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}
class udp_socket inherits socket { node_bind }
class rawip_socket inherits socket { node_bind }
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}
class netlink_socket inherits socket
class packet_socket inherits socket
class key_socket inherits socket
class unix_stream_socket inherits socket
{
	connectto
	newconn
	acceptfrom
}
class unix_dgram_socket inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc inherits ipc
class sem inherits ipc
class msgq inherits ipc { enqueue }
class msg { send receive }
class shm inherits ipc { lock }
#
# Define the access vector interpretation for the security server.
#
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
}
#
# Define the access vector interpretation for system operations.
#
class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}
#
# Define the access vector interpretation for controlling capabilities
#
class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
class capability2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
	passwd		# change another user passwd
	chfn		# change another user finger info
	chsh		# change another user shell
	rootok		# pam_rootok check (skip auth)
	crontab		# crontab on another user
}
#
# SE-X Windows stuff
#
class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}
class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}
class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}
class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}
class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}
class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}
class x_selection { read write getattr setattr }
class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}
class x_client { destroy getattr setattr manage }
# x_device takes exactly the permissions of the x_device common.
class x_device inherits x_device
class x_server
{
	getattr
	setattr
	record
	debug
	grab
	manage
}
class x_extension { query use }
class x_resource { read write }
class x_event { send receive }
class x_synthetic_event { send receive }
#
# Extended Netlink classes
#
class netlink_route_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_firewall_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_nflog_socket inherits socket
class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_selinux_socket inherits socket
class netlink_audit_socket inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}
class netlink_ip6fw_socket inherits socket { nlmsg_read nlmsg_write }
class netlink_dnrt_socket inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus { acquire_svc send_msg }
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association { sendto recvfrom setcontext polmatch }
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket inherits socket
class appletalk_socket inherits socket
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}
class context { translate contains }
class dccp_socket inherits socket { node_bind name_connect }
class memprotect { mmap_zero }
class db_database inherits database
{
	access
	install_module
	load_module
	get_param	# deprecated
	set_param	# deprecated
}
class db_table inherits database
{
	use		# deprecated
	select
	update
	insert
	delete
	lock
}
class db_procedure inherits database
{
	execute
	entrypoint
	install
}
class db_column inherits database
{
	use		# deprecated
	select
	update
	insert
}
# db_tuple does not inherit the database common.
class db_tuple
{
	relabelfrom
	relabelto
	use		# deprecated
	select
	update
	insert
	delete
}
class db_blob inherits database
{
	read
	write
	import
	export
}
# network peer labels
class peer { recv }
class x_application_data
{
	paste
	paste_after_confirm
	copy
}
class kernel_service { use_as_override create_files_as }
class tun_socket inherits socket
class x_pointer inherits x_device
class x_keyboard inherits x_device
# ###################### End of FLASK Entries #######################
#
#
# This policycap statement will be used in a netlabel module exercise
# to show network_peer_controls. For now comment out:
# policycap network_peer_controls;
# The only type defined for this policy:
type unconfined_t;
# The only role defined for this policy:
role unconfined_r types { unconfined_t };
#
# These allow rules enable all of the objects to access all of their
# permissions. This effectively gives access to everything.
#
# NOTE(review): every rule below grants '*' (all permissions) to
# unconfined_t on itself, and unconfined_t is the only type in this
# policy, so no access is ever denied while it is loaded. This is what
# makes the policy testing-only; it provides no confinement at all.
allow unconfined_t self:security *;
allow unconfined_t self:process *;
allow unconfined_t self:system *;
allow unconfined_t self:capability *;
allow unconfined_t self:filesystem *;
allow unconfined_t self:file *;
allow unconfined_t self:dir *;
allow unconfined_t self:fd *;
allow unconfined_t self:lnk_file *;
allow unconfined_t self:chr_file *;
allow unconfined_t self:blk_file *;
allow unconfined_t self:sock_file *;
allow unconfined_t self:fifo_file *;
allow unconfined_t self:socket *;
allow unconfined_t self:tcp_socket *;
allow unconfined_t self:udp_socket *;
allow unconfined_t self:rawip_socket *;
allow unconfined_t self:node *;
allow unconfined_t self:netif *;
allow unconfined_t self:netlink_socket *;
allow unconfined_t self:packet_socket *;
allow unconfined_t self:key_socket *;
allow unconfined_t self:unix_stream_socket *;
allow unconfined_t self:unix_dgram_socket *;
allow unconfined_t self:sem *;
allow unconfined_t self:msg *;
allow unconfined_t self:msgq *;
allow unconfined_t self:shm *;
allow unconfined_t self:ipc *;
allow unconfined_t self:passwd *;
allow unconfined_t self:x_drawable *;
allow unconfined_t self:x_screen *;
allow unconfined_t self:x_gc *;
allow unconfined_t self:x_font *;
allow unconfined_t self:x_colormap *;
allow unconfined_t self:x_property *;
allow unconfined_t self:x_selection *;
allow unconfined_t self:x_cursor *;
allow unconfined_t self:x_client *;
allow unconfined_t self:x_device *;
allow unconfined_t self:x_server *;
allow unconfined_t self:x_extension *;
allow unconfined_t self:netlink_route_socket *;
allow unconfined_t self:netlink_firewall_socket *;
allow unconfined_t self:netlink_tcpdiag_socket *;
allow unconfined_t self:netlink_nflog_socket *;
allow unconfined_t self:netlink_xfrm_socket *;
allow unconfined_t self:netlink_selinux_socket *;
allow unconfined_t self:netlink_audit_socket *;
allow unconfined_t self:netlink_ip6fw_socket *;
allow unconfined_t self:netlink_dnrt_socket *;
allow unconfined_t self:dbus *;
allow unconfined_t self:nscd *;
allow unconfined_t self:association *;
allow unconfined_t self:netlink_kobject_uevent_socket *;
allow unconfined_t self:appletalk_socket *;
allow unconfined_t self:packet *;
allow unconfined_t self:key *;
allow unconfined_t self:context *;
allow unconfined_t self:dccp_socket *;
allow unconfined_t self:memprotect *;
allow unconfined_t self:db_database *;
allow unconfined_t self:db_table *;
allow unconfined_t self:db_procedure *;
allow unconfined_t self:db_column *;
allow unconfined_t self:db_tuple *;
allow unconfined_t self:db_blob *;
allow unconfined_t self:peer *;
allow unconfined_t self:capability2 *;
allow unconfined_t self:x_resource *;
allow unconfined_t self:x_event *;
allow unconfined_t self:x_synthetic_event *;
allow unconfined_t self:x_application_data *;
allow unconfined_t self:kernel_service *;
allow unconfined_t self:tun_socket *;
allow unconfined_t self:x_pointer *;
allow unconfined_t self:x_keyboard *;
# The only real SELinux user defined for this policy:
user user_u roles { unconfined_r };
#
# The system_u user is defined so that objects can be labeled with
# system_u:object_r as in standard policies, also so that semanage can add
# ports etc. as it requires a system_u user for adding these type of objects.
user system_u roles { unconfined_r };
#
# This role constraint statement will be used to show limiting
# a role transition in the external gateway. For now comment out:
# constrain process transition ( r1 == r2 );
#
# These are the default labeling operations for these objects.
# Note that the kernel entry is unconfined_r not object_r
# (the kernel SID labels a running subject, so it carries the
# role that is allowed to have unconfined_t as its type).
#
sid kernel		system_u:unconfined_r:unconfined_t
sid security		system_u:object_r:unconfined_t
sid unlabeled		system_u:object_r:unconfined_t
sid fs			system_u:object_r:unconfined_t
sid file		system_u:object_r:unconfined_t
sid file_labels		system_u:object_r:unconfined_t
sid init		system_u:object_r:unconfined_t
sid any_socket		system_u:object_r:unconfined_t
sid port		system_u:object_r:unconfined_t
sid netif		system_u:object_r:unconfined_t
sid netmsg		system_u:object_r:unconfined_t
sid node		system_u:object_r:unconfined_t
sid igmp_packet		system_u:object_r:unconfined_t
sid icmp_socket		system_u:object_r:unconfined_t
sid tcp_socket		system_u:object_r:unconfined_t
sid sysctl_modprobe	system_u:object_r:unconfined_t
sid sysctl		system_u:object_r:unconfined_t
sid sysctl_fs		system_u:object_r:unconfined_t
sid sysctl_kernel	system_u:object_r:unconfined_t
sid sysctl_net		system_u:object_r:unconfined_t
sid sysctl_net_unix	system_u:object_r:unconfined_t
sid sysctl_vm		system_u:object_r:unconfined_t
sid sysctl_dev		system_u:object_r:unconfined_t
sid kmod		system_u:object_r:unconfined_t
sid policy		system_u:object_r:unconfined_t
sid scmp_packet		system_u:object_r:unconfined_t
sid devnull		system_u:object_r:unconfined_t
#
# These are the default file labeling routines.
#
# Extended-attribute labeling is only declared for ext3 and ext4 here.
# NOTE(review): other on-disk filesystem types are not listed in this
# section, so presumably they fall back to the unlabeled SID above -
# confirm on the target system before relying on their labels.
fs_use_xattr ext3 system_u:object_r:unconfined_t;
fs_use_xattr ext4 system_u:object_r:unconfined_t;
# Pseudo filesystems labeled from the creating task's context.
fs_use_task eventpollfs system_u:object_r:unconfined_t;
fs_use_task pipefs system_u:object_r:unconfined_t;
fs_use_task sockfs system_u:object_r:unconfined_t;
# Pseudo filesystems labeled by transition rules.
fs_use_trans mqueue system_u:object_r:unconfined_t;
fs_use_trans shm system_u:object_r:unconfined_t;
fs_use_trans tmpfs system_u:object_r:unconfined_t;
fs_use_trans devpts system_u:object_r:unconfined_t;
# Filesystems given a single fixed context for their whole tree.
genfscon proc / system_u:object_r:unconfined_t
genfscon sysfs / system_u:object_r:unconfined_t
genfscon selinuxfs / system_u:object_r:unconfined_t
genfscon securityfs / system_u:object_r:unconfined_t
# ################## END OF POLICY BUILD ######################
#