Add separate role declarations as required by modern checkpolicy.
Sadly, make test still fails on some tests. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
99b070d5fc
commit
8b71d70b55
@ -1393,6 +1393,7 @@ role system_r;
|
||||
role sysadm_r;
|
||||
role staff_r;
|
||||
role user_r;
|
||||
role secadm_r;
|
||||
typeattribute kernel_t domain;
|
||||
allow kernel_t self:dir { read getattr lock search ioctl };
|
||||
allow kernel_t self:lnk_file { read getattr lock ioctl };
|
||||
|
@ -426,15 +426,19 @@ attribute files;
|
||||
|
||||
type net_foo_t, foo;
|
||||
type sys_foo_t, foo, system;
|
||||
role system_r;
|
||||
role system_r types sys_foo_t;
|
||||
|
||||
type user_t, domain;
|
||||
role user_r;
|
||||
role user_r types user_t;
|
||||
|
||||
type sysadm_t, domain, system;
|
||||
role sysadm_r;
|
||||
role sysadm_r types sysadm_t;
|
||||
|
||||
type system_t, domain, system, foo;
|
||||
role system_r;
|
||||
role system_r types { system_t sys_foo_t };
|
||||
|
||||
type file_t;
|
||||
|
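Review bot: `role system_r;` is declared twice in this file — once before `role system_r types sys_foo_t;` and again before `role system_r types { system_t sys_foo_t };` — and the same duplicated pair appears in the next hunk (`@ -421,15 +421,19 @@`). libsepol appears to tolerate repeated role declarations in a monolithic policy, so this is unlikely to break the test, but it makes the declaration list harder to audit: a reviewer scanning for which roles exist cannot tell whether the second line is an intentional re-declaration or a copy-paste slip. Keeping a single `role system_r;` before its first use and dropping the second `role system_r;` line would leave the role set unambiguous; the same one-line cleanup applies to the following hunk.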
@ -421,15 +421,19 @@ attribute files;
|
||||
|
||||
type net_foo_t, foo;
|
||||
type sys_foo_t, foo, system;
|
||||
role system_r;
|
||||
role system_r types sys_foo_t;
|
||||
|
||||
type user_t, domain;
|
||||
role user_r;
|
||||
role user_r types user_t;
|
||||
|
||||
type sysadm_t, domain, system;
|
||||
role sysadm_r;
|
||||
role sysadm_r types sysadm_t;
|
||||
|
||||
type system_t, domain, system, foo;
|
||||
role system_r;
|
||||
role system_r types { system_t sys_foo_t };
|
||||
|
||||
type file_t;
|
||||
|
@ -440,6 +440,9 @@ optional {
|
||||
type fs_t;
|
||||
type system_t;
|
||||
type user_t;
|
||||
role system_r;
|
||||
role user_r;
|
||||
role sysadm_r;
|
||||
role system_r types system_t;
|
||||
role user_r types user_t;
|
||||
role sysadm_r types system_t;
|
||||
|
@ -34,6 +34,7 @@ mlsconstrain file { read }
|
||||
|
||||
attribute myattr;
|
||||
type mytype_t;
|
||||
role myrole_r;
|
||||
role myrole_r types mytype_t;
|
||||
bool mybool true;
|
||||
gen_user(myuser_u,, myrole_r, s0, s0 - s0:c0)
|
||||
|
@ -415,12 +415,16 @@ mlsconstrain file { write setattr append unlink link rename ioctl lock execute r
|
||||
|
||||
# Role mapping test
|
||||
type role_check_1_1_t;
|
||||
role role_check_1;
|
||||
role role_check_1 types role_check_1_1_t;
|
||||
|
||||
########
|
||||
type fs_t;
|
||||
type system_t;
|
||||
type user_t;
|
||||
role system_r;
|
||||
role user_r;
|
||||
role sysadm_r;
|
||||
role system_r types system_t;
|
||||
role user_r types user_t;
|
||||
role sysadm_r types system_t;
|
||||
|
@ -467,12 +467,15 @@ optional {
|
||||
|
||||
type net_foo_t, foo;
|
||||
type sys_foo_t, foo, system;
|
||||
role system_r;
|
||||
role system_r types sys_foo_t;
|
||||
|
||||
type user_t, domain;
|
||||
role user_r;
|
||||
role user_r types user_t;
|
||||
|
||||
type sysadm_t, domain, system;
|
||||
role sysadm_r;
|
||||
role sysadm_r types sysadm_t;
|
||||
|
||||
type system_t, domain, system, foo;
|
||||
|
@ -416,6 +416,8 @@ mlsconstrain file { write setattr append unlink link rename ioctl lock execute r
|
||||
# User mapping test
|
||||
type user_check_1_1_t;
|
||||
type user_check_1_2_t;
|
||||
role user_check_1_1_r;
|
||||
role user_check_1_2_r;
|
||||
role user_check_1_1_r types user_check_1_1_t;
|
||||
role user_check_1_2_r types user_check_1_2_t;
|
||||
|
||||
@ -423,6 +425,9 @@ role user_check_1_2_r types user_check_1_2_t;
|
||||
type fs_t;
|
||||
type system_t;
|
||||
type user_t;
|
||||
role system_r;
|
||||
role user_r;
|
||||
role sysadm_r;
|
||||
role system_r types system_t;
|
||||
role user_r types user_t;
|
||||
role sysadm_r types system_t;
|
||||
|
@ -19,6 +19,7 @@ type g_m1_type_2;
|
||||
typeattribute g_m1_type_2 g_m1_attr_1;
|
||||
|
||||
#add role in module test
|
||||
role g_m1_role_1;
|
||||
role g_m1_role_1 types g_m1_type_1;
|
||||
|
||||
# test for attr declared in base, added to in module
|
||||
@ -38,12 +39,15 @@ attribute g_m1_attr_2;
|
||||
|
||||
#add type to base role test
|
||||
role g_b_role_2 types g_m1_type_1;
|
||||
role g_b_role_3;
|
||||
role g_b_role_3 types g_m1_type_2;
|
||||
|
||||
#add type to base optional role test
|
||||
role o1_b_role_2;
|
||||
role o1_b_role_2 types g_m1_type_1;
|
||||
|
||||
#optional base role w/ adds in 2 modules
|
||||
role o4_b_role_1;
|
||||
role o4_b_role_1 types g_m1_type_2;
|
||||
|
||||
# attr a added to in base optional, declared/added to in module, added to in other module
|
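Review bot: `role g_b_role_3;`, `role o1_b_role_2;` and `role o4_b_role_1;` are declared here in the module, yet the surrounding comments (`#add type to base role test`, `#add type to base optional role test`, `#optional base role w/ adds in 2 modules`) describe roles that are declared in the base policy and only extended from this module. Re-declaring them in the module changes what these tests exercise: the linker now sees a role declared in both base and module (which libsepol merges for roles) instead of a module adding types to a role it merely requires. If the intent is to keep testing extension of a base-declared role, the roles belong in the module's `require { role g_b_role_3; role o1_b_role_2; role o4_b_role_1; }` block (a `require {` block is visible in the later `@ -12,6 +12,7 @@ require {` hunk) rather than as new declarations; this remark applies equally to `role g_b_role_4;` in the `@ -101,6 +106,7 @@ optional {` hunk and to `role g_b_role_3;` / `role o4_b_role_1;` in the `@ -19,9 +20,11 @@` hunk of the second module.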
||||
@ -78,6 +82,7 @@ optional {
|
||||
type o1_m1_type_2, o1_m1_attr_1;
|
||||
|
||||
type o1_m1_type_1;
|
||||
role o1_m1_role_1;
|
||||
role o1_m1_role_1 types o1_m1_type_1;
|
||||
|
||||
type o1_m1_type_3;
|
||||
@ -101,6 +106,7 @@ optional {
|
||||
|
||||
type tag_o2_m1;
|
||||
|
||||
role g_b_role_4;
|
||||
role g_b_role_4 types g_m1_type_2;
|
||||
}
|
||||
|
||||
@ -112,6 +118,7 @@ optional {
|
||||
type tag_o3_m1;
|
||||
|
||||
type o3_m1_type_1;
|
||||
role o3_b_role_1;
|
||||
role o3_b_role_1 types o3_m1_type_1;
|
||||
|
||||
type o3_m1_type_2, g_b_attr_6;
|
||||
|
@ -12,6 +12,7 @@ require {
|
||||
type tag_g_m2;
|
||||
|
||||
type g_m2_type_1;
|
||||
role g_m2_role_1;
|
||||
role g_m2_role_1 types g_m2_type_1;
|
||||
|
||||
type g_m2_type_4, g_b_attr_5;
|
||||
@ -19,9 +20,11 @@ type g_m2_type_5, g_b_attr_6;
|
||||
|
||||
#add types to role declared in base test
|
||||
type g_m2_type_2;
|
||||
role g_b_role_3;
|
||||
role g_b_role_3 types g_m2_type_2;
|
||||
|
||||
#optional base role w/ adds in 2 modules
|
||||
role o4_b_role_1;
|
||||
role o4_b_role_1 types g_m2_type_1;
|
||||
|
||||
# attr a added to in base optional, declared/added to in module, added to in other module
|
||||
@ -45,6 +48,7 @@ optional {
|
||||
type tag_o1_m2;
|
||||
|
||||
type o1_m2_type_1;
|
||||
role o1_m2_role_1;
|
||||
role o1_m2_role_1 types o1_m2_type_1;
|
||||
}
|
||||
|
||||
|
@ -435,6 +435,10 @@ type g_b_type_1, g_b_attr_1;
|
||||
type g_b_type_2, g_b_attr_2;
|
||||
type g_b_type_3;
|
||||
|
||||
role g_b_role_1;
|
||||
role g_b_role_2;
|
||||
role g_b_role_3;
|
||||
role g_b_role_4;
|
||||
role g_b_role_1 types g_b_type_1;
|
||||
role g_b_role_2 types g_b_type_2;
|
||||
role g_b_role_3 types g_b_type_2;
|
||||
@ -464,8 +468,9 @@ optional {
|
||||
attribute o1_b_attr_1;
|
||||
type o1_b_type_1, o1_b_attr_1;
|
||||
bool o1_b_bool_1 true;
|
||||
role o1_b_role_1;
|
||||
role o1_b_role_1 types o1_b_type_1;
|
||||
|
||||
role o1_b_role_2;
|
||||
role o1_b_role_2 types o1_b_type_1;
|
||||
|
||||
attribute o1_b_attr_2;
|
||||
@ -501,6 +506,7 @@ optional {
|
||||
type o3_b_type_1;
|
||||
bool o3_b_bool_1 true;
|
||||
|
||||
role o3_b_role_1;
|
||||
role o3_b_role_1 types o3_b_type_1;
|
||||
|
||||
allow g_b_type_1 invalid_type : sem { create destroy };
|
||||
@ -519,6 +525,7 @@ optional {
|
||||
|
||||
attribute o4_b_attr_1;
|
||||
|
||||
role o4_b_role_1;
|
||||
role o4_b_role_1 types g_m1_type_1;
|
||||
|
||||
# test for attr declared in module optional, added to in base optional
|
||||
|