Navigation

← Previous Changeset
Next Changeset →

Changeset 1715

Timestamp:

05/01/07 07:28:00 (2 years ago)

Author:

dsugar

Message:

Cleanup more test cases based on fixes Brian made.

Files:

trunk/test/test0005/expected.fc (added)
trunk/test/test0005/expected.if (added)
trunk/test/test0005/expected.te (added)
trunk/test/test0005/file_contexts (added)
trunk/test/test0005/test.fpol (modified) (1 diff)
trunk/test/test0005/test.fsys (added)
trunk/test/test0006/test.fpol (modified) (1 diff)
trunk/test/test0046/expected.te (modified) (1 diff)
trunk/test/test0048/expected.te (modified) (1 diff)
trunk/test/test0051/expected.fc (modified) (1 diff)
trunk/test/test0051/expected.if (modified) (1 diff)
trunk/test/test0051/expected.te (modified) (1 diff)
trunk/test/test0051/test.fpol (modified) (1 diff)
trunk/test/test0063/file_contexts (added)
trunk/test/test0063/init.flnk (modified) (1 diff)
trunk/test/test0066/expected.te (modified) (1 diff)
trunk/test/test0072/file_contexts (added)
trunk/test/test0072/test.sh (modified) (1 diff)
trunk/test/test0073/expected.te (modified) (1 diff)
trunk/test/test0074/expected.fc (modified) (1 diff)
trunk/test/test0074/expected.if (modified) (1 diff)
trunk/test/test0074/expected.te (modified) (1 diff)
trunk/test/test0074/file_contexts (added)
trunk/test/test0074/test.fpol (modified) (1 diff)
trunk/test/test0074/test.fsys (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/test/test0005/test.fpol

r1501	r1715
1	1	#Test 0005 - valid - load base domain
2	2
3		domain x ~~{ dirFiles }~~;
	3	domain x ;
4	4
5		#basedomain a from "./a.flnk";
6		basedomain a;
	5	basedomain a from "./a.flnk";
	6	#basedomain a;

trunk/test/test0006/test.fpol

r917 r1715

3 3 domain a { dirFiles };
4 4
5 #basedomain a from "./a.flnk";
6 basedomain a;
5 basedomain a from "./a.flnk";
6 #basedomain a;

trunk/test/test0046/expected.te

r941	r1715
2	2	SEFramework_header(test)
3	3	# These types are generated by the framework for internal use
4		type parent;
5		SEFramework_domain(parent)
6		SEFramework_files_type(parent)
7		type parent.child;
8		SEFramework_domain(parent.child)
9		# SEFramework domain_rdef: parent.child_dirFiles
10		type parent.child_dirFiles;
11		allow parent.child parent.child_dirFiles:file { append create execute getattr ioctl link lock read rename setattr unlink write };
12		allow parent.child parent.child_dirFiles:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
13		allow parent.child parent.child_dirFiles:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
14		SEFramework_files_type(parent.child_dirFiles)
15		SEFramework_resource(parent.res1)
16		# SEFramework resource identifier: parent.res1
17		# SEFramework resource_rdef: parent.res1
18		type parent.res1_dirFiles;
19		SEFramework_files_type(parent.res1_dirFiles)
	4	#Framework domain: parent.child
	5	type parent_child_t;
	6	SEFramework_domain(parent_child_t)
	7	# CDSFramework domain_rdef: parent.child_dirFiles
	8	type parent_child_dirFiles_t;
	9	allow parent_child_t parent_child_dirFiles_t:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
	10	allow parent_t self:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
	11	allow parent_child_t parent_child_dirFiles_t:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
	12	allow parent_t self:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
	13	allow parent_child_t parent_child_dirFiles_t:file { append create execute getattr ioctl link lock read rename setattr unlink write };
	14	allow parent_t self:file { append create execute getattr ioctl link lock read rename setattr unlink write };
	15	SEFramework_files_type(parent_child_dirFiles_t)
	16	SEFramework_files_type(parent_t)
	17	#End of Framework domain: parent.child
	18	#Framework domain: parent
	19	type parent_t;
	20	SEFramework_domain(parent_t)
	21	#End of Framework domain: parent
	22	# CDSFramework resource: parent.res1
	23	type parent_res1_dirFiles_t;
	24	SEFramework_resource(parent_res1_dirFiles_t)
	25	SEFramework_files_type(parent_res1_dirFiles_t)
	26	SEFramework_files_type(parent_t)
20	27
21		# SEFramework generated networking & directory search perms
22		allow parent.child_dirFiles root_t:dir { search };
	28	# CDSFramework generated networking & directory search perms
	29	allow parent_t root_t:dir { search };
	30	allow parent_child_dirFiles_t root_t:dir { search };

trunk/test/test0048/expected.te

r949	r1715
2	2	SEFramework_header(test)
3	3	# These types are generated by the framework for internal use
4		type domA;
5		SEFramework_domain(domA)
6		# SEFramework domain_rdef: domA_dirFiles
7		type domA_dirFiles;
8		allow domA domA_dirFiles:file { append create execute getattr ioctl link lock read rename setattr unlink write };
9		allow domA domA_dirFiles:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
10		allow domA domA_dirFiles:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
11		allow domA self:file { append create execute getattr ioctl link lock read rename setattr unlink write };
12		allow domA self:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
13		allow domA self:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
14		SEFramework_files_type(domA)
15		type domA.subdomainA;
16		SEFramework_domain(domA.subdomainA)
17		# SEFramework domain_rdef: domA.subdomainA_dirFiles
18		type domA.subdomainA_dirFiles;
19		allow domA.subdomainA domA.subdomainA_dirFiles:file { append create execute getattr ioctl link lock read rename setattr unlink write };
20		allow domA.subdomainA domA.subdomainA_dirFiles:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
21		allow domA.subdomainA domA.subdomainA_dirFiles:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
22		SEFramework_files_type(domA.subdomainA_dirFiles)
	4	#Framework domain: domA
	5	type domA_t;
	6	SEFramework_domain(domA_t)
	7	#End of Framework domain: domA
	8	#Framework domain: domA.subdomainA
	9	type domA_subdomainA_t;
	10	SEFramework_domain(domA_subdomainA_t)
	11	# CDSFramework domain_rdef: domA.subdomainA_dirFiles
	12	type domA_subdomainA_dirFiles_t;
	13	allow domA_subdomainA_t domA_subdomainA_dirFiles_t:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
	14	allow domA_t self:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
	15	allow domA_subdomainA_t domA_subdomainA_dirFiles_t:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
	16	allow domA_t self:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
	17	allow domA_subdomainA_t domA_subdomainA_dirFiles_t:file { append create execute getattr ioctl link lock read rename setattr unlink write };
	18	allow domA_t self:file { append create execute getattr ioctl link lock read rename setattr unlink write };
	19	SEFramework_files_type(domA_subdomainA_dirFiles_t)
	20	SEFramework_files_type(domA_t)
	21	#End of Framework domain: domA.subdomainA
23	22
24		# SEFramework generated networking & directory search perms
25		allow domA.subdomainA_dirFiles root_t:dir { search };
	23	# CDSFramework generated networking & directory search perms
	24	allow domA_subdomainA_dirFiles_t root_t:dir { search };
	25	allow domA_t root_t:dir { search };

trunk/test/test0051/expected.fc

r959 r1715

1 # SEFramework generated file contexts
1 # CDSFramework generated file contexts

trunk/test/test0051/expected.if

r959	r1715
3	3	# SEFramework generated interface
4	4
	5	## <summary> CDSFramework Dictionary Access Definition
	6	## Rdef: unixStreamSockets
	7	## Verb: readwrite
	8	## Access Def Name: read
	9	## </summary>
	10	## <param name="domain">
	11	## <summary> Domain interacting with a CDSFramework resource. </summary>
	12	## </param>
	13	## <param name="resource">
	14	## <summary> Resource the domain is getting access to.</summary>
	15	## </param>
	16	template(`framework_unixStreamSockets_readwrite_read',`
	17	allow $1 self:unix_stream_socket { accept bind connect create listen read shutdown write };
	18	allow $1 $2:dir { search };
	19	allow $1 $2:sock_file { create getattr read unlink write };
	20	')
	21
	22
	23	## <summary> CDSFramework Dictionary Access Definition
	24	## Rdef: signals@
	25	## Verb: write
	26	## Access Def Name: sigchld
	27	## </summary>
	28	## <param name="domain">
	29	## <summary> Domain interacting with a CDSFramework resource. </summary>
	30	## </param>
	31	## <param name="resource">
	32	## <summary> Resource the domain is getting access to.</summary>
	33	## </param>
	34	template(`framework_signals_AT_write_sigchld',`
	35	allow $1 $2:process { sigchld };
	36	')
	37
	38
	39	## <summary> CDSFramework Dictionary Access Definition
	40	## Rdef: signals@
	41	## Verb: write
	42	## Access Def Name: sigkill
	43	## </summary>
	44	## <param name="domain">
	45	## <summary> Domain interacting with a CDSFramework resource. </summary>
	46	## </param>
	47	## <param name="resource">
	48	## <summary> Resource the domain is getting access to.</summary>
	49	## </param>
	50	template(`framework_signals_AT_write_sigkill',`
	51	allow $1 $2:process { sigkill };
	52	')
	53
	54
	55	## <summary> CDSFramework Dictionary Access Definition
	56	## Rdef: signals@
	57	## Verb: write
	58	## Access Def Name: signal
	59	## </summary>
	60	## <param name="domain">
	61	## <summary> Domain interacting with a CDSFramework resource. </summary>
	62	## </param>
	63	## <param name="resource">
	64	## <summary> Resource the domain is getting access to.</summary>
	65	## </param>
	66	template(`framework_signals_AT_write_signal',`
	67	allow $1 $2:process { signal };
	68	')
	69
	70
	71	## <summary> CDSFramework Dictionary Access Definition
	72	## Rdef: signals@
	73	## Verb: write
	74	## Access Def Name: signull
	75	## </summary>
	76	## <param name="domain">
	77	## <summary> Domain interacting with a CDSFramework resource. </summary>
	78	## </param>
	79	## <param name="resource">
	80	## <summary> Resource the domain is getting access to.</summary>
	81	## </param>
	82	template(`framework_signals_AT_write_signull',`
	83	allow $1 $2:process { signull };
	84	')
	85
	86
	87	## <summary> CDSFramework Dictionary Access Definition
	88	## Rdef: signals@
	89	## Verb: write
	90	## Access Def Name: sigstop
	91	## </summary>
	92	## <param name="domain">
	93	## <summary> Domain interacting with a CDSFramework resource. </summary>
	94	## </param>
	95	## <param name="resource">
	96	## <summary> Resource the domain is getting access to.</summary>
	97	## </param>
	98	template(`framework_signals_AT_write_sigstop',`
	99	allow $1 $2:process { sigstop };
	100	')
	101
	102
	103	## <summary> CDSFramework Control Resource
	104	## signals@
	105	## </summary>
	106	## <desc>
	107	## <p>
	108	## desc : "Allow other domains to signal the owner of this control resource"
	109	## </p>
	110	## </desc>
	111	## <param name="domain">
	112	## <summary> The owner of the resource's type </summary>
	113	## </param>
	114	template(`framework_controlRes_signals_AT',`
	115	allow $1 self:process { sigchld sigkill signal signull sigstop };
	116	')
	117
	118
	119	## <summary> CDSFramework Dictionary Access Definition
	120	## Rdef: semaphores@
	121	## Verb: read
	122	## Access Def Name: check
	123	## </summary>
	124	## <param name="domain">
	125	## <summary> Domain interacting with a CDSFramework resource. </summary>
	126	## </param>
	127	## <param name="resource">
	128	## <summary> Resource the domain is getting access to.</summary>
	129	## </param>
	130	template(`framework_semaphores_AT_read_check',`
	131	allow $1 $2:sem { associate getattr read unix_read };
	132	')
	133
	134
	135	## <summary> CDSFramework Dictionary Access Definition
	136	## Rdef: semaphores@
	137	## Verb: write
	138	## Access Def Name: setattr
	139	## </summary>
	140	## <param name="domain">
	141	## <summary> Domain interacting with a CDSFramework resource. </summary>
	142	## </param>
	143	## <param name="resource">
	144	## <summary> Resource the domain is getting access to.</summary>
	145	## </param>
	146	template(`framework_semaphores_AT_write_setattr',`
	147	allow $1 $2:sem { setattr };
	148	')
	149
	150
	151	## <summary> CDSFramework Dictionary Access Definition
	152	## Rdef: semaphores@
	153	## Verb: readwrite
	154	## Access Def Name: use
	155	## </summary>
	156	## <param name="domain">
	157	## <summary> Domain interacting with a CDSFramework resource. </summary>
	158	## </param>
	159	## <param name="resource">
	160	## <summary> Resource the domain is getting access to.</summary>
	161	## </param>
	162	template(`framework_semaphores_AT_readwrite_use',`
	163	allow $1 $2:sem { associate getattr read unix_read unix_write write };
	164	')
	165
	166
	167	## <summary> CDSFramework Control Resource
	168	## semaphores@
	169	## </summary>
	170	## <desc>
	171	## <p>
	172	## desc : "Semaphores"
	173	## </p>
	174	## </desc>
	175	## <param name="domain">
	176	## <summary> The owner of the resource's type </summary>
	177	## </param>
	178	template(`framework_controlRes_semaphores_AT',`
	179	allow $1 self:sem { associate create destroy getattr read setattr unix_read unix_write write };
	180	')
	181
	182
	183	## <summary> CDSFramework Dictionary Access Definition
	184	## Rdef: unnamedPipes
	185	## Verb: write
	186	## Access Def Name: create
	187	## </summary>
	188	## <param name="domain">
	189	## <summary> Domain interacting with a CDSFramework resource. </summary>
	190	## </param>
	191	## <param name="resource">
	192	## <summary> Resource the domain is getting access to.</summary>
	193	## </param>
	194	template(`framework_unnamedPipes_write_create',`
	195	allow $1 $2:fifo_file { create setattr };
	196	')
	197
	198
	199	## <summary> CDSFramework Dictionary Access Definition
	200	## Rdef: unnamedPipes
	201	## Verb: read
	202	## Access Def Name: read
	203	## </summary>
	204	## <param name="domain">
	205	## <summary> Domain interacting with a CDSFramework resource. </summary>
	206	## </param>
	207	## <param name="resource">
	208	## <summary> Resource the domain is getting access to.</summary>
	209	## </param>
	210	template(`framework_unnamedPipes_read_read',`
	211	allow $1 $2:fifo_file { getattr read };
	212	')
	213
	214
	215	## <summary> CDSFramework Dictionary Access Definition
	216	## Rdef: unnamedPipes
	217	## Verb: write
	218	## Access Def Name: write
	219	## </summary>
	220	## <param name="domain">
	221	## <summary> Domain interacting with a CDSFramework resource. </summary>
	222	## </param>
	223	## <param name="resource">
	224	## <summary> Resource the domain is getting access to.</summary>
	225	## </param>
	226	template(`framework_unnamedPipes_write_write',`
	227	allow $1 $2:fifo_file { setattr write };
	228	')
	229
	230
	231	## <summary> CDSFramework Dictionary Access Definition
	232	## Rdef: processControl@
	233	## Verb: read
	234	## Access Def Name: getInfo
	235	## </summary>
	236	## <param name="domain">
	237	## <summary> Domain interacting with a CDSFramework resource. </summary>
	238	## </param>
	239	## <param name="resource">
	240	## <summary> Resource the domain is getting access to.</summary>
	241	## </param>
	242	template(`framework_processControl_AT_read_getInfo',`
	243	allow $1 $2:process { getattr getpgid getsched getsession };
	244	')
	245
	246
	247	## <summary> CDSFramework Dictionary Access Definition
	248	## Rdef: processControl@
	249	## Verb: write
	250	## Access Def Name: setInfo
	251	## </summary>
	252	## <param name="domain">
	253	## <summary> Domain interacting with a CDSFramework resource. </summary>
	254	## </param>
	255	## <param name="resource">
	256	## <summary> Resource the domain is getting access to.</summary>
	257	## </param>
	258	template(`framework_processControl_AT_write_setInfo',`
	259	allow $1 $2:process { setpgid setsched };
	260	')
	261
	262
	263	## <summary> CDSFramework Dictionary Access Definition
	264	## Rdef: processControl@
	265	## Verb: readwrite
	266	## Access Def Name: trace
	267	## </summary>
	268	## <param name="domain">
	269	## <summary> Domain interacting with a CDSFramework resource. </summary>
	270	## </param>
	271	## <param name="resource">
	272	## <summary> Resource the domain is getting access to.</summary>
	273	## </param>
	274	template(`framework_processControl_AT_readwrite_trace',`
	275	allow $1 $2:process { ptrace };
	276	')
	277
	278
	279	## <summary> CDSFramework Control Resource
	280	## processControl@
	281	## </summary>
	282	## <desc>
	283	## <p>
	284	## desc : "Miscellaneous process control permissions"
	285	## </p>
	286	## </desc>
	287	## <param name="domain">
	288	## <summary> The owner of the resource's type </summary>
	289	## </param>
	290	template(`framework_controlRes_processControl_AT',`
	291	allow $1 self:process { getattr getpgid getsched getsession ptrace rlimitinh setpgid setrlimit setsched share siginh };
	292	')
	293
	294
	295	## <summary> CDSFramework Dictionary Access Definition
	296	## Rdef: unixDatagramSockets
	297	## Verb: write
	298	## Access Def Name: create
	299	## </summary>
	300	## <param name="domain">
	301	## <summary> Domain interacting with a CDSFramework resource. </summary>
	302	## </param>
	303	## <param name="resource">
	304	## <summary> Resource the domain is getting access to.</summary>
	305	## </param>
	306	template(`framework_unixDatagramSockets_write_create',`
	307	allow $1 $2:dir { add_name remove_name search write };
	308	allow $1 $2:sock_file { create unlink };
	309	')
	310
	311
	312	## <summary> CDSFramework Dictionary Access Definition
	313	## Rdef: unixDatagramSockets
	314	## Verb: read
	315	## Access Def Name: read
	316	## </summary>
	317	## <param name="domain">
	318	## <summary> Domain interacting with a CDSFramework resource. </summary>
	319	## </param>
	320	## <param name="resource">
	321	## <summary> Resource the domain is getting access to.</summary>
	322	## </param>
	323	template(`framework_unixDatagramSockets_read_read',`
	324	allow $1 self:unix_dgram_socket { create read };
	325	allow $1 $2:dir { search };
	326	')
	327
	328
	329	## <summary> CDSFramework Dictionary Access Definition
	330	## Rdef: unixDatagramSockets
	331	## Verb: write
	332	## Access Def Name: write
	333	## </summary>
	334	## <param name="domain">
	335	## <summary> Domain interacting with a CDSFramework resource. </summary>
	336	## </param>
	337	## <param name="resource">
	338	## <summary> Resource the domain is getting access to.</summary>
	339	## </param>
	340	template(`framework_unixDatagramSockets_write_write',`
	341	allow $1 self:unix_dgram_socket { bind create sendto shutdown write };
	342	allow $1 $2:dir { search };
	343	allow $1 $2:sock_file { write };
	344	')
	345
	346
	347	## <summary> CDSFramework Dictionary Access Definition
	348	## Rdef: unnamedUnixStreams
	349	## Verb: write
	350	## Access Def Name: create
	351	## </summary>
	352	## <param name="domain">
	353	## <summary> Domain interacting with a CDSFramework resource. </summary>
	354	## </param>
	355	## <param name="resource">
	356	## <summary> Resource the domain is getting access to.</summary>
	357	## </param>
	358	template(`framework_unnamedUnixStreams_write_create',`
	359	allow $1 $2:unix_stream_socket { create setattr };
	360	')
	361
	362
	363	## <summary> CDSFramework Dictionary Access Definition
	364	## Rdef: unnamedUnixStreams
	365	## Verb: read
	366	## Access Def Name: read
	367	## </summary>
	368	## <param name="domain">
	369	## <summary> Domain interacting with a CDSFramework resource. </summary>
	370	## </param>
	371	## <param name="resource">
	372	## <summary> Resource the domain is getting access to.</summary>
	373	## </param>
	374	template(`framework_unnamedUnixStreams_read_read',`
	375	allow $1 $2:sock_file { getattr };
	376	allow $1 $2:unix_stream_socket { connectto listen read recvfrom shutdown };
	377	')
	378
	379
	380	## <summary> CDSFramework Dictionary Access Definition
	381	## Rdef: unnamedUnixStreams
	382	## Verb: write
	383	## Access Def Name: write
	384	## </summary>
	385	## <param name="domain">
	386	## <summary> Domain interacting with a CDSFramework resource. </summary>
	387	## </param>
	388	## <param name="resource">
	389	## <summary> Resource the domain is getting access to.</summary>
	390	## </param>
	391	template(`framework_unnamedUnixStreams_write_write',`
	392	allow $1 $2:unix_stream_socket { connect sendto write };
	393	')
	394
	395
	396	## <summary> CDSFramework Dictionary Access Definition
	397	## Rdef: mqueues@
	398	## Verb: read
	399	## Access Def Name: read
	400	## </summary>
	401	## <param name="domain">
	402	## <summary> Domain interacting with a CDSFramework resource. </summary>
	403	## </param>
	404	## <param name="resource">
	405	## <summary> Resource the domain is getting access to.</summary>
	406	## </param>
	407	template(`framework_mqueues_AT_read_read',`
	408	allow $1 $2:msg { receive };
	409	allow $1 $2:msgq { associate getattr read unix_read };
	410	')
	411
	412
	413	## <summary> CDSFramework Dictionary Access Definition
	414	## Rdef: mqueues@
	415	## Verb: write
	416	## Access Def Name: write
	417	## </summary>
	418	## <param name="domain">
	419	## <summary> Domain interacting with a CDSFramework resource. </summary>
	420	## </param>
	421	## <param name="resource">
	422	## <summary> Resource the domain is getting access to.</summary>
	423	## </param>
	424	template(`framework_mqueues_AT_write_write',`
	425	allow $1 self:msg { send };
	426	allow $1 $2:msgq { enqueue unix_write write };
	427	')
	428
	429
	430	## <summary> CDSFramework Control Resource
	431	## mqueues@
	432	## </summary>
	433	## <desc>
	434	## <p>
	435	## desc : "System V message queues attached to a domain. The primary difference between a System V message queue and a socket or named pipe is that message queues may have multiple processes reading and writing from and to them, or no readers at all."
	436	## </p>
	437	## </desc>
	438	## <param name="domain">
	439	## <summary> The owner of the resource's type </summary>
	440	## </param>
	441	template(`framework_controlRes_mqueues_AT',`
	442	allow $1 self:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
	443	allow $1 self:msg { receive send };
	444	')
	445
	446
	447	## <summary> CDSFramework Dictionary Access Definition
	448	## Rdef: dirFiles
	449	## Verb: write
	450	## Access Def Name: append_only
	451	## </summary>
	452	## <param name="domain">
	453	## <summary> Domain interacting with a CDSFramework resource. </summary>
	454	## </param>
	455	## <param name="resource">
	456	## <summary> Resource the domain is getting access to.</summary>
	457	## </param>
	458	template(`framework_dirFiles_write_append_only',`
	459	allow $1 $2:dir { search };
	460	allow $1 $2:file { append lock };
	461	allow $1 $2:lnk_file { append lock };
	462	')
	463
	464
	465	## <summary> CDSFramework Dictionary Access Definition
	466	## Rdef: dirFiles
	467	## Verb: write
	468	## Access Def Name: delete
	469	## </summary>
	470	## <param name="domain">
	471	## <summary> Domain interacting with a CDSFramework resource. </summary>
	472	## </param>
	473	## <param name="resource">
	474	## <summary> Resource the domain is getting access to.</summary>
	475	## </param>
	476	template(`framework_dirFiles_write_delete',`
	477	allow $1 $2:dir { remove_name search write };
	478	allow $1 $2:file { unlink };
	479	allow $1 $2:lnk_file { unlink };
	480	')
	481
	482
	483	## <summary> CDSFramework Dictionary Access Definition
	484	## Rdef: dirFiles
	485	## Verb: read
	486	## Access Def Name: execute
	487	## </summary>
	488	## <param name="domain">
	489	## <summary> Domain interacting with a CDSFramework resource. </summary>
	490	## </param>
	491	## <param name="resource">
	492	## <summary> Resource the domain is getting access to.</summary>
	493	## </param>
	494	template(`framework_dirFiles_read_execute',`
	495	allow $1 $2:dir { search };
	496	allow $1 $2:file { execute getattr read };
	497	allow $1 $2:lnk_file { read };
	498	')
	499
	500
	501	## <summary> CDSFramework Dictionary Access Definition
	502	## Rdef: dirFiles
	503	## Verb: read
	504	## Access Def Name: read
	505	## </summary>
	506	## <param name="domain">
	507	## <summary> Domain interacting with a CDSFramework resource. </summary>
	508	## </param>
	509	## <param name="resource">
	510	## <summary> Resource the domain is getting access to.</summary>
	511	## </param>
	512	template(`framework_dirFiles_read_read',`
	513	allow $1 $2:dir { read search };
	514	allow $1 $2:file { getattr read };
	515	allow $1 $2:lnk_file { read };
	516	')
	517
	518
	519	## <summary> CDSFramework Dictionary Access Definition
	520	## Rdef: dirFiles
	521	## Verb: write
	522	## Access Def Name: rename
	523	## </summary>
	524	## <param name="domain">
	525	## <summary> Domain interacting with a CDSFramework resource. </summary>
	526	## </param>
	527	## <param name="resource">
	528	## <summary> Resource the domain is getting access to.</summary>
	529	## </param>
	530	template(`framework_dirFiles_write_rename',`
	531	allow $1 $2:dir { add_name remove_name search write };
	532	allow $1 $2:file { rename };
	533	allow $1 $2:lnk_file { rename };
	534	')
	535
	536
	537	## <summary> CDSFramework Dictionary Access Definition
	538	## Rdef: dirFiles
	539	## Verb: write
	540	## Access Def Name: write
	541	## </summary>
	542	## <param name="domain">
	543	## <summary> Domain interacting with a CDSFramework resource. </summary>
	544	## </param>
	545	## <param name="resource">
	546	## <summary> Resource the domain is getting access to.</summary>
	547	## </param>
	548	template(`framework_dirFiles_write_write',`
	549	allow $1 $2:dir { add_name search write };
	550	allow $1 $2:file { append create lock write };
	551	allow $1 $2:lnk_file { append lock write };
	552	')
	553
	554
	555	## <summary> CDSFramework Dictionary Access Definition
	556	## Rdef: sharedMemory@
	557	## Verb: read
	558	## Access Def Name: read
	559	## </summary>
	560	## <param name="domain">
	561	## <summary> Domain interacting with a CDSFramework resource. </summary>
	562	## </param>
	563	## <param name="resource">
	564	## <summary> Resource the domain is getting access to.</summary>
	565	## </param>
	566	template(`framework_sharedMemory_AT_read_read',`
	567	allow $1 $2:shm { associate getattr read unix_read };
	568	')
	569
	570
	571	## <summary> CDSFramework Dictionary Access Definition
	572	## Rdef: sharedMemory@
	573	## Verb: write
	574	## Access Def Name: write
	575	## </summary>
	576	## <param name="domain">
	577	## <summary> Domain interacting with a CDSFramework resource. </summary>
	578	## </param>
	579	## <param name="resource">
	580	## <summary> Resource the domain is getting access to.</summary>
	581	## </param>
	582	template(`framework_sharedMemory_AT_write_write',`
	583	allow $1 $2:shm { associate lock unix_write write };
	584	')
	585
	586
	587	## <summary> CDSFramework Control Resource
	588	## sharedMemory@
	589	## </summary>
	590	## <desc>
	591	## <p>
	592	## desc : "System V Shared Memory (shm) attached to a domain"
	593	## </p>
	594	## </desc>
	595	## <param name="domain">
	596	## <summary> The owner of the resource's type </summary>
	597	## </param>
	598	template(`framework_controlRes_sharedMemory_AT',`
	599	allow $1 self:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
	600	')
	601
	602
	603	## <summary> CDSFramework Dictionary Access Definition
	604	## Rdef: unnamedUnixDatagrams
	605	## Verb: write
	606	## Access Def Name: create
	607	## </summary>
	608	## <param name="domain">
	609	## <summary> Domain interacting with a CDSFramework resource. </summary>
	610	## </param>
	611	## <param name="resource">
	612	## <summary> Resource the domain is getting access to.</summary>
	613	## </param>
	614	template(`framework_unnamedUnixDatagrams_write_create',`
	615	allow $1 $2:sock_file { getattr };
	616	allow $1 $2:unix_dgram_socket { create setopt };
	617	')
	618
	619
	620	## <summary> CDSFramework Dictionary Access Definition
	621	## Rdef: unnamedUnixDatagrams
	622	## Verb: read
	623	## Access Def Name: read
	624	## </summary>
	625	## <param name="domain">
	626	## <summary> Domain interacting with a CDSFramework resource. </summary>
	627	## </param>
	628	## <param name="resource">
	629	## <summary> Resource the domain is getting access to.</summary>
	630	## </param>
	631	template(`framework_unnamedUnixDatagrams_read_read',`
	632	allow $1 $2:sock_file { getattr };
	633	allow $1 $2:unix_dgram_socket { getopt read recvfrom shutdown };
	634	')
	635
	636
	637	## <summary> CDSFramework Dictionary Access Definition
	638	## Rdef: unnamedUnixDatagrams
	639	## Verb: write
	640	## Access Def Name: write
	641	## </summary>
	642	## <param name="domain">
	643	## <summary> Domain interacting with a CDSFramework resource. </summary>
	644	## </param>
	645	## <param name="resource">
	646	## <summary> Resource the domain is getting access to.</summary>
	647	## </param>
	648	template(`framework_unnamedUnixDatagrams_write_write',`
	649	allow $1 $2:sock_file { getattr };
	650	allow $1 $2:unix_dgram_socket { sendto setopt shutdown write };
	651	')
	652
	653
	654	## <summary> CDSFramework Dictionary Access Definition
	655	## Rdef: namedPipes
	656	## Verb: write
	657	## Access Def Name: create
	658	## </summary>
	659	## <param name="domain">
	660	## <summary> Domain interacting with a CDSFramework resource. </summary>
	661	## </param>
	662	## <param name="resource">
	663	## <summary> Resource the domain is getting access to.</summary>
	664	## </param>
	665	template(`framework_namedPipes_write_create',`
	666	allow $1 $2:dir { add_name remove_name search write };
	667	allow $1 $2:fifo_file { create setattr unlink };
	668	')
	669
	670
	671	## <summary> CDSFramework Dictionary Access Definition
	672	## Rdef: namedPipes
	673	## Verb: read
	674	## Access Def Name: read
	675	## </summary>
	676	## <param name="domain">
	677	## <summary> Domain interacting with a CDSFramework resource. </summary>
	678	## </param>
	679	## <param name="resource">
	680	## <summary> Resource the domain is getting access to.</summary>
	681	## </param>
	682	template(`framework_namedPipes_read_read',`
	683	allow $1 $2:dir { read search };
	684	allow $1 $2:fifo_file { getattr read };
	685	')
	686
	687
	688	## <summary> CDSFramework Dictionary Access Definition
	689	## Rdef: namedPipes
	690	## Verb: write
	691	## Access Def Name: write
	692	## </summary>
	693	## <param name="domain">
	694	## <summary> Domain interacting with a CDSFramework resource. </summary>
	695	## </param>
	696	## <param name="resource">
	697	## <summary> Resource the domain is getting access to.</summary>
	698	## </param>
	699	template(`framework_namedPipes_write_write',`
	700	allow $1 $2:dir { search };
	701	allow $1 $2:fifo_file { setattr write };
	702	')
	703
	704
	705	## <summary> CDSFramework Dictionary Enter Access </summary>
	706	## <param name="starting domain">
	707	## <summary> Domain you start in. </summary>
	708	## </param>
	709	## <param name="ending domain">
	710	## <summary> Domain you end in. </summary>
	711	## </param>
	712	## <param name="resource">
	713	## <summary> Entrypoint resource.</summary>
	714	## </param>
	715	template(`framework_enter_downstream_pipes',`
	716	allow $1 self:fifo_file { create getattr unlink write };
	717	allow $2 $1:fifo_file { read };
	718	')
	719
	720
	721	## <summary> CDSFramework Dictionary Enter Access </summary>
	722	## <param name="starting domain">
	723	## <summary> Domain you start in. </summary>
	724	## </param>
	725	## <param name="ending domain">
	726	## <summary> Domain you end in. </summary>
	727	## </param>
	728	## <param name="resource">
	729	## <summary> Entrypoint resource.</summary>
	730	## </param>
	731	template(`framework_enter_kill',`
	732	allow $2 $1:process { sigkill };
	733	')
	734
	735
	736	## <summary> CDSFramework Dictionary Enter Access </summary>
	737	## <param name="starting domain">
	738	## <summary> Domain you start in. </summary>
	739	## </param>
	740	## <param name="ending domain">
	741	## <summary> Domain you end in. </summary>
	742	## </param>
	743	## <param name="resource">
	744	## <summary> Entrypoint resource.</summary>
	745	## </param>
	746	template(`framework_enter_sigchld',`
	747	allow $2 $1:process { sigchld };
	748	')
	749
	750
	751	## <summary> CDSFramework Dictionary Enter Access </summary>
	752	## <param name="starting domain">
	753	## <summary> Domain you start in. </summary>
	754	## </param>
	755	## <param name="ending domain">
	756	## <summary> Domain you end in. </summary>
	757	## </param>
	758	## <param name="resource">
	759	## <summary> Entrypoint resource.</summary>
	760	## </param>
	761	template(`framework_enter_transition',`
	762	allow $1 $3:file { execute read };
	763	allow $1 $2:process { noatsecure rlimitinh siginh transition };
	764	allow $1 self:process { fork };
	765	allow $2 $3:file { entrypoint };
	766	')
	767
	768
	769	## <summary> CDSFramework Dictionary Enter Access </summary>
	770	## <param name="starting domain">
	771	## <summary> Domain you start in. </summary>
	772	## </param>
	773	## <param name="ending domain">
	774	## <summary> Domain you end in. </summary>
	775	## </param>
	776	## <param name="resource">
	777	## <summary> Entrypoint resource.</summary>
	778	## </param>
	779	template(`framework_enter_upstream_pipes',`
	780	allow $1 self:fifo_file { create getattr read unlink };
	781	allow $2 $1:fifo_file { write };
	782	')
	783
	784
	785	## <summary> CDSFramework Dictionary Enter Access </summary>
	786	## <param name="starting domain">
	787	## <summary> Domain you start in. </summary>
	788	## </param>
	789	## <param name="ending domain">
	790	## <summary> Domain you end in. </summary>
	791	## </param>
	792	## <param name="resource">
	793	## <summary> Entrypoint resource.</summary>
	794	## </param>
	795	template(`framework_enter_use_fd',`
	796	allow $2 $1:fd { use };
	797	')
	798
	799

trunk/test/test0051/expected.te

r959	r1715
2	2	SEFramework_header(test)
3	3	# These types are generated by the framework for internal use
	4	optional_policy(`
	5	gen_require(`
	6	type init_t;
	7	role system_r;
	8	')
4	9
5		# SEFramework generated networking & directory search perms
	10	')
	11
	12	# CDSFramework generated networking & directory search perms

trunk/test/test0051/test.fpol

r1021 r1715

1 1 #Test 0051 - Valid base domain usage
2 2
3 basedomain init;
3 basedomain init from "./init.flnk";
4 4

trunk/test/test0063/init.flnk

r1014	r1715
5	5
6	6	baseresource loopback {
7		~~module "test/test0063/corenetwork.if"~~
8	7	write {
	8	default {lo_bind}
9	9	lo_bind {
10		corenet_tcp_bind_lo_node
	10	corenet_tcp_bind_lo_node($)
11	11	}
12	12	eth1_bind {

trunk/test/test0066/expected.te

r1622	r1715
25	25	type a_child_a_dirFiles_t;
26	26	allow a_child_a_t a_child_a_dirFiles_t:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
27		allow a_t ~~a_t~~:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
	27	allow a_t self:lnk_file { append create execute getattr ioctl link lock read rename setattr unlink write };
28	28	allow a_child_a_t a_child_a_dirFiles_t:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
29		allow a_t ~~a_t~~:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
	29	allow a_t self:dir { add_name append create execute getattr ioctl link lock read remove_name rename reparent rmdir search setattr unlink write };
30	30	allow a_child_a_t a_child_a_dirFiles_t:file { append create execute getattr ioctl link lock read rename setattr unlink write };
31		allow a_t ~~a_t~~:file { append create execute getattr ioctl link lock read rename setattr unlink write };
	31	allow a_t self:file { append create execute getattr ioctl link lock read rename setattr unlink write };
32	32	SEFramework_files_type(a_child_a_dirFiles_t)
33	33	SEFramework_files_type(a_t)

trunk/test/test0072/test.sh

r1469	r1715
18	18
19	19	#spaces removed so 'if' doesn't complain
20		EXPECTED_ERROR="~~parent+domainof\"a.child_a\"mustalsoenterthrough\"entpoint~~\""
	20	EXPECTED_ERROR="entermustbebalancedacrosslevels;enterintoachildof\"a\""
21	21	if [ -e $DIR/test.err ]; then
22	22	LINES=`wc -l $DIR/test.err \| cut -f 1 -d ' '`

trunk/test/test0073/expected.te

r1622

r917	r1715
3	3	domain a { dirFiles };
4	4
5		#basedomain a from "./a.flnk";
6		basedomain a;
	5	basedomain a from "./a.flnk";
	6	#basedomain a;

r959	r1715
1		# SEFramework generated file contexts
	1	# CDSFramework generated file contexts

r1021	r1715
1	1	#Test 0051 - Valid base domain usage
2	2
3		basedomain init;
	3	basedomain init from "./init.flnk";
4	4