# Copyright (c) 1999 The University of Utah and the Flux Group.
# All rights reserved.
# 
# Contributed by the Computer Security Research division,
# INFOSEC Research and Technology Office, NSA.
# 
# This file is part of the Flux OSKit.  The OSKit is free software, also known
# as "open source;" you can redistribute it and/or modify it under the terms
# of the GNU General Public License (GPL), version 2, as published by the Free
# Software Foundation (FSF).  To explore alternate licensing terms, contact
# the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271.
# 
# The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GPL for more details.  You should have
# received a copy of the GPL along with the OSKit; see the file COPYING.  If
# not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA.

# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.  The alias is a
# short form used in the rest of this file (see the dominance and level
# statements below) in place of the full name.

sensitivity unclassified alias u;
sensitivity confidential alias c;
sensitivity secret alias s;
sensitivity top_secret alias ts;

# Define the ordering of the sensitivity levels (least to greatest).
# This lists every sensitivity declared above, so u is the lowest level
# and ts is the highest; the order here is what decides which levels a
# given level dominates.
dominance { u c s ts }

# Define the categories
#
# Each category has a name and zero or more aliases.  None of the
# categories below declares an alias, so they must be referred to by
# their full names.  Unlike sensitivities, categories get no dominance
# statement in this file; which categories may appear at which
# sensitivity is set by the level statements that follow.
#

category nocon;
category noforn;
category nato;
category usuk;

# Identify which categories may be associated with which sensitivities
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.  Only the categories listed for a
# sensitivity may appear in a context at that sensitivity:
#   - u and c permit no categories at all;
#   - s permits only nocon and noforn;
#   - ts is the only level at which nato and usuk may appear.
# NOTE(review): a context such as "c:nocon" is therefore not a valid level
# under this definition -- confirm this restriction on confidential is
# intended rather than an omission.

level u; 
level c;
level s:nocon, noforn;
level ts:nocon, noforn, nato, usuk;

#
# Map each permission of each common and class to the MLS base permissions
# (read, write, readby, writeby, or none) whose MLS checks must be satisfied
# before that permission can be granted.  A permission mapped to "none" is
# not constrained by MLS at all.
#

# MLS mapping for the permissions shared by all file-like classes.
# In the Flask MLS model, "read" is presumably the read-down check
# (subject level dominates object level) and "write" the write-up check
# (object level dominates subject level) -- confirm against the security
# server's MLS code before relying on that reading.
common file
{
	read		:	read
	write		:	write
	# creating a file is treated purely as a write to it
	create		:	write
	write		:	write
	append		:	write
	# executing or checking accessibility needs only read access
	execute		:	read
	access		:	read
	getattr		:	read
	setattr		:	write
	# name-space changes (unlink/link/rename) are writes
	unlink		:	write
	link		:	write
	rename		:	write
	# locking and syncing are treated as modifications of the file
	lock		:	write
	sync		: 	write
	# pathconf is not subject to any MLS constraint
	pathconf	:	none
	# relabelling away from a level requires both read and write;
	# relabelling to a new level is a write only
	relabelfrom	:	{ read write }
	relabelto	:	write
	transition	:	write
}

# MLS mapping for the permissions shared by all socket classes.
# Receiving is a read and sending is a write; every *_associate
# permission requires both read and write.
common socket
{
	receive		:	read
	send		:	write
	create		:	write
	# querying local/remote endpoints and options is a read,
	# changing them is a write
	getlocal	:	read
	setlocal	:	write
	getremote	:	read
	setremote	:	write
	getopt		:	read
	setopt		:	write
	tcp_setopt	:	write
	udp_setopt	:	write
	ip_setopt	:	write
	# shutting down a direction is treated as a write to the socket
	disable_send	:	write
	disable_receive	:	write
	# associating a socket with a peer, datagram or port requires
	# both read and write access
	send_associate	:	{ read write }
	recvfrom_associate :	{ read write }
	recv_associate	:	{ read write }
	port_associate	:	{ read write }
}	

# MLS mapping for the filesystem class.  Every operation on the
# filesystem itself, including mount, remount and unmount, is mapped
# to "none" and so is not constrained by MLS; only associate (a file
# being placed on the filesystem) is checked, in both directions.
# NOTE(review): this leaves mount/unmount controllable only by the
# non-MLS part of the policy -- confirm that is intended.
class filesystem
{
	mount		:	none
	remount		:	none
	unmount		:	none
	getattr		:	none
	sync		: 	none
	lookupi		:	none
	relabelfrom	:	none
	relabelto	:	none
	transition	:	none
	# the filesystem must be readable by and writable by the file
	# associated with it
	associate	:	{ readby writeby }
}

# MLS mapping for the directory-specific permissions (the common file
# permissions apply as well).  Searching is a read; adding, removing or
# re-parenting an entry is a write; removing the directory or mounting
# on it requires both.
class dir
{
	add_name	:	write	
	remove_name	:	write
	reparent	:	write
	search		:	read
	rmdir		:	{ read write }
	mounton		:	{ read write }
	mountassociate	:	{ read write }
}

# File-like classes with no class-specific MLS mappings.  Nothing beyond
# the shared mapping is declared here; presumably each of these takes
# its mapping from "common file" above -- verify against the class
# declarations in the access-vector definitions.
class file
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
class pipe

# MLS mapping for file descriptors: creating or changing one is a
# write, querying or inheriting one is a read.
class fd
{
	create		:	write
	getattr		:	read
	setattr		:	write
	inherit		: 	read
}

# MLS mapping for operations on a process.  Signalling and label
# transition are writes to the target, waiting on it or executing it
# is a read, and fork requires both.
class process
{
	execute		: 	read
	fork		:	{ read write }
	wait		:	read
	transition	:	write
	# all signals, including kill and stop, are writes to the process
	sigkill		:	write
	sigstop		:	write
	signal		:	write
}

# MLS mapping for network nodes (addresses).  Both sending to and
# receiving from a node require read and write; if read and write
# are the usual read-down/write-up checks this effectively confines
# traffic to nodes at the subject's own level -- confirm.
class node 
{
	tcp_receive_node :	{ read write }
	tcp_send_node	:	{ read write }
	udp_receive_node :	{ read write }
	udp_send_node	:	{ read write }
	receive_node	:	{ read write }
	send_node	:	{ read write }
}

# MLS mapping for network interfaces.  Attribute access follows the
# usual read/write split; all traffic through the interface, in either
# direction, requires both read and write.
class netif
{
	getattr		:	read
	setattr		:	write
	tcp_receive_netif :	{ read write }
	tcp_send_netif	:	{ read write }
	udp_receive_netif :	{ read write }
	udp_send_netif	:	{ read write }
	receive_netif 	:	{ read write }
	send_netif	:	{ read write }
}

# MLS mapping for the routing table: observing it is a read,
# modifying it is a write.
class rttab
{
	observe 	:	read
	modify		:	write
}

# Routing socket: no class-specific MLS mappings; presumably covered
# by "common socket" -- verify against the class declarations.
class rtsock

# MLS mapping for the stream-socket-specific permissions (the common
# socket permissions apply as well).  Listening is a write, accepting
# is a read, and associating with an accepted/client/server socket
# requires both.
class in_stream_sock
{
	listen		:	write
	accept		:	read
	accept_associate :	{ read write }
	client_associate :	{ read write }
        server_associate :	{ read write }
}

# Remaining Internet socket classes: no class-specific MLS mappings
# beyond those presumably inherited from "common socket" -- verify
# against the class declarations.
class in_dgram_sock
class in_raw_sock
class in_icmp_sock
class in_igmp_sock
class in_rsvp_sock
class in_ipip_sock

# MLS mapping for the security server's own interface.  Every operation,
# including load_policy, load_extension and register_avc, is mapped to
# "none", so MLS places no constraint on who may call them.
# NOTE(review): any restriction on loading policy or registering an AVC
# must therefore come from the non-MLS part of the policy -- confirm
# that is intended.
class security
{
	compute_av		:	none
	notify_perm		:	none
	transition_sid		:	none
	member_sid		:	none
	sid_to_context		:	none
	context_to_sid		:	none
	load_extension		:	none
	load_policy		:	none
	register_avc		:	none
}

# MLS mapping for the system class: rebooting requires both read and
# write with respect to the system object.
class system
{
	reboot			: 	{ read write }
}

# MLS mapping for operations where the target is itself a subject.
# Here the readby/writeby base permissions are used: the target subject
# is the one reading from or writing to the initiating subject, so the
# check runs in the opposite direction from the file/socket mappings.
class subject
{
        read			:	read	
        write			:	write
        execute			:	read
        create_object		: 	write
        specify_client		:	{ read write }
        specify_server		:	{ read write }
        # connecting, calling, scheduling, keeping and mapping all
        # require the target to be able to both read and write the caller
        connect			:	{ readby writeby }
        call			:	{ readby writeby }
        # sending only requires that the target be able to read the sender
        send 			:	readby 
        thread_scheduler	:	{ readby writeby }
        task_keeper		:	{ readby writeby }
        map			:	{ readby writeby }
}

# MLS mapping for the access vector cache.  All AVC management
# operations (granting, revoking, resetting, changing audit settings)
# are mapped to "none" and are not constrained by MLS.
class avc
{
        grant			:	none
        try_revoke		:	none
        revoke			:	none
        reset			:	none
        set_auditallow		:	none
        set_auditdeny		:	none
}

# MLS mapping for memory segments and memory pools.  Creating,
# destroying and resizing are writes; sizing queries and mapping are
# reads; copying a segment requires both.
# NOTE(review): segment_map is mapped to read only.  If a segment can be
# mapped writable through this single permission, a high subject could
# map and modify a lower-level segment without any write check -- confirm
# that writable mappings are covered by a separate permission.
class memory
{
        segment_create		:	write
        segment_destroy		:	write
        segment_map		:	read
        segment_getsize		:	read
        segment_setsize		:	write
        segment_createcopy	:	{ read write }
        mempool_create 		:	write
        mempool_destroy		:	write
        # adding a subpool or segment to a pool: the pool must be
        # readable by the thing being added
        mempool_addsubpool	:	readby
        mempool_addsegment	:	readby
        mempool_gettickets	:	read
        mempool_settickets	:	write
        # association requires the pool to be both readable by and
        # writable by the associated segment/subpool
        segment_associate	:	{ readby writeby }
        subpool_associate	:	{ readby writeby }
}

