强访设计文档

nfs_security_exec_file_type 包含

apt_exec_t
	auditctl_exec_t
	dpkg_exec_t
	nfs_chcon_exec_t
	nfs_sec_exec_t
	nfs_security_exec_t
	quota_exec_t
	semanage_exec_t
	su_exec_t
	sudo_exec_t
	useradd_exec_t

nfs_security_domain_type 包含

 auditctl_t
local_login_t
nfs_security_t
quota_t
semanage_t
useradd_t

nfs_security_file_type 包含

etc_t
security_t
var_log_t

针对nfs_security_exec_file_type对execute_no_trans权限的限制

ifdef(`enable_mls',`
constrain file { execute_no_trans }
(
	u1 == u2
	or t2 != nfs_security_exec_file_type
);

对nfs_security_domain_type user_home_target 做了限制，放行nfs_security_domain_type对目录读写权限，限制用户的域访问其他用户的家目录

constrain dir { open search }
(
	u1 == u2
	or u1 == system_u
	or u1 == unconfined_u
	or t1 == nfs_security_domain_type
	or t2 != user_home_target
	or ( u1 == user_u and u2 == system_u )
);

限制对nfs_security_file_type的读权限

constrain dir_file_class_set { create relabelto relabelfrom }
(
	u1 == u2
	or t1 == can_change_object_identity
	or (t1 == user_t and t2 == user_home_dir_t)
	or (t1 == secadm_t and t2 == secadm_home_dir_t)
	or (t1 == sysadm_t and t2 == sysadm_home_dir_t)
	or (t1 == auditadm_t and t2 == auditadm_home_dir_t)
);

constrain file { execute_no_trans }
(
	u1 == u2
	or t1 == nfs_security_t
	or t1 == useradd_t
	or t2 != nfs_security_exec_file_type
);

constrain file { read }
(
	u1 == u2
	or u1 == system_u
	or u1 == unconfined_u
	or t2 != nfs_security_file_type
	or (t1 != sysadm_t and t1 != auditadm_t and t1 != user_t and t2 == security_t)
	or (t2 == var_log_t)
	or (t2 == etc_t)
);

constrain file { write }
(
	u1 == u2
	or u1 == system_u
	or u1 == unconfined_u
	or t2 != nfs_security_file_type
	or (t1 != sysadm_t and t1 != auditadm_t and t1 != user_t and t2 == security_t)
	or (t1 != secadm_t and t1 != auditadm_t and t1 != user_t and t2 == var_log_t)
	or ( t1 != user_t and t2 == etc_t)
);

constrain process { sigkill signal }
	(
		t2 != auditd_t
	);