#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A common is a reusable permission prefix: a class that `inherits` it
# starts with the common's permission list and may append its own
# permissions (see the class syntax further down).  The cap common below
# states explicitly that the order of permission names matters; treat the
# order as significant in every common and class, and only append new
# names at the end of a list.
# NOTE(review): the kernel presumably carries its own copy of these
# class/permission tables -- confirm that any change made here is
# mirrored there before the policy is loaded.
#


#
# Define a common prefix for file access vectors.
#
# Note that the common namespace and the class namespace are separate:
# `class file inherits file` below refers to this common.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first eleven names are the same as the first eleven of the file
# common; they are repeated by hand here rather than inherited, so the two
# lists have to be kept in sync manually.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Continuation of the cap common: per the comment above, these are the
# capabilities numbered >= 32.  The same ordering caveat applies.
common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# The brace block is optional: a class that only needs the permissions of
# its common is declared with `inherits` alone (e.g. `class socket` below).
#


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class: carries exactly the socket common, nothing more.
class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): by their names, load_policy, setenforce and setbool gate
# changes to the loaded policy and to enforcing mode; grants of these
# permissions deserve particular scrutiny in policy review.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
# These reuse the cap and cap2 commons unchanged, so they carry the same
# permission lists as capability and capability2 above.
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

#
# NOTE(review): the classes below do not inherit any kernel common and
# look like classes checked by userspace object managers rather than by
# the kernel -- confirm against the component that performs each check
# which permissions it actually consults.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# Style note: this class puts the opening brace on the class line and uses
# camelCase permission names, unlike every other class in this file.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}