#
# Access-vector definitions: the permission sets ("access vectors") that
# policy rules are checked against, grouped by object class.
#
# Two kinds of declaration appear in this file:
#
#   common common_name { permission_name ... }
#       A reusable permission prefix that several classes share.
#
#   class class_name [ inherits common_name ] { permission_name ... }
#       An object class.  With "inherits", the class carries every
#       permission of the named common, plus any listed in its own
#       block.  A class declared with "inherits" and no "{ ... }" block
#       (e.g. "class socket inherits socket" below) has exactly the
#       common's permissions and nothing else.
#
# Permissions are listed one per line.  The cap common states that the
# order of its entries is significant (it must line up with the kernel's
# capability numbering).
# NOTE(review): treat the order inside every common/class as part of the
# policy ABI and confirm against the consumer of this file before
# reordering or inserting entries anywhere but at the end of a block.
#

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }

#
# Define a common prefix for file access vectors.
# Shared by dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file below.
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}

#
# Define a common prefix for socket access vectors.
# The first eleven entries duplicate the leading entries of "common file"
# (a common cannot inherit from another common, so they are repeated
# here); the rest are socket-specific.
#
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
# Shared by the ipc, sem, msgq and shm classes below.
#
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
# Used by the capability and cap_userns classes.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# There are 32 entries here, one per capability 0..31; entry N must
	# stay at position N.  Append new capabilities to cap2, never here.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

#
# Capabilities numbered 32 and above (see the note in "common cap").
# Used by the capability2 and cap2_userns classes.  Same ordering rule
# applies: the first entry here is capability 32.
#
common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#


#
# Define the access vector interpretation for file-related objects.
#

# Whole-filesystem operations; does not inherit "common file".
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}

# Directories: "common file" plus directory-entry manipulation.
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

# Regular files.  execute_no_trans / entrypoint only appear on the two
# classes that can be executed (file and chr_file).
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# File descriptors have a single permission.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket: exactly the permissions of "common socket".
class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# Network node (host/address) and interface objects.
class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

# eBPF maps and programs.
class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	# execmem / execstack / execheap: the three executable-memory
	# permissions; grant sparingly, they are the checks that keep
	# writable memory from also being executable.
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# Individual messages do not use "common ipc".
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
# These control who may query or change the policy itself
# (load_policy, setenforce, setbool, ...).
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
# Families whose messages are distinguished by read/write get an
# nlmsg_read / nlmsg_write pair; the others have only the common's
# permissions.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

# Audit netlink carries extra permissions beyond the read/write pair.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

# Kernel keyrings / keys.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# Controls mapping the zero page (mmap_min_addr bypass).
class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

# Android binder IPC.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
# Same permission layout as capability / capability2, so the cap and
# cap2 commons are reused.
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

#
# Userspace object-manager classes.  Nothing in this file ties them to a
# kernel object; presumably each is enforced by the Android service of
# the same name (property service, servicemanager, hwservicemanager,
# keystore, drmserver) — confirm against those object managers.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# NOTE(review): the permission names below are camelCase, unlike the
# snake_case used by every other class in this file.  They are left as
# is because renaming a permission changes the policy interface.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}