#
# SELinux access vector definitions: the "common" permission sets and the
# object classes that declare their own permissions or inherit a common.
#
# NOTE(review): permission order is significant (see the "(Order matters)"
# note under common cap). New permissions belong at the end of a block;
# existing ones must not be reordered or removed. Permissions that are no
# longer used stay in place and are marked as such (see flow_in/flow_out
# under class packet and mac_override/mac_admin under common cap2).
#

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

#
# Capabilities >= 32. As with common cap above, the order here must
# follow the definitions in include/linux/capability.h.
#
common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# No class-specific permissions: the common socket set only.
class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}

class process2
{
	nnp_transition
	nosuid_transition
}

#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): these permissions act on the security server itself
# (load_policy, setenforce, setbool, setsecparam, setcheckreqprot, ...).
# Grants to this class are high-impact; keep them to the minimum set of
# domains and review any new allow rule on this class explicitly.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
	validate_trans
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class infiniband_pkey
{
	access
}

class infiniband_endport
{
	manage_subnet
}

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
	name_connect
	association
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class bpf
{
	map_create
	map_read
	map_write
	prog_load
	prog_run
}

#
# NOTE(review): property_service through drmservice do not appear among the
# kernel object classes above and are presumably enforced by userspace
# object managers -- confirm against the components that check them.
#

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class hwservice_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
	gen_unique_id
}

# NOTE(review): style -- this class uses camelCase permission names and an
# opening brace on the class line, unlike the snake_case, brace-on-its-own-
# line convention used everywhere else in this file. Renaming would change
# the permission identifiers referenced by policy, so it is only flagged here.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}

class xdp_socket
inherits socket