• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13	ioctl
14	read
15	write
16	create
17	getattr
18	setattr
19	lock
20	relabelfrom
21	relabelto
22	append
23	map
24	unlink
25	link
26	rename
27	execute
28	quotaon
29	mounton
30	audit_access
31	open
32	execmod
33	watch
34	watch_mount
35	watch_sb
36	watch_with_perm
37	watch_reads
38}
39
40
41#
42# Define a common prefix for socket access vectors.
43#
44
45common socket
46{
47# inherited from file
48	ioctl
49	read
50	write
51	create
52	getattr
53	setattr
54	lock
55	relabelfrom
56	relabelto
57	append
58	map
59# socket-specific
60	bind
61	connect
62	listen
63	accept
64	getopt
65	setopt
66	shutdown
67	recvfrom
68	sendto
69	name_bind
70}
71
72#
73# Define a common prefix for ipc access vectors.
74#
75
76common ipc
77{
78	create
79	destroy
80	getattr
81	setattr
82	read
83	write
84	associate
85	unix_read
86	unix_write
87}
88
89#
90# Define a common for capability access vectors.
91#
92common cap
93{
94	# The capabilities are defined in include/linux/capability.h
95	# Capabilities >= 32 are defined in the cap2 common.
96	# Care should be taken to ensure that these are consistent with
97	# those definitions. (Order matters)
98
99	chown
100	dac_override
101	dac_read_search
102	fowner
103	fsetid
104	kill
105	setgid
106	setuid
107	setpcap
108	linux_immutable
109	net_bind_service
110	net_broadcast
111	net_admin
112	net_raw
113	ipc_lock
114	ipc_owner
115	sys_module
116	sys_rawio
117	sys_chroot
118	sys_ptrace
119	sys_pacct
120	sys_admin
121	sys_boot
122	sys_nice
123	sys_resource
124	sys_time
125	sys_tty_config
126	mknod
127	lease
128	audit_write
129	audit_control
130	setfcap
131}
132
133common cap2
134{
135	mac_override	# unused by SELinux
136	mac_admin
137	syslog
138	wake_alarm
139	block_suspend
140	audit_read
141}
142
143#
144# Define the access vectors.
145#
146# class class_name [ inherits common_name ] { permission_name ... }
147
148
149#
150# Define the access vector interpretation for file-related objects.
151#
152
153class filesystem
154{
155	mount
156	remount
157	unmount
158	getattr
159	relabelfrom
160	relabelto
161	associate
162	quotamod
163	quotaget
164	watch
165}
166
167class dir
168inherits file
169{
170	add_name
171	remove_name
172	reparent
173	search
174	rmdir
175}
176
177class file
178inherits file
179{
180	execute_no_trans
181	entrypoint
182}
183
184class lnk_file
185inherits file
186
187class chr_file
188inherits file
189{
190	execute_no_trans
191	entrypoint
192}
193
194class blk_file
195inherits file
196
197class sock_file
198inherits file
199
200class fifo_file
201inherits file
202
203class fd
204{
205	use
206}
207
208
209#
210# Define the access vector interpretation for network-related objects.
211#
212
213class socket
214inherits socket
215
216class tcp_socket
217inherits socket
218{
219	node_bind
220	name_connect
221}
222
223class udp_socket
224inherits socket
225{
226	node_bind
227}
228
229class rawip_socket
230inherits socket
231{
232	node_bind
233}
234
235class node
236{
237	recvfrom
238	sendto
239}
240
241class netif
242{
243	ingress
244	egress
245}
246
247class netlink_socket
248inherits socket
249
250class packet_socket
251inherits socket
252
253class key_socket
254inherits socket
255
256class unix_stream_socket
257inherits socket
258{
259	connectto
260}
261
262class unix_dgram_socket
263inherits socket
264
265#
266# Define the access vector interpretation for process-related objects
267#
268
269class process
270{
271	fork
272	transition
273	sigchld # commonly granted from child to parent
274	sigkill # cannot be caught or ignored
275	sigstop # cannot be caught or ignored
276	signull # for kill(pid, 0)
277	signal  # all other signals
278	ptrace
279	getsched
280	setsched
281	getsession
282	getpgid
283	setpgid
284	getcap
285	setcap
286	share
287	getattr
288	setexec
289	setfscreate
290	noatsecure
291	siginh
292	setrlimit
293	rlimitinh
294	dyntransition
295	setcurrent
296	execmem
297	execstack
298	execheap
299	setkeycreate
300	setsockcreate
301	getrlimit
302}
303
304class process2
305{
306	nnp_transition
307	nosuid_transition
308}
309
310#
311# Define the access vector interpretation for ipc-related objects
312#
313
314class ipc
315inherits ipc
316
317class sem
318inherits ipc
319
320class msgq
321inherits ipc
322{
323	enqueue
324}
325
326class msg
327{
328	send
329	receive
330}
331
332class shm
333inherits ipc
334{
335	lock
336}
337
338
339#
340# Define the access vector interpretation for the security server.
341#
342
343class security
344{
345	compute_av
346	compute_create
347	compute_member
348	check_context
349	load_policy
350	compute_relabel
351	compute_user
352	setenforce     # was avc_toggle in system class
353	setbool
354	setsecparam
355	setcheckreqprot
356	read_policy
357	validate_trans
358}
359
360
361#
362# Define the access vector interpretation for system operations.
363#
364
365class system
366{
367	ipc_info
368	syslog_read
369	syslog_mod
370	syslog_console
371	module_request
372	module_load
373}
374
375#
376# Define the access vector interpretation for controlling capabilities
377#
378
379class capability
380inherits cap
381
382class capability2
383inherits cap2
384
385#
386# Extended Netlink classes
387#
388class netlink_route_socket
389inherits socket
390{
391	nlmsg_read
392	nlmsg_write
393	nlmsg_readpriv
394}
395
396class netlink_tcpdiag_socket
397inherits socket
398{
399	nlmsg_read
400	nlmsg_write
401}
402
403class netlink_nflog_socket
404inherits socket
405
406class netlink_xfrm_socket
407inherits socket
408{
409	nlmsg_read
410	nlmsg_write
411}
412
413class netlink_selinux_socket
414inherits socket
415
416class netlink_audit_socket
417inherits socket
418{
419	nlmsg_read
420	nlmsg_write
421	nlmsg_relay
422	nlmsg_readpriv
423	nlmsg_tty_audit
424}
425
426class netlink_dnrt_socket
427inherits socket
428
429# Define the access vector interpretation for controlling
430# access to IPSec network data by association
431#
432class association
433{
434	sendto
435	recvfrom
436	setcontext
437	polmatch
438}
439
440# Updated Netlink class for KOBJECT_UEVENT family.
441class netlink_kobject_uevent_socket
442inherits socket
443
444class appletalk_socket
445inherits socket
446
447class packet
448{
449	send
450	recv
451	relabelto
452	forward_in
453	forward_out
454}
455
456class key
457{
458	view
459	read
460	write
461	search
462	link
463	setattr
464	create
465}
466
467class dccp_socket
468inherits socket
469{
470	node_bind
471	name_connect
472}
473
474class memprotect
475{
476	mmap_zero
477}
478
479# network peer labels
480class peer
481{
482	recv
483}
484
485class kernel_service
486{
487	use_as_override
488	create_files_as
489}
490
491class tun_socket
492inherits socket
493{
494	attach_queue
495}
496
497class binder
498{
499	impersonate
500	call
501	set_context_mgr
502	transfer
503}
504
505class netlink_iscsi_socket
506inherits socket
507
508class netlink_fib_lookup_socket
509inherits socket
510
511class netlink_connector_socket
512inherits socket
513
514class netlink_netfilter_socket
515inherits socket
516
517class netlink_generic_socket
518inherits socket
519
520class netlink_scsitransport_socket
521inherits socket
522
523class netlink_rdma_socket
524inherits socket
525
526class netlink_crypto_socket
527inherits socket
528
529class infiniband_pkey
530{
531	access
532}
533
534class infiniband_endport
535{
536	manage_subnet
537}
538
539#
540# Define the access vector interpretation for controlling capabilities
541# in user namespaces
542#
543
544class cap_userns
545inherits cap
546
547class cap2_userns
548inherits cap2
549
550
551#
552# Define the access vector interpretation for the new socket classes
553# enabled by the extended_socket_class policy capability.
554#
555
556#
557# The next two classes were previously mapped to rawip_socket and therefore
558# have the same definition as rawip_socket (until further permissions
559# are defined).
560#
561class sctp_socket
562inherits socket
563{
564	node_bind
565	name_connect
566	association
567}
568
569class icmp_socket
570inherits socket
571{
572	node_bind
573}
574
575#
576# The remaining network socket classes were previously
577# mapped to the socket class and therefore have the
578# same definition as socket.
579#
580
581class ax25_socket
582inherits socket
583
584class ipx_socket
585inherits socket
586
587class netrom_socket
588inherits socket
589
590class atmpvc_socket
591inherits socket
592
593class x25_socket
594inherits socket
595
596class rose_socket
597inherits socket
598
599class decnet_socket
600inherits socket
601
602class atmsvc_socket
603inherits socket
604
605class rds_socket
606inherits socket
607
608class irda_socket
609inherits socket
610
611class pppox_socket
612inherits socket
613
614class llc_socket
615inherits socket
616
617class can_socket
618inherits socket
619
620class tipc_socket
621inherits socket
622
623class bluetooth_socket
624inherits socket
625
626class iucv_socket
627inherits socket
628
629class rxrpc_socket
630inherits socket
631
632class isdn_socket
633inherits socket
634
635class phonet_socket
636inherits socket
637
638class ieee802154_socket
639inherits socket
640
641class caif_socket
642inherits socket
643
644class alg_socket
645inherits socket
646
647class nfc_socket
648inherits socket
649
650class vsock_socket
651inherits socket
652
653class kcm_socket
654inherits socket
655
656class qipcrtr_socket
657inherits socket
658
659class smc_socket
660inherits socket
661
662class bpf
663{
664	map_create
665	map_read
666	map_write
667	prog_load
668	prog_run
669}
670
671class property_service
672{
673	set
674}
675
676class service_manager
677{
678	add
679	find
680	list
681}
682
683class hwservice_manager
684{
685	add
686	find
687	list
688}
689
690class keystore_key
691{
692	get_state
693	get
694	insert
695	delete
696	exist
697	list
698	reset
699	password
700	lock
701	unlock
702	is_empty
703	sign
704	verify
705	grant
706	duplicate
707	clear_uid
708	add_auth
709	user_changed
710	gen_unique_id
711}
712
713class drmservice {
714	consumeRights
715	setPlaybackStatus
716	openDecryptSession
717	closeDecryptSession
718	initializeDecryptUnit
719	decrypt
720	finalizeDecryptUnit
721	pread
722}
723
724class xdp_socket
725inherits socket
726
727class perf_event
728{
729	open
730	cpu
731	kernel
732	tracepoint
733	read
734	write
735}
736
737class lockdown
738{
739	integrity
740	confidentiality
741}
742