#
# SELinux access vector definitions.
#
# Two kinds of declaration appear in this file:
#
#   common <name> { permission ... }
#       a reusable permission set that several classes can build on
#
#   class <name> [inherits <common>] { permission ... }
#       an object class; the optional "inherits" pulls in a common set and the
#       braces add class-specific permissions. A class that adds nothing of its
#       own omits the braces entirely (e.g. "class socket inherits socket").
#
# NOTE(review): the order in which permissions are declared is significant
# (see the comment inside class capability). New permissions are appended to
# the end of a set rather than inserted in the middle so existing assignments
# stay stable -- confirm against the policy compiler in use before reordering.
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
# Inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and fifo_file.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
# Inherited by every *_socket class below.
#

common socket
{
# inherited from file
# (the first ten entries repeat the start of "common file", in the same order)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
# Inherited by the ipc, sem, msgq and shm classes.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for userspace database object access vectors.
# Inherited by the db_* classes below, except db_tuple (see that class).
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
# Inherited by x_device, x_pointer and x_keyboard.
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

# The file-like classes below all build on "common file". Only file and
# chr_file additionally declare execute_no_trans and entrypoint.

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# File descriptor objects: a single permission.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket class: only the common socket permissions, no additions.
class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# Network node (host/address) objects.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

# Network interface objects.
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects.
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	# NOTE(review): the exec* permissions below, together with ptrace,
	# dyntransition and setcurrent, are the usual candidates for a tight
	# audit when reviewing allow rules, since they relax memory or domain
	# controls -- which domains hold them is decided by the policy rules,
	# not by this file.
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects.
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

# Individual messages (not built on "common ipc").
class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): load_policy, setenforce, setbool and setcheckreqprot change
# how policy itself is enforced; they deserve the narrowest grants of any
# permission in this file.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

#
# Define the access vector interpretation for controlling capabilities.
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Continues the capability numbering from 32 onward (see the comment in
# class capability); the same ordering constraint applies here.
class capability2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
	passwd	# change another user passwd
	chfn	# change another user finger info
	chsh	# change another user shell
	rootok  # pam_rootok check (skip auth)
	crontab # crontab on another user
}

#
# X Window System (SE-X) object classes.
#
class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}

class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}

class x_selection
{
	read
	write
	getattr
	setattr
}

class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}

class x_client
{
	destroy
	getattr
	setattr
	manage
}

class x_device
inherits x_device

class x_server
{
	getattr
	setattr
	record
	debug
	grab
	manage
}

class x_extension
{
	query
	use
}

class x_resource
{
	read
	write
}

class x_event
{
	send
	receive
}

class x_synthetic_event
{
	send
	receive
}

#
# Extended Netlink classes
#
# Families that carry readable/writable messages add nlmsg_read/nlmsg_write;
# netlink_nflog_socket, netlink_selinux_socket, netlink_dnrt_socket and
# netlink_kobject_uevent_socket (below) expose only the common socket
# permissions.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
	acquire_svc
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Labeled network packets.
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

# Kernel keyring keys.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class context
{
	translate
	contains
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

class db_database
inherits database
{
	access
	install_module
	load_module
	get_param	# deprecated
	set_param	# deprecated
}

class db_table
inherits database
{
	use		# deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure
inherits database
{
	execute
	entrypoint
	install
}

class db_column
inherits database
{
	use		# deprecated
	select
	update
	insert
}

# Unlike the other db_* classes, db_tuple does not inherit "common database";
# it declares relabelfrom/relabelto itself and has no create/drop/getattr/setattr.
class db_tuple
{
	relabelfrom
	relabelto
	use		# deprecated
	select
	update
	insert
	delete
}

class db_blob
inherits database
{
	read
	write
	import
	export
}

# network peer labels
class peer
{
	recv
}

class x_application_data
{
	paste
	paste_after_confirm
	copy
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
	search
	add_name
	remove_name
}

class db_view
inherits database
{
	expand
}

class db_sequence
inherits database
{
	get_value
	next_value
	set_value
}

class db_language
inherits database
{
	implement
	execute
}

# NOTE(review): the remaining classes (binder, zygote, property_service,
# service_manager, keystore_key) are not kernel object classes; they appear
# to belong to userspace object managers on an Android-style platform --
# confirm against the platform's object manager sources.

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class zygote
{
	specifyids
	specifyrlimits
	specifyinvokewith
	specifyseinfo
}

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class keystore_key
{
	test
	get
	insert
	delete
	exist
	saw
	reset
	password
	lock
	unlock
	zero
	sign
	verify
	grant
	duplicate
	clear_uid
	reset_uid
	sync_uid
	password_uid
}

916	clear_uid
917	reset_uid
918	sync_uid
919	password_uid
920}
921