1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13	ioctl
14	read
15	write
16	create
17	getattr
18	setattr
19	lock
20	relabelfrom
21	relabelto
22	append
23	unlink
24	link
25	rename
26	execute
27	swapon
28	quotaon
29	mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
37common socket
38{
39# inherited from file
40	ioctl
41	read
42	write
43	create
44	getattr
45	setattr
46	lock
47	relabelfrom
48	relabelto
49	append
50# socket-specific
51	bind
52	connect
53	listen
54	accept
55	getopt
56	setopt
57	shutdown
58	recvfrom
59	sendto
60	recv_msg
61	send_msg
62	name_bind
63}
64
65#
66# Define a common prefix for ipc access vectors.
67#
68
69common ipc
70{
71	create
72	destroy
73	getattr
74	setattr
75	read
76	write
77	associate
78	unix_read
79	unix_write
80}
81
82#
83# Define the access vectors.
84#
85# class class_name [ inherits common_name ] { permission_name ... }
86
87
88#
89# Define the access vector interpretation for file-related objects.
90#
91
92class filesystem
93{
94	mount
95	remount
96	unmount
97	getattr
98	relabelfrom
99	relabelto
100	transition
101	associate
102	quotamod
103	quotaget
104}
105
106class dir
107inherits file
108{
109	add_name
110	remove_name
111	reparent
112	search
113	rmdir
114	open
115	audit_access
116	execmod
117}
118
119class file
120inherits file
121{
122	execute_no_trans
123	entrypoint
124	execmod
125	open
126	audit_access
127}
128
129class lnk_file
130inherits file
131{
132	open
133	audit_access
134	execmod
135}
136
137class chr_file
138inherits file
139{
140	execute_no_trans
141	entrypoint
142	execmod
143	open
144	audit_access
145}
146
147class blk_file
148inherits file
149{
150	open
151	audit_access
152	execmod
153}
154
155class sock_file
156inherits file
157{
158	open
159	audit_access
160	execmod
161}
162
163class fifo_file
164inherits file
165{
166	open
167	audit_access
168	execmod
169}
170
171class fd
172{
173	use
174}
175
176
177#
178# Define the access vector interpretation for network-related objects.
179#
180
181class socket
182inherits socket
183
184class tcp_socket
185inherits socket
186{
187	connectto
188	newconn
189	acceptfrom
190	node_bind
191	name_connect
192}
193
194class udp_socket
195inherits socket
196{
197	node_bind
198}
199
200class rawip_socket
201inherits socket
202{
203	node_bind
204}
205
206class node
207{
208	tcp_recv
209	tcp_send
210	udp_recv
211	udp_send
212	rawip_recv
213	rawip_send
214	enforce_dest
215	dccp_recv
216	dccp_send
217	recvfrom
218	sendto
219}
220
221class netif
222{
223	tcp_recv
224	tcp_send
225	udp_recv
226	udp_send
227	rawip_recv
228	rawip_send
229	dccp_recv
230	dccp_send
231	ingress
232	egress
233}
234
235class netlink_socket
236inherits socket
237
238class packet_socket
239inherits socket
240
241class key_socket
242inherits socket
243
244class unix_stream_socket
245inherits socket
246{
247	connectto
248	newconn
249	acceptfrom
250}
251
252class unix_dgram_socket
253inherits socket
254
255#
256# Define the access vector interpretation for process-related objects
257#
258
259class process
260{
261	fork
262	transition
263	sigchld # commonly granted from child to parent
264	sigkill # cannot be caught or ignored
265	sigstop # cannot be caught or ignored
266	signull # for kill(pid, 0)
267	signal  # all other signals
268	ptrace
269	getsched
270	setsched
271	getsession
272	getpgid
273	setpgid
274	getcap
275	setcap
276	share
277	getattr
278	setexec
279	setfscreate
280	noatsecure
281	siginh
282	setrlimit
283	rlimitinh
284	dyntransition
285	setcurrent
286	execmem
287	execstack
288	execheap
289	setkeycreate
290	setsockcreate
291}
292
293
294#
295# Define the access vector interpretation for ipc-related objects
296#
297
298class ipc
299inherits ipc
300
301class sem
302inherits ipc
303
304class msgq
305inherits ipc
306{
307	enqueue
308}
309
310class msg
311{
312	send
313	receive
314}
315
316class shm
317inherits ipc
318{
319	lock
320}
321
322
323#
324# Define the access vector interpretation for the security server.
325#
326
327class security
328{
329	compute_av
330	compute_create
331	compute_member
332	check_context
333	load_policy
334	compute_relabel
335	compute_user
336	setenforce     # was avc_toggle in system class
337	setbool
338	setsecparam
339	setcheckreqprot
340	read_policy
341}
342
343
344#
345# Define the access vector interpretation for system operations.
346#
347
348class system
349{
350	ipc_info
351	syslog_read
352	syslog_mod
353	syslog_console
354	module_request
355	module_load
356}
357
358#
359# Define the access vector interpretation for controlling capabilities
360#
361
362class capability
363{
364	# The capabilities are defined in include/linux/capability.h
365	# Capabilities >= 32 are defined in the capability2 class.
366	# Care should be taken to ensure that these are consistent with
367	# those definitions. (Order matters)
368
369	chown
370	dac_override
371	dac_read_search
372	fowner
373	fsetid
374	kill
375	setgid
376	setuid
377	setpcap
378	linux_immutable
379	net_bind_service
380	net_broadcast
381	net_admin
382	net_raw
383	ipc_lock
384	ipc_owner
385	sys_module
386	sys_rawio
387	sys_chroot
388	sys_ptrace
389	sys_pacct
390	sys_admin
391	sys_boot
392	sys_nice
393	sys_resource
394	sys_time
395	sys_tty_config
396	mknod
397	lease
398	audit_write
399	audit_control
400	setfcap
401}
402
403class capability2
404{
405	mac_override	# unused by SELinux
406	mac_admin	# unused by SELinux
407	syslog
408	wake_alarm
409	block_suspend
410	audit_read
411}
412
413#
414# Extended Netlink classes
415#
416class netlink_route_socket
417inherits socket
418{
419	nlmsg_read
420	nlmsg_write
421}
422
423class netlink_firewall_socket
424inherits socket
425{
426	nlmsg_read
427	nlmsg_write
428}
429
430class netlink_tcpdiag_socket
431inherits socket
432{
433	nlmsg_read
434	nlmsg_write
435}
436
437class netlink_nflog_socket
438inherits socket
439
440class netlink_xfrm_socket
441inherits socket
442{
443	nlmsg_read
444	nlmsg_write
445}
446
447class netlink_selinux_socket
448inherits socket
449
450class netlink_audit_socket
451inherits socket
452{
453	nlmsg_read
454	nlmsg_write
455	nlmsg_relay
456	nlmsg_readpriv
457	nlmsg_tty_audit
458}
459
460class netlink_ip6fw_socket
461inherits socket
462{
463	nlmsg_read
464	nlmsg_write
465}
466
467class netlink_dnrt_socket
468inherits socket
469
470# Define the access vector interpretation for controlling
471# access to IPSec network data by association
472#
473class association
474{
475	sendto
476	recvfrom
477	setcontext
478	polmatch
479}
480
481# Updated Netlink class for KOBJECT_UEVENT family.
482class netlink_kobject_uevent_socket
483inherits socket
484
485class appletalk_socket
486inherits socket
487
488class packet
489{
490	send
491	recv
492	relabelto
493	flow_in		# deprecated
494	flow_out	# deprecated
495	forward_in
496	forward_out
497}
498
499class key
500{
501	view
502	read
503	write
504	search
505	link
506	setattr
507	create
508}
509
510class dccp_socket
511inherits socket
512{
513	node_bind
514	name_connect
515}
516
517class memprotect
518{
519	mmap_zero
520}
521
522# network peer labels
523class peer
524{
525	recv
526}
527
528class kernel_service
529{
530	use_as_override
531	create_files_as
532}
533
534class tun_socket
535inherits socket
536{
537	attach_queue
538}
539
540class binder
541{
542	impersonate
543	call
544	set_context_mgr
545	transfer
546}
547
548class netlink_iscsi_socket
549inherits socket
550
551class netlink_fib_lookup_socket
552inherits socket
553
554class netlink_connector_socket
555inherits socket
556
557class netlink_netfilter_socket
558inherits socket
559
560class netlink_generic_socket
561inherits socket
562
563class netlink_scsitransport_socket
564inherits socket
565
566class netlink_rdma_socket
567inherits socket
568
569class netlink_crypto_socket
570inherits socket
571
572class property_service
573{
574	set
575}
576
577class service_manager
578{
579	add
580	find
581	list
582}
583
584class keystore_key
585{
586	get_state
587	get
588	insert
589	delete
590	exist
591	list
592	reset
593	password
594	lock
595	unlock
596	is_empty
597	sign
598	verify
599	grant
600	duplicate
601	clear_uid
602	add_auth
603	user_changed
604}
605
606class debuggerd
607{
608	dump_tombstone
609	dump_backtrace
610}
611
612class drmservice {
613	consumeRights
614	setPlaybackStatus
615	openDecryptSession
616	closeDecryptSession
617	initializeDecryptUnit
618	decrypt
619	finalizeDecryptUnit
620	pread
621}
622