1#
2# Define common prefixes for access vectors. The order of permission names is significant (see the note under class capability): append new permissions at the end and never reorder or remove existing ones.
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
# Inherited by the dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file classes below; each class appends its own permissions after
# these. Order is significant (see the note under class capability):
# add new permissions at the end, never reorder.
11common file
12{
13 ioctl
14 read
15 write
16 create
17 getattr
18 setattr
19 lock
20 relabelfrom
21 relabelto
22 append
23 unlink
24 link
25 rename
26 execute
27 swapon
28 quotaon
29 mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
# Inherited by every socket class below (socket, tcp_socket, udp_socket,
# rawip_socket, the netlink_*_socket classes, packet_socket, key_socket,
# unix_stream_socket, unix_dgram_socket, appletalk_socket, dccp_socket and
# tun_socket). The first ten names repeat the leading names of common file,
# but this is an independent common: the grammar above allows a single
# "inherits" per class, so socket classes do not receive file's remaining
# permissions (unlink, execute, mounton, ...).
37common socket
38{
39# inherited from file
40 ioctl
41 read
42 write
43 create
44 getattr
45 setattr
46 lock
47 relabelfrom
48 relabelto
49 append
50# socket-specific
51 bind
52 connect
53 listen
54 accept
55 getopt
56 setopt
57 shutdown
58 recvfrom
59 sendto
60 recv_msg
61 send_msg
62 name_bind # NOTE(review): presumably checked against the port/name being bound rather than the socket - confirm
63}
64
65#
66# Define a common prefix for ipc access vectors.
67#
68
# Inherited by the ipc, sem, msgq and shm classes below.
# NOTE(review): unix_read/unix_write sit alongside read/write; presumably
# they mirror the classic System V IPC permission checks - confirm against
# the kernel's ipc hooks before relying on the distinction.
69common ipc
70{
71 create
72 destroy
73 getattr
74 setattr
75 read
76 write
77 associate
78 unix_read
79 unix_write
80}
81
82#
83# Define a common prefix for userspace database object access vectors.
84#
85
# Userspace object-manager common (per the comment above). Inherited by
# db_database, db_table, db_procedure, db_column, db_blob, db_schema,
# db_view, db_sequence and db_language. db_tuple does NOT inherit it and
# declares its own relabelfrom/relabelto.
86common database
87{
88 create
89 drop
90 getattr
91 setattr
92 relabelfrom
93 relabelto
94}
95
96#
97# Define a common prefix for pointer and keyboard access vectors.
98#
99
# Inherited by the x_device, x_pointer and x_keyboard classes below.
100common x_device
101{
102 getattr
103 setattr
104 use
105 read
106 write
107 getfocus
108 setfocus
109 bell
110 force_cursor
111 freeze
112 grab
113 manage
114 list_property
115 get_property
116 set_property
117 add
118 remove
119 create
120 destroy
121}
122
123#
124# Define the access vectors.
125#
126# class class_name [ inherits common_name ] { permission_name ... }
127
128
129#
130# Define the access vector interpretation for file-related objects.
131#
132
# Filesystem object class: mount/remount/unmount, relabeling and quota
# control. No common is inherited. NOTE(review): transition and associate
# are presumably the filesystem-level checks applied when files are
# created or labeled on this filesystem - confirm against the kernel's
# superblock hooks before writing policy that depends on them.
133class filesystem
134{
135 mount
136 remount
137 unmount
138 getattr
139 relabelfrom
140 relabelto
141 transition
142 associate
143 quotamod
144 quotaget
145}
146
# Directory class: common file plus the directory-only namespace
# permissions add_name, remove_name, reparent, search and rmdir.
# open, audit_access and execmod appear in every file-type class below.
147class dir
148inherits file
149{
150 add_name
151 remove_name
152 reparent
153 search
154 rmdir
155 open
156 audit_access
157 execmod
158}
159
# Regular file class. execute_no_trans and entrypoint appear only here and
# in chr_file. NOTE(review): entrypoint is the permission checked on the
# executable a domain transition enters, and execute_no_trans permits
# execution without a transition; both deserve tight allow rules - confirm
# exact semantics against the kernel's exec hooks.
160class file
161inherits file
162{
163 execute_no_trans
164 entrypoint
165 execmod
166 open
167 audit_access
168}
169
# Symbolic link class: common file plus open, audit_access and execmod.
170class lnk_file
171inherits file
172{
173 open
174 audit_access
175 execmod
176}
177
# Character device class. Like class file it carries execute_no_trans and
# entrypoint - the only non-regular file class that does. NOTE(review):
# audit any policy granting these on chr_file; executing a device node or
# using one as a domain entrypoint is rarely intended.
178class chr_file
179inherits file
180{
181 execute_no_trans
182 entrypoint
183 execmod
184 open
185 audit_access
186}
187
# Block device class: common file plus open, audit_access and execmod.
188class blk_file
189inherits file
190{
191 open
192 audit_access
193 execmod
194}
195
# Unix-domain socket file (filesystem node) class: common file plus open,
# audit_access and execmod. Socket I/O itself is governed by the
# unix_*_socket classes, not this one.
196class sock_file
197inherits file
198{
199 open
200 audit_access
201 execmod
202}
203
# Named pipe class: common file plus open, audit_access and execmod.
204class fifo_file
205inherits file
206{
207 open
208 audit_access
209 execmod
210}
211
# File descriptor class with a single permission. NOTE(review): use is
# presumably checked when a domain uses a descriptor created by another
# domain (inherited or passed) - confirm against the kernel's fd hooks.
212class fd
213{
214 use
215}
216
217
218#
219# Define the access vector interpretation for network-related objects.
220#
221
# Generic socket class: exactly the socket common, nothing added.
222class socket
223inherits socket
224
# TCP socket class: socket common plus the connection-oriented trio
# (connectto, newconn, acceptfrom - shared with unix_stream_socket),
# node_bind and name_connect. NOTE(review): name_connect is presumably
# the outbound check against the destination port type and node_bind the
# check against the local address - confirm against the kernel.
225class tcp_socket
226inherits socket
227{
228 connectto
229 newconn
230 acceptfrom
231 node_bind
232 name_connect
233}
234
# UDP socket class: socket common plus node_bind.
235class udp_socket
236inherits socket
237{
238 node_bind
239}
240
# Raw IP socket class: socket common plus node_bind. Raw sockets also need
# net_raw in class capability; restrict both together.
241class rawip_socket
242inherits socket
243{
244 node_bind
245}
246
# Network node (address) class. Per-protocol recv/send pairs and
# enforce_dest come first; recvfrom/sendto are appended at the end.
# NOTE(review): the generic recvfrom/sendto appear to be the newer checks
# with the per-protocol ones kept for compatibility - confirm which your
# kernel enforces before writing allow rules against only one set.
247class node
248{
249 tcp_recv
250 tcp_send
251 udp_recv
252 udp_send
253 rawip_recv
254 rawip_send
255 enforce_dest
256 dccp_recv
257 dccp_send
258 recvfrom
259 sendto
260}
261
# Network interface class. Same per-protocol recv/send pairs as class node
# (minus enforce_dest), with ingress/egress appended at the end.
# NOTE(review): as with node, ingress/egress appear to be the newer
# generic checks - confirm which set your kernel enforces.
262class netif
263{
264 tcp_recv
265 tcp_send
266 udp_recv
267 udp_send
268 rawip_recv
269 rawip_send
270 dccp_recv
271 dccp_send
272 ingress
273 egress
274}
275
# Generic netlink, packet and key socket classes: socket common only.
# The protocol-specific netlink classes with nlmsg_* permissions are
# defined further below under "Extended Netlink classes".
276class netlink_socket
277inherits socket
278
279class packet_socket
280inherits socket
281
282class key_socket
283inherits socket
284
# Unix stream socket class: socket common plus the same connection trio as
# tcp_socket (connectto, newconn, acceptfrom).
285class unix_stream_socket
286inherits socket
287{
288 connectto
289 newconn
290 acceptfrom
291}
292
# Unix datagram socket class: socket common only.
293class unix_dgram_socket
294inherits socket
295
296#
297# Define the access vector interpretation for process-related objects
298#
299
# Process class. Besides the signal permissions annotated inline, the
# following deserve explicit review in any policy because they change a
# domain's label, privilege or memory protections (reviewer note - confirm
# exact semantics against the kernel's process hooks):
#   transition, dyntransition, setcurrent, setexec, setfscreate,
#   setkeycreate, setsockcreate  - choose or change security labels
#   ptrace, share                - cross-domain memory/resource access
#   execmem, execstack, execheap - writable-and-executable memory
#   setcap, setrlimit, setsched  - privilege and resource limits
300class process
301{
302 fork
303 transition
304 sigchld # commonly granted from child to parent
305 sigkill # cannot be caught or ignored
306 sigstop # cannot be caught or ignored
307 signull # for kill(pid, 0)
308 signal # all other signals
309 ptrace
310 getsched
311 setsched
312 getsession
313 getpgid
314 setpgid
315 getcap
316 setcap
317 share
318 getattr
319 setexec
320 setfscreate
321 noatsecure
322 siginh
323 setrlimit
324 rlimitinh
325 dyntransition
326 setcurrent
327 execmem
328 execstack
329 execheap
330 setkeycreate
331 setsockcreate
332}
333
334
335#
336# Define the access vector interpretation for ipc-related objects
337#
338
# Generic IPC and semaphore classes: the ipc common only.
339class ipc
340inherits ipc
341
342class sem
343inherits ipc
344
# Message queue class: ipc common plus enqueue. Individual messages are
# covered by class msg below.
345class msgq
346inherits ipc
347{
348 enqueue
349}
350
# Message class (one message within a msgq): send and receive only, no
# common inherited.
351class msg
352{
353 send
354 receive
355}
356
# Shared memory segment class: ipc common plus lock.
357class shm
358inherits ipc
359{
360 lock
361}
362
363
364#
365# Define the access vector interpretation for the security server.
366#
367
# Security server class (the object is the SELinux security server itself).
# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot each change enforcement state or the loaded policy, so a
# domain holding any of them can weaken or replace the policy; confine
# them to the policy loader. read_policy exposes the loaded policy. The
# compute_* and check_context permissions are query-only. Confirm against
# the kernel's selinuxfs checks.
368class security
369{
370 compute_av
371 compute_create
372 compute_member
373 check_context
374 load_policy
375 compute_relabel
376 compute_user
377 setenforce # was avc_toggle in system class
378 setbool
379 setsecparam
380 setcheckreqprot
381 read_policy
382}
383
384
385#
386# Define the access vector interpretation for system operations.
387#
388
# System operations class (object is the kernel). NOTE(review):
# module_request is presumably the check on kernel-initiated module
# autoloading on behalf of a process; denying it to untrusted domains is a
# common hardening step - confirm against the kernel before relying on it.
389class system
390{
391 ipc_info
392 syslog_read
393 syslog_mod
394 syslog_console
395 module_request
396}
397
398#
399# Define the access vector interpretation for controlling capabilities
400#
401
# Capability class: 32 entries, chown through setfcap, one per capability
# value 0-31 in include/linux/capability.h order (see the note inside).
# Values 32 and up continue in class capability2 below. Never insert or
# reorder here - the position is the capability number.
402class capability
403{
404 # The capabilities are defined in include/linux/capability.h
405 # Capabilities >= 32 are defined in the capability2 class.
406 # Care should be taken to ensure that these are consistent with
407 # those definitions. (Order matters)
408
409 chown
410 dac_override
411 dac_read_search
412 fowner
413 fsetid
414 kill
415 setgid
416 setuid
417 setpcap
418 linux_immutable
419 net_bind_service
420 net_broadcast
421 net_admin
422 net_raw
423 ipc_lock
424 ipc_owner
425 sys_module
426 sys_rawio
427 sys_chroot
428 sys_ptrace
429 sys_pacct
430 sys_admin
431 sys_boot
432 sys_nice
433 sys_resource
434 sys_time
435 sys_tty_config
436 mknod
437 lease
438 audit_write
439 audit_control
440 setfcap
441}
442
# Continuation of class capability for capability values >= 32, in the
# same capability.h order (mac_override = 32 ... block_suspend = 36,
# assuming the numbering continues directly from class capability -
# confirm against capability.h when appending entries). mac_override and
# mac_admin are kept as placeholders so later positions stay aligned.
443class capability2
444{
445 mac_override # unused by SELinux
446 mac_admin # unused by SELinux
447 syslog
448 wake_alarm
449 block_suspend
450}
451
452#
453# Define the access vector interpretation for controlling
454# changes to passwd information.
455#
# Userspace class for passwd-family utilities and PAM; every permission
# here is an "act on another user" check. NOTE(review): rootok lets
# pam_rootok skip authentication per the comment below - treat a grant of
# it as equivalent to uid 0 when auditing allow rules.
456class passwd
457{
458 passwd # change another user passwd
459 chfn # change another user finger info
460 chsh # change another user shell
461 rootok # pam_rootok check (skip auth)
462 crontab # crontab on another user
463}
464
465#
466# Define the access vector interpretation for X Window System (SE-X) objects.
467#
# X Window System (SE-X) object classes. These are presumably enforced by
# the X server acting as a userspace object manager rather than by the
# kernel - confirm; they still follow the same append-only ordering rule
# as the kernel classes. x_device below inherits the x_device common
# defined at the top of this file, as do x_pointer and x_keyboard further
# down.
468class x_drawable
469{
470 create
471 destroy
472 read
473 write
474 blend
475 getattr
476 setattr
477 list_child
478 add_child
479 remove_child
480 list_property
481 get_property
482 set_property
483 manage
484 override
485 show
486 hide
487 send
488 receive
489}
490
491class x_screen
492{
493 getattr
494 setattr
495 hide_cursor
496 show_cursor
497 saver_getattr
498 saver_setattr
499 saver_hide
500 saver_show
501}
502
503class x_gc
504{
505 create
506 destroy
507 getattr
508 setattr
509 use
510}
511
512class x_font
513{
514 create
515 destroy
516 getattr
517 add_glyph
518 remove_glyph
519 use
520}
521
522class x_colormap
523{
524 create
525 destroy
526 read
527 write
528 getattr
529 add_color
530 remove_color
531 install
532 uninstall
533 use
534}
535
536class x_property
537{
538 create
539 destroy
540 read
541 write
542 append
543 getattr
544 setattr
545}
546
547class x_selection
548{
549 read
550 write
551 getattr
552 setattr
553}
554
555class x_cursor
556{
557 create
558 destroy
559 read
560 write
561 getattr
562 setattr
563 use
564}
565
566class x_client
567{
568 destroy
569 getattr
570 setattr
571 manage
572}
573
574class x_device
575inherits x_device
576
# NOTE(review): record, debug and grab on x_server presumably allow
# snooping or controlling the whole display (input recording, server
# debugging, global grabs) - confirm, and confine to the display manager.
577class x_server
578{
579 getattr
580 setattr
581 record
582 debug
583 grab
584 manage
585}
586
587class x_extension
588{
589 query
590 use
591}
592
593class x_resource
594{
595 read
596 write
597}
598
599class x_event
600{
601 send
602 receive
603}
604
605class x_synthetic_event
606{
607 send
608 receive
609}
610
611#
612# Extended Netlink classes
613#
# Extended netlink socket classes, one per netlink protocol family, all on
# top of the socket common. route, firewall, tcpdiag, xfrm and ip6fw add a
# message-level split (nlmsg_read / nlmsg_write); audit additionally has
# nlmsg_relay, nlmsg_readpriv and nlmsg_tty_audit; nflog, selinux and
# dnrt use the socket common only. NOTE(review): nlmsg_write on the
# route, firewall, xfrm and ip6fw sockets presumably lets the holder
# change routing, firewall or IPsec state - audit grants of it as
# carefully as net_admin in class capability, and confirm the kernel's
# mapping of netlink message types onto nlmsg_read/nlmsg_write.
614class netlink_route_socket
615inherits socket
616{
617 nlmsg_read
618 nlmsg_write
619}
620
621class netlink_firewall_socket
622inherits socket
623{
624 nlmsg_read
625 nlmsg_write
626}
627
628class netlink_tcpdiag_socket
629inherits socket
630{
631 nlmsg_read
632 nlmsg_write
633}
634
635class netlink_nflog_socket
636inherits socket
637
638class netlink_xfrm_socket
639inherits socket
640{
641 nlmsg_read
642 nlmsg_write
643}
644
645class netlink_selinux_socket
646inherits socket
647
648class netlink_audit_socket
649inherits socket
650{
651 nlmsg_read
652 nlmsg_write
653 nlmsg_relay # NOTE(review): presumably user-space audit messages relayed via the socket - confirm
654 nlmsg_readpriv
655 nlmsg_tty_audit
656}
657
658class netlink_ip6fw_socket
659inherits socket
660{
661 nlmsg_read
662 nlmsg_write
663}
664
665class netlink_dnrt_socket
666inherits socket
667
668# Define the access vector interpretation for controlling
669# access and communication through the D-BUS messaging
670# system.
671#
# D-Bus userspace class (see comment above): acquire_svc (presumably
# owning a bus name - confirm) and send_msg.
672class dbus
673{
674 acquire_svc
675 send_msg
676}
677
678# Define the access vector interpretation for controlling
679# access through the name service cache daemon (nscd).
680#
# nscd userspace class (see comment above): one get* permission per
# lookup database, the matching shmem* permission for shared-memory
# access to that cache, plus getstat and admin. getserv/shmemserv were
# appended after the original set - keep new pairs at the end too.
681class nscd
682{
683 getpwd
684 getgrp
685 gethost
686 getstat
687 admin
688 shmempwd
689 shmemgrp
690 shmemhost
691 getserv
692 shmemserv
693}
694
695# Define the access vector interpretation for controlling
696# access to IPSec network data by association
697#
# IPsec security association class (see comment above): sendto, recvfrom,
# setcontext and polmatch. No common is inherited.
698class association
699{
700 sendto
701 recvfrom
702 setcontext
703 polmatch
704}
705
706# Updated Netlink class for KOBJECT_UEVENT family.
# Two more socket classes on the socket common only: the KOBJECT_UEVENT
# netlink family (see comment above) and AppleTalk.
707class netlink_kobject_uevent_socket
708inherits socket
709
710class appletalk_socket
711inherits socket
712
# Network packet class. flow_in/flow_out are marked deprecated in place
# rather than removed (presumably to keep the positions of forward_in and
# forward_out stable - follow the same practice when retiring
# permissions).
713class packet
714{
715 send
716 recv
717 relabelto
718 flow_in # deprecated
719 flow_out # deprecated
720 forward_in
721 forward_out
722}
723
# Kernel keyring class: view, read, write, search, link, setattr, create.
# No common is inherited.
724class key
725{
726 view
727 read
728 write
729 search
730 link
731 setattr
732 create
733}
734
# Security context class: translate and contains. NOTE(review): presumably
# used by userspace context-translation services rather than the kernel -
# confirm.
735class context
736{
737 translate
738 contains
739}
740
# DCCP socket class: socket common plus node_bind and name_connect (the
# same pair tcp_socket has, without the connectto/newconn/acceptfrom trio).
741class dccp_socket
742inherits socket
743{
744 node_bind
745 name_connect
746}
747
# Memory protection class with a single permission. NOTE(review): mmap_zero
# is presumably the check for mapping the lowest region of the address
# space; denying it to all but trusted domains is a standard mitigation
# against kernel NULL-pointer-dereference exploitation - confirm against
# the kernel's mmap hook.
748class memprotect
749{
750 mmap_zero
751}
752
# Userspace database object classes built on common database. db_tuple is
# the one class here that does not inherit the common: it declares its own
# relabelfrom/relabelto and has no create/drop/getattr/setattr. Deprecated
# permissions are kept in place rather than removed (presumably so the
# positions of later permissions stay stable) - follow the same practice.
753class db_database
754inherits database
755{
756 access
757 install_module
758 load_module
759 get_param # deprecated
760 set_param # deprecated
761}
762
763class db_table
764inherits database
765{
766 use # deprecated
767 select
768 update
769 insert
770 delete
771 lock
772}
773
774class db_procedure
775inherits database
776{
777 execute
778 entrypoint
779 install
780}
781
782class db_column
783inherits database
784{
785 use # deprecated
786 select
787 update
788 insert
789}
790
791class db_tuple
792{
793 relabelfrom
794 relabelto
795 use # deprecated
796 select
797 update
798 insert
799 delete
800}
801
802class db_blob
803inherits database
804{
805 read
806 write
807 import
808 export
809}
810
811# network peer labels
# Network peer label class (see comment above): recv only.
812class peer
813{
814 recv
815}
816
# X application data class (presumably clipboard/selection transfer -
# confirm): paste, paste_after_confirm and copy.
817class x_application_data
818{
819 paste
820 paste_after_confirm
821 copy
822}
823
# Kernel service class. NOTE(review): use_as_override and create_files_as
# presumably let a kernel service act with, or create files labeled as,
# another security context; grant only to the domains that actually drive
# such services - confirm against the kernel's credential hooks.
824class kernel_service
825{
826 use_as_override
827 create_files_as
828}
829
# TUN/TAP socket class: socket common plus attach_queue.
830class tun_socket
831inherits socket
832{
833 attach_queue
834}
# Pointer and keyboard classes: the x_device common only (see the
# "pointer and keyboard access vectors" comment on that common).
836class x_pointer
837inherits x_device
838
839class x_keyboard
840inherits x_device
841
# Additional userspace database classes on common database, appended
# after the first db_* group above.
842class db_schema
843inherits database
844{
845 search
846 add_name
847 remove_name
848}
849
850class db_view
851inherits database
852{
853 expand
854}
855
856class db_sequence
857inherits database
858{
859 get_value
860 next_value
861 set_value
862}
863
864class db_language
865inherits database
866{
867 implement
868 execute
869}
870
# Android Binder IPC class. NOTE(review): set_context_mgr should be granted
# to exactly one domain (the service manager); impersonate and transfer
# (presumably passing binder references across domains - confirm) deserve
# explicit allow rules per client/server pair rather than broad grants.
871class binder
872{
873 impersonate
874 call
875 set_context_mgr
876 transfer
877}
878
# Android zygote class, presumably enforced by zygote in userspace when a
# caller asks it to spawn a process with specific uids/gids (specifyids),
# rlimits, an invoke-with wrapper or seinfo - confirm; these are not
# kernel checks.
879class zygote
880{
881 specifyids
882 specifyrlimits
883 specifyinvokewith
884 specifyseinfo
885}
# Android property service class with a single permission, presumably
# enforced by the property service in userspace when a domain writes a
# property (confirm that the object is the property's type).
887class property_service
888{
889 set
890}