#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# NOTE(review): checkpolicy assigns permission bit values in declaration
# order, so every common and class in this file should only ever be
# appended to; reordering or dropping an entry shifts the bits of the
# entries that follow it.


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# The first ten entries repeat the head of `common file` by name: the
# grammar above gives a common no inherits clause, so the two lists have
# to be kept in step by hand.

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common prefix for userspace database object access vectors.
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class declared with `inherits` and no brace block carries exactly the
# permissions of the named common; a brace block adds class-specific
# permissions after the inherited ones.


#
# Define the access vector interpretation for file-related objects.
#
# filesystem and fd do not inherit `common file`; every other class in
# this section does, and lists only its object-specific additions.

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

# NOTE(review): within this section execute_no_trans and entrypoint are
# declared only on file and chr_file.
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#
# Socket classes declared with `inherits socket` and no brace block carry
# exactly the permissions of `common socket`.

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#
# The five sig* entries are separate permissions; the trailing comments
# record which signals each one covers.

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# NOTE(review): load_policy, setenforce, setbool and setcheckreqprot act on
# the security server's own state; presumably only the policy-management
# domains should be granted them — confirm against the rules that use them.

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the capability2 class.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
#
# 32 entries follow, one per capability number 0-31; capability2
# continues the numbering at 32.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

class capability2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
# NOTE(review): rootok is the one entry here whose comment says the
# authentication step is skipped; grants of it deserve separate review.
class passwd
{
	passwd # change another user passwd
	chfn # change another user finger info
	chsh # change another user shell
	rootok # pam_rootok check (skip auth)
	crontab # crontab on another user
}

#
# SE-X Windows stuff
#
class x_drawable
{
	create
	destroy
	read
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override
	show
	hide
	send
	receive
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}

class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}

class x_selection
{
	read
	write
	getattr
	setattr
}

class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}

class x_client
{
	destroy
	getattr
	setattr
	manage
}

# Carries exactly the permissions of `common x_device`.
class x_device
inherits x_device

class x_server
{
	getattr
	setattr
	record
	debug
	grab
	manage
}

class x_extension
{
	query
	use
}

class x_resource
{
	read
	write
}

class x_event
{
	send
	receive
}

class x_synthetic_event
{
	send
	receive
}

#
# Extended Netlink classes
#
# Each netlink_*_socket class inherits `common socket`; those with a brace
# block add the nlmsg_* permissions listed. netlink_audit_socket alone adds
# nlmsg_relay, nlmsg_readpriv and nlmsg_tty_audit.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
	acquire_svc
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Entries marked deprecated below are kept in place; presumably so the bit
# values of the permissions declared after them do not shift — confirm
# before removing any of them.
class packet
{
	send
	recv
	relabelto
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class context
{
	translate
	contains
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

class db_database
inherits database
{
	access
	install_module
	load_module
	get_param # deprecated
	set_param # deprecated
}

class db_table
inherits database
{
	use # deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure
inherits database
{
	execute
	entrypoint
	install
}

class db_column
inherits database
{
	use # deprecated
	select
	update
	insert
}

# db_tuple does not inherit `common database`; relabelfrom/relabelto are
# declared inline instead.
class db_tuple
{
	relabelfrom
	relabelto
	use # deprecated
	select
	update
	insert
	delete
}

class db_blob
inherits database
{
	read
	write
	import
	export
}

# network peer labels
class peer
{
	recv
}

class x_application_data
{
	paste
	paste_after_confirm
	copy
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket

# x_pointer and x_keyboard carry exactly the permissions of `common x_device`.
class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
	search
	add_name
	remove_name
}

class db_view
inherits database
{
	expand
}

class db_sequence
inherits database
{
	get_value
	next_value
	set_value
}

class db_language
inherits database
{
	implement
	execute
}

# NOTE(review): binder, zygote and property_service do not appear in the
# upstream reference policy listing; presumably Android-specific additions —
# confirm against the policy this file is built with.
class binder
{
	impersonate
	call
	set_context_mgr
	transfer
	receive
}

class zygote
{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
}

class property_service
{
	set
}