      1 #
      2 # Define common prefixes for access vectors
      3 #
      4 # common common_name { permission_name ... }
      5 
      6 
      7 #
      8 # Define a common prefix for file access vectors.
      9 #
     10 
     11 common file
     12 {
        	# Shared by every file-like class defined below (dir, file, lnk_file,
        	# chr_file, blk_file, sock_file and fifo_file all "inherit file"), so
        	# an entry added here widens the access vector of all of them at once.
     13 	ioctl
     14 	read
     15 	write
     16 	create
     17 	getattr
     18 	setattr
     19 	lock
     20 	relabelfrom
     21 	relabelto
     22 	append
     23 	unlink
     24 	link
     25 	rename
     26 	execute
     27 	swapon
     28 	quotaon
     29 	mounton
     30 }
     31 
     32 
     33 #
     34 # Define a common prefix for socket access vectors.
     35 #
     36 
     37 common socket
     38 {
        	# The "common" form has no inherits clause (see the grammar at the top
        	# of the file; only "class" may inherit), so the ten file permissions
        	# below are repeated by hand rather than inherited. Keep this list in
        	# step with common file.
     39 # inherited from file
     40 	ioctl
     41 	read
     42 	write
     43 	create
     44 	getattr
     45 	setattr
     46 	lock
     47 	relabelfrom
     48 	relabelto
     49 	append
     50 # socket-specific
     51 	bind
     52 	connect
     53 	listen
     54 	accept
     55 	getopt
     56 	setopt
     57 	shutdown
     58 	recvfrom
     59 	sendto
     60 	recv_msg
     61 	send_msg
     62 	name_bind
     63 }
     64 
     65 #
     66 # Define a common prefix for ipc access vectors.
     67 #
     68 
     69 common ipc
     70 {
     71 	create
     72 	destroy
     73 	getattr
     74 	setattr
     75 	read
     76 	write
     77 	associate
     78 	unix_read
     79 	unix_write
     80 }
     81 
     82 #
     83 #  Define a common prefix for userspace database object access vectors.
     84 #
     85 
     86 common database
     87 {
     88 	create
     89 	drop
     90 	getattr
     91 	setattr
     92 	relabelfrom
     93 	relabelto
     94 }
     95 
     96 #
     97 # Define a common prefix for pointer and keyboard access vectors.
     98 #
     99 
    100 common x_device
    101 {
    102 	getattr
    103 	setattr
    104 	use
    105 	read
    106 	write
    107 	getfocus
    108 	setfocus
    109 	bell
    110 	force_cursor
    111 	freeze
    112 	grab
    113 	manage
    114 	list_property
    115 	get_property
    116 	set_property
    117 	add
    118 	remove
    119 	create
    120 	destroy
    121 }
    122 
    123 #
    124 # Define the access vectors.
    125 #
    126 # class class_name [ inherits common_name ] { permission_name ... }
    127 
    128 
    129 #
    130 # Define the access vector interpretation for file-related objects.
    131 #
    132 
    133 class filesystem
    134 {
    135 	mount
    136 	remount
    137 	unmount
    138 	getattr
    139 	relabelfrom
    140 	relabelto
    141 	transition
    142 	associate
    143 	quotamod
    144 	quotaget
    145 }
    146 
    147 class dir
    148 inherits file
    149 {
    150 	add_name
    151 	remove_name
    152 	reparent
    153 	search
    154 	rmdir
    155 	open
    156 	audit_access
    157 	execmod
    158 }
    159 
    160 class file
    161 inherits file
    162 {
        	# "inherits file" names the common block called file, not this class:
        	# common and class names are separate namespaces (socket, ipc and
        	# x_device are likewise defined here as both a common and a class).
    163 	execute_no_trans
    164 	entrypoint
    165 	execmod
    166 	open
    167 	audit_access
    168 }
    169 
    170 class lnk_file
    171 inherits file
    172 {
    173 	open
    174 	audit_access
    175 	execmod
    176 }
    177 
    178 class chr_file
    179 inherits file
    180 {
    181 	execute_no_trans
    182 	entrypoint
    183 	execmod
    184 	open
    185 	audit_access
    186 }
    187 
    188 class blk_file
    189 inherits file
    190 {
    191 	open
    192 	audit_access
    193 	execmod
    194 }
    195 
    196 class sock_file
    197 inherits file
    198 {
    199 	open
    200 	audit_access
    201 	execmod
    202 }
    203 
    204 class fifo_file
    205 inherits file
    206 {
    207 	open
    208 	audit_access
    209 	execmod
    210 }
    211 
    212 class fd
    213 {
    214 	use
    215 }
    216 
    217 
    218 #
    219 # Define the access vector interpretation for network-related objects.
    220 #
    221 
    222 class socket
    223 inherits socket	# no brace body: the access vector is exactly common socket, with no class-specific permissions
    224 
    225 class tcp_socket
    226 inherits socket
    227 {
    228 	connectto
    229 	newconn
    230 	acceptfrom
    231 	node_bind
    232 	name_connect
    233 }
    234 
    235 class udp_socket
    236 inherits socket
    237 {
    238 	node_bind
    239 }
    240 
    241 class rawip_socket
    242 inherits socket
    243 {
    244 	node_bind
    245 }
    246 
    247 class node
    248 {
    249 	tcp_recv
    250 	tcp_send
    251 	udp_recv
    252 	udp_send
    253 	rawip_recv
    254 	rawip_send
    255 	enforce_dest
    256 	dccp_recv
    257 	dccp_send
    258 	recvfrom
    259 	sendto
    260 }
    261 
    262 class netif
    263 {
    264 	tcp_recv
    265 	tcp_send
    266 	udp_recv
    267 	udp_send
    268 	rawip_recv
    269 	rawip_send
    270 	dccp_recv
    271 	dccp_send
    272 	ingress
    273 	egress
    274 }
    275 
    276 class netlink_socket
    277 inherits socket
    278 
    279 class packet_socket
    280 inherits socket
    281 
    282 class key_socket
    283 inherits socket
    284 
    285 class unix_stream_socket
    286 inherits socket
    287 {
    288 	connectto
    289 	newconn
    290 	acceptfrom
    291 }
    292 
    293 class unix_dgram_socket
    294 inherits socket
    295 
    296 #
    297 # Define the access vector interpretation for process-related objects
    298 #
    299 
    300 class process
    301 {
        	# NOTE(review): the permissions here that act across a privilege
        	# boundary rather than on the caller's own state (ptrace, transition,
        	# dyntransition, setcurrent, setexec, setcap, execmem/execstack/execheap)
        	# are the ones to audit most carefully when a domain is granted this
        	# class — confirm the exact semantics against the kernel's process hooks.
    302 	fork
    303 	transition
    304 	sigchld # commonly granted from child to parent
    305 	sigkill # cannot be caught or ignored
    306 	sigstop # cannot be caught or ignored
    307 	signull # for kill(pid, 0)
    308 	signal  # all other signals
    309 	ptrace
    310 	getsched
    311 	setsched
    312 	getsession
    313 	getpgid
    314 	setpgid
    315 	getcap
    316 	setcap
    317 	share
    318 	getattr
    319 	setexec
    320 	setfscreate
    321 	noatsecure
    322 	siginh
    323 	setrlimit
    324 	rlimitinh
    325 	dyntransition
    326 	setcurrent
    327 	execmem
    328 	execstack
    329 	execheap
    330 	setkeycreate
    331 	setsockcreate
    332 }
    333 
    334 
    335 #
    336 # Define the access vector interpretation for ipc-related objects
    337 #
    338 
    339 class ipc
    340 inherits ipc
    341 
    342 class sem
    343 inherits ipc
    344 
    345 class msgq
    346 inherits ipc
    347 {
    348 	enqueue
    349 }
    350 
    351 class msg
    352 {
    353 	send
    354 	receive
    355 }
    356 
    357 class shm
    358 inherits ipc
    359 {
    360 	lock
    361 }
    362 
    363 
    364 #
    365 # Define the access vector interpretation for the security server.
    366 #
    367 
    368 class security
    369 {
        	# Access to the security server itself. load_policy, setenforce,
        	# setbool, setsecparam and setcheckreqprot presumably alter the loaded
        	# policy or the enforcement state; NOTE(review): verify that only the
        	# domains that must load or tune policy are granted them.
    370 	compute_av
    371 	compute_create
    372 	compute_member
    373 	check_context
    374 	load_policy
    375 	compute_relabel
    376 	compute_user
    377 	setenforce     # was avc_toggle in system class
    378 	setbool
    379 	setsecparam
    380 	setcheckreqprot
    381 	read_policy
    382 }
    383 
    384 
    385 #
    386 # Define the access vector interpretation for system operations.
    387 #
    388 
    389 class system
    390 {
    391 	ipc_info
    392 	syslog_read
    393 	syslog_mod
    394 	syslog_console
    395 	module_request
    396 }
    397 
    398 #
    399 # Define the access vector interpretation for controlling capabilities
    400 #
    401 
    402 class capability
    403 {
    404 	# The capabilities are defined in include/linux/capability.h
    405 	# Capabilities >= 32 are defined in the capability2 class.
    406 	# Care should be taken to ensure that these are consistent with
    407 	# those definitions. (Order matters)
        	#
        	# 32 entries follow (indices 0-31); class capability2 continues the
        	# numbering at 32. Inserting or reordering an entry shifts every
        	# later bit, so additions must go at the end.
    408 
    409 	chown
    410 	dac_override
    411 	dac_read_search
    412 	fowner
    413 	fsetid
    414 	kill
    415 	setgid
    416 	setuid
    417 	setpcap
    418 	linux_immutable
    419 	net_bind_service
    420 	net_broadcast
    421 	net_admin
    422 	net_raw
    423 	ipc_lock
    424 	ipc_owner
    425 	sys_module
    426 	sys_rawio
    427 	sys_chroot
    428 	sys_ptrace
    429 	sys_pacct
    430 	sys_admin
    431 	sys_boot
    432 	sys_nice
    433 	sys_resource
    434 	sys_time
    435 	sys_tty_config
    436 	mknod
    437 	lease
    438 	audit_write
    439 	audit_control
    440 	setfcap
    441 }
    442 
    443 class capability2
    444 {
        	# Continuation of the ordered list in class capability for
        	# capabilities >= 32: the i-th entry here presumably corresponds to
        	# capability 32+i, so order matters here as well and new entries
        	# must be appended.
    445 	mac_override	# unused by SELinux
    446 	mac_admin	# unused by SELinux
    447 	syslog
    448 }
    449 
    450 #
    451 # Define the access vector interpretation for controlling
    452 # changes to passwd information.
    453 #
    454 class passwd
    455 {
    456 	passwd	# change another user passwd
    457 	chfn	# change another user finger info
    458 	chsh	# change another user shell
    459 	rootok  # pam_rootok check (skip auth)
    460 	crontab # crontab on another user
    461 }
    462 
    463 #
    464 # SE-X Windows stuff
    465 #
    466 class x_drawable
    467 {
    468 	create
    469 	destroy
    470 	read
    471 	write
    472 	blend
    473 	getattr
    474 	setattr
    475 	list_child
    476 	add_child
    477 	remove_child
    478 	list_property
    479 	get_property
    480 	set_property
    481 	manage
    482 	override
    483 	show
    484 	hide
    485 	send
    486 	receive
    487 }
    488 
    489 class x_screen
    490 {
    491 	getattr
    492 	setattr
    493 	hide_cursor
    494 	show_cursor
    495 	saver_getattr
    496 	saver_setattr
    497 	saver_hide
    498 	saver_show
    499 }
    500 
    501 class x_gc
    502 {
    503 	create
    504 	destroy
    505 	getattr
    506 	setattr
    507 	use
    508 }
    509 
    510 class x_font
    511 {
    512 	create
    513 	destroy
    514 	getattr
    515 	add_glyph
    516 	remove_glyph
    517 	use
    518 }
    519 
    520 class x_colormap
    521 {
    522 	create
    523 	destroy
    524 	read
    525 	write
    526 	getattr
    527 	add_color
    528 	remove_color
    529 	install
    530 	uninstall
    531 	use
    532 }
    533 
    534 class x_property
    535 {
    536 	create
    537 	destroy
    538 	read
    539 	write
    540 	append
    541 	getattr
    542 	setattr
    543 }
    544 
    545 class x_selection
    546 {
    547 	read
    548 	write
    549 	getattr
    550 	setattr
    551 }
    552 
    553 class x_cursor
    554 {
    555 	create
    556 	destroy
    557 	read
    558 	write
    559 	getattr
    560 	setattr
    561 	use
    562 }
    563 
    564 class x_client
    565 {
    566 	destroy
    567 	getattr
    568 	setattr
    569 	manage
    570 }
    571 
    572 class x_device
    573 inherits x_device
    574 
    575 class x_server
    576 {
    577 	getattr
    578 	setattr
    579 	record
    580 	debug
    581 	grab
    582 	manage
    583 }
    584 
    585 class x_extension
    586 {
    587 	query
    588 	use
    589 }
    590 
    591 class x_resource
    592 {
    593 	read
    594 	write
    595 }
    596 
    597 class x_event
    598 {
    599 	send
    600 	receive
    601 }
    602 
    603 class x_synthetic_event
    604 {
    605 	send
    606 	receive
    607 }
    608 
    609 #
    610 # Extended Netlink classes
    611 #
    612 class netlink_route_socket
    613 inherits socket
    614 {
    615 	nlmsg_read
    616 	nlmsg_write
    617 }
    618 
    619 class netlink_firewall_socket
    620 inherits socket
    621 {
    622 	nlmsg_read
    623 	nlmsg_write
    624 }
    625 
    626 class netlink_tcpdiag_socket
    627 inherits socket
    628 {
    629 	nlmsg_read
    630 	nlmsg_write
    631 }
    632 
    633 class netlink_nflog_socket
    634 inherits socket
    635 
    636 class netlink_xfrm_socket
    637 inherits socket
    638 {
    639 	nlmsg_read
    640 	nlmsg_write
    641 }
    642 
    643 class netlink_selinux_socket
    644 inherits socket
    645 
    646 class netlink_audit_socket
    647 inherits socket
    648 {
    649 	nlmsg_read
    650 	nlmsg_write
    651 	nlmsg_relay
    652 	nlmsg_readpriv
    653 	nlmsg_tty_audit
    654 }
    655 
    656 class netlink_ip6fw_socket
    657 inherits socket
    658 {
    659 	nlmsg_read
    660 	nlmsg_write
    661 }
    662 
    663 class netlink_dnrt_socket
    664 inherits socket
    665 
    666 # Define the access vector interpretation for controlling
    667 # access and communication through the D-BUS messaging
    668 # system.
    669 #
    670 class dbus
    671 {
    672 	acquire_svc
    673 	send_msg
    674 }
    675 
    676 # Define the access vector interpretation for controlling
    677 # access through the name service cache daemon (nscd).
    678 #
    679 class nscd
    680 {
    681 	getpwd
    682 	getgrp
    683 	gethost
    684 	getstat
    685 	admin
    686 	shmempwd
    687 	shmemgrp
    688 	shmemhost
    689 	getserv
    690 	shmemserv
    691 }
    692 
    693 # Define the access vector interpretation for controlling
    694 # access to IPSec network data by association
    695 #
    696 class association
    697 {
    698 	sendto
    699 	recvfrom
    700 	setcontext
    701 	polmatch
    702 }
    703 
    704 # Updated Netlink class for KOBJECT_UEVENT family.
    705 class netlink_kobject_uevent_socket
    706 inherits socket
    707 
    708 class appletalk_socket
    709 inherits socket
    710 
    711 class packet
    712 {
    713 	send
    714 	recv
    715 	relabelto
    716 	flow_in		# deprecated
    717 	flow_out	# deprecated
    718 	forward_in
    719 	forward_out
    720 }
    721 
    722 class key
    723 {
    724 	view
    725 	read
    726 	write
    727 	search
    728 	link
    729 	setattr
    730 	create
    731 }
    732 
    733 class context
    734 {
    735 	translate
    736 	contains
    737 }
    738 
    739 class dccp_socket
    740 inherits socket
    741 {
    742 	node_bind
    743 	name_connect
    744 }
    745 
    746 class memprotect
    747 {
    748 	mmap_zero
    749 }
    750 
    751 class db_database
    752 inherits database
    753 {
    754 	access
    755 	install_module
    756 	load_module
    757 	get_param	# deprecated
    758 	set_param	# deprecated
    759 }
    760 
    761 class db_table
    762 inherits database
    763 {
    764 	use		# deprecated
    765 	select
    766 	update
    767 	insert
    768 	delete
    769 	lock
    770 }
    771 
    772 class db_procedure
    773 inherits database
    774 {
    775 	execute
    776 	entrypoint
    777 	install
    778 }
    779 
    780 class db_column
    781 inherits database
    782 {
    783 	use		# deprecated
    784 	select
    785 	update
    786 	insert
    787 }
    788 
    789 class db_tuple
    790 {
        	# Unlike the other db_* classes, db_tuple does not inherit common
        	# database: relabelfrom/relabelto are listed directly and there is
        	# no create/drop/getattr/setattr.
    791 	relabelfrom
    792 	relabelto
    793 	use		# deprecated
    794 	select
    795 	update
    796 	insert
    797 	delete
    798 }
    799 
    800 class db_blob
    801 inherits database
    802 {
    803 	read
    804 	write
    805 	import
    806 	export
    807 }
    808 
    809 # network peer labels
    810 class peer
    811 {
    812 	recv
    813 }
    814 
    815 class x_application_data
    816 {
    817 	paste
    818 	paste_after_confirm
    819 	copy
    820 }
    821 
    822 class kernel_service
    823 {
    824 	use_as_override
    825 	create_files_as
    826 }
    827 
    828 class tun_socket
    829 inherits socket
    830 
    831 class x_pointer
    832 inherits x_device
    833 
    834 class x_keyboard
    835 inherits x_device
    836 
    837 class db_schema
    838 inherits database
    839 {
    840 	search
    841 	add_name
    842 	remove_name
    843 }
    844 
    845 class db_view
    846 inherits database
    847 {
    848 	expand
    849 }
    850 
    851 class db_sequence
    852 inherits database
    853 {
    854 	get_value
    855 	next_value
    856 	set_value
    857 }
    858 
    859 class db_language
    860 inherits database
    861 {
    862 	implement
    863 	execute
    864 }
    865 
    866 class binder
    867 {
        	# Android-specific classes begin here (binder, zygote and
        	# property_service below); none of them inherits a common block.
    868 	impersonate
    869 	call
    870 	set_context_mgr
    871 	transfer
    872 	receive
    873 }
    874 
    875 class zygote
    876 {
    877 	specifyids
    878 	specifyrlimits
    879 	specifycapabilities
    880 	specifyinvokewith
    881 	specifyseinfo
    882 }
    883 
    884 class property_service
    885 {
    886 	set
    887 }
    888