#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# A common is a reusable permission set, not a class of its own: a class
# pulls it in with "class name inherits common_name" (see the class
# definitions below).  A common cannot itself inherit, which is why the
# socket common repeats the leading file permissions by hand.
#
# The order of names is significant: a permission's position decides its
# bit in the compiled access vector, so new permissions belong at the END
# of a common or class, never in the middle (the capability class says so
# explicitly).  Trailing comments give the conventional SELinux meaning of
# a name; the authoritative definition is the hook in the object manager
# that actually checks it.
#

#
# Define a common prefix for file access vectors.
#
# Inherited by dir, file, lnk_file, chr_file, blk_file, sock_file and
# fifo_file below.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom	# object may be moved away from its current label
	relabelto	# object may be given this label as its new label
	append
	unlink
	link
	rename
	execute
	swapon		# object may back swap space
	quotaon		# object may hold enabled quota data
	mounton		# object may be used as a mount point
}


#
# Define a common prefix for socket access vectors.
#
# The first ten names deliberately match the first ten file permissions
# (same names, same order, hence same bit positions); they are copied here
# rather than inherited because a common cannot inherit.
#

common socket
{
	# inherited from file (copied; see note above)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind	# bind to a port/name carrying the target label
}

#
# Define a common prefix for ipc access vectors.
#
# Inherited by ipc, sem, msgq and shm below.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read	# the classic IPC read-permission check -- confirm against the hook
	unix_write	# the classic IPC write-permission check -- confirm against the hook
}

#
# Define a common prefix for userspace database object access vectors.
#
# Checked by a userspace object manager (a database server), never by the
# kernel; inherited by the db_* classes below.
#

common database
{
	create
	drop
	getattr
	setattr
	relabelfrom
	relabelto
}

#
# Define a common prefix for pointer and keyboard access vectors.
#
# Inherited by x_device, x_pointer and x_keyboard below (X server object
# manager).
#

common x_device
{
	getattr
	setattr
	use
	read
	write
	getfocus
	setfocus
	bell
	force_cursor
	freeze
	grab		# exclusive grab of the device -- a keylogging/clickjacking vector if granted widely
	manage
	list_property
	get_property
	set_property
	add
	remove
	create
	destroy
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# A class that adds nothing beyond its common is written without a brace
# block (e.g. "class socket inherits socket").
#


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition	# filesystem may be given a different label at mount time (context= option) -- confirm against the hook
	associate	# files carrying the source label may reside on this filesystem
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name	# create an entry in this directory (paired with create/link/rename on the entry)
	remove_name	# remove an entry from this directory (paired with unlink/rmdir/rename)
	reparent	# move a directory entry under a different parent
	search
	rmdir
	open		# checked on open() in addition to read/write, so an inherited fd cannot be re-opened
	audit_access
	execmod		# listed for a uniform layout; rarely if ever reachable for directories
}

class file
inherits file
{
	execute_no_trans	# execute without a domain transition: the caller's domain keeps running the new image
	entrypoint		# file may serve as the entry point for a domain transition
	execmod			# make a modified private file mapping executable (text relocations); a W^X escape, grant sparingly
	open			# checked on open() in addition to read/write
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod		# listed for a uniform layout; rarely if ever reachable for symlinks
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# A file descriptor inherited across exec or passed over a UNIX socket
# keeps the label of the domain that created it; "use" gates whether the
# receiving domain may operate on it at all.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Generic socket: no permissions beyond the common.
class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto	# legacy; believed unchecked by current kernels -- verify before relying on it
	newconn		# legacy; believed unchecked by current kernels -- verify before relying on it
	acceptfrom	# legacy; believed unchecked by current kernels -- verify before relying on it
	node_bind	# bind to an address carrying the node label
	name_connect	# connect to a remote port carrying the port label
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# Labeled network address (node).  The per-protocol *_recv/*_send names are
# the older compatibility checks; recvfrom/sendto are the peer-label checks.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

# Labeled network interface.  ingress/egress are the current checks; the
# per-protocol names are the older compatibility checks.
class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto	# connect to a listening socket owned by the target domain
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#
# Several of these are the classic privilege-escalation or hardening-bypass
# permissions (ptrace, dyntransition, execmem/execstack/execheap, noatsecure,
# share); grant them per domain and only where the workload needs them.
#

class process
{
	fork
	transition	# change domain on exec (pair with entrypoint on the executable)
	sigchld		# commonly granted from child to parent
	sigkill		# cannot be caught or ignored
	sigstop		# cannot be caught or ignored
	signull		# for kill(pid, 0)
	signal		# all other signals
	ptrace		# attach to / read the memory of the target; also gates /proc/pid introspection -- confirm scope against the hook
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share		# share state (e.g. CLONE_* resources) with a process in another domain
	getattr
	setexec		# set the domain for the next exec
	setfscreate	# set the label for files created next
	noatsecure	# suppress AT_SECURE (secure-exec) hardening on transition; lets the new image honour LD_* etc.
	siginh		# keep pending signals across a domain transition instead of flushing them
	setrlimit
	rlimitinh	# inherit resource limits across a domain transition
	dyntransition	# change domain without exec (setcon); weaker than transition since the caller's memory and fds persist
	setcurrent
	execmem		# map anonymous memory writable and executable (W^X escape)
	execstack	# executable stack
	execheap	# executable heap
	setkeycreate	# set the label for keys created next
	setsockcreate	# set the label for sockets created next
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#
# These mediate the security server interface itself (selinuxfs).
# load_policy, setenforce and setbool change the enforcement regime
# system-wide and are root-equivalent over the MAC layer; confine them to
# the policy-management domain.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy	# replace the running policy
	compute_relabel
	compute_user
	setenforce	# was avc_toggle in system class; toggle enforcing/permissive
	setbool		# flip policy booleans at runtime
	setsecparam	# tune AVC parameters
	setcheckreqprot
	read_policy	# read the loaded binary policy back out
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request	# request_module() by alias from the kernel on the domain's behalf; a loading path for attacker-chosen module names if granted broadly
}

#
# Define the access vector interpretation for controlling capabilities
#
# dac_override, setuid, setpcap, sys_admin, sys_module, sys_rawio and
# sys_ptrace are the usual root-equivalent escalation paths; audit grants
# of these closely.
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Capabilities 32 and up, in the same order as include/linux/capability.h.
class capability2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
}

#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
# Checked by the userspace password/PAM tooling, not the kernel.
#
class passwd
{
	passwd		# change another user passwd
	chfn		# change another user finger info
	chsh		# change another user shell
	rootok		# pam_rootok check (skip auth) -- effectively "act as root without authenticating"
	crontab		# crontab on another user
}

#
# SE-X Windows: classes checked by the X server's object manager (XACE).
# Grants here decide which clients may read or inject input, read other
# windows' contents, and take grabs -- the X protocol offers no isolation
# on its own.
#
class x_drawable
{
	create
	destroy
	read		# read window/pixmap contents (screen scraping)
	write
	blend
	getattr
	setattr
	list_child
	add_child
	remove_child
	list_property
	get_property
	set_property
	manage
	override	# override-redirect windows (bypass the window manager)
	show
	hide
	send		# send events to the drawable
	receive		# receive events from the drawable
}

class x_screen
{
	getattr
	setattr
	hide_cursor
	show_cursor
	saver_getattr
	saver_setattr
	saver_hide
	saver_show
}

class x_gc
{
	create
	destroy
	getattr
	setattr
	use
}

class x_font
{
	create
	destroy
	getattr
	add_glyph
	remove_glyph
	use
}

class x_colormap
{
	create
	destroy
	read
	write
	getattr
	add_color
	remove_color
	install
	uninstall
	use
}

class x_property
{
	create
	destroy
	read
	write
	append
	getattr
	setattr
}

# Selections are the X clipboard mechanism; read/write here mediates
# cross-client cut-and-paste.
class x_selection
{
	read
	write
	getattr
	setattr
}

class x_cursor
{
	create
	destroy
	read
	write
	getattr
	setattr
	use
}

class x_client
{
	destroy
	getattr
	setattr
	manage
}

class x_device
inherits x_device

class x_server
{
	getattr
	setattr
	record	# use the RECORD extension (global input capture)
	debug
	grab	# server grab: freezes every other client
	manage
}

class x_extension
{
	query
	use
}

class x_resource
{
	read
	write
}

class x_event
{
	send
	receive
}

# Synthetic (client-generated) events are distinguished from real input so
# that injection via XSendEvent can be denied separately.
class x_synthetic_event
{
	send
	receive
}

#
# Extended Netlink classes
#
# nlmsg_read / nlmsg_write distinguish query messages from state-changing
# messages on the same socket, which plain socket read/write cannot.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write	# reconfigure the audit subsystem
	nlmsg_relay	# submit userspace audit records
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.  Checked by the bus daemon, not the kernel.
#
class dbus
{
	acquire_svc	# claim a well-known bus name (impersonation if granted to the wrong domain)
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
# Checked by nscd itself.
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
	shmempwd	# shmem* : read the cache via shared memory, bypassing the per-request checks
	shmemgrp
	shmemhost
	getserv
	shmemserv
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext	# set the label on a security association (SA) or policy
	polmatch	# let traffic with the source label match an IPsec policy with the target label
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

# Labeled packets (SECMARK); relabelto lets a domain assign a mark.
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

# Kernel keyring keys.
class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

# Checked by the userspace context translation service, not the kernel.
class context
{
	translate
	contains
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

# mmap_zero: map memory at address 0 (below the mmap_min_addr floor).
# Granting it turns any kernel NULL-pointer dereference reachable by the
# domain into a potential code-execution bug; restrict to the legacy
# programs that genuinely need it.
class memprotect
{
	mmap_zero
}

#
# Database object classes; checked by a userspace object manager.
#
class db_database
inherits database
{
	access
	install_module
	load_module
	get_param	# deprecated
	set_param	# deprecated
}

class db_table
inherits database
{
	use		# deprecated
	select
	update
	insert
	delete
	lock
}

class db_procedure
inherits database
{
	execute
	entrypoint
	install
}

class db_column
inherits database
{
	use		# deprecated
	select
	update
	insert
}

# Rows do not inherit the database common: only relabel and DML apply.
class db_tuple
{
	relabelfrom
	relabelto
	use		# deprecated
	select
	update
	insert
	delete
}

class db_blob
inherits database
{
	read
	write
	import
	export
}

# network peer labels: the single check applied to traffic from a labeled
# peer (labeled IPsec / NetLabel), replacing the per-protocol node and
# netif checks where a peer label is available.
class peer
{
	recv
}

# Clipboard-style data exchange between X clients.
class x_application_data
{
	paste
	paste_after_confirm	# paste only after the user confirms
	copy
}

# A kernel-internal service acting on behalf of a task.
class kernel_service
{
	use_as_override		# let the service run with the target domain's credentials
	create_files_as		# let the service create files labeled as the target domain would
}

class tun_socket
inherits socket

class x_pointer
inherits x_device

class x_keyboard
inherits x_device

class db_schema
inherits database
{
	search
	add_name
	remove_name
}

class db_view
inherits database
{
	expand
}

class db_sequence
inherits database
{
	get_value
	next_value
	set_value
}

class db_language
inherits database
{
	implement
	execute
}

#
# The remaining classes are checked by userspace object managers; the
# names suggest an Android-style IPC, process-spawning and property
# service -- confirm against the object manager that defines them.
#

class binder
{
	impersonate	# pass a transaction on behalf of another process
	call
	set_context_mgr	# become the binder context manager (service directory)
	transfer	# hand a binder reference to another process
}

class zygote
{
	specifyids
	specifyrlimits
	specifycapabilities
	specifyinvokewith
	specifyseinfo
}

class property_service
{
	set
}
