# This is a permission map file for use in policy analysis. This
# file maps object permissions (read, getattr, setattr, ..., etc.)
# for an object class, to exactly one of the following: read, write,
# both, or none. This file may be edited as long as the specific
# syntax rules are obeyed.
#
# For each object class, there is a set of object permissions that are
# individually mapped to read, write, both, or none. If a new object
# class is added, make sure that the current number of object classes
# is increased.
#
# The syntax for an object class definition is:
# class <class_name> <num_permissions>
#
# This is followed by each permission and its individual mapping to one
# of the following:
#
# r = Read
# w = Write
# n = None
# b = Both
#
# Additionally, you can choose to follow the mapping with an optional
# permission weight value from 1 (less importance) to 10 (higher importance).
# 10 is the default weight value if one is not provided.
#
# Look to the examples below for further clarification.
#
# Number of object classes.
58

class security 11
compute_av n 1
compute_create n 1
compute_member n 1
check_context n 1
load_policy n 1
compute_relabel n 1
compute_user n 1
setenforce n 1
setbool n 1
setsecparam n 1
setcheckreqprot n 1

class process 29
fork n 1
transition w 5
sigchld w 1
sigkill w 1
sigstop w 1
signull n 1
signal w 5
ptrace b 10
getsched r 1
setsched w 1
getsession r 1
getpgid r 1
setpgid w 5
getcap r 3
setcap w 1
share b 1
getattr r 1
setexec w 1
setfscreate w 1
noatsecure n 1
siginh n 1
setrlimit n 1
rlimitinh n 1
dyntransition w 10
setcurrent w 1
execmem n 1
execstack n 1
execheap n 1
setkeycreate w 1

class system 4
ipc_info n 1
syslog_read n 1
syslog_mod n 1
syslog_console n 1

class capability 31
chown n 3
dac_override n 1
dac_read_search n 1
fowner n 1
fsetid n 1
kill n 1
setgid n 3
setuid n 1
setpcap n 3
linux_immutable n 1
net_bind_service n 1
net_broadcast n 1
net_admin n 1
net_raw n 1
ipc_lock n 1
ipc_owner n 1
sys_module n 1
sys_rawio n 1
sys_chroot n 1
sys_ptrace n 1
sys_pacct n 1
sys_admin n 3
sys_boot n 1
sys_nice n 1
sys_resource n 1
sys_time n 1
sys_tty_config n 1
mknod n 1
lease n 1
audit_write n 3
audit_control n 1

class filesystem 10
mount w 1
remount w 1
unmount w 1
getattr r 1
relabelfrom r 10
relabelto w 10
transition w 1
associate n 1
quotamod w 1
quotaget r 1

class file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 10
unlink w 1
link w 1
rename w 5
execute r 10
swapon b 1
quotaon b 1
mounton b 1
open r 1

class dir 23
add_name w 1
remove_name w 1
reparent w 1
search r 1
rmdir b 1
ioctl n 1
read r 1
write w 1
create w 1
getattr r 1
setattr w 1
lock n 1
relabelfrom r 1
relabelto w 1
append w 1
unlink w 1
link w 1
rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class fd 1
use b 1

class lnk_file 18
ioctl n 1
read r 1
write w 1
create w 1
getattr r 1
setattr w 1
lock n 1
relabelfrom r 1
relabelto w 1
append w 1
unlink w 1
link w 1
rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class chr_file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
unlink w 1
link w 1
rename w 5
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class blk_file 18
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
unlink w 1
link w 1
rename w 5
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class sock_file 18
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
unlink w 1
link w 1
rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class fifo_file 18
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
unlink w 1
link w 1
rename w 5
execute r 1
swapon b 1
quotaon b 1
mounton b 1
open r 1

class socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class tcp_socket 27
connectto w 1
newconn w 1
acceptfrom r 1
node_bind n 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1
name_connect w 1

class udp_socket 23
node_bind n 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class rawip_socket 23
node_bind n 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 1
setattr w 1
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class node 7
tcp_recv r 10
tcp_send w 10
udp_recv r 10
udp_send w 10
rawip_recv r 10
rawip_send w 10
enforce_dest n 1

class netif 6
tcp_recv r 10
tcp_send w 10
udp_recv r 10
udp_send w 10
rawip_recv r 10
rawip_send w 10

class netlink_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class packet_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class key_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class unix_stream_socket 25
connectto w 1
newconn w 1
acceptfrom r 1
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class unix_dgram_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class sem 9
create w 1
destroy w 1
getattr r 1
setattr w 1
read r 10
write w 10
associate n 1
unix_read r 3
unix_write w 3

class msg 2
send w 10
receive r 10

class msgq 10
enqueue w 1
create w 1
destroy w 1
getattr r 1
setattr w 1
read r 10
write w 10
associate n 1
unix_read r 3
unix_write w 3

class shm 10
lock w 1
create w 1
destroy w 1
getattr r 1
setattr w 1
read r 10
write w 10
associate n 1
unix_read r 3
unix_write w 3

class ipc 9
create w 1
destroy w 1
getattr r 1
setattr w 1
read r 10
write w 10
associate n 1
unix_read r 3
unix_write w 3

class passwd 5
passwd w 1
chfn w 5
chsh w 5
rootok n 1
crontab w 5

class drawable 5
create w 1
destroy w 1
draw w 10
copy r 10
getattr r 7

class window 26
addchild w 1
create w 1
destroy w 1
map w 1
unmap w 1
chstack w 10
chproplist w 7
chprop w 10
listprop r 5
getattr r 5
setattr w 5
setfocus w 1
move w 10
chselection w 10
chparent w 5
ctrllife w 5
enumerate w 1
transparent w 1
mousemotion w 10
clientcomevent w 5
inputevent w 5
drawevent w 5
windowchangeevent w 5
windowchangerequest w 5
serverchangeevent w 5
extensionevent w 5

class gc 4
create w 1
free w 1
getattr r 5
setattr w 5

class font 4
load r 1
free w 1
getattr r 5
use r 1

class colormap 9
create w 1
free w 1
install w 10
uninstall w 1
list r 5
read r 10
store w 10
getattr r 5
setattr w 5

class property 4
create w 1
free w 1
read r 10
write w 10

class cursor 5
create w 1
createglyph w 10
free w 1
assign w 10
setattr w 5

class xclient 1
kill w 1

class xinput 11
lookup r 10
getattr r 5
setattr w 5
setfocus w 10
warppointer w 10
activegrab w 1
passivegrab w 1
ungrab w 1
bell w 3
mousemotion w 10
relabelinput b 3

class xserver 8
screensaver w 10
gethostlist r 7
sethostlist w 7
getfontpath r 7
setfontpath w 7
getattr r 7
grab w 10
ungrab w 1

class xextension 2
query r 10
use b 1

class pax 6
pageexec n 1
emutramp n 1
mprotect n 1
randmmap n 1
randexec n 1
segmexec n 1

class netlink_route_socket 24
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_firewall_socket 24
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_tcpdiag_socket 24
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_nflog_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_xfrm_socket 24
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_selinux_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_audit_socket 26
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1
nlmsg_relay w 10
nlmsg_readpriv r 10

class netlink_ip6fw_socket 24
nlmsg_read r 10
nlmsg_write w 10
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_dnrt_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto r 10
recv_msg r 10
send_msg w 10
name_bind n 1

class netlink_kobject_uevent_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 7
setattr w 7
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class dbus 2
acquire_svc b 1
send_msg w 10

class nscd 8
getpwd r 7
getgrp r 7
gethost r 7
getstat r 7
admin w 5
shmempwd r 7
shmemgrp r 7
shmemhost r 7

class association 4
sendto w 10
recvfrom r 10
setcontext w 3
polmatch r 1

class appletalk_socket 22
ioctl n 1
read r 10
write w 10
create w 1
getattr r 1
setattr w 1
lock n 1
relabelfrom r 10
relabelto w 10
append w 1
bind w 1
connect w 1
listen r 1
accept r 1
getopt r 1
setopt w 1
shutdown w 1
recvfrom r 10
sendto w 10
recv_msg r 10
send_msg w 10
name_bind n 1

class key 7
view r 7
read r 10
write w 10
search r 5
link w 7
setattr w 7
create w 10

class packet 3
send w 10
recv r 10
relabelto w 3
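The header comment above specifies the map syntax in prose only. The following is an added example, not code from any policy-analysis tool: a parser for that syntax that enforces the declared class count and per-class permission counts (the consistency the header asks editors to maintain), plus a classifier that turns the permission set of an allow rule into the read/write/both/none flow direction and weight that information-flow analysis derives from this map. SAMPLE_MAP is a constructed excerpt, not the file's real contents.

```python
import re

# Constructed excerpt in the map file's own syntax (not the real file's contents).
SAMPLE_MAP = """\
2
class file 3
read r 10
write w 10
getattr r
class process 2
ptrace b 10
fork n 1
"""

def parse_perm_map(text):
    """Return {class: {perm: (mapping, weight)}}, enforcing the declared counts."""
    lines = [s for s in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if s]
    declared_classes = int(lines.pop(0))  # first non-comment line is the class count
    classes, i = {}, 0
    while i < len(lines):
        m = re.fullmatch(r"class\s+(\w+)\s+(\d+)", lines[i])
        if not m:
            raise ValueError(f"expected 'class <name> <num_permissions>', got {lines[i]!r}")
        name, nperms, perms = m.group(1), int(m.group(2)), {}
        for entry in lines[i + 1:i + 1 + nperms]:
            fields = entry.split()
            weight = int(fields[2]) if len(fields) == 3 else 10  # 10 is the default weight
            if len(fields) not in (2, 3) or fields[1] not in ("r", "w", "n", "b") or not 1 <= weight <= 10:
                raise ValueError(f"bad permission entry in class {name}: {entry!r}")
            perms[fields[0]] = (fields[1], weight)
        if len(perms) != nperms:  # too few entry lines, or a duplicated permission name
            raise ValueError(f"class {name} declares {nperms} permissions, found {len(perms)}")
        classes[name] = perms
        i += 1 + nperms
    if len(classes) != declared_classes:
        raise ValueError(f"header declares {declared_classes} classes, found {len(classes)}")
    return classes

def flow_direction(classes, obj_class, granted):
    """Flow direction ('read'|'write'|'both'|'none') and highest weight an allow rule yields."""
    reads, writes, weight = False, False, 0
    for perm in granted:
        mapping, w = classes[obj_class][perm]
        reads |= mapping in ("r", "b")
        writes |= mapping in ("w", "b")
        if mapping != "n":
            weight = max(weight, w)  # weight of the strongest flowing permission
    direction = "both" if reads and writes else "read" if reads else "write" if writes else "none"
    return direction, weight
```

A rule granting only permissions mapped `n` (for example `process fork`) produces no flow at all, which is why such permissions carry weight 1 throughout the map.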