# This is a permission map file for use in policy analysis. This
# file maps object permissions (read, getattr, setattr, ..., etc.)
# for an object class, to exactly one of the following: read, write,
# both, or none. This file may be edited as long as the specific
# syntax rules are obeyed.
#
# For each object class, there is a set of object permissions that are
# individually mapped to read, write, both, or none. If a new object
# class is added, make sure that the current number of object classes
# is increased.
#
# The syntax for an object class definition is:
# class <class_name> <num_permissions>
#
# This is followed by each permission and its individual mapping to one
# of the following:
#
# r = Read
# w = Write
# n = None
# b = Both
#
# Additionally, you can choose to follow the mapping with an optional
# permission weight value from 1 (less importance) to 10 (higher importance).
# 10 is the default weight value if one is not provided.
#
# Look to the examples below for further clarification.
#
# Number of object classes.
58

class security 11
	compute_av n 1
	compute_create n 1
	compute_member n 1
	check_context n 1
	load_policy n 1
	compute_relabel n 1
	compute_user n 1
	setenforce n 1
	setbool n 1
	setsecparam n 1
	setcheckreqprot n 1

class process 29
	fork n 1
	transition w 5
	sigchld w 1
	sigkill w 1
	sigstop w 1
	signull n 1
	signal w 5
	ptrace b 10
	getsched r 1
	setsched w 1
	getsession r 1
	getpgid r 1
	setpgid w 5
	getcap r 3
	setcap w 1
	share b 1
	getattr r 1
	setexec w 1
	setfscreate w 1
	noatsecure n 1
	siginh n 1
	setrlimit n 1
	rlimitinh n 1
	dyntransition w 10
	setcurrent w 1
	execmem n 1
	execstack n 1
	execheap n 1
	setkeycreate w 1

class system 4
	ipc_info n 1
	syslog_read n 1
	syslog_mod n 1
	syslog_console n 1

class capability 31
	chown n 3
	dac_override n 1
	dac_read_search n 1
	fowner n 1
	fsetid n 1
	kill n 1
	setgid n 3
	setuid n 1
	setpcap n 3
	linux_immutable n 1
	net_bind_service n 1
	net_broadcast n 1
	net_admin n 1
	net_raw n 1
	ipc_lock n 1
	ipc_owner n 1
	sys_module n 1
	sys_rawio n 1
	sys_chroot n 1
	sys_ptrace n 1
	sys_pacct n 1
	sys_admin n 3
	sys_boot n 1
	sys_nice n 1
	sys_resource n 1
	sys_time n 1
	sys_tty_config n 1
	mknod n 1
	lease n 1
	audit_write n 3
	audit_control n 1

class filesystem 10
	mount w 1
	remount w 1
	unmount w 1
	getattr r 1
	relabelfrom r 10
	relabelto w 10
	transition w 1
	associate n 1
	quotamod w 1
	quotaget r 1

class file 20
	execute_no_trans r 1
	entrypoint r 1
	execmod n 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 5
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class dir 22
	add_name w 5
	remove_name w 1
	reparent w 1
	search r 1
	rmdir b 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 5
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class fd 1
	use b 1

class lnk_file 17
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 1
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class chr_file 20
	execute_no_trans r 1
	entrypoint r 1
	execmod n 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 5
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class blk_file 17
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 5
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class sock_file 17
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 1
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class fifo_file 17
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	unlink w 1
	link w 1
	rename w 5
	execute r 1
	swapon b 1
	quotaon b 1
	mounton b 1

class socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class tcp_socket 27
	connectto w 1
	newconn w 1
	acceptfrom r 1
	node_bind n 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1
	name_connect w 1

class udp_socket 23
	node_bind n 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class rawip_socket 23
	node_bind n 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 1
	setattr w 1
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class node 7
	tcp_recv r 10
	tcp_send w 10
	udp_recv r 10
	udp_send w 10
	rawip_recv r 10
	rawip_send w 10
	enforce_dest n 1

class netif 6
	tcp_recv r 10
	tcp_send w 10
	udp_recv r 10
	udp_send w 10
	rawip_recv r 10
	rawip_send w 10

class netlink_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class packet_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class key_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class unix_stream_socket 25
	connectto w 1
	newconn w 1
	acceptfrom r 1
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class unix_dgram_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class sem 9
	create w 1
	destroy w 1
	getattr r 1
	setattr w 1
	read r 10
	write w 10
	associate n 1
	unix_read r 3
	unix_write w 3

class msg 2
	send w 10
	receive r 10

class msgq 10
	enqueue w 1
	create w 1
	destroy w 1
	getattr r 1
	setattr w 1
	read r 10
	write w 10
	associate n 1
	unix_read r 3
	unix_write w 3

class shm 10
	lock w 1
	create w 1
	destroy w 1
	getattr r 1
	setattr w 1
	read r 10
	write w 10
	associate n 1
	unix_read r 3
	unix_write w 3

class ipc 9
	create w 1
	destroy w 1
	getattr r 1
	setattr w 1
	read r 10
	write w 10
	associate n 1
	unix_read r 3
	unix_write w 3

class passwd 5
	passwd w 1
	chfn w 5
	chsh w 5
	rootok n 1
	crontab w 5

class drawable 5
	create w 1
	destroy w 1
	draw w 10
	copy r 10
	getattr r 7

class window 26
	addchild w 1
	create w 1
	destroy w 1
	map w 1
	unmap w 1
	chstack w 10
	chproplist w 7
	chprop w 10
	listprop r 5
	getattr r 5
	setattr w 5
	setfocus w 1
	move w 10
	chselection w 10
	chparent w 5
	ctrllife w 5
	enumerate w 1
	transparent w 1
	mousemotion w 10
	clientcomevent w 5
	inputevent w 5
	drawevent w 5
	windowchangeevent w 5
	windowchangerequest w 5
	serverchangeevent w 5
	extensionevent w 5

class gc 4
	create w 1
	free w 1
	getattr r 5
	setattr w 5

class font 4
	load r 1
	free w 1
	getattr r 5
	use r 1

class colormap 9
	create w 1
	free w 1
	install w 10
	uninstall w 1
	list r 5
	read r 10
	store w 10
	getattr r 5
	setattr w 5

class property 4
	create w 1
	free w 1
	read r 10
	write w 10

class cursor 5
	create w 1
	createglyph w 10
	free w 1
	assign w 10
	setattr w 5

class xclient 1
	kill w 1

class xinput 11
	lookup r 10
	getattr r 5
	setattr w 5
	setfocus w 10
	warppointer w 10
	activegrab w 1
	passivegrab w 1
	ungrab w 1
	bell w 3
	mousemotion w 10
	relabelinput b 3

class xserver 8
	screensaver w 10
	gethostlist r 7
	sethostlist w 7
	getfontpath r 7
	setfontpath w 7
	getattr r 7
	grab w 10
	ungrab w 1

class xextension 2
	query r 10
	use b 1

class pax 6
	pageexec n 1
	emutramp n 1
	mprotect n 1
	randmmap n 1
	randexec n 1
	segmexec n 1

class netlink_route_socket 24
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_firewall_socket 24
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_tcpdiag_socket 24
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_nflog_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_xfrm_socket 24
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_selinux_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_audit_socket 26
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1
	nlmsg_relay w 10
	nlmsg_readpriv r 10

class netlink_ip6fw_socket 24
	nlmsg_read r 10
	nlmsg_write w 10
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_dnrt_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto r 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class netlink_kobject_uevent_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 7
	setattr w 7
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class dbus 2
	acquire_svc b 1
	send_msg w 10

class nscd 8
	getpwd r 7
	getgrp r 7
	gethost r 7
	getstat r 7
	admin w 5
	shmempwd r 7
	shmemgrp r 7
	shmemhost r 7

class association 4
	sendto w 10
	recvfrom r 10
	setcontext w 3
	polmatch r 1

class appletalk_socket 22
	ioctl n 1
	read r 10
	write w 10
	create w 1
	getattr r 1
	setattr w 1
	lock n 1
	relabelfrom r 10
	relabelto w 10
	append w 1
	bind w 1
	connect w 1
	listen r 1
	accept r 1
	getopt r 1
	setopt w 1
	shutdown w 1
	recvfrom r 10
	sendto w 10
	recv_msg r 10
	send_msg w 10
	name_bind n 1

class key 7
	view r 7
	read r 10
	write w 10
	search r 5
	link w 7
	setattr w 7
	create w 10

class packet 3
	send w 10
	recv r 10
	relabelto w 3
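The header above warns that the class count and each class's permission count must be kept in step when the map is edited. The following parser and consistency checker for this file's syntax is an added example, not part of the original map or of any policy-analysis tool; it applies the header's rules (comment lines, a leading class count, `class <name> <num>` headers, `r/w/n/b` mappings, weights 1..10 defaulting to 10) and `flow_weights()` is a constructed illustration of how a map like this scores a rule's read and write flow, not a specific tool's algorithm.

```python
"""Parser and consistency checker for the permission-map syntax described in
the header comment above (added example; not part of the original file or of
any policy-analysis tool; flow_weights() is a constructed scoring)."""
MAPPINGS = {"r": "read", "w": "write", "n": "none", "b": "both"}
DEFAULT_WEIGHT = 10  # the header says 10 applies when no weight is given

def parse_perm_map(text):
    """Return (classes, errors): {class: {perm: (mapping, weight)}} plus every
    syntax or count violation found; an empty error list means consistent."""
    classes, counts, errors, declared, cur = {}, {}, [], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # '#' opens a comment; blanks skipped
        if not tok:
            continue
        if declared is None:  # first data line: total number of object classes
            declared = int(tok[0]) if tok[0].isdigit() else -1
        elif tok[0] == "class" and len(tok) == 3 and tok[2].isdigit():
            cur, counts[tok[1]] = tok[1], int(tok[2])  # <num_permissions>
            classes[cur] = {}
        elif (cur and len(tok) in (2, 3) and tok[1] in MAPPINGS
              and (len(tok) == 2 or tok[2].isdigit())):
            weight = int(tok[2]) if len(tok) == 3 else DEFAULT_WEIGHT
            if not 1 <= weight <= 10:
                errors.append(f"line {n}: weight {weight} outside 1..10")
            classes[cur][tok[0]] = (MAPPINGS[tok[1]], weight)
        else:
            errors.append(f"line {n}: malformed entry {raw.strip()!r}")
    for cls, expected in counts.items():  # each header count must match its entries
        if len(classes[cls]) != expected:
            errors.append(f"class {cls}: header says {expected}, found {len(classes[cls])}")
    if declared != len(classes):
        errors.append(f"header declares {declared} classes, file defines {len(classes)}")
    return classes, errors

def flow_weights(classes, cls, perms):
    """Strongest read/write flow a rule granting `perms` on `cls` opens (constructed)."""
    read = write = 0
    for perm in perms:
        mapping, weight = classes[cls][perm]
        read = max(read, weight) if mapping in ("read", "both") else read
        write = max(write, weight) if mapping in ("write", "both") else write
    return read, write

SAMPLE = """# constructed excerpt in the syntax of the map above
1
class process 3
ptrace b 10
getsched r 1
transition w
"""
```

Running `parse_perm_map` over the full map above returns an empty error list when the 58 class count and every per-class count are consistent; a stale count after an edit shows up as a `header says N, found M` entry.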