#

# Define common prefixes for access vectors

#

# common common_name { permission_name ... }

#

# Define a common prefix for file access vectors.

#

common file

{

	ioctl

	read

	write

	create

	getattr

	setattr

	lock

	relabelfrom

	relabelto

	append

	unlink

	link

	rename

	execute

	swapon

	quotaon

	mounton

}

#

# Define a common prefix for socket access vectors.

#

common socket

{

# inherited from file

	ioctl

	read

	write

	create

	getattr

	setattr

	lock

	relabelfrom

	relabelto

	append

# socket-specific

	bind

	connect

	listen

	accept

	getopt

	setopt

	shutdown

	recvfrom

	sendto

	recv_msg

	send_msg

	name_bind

}	

#

# Define a common prefix for ipc access vectors.

#

common ipc

{

	create

	destroy

	getattr

	setattr

	read

	write

	associate

	unix_read

	unix_write

}

#

#  Define a common prefix for userspace database object access vectors.

#

common database

{

	create

	drop

	getattr

	setattr

	relabelfrom

	relabelto

}

#

# Define the access vectors.

#

# class class_name [ inherits common_name ] { permission_name ... }

#

# Define the access vector interpretation for file-related objects.

#

class filesystem

{

	mount

	remount

	unmount

	getattr

	relabelfrom

	relabelto

	transition

	associate

	quotamod

	quotaget

}

class dir

inherits file

{

	add_name

	remove_name

	reparent

	search

	rmdir

	open

}

class file

inherits file

{

	execute_no_trans

	entrypoint

	execmod

	open

}

class lnk_file

inherits file

class chr_file

inherits file

{

	execute_no_trans

	entrypoint

	execmod

	open

}

class blk_file

inherits file

{

	open

}

class sock_file

inherits file

class fifo_file

inherits file

{

	open

}

class fd

{

	use

}

#

# Define the access vector interpretation for network-related objects.

#

class socket

inherits socket

class tcp_socket

inherits socket

{

	connectto

	newconn

	acceptfrom

	node_bind

	name_connect

}

class udp_socket

inherits socket

{

	node_bind

}

class rawip_socket

inherits socket

{

	node_bind

}

class node 

{

	tcp_recv

	tcp_send

	udp_recv

	udp_send

	rawip_recv

	rawip_send

	enforce_dest

	dccp_recv

	dccp_send

	recvfrom

	sendto

}

class netif

{

	tcp_recv

	tcp_send

	udp_recv

	udp_send

	rawip_recv

	rawip_send

	dccp_recv

	dccp_send

	ingress

	egress

}

class netlink_socket

inherits socket

class packet_socket

inherits socket

class key_socket

inherits socket

class unix_stream_socket

inherits socket

{

	connectto

	newconn

	acceptfrom

}

class unix_dgram_socket

inherits socket

#

# Define the access vector interpretation for process-related objects

#

class process

{

	fork

	transition

	sigchld # commonly granted from child to parent

	sigkill # cannot be caught or ignored

	sigstop # cannot be caught or ignored

	signull # for kill(pid, 0)

	signal  # all other signals

	ptrace

	getsched

	setsched

	getsession

	getpgid

	setpgid

	getcap

	setcap

	share

	getattr

	setexec

	setfscreate

	noatsecure

	siginh

	setrlimit

	rlimitinh

	dyntransition

	setcurrent

	execmem

	execstack

	execheap

	setkeycreate

	setsockcreate

}

#

# Define the access vector interpretation for ipc-related objects

#

class ipc

inherits ipc

class sem

inherits ipc

class msgq

inherits ipc

{

	enqueue

}

class msg

{

	send

	receive

}

class shm

inherits ipc

{

	lock

}

#

# Define the access vector interpretation for the security server. 

#

class security

{

	compute_av

	compute_create

	compute_member

	check_context

	load_policy

	compute_relabel

	compute_user

	setenforce     # was avc_toggle in system class

	setbool

	setsecparam

	setcheckreqprot

}

#

# Define the access vector interpretation for system operations.

#

class system

{

	ipc_info

	syslog_read  

	syslog_mod

	syslog_console

}

#

# Define the access vector interpretation for controling capabilies

#

class capability

{

	# The capabilities are defined in include/linux/capability.h

	# Capabilities >= 32 are defined in the capability2 class.

	# Care should be taken to ensure that these are consistent with

	# those definitions. (Order matters)

	chown           

	dac_override    

	dac_read_search 

	fowner          

	fsetid          

	kill            

	setgid           

	setuid           

	setpcap          

	linux_immutable  

	net_bind_service 

	net_broadcast    

	net_admin        

	net_raw          

	ipc_lock         

	ipc_owner        

	sys_module       

	sys_rawio        

	sys_chroot       

	sys_ptrace       

	sys_pacct        

	sys_admin        

	sys_boot         

	sys_nice         

	sys_resource     

	sys_time         

	sys_tty_config  

	mknod

	lease

	audit_write

	audit_control

	setfcap

}

class capability2 

{

	mac_override	# unused by SELinux

	mac_admin	# unused by SELinux

}

#

# Define the access vector interpretation for controlling

# changes to passwd information.

#

class passwd

{

	passwd	# change another user passwd

	chfn	# change another user finger info

	chsh	# change another user shell

	rootok  # pam_rootok check (skip auth)

	crontab # crontab on another user

}

#

# SE-X Windows stuff

#

class x_drawable

{

	create

	destroy

	read

	write

	blend

	getattr

	setattr

	list_child

	add_child

	remove_child

	list_property

	get_property

	set_property

	manage

	override

	show

	hide

	send

	receive

}

class x_screen

{

	getattr

	setattr

	hide_cursor

	show_cursor

	saver_getattr

	saver_setattr

	saver_hide

	saver_show

}

class x_gc

{

	create

	destroy

	getattr

	setattr

	use

}

class x_font

{

	create

	destroy

	getattr

	add_glyph

	remove_glyph

	use

}

class x_colormap

{

	create

	destroy

	read

	write

	getattr

	add_color

	remove_color

	install

	uninstall

	use

}

class x_property

{

	create

	destroy

	read

	write

	append

	getattr

	setattr

}

class x_selection

{

	read

	write

	getattr

	setattr

}

class x_cursor

{

	create

	destroy

	read

	write

	getattr

	setattr

	use

}

class x_client

{

	destroy

	getattr

	setattr

	manage

}

class x_device

{

	getattr

	setattr

	use

	read

	write

	getfocus

	setfocus

	bell

	force_cursor

	freeze

	grab

	manage

}

class x_server

{

	getattr

	setattr

	record

	debug

	grab

	manage

}

class x_extension

{

	query

	use

}

class x_resource

{

	read

	write

}

class x_event

{

	send

	receive

}

class x_synthetic_event

{

	send

	receive

}

#

# Extended Netlink classes

#

class netlink_route_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

}

class netlink_firewall_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

}

class netlink_tcpdiag_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

}

class netlink_nflog_socket

inherits socket

class netlink_xfrm_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

}

class netlink_selinux_socket

inherits socket

class netlink_audit_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

	nlmsg_relay

	nlmsg_readpriv

}

class netlink_ip6fw_socket

inherits socket

{

	nlmsg_read

	nlmsg_write

}

class netlink_dnrt_socket

inherits socket

# Define the access vector interpretation for controlling

# access and communication through the D-BUS messaging

# system.

#

class dbus

{

	acquire_svc

	send_msg

}

# Define the access vector interpretation for controlling

# access through the name service cache daemon (nscd).

#

class nscd

{

	getpwd

	getgrp

	gethost

	getstat

	admin

	shmempwd

	shmemgrp

	shmemhost

	getserv

	shmemserv

}

# Define the access vector interpretation for controlling

# access to IPSec network data by association

#

class association

{

	sendto

	recvfrom

	setcontext

	polmatch

}

# Updated Netlink class for KOBJECT_UEVENT family.

class netlink_kobject_uevent_socket

inherits socket

class appletalk_socket

inherits socket

class packet

{

	send

	recv

	relabelto

	flow_in		# not currently in use

	flow_out	# not currently in use

	forward_in

	forward_out

}

class key

{

	view

	read

	write

	search

	link

	setattr

	create

}

class context

{

	translate

	contains

}

class dccp_socket

inherits socket

{

	node_bind

	name_connect

}

class memprotect

{

	mmap_zero

}

class db_database

inherits database

{

	access

	install_module

	load_module

	get_param

	set_param

}

class db_table

inherits database

{

	use

	select

	update

	insert

	delete

	lock

}

class db_procedure

inherits database

{

	execute

	entrypoint

}

class db_column

inherits database

{

	use

	select

	update

	insert

}

class db_tuple

{

	relabelfrom

	relabelto

	use

	select

	update

	insert

	delete

}

class db_blob

inherits database

{

	read

	write

	import

	export

}

# network peer labels

class peer

{

	recv

}

class x_application_data

{

	paste

	paste_after_confirm

	copy

}