########################################

# 

# Support macros for sets of object classes and permissions

#

# This file should only have object class and permission set macros - they

# can only reference object classes and/or permissions.

#

# All directory and file classes

#

define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#

# All non-directory file classes.

#

define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#

# Non-device file classes.

#

define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#

# Device file classes.

#

define(`devfile_class_set', `{ chr_file blk_file }')

#

# All socket classes.

#

define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')

#

# Datagram socket classes.

# 

define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#

# Stream socket classes.

#

define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#

# Unprivileged socket classes (exclude rawip, netlink, packet).

#

define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

########################################

# 

# Macros for sets of permissions

#

# 

# Permissions for getting file attributes.

#

define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')

# 

# Permissions for executing files.

#

define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')

# 

# Permissions for reading files and their attributes.

#

define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')

# 

# Permissions for reading and executing files.

#

define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')

# 

# Permissions for reading and appending to files.

#

define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')

#

# Permissions for linking, unlinking and renaming files.

# 

define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')

#

# Permissions for creating lnk_files.

#

define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')

# 

# Permissions for reading directories and their attributes.

#

define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')

# 

# Permissions for reading and adding names to directories.

#

define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')

#

# Permissions to mount and unmount file systems.

#

define(`mount_fs_perms', `{ mount remount unmount getattr }')

#

# Permissions for using sockets.

# 

define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')

#

# Permissions for creating and using sockets.

# 

define(`create_socket_perms', `{ create rw_socket_perms }')

#

# Permissions for using stream sockets.

# 

define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')

#

# Permissions for creating and using stream sockets.

# 

define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

#

# Permissions for creating and using sockets.

# 

define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

#

# Permissions for creating and using sockets.

# 

define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')

#

# Permissions for creating and using netlink sockets.

# 

define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#

# Permissions for using netlink sockets for operations that modify state.

# 

define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#

# Permissions for using netlink sockets for operations that observe state.

# 

define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')

#

# Permissions for sending all signals.

#

define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#

# Permissions for sending and receiving network packets.

#

define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#

# Permissions for using System V IPC

#

define(`r_sem_perms', `{ associate getattr read unix_read }')

define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')

define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')

define(`r_msgq_perms', `{ associate getattr read unix_read }')

define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')

define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')

define(`r_shm_perms', `{ associate getattr read unix_read }')

define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')

define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

########################################

#

# New permission sets

#

#

# Directory (dir)

#

define(`getattr_dir_perms',`{ getattr }')

define(`setattr_dir_perms',`{ setattr }')

define(`search_dir_perms',`{ getattr search open }')

define(`list_dir_perms',`{ getattr search open read lock ioctl }')

define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')

define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')

define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')

define(`create_dir_perms',`{ getattr create }')

define(`rename_dir_perms',`{ getattr rename }')

define(`delete_dir_perms',`{ getattr rmdir }')

define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')

define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')

define(`relabelto_dir_perms',`{ getattr relabelto }')

define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')

#

# Regular file (file)

#

define(`getattr_file_perms',`{ getattr }')

define(`setattr_file_perms',`{ setattr }')

define(`read_file_perms',`{ getattr open read lock ioctl }')

define(`mmap_file_perms',`{ getattr open read execute ioctl }')

define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')

define(`append_file_perms',`{ getattr open append lock ioctl }')

define(`write_file_perms',`{ getattr open write append lock ioctl }')

define(`rw_file_perms',`{ getattr open read write append ioctl lock }')

define(`create_file_perms',`{ getattr create open }')

define(`rename_file_perms',`{ getattr rename }')

define(`delete_file_perms',`{ getattr unlink }')

define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')

define(`relabelfrom_file_perms',`{ getattr relabelfrom }')

define(`relabelto_file_perms',`{ getattr relabelto }')

define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')

#

# Symbolic link (lnk_file)

#

define(`getattr_lnk_file_perms',`{ getattr }')

define(`setattr_lnk_file_perms',`{ setattr }')

define(`read_lnk_file_perms',`{ getattr read }')

define(`append_lnk_file_perms',`{ getattr append lock ioctl }')

define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')

define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')

define(`create_lnk_file_perms',`{ create getattr }')

define(`rename_lnk_file_perms',`{ getattr rename }')

define(`delete_lnk_file_perms',`{ getattr unlink }')

define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')

define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')

define(`relabelto_lnk_file_perms',`{ getattr relabelto }')

define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')

#

# (Un)named Pipes/FIFOs (fifo_file)

#

define(`getattr_fifo_file_perms',`{ getattr }')

define(`setattr_fifo_file_perms',`{ setattr }')

define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')

define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')

define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')

define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')

define(`create_fifo_file_perms',`{ getattr create open }')

define(`rename_fifo_file_perms',`{ getattr rename }')

define(`delete_fifo_file_perms',`{ getattr unlink }')

define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')

define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')

define(`relabelto_fifo_file_perms',`{ getattr relabelto }')

define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')

#

# (Un)named Sockets (sock_file)

#

define(`getattr_sock_file_perms',`{ getattr }')

define(`setattr_sock_file_perms',`{ setattr }')

define(`read_sock_file_perms',`{ getattr open read }')

define(`write_sock_file_perms',`{ getattr write open append }')

define(`rw_sock_file_perms',`{ getattr open read write append }')

define(`create_sock_file_perms',`{ getattr create open }')

define(`rename_sock_file_perms',`{ getattr rename }')

define(`delete_sock_file_perms',`{ getattr unlink }')

define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')

define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')

define(`relabelto_sock_file_perms',`{ getattr relabelto }')

define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')

#

# Block device nodes (blk_file)

#

define(`getattr_blk_file_perms',`{ getattr }')

define(`setattr_blk_file_perms',`{ setattr }')

define(`read_blk_file_perms',`{ getattr open read lock ioctl }')

define(`append_blk_file_perms',`{ getattr open append lock ioctl }')

define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')

define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')

define(`create_blk_file_perms',`{ getattr create }')

define(`rename_blk_file_perms',`{ getattr rename }')

define(`delete_blk_file_perms',`{ getattr unlink }')

define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')

define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')

define(`relabelto_blk_file_perms',`{ getattr relabelto }')

define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')

#

# Character device nodes (chr_file)

#

define(`getattr_chr_file_perms',`{ getattr }')

define(`setattr_chr_file_perms',`{ setattr }')

define(`read_chr_file_perms',`{ getattr open read lock ioctl }')

define(`append_chr_file_perms',`{ getattr open append lock ioctl }')

define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')

define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')

define(`create_chr_file_perms',`{ getattr create }')

define(`rename_chr_file_perms',`{ getattr rename }')

define(`delete_chr_file_perms',`{ getattr unlink }')

define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')

define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')

define(`relabelto_chr_file_perms',`{ getattr relabelto }')

define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')

########################################

#

# Special permission sets

#

#

# Use (read and write) terminals

#

define(`rw_term_perms', `{ getattr open read write ioctl }')

#

# Sockets

#

define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')

#

# Keys

#

define(`manage_key_perms', `{ create link read search setattr view write } ')