#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common prefix for userspace database object access vectors.
#
common database
{
create
drop
getattr
setattr
relabelfrom
relabelto
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
open
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
open
}
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
open
}
class blk_file
inherits file
{
open
}
class sock_file
inherits file
class fifo_file
inherits file
{
open
}
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
dccp_recv
dccp_send
recvfrom
sendto
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
dccp_recv
dccp_send
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the capability2 class.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
class x_drawable
{
create
destroy
read
write
blend
getattr
setattr
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive
}
class x_screen
{
getattr
setattr
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show
}
class x_gc
{
create
destroy
getattr
setattr
use
}
class x_font
{
create
destroy
getattr
add_glyph
remove_glyph
use
}
class x_colormap
{
create
destroy
read
write
getattr
add_color
remove_color
install
uninstall
use
}
class x_property
{
create
destroy
read
write
append
getattr
setattr
}
class x_selection
{
read
write
getattr
setattr
}
class x_cursor
{
create
destroy
read
write
getattr
setattr
use
}
class x_client
{
destroy
getattr
setattr
manage
}
class x_device
{
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
}
class x_server
{
getattr
setattr
record
debug
grab
manage
}
class x_extension
{
query
use
}
class x_resource
{
read
write
}
class x_event
{
send
receive
}
class x_synthetic_event
{
send
receive
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
}
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
getserv
shmemserv
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
flow_in # not currently in use
flow_out # not currently in use
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class context
{
translate
contains
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
class db_database
inherits database
{
access
install_module
load_module
get_param
set_param
}
class db_table
inherits database
{
use
select
update
insert
delete
lock
}
class db_procedure
inherits database
{
execute
entrypoint
}
class db_column
inherits database
{
use
select
update
insert
}
class db_tuple
{
relabelfrom
relabelto
use
select
update
insert
delete
}
class db_blob
inherits database
{
read
write
import
export
}
# network peer labels
class peer
{
recv
}