// // Define common prefixes for access vectors // // common common_name { permission_name ... } // // Define a common prefix for file access vectors. // common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } // // Define a common prefix for socket access vectors. // common socket { // inherited from file ioctl read write create getattr setattr lock relabelfrom relabelto append // socket-specific bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind } // // Define a common prefix for ipc access vectors. // common ipc { create destroy getattr setattr read write associate unix_read unix_write } // // Define a common prefix for userspace database object access vectors. // common database { create drop getattr setattr relabelfrom relabelto } // // Define a common prefix for pointer and keyboard access vectors. // common x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy } // // Define the access vectors. // // class class_name [ inherits common_name ] { permission_name ... } // // Define the access vector interpretation for file-related objects. // class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget } class dir inherits file { add_name remove_name reparent search rmdir open } class file inherits file { execute_no_trans entrypoint execmod open } class lnk_file inherits file class chr_file inherits file { execute_no_trans entrypoint execmod open } class blk_file inherits file { open } class sock_file inherits file { open } class fifo_file inherits file { open } class fd { use } // // Define the access vector interpretation for network-related objects. // class socket inherits socket class tcp_socket inherits socket { connectto newconn acceptfrom node_bind name_connect } class udp_socket inherits socket { node_bind } class rawip_socket inherits socket { node_bind } class node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto } class netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress } class netlink_socket inherits socket class packet_socket inherits socket class key_socket inherits socket class unix_stream_socket inherits socket { connectto newconn acceptfrom } class unix_dgram_socket inherits socket // // Define the access vector interpretation for process-related objects // class process { fork transition sigchld // commonly granted from child to parent sigkill // cannot be caught or ignored sigstop // cannot be caught or ignored signull // for kill(pid, 0) signal // all other signals ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate } // // Define the access vector interpretation for ipc-related objects // class ipc inherits ipc class sem inherits ipc class msgq inherits ipc { enqueue } class msg { send receive } class shm inherits ipc { lock } // // Define the access vector interpretation for the security server. // class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce // was avc_toggle in system class setbool setsecparam setcheckreqprot } // // Define the access vector interpretation for system operations. // class system { ipc_info syslog_read syslog_mod syslog_console module_request } // // Define the access vector interpretation for controling capabilies // class capability { // The capabilities are defined in include/linux/capability.h // Capabilities >= 32 are defined in the capability2 class. // Care should be taken to ensure that these are consistent with // those definitions. (Order matters) chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } class capability2 { mac_override // unused by SELinux mac_admin // unused by SELinux } // // Define the access vector interpretation for controlling // changes to passwd information. // class passwd { passwd // change another user passwd chfn // change another user finger info chsh // change another user shell rootok // pam_rootok check (skip auth) crontab // crontab on another user } // // SE-X Windows stuff // class x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive } class x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show } class x_gc { create destroy getattr setattr use } class x_font { create destroy getattr add_glyph remove_glyph use } class x_colormap { create destroy read write getattr add_color remove_color install uninstall use } class x_property { create destroy read write append getattr setattr } class x_selection { read write getattr setattr } class x_cursor { create destroy read write getattr setattr use } class x_client { destroy getattr setattr manage } class x_device inherits x_device class x_server { getattr setattr record debug grab manage } class x_extension { query use } class x_resource { read write } class x_event { send receive } class x_synthetic_event { send receive } // // Extended Netlink classes // class netlink_route_socket inherits socket { nlmsg_read nlmsg_write } class netlink_firewall_socket inherits socket { nlmsg_read nlmsg_write } class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write } class netlink_nflog_socket inherits socket class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write } class netlink_selinux_socket inherits socket class netlink_audit_socket inherits socket { nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit } class netlink_ip6fw_socket inherits socket { nlmsg_read nlmsg_write } class netlink_dnrt_socket inherits socket // Define the access vector interpretation for controlling // access and communication through the D-BUS messaging // system. // class dbus { acquire_svc send_msg } // Define the access vector interpretation for controlling // access through the name service cache daemon (nscd). // class nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv } // Define the access vector interpretation for controlling // access to IPSec network data by association // class association { sendto recvfrom setcontext polmatch } // Updated Netlink class for KOBJECT_UEVENT family. class netlink_kobject_uevent_socket inherits socket class appletalk_socket inherits socket class packet { send recv relabelto flow_in // deprecated flow_out // deprecated forward_in forward_out } class key { view read write search link setattr create } class context { translate contains } class dccp_socket inherits socket { node_bind name_connect } class memprotect { mmap_zero } class db_database inherits database { access install_module load_module get_param // deprecated set_param // deprecated } class db_table inherits database { use // deprecated select update insert delete lock } class db_procedure inherits database { execute entrypoint install } class db_column inherits database { use // deprecated select update insert } class db_tuple { relabelfrom relabelto use // deprecated select update insert delete } class db_blob inherits database { read write import export } // network peer labels class peer { recv } class x_application_data { paste paste_after_confirm copy } class kernel_service { use_as_override create_files_as } class tun_socket inherits socket class x_pointer inherits x_device class x_keyboard inherits x_device