#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# NOTE(review): the capability class later in this file states that
# permission order matters for that class; until confirmed otherwise for
# the policy compiler in use, treat the order of every permission list
# in this file as significant and avoid reordering or sorting entries.


#
# Define a common prefix for file access vectors.
#
# Shared by every file-like class below (dir, file, lnk_file, chr_file,
# blk_file, sock_file and fifo_file all declare `inherits file`).
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#
# Shared by every class that declares `inherits socket`, including all of
# the netlink_*_socket classes defined later in this file.
#

common socket
{
# inherited from file (same names as the first ten entries of common file)
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#
# Shared by the ipc, sem, msgq and shm classes; the msg class does not
# inherit it and defines its own permissions.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#
# Every file-like class below inherits the common file prefix and adds
# open, audit_access and execmod; only file and chr_file additionally
# carry execute_no_trans and entrypoint. The relative order of open /
# audit_access / execmod differs between classes and is left exactly as
# found, since permission order may be significant.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	# directory-only operations on top of the common file prefix
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	# execute_no_trans and entrypoint appear only here and on chr_file
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	# same additions as class file, including execute_no_trans/entrypoint
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

# fd carries a single permission, use, and no common prefix.
class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

# Base socket class: the common socket permissions only, no additions.
class socket
inherits socket

class tcp_socket
inherits socket
{
	# connectto / newconn / acceptfrom are shared with unix_stream_socket;
	# node_bind / name_connect are shared with dccp_socket below
	connectto
	newconn
	acceptfrom
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

# node and netif share the tcp/udp/rawip/dccp recv and send permissions;
# node additionally carries enforce_dest, recvfrom and sendto, while netif
# carries ingress and egress.
class node
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
	dccp_recv
	dccp_send
	recvfrom
	sendto
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	dccp_recv
	dccp_send
	ingress
	egress
}

# Generic netlink class; the per-family netlink_*_socket classes follow
# later in this file.
class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	# Signal permissions are split so that the uncatchable signals and the
	# child-to-parent sigchld can be granted independently of plain signal.
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	# NOTE(review): execmem / execstack / execheap presumably gate
	# executable memory mappings — confirm against the kernel policy docs.
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}


#
# Define the access vector interpretation for ipc-related objects
#
# ipc and sem carry only the common ipc permissions; msgq adds enqueue
# and shm adds lock. msg does not inherit the common prefix.
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

# NOTE(review): load_policy, setenforce, setbool, setsecparam and
# setcheckreqprot all appear to change the security server's own state
# rather than query it; when auditing the rules, check which domains are
# granted these as opposed to the compute_* / check_context queries.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the capability2 class.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# 32 entries follow (capabilities 0-31); do not insert, remove or
	# reorder entries without checking the kernel header named above.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

# Capabilities >= 32, continuing the numbering from class capability;
# the same ordering caveat applies.
class capability2
{
	mac_override # unused by SELinux
	mac_admin # unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Extended Netlink classes
#
# netlink_nflog_socket and netlink_selinux_socket carry only the common
# socket permissions; the other classes in this group add the
# nlmsg_read / nlmsg_write pair.
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

# The audit netlink class extends the usual nlmsg_read / nlmsg_write pair
# with nlmsg_relay, nlmsg_readpriv and nlmsg_tty_audit.
class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	# flow_in / flow_out are marked deprecated but retained in place,
	# since removing them would shift the entries that follow.
	flow_in # deprecated
	flow_out # deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	# same pair as the tail of tcp_socket
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

# The following netlink classes carry only the common socket permissions
# (no nlmsg_* additions).
class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}

class debuggerd
{
	dump_tombstone
	dump_backtrace
}

# NOTE(review): this class uses camelCase permission names and puts the
# opening brace on the class line, unlike the snake_case, brace-on-its-own
# line style used everywhere else in this file. Renaming would change the
# identifiers that rules reference, so the inconsistency is only noted here.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}