1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
# Inherited by the dir, file, lnk_file, chr_file, blk_file, sock_file
# and fifo_file classes below, each of which declares further
# class-specific permissions of its own.
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	quotaon
	mounton
}
30
31
32#
33# Define a common prefix for socket access vectors.
34#
35
# Inherited by the socket class and by every *_socket class below.
# The first ten entries repeat the first ten entries of the file
# common (ioctl .. append), as the inline comment notes; the remaining
# entries are socket-only.
common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}
61
62#
63# Define a common prefix for ipc access vectors.
64#
65
# Inherited by the ipc, sem, msgq and shm classes below.
common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}
78
79#
# Define a common prefix for capability access vectors.
81#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)
	#
	# There are exactly 32 entries here, so a permission's position in
	# this list (chown first, setfcap last) is what ties it to its
	# capability number. Inserting, removing or reordering an entry
	# shifts the meaning of every entry after it without any policy
	# build error, so edits must track the kernel header exactly.
	# Inherited by the capability and cap_userns classes below.

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}
122
# Continues the capability list from number 32 (mac_override) onward,
# per the note in the cap common; the same ordering rule applies.
# mac_override and mac_admin are unused by SELinux but presumably kept
# so the entries after them keep their positions — do not drop them.
# Inherited by the capability2 and cap2_userns classes below.
common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}
132
133#
134# Define the access vectors.
135#
136# class class_name [ inherits common_name ] { permission_name ... }
137
138
139#
140# Define the access vector interpretation for file-related objects.
141#
142
143class filesystem
144{
145	mount
146	remount
147	unmount
148	getattr
149	relabelfrom
150	relabelto
151	associate
152	quotamod
153	quotaget
154}
155
156class dir
157inherits file
158{
159	add_name
160	remove_name
161	reparent
162	search
163	rmdir
164	open
165	audit_access
166	execmod
167}
168
# Adds to the file common. By their names, execute_no_trans, entrypoint
# and execmod are the execution-related permissions; chr_file carries
# the same three, while the other file-like classes carry only execmod.
# NOTE(review): when auditing which domains may run code from a file,
# these three (plus the inherited execute) are the rules to inspect.
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}
178
179class lnk_file
180inherits file
181{
182	open
183	audit_access
184	execmod
185}
186
187class chr_file
188inherits file
189{
190	execute_no_trans
191	entrypoint
192	execmod
193	open
194	audit_access
195}
196
197class blk_file
198inherits file
199{
200	open
201	audit_access
202	execmod
203}
204
205class sock_file
206inherits file
207{
208	open
209	audit_access
210	execmod
211}
212
213class fifo_file
214inherits file
215{
216	open
217	audit_access
218	execmod
219}
220
221class fd
222{
223	use
224}
225
226
227#
228# Define the access vector interpretation for network-related objects.
229#
230
231class socket
232inherits socket
233
234class tcp_socket
235inherits socket
236{
237	node_bind
238	name_connect
239}
240
241class udp_socket
242inherits socket
243{
244	node_bind
245}
246
247class rawip_socket
248inherits socket
249{
250	node_bind
251}
252
253class node
254{
255	recvfrom
256	sendto
257}
258
259class netif
260{
261	ingress
262	egress
263}
264
265class netlink_socket
266inherits socket
267
268class packet_socket
269inherits socket
270
271class key_socket
272inherits socket
273
274class unix_stream_socket
275inherits socket
276{
277	connectto
278}
279
280class unix_dgram_socket
281inherits socket
282
283#
# Define the access vector interpretation for process-related objects.
285#
286
# Process-related checks. The five sig* entries partition the signal
# space: sigchld, sigkill, sigstop and signull are checked individually
# and signal covers every remaining signal (see the inline comments).
# NOTE(review): by name, ptrace, dyntransition, setcurrent and the
# exec* permissions are the sensitive ones in this class; confirm their
# exact kernel checks before widening allow rules on them.
class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
}
320
321
322#
# Define the access vector interpretation for ipc-related objects.
324#
325
326class ipc
327inherits ipc
328
329class sem
330inherits ipc
331
332class msgq
333inherits ipc
334{
335	enqueue
336}
337
338class msg
339{
340	send
341	receive
342}
343
344class shm
345inherits ipc
346{
347	lock
348}
349
350
351#
352# Define the access vector interpretation for the security server.
353#
354
# Permissions on the security server itself. By name, the compute_*
# entries are policy queries, while load_policy, setenforce, setbool,
# setsecparam and setcheckreqprot change the loaded policy or its
# enforcement state (confirm against the kernel's checks). A domain
# granted the latter group can change what every other rule means, so
# allow rules on them belong only to the policy-management domain.
class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}
370
371
372#
373# Define the access vector interpretation for system operations.
374#
375
376class system
377{
378	ipc_info
379	syslog_read
380	syslog_mod
381	syslog_console
382	module_request
383	module_load
384}
385
386#
# Define the access vector interpretation for controlling capabilities.
388#
389
390class capability
391inherits cap
392
393class capability2
394inherits cap2
395
396#
397# Extended Netlink classes
398#
399class netlink_route_socket
400inherits socket
401{
402	nlmsg_read
403	nlmsg_write
404}
405
406class netlink_tcpdiag_socket
407inherits socket
408{
409	nlmsg_read
410	nlmsg_write
411}
412
413class netlink_nflog_socket
414inherits socket
415
416class netlink_xfrm_socket
417inherits socket
418{
419	nlmsg_read
420	nlmsg_write
421}
422
423class netlink_selinux_socket
424inherits socket
425
426class netlink_audit_socket
427inherits socket
428{
429	nlmsg_read
430	nlmsg_write
431	nlmsg_relay
432	nlmsg_readpriv
433	nlmsg_tty_audit
434}
435
436class netlink_dnrt_socket
437inherits socket
438
439# Define the access vector interpretation for controlling
440# access to IPSec network data by association
441#
442class association
443{
444	sendto
445	recvfrom
446	setcontext
447	polmatch
448}
449
450# Updated Netlink class for KOBJECT_UEVENT family.
451class netlink_kobject_uevent_socket
452inherits socket
453
454class appletalk_socket
455inherits socket
456
# flow_in and flow_out are marked deprecated but remain in the list,
# presumably so that existing policy referencing them still builds —
# confirm there are no remaining users before removing them.
class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}
467
468class key
469{
470	view
471	read
472	write
473	search
474	link
475	setattr
476	create
477}
478
479class dccp_socket
480inherits socket
481{
482	node_bind
483	name_connect
484}
485
486class memprotect
487{
488	mmap_zero
489}
490
491# network peer labels
492class peer
493{
494	recv
495}
496
497class kernel_service
498{
499	use_as_override
500	create_files_as
501}
502
503class tun_socket
504inherits socket
505{
506	attach_queue
507}
508
509class binder
510{
511	impersonate
512	call
513	set_context_mgr
514	transfer
515}
516
517class netlink_iscsi_socket
518inherits socket
519
520class netlink_fib_lookup_socket
521inherits socket
522
523class netlink_connector_socket
524inherits socket
525
526class netlink_netfilter_socket
527inherits socket
528
529class netlink_generic_socket
530inherits socket
531
532class netlink_scsitransport_socket
533inherits socket
534
535class netlink_rdma_socket
536inherits socket
537
538class netlink_crypto_socket
539inherits socket
540
541#
542# Define the access vector interpretation for controlling capabilities
543# in user namespaces
544#
545
546class cap_userns
547inherits cap
548
549class cap2_userns
550inherits cap2
551
552
553#
554# Define the access vector interpretation for the new socket classes
555# enabled by the extended_socket_class policy capability.
556#
557
558#
559# The next two classes were previously mapped to rawip_socket and therefore
560# have the same definition as rawip_socket (until further permissions
561# are defined).
562#
563class sctp_socket
564inherits socket
565{
566	node_bind
567}
568
569class icmp_socket
570inherits socket
571{
572	node_bind
573}
574
575#
576# The remaining network socket classes were previously
577# mapped to the socket class and therefore have the
578# same definition as socket.
579#
580
581class ax25_socket
582inherits socket
583
584class ipx_socket
585inherits socket
586
587class netrom_socket
588inherits socket
589
590class atmpvc_socket
591inherits socket
592
593class x25_socket
594inherits socket
595
596class rose_socket
597inherits socket
598
599class decnet_socket
600inherits socket
601
602class atmsvc_socket
603inherits socket
604
605class rds_socket
606inherits socket
607
608class irda_socket
609inherits socket
610
611class pppox_socket
612inherits socket
613
614class llc_socket
615inherits socket
616
617class can_socket
618inherits socket
619
620class tipc_socket
621inherits socket
622
623class bluetooth_socket
624inherits socket
625
626class iucv_socket
627inherits socket
628
629class rxrpc_socket
630inherits socket
631
632class isdn_socket
633inherits socket
634
635class phonet_socket
636inherits socket
637
638class ieee802154_socket
639inherits socket
640
641class caif_socket
642inherits socket
643
644class alg_socket
645inherits socket
646
647class nfc_socket
648inherits socket
649
650class vsock_socket
651inherits socket
652
653class kcm_socket
654inherits socket
655
656class qipcrtr_socket
657inherits socket
658
# The classes from here to the end of the file (property_service,
# service_manager, hwservice_manager, keystore_key, drmservice) have no
# counterpart in the sections above and appear to be platform-specific
# additions; verify against the platform's userspace object managers.
class property_service
{
	set
}
663
664class service_manager
665{
666	add
667	find
668	list
669}
670
671class hwservice_manager
672{
673	add
674	find
675	list
676}
677
678class keystore_key
679{
680	get_state
681	get
682	insert
683	delete
684	exist
685	list
686	reset
687	password
688	lock
689	unlock
690	is_empty
691	sign
692	verify
693	grant
694	duplicate
695	clear_uid
696	add_auth
697	user_changed
698	gen_unique_id
699}
700
# NOTE(review): the permission names here are camelCase and the opening
# brace sits on the class line, unlike the snake_case names and
# brace-on-its-own-line layout used everywhere else in this file.
# Renaming the permissions would break every policy rule that
# references them, so they are left as-is; new entries should at least
# follow this class's existing naming.
class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}
711