# # Define common prefixes for access vectors # # common common_name { permission_name ... } # # Define a common prefix for file access vectors. # common file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads } # # Define a common prefix for socket access vectors. # common socket { # inherited from file ioctl read write create getattr setattr lock relabelfrom relabelto append map # socket-specific bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind } # # Define a common prefix for ipc access vectors. # common ipc { create destroy getattr setattr read write associate unix_read unix_write } # # Define a common for capability access vectors. # common cap { # The capabilities are defined in include/linux/capability.h # Capabilities >= 32 are defined in the cap2 common. # Care should be taken to ensure that these are consistent with # those definitions. (Order matters) chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } common cap2 { mac_override # unused by SELinux mac_admin syslog wake_alarm block_suspend audit_read perfmon } # # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } # # Define the access vector interpretation for file-related objects. # class filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch } class dir inherits file { add_name remove_name reparent search rmdir } class file inherits file { execute_no_trans entrypoint } class lnk_file inherits file class chr_file inherits file { execute_no_trans entrypoint } class blk_file inherits file class sock_file inherits file class fifo_file inherits file class fd { use } # # Define the access vector interpretation for network-related objects. # class socket inherits socket class tcp_socket inherits socket { node_bind name_connect } class udp_socket inherits socket { node_bind } class rawip_socket inherits socket { node_bind } class node { recvfrom sendto } class netif { ingress egress } class netlink_socket inherits socket class packet_socket inherits socket class key_socket inherits socket class unix_stream_socket inherits socket { connectto } class unix_dgram_socket inherits socket # # Define the access vector interpretation for process-related objects # class process { fork transition sigchld # commonly granted from child to parent sigkill # cannot be caught or ignored sigstop # cannot be caught or ignored signull # for kill(pid, 0) signal # all other signals ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit } class process2 { nnp_transition nosuid_transition } # # Define the access vector interpretation for ipc-related objects # class ipc inherits ipc class sem inherits ipc class msgq inherits ipc { enqueue } class msg { send receive } class shm inherits ipc { lock } # # Define the access vector interpretation for the security server. # class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce # was avc_toggle in system class setbool setsecparam setcheckreqprot read_policy validate_trans } # # Define the access vector interpretation for system operations. # class system { ipc_info syslog_read syslog_mod syslog_console module_request module_load } # # Define the access vector interpretation for controlling capabilities # class capability inherits cap class capability2 inherits cap2 # # Extended Netlink classes # class netlink_route_socket inherits socket { nlmsg_read nlmsg_write nlmsg_readpriv } class netlink_tcpdiag_socket inherits socket { nlmsg_read nlmsg_write } class netlink_nflog_socket inherits socket class netlink_xfrm_socket inherits socket { nlmsg_read nlmsg_write } class netlink_selinux_socket inherits socket class netlink_audit_socket inherits socket { nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit } class netlink_dnrt_socket inherits socket # Define the access vector interpretation for controlling # access to IPSec network data by association # class association { sendto recvfrom setcontext polmatch } # Updated Netlink class for KOBJECT_UEVENT family. class netlink_kobject_uevent_socket inherits socket class appletalk_socket inherits socket class packet { send recv relabelto forward_in forward_out } class key { view read write search link setattr create } class dccp_socket inherits socket { node_bind name_connect } class memprotect { mmap_zero } # network peer labels class peer { recv } class kernel_service { use_as_override create_files_as } class tun_socket inherits socket { attach_queue } class binder { impersonate call set_context_mgr transfer } class netlink_iscsi_socket inherits socket class netlink_fib_lookup_socket inherits socket class netlink_connector_socket inherits socket class netlink_netfilter_socket inherits socket class netlink_generic_socket inherits socket class netlink_scsitransport_socket inherits socket class netlink_rdma_socket inherits socket class netlink_crypto_socket inherits socket class infiniband_pkey { access } class infiniband_endport { manage_subnet } # # Define the access vector interpretation for controlling capabilities # in user namespaces # class cap_userns inherits cap class cap2_userns inherits cap2 # # Define the access vector interpretation for the new socket classes # enabled by the extended_socket_class policy capability. # # # The next two classes were previously mapped to rawip_socket and therefore # have the same definition as rawip_socket (until further permissions # are defined). # class sctp_socket inherits socket { node_bind name_connect association } class icmp_socket inherits socket { node_bind } # # The remaining network socket classes were previously # mapped to the socket class and therefore have the # same definition as socket. # class ax25_socket inherits socket class ipx_socket inherits socket class netrom_socket inherits socket class atmpvc_socket inherits socket class x25_socket inherits socket class rose_socket inherits socket class decnet_socket inherits socket class atmsvc_socket inherits socket class rds_socket inherits socket class irda_socket inherits socket class pppox_socket inherits socket class llc_socket inherits socket class can_socket inherits socket class tipc_socket inherits socket class bluetooth_socket inherits socket class iucv_socket inherits socket class rxrpc_socket inherits socket class isdn_socket inherits socket class phonet_socket inherits socket class ieee802154_socket inherits socket class caif_socket inherits socket class alg_socket inherits socket class nfc_socket inherits socket class vsock_socket inherits socket class kcm_socket inherits socket class qipcrtr_socket inherits socket class smc_socket inherits socket class bpf { map_create map_read map_write prog_load prog_run } class property_service { set } class service_manager { add find list } class hwservice_manager { add find list } class keystore_key { get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id } class drmservice { consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread } class xdp_socket inherits socket class perf_event { open cpu kernel tracepoint read write } class lockdown { integrity confidentiality }