1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13	ioctl
14	read
15	write
16	create
17	getattr
18	setattr
19	lock
20	relabelfrom
21	relabelto
22	append
23	map
24	unlink
25	link
26	rename
27	execute
28	quotaon
29	mounton
30}
31
32
33#
34# Define a common prefix for socket access vectors.
35#
36
37common socket
38{
39# the same permissions, in the same order, as the first eleven in the file common above
40	ioctl
41	read
42	write
43	create
44	getattr
45	setattr
46	lock
47	relabelfrom
48	relabelto
49	append
50	map
51# socket-specific
52	bind
53	connect
54	listen
55	accept
56	getopt
57	setopt
58	shutdown
59	recvfrom
60	sendto
61	name_bind
62}
63
64#
65# Define a common prefix for ipc access vectors.
66#
67
68common ipc
69{
70	create
71	destroy
72	getattr
73	setattr
74	read
75	write
76	associate
77	unix_read
78	unix_write
79}
80
81#
82# Define a common prefix for capability access vectors.
83#
84common cap
85{
86	# The capabilities are defined in include/linux/capability.h;
87	# capabilities >= 32 are defined in the cap2 common.
88	# Keep these consistent with those definitions: the order here
89	# must match the kernel's capability numbering. (Order matters)
90
91	chown
92	dac_override
93	dac_read_search
94	fowner
95	fsetid
96	kill
97	setgid
98	setuid
99	setpcap
100	linux_immutable
101	net_bind_service
102	net_broadcast
103	net_admin
104	net_raw
105	ipc_lock
106	ipc_owner
107	sys_module
108	sys_rawio
109	sys_chroot
110	sys_ptrace
111	sys_pacct
112	sys_admin
113	sys_boot
114	sys_nice
115	sys_resource
116	sys_time
117	sys_tty_config
118	mknod
119	lease
120	audit_write
121	audit_control
122	setfcap
123}
124
125common cap2
126{
127	mac_override	# unused by SELinux
128	mac_admin	# unused by SELinux
129	syslog
130	wake_alarm
131	block_suspend
132	audit_read
133}
134
135#
136# Define the access vectors.
137#
138# class class_name [ inherits common_name ] [ { permission_name ... } ]
139
140
141#
142# Define the access vector interpretation for file-related objects.
143#
144
145class filesystem
146{
147	mount
148	remount
149	unmount
150	getattr
151	relabelfrom
152	relabelto
153	associate
154	quotamod
155	quotaget
156}
157
158class dir
159inherits file
160{
161	add_name
162	remove_name
163	reparent
164	search
165	rmdir
166	open
167	audit_access
168	execmod
169}
170
171class file
172inherits file
173{
174	execute_no_trans
175	entrypoint
176	execmod
177	open
178	audit_access
179}
180
181class lnk_file
182inherits file
183{
184	open
185	audit_access
186	execmod
187}
188
189class chr_file
190inherits file
191{
192	execute_no_trans
193	entrypoint
194	execmod
195	open
196	audit_access
197}
198
199class blk_file
200inherits file
201{
202	open
203	audit_access
204	execmod
205}
206
207class sock_file
208inherits file
209{
210	open
211	audit_access
212	execmod
213}
214
215class fifo_file
216inherits file
217{
218	open
219	audit_access
220	execmod
221}
222
223class fd
224{
225	use
226}
227
228
229#
230# Define the access vector interpretation for network-related objects.
231#
232
233class socket
234inherits socket
235
236class tcp_socket
237inherits socket
238{
239	node_bind
240	name_connect
241}
242
243class udp_socket
244inherits socket
245{
246	node_bind
247}
248
249class rawip_socket
250inherits socket
251{
252	node_bind
253}
254
255class node
256{
257	recvfrom
258	sendto
259}
260
261class netif
262{
263	ingress
264	egress
265}
266
267class netlink_socket
268inherits socket
269
270class packet_socket
271inherits socket
272
273class key_socket
274inherits socket
275
276class unix_stream_socket
277inherits socket
278{
279	connectto
280}
281
282class unix_dgram_socket
283inherits socket
284
285#
286# Define the access vector interpretation for process-related objects
287#
288
289class process
290{
291	fork
292	transition
293	sigchld # commonly granted from child to parent
294	sigkill # cannot be caught or ignored
295	sigstop # cannot be caught or ignored
296	signull # for kill(pid, 0)
297	signal  # all other signals
298	ptrace
299	getsched
300	setsched
301	getsession
302	getpgid
303	setpgid
304	getcap
305	setcap
306	share
307	getattr
308	setexec
309	setfscreate
310	noatsecure
311	siginh
312	setrlimit
313	rlimitinh
314	dyntransition
315	setcurrent
316	execmem
317	execstack
318	execheap
319	setkeycreate
320	setsockcreate
321	getrlimit
322}
323
324
325#
326# Define the access vector interpretation for ipc-related objects
327#
328
329class ipc
330inherits ipc
331
332class sem
333inherits ipc
334
335class msgq
336inherits ipc
337{
338	enqueue
339}
340
341class msg
342{
343	send
344	receive
345}
346
347class shm
348inherits ipc
349{
350	lock
351}
352
353
354#
355# Define the access vector interpretation for the security server.
356#
357
358class security
359{
360	compute_av
361	compute_create
362	compute_member
363	check_context
364	load_policy
365	compute_relabel
366	compute_user
367	setenforce     # was avc_toggle in system class
368	setbool
369	setsecparam
370	setcheckreqprot
371	read_policy
372	validate_trans
373}
374
375
376#
377# Define the access vector interpretation for system operations.
378#
379
380class system
381{
382	ipc_info
383	syslog_read
384	syslog_mod
385	syslog_console
386	module_request
387	module_load
388}
389
390#
391# Define the access vector interpretation for controlling capabilities
392#
393
394class capability
395inherits cap
396
397class capability2
398inherits cap2
399
400#
401# Extended Netlink classes
402#
403class netlink_route_socket
404inherits socket
405{
406	nlmsg_read
407	nlmsg_write
408}
409
410class netlink_tcpdiag_socket
411inherits socket
412{
413	nlmsg_read
414	nlmsg_write
415}
416
417class netlink_nflog_socket
418inherits socket
419
420class netlink_xfrm_socket
421inherits socket
422{
423	nlmsg_read
424	nlmsg_write
425}
426
427class netlink_selinux_socket
428inherits socket
429
430class netlink_audit_socket
431inherits socket
432{
433	nlmsg_read
434	nlmsg_write
435	nlmsg_relay
436	nlmsg_readpriv
437	nlmsg_tty_audit
438}
439
440class netlink_dnrt_socket
441inherits socket
442
443# Define the access vector interpretation for controlling
444# access to IPSec network data by association
445#
446class association
447{
448	sendto
449	recvfrom
450	setcontext
451	polmatch
452}
453
454# Updated Netlink class for KOBJECT_UEVENT family.
455class netlink_kobject_uevent_socket
456inherits socket
457
458class appletalk_socket
459inherits socket
460
461class packet
462{
463	send
464	recv
465	relabelto
466	flow_in		# deprecated
467	flow_out	# deprecated
468	forward_in
469	forward_out
470}
471
472class key
473{
474	view
475	read
476	write
477	search
478	link
479	setattr
480	create
481}
482
483class dccp_socket
484inherits socket
485{
486	node_bind
487	name_connect
488}
489
490class memprotect
491{
492	mmap_zero
493}
494
495# network peer labels
496class peer
497{
498	recv
499}
500
501class kernel_service
502{
503	use_as_override
504	create_files_as
505}
506
507class tun_socket
508inherits socket
509{
510	attach_queue
511}
512
513class binder
514{
515	impersonate
516	call
517	set_context_mgr
518	transfer
519}
520
521class netlink_iscsi_socket
522inherits socket
523
524class netlink_fib_lookup_socket
525inherits socket
526
527class netlink_connector_socket
528inherits socket
529
530class netlink_netfilter_socket
531inherits socket
532
533class netlink_generic_socket
534inherits socket
535
536class netlink_scsitransport_socket
537inherits socket
538
539class netlink_rdma_socket
540inherits socket
541
542class netlink_crypto_socket
543inherits socket
544
545#
546# Define the access vector interpretation for controlling capabilities
547# in user namespaces (these reuse the cap and cap2 commons defined above).
548#
549
550class cap_userns
551inherits cap
552
553class cap2_userns
554inherits cap2
555
556
557#
558# Define the access vector interpretation for the new socket classes
559# enabled by the extended_socket_class policy capability.
560#
561
562#
563# The next two classes were previously mapped to rawip_socket and therefore
564# have the same definition as rawip_socket (until further permissions
565# are defined).
566#
567class sctp_socket
568inherits socket
569{
570	node_bind
571}
572
573class icmp_socket
574inherits socket
575{
576	node_bind
577}
578
579#
580# The remaining network socket classes were previously
581# mapped to the socket class and therefore have the
582# same definition as socket.
583#
584
585class ax25_socket
586inherits socket
587
588class ipx_socket
589inherits socket
590
591class netrom_socket
592inherits socket
593
594class atmpvc_socket
595inherits socket
596
597class x25_socket
598inherits socket
599
600class rose_socket
601inherits socket
602
603class decnet_socket
604inherits socket
605
606class atmsvc_socket
607inherits socket
608
609class rds_socket
610inherits socket
611
612class irda_socket
613inherits socket
614
615class pppox_socket
616inherits socket
617
618class llc_socket
619inherits socket
620
621class can_socket
622inherits socket
623
624class tipc_socket
625inherits socket
626
627class bluetooth_socket
628inherits socket
629
630class iucv_socket
631inherits socket
632
633class rxrpc_socket
634inherits socket
635
636class isdn_socket
637inherits socket
638
639class phonet_socket
640inherits socket
641
642class ieee802154_socket
643inherits socket
644
645class caif_socket
646inherits socket
647
648class alg_socket
649inherits socket
650
651class nfc_socket
652inherits socket
653
654class vsock_socket
655inherits socket
656
657class kcm_socket
658inherits socket
659
660class qipcrtr_socket
661inherits socket
662
663class smc_socket
664inherits socket
665
666class property_service
667{
668	set
669}
670
671class service_manager
672{
673	add
674	find
675	list
676}
677
678class hwservice_manager
679{
680	add
681	find
682	list
683}
684
685class keystore_key
686{
687	get_state
688	get
689	insert
690	delete
691	exist
692	list
693	reset
694	password
695	lock
696	unlock
697	is_empty
698	sign
699	verify
700	grant
701	duplicate
702	clear_uid
703	add_auth
704	user_changed
705	gen_unique_id
706}
707
708class drmservice {
709	consumeRights
710	setPlaybackStatus
711	openDecryptSession
712	closeDecryptSession
713	initializeDecryptUnit
714	decrypt
715	finalizeDecryptUnit
716	pread
717}
718