1#
2# Define common prefixes for access vectors
3#
4# common common_name { permission_name ... }
5
6
7#
8# Define a common prefix for file access vectors.
9#
10
11common file
12{
13	ioctl
14	read
15	write
16	create
17	getattr
18	setattr
19	lock
20	relabelfrom
21	relabelto
22	append
23	map
24	unlink
25	link
26	rename
27	execute
28	quotaon
29	mounton
30	audit_access
31	open
32	execmod
33	watch
34	watch_mount
35	watch_sb
36	watch_with_perm
37	watch_reads
38}
39
40
41#
42# Define a common prefix for socket access vectors.
43#
44
45common socket
46{
47# copied from the file common (same first eleven permissions, in the same order)
48	ioctl
49	read
50	write
51	create
52	getattr
53	setattr
54	lock
55	relabelfrom
56	relabelto
57	append
58	map
59# socket-specific
60	bind
61	connect
62	listen
63	accept
64	getopt
65	setopt
66	shutdown
67	recvfrom
68	sendto
69	name_bind
70}
71
72#
73# Define a common prefix for ipc access vectors.
74#
75
76common ipc
77{
78	create
79	destroy
80	getattr
81	setattr
82	read
83	write
84	associate
85	unix_read
86	unix_write
87}
88
89#
90# Define a common prefix for capability access vectors.
91#
92common cap
93{
94	# The capabilities are defined in include/linux/capability.h.
95	# Capabilities >= 32 are defined in the cap2 common.
96	# Care must be taken to keep these consistent with those
97	# definitions, including the order of the entries (order matters).
98
99	chown
100	dac_override
101	dac_read_search
102	fowner
103	fsetid
104	kill
105	setgid
106	setuid
107	setpcap
108	linux_immutable
109	net_bind_service
110	net_broadcast
111	net_admin
112	net_raw
113	ipc_lock
114	ipc_owner
115	sys_module
116	sys_rawio
117	sys_chroot
118	sys_ptrace
119	sys_pacct
120	sys_admin
121	sys_boot
122	sys_nice
123	sys_resource
124	sys_time
125	sys_tty_config
126	mknod
127	lease
128	audit_write
129	audit_control
130	setfcap
131}
132
133common cap2
134{
135	mac_override	# unused by SELinux
136	mac_admin
137	syslog
138	wake_alarm
139	block_suspend
140	audit_read
141	perfmon
142}
143
144#
145# Define the access vectors.
146#
147# class class_name [ inherits common_name ] { permission_name ... }
148
149
150#
151# Define the access vector interpretation for file-related objects.
152#
153
154class filesystem
155{
156	mount
157	remount
158	unmount
159	getattr
160	relabelfrom
161	relabelto
162	associate
163	quotamod
164	quotaget
165	watch
166}
167
168class dir
169inherits file
170{
171	add_name
172	remove_name
173	reparent
174	search
175	rmdir
176}
177
178class file
179inherits file
180{
181	execute_no_trans
182	entrypoint
183}
184
185class lnk_file
186inherits file
187
188class chr_file
189inherits file
190{
191	execute_no_trans
192	entrypoint
193}
194
195class blk_file
196inherits file
197
198class sock_file
199inherits file
200
201class fifo_file
202inherits file
203
204class fd
205{
206	use
207}
208
209
210#
211# Define the access vector interpretation for network-related objects.
212#
213
214class socket
215inherits socket
216
217class tcp_socket
218inherits socket
219{
220	node_bind
221	name_connect
222}
223
224class udp_socket
225inherits socket
226{
227	node_bind
228}
229
230class rawip_socket
231inherits socket
232{
233	node_bind
234}
235
236class node
237{
238	recvfrom
239	sendto
240}
241
242class netif
243{
244	ingress
245	egress
246}
247
248class netlink_socket
249inherits socket
250
251class packet_socket
252inherits socket
253
254class key_socket
255inherits socket
256
257class unix_stream_socket
258inherits socket
259{
260	connectto
261}
262
263class unix_dgram_socket
264inherits socket
265
266#
267# Define the access vector interpretation for process-related objects
268#
269
270class process
271{
272	fork
273	transition
274	sigchld # commonly granted from child to parent
275	sigkill # cannot be caught or ignored
276	sigstop # cannot be caught or ignored
277	signull # for kill(pid, 0)
278	signal  # all other signals
279	ptrace
280	getsched
281	setsched
282	getsession
283	getpgid
284	setpgid
285	getcap
286	setcap
287	share
288	getattr
289	setexec
290	setfscreate
291	noatsecure
292	siginh
293	setrlimit
294	rlimitinh
295	dyntransition
296	setcurrent
297	execmem
298	execstack
299	execheap
300	setkeycreate
301	setsockcreate
302	getrlimit
303}
304
305class process2
306{
307	nnp_transition
308	nosuid_transition
309}
310
311#
312# Define the access vector interpretation for ipc-related objects
313#
314
315class ipc
316inherits ipc
317
318class sem
319inherits ipc
320
321class msgq
322inherits ipc
323{
324	enqueue
325}
326
327class msg
328{
329	send
330	receive
331}
332
333class shm
334inherits ipc
335{
336	lock
337}
338
339
340#
341# Define the access vector interpretation for the security server.
342#
343
344class security
345{
346	compute_av
347	compute_create
348	compute_member
349	check_context
350	load_policy
351	compute_relabel
352	compute_user
353	setenforce     # was avc_toggle in system class
354	setbool
355	setsecparam
356	setcheckreqprot
357	read_policy
358	validate_trans
359}
360
361
362#
363# Define the access vector interpretation for system operations.
364#
365
366class system
367{
368	ipc_info
369	syslog_read
370	syslog_mod
371	syslog_console
372	module_request
373	module_load
374}
375
376#
377# Define the access vector interpretation for controlling capabilities
378#
379
380class capability
381inherits cap
382
383class capability2
384inherits cap2
385
386#
387# Extended Netlink classes
388#
389class netlink_route_socket
390inherits socket
391{
392	nlmsg_read
393	nlmsg_write
394	nlmsg_readpriv
395}
396
397class netlink_tcpdiag_socket
398inherits socket
399{
400	nlmsg_read
401	nlmsg_write
402}
403
404class netlink_nflog_socket
405inherits socket
406
407class netlink_xfrm_socket
408inherits socket
409{
410	nlmsg_read
411	nlmsg_write
412}
413
414class netlink_selinux_socket
415inherits socket
416
417class netlink_audit_socket
418inherits socket
419{
420	nlmsg_read
421	nlmsg_write
422	nlmsg_relay
423	nlmsg_readpriv
424	nlmsg_tty_audit
425}
426
427class netlink_dnrt_socket
428inherits socket
429
430# Define the access vector interpretation for controlling
431# access to IPSec network data by association
432#
433class association
434{
435	sendto
436	recvfrom
437	setcontext
438	polmatch
439}
440
441# Updated Netlink class for KOBJECT_UEVENT family.
442class netlink_kobject_uevent_socket
443inherits socket
444
445class appletalk_socket
446inherits socket
447
448class packet
449{
450	send
451	recv
452	relabelto
453	forward_in
454	forward_out
455}
456
457class key
458{
459	view
460	read
461	write
462	search
463	link
464	setattr
465	create
466}
467
468class dccp_socket
469inherits socket
470{
471	node_bind
472	name_connect
473}
474
475class memprotect
476{
477	mmap_zero
478}
479
480# network peer labels
481class peer
482{
483	recv
484}
485
486class kernel_service
487{
488	use_as_override
489	create_files_as
490}
491
492class tun_socket
493inherits socket
494{
495	attach_queue
496}
497
498class binder
499{
500	impersonate
501	call
502	set_context_mgr
503	transfer
504}
505
506class netlink_iscsi_socket
507inherits socket
508
509class netlink_fib_lookup_socket
510inherits socket
511
512class netlink_connector_socket
513inherits socket
514
515class netlink_netfilter_socket
516inherits socket
517
518class netlink_generic_socket
519inherits socket
520
521class netlink_scsitransport_socket
522inherits socket
523
524class netlink_rdma_socket
525inherits socket
526
527class netlink_crypto_socket
528inherits socket
529
530class infiniband_pkey
531{
532	access
533}
534
535class infiniband_endport
536{
537	manage_subnet
538}
539
540#
541# Define the access vector interpretation for controlling capabilities
542# in user namespaces
543#
544
545class cap_userns
546inherits cap
547
548class cap2_userns
549inherits cap2
550
551
552#
553# Define the access vector interpretation for the new socket classes
554# enabled by the extended_socket_class policy capability.
555#
556
557#
558# The next two classes were previously mapped to rawip_socket and therefore
559# have the same definition as rawip_socket until further permissions are
560# defined (sctp_socket already adds name_connect and association).
561#
562class sctp_socket
563inherits socket
564{
565	node_bind
566	name_connect
567	association
568}
569
570class icmp_socket
571inherits socket
572{
573	node_bind
574}
575
576#
577# The remaining network socket classes were previously
578# mapped to the socket class and therefore have the
579# same definition as socket.
580#
581
582class ax25_socket
583inherits socket
584
585class ipx_socket
586inherits socket
587
588class netrom_socket
589inherits socket
590
591class atmpvc_socket
592inherits socket
593
594class x25_socket
595inherits socket
596
597class rose_socket
598inherits socket
599
600class decnet_socket
601inherits socket
602
603class atmsvc_socket
604inherits socket
605
606class rds_socket
607inherits socket
608
609class irda_socket
610inherits socket
611
612class pppox_socket
613inherits socket
614
615class llc_socket
616inherits socket
617
618class can_socket
619inherits socket
620
621class tipc_socket
622inherits socket
623
624class bluetooth_socket
625inherits socket
626
627class iucv_socket
628inherits socket
629
630class rxrpc_socket
631inherits socket
632
633class isdn_socket
634inherits socket
635
636class phonet_socket
637inherits socket
638
639class ieee802154_socket
640inherits socket
641
642class caif_socket
643inherits socket
644
645class alg_socket
646inherits socket
647
648class nfc_socket
649inherits socket
650
651class vsock_socket
652inherits socket
653
654class kcm_socket
655inherits socket
656
657class qipcrtr_socket
658inherits socket
659
660class smc_socket
661inherits socket
662
663class bpf
664{
665	map_create
666	map_read
667	map_write
668	prog_load
669	prog_run
670}
671
672class property_service
673{
674	set
675}
676
677class service_manager
678{
679	add
680	find
681	list
682}
683
684class hwservice_manager
685{
686	add
687	find
688	list
689}
690
691class keystore_key
692{
693	get_state
694	get
695	insert
696	delete
697	exist
698	list
699	reset
700	password
701	lock
702	unlock
703	is_empty
704	sign
705	verify
706	grant
707	duplicate
708	clear_uid
709	add_auth
710	user_changed
711	gen_unique_id
712}
713
714class drmservice {
715	consumeRights
716	setPlaybackStatus
717	openDecryptSession
718	closeDecryptSession
719	initializeDecryptUnit
720	decrypt
721	finalizeDecryptUnit
722	pread
723}
724
725class xdp_socket
726inherits socket
727
728class perf_event
729{
730	open
731	cpu
732	kernel
733	tracepoint
734	read
735	write
736}
737
738class lockdown
739{
740	integrity
741	confidentiality
742}
743