883 lines
8.9 KiB
Plaintext
883 lines
8.9 KiB
Plaintext
|
#
|
||
|
# Define common prefixes for access vectors
|
||
|
#
|
||
|
# common common_name { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for file access vectors.
|
||
|
#
|
||
|
|
||
|
common file
|
||
|
{
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
unlink
|
||
|
link
|
||
|
rename
|
||
|
execute
|
||
|
swapon
|
||
|
quotaon
|
||
|
mounton
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for socket access vectors.
|
||
|
#
|
||
|
|
||
|
common socket
|
||
|
{
|
||
|
# inherited from file
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
# socket-specific
|
||
|
bind
|
||
|
connect
|
||
|
listen
|
||
|
accept
|
||
|
getopt
|
||
|
setopt
|
||
|
shutdown
|
||
|
recvfrom
|
||
|
sendto
|
||
|
recv_msg
|
||
|
send_msg
|
||
|
name_bind
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for ipc access vectors.
|
||
|
#
|
||
|
|
||
|
common ipc
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
getattr
|
||
|
setattr
|
||
|
read
|
||
|
write
|
||
|
associate
|
||
|
unix_read
|
||
|
unix_write
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for userspace database object access vectors.
|
||
|
#
|
||
|
|
||
|
common database
|
||
|
{
|
||
|
create
|
||
|
drop
|
||
|
getattr
|
||
|
setattr
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for pointer and keyboard access vectors.
|
||
|
#
|
||
|
|
||
|
common x_device
|
||
|
{
|
||
|
getattr
|
||
|
setattr
|
||
|
use
|
||
|
read
|
||
|
write
|
||
|
getfocus
|
||
|
setfocus
|
||
|
bell
|
||
|
force_cursor
|
||
|
freeze
|
||
|
grab
|
||
|
manage
|
||
|
list_property
|
||
|
get_property
|
||
|
set_property
|
||
|
add
|
||
|
remove
|
||
|
create
|
||
|
destroy
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vectors.
|
||
|
#
|
||
|
# class class_name [ inherits common_name ] { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for file-related objects.
|
||
|
#
|
||
|
|
||
|
class filesystem
|
||
|
{
|
||
|
mount
|
||
|
remount
|
||
|
unmount
|
||
|
getattr
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
transition
|
||
|
associate
|
||
|
quotamod
|
||
|
quotaget
|
||
|
}
|
||
|
|
||
|
class dir
|
||
|
inherits file
|
||
|
{
|
||
|
add_name
|
||
|
remove_name
|
||
|
reparent
|
||
|
search
|
||
|
rmdir
|
||
|
open
|
||
|
audit_access
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class file
|
||
|
inherits file
|
||
|
{
|
||
|
execute_no_trans
|
||
|
entrypoint
|
||
|
execmod
|
||
|
open
|
||
|
audit_access
|
||
|
}
|
||
|
|
||
|
class lnk_file
|
||
|
inherits file
|
||
|
{
|
||
|
open
|
||
|
audit_access
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class chr_file
|
||
|
inherits file
|
||
|
{
|
||
|
execute_no_trans
|
||
|
entrypoint
|
||
|
execmod
|
||
|
open
|
||
|
audit_access
|
||
|
}
|
||
|
|
||
|
class blk_file
|
||
|
inherits file
|
||
|
{
|
||
|
open
|
||
|
audit_access
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class sock_file
|
||
|
inherits file
|
||
|
{
|
||
|
open
|
||
|
audit_access
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class fifo_file
|
||
|
inherits file
|
||
|
{
|
||
|
open
|
||
|
audit_access
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class fd
|
||
|
{
|
||
|
use
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for network-related objects.
|
||
|
#
|
||
|
|
||
|
class socket
|
||
|
inherits socket
|
||
|
|
||
|
class tcp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
node_bind
|
||
|
name_connect
|
||
|
}
|
||
|
|
||
|
class udp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
node_bind
|
||
|
}
|
||
|
|
||
|
class rawip_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
node_bind
|
||
|
}
|
||
|
|
||
|
class node
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
enforce_dest
|
||
|
dccp_recv
|
||
|
dccp_send
|
||
|
recvfrom
|
||
|
sendto
|
||
|
}
|
||
|
|
||
|
class netif
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
dccp_recv
|
||
|
dccp_send
|
||
|
ingress
|
||
|
egress
|
||
|
}
|
||
|
|
||
|
class netlink_socket
|
||
|
inherits socket
|
||
|
|
||
|
class packet_socket
|
||
|
inherits socket
|
||
|
|
||
|
class key_socket
|
||
|
inherits socket
|
||
|
|
||
|
class unix_stream_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
}
|
||
|
|
||
|
class unix_dgram_socket
|
||
|
inherits socket
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for process-related objects
|
||
|
#
|
||
|
|
||
|
class process
|
||
|
{
|
||
|
fork
|
||
|
transition
|
||
|
sigchld # commonly granted from child to parent
|
||
|
sigkill # cannot be caught or ignored
|
||
|
sigstop # cannot be caught or ignored
|
||
|
signull # for kill(pid, 0)
|
||
|
signal # all other signals
|
||
|
ptrace
|
||
|
getsched
|
||
|
setsched
|
||
|
getsession
|
||
|
getpgid
|
||
|
setpgid
|
||
|
getcap
|
||
|
setcap
|
||
|
share
|
||
|
getattr
|
||
|
setexec
|
||
|
setfscreate
|
||
|
noatsecure
|
||
|
siginh
|
||
|
setrlimit
|
||
|
rlimitinh
|
||
|
dyntransition
|
||
|
setcurrent
|
||
|
execmem
|
||
|
execstack
|
||
|
execheap
|
||
|
setkeycreate
|
||
|
setsockcreate
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for ipc-related objects
|
||
|
#
|
||
|
|
||
|
class ipc
|
||
|
inherits ipc
|
||
|
|
||
|
class sem
|
||
|
inherits ipc
|
||
|
|
||
|
class msgq
|
||
|
inherits ipc
|
||
|
{
|
||
|
enqueue
|
||
|
}
|
||
|
|
||
|
class msg
|
||
|
{
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class shm
|
||
|
inherits ipc
|
||
|
{
|
||
|
lock
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for the security server.
|
||
|
#
|
||
|
|
||
|
class security
|
||
|
{
|
||
|
compute_av
|
||
|
compute_create
|
||
|
compute_member
|
||
|
check_context
|
||
|
load_policy
|
||
|
compute_relabel
|
||
|
compute_user
|
||
|
setenforce # was avc_toggle in system class
|
||
|
setbool
|
||
|
setsecparam
|
||
|
setcheckreqprot
|
||
|
read_policy
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for system operations.
|
||
|
#
|
||
|
|
||
|
class system
|
||
|
{
|
||
|
ipc_info
|
||
|
syslog_read
|
||
|
syslog_mod
|
||
|
syslog_console
|
||
|
module_request
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controling capabilies
|
||
|
#
|
||
|
|
||
|
class capability
|
||
|
{
|
||
|
# The capabilities are defined in include/linux/capability.h
|
||
|
# Capabilities >= 32 are defined in the capability2 class.
|
||
|
# Care should be taken to ensure that these are consistent with
|
||
|
# those definitions. (Order matters)
|
||
|
|
||
|
chown
|
||
|
dac_override
|
||
|
dac_read_search
|
||
|
fowner
|
||
|
fsetid
|
||
|
kill
|
||
|
setgid
|
||
|
setuid
|
||
|
setpcap
|
||
|
linux_immutable
|
||
|
net_bind_service
|
||
|
net_broadcast
|
||
|
net_admin
|
||
|
net_raw
|
||
|
ipc_lock
|
||
|
ipc_owner
|
||
|
sys_module
|
||
|
sys_rawio
|
||
|
sys_chroot
|
||
|
sys_ptrace
|
||
|
sys_pacct
|
||
|
sys_admin
|
||
|
sys_boot
|
||
|
sys_nice
|
||
|
sys_resource
|
||
|
sys_time
|
||
|
sys_tty_config
|
||
|
mknod
|
||
|
lease
|
||
|
audit_write
|
||
|
audit_control
|
||
|
setfcap
|
||
|
}
|
||
|
|
||
|
class capability2
|
||
|
{
|
||
|
mac_override # unused by SELinux
|
||
|
mac_admin # unused by SELinux
|
||
|
syslog
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# changes to passwd information.
|
||
|
#
|
||
|
class passwd
|
||
|
{
|
||
|
passwd # change another user passwd
|
||
|
chfn # change another user finger info
|
||
|
chsh # change another user shell
|
||
|
rootok # pam_rootok check (skip auth)
|
||
|
crontab # crontab on another user
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# SE-X Windows stuff
|
||
|
#
|
||
|
class x_drawable
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
read
|
||
|
write
|
||
|
blend
|
||
|
getattr
|
||
|
setattr
|
||
|
list_child
|
||
|
add_child
|
||
|
remove_child
|
||
|
list_property
|
||
|
get_property
|
||
|
set_property
|
||
|
manage
|
||
|
override
|
||
|
show
|
||
|
hide
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class x_screen
|
||
|
{
|
||
|
getattr
|
||
|
setattr
|
||
|
hide_cursor
|
||
|
show_cursor
|
||
|
saver_getattr
|
||
|
saver_setattr
|
||
|
saver_hide
|
||
|
saver_show
|
||
|
}
|
||
|
|
||
|
class x_gc
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
getattr
|
||
|
setattr
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class x_font
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
getattr
|
||
|
add_glyph
|
||
|
remove_glyph
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class x_colormap
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
read
|
||
|
write
|
||
|
getattr
|
||
|
add_color
|
||
|
remove_color
|
||
|
install
|
||
|
uninstall
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class x_property
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
read
|
||
|
write
|
||
|
append
|
||
|
getattr
|
||
|
setattr
|
||
|
}
|
||
|
|
||
|
class x_selection
|
||
|
{
|
||
|
read
|
||
|
write
|
||
|
getattr
|
||
|
setattr
|
||
|
}
|
||
|
|
||
|
class x_cursor
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
read
|
||
|
write
|
||
|
getattr
|
||
|
setattr
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class x_client
|
||
|
{
|
||
|
destroy
|
||
|
getattr
|
||
|
setattr
|
||
|
manage
|
||
|
}
|
||
|
|
||
|
class x_device
|
||
|
inherits x_device
|
||
|
|
||
|
class x_server
|
||
|
{
|
||
|
getattr
|
||
|
setattr
|
||
|
record
|
||
|
debug
|
||
|
grab
|
||
|
manage
|
||
|
}
|
||
|
|
||
|
class x_extension
|
||
|
{
|
||
|
query
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class x_resource
|
||
|
{
|
||
|
read
|
||
|
write
|
||
|
}
|
||
|
|
||
|
class x_event
|
||
|
{
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class x_synthetic_event
|
||
|
{
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Extended Netlink classes
|
||
|
#
|
||
|
class netlink_route_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_firewall_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_tcpdiag_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_nflog_socket
|
||
|
inherits socket
|
||
|
|
||
|
class netlink_xfrm_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_selinux_socket
|
||
|
inherits socket
|
||
|
|
||
|
class netlink_audit_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
nlmsg_relay
|
||
|
nlmsg_readpriv
|
||
|
nlmsg_tty_audit
|
||
|
}
|
||
|
|
||
|
class netlink_ip6fw_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_dnrt_socket
|
||
|
inherits socket
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access and communication through the D-BUS messaging
|
||
|
# system.
|
||
|
#
|
||
|
class dbus
|
||
|
{
|
||
|
acquire_svc
|
||
|
send_msg
|
||
|
}
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access through the name service cache daemon (nscd).
|
||
|
#
|
||
|
class nscd
|
||
|
{
|
||
|
getpwd
|
||
|
getgrp
|
||
|
gethost
|
||
|
getstat
|
||
|
admin
|
||
|
shmempwd
|
||
|
shmemgrp
|
||
|
shmemhost
|
||
|
getserv
|
||
|
shmemserv
|
||
|
}
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access to IPSec network data by association
|
||
|
#
|
||
|
class association
|
||
|
{
|
||
|
sendto
|
||
|
recvfrom
|
||
|
setcontext
|
||
|
polmatch
|
||
|
}
|
||
|
|
||
|
# Updated Netlink class for KOBJECT_UEVENT family.
|
||
|
class netlink_kobject_uevent_socket
|
||
|
inherits socket
|
||
|
|
||
|
class appletalk_socket
|
||
|
inherits socket
|
||
|
|
||
|
class packet
|
||
|
{
|
||
|
send
|
||
|
recv
|
||
|
relabelto
|
||
|
flow_in # deprecated
|
||
|
flow_out # deprecated
|
||
|
forward_in
|
||
|
forward_out
|
||
|
}
|
||
|
|
||
|
class key
|
||
|
{
|
||
|
view
|
||
|
read
|
||
|
write
|
||
|
search
|
||
|
link
|
||
|
setattr
|
||
|
create
|
||
|
}
|
||
|
|
||
|
class context
|
||
|
{
|
||
|
translate
|
||
|
contains
|
||
|
}
|
||
|
|
||
|
class dccp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
node_bind
|
||
|
name_connect
|
||
|
}
|
||
|
|
||
|
class memprotect
|
||
|
{
|
||
|
mmap_zero
|
||
|
}
|
||
|
|
||
|
class db_database
|
||
|
inherits database
|
||
|
{
|
||
|
access
|
||
|
install_module
|
||
|
load_module
|
||
|
get_param # deprecated
|
||
|
set_param # deprecated
|
||
|
}
|
||
|
|
||
|
class db_table
|
||
|
inherits database
|
||
|
{
|
||
|
use # deprecated
|
||
|
select
|
||
|
update
|
||
|
insert
|
||
|
delete
|
||
|
lock
|
||
|
}
|
||
|
|
||
|
class db_procedure
|
||
|
inherits database
|
||
|
{
|
||
|
execute
|
||
|
entrypoint
|
||
|
install
|
||
|
}
|
||
|
|
||
|
class db_column
|
||
|
inherits database
|
||
|
{
|
||
|
use # deprecated
|
||
|
select
|
||
|
update
|
||
|
insert
|
||
|
}
|
||
|
|
||
|
class db_tuple
|
||
|
{
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
use # deprecated
|
||
|
select
|
||
|
update
|
||
|
insert
|
||
|
delete
|
||
|
}
|
||
|
|
||
|
class db_blob
|
||
|
inherits database
|
||
|
{
|
||
|
read
|
||
|
write
|
||
|
import
|
||
|
export
|
||
|
}
|
||
|
|
||
|
# network peer labels
|
||
|
class peer
|
||
|
{
|
||
|
recv
|
||
|
}
|
||
|
|
||
|
class x_application_data
|
||
|
{
|
||
|
paste
|
||
|
paste_after_confirm
|
||
|
copy
|
||
|
}
|
||
|
|
||
|
class kernel_service
|
||
|
{
|
||
|
use_as_override
|
||
|
create_files_as
|
||
|
}
|
||
|
|
||
|
class tun_socket
|
||
|
inherits socket
|
||
|
|
||
|
class x_pointer
|
||
|
inherits x_device
|
||
|
|
||
|
class x_keyboard
|
||
|
inherits x_device
|
||
|
|
||
|
class db_schema
|
||
|
inherits database
|
||
|
{
|
||
|
search
|
||
|
add_name
|
||
|
remove_name
|
||
|
}
|
||
|
|
||
|
class db_view
|
||
|
inherits database
|
||
|
{
|
||
|
expand
|
||
|
}
|
||
|
|
||
|
class db_sequence
|
||
|
inherits database
|
||
|
{
|
||
|
get_value
|
||
|
next_value
|
||
|
set_value
|
||
|
}
|
||
|
|
||
|
class db_language
|
||
|
inherits database
|
||
|
{
|
||
|
implement
|
||
|
execute
|
||
|
}
|
||
|
|
||
|
class binder
|
||
|
{
|
||
|
impersonate
|
||
|
call
|
||
|
set_context_mgr
|
||
|
transfer
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class zygote
|
||
|
{
|
||
|
specifyids
|
||
|
specifyrlimits
|
||
|
specifycapabilities
|
||
|
specifyinvokewith
|
||
|
specifyseinfo
|
||
|
}
|