SE Android policy.
diff --git a/access_vectors b/access_vectors
new file mode 100644
index 0000000..90927e7
--- /dev/null
+++ b/access_vectors
@@ -0,0 +1,882 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+ receive
+}
+
+class zygote
+{
+ specifyids
+ specifyrlimits
+ specifycapabilities
+ specifyinvokewith
+ specifyseinfo
+}