Blame - access_vectors - fp2-dev/platform/external/sepolicy

blob: 4b0c4b1939e39aa0877e87cafda77fad523bb1b0 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	#
				2	# Define common prefixes for access vectors
				3	#
				4	# common common_name { permission_name ... }
				5
				6
				7	#
				8	# Define a common prefix for file access vectors.
				9	#
				10
				11	common file
				12	{
				13	ioctl
				14	read
				15	write
				16	create
				17	getattr
				18	setattr
				19	lock
				20	relabelfrom
				21	relabelto
				22	append
				23	unlink
				24	link
				25	rename
				26	execute
				27	swapon
				28	quotaon
				29	mounton
				30	}
				31
				32
				33	#
				34	# Define a common prefix for socket access vectors.
				35	#
				36
				37	common socket
				38	{
				39	# inherited from file
				40	ioctl
				41	read
				42	write
				43	create
				44	getattr
				45	setattr
				46	lock
				47	relabelfrom
				48	relabelto
				49	append
				50	# socket-specific
				51	bind
				52	connect
				53	listen
				54	accept
				55	getopt
				56	setopt
				57	shutdown
				58	recvfrom
				59	sendto
				60	recv_msg
				61	send_msg
				62	name_bind
				63	}
				64
				65	#
				66	# Define a common prefix for ipc access vectors.
				67	#
				68
				69	common ipc
				70	{
				71	create
				72	destroy
				73	getattr
				74	setattr
				75	read
				76	write
				77	associate
				78	unix_read
				79	unix_write
				80	}
				81
				82	#
				83	# Define a common prefix for userspace database object access vectors.
				84	#
				85
				86	common database
				87	{
				88	create
				89	drop
				90	getattr
				91	setattr
				92	relabelfrom
				93	relabelto
				94	}
				95
				96	#
				97	# Define a common prefix for pointer and keyboard access vectors.
				98	#
				99
				100	common x_device
				101	{
				102	getattr
				103	setattr
				104	use
				105	read
				106	write
				107	getfocus
				108	setfocus
				109	bell
				110	force_cursor
				111	freeze
				112	grab
				113	manage
				114	list_property
				115	get_property
				116	set_property
				117	add
				118	remove
				119	create
				120	destroy
				121	}
				122
				123	#
				124	# Define the access vectors.
				125	#
				126	# class class_name [ inherits common_name ] { permission_name ... }
				127
				128
				129	#
				130	# Define the access vector interpretation for file-related objects.
				131	#
				132
				133	class filesystem
				134	{
				135	mount
				136	remount
				137	unmount
				138	getattr
				139	relabelfrom
				140	relabelto
				141	transition
				142	associate
				143	quotamod
				144	quotaget
				145	}
				146
				147	class dir
				148	inherits file
				149	{
				150	add_name
				151	remove_name
				152	reparent
				153	search
				154	rmdir
				155	open
				156	audit_access
				157	execmod
				158	}
				159
				160	class file
				161	inherits file
				162	{
				163	execute_no_trans
				164	entrypoint
				165	execmod
				166	open
				167	audit_access
				168	}
				169
				170	class lnk_file
				171	inherits file
				172	{
				173	open
				174	audit_access
				175	execmod
				176	}
				177
				178	class chr_file
				179	inherits file
				180	{
				181	execute_no_trans
				182	entrypoint
				183	execmod
				184	open
				185	audit_access
				186	}
				187
				188	class blk_file
				189	inherits file
				190	{
				191	open
				192	audit_access
				193	execmod
				194	}
				195
				196	class sock_file
				197	inherits file
				198	{
				199	open
				200	audit_access
				201	execmod
				202	}
				203
				204	class fifo_file
				205	inherits file
				206	{
				207	open
				208	audit_access
				209	execmod
				210	}
				211
				212	class fd
				213	{
				214	use
				215	}
				216
				217
				218	#
				219	# Define the access vector interpretation for network-related objects.
				220	#
				221
				222	class socket
				223	inherits socket
				224
				225	class tcp_socket
				226	inherits socket
				227	{
				228	connectto
				229	newconn
				230	acceptfrom
				231	node_bind
				232	name_connect
				233	}
				234
				235	class udp_socket
				236	inherits socket
				237	{
				238	node_bind
				239	}
				240
				241	class rawip_socket
				242	inherits socket
				243	{
				244	node_bind
				245	}
				246
				247	class node
				248	{
				249	tcp_recv
				250	tcp_send
				251	udp_recv
				252	udp_send
				253	rawip_recv
				254	rawip_send
				255	enforce_dest
				256	dccp_recv
				257	dccp_send
				258	recvfrom
				259	sendto
				260	}
				261
				262	class netif
				263	{
				264	tcp_recv
				265	tcp_send
				266	udp_recv
				267	udp_send
				268	rawip_recv
				269	rawip_send
				270	dccp_recv
				271	dccp_send
				272	ingress
				273	egress
				274	}
				275
				276	class netlink_socket
				277	inherits socket
				278
				279	class packet_socket
				280	inherits socket
				281
				282	class key_socket
				283	inherits socket
				284
				285	class unix_stream_socket
				286	inherits socket
				287	{
				288	connectto
				289	newconn
				290	acceptfrom
				291	}
				292
				293	class unix_dgram_socket
				294	inherits socket
				295
				296	#
				297	# Define the access vector interpretation for process-related objects
				298	#
				299
				300	class process
				301	{
				302	fork
				303	transition
				304	sigchld # commonly granted from child to parent
				305	sigkill # cannot be caught or ignored
				306	sigstop # cannot be caught or ignored
				307	signull # for kill(pid, 0)
				308	signal # all other signals
				309	ptrace
				310	getsched
				311	setsched
				312	getsession
				313	getpgid
				314	setpgid
				315	getcap
				316	setcap
				317	share
				318	getattr
				319	setexec
				320	setfscreate
				321	noatsecure
				322	siginh
				323	setrlimit
				324	rlimitinh
				325	dyntransition
				326	setcurrent
				327	execmem
				328	execstack
				329	execheap
				330	setkeycreate
				331	setsockcreate
				332	}
				333
				334
				335	#
				336	# Define the access vector interpretation for ipc-related objects
				337	#
				338
				339	class ipc
				340	inherits ipc
				341
				342	class sem
				343	inherits ipc
				344
				345	class msgq
				346	inherits ipc
				347	{
				348	enqueue
				349	}
				350
				351	class msg
				352	{
				353	send
				354	receive
				355	}
				356
				357	class shm
				358	inherits ipc
				359	{
				360	lock
				361	}
				362
				363
				364	#
				365	# Define the access vector interpretation for the security server.
				366	#
				367
				368	class security
				369	{
				370	compute_av
				371	compute_create
				372	compute_member
				373	check_context
				374	load_policy
				375	compute_relabel
				376	compute_user
				377	setenforce # was avc_toggle in system class
				378	setbool
				379	setsecparam
				380	setcheckreqprot
				381	read_policy
				382	}
				383
				384
				385	#
				386	# Define the access vector interpretation for system operations.
				387	#
				388
				389	class system
				390	{
				391	ipc_info
				392	syslog_read
				393	syslog_mod
				394	syslog_console
				395	module_request
				396	}
				397
				398	#
				399	# Define the access vector interpretation for controling capabilies
				400	#
				401
				402	class capability
				403	{
				404	# The capabilities are defined in include/linux/capability.h
				405	# Capabilities >= 32 are defined in the capability2 class.
				406	# Care should be taken to ensure that these are consistent with
				407	# those definitions. (Order matters)
				408
				409	chown
				410	dac_override
				411	dac_read_search
				412	fowner
				413	fsetid
				414	kill
				415	setgid
				416	setuid
				417	setpcap
				418	linux_immutable
				419	net_bind_service
				420	net_broadcast
				421	net_admin
				422	net_raw
				423	ipc_lock
				424	ipc_owner
				425	sys_module
				426	sys_rawio
				427	sys_chroot
				428	sys_ptrace
				429	sys_pacct
				430	sys_admin
				431	sys_boot
				432	sys_nice
				433	sys_resource
				434	sys_time
				435	sys_tty_config
				436	mknod
				437	lease
				438	audit_write
				439	audit_control
				440	setfcap
				441	}
				442
				443	class capability2
				444	{
				445	mac_override # unused by SELinux
				446	mac_admin # unused by SELinux
				447	syslog
				448	}
				449
				450	#
				451	# Define the access vector interpretation for controlling
				452	# changes to passwd information.
				453	#
				454	class passwd
				455	{
				456	passwd # change another user passwd
				457	chfn # change another user finger info
				458	chsh # change another user shell
				459	rootok # pam_rootok check (skip auth)
				460	crontab # crontab on another user
				461	}
				462
				463	#
				464	# SE-X Windows stuff
				465	#
				466	class x_drawable
				467	{
				468	create
				469	destroy
				470	read
				471	write
				472	blend
				473	getattr
				474	setattr
				475	list_child
				476	add_child
				477	remove_child
				478	list_property
				479	get_property
				480	set_property
				481	manage
				482	override
				483	show
				484	hide
				485	send
				486	receive
				487	}
				488
				489	class x_screen
				490	{
				491	getattr
				492	setattr
				493	hide_cursor
				494	show_cursor
				495	saver_getattr
				496	saver_setattr
				497	saver_hide
				498	saver_show
				499	}
				500
				501	class x_gc
				502	{
				503	create
				504	destroy
				505	getattr
				506	setattr
				507	use
				508	}
				509
				510	class x_font
				511	{
				512	create
				513	destroy
				514	getattr
				515	add_glyph
				516	remove_glyph
				517	use
				518	}
				519
				520	class x_colormap
				521	{
				522	create
				523	destroy
				524	read
				525	write
				526	getattr
				527	add_color
				528	remove_color
				529	install
				530	uninstall
				531	use
				532	}
				533
				534	class x_property
				535	{
				536	create
				537	destroy
				538	read
				539	write
				540	append
				541	getattr
				542	setattr
				543	}
				544
				545	class x_selection
				546	{
				547	read
				548	write
				549	getattr
				550	setattr
				551	}
				552
				553	class x_cursor
				554	{
				555	create
				556	destroy
				557	read
				558	write
				559	getattr
				560	setattr
				561	use
				562	}
				563
				564	class x_client
				565	{
				566	destroy
				567	getattr
				568	setattr
				569	manage
				570	}
				571
				572	class x_device
				573	inherits x_device
				574
				575	class x_server
				576	{
				577	getattr
				578	setattr
				579	record
				580	debug
				581	grab
				582	manage
				583	}
				584
				585	class x_extension
				586	{
				587	query
				588	use
				589	}
				590
				591	class x_resource
				592	{
				593	read
				594	write
				595	}
				596
				597	class x_event
				598	{
				599	send
				600	receive
				601	}
				602
				603	class x_synthetic_event
				604	{
				605	send
				606	receive
				607	}
				608
				609	#
				610	# Extended Netlink classes
				611	#
				612	class netlink_route_socket
				613	inherits socket
				614	{
				615	nlmsg_read
				616	nlmsg_write
				617	}
				618
				619	class netlink_firewall_socket
				620	inherits socket
				621	{
				622	nlmsg_read
				623	nlmsg_write
				624	}
				625
				626	class netlink_tcpdiag_socket
				627	inherits socket
				628	{
				629	nlmsg_read
				630	nlmsg_write
				631	}
				632
				633	class netlink_nflog_socket
				634	inherits socket
				635
				636	class netlink_xfrm_socket
				637	inherits socket
				638	{
				639	nlmsg_read
				640	nlmsg_write
				641	}
				642
				643	class netlink_selinux_socket
				644	inherits socket
				645
				646	class netlink_audit_socket
				647	inherits socket
				648	{
				649	nlmsg_read
				650	nlmsg_write
				651	nlmsg_relay
				652	nlmsg_readpriv
				653	nlmsg_tty_audit
				654	}
				655
				656	class netlink_ip6fw_socket
				657	inherits socket
				658	{
				659	nlmsg_read
				660	nlmsg_write
				661	}
				662
				663	class netlink_dnrt_socket
				664	inherits socket
				665
				666	# Define the access vector interpretation for controlling
				667	# access and communication through the D-BUS messaging
				668	# system.
				669	#
				670	class dbus
				671	{
				672	acquire_svc
				673	send_msg
				674	}
				675
				676	# Define the access vector interpretation for controlling
				677	# access through the name service cache daemon (nscd).
				678	#
				679	class nscd
				680	{
				681	getpwd
				682	getgrp
				683	gethost
				684	getstat
				685	admin
				686	shmempwd
				687	shmemgrp
				688	shmemhost
				689	getserv
				690	shmemserv
				691	}
				692
				693	# Define the access vector interpretation for controlling
				694	# access to IPSec network data by association
				695	#
				696	class association
				697	{
				698	sendto
				699	recvfrom
				700	setcontext
				701	polmatch
				702	}
				703
				704	# Updated Netlink class for KOBJECT_UEVENT family.
				705	class netlink_kobject_uevent_socket
				706	inherits socket
				707
				708	class appletalk_socket
				709	inherits socket
				710
				711	class packet
				712	{
				713	send
				714	recv
				715	relabelto
				716	flow_in # deprecated
				717	flow_out # deprecated
				718	forward_in
				719	forward_out
				720	}
				721
				722	class key
				723	{
				724	view
				725	read
				726	write
				727	search
				728	link
				729	setattr
				730	create
				731	}
				732
				733	class context
				734	{
				735	translate
				736	contains
				737	}
				738
				739	class dccp_socket
				740	inherits socket
				741	{
				742	node_bind
				743	name_connect
				744	}
				745
				746	class memprotect
				747	{
				748	mmap_zero
				749	}
				750
				751	class db_database
				752	inherits database
				753	{
				754	access
				755	install_module
				756	load_module
				757	get_param # deprecated
				758	set_param # deprecated
				759	}
				760
				761	class db_table
				762	inherits database
				763	{
				764	use # deprecated
				765	select
				766	update
				767	insert
				768	delete
				769	lock
				770	}
				771
				772	class db_procedure
				773	inherits database
				774	{
				775	execute
				776	entrypoint
				777	install
				778	}
				779
				780	class db_column
				781	inherits database
				782	{
				783	use # deprecated
				784	select
				785	update
				786	insert
				787	}
				788
				789	class db_tuple
				790	{
				791	relabelfrom
				792	relabelto
				793	use # deprecated
				794	select
				795	update
				796	insert
				797	delete
				798	}
				799
				800	class db_blob
				801	inherits database
				802	{
				803	read
				804	write
				805	import
				806	export
				807	}
				808
				809	# network peer labels
				810	class peer
				811	{
				812	recv
				813	}
				814
				815	class x_application_data
				816	{
				817	paste
				818	paste_after_confirm
				819	copy
				820	}
				821
				822	class kernel_service
				823	{
				824	use_as_override
				825	create_files_as
				826	}
				827
				828	class tun_socket
				829	inherits socket
				830
				831	class x_pointer
				832	inherits x_device
				833
				834	class x_keyboard
				835	inherits x_device
				836
				837	class db_schema
				838	inherits database
				839	{
				840	search
				841	add_name
				842	remove_name
				843	}
				844
				845	class db_view
				846	inherits database
				847	{
				848	expand
				849	}
				850
				851	class db_sequence
				852	inherits database
				853	{
				854	get_value
				855	next_value
				856	set_value
				857	}
				858
				859	class db_language
				860	inherits database
				861	{
				862	implement
				863	execute
				864	}
				865
				866	class binder
				867	{
				868	impersonate
				869	call
				870	set_context_mgr
				871	transfer
				872	receive
				873	}
				874
				875	class zygote
				876	{
				877	specifyids
				878	specifyrlimits
				879	specifycapabilities
				880	specifyinvokewith
				881	specifyseinfo
				882	}
Stephen Smalley	124720a	2012-04-04 10:11:16 -0400	[diff] [blame]	883
				884	class property_service
				885	{
				886	set
				887	}