access_vectors

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
	unlink
	link
	rename
	execute
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	map
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	name_bind
}

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define a common for capability access vectors.
#
common cap
{
	# The capabilities are defined in include/linux/capability.h
	# Capabilities >= 32 are defined in the cap2 common.
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	setpcap
	linux_immutable
	net_bind_service
	net_broadcast
	net_admin
	net_raw
	ipc_lock
	ipc_owner
	sys_module
	sys_rawio
	sys_chroot
	sys_ptrace
	sys_pacct
	sys_admin
	sys_boot
	sys_nice
	sys_resource
	sys_time
	sys_tty_config
	mknod
	lease
	audit_write
	audit_control
	setfcap
}

common cap2
{
	mac_override	# unused by SELinux
	mac_admin	# unused by SELinux
	syslog
	wake_alarm
	block_suspend
	audit_read
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	open
	audit_access
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class lnk_file
inherits file
{
	open
	audit_access
	execmod
}

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
	open
	audit_access
}

class blk_file
inherits file
{
	open
	audit_access
	execmod
}

class sock_file
inherits file
{
	open
	audit_access
	execmod
}

class fifo_file
inherits file
{
	open
	audit_access
	execmod
}

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	node_bind
	name_connect
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node
{
	recvfrom
	sendto
}

class netif
{
	ingress
	egress
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
}

class unix_dgram_socket
inherits socket

#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
	execstack
	execheap
	setkeycreate
	setsockcreate
	getrlimit
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server.
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
	read_policy
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read
	syslog_mod
	syslog_console
	module_request
	module_load
}

#
# Define the access vector interpretation for controlling capabilities
#

class capability
inherits cap

class capability2
inherits cap2

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
	nlmsg_relay
	nlmsg_readpriv
	nlmsg_tty_audit
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
	sendto
	recvfrom
	setcontext
	polmatch
}

# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket

class appletalk_socket
inherits socket

class packet
{
	send
	recv
	relabelto
	flow_in		# deprecated
	flow_out	# deprecated
	forward_in
	forward_out
}

class key
{
	view
	read
	write
	search
	link
	setattr
	create
}

class dccp_socket
inherits socket
{
	node_bind
	name_connect
}

class memprotect
{
	mmap_zero
}

# network peer labels
class peer
{
	recv
}

class kernel_service
{
	use_as_override
	create_files_as
}

class tun_socket
inherits socket
{
	attach_queue
}

class binder
{
	impersonate
	call
	set_context_mgr
	transfer
}

class netlink_iscsi_socket
inherits socket

class netlink_fib_lookup_socket
inherits socket

class netlink_connector_socket
inherits socket

class netlink_netfilter_socket
inherits socket

class netlink_generic_socket
inherits socket

class netlink_scsitransport_socket
inherits socket

class netlink_rdma_socket
inherits socket

class netlink_crypto_socket
inherits socket

#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#

class cap_userns
inherits cap

class cap2_userns
inherits cap2


#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#

#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
	node_bind
}

class icmp_socket
inherits socket
{
	node_bind
}

#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#

class ax25_socket
inherits socket

class ipx_socket
inherits socket

class netrom_socket
inherits socket

class atmpvc_socket
inherits socket

class x25_socket
inherits socket

class rose_socket
inherits socket

class decnet_socket
inherits socket

class atmsvc_socket
inherits socket

class rds_socket
inherits socket

class irda_socket
inherits socket

class pppox_socket
inherits socket

class llc_socket
inherits socket

class can_socket
inherits socket

class tipc_socket
inherits socket

class bluetooth_socket
inherits socket

class iucv_socket
inherits socket

class rxrpc_socket
inherits socket

class isdn_socket
inherits socket

class phonet_socket
inherits socket

class ieee802154_socket
inherits socket

class caif_socket
inherits socket

class alg_socket
inherits socket

class nfc_socket
inherits socket

class vsock_socket
inherits socket

class kcm_socket
inherits socket

class qipcrtr_socket
inherits socket

class smc_socket
inherits socket

class property_service
{
	set
}

class service_manager
{
	add
	find
	list
}

class keystore_key
{
	get_state
	get
	insert
	delete
	exist
	list
	reset
	password
	lock
	unlock
	is_empty
	sign
	verify
	grant
	duplicate
	clear_uid
	add_auth
	user_changed
}

class drmservice {
	consumeRights
	setPlaybackStatus
	openDecryptSession
	closeDecryptSession
	initializeDecryptUnit
	decrypt
	finalizeDecryptUnit
	pread
}