  • access_vectors 8.94 KiB
    #
    # Define common prefixes for access vectors
    #
    # common common_name { permission_name ... }
    
    
    #
    # Define a common prefix for file access vectors.
    #
    
    # Shared by all file-like classes below: dir, file, lnk_file, chr_file,
    # blk_file, sock_file and fifo_file each declare `inherits file`.
    common file
    {
    	ioctl
    	read
    	write
    	create
    	getattr
    	setattr
    	lock
    	relabelfrom	# checked against the object's current label on relabel
    	relabelto	# checked against the new label on relabel
    	append
    	unlink
    	link
    	rename
    	execute
    	swapon
    	quotaon
    	mounton
    }
    
    
    #
    # Define a common prefix for socket access vectors.
    #
    
    # Inherited by every *_socket class in this file (socket, tcp_socket,
    # udp_socket, rawip_socket, the netlink_*_socket family, key_socket,
    # packet_socket, unix_stream_socket, unix_dgram_socket, appletalk_socket,
    # dccp_socket and tun_socket).
    common socket
    {
    # same names as the first ten permissions of the file prefix; they are
    # repeated here because the grammar at the top of the file allows
    # `inherits` only on a class, not on a common
    	ioctl
    	read
    	write
    	create
    	getattr
    	setattr
    	lock
    	relabelfrom
    	relabelto
    	append
    # socket-specific
    	bind
    	connect
    	listen
    	accept
    	getopt
    	setopt
    	shutdown
    	recvfrom
    	sendto
    	recv_msg
    	send_msg
    	name_bind
    }
    
    #
    # Define a common prefix for ipc access vectors.
    #
    
    # Inherited by the ipc, sem, msgq and shm classes below (the msg class
    # does not use this prefix).
    common ipc
    {
    	create
    	destroy
    	getattr
    	setattr
    	read
    	write
    	associate
    	unix_read
    	unix_write
    }
    
    #
    # Define a common prefix for userspace database object access vectors.
    #
    
    # Inherited by the db_* classes below; db_tuple is the one exception and
    # declares its own relabelfrom/relabelto instead of inheriting this set.
    common database
    {
    	create
    	drop
    	getattr
    	setattr
    	relabelfrom
    	relabelto
    }
    
    #
    # Define a common prefix for pointer and keyboard access vectors.
    #
    
    # Inherited by the x_device, x_pointer and x_keyboard classes below,
    # none of which add permissions of their own.
    common x_device
    {
    	getattr
    	setattr
    	use
    	read
    	write
    	getfocus
    	setfocus
    	bell
    	force_cursor
    	freeze
    	grab
    	manage
    	list_property
    	get_property
    	set_property
    	add
    	remove
    	create
    	destroy
    }
    
    #
    # Define the access vectors.
    #
    # class class_name [ inherits common_name ] [ { permission_name ... } ]
    
    
    #
    # Define the access vector interpretation for file-related objects.
    #
    
    # Whole-filesystem operations; this class does not take the file prefix.
    class filesystem
    {
    	mount
    	remount
    	unmount
    	getattr
    	relabelfrom
    	relabelto
    	transition
    	associate
    	quotamod
    	quotaget
    }
    
    # Adds directory name-space operations (add_name, remove_name, search,
    # rmdir, reparent) on top of the common file set.
    class dir
    inherits file
    {
    	add_name
    	remove_name
    	reparent
    	search
    	rmdir
    	open
    	audit_access
    	execmod
    }
    
    # execute_no_trans and entrypoint appear only here and on chr_file; every
    # other file-like class adds just open, audit_access and execmod.
    class file
    inherits file
    {
    	execute_no_trans
    	entrypoint
    	execmod
    	open
    	audit_access
    }
    
    class lnk_file
    inherits file
    {
    	open
    	audit_access
    	execmod
    }
    
    # Same additions as class file (see the note there).
    class chr_file
    inherits file
    {
    	execute_no_trans
    	entrypoint
    	execmod
    	open
    	audit_access
    }
    
    class blk_file
    inherits file
    {
    	open
    	audit_access
    	execmod
    }
    
    class sock_file
    inherits file
    {
    	open
    	audit_access
    	execmod
    }
    
    class fifo_file
    inherits file
    {
    	open
    	audit_access
    	execmod
    }
    
    # File descriptors stand apart from the file prefix: the only permission is use.
    class fd
    {
    	use
    }
    
    
    #
    # Define the access vector interpretation for network-related objects.
    #
    
    # Plain socket: nothing beyond the common socket set, so the body is
    # omitted (the same shorthand is used throughout this file).
    class socket
    inherits socket
    
    # Connection-oriented: connectto/newconn/acceptfrom are shared with
    # unix_stream_socket below; name_connect is shared with dccp_socket.
    class tcp_socket
    inherits socket
    {
    	connectto
    	newconn
    	acceptfrom
    	node_bind
    	name_connect
    }
    
    class udp_socket
    inherits socket
    {
    	node_bind
    }
    
    class rawip_socket
    inherits socket
    {
    	node_bind
    }
    
    # node and netif share the per-protocol recv/send pairs; node adds
    # enforce_dest, recvfrom and sendto, netif adds ingress and egress.
    class node
    {
    	tcp_recv
    	tcp_send
    	udp_recv
    	udp_send
    	rawip_recv
    	rawip_send
    	enforce_dest
    	dccp_recv
    	dccp_send
    	recvfrom
    	sendto
    }
    
    class netif
    {
    	tcp_recv
    	tcp_send
    	udp_recv
    	udp_send
    	rawip_recv
    	rawip_send
    	dccp_recv
    	dccp_send
    	ingress
    	egress
    }
    
    class netlink_socket
    inherits socket
    
    class packet_socket
    inherits socket
    
    class key_socket
    inherits socket
    
    # Same connection permissions as tcp_socket, without the node/name ones.
    class unix_stream_socket
    inherits socket
    {
    	connectto
    	newconn
    	acceptfrom
    }
    
    class unix_dgram_socket
    inherits socket
    
    #
    # Define the access vector interpretation for process-related objects
    #
    
    # NOTE(review): ptrace, dyntransition, setcurrent and the exec*
    # permissions (execmem, execstack, execheap) are the ones a hardened
    # policy grants most sparingly; every allow rule naming them deserves
    # an explicit justification.
    class process
    {
    	fork
    	transition # domain change on exec (paired with entrypoint on the executable, by convention)
    	sigchld # commonly granted from child to parent
    	sigkill # cannot be caught or ignored
    	sigstop # cannot be caught or ignored
    	signull # for kill(pid, 0)
    	signal  # all other signals
    	ptrace
    	getsched
    	setsched
    	getsession
    	getpgid
    	setpgid
    	getcap
    	setcap
    	share
    	getattr
    	setexec
    	setfscreate
    	noatsecure
    	siginh
    	setrlimit
    	rlimitinh
    	dyntransition # domain change without exec
    	setcurrent
    	execmem
    	execstack
    	execheap
    	setkeycreate
    	setsockcreate
    }
    
    
    #
    # Define the access vector interpretation for ipc-related objects
    #
    
    # ipc, sem, msgq and shm all inherit the common ipc set; msgq adds
    # enqueue and shm adds lock. msg (an individual message) stands alone.
    class ipc
    inherits ipc
    
    class sem
    inherits ipc
    
    class msgq
    inherits ipc
    {
    	enqueue
    }
    
    class msg
    {
    	send
    	receive
    }
    
    class shm
    inherits ipc
    {
    	lock
    }
    
    
    #
    # Define the access vector interpretation for the security server.
    #
    
    # NOTE(review): load_policy, setenforce, setbool and setcheckreqprot
    # change policy state for the whole system; any domain granted them
    # should be treated as policy-trusted and audited accordingly.
    class security
    {
    	compute_av
    	compute_create
    	compute_member
    	check_context
    	load_policy
    	compute_relabel
    	compute_user
    	setenforce     # was avc_toggle in system class
    	setbool
    	setsecparam
    	setcheckreqprot
    	read_policy
    }
    
    
    #
    # Define the access vector interpretation for system operations.
    #
    
    # System-wide operations that are not tied to a labeled object.
    class system
    {
    	ipc_info
    	syslog_read
    	syslog_mod
    	syslog_console
    	module_request
    }
    
    #
    # Define the access vector interpretation for controlling capabilities
    #
    
    class capability
    {
    	# The capabilities are defined in include/linux/capability.h
    	# Capabilities >= 32 are defined in the capability2 class.
    	# Care should be taken to ensure that these are consistent with
    	# those definitions. (Order matters)
    	#
    	# The 32 entries below correspond to capability bits 0-31 in
    	# order; append new ones to capability2, never in the middle here.
    
    	chown
    	dac_override
    	dac_read_search
    	fowner
    	fsetid
    	kill
    	setgid
    	setuid
    	setpcap
    	linux_immutable
    	net_bind_service
    	net_broadcast
    	net_admin
    	net_raw
    	ipc_lock
    	ipc_owner
    	sys_module
    	sys_rawio
    	sys_chroot
    	sys_ptrace
    	sys_pacct
    	sys_admin
    	sys_boot
    	sys_nice
    	sys_resource
    	sys_time
    	sys_tty_config
    	mknod
    	lease
    	audit_write
    	audit_control
    	setfcap
    }
    
    # Capability bits 32 and up, continuing the include/linux/capability.h
    # order; the ordering note on capability applies here as well.
    class capability2
    {
    	mac_override	# unused by SELinux
    	mac_admin	# unused by SELinux
    	syslog
    	wake_alarm
    	block_suspend
    }
    
    #
    # Define the access vector interpretation for controlling
    # changes to passwd information.
    #
    # NOTE(review): these permissions are consulted by userspace tools (the
    # inline comments name pam_rootok and crontab), not by the kernel;
    # confirm which object managers actually check them on this platform.
    class passwd
    {
    	passwd	# change another user passwd
    	chfn	# change another user finger info
    	chsh	# change another user shell
    	rootok  # pam_rootok check (skip auth)
    	crontab # crontab on another user
    }
    
    #
    # SE-X Windows object classes
    #
    # NOTE(review): the x_* classes are object-manager classes for the X
    # server's security extension; the checks are made by the X server
    # rather than the kernel — confirm against the X server build in use.
    class x_drawable
    {
    	create
    	destroy
    	read
    	write
    	blend
    	getattr
    	setattr
    	list_child
    	add_child
    	remove_child
    	list_property
    	get_property
    	set_property
    	manage
    	override
    	show
    	hide
    	send
    	receive
    }
    
    class x_screen
    {
    	getattr
    	setattr
    	hide_cursor
    	show_cursor
    	saver_getattr
    	saver_setattr
    	saver_hide
    	saver_show
    }
    
    class x_gc
    {
    	create
    	destroy
    	getattr
    	setattr
    	use
    }
    
    class x_font
    {
    	create
    	destroy
    	getattr
    	add_glyph
    	remove_glyph
    	use
    }
    
    class x_colormap
    {
    	create
    	destroy
    	read
    	write
    	getattr
    	add_color
    	remove_color
    	install
    	uninstall
    	use
    }
    
    class x_property
    {
    	create
    	destroy
    	read
    	write
    	append
    	getattr
    	setattr
    }
    
    class x_selection
    {
    	read
    	write
    	getattr
    	setattr
    }
    
    class x_cursor
    {
    	create
    	destroy
    	read
    	write
    	getattr
    	setattr
    	use
    }
    
    class x_client
    {
    	destroy
    	getattr
    	setattr
    	manage
    }
    
    # Takes the x_device common set without additions (as do x_pointer and
    # x_keyboard later in the file).
    class x_device
    inherits x_device
    
    class x_server
    {
    	getattr
    	setattr
    	record
    	debug
    	grab
    	manage
    }
    
    class x_extension
    {
    	query
    	use
    }
    
    class x_resource
    {
    	read
    	write
    }
    
    class x_event
    {
    	send
    	receive
    }
    
    # Same two permissions as x_event; the separate class lets policy treat
    # synthesized events differently from real ones (inferred from the name).
    class x_synthetic_event
    {
    	send
    	receive
    }
    
    #
    # Extended Netlink classes
    #
    # One class per netlink family. Most add nlmsg_read/nlmsg_write on top of
    # the common socket set; netlink_audit_socket also adds nlmsg_relay,
    # nlmsg_readpriv and nlmsg_tty_audit; netlink_nflog_socket,
    # netlink_selinux_socket and netlink_dnrt_socket add nothing.
    class netlink_route_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    }
    
    class netlink_firewall_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    }
    
    class netlink_tcpdiag_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    }
    
    class netlink_nflog_socket
    inherits socket
    
    class netlink_xfrm_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    }
    
    class netlink_selinux_socket
    inherits socket
    
    class netlink_audit_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    	nlmsg_relay
    	nlmsg_readpriv
    	nlmsg_tty_audit
    }
    
    class netlink_ip6fw_socket
    inherits socket
    {
    	nlmsg_read
    	nlmsg_write
    }
    
    class netlink_dnrt_socket
    inherits socket
    
    # Define the access vector interpretation for controlling
    # access and communication through the D-BUS messaging
    # system.
    #
    # Userspace class (see the comment above); the two permissions are checked
    # by the bus daemon, not the kernel — confirm against the daemon in use.
    class dbus
    {
    	acquire_svc
    	send_msg
    }
    
    # Define the access vector interpretation for controlling
    # access through the name service cache daemon (nscd).
    #
    # Userspace class (see the comment above). The get* names appear to gate
    # lookups and the shmem* names their shared-memory counterparts; inferred
    # from the names, confirm against nscd.
    class nscd
    {
    	getpwd
    	getgrp
    	gethost
    	getstat
    	admin
    	shmempwd
    	shmemgrp
    	shmemhost
    	getserv
    	shmemserv
    }
    
    # Define the access vector interpretation for controlling
    # access to IPSec network data by association
    #
    # Checked on IPSec security associations, per the comment above.
    class association
    {
    	sendto
    	recvfrom
    	setcontext
    	polmatch
    }
    
    # Updated Netlink class for KOBJECT_UEVENT family.
    class netlink_kobject_uevent_socket
    inherits socket
    
    class appletalk_socket
    inherits socket
    
    # flow_in/flow_out are kept in the list although deprecated, presumably so
    # existing policy that still names them continues to load.
    class packet
    {
    	send
    	recv
    	relabelto
    	flow_in		# deprecated
    	flow_out	# deprecated
    	forward_in
    	forward_out
    }
    
    class key
    {
    	view
    	read
    	write
    	search
    	link
    	setattr
    	create
    }
    
    class context
    {
    	translate
    	contains
    }
    
    # Mirrors udp_socket (node_bind) plus tcp_socket's name_connect.
    class dccp_socket
    inherits socket
    {
    	node_bind
    	name_connect
    }
    
    # Single permission, mmap_zero.
    class memprotect
    {
    	mmap_zero
    }
    
    # Userspace database classes; all but db_tuple inherit the database prefix.
    class db_database
    inherits database
    {
    	access
    	install_module
    	load_module
    	get_param	# deprecated
    	set_param	# deprecated
    }
    
    class db_table
    inherits database
    {
    	use		# deprecated
    	select
    	update
    	insert
    	delete
    	lock
    }
    
    class db_procedure
    inherits database
    {
    	execute
    	entrypoint
    	install
    }
    
    class db_column
    inherits database
    {
    	use		# deprecated
    	select
    	update
    	insert
    }
    
    # Unlike the other db_* classes, db_tuple does not inherit database: it
    # lists relabelfrom/relabelto directly and has no create/drop/getattr/setattr.
    class db_tuple
    {
    	relabelfrom
    	relabelto
    	use		# deprecated
    	select
    	update
    	insert
    	delete
    }
    
    class db_blob
    inherits database
    {
    	read
    	write
    	import
    	export
    }
    
    # network peer labels
    class peer
    {
    	recv
    }
    
    # paste_after_confirm is distinct from paste, so policy can require a
    # confirmation step for some transfers (inferred from the name).
    class x_application_data
    {
    	paste
    	paste_after_confirm
    	copy
    }
    
    # Kernel-internal services acting on behalf of a task (inferred from the
    # permission names; confirm against the callers).
    class kernel_service
    {
    	use_as_override
    	create_files_as
    }
    
    # tun_socket takes the common socket set only; x_pointer and x_keyboard
    # take the common x_device set only.
    class tun_socket
    inherits socket
    
    class x_pointer
    inherits x_device
    
    class x_keyboard
    inherits x_device
    
    # Later database additions; each inherits the database prefix and adds
    # only the operations listed.
    class db_schema
    inherits database
    {
    	search
    	add_name
    	remove_name
    }
    
    class db_view
    inherits database
    {
    	expand
    }
    
    class db_sequence
    inherits database
    {
    	get_value
    	next_value
    	set_value
    }
    
    class db_language
    inherits database
    {
    	implement
    	execute
    }
    
    # Android-specific classes.
    # NOTE(review): these permissions are checked by their respective object
    # managers outside this file, so any rename or addition here must be
    # matched in the consumer that performs the check — confirm before editing.
    class binder
    {
    	impersonate
    	call
    	set_context_mgr
    	transfer
    }
    
    class zygote
    {
    	specifyids
    	specifyrlimits
    	specifycapabilities
    	specifyinvokewith
    	specifyseinfo
    }
    
    class property_service
    {
    	set
    }