600 lines
6.7 KiB
Plaintext
600 lines
6.7 KiB
Plaintext
|
#
|
||
|
# Define common prefixes for access vectors
|
||
|
#
|
||
|
# common common_name { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for file access vectors.
|
||
|
#
|
||
|
|
||
|
common file
|
||
|
{
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
unlink
|
||
|
link
|
||
|
rename
|
||
|
execute
|
||
|
swapon
|
||
|
quotaon
|
||
|
mounton
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for socket access vectors.
|
||
|
#
|
||
|
|
||
|
common socket
|
||
|
{
|
||
|
# inherited from file
|
||
|
ioctl
|
||
|
read
|
||
|
write
|
||
|
create
|
||
|
getattr
|
||
|
setattr
|
||
|
lock
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
append
|
||
|
# socket-specific
|
||
|
bind
|
||
|
connect
|
||
|
listen
|
||
|
accept
|
||
|
getopt
|
||
|
setopt
|
||
|
shutdown
|
||
|
recvfrom
|
||
|
sendto
|
||
|
recv_msg
|
||
|
send_msg
|
||
|
name_bind
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define a common prefix for ipc access vectors.
|
||
|
#
|
||
|
|
||
|
common ipc
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
getattr
|
||
|
setattr
|
||
|
read
|
||
|
write
|
||
|
associate
|
||
|
unix_read
|
||
|
unix_write
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vectors.
|
||
|
#
|
||
|
# class class_name [ inherits common_name ] { permission_name ... }
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for file-related objects.
|
||
|
#
|
||
|
|
||
|
class filesystem
|
||
|
{
|
||
|
mount
|
||
|
remount
|
||
|
unmount
|
||
|
getattr
|
||
|
relabelfrom
|
||
|
relabelto
|
||
|
transition
|
||
|
associate
|
||
|
quotamod
|
||
|
quotaget
|
||
|
}
|
||
|
|
||
|
class dir
|
||
|
inherits file
|
||
|
{
|
||
|
add_name
|
||
|
remove_name
|
||
|
reparent
|
||
|
search
|
||
|
rmdir
|
||
|
}
|
||
|
|
||
|
class file
|
||
|
inherits file
|
||
|
{
|
||
|
execute_no_trans
|
||
|
entrypoint
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class lnk_file
|
||
|
inherits file
|
||
|
|
||
|
class chr_file
|
||
|
inherits file
|
||
|
{
|
||
|
execute_no_trans
|
||
|
entrypoint
|
||
|
execmod
|
||
|
}
|
||
|
|
||
|
class blk_file
|
||
|
inherits file
|
||
|
|
||
|
class sock_file
|
||
|
inherits file
|
||
|
|
||
|
class fifo_file
|
||
|
inherits file
|
||
|
|
||
|
class fd
|
||
|
{
|
||
|
use
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for network-related objects.
|
||
|
#
|
||
|
|
||
|
class socket
|
||
|
inherits socket
|
||
|
|
||
|
class tcp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
node_bind
|
||
|
}
|
||
|
|
||
|
class udp_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
node_bind
|
||
|
}
|
||
|
|
||
|
class rawip_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
node_bind
|
||
|
}
|
||
|
|
||
|
class node
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
enforce_dest
|
||
|
}
|
||
|
|
||
|
class netif
|
||
|
{
|
||
|
tcp_recv
|
||
|
tcp_send
|
||
|
udp_recv
|
||
|
udp_send
|
||
|
rawip_recv
|
||
|
rawip_send
|
||
|
}
|
||
|
|
||
|
class netlink_socket
|
||
|
inherits socket
|
||
|
|
||
|
class packet_socket
|
||
|
inherits socket
|
||
|
|
||
|
class key_socket
|
||
|
inherits socket
|
||
|
|
||
|
class unix_stream_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
connectto
|
||
|
newconn
|
||
|
acceptfrom
|
||
|
}
|
||
|
|
||
|
class unix_dgram_socket
|
||
|
inherits socket
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for process-related objects
|
||
|
#
|
||
|
|
||
|
class process
|
||
|
{
|
||
|
fork
|
||
|
transition
|
||
|
sigchld # commonly granted from child to parent
|
||
|
sigkill # cannot be caught or ignored
|
||
|
sigstop # cannot be caught or ignored
|
||
|
signull # for kill(pid, 0)
|
||
|
signal # all other signals
|
||
|
ptrace
|
||
|
getsched
|
||
|
setsched
|
||
|
getsession
|
||
|
getpgid
|
||
|
setpgid
|
||
|
getcap
|
||
|
setcap
|
||
|
share
|
||
|
getattr
|
||
|
setexec
|
||
|
setfscreate
|
||
|
noatsecure
|
||
|
siginh
|
||
|
setrlimit
|
||
|
rlimitinh
|
||
|
dyntransition
|
||
|
setcurrent
|
||
|
execmem
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for ipc-related objects
|
||
|
#
|
||
|
|
||
|
class ipc
|
||
|
inherits ipc
|
||
|
|
||
|
class sem
|
||
|
inherits ipc
|
||
|
|
||
|
class msgq
|
||
|
inherits ipc
|
||
|
{
|
||
|
enqueue
|
||
|
}
|
||
|
|
||
|
class msg
|
||
|
{
|
||
|
send
|
||
|
receive
|
||
|
}
|
||
|
|
||
|
class shm
|
||
|
inherits ipc
|
||
|
{
|
||
|
lock
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for the security server.
|
||
|
#
|
||
|
|
||
|
class security
|
||
|
{
|
||
|
compute_av
|
||
|
compute_create
|
||
|
compute_member
|
||
|
check_context
|
||
|
load_policy
|
||
|
compute_relabel
|
||
|
compute_user
|
||
|
setenforce # was avc_toggle in system class
|
||
|
setbool
|
||
|
setsecparam
|
||
|
setcheckreqprot
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for system operations.
|
||
|
#
|
||
|
|
||
|
class system
|
||
|
{
|
||
|
ipc_info
|
||
|
syslog_read
|
||
|
syslog_mod
|
||
|
syslog_console
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controling capabilies
|
||
|
#
|
||
|
|
||
|
class capability
|
||
|
{
|
||
|
# The capabilities are defined in include/linux/capability.h
|
||
|
# Care should be taken to ensure that these are consistent with
|
||
|
# those definitions. (Order matters)
|
||
|
|
||
|
chown
|
||
|
dac_override
|
||
|
dac_read_search
|
||
|
fowner
|
||
|
fsetid
|
||
|
kill
|
||
|
setgid
|
||
|
setuid
|
||
|
setpcap
|
||
|
linux_immutable
|
||
|
net_bind_service
|
||
|
net_broadcast
|
||
|
net_admin
|
||
|
net_raw
|
||
|
ipc_lock
|
||
|
ipc_owner
|
||
|
sys_module
|
||
|
sys_rawio
|
||
|
sys_chroot
|
||
|
sys_ptrace
|
||
|
sys_pacct
|
||
|
sys_admin
|
||
|
sys_boot
|
||
|
sys_nice
|
||
|
sys_resource
|
||
|
sys_time
|
||
|
sys_tty_config
|
||
|
mknod
|
||
|
lease
|
||
|
audit_write
|
||
|
audit_control
|
||
|
}
|
||
|
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# changes to passwd information.
|
||
|
#
|
||
|
class passwd
|
||
|
{
|
||
|
passwd # change another user passwd
|
||
|
chfn # change another user finger info
|
||
|
chsh # change another user shell
|
||
|
rootok # pam_rootok check (skip auth)
|
||
|
crontab # crontab on another user
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# SE-X Windows stuff
|
||
|
#
|
||
|
class drawable
|
||
|
{
|
||
|
create
|
||
|
destroy
|
||
|
draw
|
||
|
copy
|
||
|
getattr
|
||
|
}
|
||
|
|
||
|
class gc
|
||
|
{
|
||
|
create
|
||
|
free
|
||
|
getattr
|
||
|
setattr
|
||
|
}
|
||
|
|
||
|
class window
|
||
|
{
|
||
|
addchild
|
||
|
create
|
||
|
destroy
|
||
|
map
|
||
|
unmap
|
||
|
chstack
|
||
|
chproplist
|
||
|
chprop
|
||
|
listprop
|
||
|
getattr
|
||
|
setattr
|
||
|
setfocus
|
||
|
move
|
||
|
chselection
|
||
|
chparent
|
||
|
ctrllife
|
||
|
enumerate
|
||
|
transparent
|
||
|
mousemotion
|
||
|
clientcomevent
|
||
|
inputevent
|
||
|
drawevent
|
||
|
windowchangeevent
|
||
|
windowchangerequest
|
||
|
serverchangeevent
|
||
|
extensionevent
|
||
|
}
|
||
|
|
||
|
class font
|
||
|
{
|
||
|
load
|
||
|
free
|
||
|
getattr
|
||
|
use
|
||
|
}
|
||
|
|
||
|
class colormap
|
||
|
{
|
||
|
create
|
||
|
free
|
||
|
install
|
||
|
uninstall
|
||
|
list
|
||
|
read
|
||
|
store
|
||
|
getattr
|
||
|
setattr
|
||
|
}
|
||
|
|
||
|
class property
|
||
|
{
|
||
|
create
|
||
|
free
|
||
|
read
|
||
|
write
|
||
|
}
|
||
|
|
||
|
class cursor
|
||
|
{
|
||
|
create
|
||
|
createglyph
|
||
|
free
|
||
|
assign
|
||
|
setattr
|
||
|
}
|
||
|
|
||
|
class xclient
|
||
|
{
|
||
|
kill
|
||
|
}
|
||
|
|
||
|
class xinput
|
||
|
{
|
||
|
lookup
|
||
|
getattr
|
||
|
setattr
|
||
|
setfocus
|
||
|
warppointer
|
||
|
activegrab
|
||
|
passivegrab
|
||
|
ungrab
|
||
|
bell
|
||
|
mousemotion
|
||
|
relabelinput
|
||
|
}
|
||
|
|
||
|
class xserver
|
||
|
{
|
||
|
screensaver
|
||
|
gethostlist
|
||
|
sethostlist
|
||
|
getfontpath
|
||
|
setfontpath
|
||
|
getattr
|
||
|
grab
|
||
|
ungrab
|
||
|
}
|
||
|
|
||
|
class xextension
|
||
|
{
|
||
|
query
|
||
|
use
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# PaX flags
|
||
|
#
|
||
|
class pax
|
||
|
{
|
||
|
pageexec # Paging based non-executable pages
|
||
|
emutramp # Emulate trampolines
|
||
|
mprotect # Restrict mprotect()
|
||
|
randmmap # Randomize mmap() base
|
||
|
randexec # Randomize ET_EXEC base
|
||
|
segmexec # Segmentation based non-executable pages
|
||
|
}
|
||
|
|
||
|
#
|
||
|
# Extended Netlink classes
|
||
|
#
|
||
|
class netlink_route_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_firewall_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_tcpdiag_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_nflog_socket
|
||
|
inherits socket
|
||
|
|
||
|
class netlink_xfrm_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_selinux_socket
|
||
|
inherits socket
|
||
|
|
||
|
class netlink_audit_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_ip6fw_socket
|
||
|
inherits socket
|
||
|
{
|
||
|
nlmsg_read
|
||
|
nlmsg_write
|
||
|
}
|
||
|
|
||
|
class netlink_dnrt_socket
|
||
|
inherits socket
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access and communication through the D-BUS messaging
|
||
|
# system.
|
||
|
#
|
||
|
class dbus
|
||
|
{
|
||
|
acquire_svc
|
||
|
send_msg
|
||
|
}
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access through the name service cache daemon (nscd).
|
||
|
#
|
||
|
class nscd
|
||
|
{
|
||
|
getpwd
|
||
|
getgrp
|
||
|
gethost
|
||
|
getstat
|
||
|
admin
|
||
|
shmempwd
|
||
|
shmemgrp
|
||
|
shmemhost
|
||
|
}
|
||
|
|
||
|
# Define the access vector interpretation for controlling
|
||
|
# access to IPSec network data by association
|
||
|
#
|
||
|
class association
|
||
|
{
|
||
|
sendto
|
||
|
recvfrom
|
||
|
}
|