#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
# socket-specific
	bind
	connect
	listen
	accept
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}	

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
	unix_read
	unix_write
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	quotamod
	quotaget
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
}

class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
}

class lnk_file
inherits file

class chr_file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
}

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class fd
{
	use
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
	node_bind
}

class udp_socket
inherits socket
{
	node_bind
}

class rawip_socket
inherits socket
{
	node_bind
}

class node 
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class key_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	fork
	transition
	sigchld # commonly granted from child to parent
	sigkill # cannot be caught or ignored
	sigstop # cannot be caught or ignored
	signull # for kill(pid, 0)
	signal  # all other signals
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	share
	getattr
	setexec
	setfscreate
	noatsecure
	siginh
	setrlimit
	rlimitinh
	dyntransition
	setcurrent
	execmem
}


#
# Define the access vector interpretation for ipc-related objects
#

class ipc
inherits ipc

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server. 
#

class security
{
	compute_av
	compute_create
	compute_member
	check_context
	load_policy
	compute_relabel
	compute_user
	setenforce     # was avc_toggle in system class
	setbool
	setsecparam
	setcheckreqprot
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	ipc_info
	syslog_read  
	syslog_mod
	syslog_console
}

#
# Define the access vector interpretation for controling capabilies
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown           
	dac_override    
	dac_read_search 
	fowner          
	fsetid          
	kill            
	setgid           
	setuid           
	setpcap          
	linux_immutable  
	net_bind_service 
	net_broadcast    
	net_admin        
	net_raw          
	ipc_lock         
	ipc_owner        
	sys_module       
	sys_rawio        
	sys_chroot       
	sys_ptrace       
	sys_pacct        
	sys_admin        
	sys_boot         
	sys_nice         
	sys_resource     
	sys_time         
	sys_tty_config  
	mknod
	lease
	audit_write
	audit_control
}


#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
	passwd	# change another user passwd
	chfn	# change another user finger info
	chsh	# change another user shell
	rootok  # pam_rootok check (skip auth)
	crontab # crontab on another user
}

#
# SE-X Windows stuff
#
class drawable
{
	create
	destroy
	draw
	copy
	getattr
}

class gc
{
	create
	free
	getattr
	setattr
}

class window 
{
	addchild
	create
	destroy
	map
	unmap
	chstack
	chproplist
	chprop	
	listprop
	getattr
	setattr
	setfocus
	move
	chselection
	chparent
	ctrllife
	enumerate
	transparent
	mousemotion
	clientcomevent
	inputevent
	drawevent
	windowchangeevent
	windowchangerequest
	serverchangeevent
	extensionevent
}

class font
{
	load
	free
	getattr
	use
}

class colormap
{
	create
	free
	install
	uninstall
	list
	read
	store
	getattr
	setattr
}

class property
{
	create
	free
	read
	write
}

class cursor
{
	create
	createglyph
	free
	assign
	setattr
}

class xclient
{
	kill
}

class xinput
{
	lookup
	getattr
	setattr
	setfocus
	warppointer
	activegrab
	passivegrab
	ungrab
	bell
	mousemotion
	relabelinput
}

class xserver
{
	screensaver
	gethostlist
	sethostlist
	getfontpath
	setfontpath
	getattr
	grab
	ungrab
}

class xextension
{
	query
	use
}

#
# Define the access vector interpretation for controlling
# PaX flags
#
class pax
{
        pageexec        # Paging based non-executable pages
        emutramp        # Emulate trampolines
        mprotect        # Restrict mprotect()
        randmmap        # Randomize mmap() base
        randexec        # Randomize ET_EXEC base
        segmexec        # Segmentation based non-executable pages
}

#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_firewall_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_tcpdiag_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_nflog_socket
inherits socket

class netlink_xfrm_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_selinux_socket
inherits socket

class netlink_audit_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_ip6fw_socket
inherits socket
{
	nlmsg_read
	nlmsg_write
}

class netlink_dnrt_socket
inherits socket

# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
	acquire_svc
	send_msg
}

# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
	getpwd
	getgrp
	gethost
	getstat
	admin
       shmempwd
       shmemgrp
       shmemhost
}

# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
       sendto
       recvfrom
}