########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
#
# Sets are plain m4 define()s whose body is a brace-enclosed list; a set may
# name another set, which is expanded where the outer macro is used.

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
# Includes the privileged classes (rawip, packet, every netlink family, tun),
# so a rule written against this set reaches those as well; see
# unpriv_socket_class_set for the narrower list.
#
define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')


#
# Datagram socket classes.
#
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
# The right set for domains that only need ordinary TCP/UDP and UNIX sockets.
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

########################################
#
# Macros for sets of permissions
#
# Every set in this section is deprecated: each body also calls
# refpolicywarn() with the name of the macro ($0) and the replacement set
# to use in new policy. The call sits inside the define body, so it is
# evaluated where the deprecated macro is expanded, not here.
#

#
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')

#
# Permissions for executing files.
# The suggested replacement { getattr execute } is narrower than this set,
# which also grants open; mmap_file_perms / exec_file_perms cover open too.
#
define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')

#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')

#
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')

#
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')

#
# Permissions for linking, unlinking and renaming files.
# The replacement named in the warning is the literal set itself; there is
# no named successor macro.
#
define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')

#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')

#
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')

#
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')


#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
# Includes bind and connect, so this is not limited to sockets that are
# already connected; compare connected_socket_perms below.
#
define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
#
define(`create_socket_perms', `{ create rw_socket_perms }')

#
# Permissions for using stream sockets.
#
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')

#
# Permissions for creating and using stream sockets.
#
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

#
# Permissions for creating and using connected sockets.
# Same as create_socket_perms minus connect and lock.
#
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

#
# Permissions for creating and using connected stream sockets.
#
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')


#
# Permissions for creating and using netlink sockets.
#
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that modify state.
# Currently the same set as create_netlink_socket_perms.
#
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that observe state.
# Only nlmsg_write is left out; socket-level write is still granted via
# create_socket_perms.
#
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')

#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
# r_* is the read side; rw_* adds write and unix_write (plus enqueue for
# message queues, lock for shared memory); create_* further adds setattr,
# create and destroy.
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

########################################
#
# New permission sets
#
# Each object class below gets a similar family of sets: getattr/setattr,
# read/append/write/rw, create/rename/delete, manage (the full lifecycle)
# and relabelfrom/relabelto/relabel. The manage_* sets never include the
# relabel permissions; grant those separately and only where needed.
#

#
# Directory (dir)
#
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
# search_dir_perms: lookup through the directory only;
# list_dir_perms adds read so the entries can be enumerated.
define(`search_dir_perms',`{ getattr search open }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
define(`create_dir_perms',`{ getattr create }')
define(`rename_dir_perms',`{ getattr rename }')
define(`delete_dir_perms',`{ getattr rmdir }')
# Full lifecycle, including reparent (moving the directory under a
# different parent) and rmdir.
define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
define(`relabelto_dir_perms',`{ getattr relabelto }')
define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')

#
# Regular file (file)
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
# The *_inherited_* variants omit open; presumably for descriptors
# inherited from another domain rather than opened by this one.
define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
define(`read_file_perms',`{ open read_inherited_file_perms }')
# mmap_file_perms grants execute (executable mappings) but not
# execute_no_trans; exec_file_perms adds execute_no_trans, i.e. running
# the file in the calling domain with no domain transition.
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
# Full lifecycle: create, read/write/append, link/unlink/rename.
# Does not include execute or the relabel permissions.
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
define(`relabelto_file_perms',`{ getattr relabelto }')
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')

#
# Symbolic link (lnk_file)
#
# None of these sets include open.
#
define(`getattr_lnk_file_perms',`{ getattr }')
define(`setattr_lnk_file_perms',`{ setattr }')
define(`read_lnk_file_perms',`{ getattr read }')
define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
# rw omits append, unlike write_lnk_file_perms.
define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')

#
# (Un)named Pipes/FIFOs (fifo_file)
#
define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
# rw_inherited has no open; presumably for pipe ends passed in by another
# domain. rw_fifo_file_perms adds open on top of it.
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')

#
# (Un)named Sockets (sock_file)
#
# The read/write sets here carry no lock or ioctl, unlike the other file
# classes; only manage_sock_file_perms includes them.
#
define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
define(`relabelto_sock_file_perms',`{ getattr relabelto }')
define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')

#
# Block device nodes (blk_file)
#
# read/write on a device node is access to the underlying device itself,
# so these sets deserve more scrutiny than their regular-file counterparts.
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
# Unlike create_file_perms, create_blk_file_perms does not include open;
# a creator that also opens the node needs that permission separately.
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_blk_file_perms',`{ getattr relabelto }')
define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')

#
# Character device nodes (chr_file)
#
# Same layout as the blk_file sets; read/write here is direct access to the
# character device behind the node.
#
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
# As with blk_file, the create set omits open.
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
define(`relabelto_chr_file_perms',`{ getattr relabelto }')
define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')

########################################
#
# Special permission sets
#

#
# Use (read and write) terminals
#
# NOTE(review): rw_inherited_term_perms already contains open, so
# rw_term_perms expands to the same permissions; the inherited variant is
# not actually narrower here, unlike the file-class *_inherited_* sets.
#
define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
define(`rw_term_perms', `{ open rw_inherited_term_perms }')

#
# Sockets
#
# client_stream_socket_perms is the same set as connected_socket_perms, and
# server_stream_socket_perms the same as connected_stream_socket_perms.
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')

#
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')

#
# All
#
# all_capabilities lists all 32 permissions of the capability class,
# including sys_module, sys_rawio, sys_ptrace and sys_admin; a domain given
# this set is effectively unconfined as far as capability checks go.
# Grant individual capabilities instead wherever possible. (Permissions of
# the capability2 class are not part of this set.)
#
define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
')

define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
define(`all_dbus_perms', `{ acquire_svc send_msg } ')
define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')