[people/stevee/selinux-policy.git] / policy / support / obj_perm_sets.spt

########################################
# 
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.

#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')

#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')

#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')

#
# All socket classes.
#
define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')


#
# Datagram socket classes.
# 
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')

#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')

#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

########################################
# 
# Macros for sets of permissions
#

# 
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')

# 
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')

# 
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')

# 
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')

# 
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')

#
# Permissions for linking, unlinking and renaming files.
# 
define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')

#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')

# 
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')

# 
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')


#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')

#
# Permissions for using sockets.
# 
define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`create_socket_perms', `{ create rw_socket_perms }')

#
# Permissions for using stream sockets.
# 
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')

#
# Permissions for creating and using stream sockets.
# 
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')

#
# Permissions for creating and using sockets.
# 
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

#
# Permissions for creating and using sockets.
# 
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')


#
# Permissions for creating and using netlink sockets.
# 
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that modify state.
# 
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')

#
# Permissions for using netlink sockets for operations that observe state.
# 
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')

#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')

#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')

#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')

########################################
#
# New permission sets
#

#
# Directory (dir)
#
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`search_dir_perms',`{ getattr search open }')
define(`list_dir_perms',`{ getattr search open read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
define(`create_dir_perms',`{ getattr create }')
define(`rename_dir_perms',`{ getattr rename }')
define(`delete_dir_perms',`{ getattr rmdir }')
define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
define(`relabelto_dir_perms',`{ getattr relabelto }')
define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')

#
# Regular file (file)
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
define(`read_file_perms',`{ open read_inherited_file_perms }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
define(`relabelto_file_perms',`{ getattr relabelto }')
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')

#
# Symbolic link (lnk_file)
#
define(`getattr_lnk_file_perms',`{ getattr }')
define(`setattr_lnk_file_perms',`{ setattr }')
define(`read_lnk_file_perms',`{ getattr read }')
define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')

#
# (Un)named Pipes/FIFOs (fifo_file)
#
define(`getattr_fifo_file_perms',`{ getattr }')
define(`setattr_fifo_file_perms',`{ setattr }')
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')

#
# (Un)named Sockets (sock_file)
#
define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
define(`relabelto_sock_file_perms',`{ getattr relabelto }')
define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')

#
# Block device nodes (blk_file)
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_blk_file_perms',`{ getattr relabelto }')
define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')

#
# Character device nodes (chr_file)
#
define(`getattr_chr_file_perms',`{ getattr }')
define(`setattr_chr_file_perms',`{ setattr }')
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
define(`relabelto_chr_file_perms',`{ getattr relabelto }')
define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')

########################################
#
# Special permission sets
#

#
# Use (read and write) terminals
#
define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
define(`rw_term_perms', `{ open rw_inherited_term_perms }')

#
# Sockets
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')

#
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')

#
# All 
#
define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
')

define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
define(`all_dbus_perms', `{ acquire_svc send_msg } ')
define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
Commit	Line	Data
ca83afe7 CP	1	########################################
ca83afe7 CP	2	#
eb5e2375	3	# Support macros for sets of object classes and permissions
ca83afe7	4	#
eb5e2375 KM	5	# This file should only have object class and permission set macros - they
eb5e2375 KM	6	# can only reference object classes and/or permissions.
ca83afe7 CP	7
	8	#
	9	# All directory and file classes
	10	#
	11	define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
	12
	13	#
	14	# All non-directory file classes.
	15	#
	16	define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
	17
	18	#
	19	# Non-device file classes.
	20	#
	21	define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
	22
	23	#
	24	# Device file classes.
	25	#
	26	define(`devfile_class_set', `{ chr_file blk_file }')
	27
	28	#
	29	# All socket classes.
	30	#
3eaa9939	31	define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
ca83afe7 CP	32
	33
	34	#
	35	# Datagram socket classes.
	36	#
	37	define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
	38
	39	#
	40	# Stream socket classes.
	41	#
	42	define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
	43
	44	#
	45	# Unprivileged socket classes (exclude rawip, netlink, packet).
	46	#
	47	define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
	48
	49	########################################
	50	#
	51	# Macros for sets of permissions
	52	#
	53
	54	#
	55	# Permissions for getting file attributes.
	56	#
ef659a47	57	define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')
ca83afe7 CP	58
	59	#
	60	# Permissions for executing files.
	61	#
0b36a214	62	define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
ca83afe7 CP	63
	64	#
	65	# Permissions for reading files and their attributes.
	66	#
0b36a214	67	define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
ca83afe7 CP	68
	69	#
	70	# Permissions for reading and executing files.
	71	#
0b36a214	72	define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
ca83afe7	73
ca83afe7 CP	74	#
	75	# Permissions for reading and appending to files.
	76	#
0b36a214	77	define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
ca83afe7 CP	78
	79	#
	80	# Permissions for linking, unlinking and renaming files.
	81	#
ef659a47	82	define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')
ca83afe7 CP	83
	84	#
	85	# Permissions for creating lnk_files.
	86	#
155635e3	87	define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')
ca83afe7 CP	88
	89	#
	90	# Permissions for reading directories and their attributes.
	91	#
0b36a214	92	define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
ca83afe7 CP	93
	94	#
	95	# Permissions for reading and adding names to directories.
	96	#
0b36a214	97	define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
ca83afe7 CP	98
ca83afe7 CP	99
ca83afe7 CP	100	#
	101	# Permissions to mount and unmount file systems.
	102	#
	103	define(`mount_fs_perms', `{ mount remount unmount getattr }')
	104
	105	#
	106	# Permissions for using sockets.
	107	#
3eaa9939	108	define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
ca83afe7 CP	109
	110	#
	111	# Permissions for creating and using sockets.
	112	#
	113	define(`create_socket_perms', `{ create rw_socket_perms }')
	114
	115	#
	116	# Permissions for using stream sockets.
	117	#
	118	define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
	119
	120	#
	121	# Permissions for creating and using stream sockets.
	122	#
	123	define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
	124
	125	#
	126	# Permissions for creating and using sockets.
	127	#
	128	define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
	129
	130	#
	131	# Permissions for creating and using sockets.
	132	#
	133	define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
	134
	135
	136	#
	137	# Permissions for creating and using netlink sockets.
	138	#
	139	define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
	140
	141	#
	142	# Permissions for using netlink sockets for operations that modify state.
	143	#
	144	define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
	145
	146	#
	147	# Permissions for using netlink sockets for operations that observe state.
	148	#
	149	define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
	150
	151	#
	152	# Permissions for sending all signals.
	153	#
	154	define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
	155
	156	#
	157	# Permissions for sending and receiving network packets.
	158	#
	159	define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
	160
	161	#
	162	# Permissions for using System V IPC
	163	#
	164	define(`r_sem_perms', `{ associate getattr read unix_read }')
	165	define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
	166	define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
	167	define(`r_msgq_perms', `{ associate getattr read unix_read }')
	168	define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
	169	define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
	170	define(`r_shm_perms', `{ associate getattr read unix_read }')
	171	define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
	172	define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
c9b7f1a2 CP	173
	174	########################################
	175	#
c4bf9793 CP	176	# New permission sets
	177	#
	178
	179	#
c0868a7a	180	# Directory (dir)
c4bf9793	181	#
c4bf9793 CP	182	define(`getattr_dir_perms',`{ getattr }')
c4bf9793 CP	183	define(`setattr_dir_perms',`{ setattr }')
7ca3f559	184	define(`search_dir_perms',`{ getattr search open }')
0b36a214 CP	185	define(`list_dir_perms',`{ getattr search open read lock ioctl }')
	186	define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
	187	define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
	188	define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
c0868a7a	189	define(`create_dir_perms',`{ getattr create }')
7f819d80	190	define(`rename_dir_perms',`{ getattr rename }')
c0868a7a	191	define(`delete_dir_perms',`{ getattr rmdir }')
cbe82b17	192	define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
c0868a7a CP	193	define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
	194	define(`relabelto_dir_perms',`{ getattr relabelto }')
	195	define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
c4bf9793 CP	196
c4bf9793 CP	197	#
c0868a7a	198	# Regular file (file)
c9b7f1a2	199	#
c4bf9793 CP	200	define(`getattr_file_perms',`{ getattr }')
c4bf9793 CP	201	define(`setattr_file_perms',`{ setattr }')
3eaa9939 DW	202	define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
3eaa9939 DW	203	define(`read_file_perms',`{ open read_inherited_file_perms }')
0b36a214	204	define(`mmap_file_perms',`{ getattr open read execute ioctl }')
c8d563fc	205	define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
0b36a214 CP	206	define(`append_file_perms',`{ getattr open append lock ioctl }')
0b36a214 CP	207	define(`write_file_perms',`{ getattr open write append lock ioctl }')
3eaa9939 DW	208	define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
3eaa9939 DW	209	define(`rw_file_perms',`{ open rw_inherited_file_perms }')
cbe82b17	210	define(`create_file_perms',`{ getattr create open }')
c0868a7a	211	define(`rename_file_perms',`{ getattr rename }')
1c1ac67f	212	define(`delete_file_perms',`{ getattr unlink }')
cbe82b17	213	define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
c0868a7a CP	214	define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
	215	define(`relabelto_file_perms',`{ getattr relabelto }')
	216	define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
	217
	218	#
	219	# Symbolic link (lnk_file)
	220	#
	221	define(`getattr_lnk_file_perms',`{ getattr }')
	222	define(`setattr_lnk_file_perms',`{ setattr }')
	223	define(`read_lnk_file_perms',`{ getattr read }')
b34db7a8 CP	224	define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
b34db7a8 CP	225	define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
c0868a7a CP	226	define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
	227	define(`create_lnk_file_perms',`{ create getattr }')
	228	define(`rename_lnk_file_perms',`{ getattr rename }')
	229	define(`delete_lnk_file_perms',`{ getattr unlink }')
3eaa9939	230	define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
c0868a7a CP	231	define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
	232	define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
	233	define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
	234
	235	#
	236	# (Un)named Pipes/FIFOs (fifo_file)
	237	#
	238	define(`getattr_fifo_file_perms',`{ getattr }')
	239	define(`setattr_fifo_file_perms',`{ setattr }')
0b36a214 CP	240	define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
	241	define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
	242	define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
3eaa9939 DW	243	define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
3eaa9939 DW	244	define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
cbe82b17	245	define(`create_fifo_file_perms',`{ getattr create open }')
c040ea12	246	define(`rename_fifo_file_perms',`{ getattr rename }')
c0868a7a	247	define(`delete_fifo_file_perms',`{ getattr unlink }')
cbe82b17	248	define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
c0868a7a CP	249	define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
	250	define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
	251	define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
	252
	253	#
	254	# (Un)named Sockets (sock_file)
	255	#
	256	define(`getattr_sock_file_perms',`{ getattr }')
	257	define(`setattr_sock_file_perms',`{ setattr }')
d3cdc3d0 CP	258	define(`read_sock_file_perms',`{ getattr open read }')
d3cdc3d0 CP	259	define(`write_sock_file_perms',`{ getattr write open append }')
3eaa9939 DW	260	define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
3eaa9939 DW	261	define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
d3cdc3d0	262	define(`create_sock_file_perms',`{ getattr create open }')
c040ea12	263	define(`rename_sock_file_perms',`{ getattr rename }')
c0868a7a	264	define(`delete_sock_file_perms',`{ getattr unlink }')
d3cdc3d0	265	define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
c0868a7a CP	266	define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
	267	define(`relabelto_sock_file_perms',`{ getattr relabelto }')
	268	define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
	269
	270	#
	271	# Block device nodes (blk_file)
	272	#
	273	define(`getattr_blk_file_perms',`{ getattr }')
	274	define(`setattr_blk_file_perms',`{ setattr }')
0b36a214 CP	275	define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
	276	define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
	277	define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
3eaa9939 DW	278	define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
3eaa9939 DW	279	define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
c0868a7a CP	280	define(`create_blk_file_perms',`{ getattr create }')
	281	define(`rename_blk_file_perms',`{ getattr rename }')
	282	define(`delete_blk_file_perms',`{ getattr unlink }')
cbe82b17	283	define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
c0868a7a CP	284	define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
	285	define(`relabelto_blk_file_perms',`{ getattr relabelto }')
	286	define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
	287
	288	#
	289	# Character device nodes (chr_file)
	290	#
	291	define(`getattr_chr_file_perms',`{ getattr }')
	292	define(`setattr_chr_file_perms',`{ setattr }')
0b36a214 CP	293	define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
	294	define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
	295	define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
3eaa9939 DW	296	define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
3eaa9939 DW	297	define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
c0868a7a CP	298	define(`create_chr_file_perms',`{ getattr create }')
	299	define(`rename_chr_file_perms',`{ getattr rename }')
	300	define(`delete_chr_file_perms',`{ getattr unlink }')
cbe82b17	301	define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
c0868a7a CP	302	define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
	303	define(`relabelto_chr_file_perms',`{ getattr relabelto }')
	304	define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
	305
	306	########################################
	307	#
	308	# Special permission sets
	309	#
c9b7f1a2 CP	310
	311	#
	312	# Use (read and write) terminals
	313	#
3eaa9939 DW	314	define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
3eaa9939 DW	315	define(`rw_term_perms', `{ open rw_inherited_term_perms }')
157c6941	316
b7b1d238 CP	317	#
	318	# Sockets
	319	#
	320	define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
	321	define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
c8d563fc CP	322
	323	#
	324	# Keys
	325	#
	326	define(`manage_key_perms', `{ create link read search setattr view write } ')
3eaa9939 DW	327
	328	#
	329	# All
	330	#
	331	define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
	332	')
	333
	334	define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
	335	define(`all_dbus_perms', `{ acquire_svc send_msg } ')
	336	define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
	337	define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')