2 # Define common prefixes for access vectors
4 # common common_name { permission_name ... }
8 # Define a common prefix for file access vectors.
34 # Define a common prefix for socket access vectors.
66 # Define a common prefix for ipc access vectors.
83 # Define a common prefix for userspace database object access vectors.
97 # Define the access vectors.
99 # class class_name [ inherits common_name ] { permission_name ... }
103 # Define the access vector interpretation for file-related objects.
165 # Define the access vector interpretation for network-related objects.
227 class unix_stream_socket
235 class unix_dgram_socket
240 # Define the access vector interpretation for process-related objects
247 sigchld # commonly granted from child to parent
248 sigkill # cannot be caught or ignored
249 sigstop # cannot be caught or ignored
250 signull # for kill(pid, 0)
251 signal # all other signals
279 # Define the access vector interpretation for ipc-related objects
308 # Define the access vector interpretation for the security server.
320 setenforce # was avc_toggle in system class
328 # Define the access vector interpretation for system operations.
340 # Define the access vector interpretation for controlling capabilities
345 # The capabilities are defined in include/linux/capability.h
346 # Care should be taken to ensure that these are consistent with
347 # those definitions. (Order matters: permission bits are assigned in declaration order, so each entry must line up with its CAP_* value.)
384 # Define the access vector interpretation for controlling
385 # changes to passwd information.
389 passwd # change another user passwd
390 chfn # change another user finger info
391 chsh # change another user shell
392 rootok # pam_rootok check (skip auth)
393 crontab # crontab on another user
523 # Define the access vector interpretation for controlling
528 pageexec # Paging based non-executable pages
529 emutramp # Emulate trampolines
530 mprotect # Restrict mprotect()
531 randmmap # Randomize mmap() base
532 randexec # Randomize ET_EXEC base
533 segmexec # Segmentation based non-executable pages
537 # Extended Netlink classes
539 class netlink_route_socket
546 class netlink_firewall_socket
553 class netlink_tcpdiag_socket
560 class netlink_nflog_socket
563 class netlink_xfrm_socket
570 class netlink_selinux_socket
573 class netlink_audit_socket
582 class netlink_ip6fw_socket
589 class netlink_dnrt_socket
592 # Define the access vector interpretation for controlling
593 # access and communication through the D-BUS messaging
602 # Define the access vector interpretation for controlling
603 # access through the name service cache daemon (nscd).
619 # Define the access vector interpretation for controlling
620 # access to IPSec network data by association
630 # Updated Netlink class for KOBJECT_UEVENT family.
631 class netlink_kobject_uevent_socket
634 class appletalk_socket