1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
########################################
#
# Support macros for sets of object classes and permissions
#
# This file should only have object class and permission set macros - they
# can only reference object classes and/or permissions.
#
# All directory and file classes
#
define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
#
# All non-directory file classes.
#
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
#
# Non-device file classes.
#
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
#
# Device file classes.
#
define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
#
# Datagram socket classes.
#
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
#
# Stream socket classes.
#
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
#
# Unprivileged socket classes (exclude rawip, netlink, packet).
#
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
########################################
#
# Macros for sets of permissions
#
#
# Permissions for getting file attributes.
#
define(`stat_file_perms', `{ getattr }')
#
# Permissions for executing files.
#
define(`x_file_perms', `{ getattr execute }')
#
# Permissions for reading files and their attributes.
#
define(`r_file_perms', `{ read getattr lock ioctl }')
#
# Permissions for reading and executing files.
#
define(`rx_file_perms', `{ read getattr lock execute ioctl }')
#
# Permissions for reading and appending to files.
#
define(`ra_file_perms', `{ ioctl read getattr lock append }')
#
# Permissions for linking, unlinking and renaming files.
#
define(`link_file_perms', `{ getattr link unlink rename }')
#
# Permissions for creating lnk_files.
#
define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
#
# Permissions for creating and using files.
#
define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
#
# Permissions for reading directories and their attributes.
#
define(`r_dir_perms', `{ read getattr lock search ioctl }')
#
# Permissions for reading and writing directories and their attributes.
#
define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
#
# Permissions for reading and adding names to directories.
#
define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
#
# Permissions for creating and using directories.
#
define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
#
# Permissions to mount and unmount file systems.
#
define(`mount_fs_perms', `{ mount remount unmount getattr }')
#
# Permissions for using sockets.
#
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`create_socket_perms', `{ create rw_socket_perms }')
#
# Permissions for using stream sockets.
#
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
#
# Permissions for creating and using stream sockets.
#
define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
#
# Permissions for creating and using sockets.
#
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
#
define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
#
# Permissions for creating and using netlink sockets.
#
define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that modify state.
#
define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
#
# Permissions for using netlink sockets for operations that observe state.
#
define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
#
# Permissions for sending all signals.
#
define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
#
# Permissions for sending and receiving network packets.
#
define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
#
# Permissions for using System V IPC
#
define(`r_sem_perms', `{ associate getattr read unix_read }')
define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
define(`r_msgq_perms', `{ associate getattr read unix_read }')
define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
define(`r_shm_perms', `{ associate getattr read unix_read }')
define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
########################################
#
# New permission sets
#
#
# Directory
#
define(`search_dir_perms',`{ getattr search }')
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
define(`list_dir_perms',`{ getattr search read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
#
# File
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
define(`rw_file_perms',`{ getattr read write append ioctl lock }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
#
# Use (read and write) terminals
#
define(`rw_term_perms', `{ getattr read write ioctl }')
#
# Sockets
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
|
