ObjectClassesPerms

From SELinux Wiki

SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).

The document has the following caveats:

  • The permission descriptions are only for providing a general idea of the purposes of the permissions; a permission may mediate many operations.
  • Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

Permission Description
create Create a new database object.
drop Remove a database object.
getattr Get the attributes of a database object.
setattr Set the attributes of a database object.
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.

common file

Permission Description
getattr Get file attributes for file, such as access mode. (e.g. stat, some ioctls, ...)
relabelto Relabel to new security context.
unlink Remove hard link (delete).
ioctl IO control system call requests not addressed by other permissions.
execute Execute
append Write to a file opened with O_APPEND.
read Read file contents.
setattr Change file attributes for file such as access mode. (e.g. chmod, some ioctls, ...)
swapon Allows file to be used for paging/swapping space.
write Write to a file.
lock Set and unset file locks.
create Create new file.
rename Rename a file.
mounton Use as mount point; only useful for directories and files in Linux.
quotaon Use as a quota file.
relabelfrom Relabel from old security context.
link Create another hard link to file

common ipc

Permission Description
write Write.
destroy Destroy.
unix_write Generic write access.
getattr Get attributes, e.g. IPC_STAT *ctl operation.
create Create.
read Read
setattr Change attributes, e.g. IPC_SET.
unix_read Generic read access.
associate Associate a key

common socket

Permission Description
append Write to open fd marked with O_APPEND.
relabelfrom Change the security context based on existing type.
create Create new socket.
read Read from socket.
sendto Send to socket.
connect Initiate connection.
recvfrom Legacy NetLabel check; obsoleted by peer recv
send_msg Legacy check; no longer present.
bind Bind a name to the socket.
lock Apply file lock on a socket.
ioctl IO control system call requests not addressed by other permissions.
getattr Get socket attributes, e.g. fstat.
write Write to socket.
setopt Set socket options.
getopt Get socket options.
listen Listen for connections.
setattr Change socket attributes.
shutdown Shutdown connection.
relabelto Change the security context based on the new type.
recv_msg Obsolete.
accept Accept a connection.
name_bind Associate with port or file; for AF_INET sockets, controls relationship between a socket and its port number; for AF_UNIX sockets, controls relationship between a socket and its file.

common x_device

Permission Description
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
list_property
get_property
set_property
add
remove

Kernel Object Classes

appletalk_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.18+
relabelfrom see common socket:relabelfrom 2.6.18+
create see common socket:create 2.6.18+
read see common socket:read 2.6.18+
sendto see common socket:sendto 2.6.18+
connect see common socket:connect 2.6.18+
recvfrom see common socket:recvfrom 2.6.18+
send_msg see common socket:send_msg 2.6.18+
bind see common socket:bind 2.6.18+
lock see common socket:lock 2.6.18+
ioctl see common socket:ioctl 2.6.18+
getattr see common socket:getattr 2.6.18+
write see common socket:write 2.6.18+
setopt see common socket:setopt 2.6.18+
getopt see common socket:getopt 2.6.18+
listen see common socket:listen 2.6.18+
setattr see common socket:setattr 2.6.18+
shutdown see common socket:shutdown 2.6.18+
relabelto see common socket:relabelto 2.6.18+
recv_msg see common socket:recv_msg 2.6.18+
accept see common socket:accept 2.6.18+
name_bind see common socket:name_bind 2.6.18+

association

Permission Description Kernel Version/Capability
sendto Send to an IPSEC association. 2.6.12+
recvfrom Receive from an IPSEC association. 2.6.12+
setcontext Set the context of an IPSEC association on creation. 2.6.16+
polmatch Match an IPSEC policy entry 2.6.19+

blk_file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
open Open a block device file. 2.6.26+ / open_perms

capability

Permission Description Kernel Version/Capability
chown Override restrictions on changing file ownership and group ownership.
dac_override Override all DAC access restrictions. Checked before dac_read_search, so a dontaudit candidate.
dac_read_search Override DAC read/search access restrictions.
fowner Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies.
fsetid Override file owner and group requirements when setting setuid or setgid bits on a file. Can be checked as a side effect on chmod and write operations; dontaudit candidate.
kill Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
setgid Allow setgid(2) or setgroups(2) or forged gids on credentials passed over a socket.
setuid Allow set*uid(2). Allow passing of forged ids on credentials passed over a socket.
setpcap Add capability from bounding set to inheritable set, drop capability from bounding set, modify secure bits.
linux_immutable Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
net_bind_service Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.
net_broadcast Grant network broadcasting and listening to incoming multicasts.
net_admin Allows all networking configurations and modifications. See linux/capability.h for details.
net_raw Allows opening of raw sockets and packet sockets.
ipc_lock Allow locking shared memory segments and mlock/mlockall.
ipc_owner Override IPC ownership checks.
sys_module Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl.
sys_rawio Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.
sys_chroot Grant use of the chroot(2) call.
sys_ptrace Allow a ptrace of any process.
sys_pacct Allow modification of accounting for any process.
sys_admin Too many to list here (see /usr/include/linux/capability.h)
sys_boot Grant ability to reboot the system.
sys_nice Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process.
sys_resource Too many to list here (see /usr/include/linux/capability.h for details.)
sys_time Grant permission to set system time and to set the real-time lock.
sys_tty_config Grant permission to configure tty devices. Allow vhangup(2) call on a tty.
mknod Grants permission to create character and block device nodes.
lease Grants ability to take leases on a file. For details on what leases are see fcntl(2).
audit_write Generate audit messages from user space. 2.6.12+
audit_control Control kernel audit configuration/rules. Set login UID. 2.6.12+
setfcap Set file capabilities. 2.6.25+

capability2

Permission Description Kernel Version/Capability
mac_override Override MAC restrictions - Ignored by SELinux 2.6.25+
mac_admin Change MAC configuration - For SELinux, get/set raw security context values unknown to the current policy. 2.6.25+
syslog Configure kernel syslog subsystem
wake_alarm Trigger something that will wake the system
block_suspend Prevent system suspends

chr_file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
execute_no_trans Execute a file in the caller's domain. 2.6.11+
entrypoint Can be executed as the entry point of the new domain in a transition. 2.6.11+
execmod Make executable a file mapping that has been modified by copy-on-write. (Text relocation) 2.6.11+
open Open a character device file. 2.6.26+ / open_perms

dccp_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.20+
relabelfrom see common socket:relabelfrom 2.6.20+
create see common socket:create 2.6.20+
read see common socket:read 2.6.20+
sendto see common socket:sendto 2.6.20+
connect see common socket:connect 2.6.20+
recvfrom see common socket:recvfrom 2.6.20+
send_msg see common socket:send_msg 2.6.20+
bind see common socket:bind 2.6.20+
lock see common socket:lock 2.6.20+
ioctl see common socket:ioctl 2.6.20+
getattr see common socket:getattr 2.6.20+
write see common socket:write 2.6.20+
setopt see common socket:setopt 2.6.20+
getopt see common socket:getopt 2.6.20+
listen see common socket:listen 2.6.20+
setattr see common socket:setattr 2.6.20+
shutdown see common socket:shutdown 2.6.20+
relabelto see common socket:relabelto 2.6.20+
recv_msg see common socket:recv_msg 2.6.20+
accept see common socket:accept 2.6.20+
name_bind see common socket:name_bind 2.6.20+
connectto Connect to server socket. 2.6.20+
newconn Create new socket for connection. 2.6.20+
acceptfrom Accept connection from client socket. 2.6.20+
node_bind Ability to bind to a node. 2.6.20+
name_connect Connect to a specific port number. 2.6.20+

dir

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink N/A
ioctl see common file:ioctl
execute N/A
append N/A
read see common file:read
setattr see common file:setattr
swapon N/A
write General write access; required for adding or removing
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon N/A
relabelfrom see common file:relabelfrom
link N/A
search Search access
rmdir Remove the directory
remove_name Remove a file from the directory.
reparent Rename into a different parent directory (.. change).
add_name Add a file to the directory.
open Open a directory. 2.6.26+ / open_perms

fd

Permission Description Kernel Version/Capability
use Permission to use an inherited file descriptor

fifo_file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
open Open a FIFO. 2.6.26+ / open_perms

file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
execute_no_trans Execute a file in the caller's domain.
entrypoint Can be executed as the entry point of the new domain in a transition.
execmod Make executable a file mapping that has been modified by copy-on-write. (Text relocation) 2.6.11+
open Open a file. 2.6.26+ / open_perms

filesystem

Permission Description Kernel Version/Capability
mount Mount the filesystem.
remount Change filesystem mount flags.
unmount Unmount the filesystem.
getattr Get file attributes, such as access mode. (e.g. stat, some ioctls, ...)
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.
transition Transition to a new SID (change security context).
associate Associate a file to the filesystem.
quotamod Modify quota information.
quotaget Get quota information

ipc

Inherits from: common ipc

Permission Description Kernel Version/Capability
write see common ipc:write
destroy see common ipc:destroy
unix_write see common ipc:unix_write
getattr see common ipc:getattr
create see common ipc:create
read see common ipc:read
setattr see common ipc:setattr
unix_read see common ipc:unix_read
associate see common ipc:associate

kernel_service

Permission Description Kernel Version/Capability
use_as_override Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security context when accessing objects on behalf of another process. 2.6.29+
create_files_as Grant a process the right to nominate a file creation label for a kernel service to use. 2.6.29+

key

Permission Description Kernel Version/Capability
view 2.6.18+
read 2.6.18+
write 2.6.18+
search 2.6.18+
link 2.6.18+
setattr 2.6.18+
create 2.6.18+

key_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

lnk_file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link

memprotect

Permission Description Kernel Version/Capability
mmap_zero Mmap the first page of memory. 2.6.23+

msg

Permission Description Kernel Version/Capability
receive Remove a message from a queue.
send Add a message to a queue.

msgq

Inherits from: common ipc

Permission Description Kernel Version/Capability
write see common ipc:write
destroy see common ipc:destroy
unix_write see common ipc:unix_write
getattr see common ipc:getattr
create see common ipc:create
read see common ipc:read
setattr see common ipc:setattr
unix_read see common ipc:unix_read
associate see common ipc:associate
enqueue Message can be added to a queue.

netif

Permission Description Kernel Version/Capability
tcp_recv Receive TCP packet.
tcp_send Send TCP packet.
udp_recv Receive UDP packet.
udp_send Send UDP packet.
rawip_recv Receive raw IP packet.
rawip_send Send raw IP packet.
dccp_recv Receive DCCP packet. 2.6.20+
dccp_send Send DCCP packet. 2.6.20+
ingress 2.6.25+ / network_peer_controls
egress 2.6.25+ / network_peer_controls

netlink_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

netlink_audit_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read audit subsystem state (e.g. AUDIT_GET). 2.6.8+
nlmsg_write Write audit subsystem state (e.g. AUDIT_SET). 2.6.8+
nlmsg_relay Send user space audit messages to the kernel audit system. 2.6.12+
nlmsg_readpriv Read security-sensitive audit subsystem state. 2.6.12+
nlmsg_tty_audit Control TTY auditing 2.6.30+

netlink_dnrt_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+

netlink_firewall_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read firewall configuration state. 2.6.8+
nlmsg_write Write firewall configuration state. 2.6.8+

netlink_ip6fw_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read netlink message. 2.6.8+
nlmsg_write Write netlink message. 2.6.8+

netlink_kobject_uevent_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.12+
relabelfrom see common socket:relabelfrom 2.6.12+
create see common socket:create 2.6.12+
read see common socket:read 2.6.12+
sendto see common socket:sendto 2.6.12+
connect see common socket:connect 2.6.12+
recvfrom see common socket:recvfrom 2.6.12+
send_msg see common socket:send_msg 2.6.12+
bind see common socket:bind 2.6.12+
lock see common socket:lock 2.6.12+
ioctl see common socket:ioctl 2.6.12+
getattr see common socket:getattr 2.6.12+
write see common socket:write 2.6.12+
setopt see common socket:setopt 2.6.12+
getopt see common socket:getopt 2.6.12+
listen see common socket:listen 2.6.12+
setattr see common socket:setattr 2.6.12+
shutdown see common socket:shutdown 2.6.12+
relabelto see common socket:relabelto 2.6.12+
recv_msg see common socket:recv_msg 2.6.12+
accept see common socket:accept 2.6.12+
name_bind see common socket:name_bind 2.6.12+

netlink_nflog_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+

netlink_route_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read route configuration state. 2.6.8+
nlmsg_write Write route configuration state. 2.6.8+

netlink_selinux_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+

netlink_tcpdiag_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read tcp diagnostics. 2.6.8+
nlmsg_write Unused. 2.6.8+

netlink_xfrm_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.8+
relabelfrom see common socket:relabelfrom 2.6.8+
create see common socket:create 2.6.8+
read see common socket:read 2.6.8+
sendto see common socket:sendto 2.6.8+
connect see common socket:connect 2.6.8+
recvfrom see common socket:recvfrom 2.6.8+
send_msg see common socket:send_msg 2.6.8+
bind see common socket:bind 2.6.8+
lock see common socket:lock 2.6.8+
ioctl see common socket:ioctl 2.6.8+
getattr see common socket:getattr 2.6.8+
write see common socket:write 2.6.8+
setopt see common socket:setopt 2.6.8+
getopt see common socket:getopt 2.6.8+
listen see common socket:listen 2.6.8+
setattr see common socket:setattr 2.6.8+
shutdown see common socket:shutdown 2.6.8+
relabelto see common socket:relabelto 2.6.8+
recv_msg see common socket:recv_msg 2.6.8+
accept see common socket:accept 2.6.8+
name_bind see common socket:name_bind 2.6.8+
nlmsg_read Read xfrm configuration state. 2.6.8+
nlmsg_write Write xfrm configuration state. 2.6.8+

node

Permission Description Kernel Version/Capability
tcp_recv Receive TCP packet.
tcp_send Send TCP packet.
udp_recv Receive UDP packet.
udp_send Send UDP packet.
rawip_recv Receive raw IP packet.
rawip_send Send raw IP packet.
enforce_dest Ensure that the destination node can enforce restrictions on the destination socket.
dccp_recv Receive DCCP packet. 2.6.20+
dccp_send Send DCCP packet. 2.6.20+
recvfrom 2.6.25+ / network_peer_controls
sendto 2.6.25+ / network_peer_controls

packet

Permission Description Kernel Version/Capability
send Send a packet. 2.6.18+
receive Receive a packet. 2.6.18+
relabelto Set a labeling rule to the specified type. 2.6.18+
flow_in Deprecated 2.6.25+
flow_out Deprecated 2.6.25+
forward_in 2.6.25+
forward_out 2.6.25+

packet_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

peer

Permission Description Kernel Version/Capability
recv Receive from a labeled networking peer. 2.6.25+ / network_peer_controls

process

Permission Description Kernel Version/Capability
fork Fork into two processes.
transition Transition to a new context on exec().
sigchld Send SIGCHLD signal.
sigkill Send SIGKILL signal.
sigstop Send SIGSTOP signal
signull Test for existence of another process without sending a signal.
signal Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
ptrace Attach to another process for tracing.
getsched Get priority of a process.
setsched Set priority of a process.
getsession Get session ID of another process.
getpgid Get the process group ID of a process.
setpgid Set the process group ID of a process.
getcap Get Linux capabilities.
setcap Set Linux capabilities.
share Allow state sharing with cloned or forked process.
getattr Get attributes of a file.
setexec Override the default context for the next exec().
setfscreate Override the default context for file creation.
setrlimit Change process hard limits.
noatsecure Disable secure mode environment cleansing (AT_SECURE). v.16+
siginh Inherit signal state from caller. v.16+
rlimitinh Inherit resource limits from caller. v.16+
dyntransition Dynamically transition to a new context. 2.6.11+
setcurrent Set the current process context. 2.6.11+
execmem Make executable an anonymous mapping or private file mapping that is writable. 2.6.13+
execstack Make the main process stack executable. 2.6.13+
execheap Make the heap executable. 2.6.13+
setkeycreate Override the default context for key creation. 2.6.18+
setsockcreate Override the default context for socket creation. 2.6.18+

rawip_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
node_bind Ability to bind to a node. v.17+

security

Permission Description Kernel Version/Capability
compute_user Get user info in selinuxfs.
compute_relabel Get relabel info in selinuxfs.
compute_create Get create info in selinuxfs.
compute_av Compute an access vector given a source/target/class.
compute_member Determines the context to use when selecting a member of a polyinstantiated object.
setenforce Change the enforcement state of SELinux.
check_context Write context in selinuxfs.
load_policy Load the security policy.
setbool Set a boolean value. 2.6.5+
setsecparam Set kernel access vector cache tuning parameters. 2.6.11+
setcheckreqprot Set whether SELinux checks the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect. 2.6.12+

sem

Inherits from: common ipc

Permission Description Kernel Version/Capability
write see common ipc:write
destroy see common ipc:destroy
unix_write see common ipc:unix_write
getattr see common ipc:getattr
create see common ipc:create
read see common ipc:read
setattr see common ipc:setattr
unix_read see common ipc:unix_read
associate see common ipc:associate

shm

Inherits from: common ipc

Permission Description Kernel Version/Capability
write see common ipc:write
destroy see common ipc:destroy
unix_write see common ipc:unix_write
getattr see common ipc:getattr
create see common ipc:create
read see common ipc:read
setattr see common ipc:setattr
unix_read see common ipc:unix_read
associate see common ipc:associate
lock (Un)lock page(s) in memory.

sock_file

Inherits from: common file

Permission Description Kernel Version/Capability
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
open Open a named socket file. 2.6.26+ / open_perms

socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

system

Permission Description Kernel Version/Capability
ipc_info Get info for an ipc socket.
syslog_mod Perform a syslog operation other than syslog_read or console logging.
syslog_read Perform a syslog read.
syslog_console Perform syslog console logging.

tcp_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
connectto Connect to server socket.
newconn Create new socket for connection.
acceptfrom Accept connection from client socket.
node_bind Ability to bind to a node. 2.6.2+
name_connect Connect to a specific port number. 2.6.12+

tun_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append 2.6.32+
relabelfrom see common socket:relabelfrom 2.6.32+
create see common socket:create 2.6.32+
read see common socket:read 2.6.32+
sendto see common socket:sendto 2.6.32+
connect see common socket:connect 2.6.32+
recvfrom see common socket:recvfrom 2.6.32+
send_msg see common socket:send_msg 2.6.32+
bind see common socket:bind 2.6.32+
lock see common socket:lock 2.6.32+
ioctl see common socket:ioctl 2.6.32+
getattr see common socket:getattr 2.6.32+
write see common socket:write 2.6.32+
setopt see common socket:setopt 2.6.32+
getopt see common socket:getopt 2.6.32+
listen see common socket:listen 2.6.32+
setattr see common socket:setattr 2.6.32+
shutdown see common socket:shutdown 2.6.32+
relabelto see common socket:relabelto 2.6.32+
recv_msg see common socket:recv_msg 2.6.32+
accept see common socket:accept 2.6.32+
name_bind see common socket:name_bind 2.6.32+

udp_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
node_bind Ability to bind to a node. 2.6.2+

unix_dgram_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

unix_stream_socket

Inherits from: common socket

Permission Description Kernel Version/Capability
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
connectto Connect to server socket.
newconn Create new socket for connection.
acceptfrom Accept connection from client socket.

Database Object Classes

db_blob

Inherits from: common database

Permission Description
read Read a blob.
write Write a blob.
import Import a blob.
export Export a blob.

db_column

Inherits from: common database

Permission Description
use Deprecated
select
update
insert

db_database

Inherits from: common database

Permission Description
access
install_module
load_module
get_param Deprecated
set_param Deprecated

db_procedure

Inherits from: common database

Permission Description
execute Execute a stored procedure.
entrypoint
install

db_table

Inherits from: common database

Permission Description
use Deprecated
select
update
insert
delete
lock

db_tuple

Permission Description
relabelfrom
relabelto
use Deprecated
select
update
insert
delete

DBus Object Classes

dbus

Permission Description
acquire_svc
send_msg Send a message on the bus.

MLS Context Translation Object Classes

context

Permission Description
translate Translate a raw MLS label.
contains Calculate an MLS subset.

NSCD Object Classes

nscd

Permission Description
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
getserv
shmemserv

Password Object Classes

passwd

Permission Description
passwd Update user password.
chfn Change finger information, e.g. real name, work room, work phone and home phone.
chsh Change login shell.
rootok Allow update if the user is root and the process has the rootok PAM permission.
crontab Run crontab on another user's crontab.

X Server Object Classes

x_application_data

Permission Description
paste
paste_after_confirm
copy

x_client

Permission Description
destroy Close down a client.
getattr Get the attributes of an X client.
setattr Set the attributes of an X client.
manage

x_colormap

Permission Description
create Create a new Colormap.
destroy Free a Colormap.
read Read color cells of colormap.
write
getattr Get the color gamut of a screen.
add_color
remove_color
install Copy a virtual colormap into the display hardware.
uninstall Remove a virtual colormap from the display hardware.
use

x_cursor

Permission Description
create Create an arbitrary cursor object.
destroy Delete a cursor object.
read
write
getattr Get attributes of the cursor.
setattr Set attributes of the cursor.
use Associate a cursor object with a window.

x_device

Inherits from: common x_device

Permission Description
getattr see common x_device:getattr
setattr see common x_device:setattr
use see common x_device:use
read see common x_device:read
write see common x_device:write
getfocus see common x_device:getfocus
setfocus see common x_device:setfocus
bell see common x_device:bell
force_cursor see common x_device:force_cursor
freeze see common x_device:freeze
grab see common x_device:grab
manage see common x_device:manage
list_property see common x_device:list_property
get_property see common x_device:get_property
set_property see common x_device:set_property
add see common x_device:add
remove see common x_device:remove

x_drawable

Permission Description
create Create a Drawable object.
destroy Destroy a Drawable.
read
write
blend
getattr Get attributes of a Drawable object.
setattr Set attributes of a Drawable object.
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive

x_event

Permission Description
send
receive

x_extension

Permission Description
query
use

x_font

Permission Description
create Load a font.
destroy Free (dereference) a font.
getattr Obtain font names, path, etc.
add_glyph
remove_glyph
use Use a font for drawing.

x_gc

Permission Description
create Create a Graphics Context object.
destroy Free (dereference) a Graphics Context object.
getattr Get attributes of a Graphics Context object.
setattr Set attributes of a Graphics Context object.
use

x_keyboard

Inherits from: common x_device

Permission Description
getattr see common x_device:getattr
setattr see common x_device:setattr
use see common x_device:use
read see common x_device:read
write see common x_device:write
getfocus see common x_device:getfocus
setfocus see common x_device:setfocus
bell see common x_device:bell
force_cursor see common x_device:force_cursor
freeze see common x_device:freeze
grab see common x_device:grab
manage see common x_device:manage
list_property see common x_device:list_property
get_property see common x_device:get_property
set_property see common x_device:set_property
add see common x_device:add
remove see common x_device:remove

x_pointer

Inherits from: common x_device

Permission Description
getattr see common x_device:getattr
setattr see common x_device:setattr
use see common x_device:use
read see common x_device:read
write see common x_device:write
getfocus see common x_device:getfocus
setfocus see common x_device:setfocus
bell see common x_device:bell
force_cursor see common x_device:force_cursor
freeze see common x_device:freeze
grab see common x_device:grab
manage see common x_device:manage
list_property see common x_device:list_property
get_property see common x_device:get_property
set_property see common x_device:set_property
add see common x_device:add
remove see common x_device:remove

x_property

Permission Description
create Create property object.
destroy Free (dereference) a property object.
read Read a property.
write Write a property.
append Append a property.
getattr Get the attributes of a property.
setattr Set the attributes of a property.

x_resource

Permission Description
read
write

x_screen

Permission Description
getattr
setattr
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show

x_selection

Permission Description
read
write
getattr
setattr

x_server

Permission Description
getattr
setattr
record
debug
grab
manage

x_synthetic_event

Permission Description
send
receive