ObjectClassesPerms

From SELinux Wiki

(Difference between revisions)
Revision as of 13:14, 20 October 2009
ChrisPeBenito
(New page: = '''SELinux Object Classes and Permissions Reference''' = This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0)....)
Revision as of 16:15, 15 November 2011
ChrisPeBenito
(3 intermediate revisions not shown.)
Line 12: Line 12:
! Description ! Description
|- |-
-||create||Create a new database object.||+||create||Create a new database object.
|- |-
-||drop||Remove a database object.||+||drop||Remove a database object.
|- |-
-||getattr||Get the attributes of a database object.||+||getattr||Get the attributes of a database object.
|- |-
-||setattr||Set the attributes of a database object.||+||setattr||Set the attributes of a database object.
|- |-
-||relabelfrom||Change the security context based on existing type.||+||relabelfrom||Change the security context based on existing type.
|- |-
-||relabelto||Change the security context based on the new type.||+||relabelto||Change the security context based on the new type.
|} |}
Line 30: Line 30:
! Description ! Description
|- |-
-||getattr||Get file attributes for block file, such as access mode. (e.g. stat, some ioctls. ...)||+||getattr||Get file attributes for block file, such as access mode. (e.g. stat, some ioctls. ...)
|- |-
-||relabelto||Change the security context based on the new type.||+||relabelto||Change the security context based on the new type.
|- |-
-||unlink||Remove hard link (delete).||+||unlink||Remove hard link (delete).
|- |-
-||ioctl||IO control system call requests not addressed by other permissions.||+||ioctl||IO control system call requests not addressed by other permissions.
|- |-
-||execute||Execute||+||execute||Execute
|- |-
-||append||Append file contents. i.e opened with O_APPEND flag.||+||append||Append file contents. i.e opened with O_APPEND flag.
|- |-
-||read||Read file contents.||+||read||Read file contents.
|- |-
-||setattr||Change file attributes for block file such as access mode. (e.g. chmod, some ioctls, ...)||+||setattr||Change file attributes for block file such as access mode. (e.g. chmod, some ioctls, ...)
|- |-
-||swapon||Allows file to be used for paging/swapping space.||+||swapon||Allows file to be used for paging/swapping space.
|- |-
-||write||Write or append file contents.||+||write||Write or append file contents.
|- |-
-||lock||Set and unset block file locks.||+||lock||Set and unset block file locks.
|- |-
-||create||Create new block file.||+||create||Create new block file.
|- |-
-||rename||Rename a hard link.||+||rename||Rename a hard link.
|- |-
-||mounton||Use as mount point; only useful for directories and files in Linux.||+||mounton||Use as mount point; only useful for directories and files in Linux.
|- |-
-||quotaon||Enabling quotas.||+||quotaon||Enabling quotas.
|- |-
-||relabelfrom||Change the security context based on existing type.||+||relabelfrom||Change the security context based on existing type.
|- |-
-||link||Create hard link to block files||+||link||Create hard link to block files
|} |}
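Review bot: the common file table describes several permissions as if they were specific to block files (getattr and setattr "for block file", "Set and unset block file locks", "Create new block file", "Create hard link to block files"), but this is the common table inherited by file, dir, fifo_file and chr_file as well as blk_file, so the wording should be generic ("Get file attributes, such as access mode", "Create new file", "Create hard link"). Two smaller points in the same hunk: the execute row says only "Execute" and should state what is controlled, namely executing the file, with the domain-transition cases left to execute_no_trans and entrypoint on the file class; and "i.e opened with O_APPEND flag" needs "i.e.".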
Line 70: Line 70:
! Description ! Description
|- |-
-||write||Write or append.||+||write||Write or append.
|- |-
-||destroy||Destroy.||+||destroy||Destroy.
|- |-
-||unix_write||Write or append; required by IPC operations.||+||unix_write||Write or append; required by IPC operations.
|- |-
-||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)||+||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)
|- |-
-||create||Create.||+||create||Create.
|- |-
-||read||Read.||+||read||Read.
|- |-
-||setattr||Change file attributes for shared memory segment such as access mode. (e.g. chmod, some ioctls, ...)||+||setattr||Change file attributes for shared memory segment such as access mode. (e.g. chmod, some ioctls, ...)
|- |-
-||unix_read||Read; required by IPC operations.||+||unix_read||Read; required by IPC operations.
|- |-
-||associate||Associate a key||+||associate||Associate a key
|} |}
Line 94: Line 94:
! Description ! Description
|- |-
-||append||Write or append socket file contents.||+||append||Write or append socket file contents.
|- |-
-||relabelfrom||Change the security context based on existing type.||+||relabelfrom||Change the security context based on existing type.
|- |-
-||create||Create new socket file.||+||create||Create new socket file.
|- |-
-||read||Read socket file contents.||+||read||Read socket file contents.
|- |-
-||sendto||Send datagrams to socket.||+||sendto||Send datagrams to socket.
|- |-
-||connect||Initiate connection.||+||connect||Initiate connection.
|- |-
-||recvfrom||Receive datagrams from socket.||+||recvfrom||Receive datagrams from socket.
|- |-
-||send_msg||Send datagram message; implicitly granted if the message SID is equal to the sending socket SID.||+||send_msg||Send datagram message; implicitly granted if the message SID is equal to the sending socket SID.
|- |-
-||bind||Bind name.||+||bind||Bind name.
|- |-
-||lock||Set and unset socket file locks||+||lock||Set and unset socket file locks
|- |-
-||ioctl||IO control system call requests not addressed by other permissions.||+||ioctl||IO control system call requests not addressed by other permissions.
|- |-
-||getattr||Get file attributes for socket file, such as access mode. (e.g. stat, some ioctls. ...)||+||getattr||Get file attributes for socket file, such as access mode. (e.g. stat, some ioctls. ...)
|- |-
-||write||Write or append socket file contents.||+||write||Write or append socket file contents.
|- |-
-||setopt||Set socket options.||+||setopt||Set socket options.
|- |-
-||getopt||Get socket options.||+||getopt||Get socket options.
|- |-
-||listen||Listen for connections.||+||listen||Listen for connections.
|- |-
-||setattr||Change file attributes for file such as access mode. (e.g. chmod, some ioctls)||+||setattr||Change file attributes for file such as access mode. (e.g. chmod, some ioctls)
|- |-
-||shutdown||Shutdown connection.||+||shutdown||Shutdown connection.
|- |-
-||relabelto||Change the security context based on the new type.||+||relabelto||Change the security context based on the new type.
|- |-
-||recv_msg||Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID.||+||recv_msg||Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID.
|- |-
-||accept||Accept a connection.||+||accept||Accept a connection.
|- |-
-||name_bind||Use port or file; for AF_INET sockets, controls relationship between a socket and it's port number; for AF_UNIX sockets, controls relationship between a socket and it's file||+||name_bind||Use port or file; for AF_INET sockets, controls relationship between a socket and it's port number; for AF_UNIX sockets, controls relationship between a socket and it's file
 +|}
 + 
 +=== common x_device ===
 +{| border="1"
 +! Permission
 +! Description
 +|-
 +||getattr
 +|-
 +||setattr
 +|-
 +||use
 +|-
 +||read
 +|-
 +||write
 +|-
 +||getfocus
 +|-
 +||setfocus
 +|-
 +||bell
 +|-
 +||force_cursor
 +|-
 +||freeze
 +|-
 +||grab
 +|-
 +||manage
 +|-
 +||list_property
 +|-
 +||get_property
 +|-
 +||set_property
 +|-
 +||add
 +|-
 +||remove
|} |}
== Kernel Object Classes == == Kernel Object Classes ==
=== appletalk_socket === === appletalk_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
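Review bot: the new common x_device table declares a Description column but every row carries only the permission name (||getattr, ||setattr, ... ||remove) with no description cell, so it renders half empty and, unlike every other common table in this reference, gives a policy writer nothing to go on when deciding whether to grant grab, manage or set_property. Please add a description per row, reusing the wording of the other commons where the meaning is the same (getattr, setattr, read, write). Two minor points: the name_bind row of the common socket table uses "it's" twice where "its" is meant, and the link rewrite to [[#common socket|common socket]] is the right fix, since the old [#commonsocket common socket] form is external-link syntax and does not produce a working section link.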
Line 147: Line 187:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.18+||+||append||see common socket:append||2.6.18+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.18+||+||relabelfrom||see common socket:relabelfrom||2.6.18+
|- |-
-||create||see common socket:create||2.6.18+||+||create||see common socket:create||2.6.18+
|- |-
-||read||see common socket:read||2.6.18+||+||read||see common socket:read||2.6.18+
|- |-
-||sendto||see common socket:sendto||2.6.18+||+||sendto||see common socket:sendto||2.6.18+
|- |-
-||connect||see common socket:connect||2.6.18+||+||connect||see common socket:connect||2.6.18+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.18+||+||recvfrom||see common socket:recvfrom||2.6.18+
|- |-
-||send_msg||see common socket:send_msg||2.6.18+||+||send_msg||see common socket:send_msg||2.6.18+
|- |-
-||bind||see common socket:bind||2.6.18+||+||bind||see common socket:bind||2.6.18+
|- |-
-||lock||see common socket:lock||2.6.18+||+||lock||see common socket:lock||2.6.18+
|- |-
-||ioctl||see common socket:ioctl||2.6.18+||+||ioctl||see common socket:ioctl||2.6.18+
|- |-
-||getattr||see common socket:getattr||2.6.18+||+||getattr||see common socket:getattr||2.6.18+
|- |-
-||write||see common socket:write||2.6.18+||+||write||see common socket:write||2.6.18+
|- |-
-||setopt||see common socket:setopt||2.6.18+||+||setopt||see common socket:setopt||2.6.18+
|- |-
-||getopt||see common socket:getopt||2.6.18+||+||getopt||see common socket:getopt||2.6.18+
|- |-
-||listen||see common socket:listen||2.6.18+||+||listen||see common socket:listen||2.6.18+
|- |-
-||setattr||see common socket:setattr||2.6.18+||+||setattr||see common socket:setattr||2.6.18+
|- |-
-||shutdown||see common socket:shutdown||2.6.18+||+||shutdown||see common socket:shutdown||2.6.18+
|- |-
-||relabelto||see common socket:relabelto||2.6.18+||+||relabelto||see common socket:relabelto||2.6.18+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.18+||+||recv_msg||see common socket:recv_msg||2.6.18+
|- |-
-||accept||see common socket:accept||2.6.18+||+||accept||see common socket:accept||2.6.18+
|- |-
-||name_bind||see common socket:name_bind||2.6.18+||+||name_bind||see common socket:name_bind||2.6.18+
|} |}
Line 198: Line 238:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||sendto||Send to an IPSEC assocation.||2.6.12+||+||sendto||Send to an IPSEC assocation.||2.6.12+
|- |-
-||recvfrom||Receive from an IPSEC association.||2.6.12+||+||recvfrom||Receive from an IPSEC association.||2.6.12+
|- |-
-||setcontext||Set the context of an IPSEC association on creation.||2.6.16+||+||setcontext||Set the context of an IPSEC association on creation.||2.6.16+
|- |-
-||polmatch||Match an IPSEC policy entry||2.6.19+||+||polmatch||Match an IPSEC policy entry||2.6.19+
|} |}
=== blk_file === === blk_file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
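Review bot: spelling in the sendto row: "IPSEC assocation" should be "IPSEC association", matching the recvfrom and setcontext rows. The polmatch row also lacks the terminating period the other rows use.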
Line 214: Line 254:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||open||Open a block device file.||2.6.26+ / open_perms||+||open||Open a block device file.||2.6.26+ / open_perms
|} |}
Line 257: Line 297:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||chown||Allow changing file ownership and group ownership.||+||chown||Allow changing file ownership and group ownership.
|- |-
-||dac_override||Overrides all discretionary access control including ACL execute access if applicable. This does not include the access covered by LINUX_IMMUTABLE.||+||dac_override||Overrides all discretionary access control including ACL execute access if applicable. This does not include the access covered by LINUX_IMMUTABLE.
|- |-
-||dac_read_search||Overrides all discretionary access control for reading and searching directories.||+||dac_read_search||Overrides all discretionary access control for reading and searching directories.
|- |-
-||fowner||Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden.||+||fowner||Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden.
|- |-
-||fsetid||Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.||+||fsetid||Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
|- |-
-||kill||Allow signal raising for any process.||+||kill||Allow signal raising for any process.
|- |-
-||setgid||Allow setgid(2) allow setgroups(2) allow fake gids on credentials passed over a socket.||+||setgid||Allow setgid(2) allow setgroups(2) allow fake gids on credentials passed over a socket.
|- |-
-||setuid||Allow all setsuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket.||+||setuid||Allow all setsuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket.
|- |-
-||setpcap||Transfer capability maps from current process to any process.||+||setpcap||Transfer capability maps from current process to any process.
|- |-
-||linux_immutable||Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.||+||linux_immutable||Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
|- |-
-||net_bind_service||Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.||+||net_bind_service||Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.
|- |-
-||net_broadcast||Grant network broadcasting and listening to incoming multicasts.||+||net_broadcast||Grant network broadcasting and listening to incoming multicasts.
|- |-
-||net_admin||Allows all networking configurations and modifications. See linux/capability.h for details.||+||net_admin||Allows all networking configurations and modifications. See linux/capability.h for details.
|- |-
-||net_raw||Allows opening of raw sockets and packet sockets.||+||net_raw||Allows opening of raw sockets and packet sockets.
|- |-
-||ipc_lock||Grants the capability to lock non-shared and shared memory segments.||+||ipc_lock||Grants the capability to lock non-shared and shared memory segments.
|- |-
-||ipc_owner||Grant the ability to ignore IPC ownership checks.||+||ipc_owner||Grant the ability to ignore IPC ownership checks.
|- |-
-||sys_module||Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernels bounding capability mask. See sysctl.||+||sys_module||Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernels bounding capability mask. See sysctl.
|- |-
-||sys_rawio||Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.||+||sys_rawio||Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.
|- |-
-||sys_chroot||Grant use of the chroot(2) call.||+||sys_chroot||Grant use of the chroot(2) call.
|- |-
-||sys_ptrace||Allow a ptrace of any process.||+||sys_ptrace||Allow a ptrace of any process.
|- |-
-||sys_pacct||Allow modification of accounting for any process.||+||sys_pacct||Allow modification of accounting for any process.
|- |-
-||sys_admin||Too many to list here (see /usr/include/linux/capability.h)||+||sys_admin||Too many to list here (see /usr/include/linux/capability.h)
|- |-
-||sys_boot||Grant ability to reboot the system.||+||sys_boot||Grant ability to reboot the system.
|- |-
-||sys_nice||Grants privilage to change priority of any process. Grants change of scheduling algorithm used by any process.||+||sys_nice||Grants privilage to change priority of any process. Grants change of scheduling algorithm used by any process.
|- |-
-||sys_resource||Too many to list here (see /usr/include/linux/capability.h for details.)||+||sys_resource||Too many to list here (see /usr/include/linux/capability.h for details.)
|- |-
-||sys_time||Grant permission to set system time and to set the real-time lock.||+||sys_time||Grant permission to set system time and to set the real-time lock.
|- |-
-||sys_tty_config||Grant permission to configure tty devices. Allow vhangup(2) call on a tty.||+||sys_tty_config||Grant permission to configure tty devices. Allow vhangup(2) call on a tty.
|- |-
-||mknod||Grants permission to creation of character and block device nodes.||+||mknod||Grants permission to creation of character and block device nodes.
|- |-
-||lease||Grants ability to take leases on a file. For details on what leases are see fcntl(2).||+||lease||Grants ability to take leases on a file. For details on what leases are see fcntl(2).
|- |-
-||audit_write||Send audit messsages from user space.||2.6.12+||+||audit_write||Send audit messsages from user space.||2.6.12+
|- |-
-||audit_control||Change auditing rules. Set login UID.||2.6.12+||+||audit_control||Change auditing rules. Set login UID.||2.6.12+
|- |-
-||setfcap||Set file capabilities.||2.6.25+||+||setfcap||Set file capabilities.||2.6.25+
|} |}
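Review bot: the fsetid row is wrong: its text (overriding the requirement that the sending and receiving process user IDs match when sending a signal) describes the kill capability, which the kill row directly below already covers; CAP_FSETID is about the setuid/setgid bits on files (setting them on files the caller does not own and keeping them across modification), as documented in linux/capability.h, which this table already cites. Policy writers use this table to decide which capabilities to grant, so a mislabelled row leads to either over- or under-granting. Smaller fixes in the same hunk: sys_time should read "real-time clock", not "real-time lock"; "privilage" (sys_nice) and "messsages" (audit_write) are misspelled; "setsuid(2)" in the setuid row should be "setuid(2)"; and "kernels bounding capability mask" needs "kernel's".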
Line 328: Line 368:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||mac_override||''Unused by SELinux''||2.6.25+||+||mac_override||''Unused by SELinux''||2.6.25+
|- |-
-||mac_admin||''Unused by SELinux''||2.6.25+||+||mac_admin||''Unused by SELinux''||2.6.25+
|} |}
=== chr_file === === chr_file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 340: Line 380:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||execute_no_trans||Execute a file in the callers domain.||2.6.11+||+||execute_no_trans||Execute a file in the callers domain.||2.6.11+
|- |-
-||entrypoint||Can be executed as the entry point of the new domain in a transition.||2.6.11+||+||entrypoint||Can be executed as the entry point of the new domain in a transition.||2.6.11+
|- |-
-||execmod||Make executable a file mapping that has been modified by copy-on-write.||2.6.11+||+||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|- |-
-||open||Open a character device file.||2.6.26+ / open_perms||+||open||Open a character device file.||2.6.26+ / open_perms
|} |}
=== dccp_socket === === dccp_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 390: Line 430:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.20+||+||append||see common socket:append||2.6.20+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.20+||+||relabelfrom||see common socket:relabelfrom||2.6.20+
|- |-
-||create||see common socket:create||2.6.20+||+||create||see common socket:create||2.6.20+
|- |-
-||read||see common socket:read||2.6.20+||+||read||see common socket:read||2.6.20+
|- |-
-||sendto||see common socket:sendto||2.6.20+||+||sendto||see common socket:sendto||2.6.20+
|- |-
-||connect||see common socket:connect||2.6.20+||+||connect||see common socket:connect||2.6.20+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.20+||+||recvfrom||see common socket:recvfrom||2.6.20+
|- |-
-||send_msg||see common socket:send_msg||2.6.20+||+||send_msg||see common socket:send_msg||2.6.20+
|- |-
-||bind||see common socket:bind||2.6.20+||+||bind||see common socket:bind||2.6.20+
|- |-
-||lock||see common socket:lock||2.6.20+||+||lock||see common socket:lock||2.6.20+
|- |-
-||ioctl||see common socket:ioctl||2.6.20+||+||ioctl||see common socket:ioctl||2.6.20+
|- |-
-||getattr||see common socket:getattr||2.6.20+||+||getattr||see common socket:getattr||2.6.20+
|- |-
-||write||see common socket:write||2.6.20+||+||write||see common socket:write||2.6.20+
|- |-
-||setopt||see common socket:setopt||2.6.20+||+||setopt||see common socket:setopt||2.6.20+
|- |-
-||getopt||see common socket:getopt||2.6.20+||+||getopt||see common socket:getopt||2.6.20+
|- |-
-||listen||see common socket:listen||2.6.20+||+||listen||see common socket:listen||2.6.20+
|- |-
-||setattr||see common socket:setattr||2.6.20+||+||setattr||see common socket:setattr||2.6.20+
|- |-
-||shutdown||see common socket:shutdown||2.6.20+||+||shutdown||see common socket:shutdown||2.6.20+
|- |-
-||relabelto||see common socket:relabelto||2.6.20+||+||relabelto||see common socket:relabelto||2.6.20+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.20+||+||recv_msg||see common socket:recv_msg||2.6.20+
|- |-
-||accept||see common socket:accept||2.6.20+||+||accept||see common socket:accept||2.6.20+
|- |-
-||name_bind||see common socket:name_bind||2.6.20+||+||name_bind||see common socket:name_bind||2.6.20+
|- |-
-||connectto||Connect to server socket.||2.6.20+||+||connectto||Connect to server socket.||2.6.20+
|- |-
-||newconn||Create new socket for connection.||2.6.20+||+||newconn||Create new socket for connection.||2.6.20+
|- |-
-||acceptfrom||Accept connection from client socket.||2.6.20+||+||acceptfrom||Accept connection from client socket.||2.6.20+
|- |-
-||node_bind||Ability to bind to a node.||2.6.20+||+||node_bind||Ability to bind to a node.||2.6.20+
|- |-
-||name_connect||Connect to a specific port number.||2.6.20+||+||name_connect||Connect to a specific port number.||2.6.20+
|} |}
=== dir === === dir ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 452: Line 492:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||search||Search.||+||search||Required on all ancestor directories of a file being accessed, similar to DAC +x permission
|- |-
-||rmdir||Remove.||+||rmdir||Remove the directory
|- |-
-||remove_name||Remove a file from the directory.||+||remove_name||Remove a file from the directory.
|- |-
-||reparent||Change parent directory.||+||reparent||Change parent directory.
|- |-
-||add_name||Add a file to the directory.||+||add_name||Add a file to the directory.
|- |-
-||open||Open a directory.||2.6.26+ / open_perms||+||open||Open a directory.||2.6.26+ / open_perms
|} |}
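Review bot: the rewritten search and rmdir descriptions are a clear improvement (search is the permission most often missing from a denial, and tying it to the DAC +x semantics helps), but both new strings drop the terminating period every other row uses, and "similar to DAC +x permission" reads better as "similar to the DAC execute (+x) bit on directories". The add_name and remove_name rows could also say that they are checked on the containing directory, alongside create and unlink on the file itself, since that pairing is what usually confuses readers of AVC denials.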
Line 505: Line 545:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||use||Permission to use an inherited file descriptor||+||use||Permission to use an inherited file descriptor
|} |}
=== fifo_file === === fifo_file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 515: Line 555:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||open||Open a FIFO.||2.6.26+ / open_perms||+||open||Open a FIFO.||2.6.26+ / open_perms
|} |}
=== file === === file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 559: Line 599:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||execute_no_trans||Execute a file in the callers domain.||+||execute_no_trans||Execute a file in the callers domain.
|- |-
-||entrypoint||Can be executed as the entry point of the new domain in a transition.||+||entrypoint||Can be executed as the entry point of the new domain in a transition.
|- |-
-||execmod||Make executable a file mapping that has been modified by copy-on-write.||2.6.11+||+||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|- |-
-||open||Open a file.||2.6.26+ / open_perms||+||open||Open a file.||2.6.26+ / open_perms
|} |}
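Review bot: the kernel-version column is inconsistent between this hunk and the chr_file hunk above: execute_no_trans and entrypoint are marked 2.6.11+ on chr_file but carry no version here on file, while execmod has 2.6.11+ in both. One of the two is wrong or incomplete; please align them. Also "callers domain" should be "caller's domain" in both classes, and the added "(Text relocation)" on execmod is a useful hint, though it would be clearer spelled out, e.g. "needed by libraries with text relocations, which modify their executable pages".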
Line 608: Line 648:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||mount||Mount the filesystem.||+||mount||Mount the filesystem.
|- |-
-||remount||Change filesystem mount flags.||+||remount||Change filesystem mount flags.
|- |-
-||unmount||Unmount the filesystem.||+||unmount||Unmount the filesystem.
|- |-
-||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)||+||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)
|- |-
-||relabelfrom||Change the security context based on existing type.||+||relabelfrom||Change the security context based on existing type.
|- |-
-||relabelto||Change the security context based on the new type.||+||relabelto||Change the security context based on the new type.
|- |-
-||transition||Transition to a new SID (change security context).||+||transition||Transition to a new SID (change security context).
|- |-
-||associate||Associate a file to the filesystem.||+||associate||Associate a file to the filesystem.
|- |-
-||quotamod||Modify quota information.||+||quotamod||Modify quota information.
|- |-
-||quotaget||Get quota information||+||quotaget||Get quota information
|} |}
=== ipc === === ipc ===
-Inherits from: [#commonipc common ipc]+Inherits from: [[#common ipc|common ipc]]
{| border="1" {| border="1"
! Permission ! Permission
Line 636: Line 676:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||write||see common ipc:write||+||write||see common ipc:write
|- |-
-||destroy||see common ipc:destroy||+||destroy||see common ipc:destroy
|- |-
-||unix_write||see common ipc:unix_write||+||unix_write||see common ipc:unix_write
|- |-
-||getattr||see common ipc:getattr||+||getattr||see common ipc:getattr
|- |-
-||create||see common ipc:create||+||create||see common ipc:create
|- |-
-||read||see common ipc:read||+||read||see common ipc:read
|- |-
-||setattr||see common ipc:setattr||+||setattr||see common ipc:setattr
|- |-
-||unix_read||see common ipc:unix_read||+||unix_read||see common ipc:unix_read
|- |-
-||associate||see common ipc:associate||+||associate||see common ipc:associate
|} |}
Line 661: Line 701:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||use_as_override||Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process.||2.6.29+||+||use_as_override||Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process.||2.6.29+
|- |-
-||create_files_as||Grant a process the right to nominate a file creation label for a kernel service to use.||2.6.29+||+||create_files_as||Grant a process the right to nominate a file creation label for a kernel service to use.||2.6.29+
|} |}
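Review bot: the `use_as_override` description is informal ("accessing stuff on behalf of another process") and does not say what pair of contexts the check is made between; it should state that the permission is checked from the calling process to the security ID it nominates, and that the nominated ID then becomes the subjective context for the access checks a kernel service performs on that process's behalf. Suggest replacing "stuff" with "objects" and stating the source/target pair explicitly; `create_files_as` should parallel it by naming its target, the file creation label being nominated.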
Line 672: Line 712:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||view||||2.6.18+||+||view||||2.6.18+
|- |-
-||read||||2.6.18+||+||read||||2.6.18+
|- |-
-||write||||2.6.18+||+||write||||2.6.18+
|- |-
-||search||||2.6.18+||+||search||||2.6.18+
|- |-
-||link||||2.6.18+||+||link||||2.6.18+
|- |-
-||setattr||||2.6.18+||+||setattr||||2.6.18+
|- |-
-||create||||2.6.18+||+||create||||2.6.18+
|} |}
=== key_socket === === key_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
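Review bot: every row of the key table has an empty description cell (`||view||||2.6.18+`), so after this hunk's `||` cleanup the table still tells a policy author nothing about what `view`, `read`, `write`, `search`, `link`, `setattr` and `create` authorize. These names mirror the keyring permission bits of the same names in the kernel key-management (keyctl) interface, so one-line descriptions in the style of the other tables should be added, e.g. `||search||Key may be found by a keyring search.||2.6.18+` and `||link||Key may be linked into a keyring.||2.6.18+`, with `read` covering access to the key payload, `view` access to its attributes, `write` updating or instantiating the payload and `setattr` changing ownership, permissions or timeout.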
Line 694: Line 734:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|} |}
=== lnk_file === === lnk_file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 746: Line 786:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|} |}
Line 787: Line 827:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||mmap_zero||Mmap the first page of memory.||2.6.23+||+||mmap_zero||Mmap the first page of memory.||2.6.23+
|} |}
Line 796: Line 836:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||receive||Remove a message from a queue.||+||receive||Remove a message from a queue.
|- |-
-||send||Add a message to a queue.||+||send||Add a message to a queue.
|} |}
=== msgq === === msgq ===
-Inherits from: [#commonipc common ipc]+Inherits from: [[#common ipc|common ipc]]
{| border="1" {| border="1"
! Permission ! Permission
Line 808: Line 848:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||write||see common ipc:write||+||write||see common ipc:write
|- |-
-||destroy||see common ipc:destroy||+||destroy||see common ipc:destroy
|- |-
-||unix_write||see common ipc:unix_write||+||unix_write||see common ipc:unix_write
|- |-
-||getattr||see common ipc:getattr||+||getattr||see common ipc:getattr
|- |-
-||create||see common ipc:create||+||create||see common ipc:create
|- |-
-||read||see common ipc:read||+||read||see common ipc:read
|- |-
-||setattr||see common ipc:setattr||+||setattr||see common ipc:setattr
|- |-
-||unix_read||see common ipc:unix_read||+||unix_read||see common ipc:unix_read
|- |-
-||associate||see common ipc:associate||+||associate||see common ipc:associate
|- |-
-||enqueue||Message can be added to a queue.||+||enqueue||Message can be added to a queue.
|} |}
Line 835: Line 875:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||tcp_recv||Receive TCP packet.||+||tcp_recv||Receive TCP packet.
|- |-
-||tcp_send||Send TCP packet.||+||tcp_send||Send TCP packet.
|- |-
-||udp_recv||Receive UDP packet.||+||udp_recv||Receive UDP packet.
|- |-
-||udp_send||Send UDP packet.||+||udp_send||Send UDP packet.
|- |-
-||rawip_recv||Receive raw IP packet.||+||rawip_recv||Receive raw IP packet.
|- |-
-||rawip_send||Send raw IP packet.||+||rawip_send||Send raw IP packet.
|- |-
-||dccp_recv||Receive DCCP packet.||2.6.20+||+||dccp_recv||Receive DCCP packet.||2.6.20+
|- |-
-||dccp_send||Send DCCP packet.||2.6.20+||+||dccp_send||Send DCCP packet.||2.6.20+
|- |-
-||ingress||||2.6.25+ / network_peer_controls||+||ingress||||2.6.25+ / network_peer_controls
|- |-
-||egress||||2.6.25+ / network_peer_controls||+||egress||||2.6.25+ / network_peer_controls
|} |}
=== netlink_socket === === netlink_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
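Review bot: `ingress` and `egress` are the only rows in the table before netlink_socket with empty descriptions (`||ingress||||2.6.25+ / network_peer_controls`), and nothing in the table says that they are alternatives to, not additions to, the rows above them: when the `network_peer_controls` policy capability is enabled the kernel no longer checks the per-protocol `tcp_recv`/`udp_recv`/`rawip_recv`/`dccp_recv` and `*_send` permissions on the interface and instead checks `ingress` on labeled packets arriving on it and `egress` on labeled packets leaving it (these checks fire only when peer labeling, i.e. NetLabel or labeled IPsec, is active). Suggest descriptions that say so, e.g. `||ingress||Receive a packet on the interface (replaces the *_recv permissions when network_peer_controls is enabled).||2.6.25+ / network_peer_controls`.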
Line 863: Line 903:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|} |}
=== netlink_audit_socket === === netlink_audit_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 915: Line 955:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|- |-
-||nlmsg_relay||Send user space audit messages to the kernel audit system.||2.6.12+||+||nlmsg_relay||Send user space audit messages to the kernel audit system.||2.6.12+
|- |-
-||nlmsg_readpriv||List all auditing rules.||2.6.12+||+||nlmsg_readpriv||List all auditing rules.||2.6.12+
|- |-
-||nlmsg_tty_audit||Control TTY auditing||2.6.30+||+||nlmsg_tty_audit||Control TTY auditing||2.6.30+
|} |}
=== netlink_dnrt_socket === === netlink_dnrt_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
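Review bot: the copied `Read netlink message.`/`Write netlink message.` descriptions on `nlmsg_read` and `nlmsg_write` do not convey what they gate on an audit socket, and the table does not say that all five `nlmsg_*` permissions are checked against the type of each message sent, in addition to the inherited common socket permissions needed to create and write the socket. On NETLINK_AUDIT the kernel maps AUDIT_GET to `nlmsg_read`, the status- and rule-changing types (AUDIT_SET, AUDIT_ADD_RULE, AUDIT_DEL_RULE and similar) to `nlmsg_write`, the AUDIT_USER message ranges to `nlmsg_relay`, AUDIT_LIST_RULES to `nlmsg_readpriv` and AUDIT_TTY_SET to `nlmsg_tty_audit`. A domain that only needs to emit user-space audit records, which is what `nlmsg_relay` describes, must therefore not also be granted `nlmsg_write`, the permission that lets it alter or disable the audit configuration. Suggest `||nlmsg_write||Change audit status or rules (AUDIT_SET, AUDIT_ADD_RULE, AUDIT_DEL_RULE ...).||2.6.8+` and the matching `Query audit status (AUDIT_GET).` for `nlmsg_read`.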
Line 977: Line 1,017:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|} |}
=== netlink_firewall_socket === === netlink_firewall_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,029: Line 1,069:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|} |}
=== netlink_ip6fw_socket === === netlink_ip6fw_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,085: Line 1,125:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|} |}
=== netlink_kobject_uevent_socket === === netlink_kobject_uevent_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,141: Line 1,181:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.12+||+||append||see common socket:append||2.6.12+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.12+||+||relabelfrom||see common socket:relabelfrom||2.6.12+
|- |-
-||create||see common socket:create||2.6.12+||+||create||see common socket:create||2.6.12+
|- |-
-||read||see common socket:read||2.6.12+||+||read||see common socket:read||2.6.12+
|- |-
-||sendto||see common socket:sendto||2.6.12+||+||sendto||see common socket:sendto||2.6.12+
|- |-
-||connect||see common socket:connect||2.6.12+||+||connect||see common socket:connect||2.6.12+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.12+||+||recvfrom||see common socket:recvfrom||2.6.12+
|- |-
-||send_msg||see common socket:send_msg||2.6.12+||+||send_msg||see common socket:send_msg||2.6.12+
|- |-
-||bind||see common socket:bind||2.6.12+||+||bind||see common socket:bind||2.6.12+
|- |-
-||lock||see common socket:lock||2.6.12+||+||lock||see common socket:lock||2.6.12+
|- |-
-||ioctl||see common socket:ioctl||2.6.12+||+||ioctl||see common socket:ioctl||2.6.12+
|- |-
-||getattr||see common socket:getattr||2.6.12+||+||getattr||see common socket:getattr||2.6.12+
|- |-
-||write||see common socket:write||2.6.12+||+||write||see common socket:write||2.6.12+
|- |-
-||setopt||see common socket:setopt||2.6.12+||+||setopt||see common socket:setopt||2.6.12+
|- |-
-||getopt||see common socket:getopt||2.6.12+||+||getopt||see common socket:getopt||2.6.12+
|- |-
-||listen||see common socket:listen||2.6.12+||+||listen||see common socket:listen||2.6.12+
|- |-
-||setattr||see common socket:setattr||2.6.12+||+||setattr||see common socket:setattr||2.6.12+
|- |-
-||shutdown||see common socket:shutdown||2.6.12+||+||shutdown||see common socket:shutdown||2.6.12+
|- |-
-||relabelto||see common socket:relabelto||2.6.12+||+||relabelto||see common socket:relabelto||2.6.12+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.12+||+||recv_msg||see common socket:recv_msg||2.6.12+
|- |-
-||accept||see common socket:accept||2.6.12+||+||accept||see common socket:accept||2.6.12+
|- |-
-||name_bind||see common socket:name_bind||2.6.12+||+||name_bind||see common socket:name_bind||2.6.12+
|} |}
=== netlink_nflog_socket === === netlink_nflog_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,193: Line 1,233:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|} |}
=== netlink_route_socket === === netlink_route_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,245: Line 1,285:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|} |}
=== netlink_selinux_socket === === netlink_selinux_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
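Review bot: on this class `nlmsg_read` and `nlmsg_write` again carry the generic `Read netlink message.`/`Write netlink message.` text, which hides the privilege split a policy author cares about most: on NETLINK_ROUTE the kernel maps the RTM_GET* query types (RTM_GETLINK, RTM_GETADDR, RTM_GETROUTE ...) to `nlmsg_read`, and the RTM_NEW*/RTM_DEL*/RTM_SET* types that add or remove addresses, routes, neighbours and qdiscs or change interface state to `nlmsg_write`. Nearly every networked domain needs `nlmsg_read` (glibc's getifaddrs() and getaddrinfo() issue RTM_GETLINK/RTM_GETADDR dumps), whereas `nlmsg_write` belongs only to network-configuration domains; the descriptions should say so, e.g. `||nlmsg_read||Query interfaces, addresses and routes (RTM_GET*).||2.6.8+` and `||nlmsg_write||Modify interfaces, addresses and routes (RTM_NEW*, RTM_DEL*, RTM_SET*).||2.6.8+`.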
Line 1,301: Line 1,341:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|} |}
=== netlink_tcpdiag_socket === === netlink_tcpdiag_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,353: Line 1,393:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|} |}
=== netlink_xfrm_socket === === netlink_xfrm_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
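Review bot: the two class-specific rows at the end of the netlink_tcpdiag_socket table, `||nlmsg_read||Read netlink message.||2.6.8+` and `||nlmsg_write||Write netlink message.||2.6.8+`, carry exactly the wording reused for every netlink_*_socket class, so the page never says which message types a domain needs them for. For this class the kernel's netlink message table maps the socket-enumeration requests TCPDIAG_GETSOCK and DCCPDIAG_GETSOCK to nlmsg_read; that is the permission an ss/netstat-style tool or a monitoring agent is denied when it lists sockets, and it is needed on top of create, bind, read and write on the same class. Suggest 'Read netlink message (socket diagnostic queries such as TCPDIAG_GETSOCK)' for the first row and, for nlmsg_write, a note that it is checked only for message types the kernel classifies as writes. Message types the kernel does not recognise map to neither permission: they are audited as 'unrecognized netlink message' and refused in enforcing mode unless the policy allows unknown permissions.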
Line 1,409: Line 1,449:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||2.6.8+||+||append||see common socket:append||2.6.8+
|- |-
-||relabelfrom||see common socket:relabelfrom||2.6.8+||+||relabelfrom||see common socket:relabelfrom||2.6.8+
|- |-
-||create||see common socket:create||2.6.8+||+||create||see common socket:create||2.6.8+
|- |-
-||read||see common socket:read||2.6.8+||+||read||see common socket:read||2.6.8+
|- |-
-||sendto||see common socket:sendto||2.6.8+||+||sendto||see common socket:sendto||2.6.8+
|- |-
-||connect||see common socket:connect||2.6.8+||+||connect||see common socket:connect||2.6.8+
|- |-
-||recvfrom||see common socket:recvfrom||2.6.8+||+||recvfrom||see common socket:recvfrom||2.6.8+
|- |-
-||send_msg||see common socket:send_msg||2.6.8+||+||send_msg||see common socket:send_msg||2.6.8+
|- |-
-||bind||see common socket:bind||2.6.8+||+||bind||see common socket:bind||2.6.8+
|- |-
-||lock||see common socket:lock||2.6.8+||+||lock||see common socket:lock||2.6.8+
|- |-
-||ioctl||see common socket:ioctl||2.6.8+||+||ioctl||see common socket:ioctl||2.6.8+
|- |-
-||getattr||see common socket:getattr||2.6.8+||+||getattr||see common socket:getattr||2.6.8+
|- |-
-||write||see common socket:write||2.6.8+||+||write||see common socket:write||2.6.8+
|- |-
-||setopt||see common socket:setopt||2.6.8+||+||setopt||see common socket:setopt||2.6.8+
|- |-
-||getopt||see common socket:getopt||2.6.8+||+||getopt||see common socket:getopt||2.6.8+
|- |-
-||listen||see common socket:listen||2.6.8+||+||listen||see common socket:listen||2.6.8+
|- |-
-||setattr||see common socket:setattr||2.6.8+||+||setattr||see common socket:setattr||2.6.8+
|- |-
-||shutdown||see common socket:shutdown||2.6.8+||+||shutdown||see common socket:shutdown||2.6.8+
|- |-
-||relabelto||see common socket:relabelto||2.6.8+||+||relabelto||see common socket:relabelto||2.6.8+
|- |-
-||recv_msg||see common socket:recv_msg||2.6.8+||+||recv_msg||see common socket:recv_msg||2.6.8+
|- |-
-||accept||see common socket:accept||2.6.8+||+||accept||see common socket:accept||2.6.8+
|- |-
-||name_bind||see common socket:name_bind||2.6.8+||+||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8+||+||nlmsg_read||Read netlink message.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8+||+||nlmsg_write||Write netlink message.||2.6.8+
|} |}
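Review bot: same gap in the netlink_xfrm_socket table: `||nlmsg_read||Read netlink message.||2.6.8+` and `||nlmsg_write||Write netlink message.||2.6.8+` do not tell the reader that for this class the split follows the IPsec SA/SP operations. The kernel maps XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY and the other GET*/dump requests (what `ip xfrm state` and `ip xfrm policy` issue) to nlmsg_read, and NEWSA, UPDSA, DELSA, FLUSHSA, NEWPOLICY, UPDPOLICY, DELPOLICY, FLUSHPOLICY and ALLOCSPI (what `ip xfrm ... add/delete/flush` and an IKE daemon issue) to nlmsg_write. Suggest rewording the two rows accordingly, so that an IKE daemon's domain is given nlmsg_write here and a read-only diagnostics domain is limited to nlmsg_read.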
Line 1,464: Line 1,504:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||tcp_recv||Receive TCP packet.||+||tcp_recv||Receive TCP packet.
|- |-
-||tcp_send||Send TCP packet.||+||tcp_send||Send TCP packet.
|- |-
-||udp_recv||Receive UDP packet.||+||udp_recv||Receive UDP packet.
|- |-
-||udp_send||Send UDP packet.||+||udp_send||Send UDP packet.
|- |-
-||rawip_recv||Receive raw IP packet.||+||rawip_recv||Receive raw IP packet.
|- |-
-||rawip_send||Send raw IP packet.||+||rawip_send||Send raw IP packet.
|- |-
-||enforce_dest||Ensure that the destination node can enforce restrictions on the destination socket.||+||enforce_dest||Ensure that the destination node can enforce restrictions on the destination socket.
|- |-
-||dccp_recv||Receive DCCP packet.||2.6.20+||+||dccp_recv||Receive DCCP packet.||2.6.20+
|- |-
-||dccp_send||Send DCCP packet.||2.6.20+||+||dccp_send||Send DCCP packet.||2.6.20+
|- |-
-||recvfrom||||2.6.25+ / network_peer_controls||+||recvfrom||||2.6.25+ / network_peer_controls
|- |-
-||sendto||||2.6.25+ / network_peer_controls||+||sendto||||2.6.25+ / network_peer_controls
|} |}
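Review bot: the last two rows of the node table, `||recvfrom||||2.6.25+ / network_peer_controls` and `||sendto||||2.6.25+ / network_peer_controls`, have empty descriptions, and nothing in the table says they replace the protocol-specific rows above them. When the network_peer_controls policy capability is enabled the kernel no longer checks tcp_recv, udp_recv, rawip_recv, dccp_recv or the matching *_send permissions on the node; it checks node:recvfrom on ingress and node:sendto on egress for every protocol, alongside netif ingress/egress and peer:recv. Suggest 'Receive a packet from this node (all protocols; replaces the *_recv checks when network_peer_controls is enabled)' and 'Send a packet to this node (all protocols; replaces the *_send checks when network_peer_controls is enabled)', so that a reader chasing a denial on node recvfrom does not go looking for a missing tcp_recv rule.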
Line 1,493: Line 1,533:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||send||Send a packet.||2.6.18+||+||send||Send a packet.||2.6.18+
|- |-
-||receive||Receive a packet.||2.6.18+||+||receive||Receive a packet.||2.6.18+
|- |-
-||relabelto||Set a labeling rule to the specified type.||2.6.18+||+||relabelto||Set a labeling rule to the specified type.||2.6.18+
|- |-
-||flow_in||''Deprecated''||2.6.25+||+||flow_in||''Deprecated''||2.6.25+
|- |-
-||flow_out||''Deprecated''||2.6.25+||+||flow_out||''Deprecated''||2.6.25+
|- |-
-||forward_in||||2.6.25+||+||forward_in||||2.6.25+
|- |-
-||forward_out||||2.6.25+||+||forward_out||||2.6.25+
|} |}
=== packet_socket === === packet_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
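Review bot: `||forward_in||||2.6.25+` and `||forward_out||||2.6.25+` in the packet table have empty descriptions. These are the SECMARK checks on the forwarding path: forward_in is checked when a packet enters the host and is about to be forwarded, forward_out when a forwarded packet leaves it; in both cases the source context is the packet's peer label (unlabeled when no labeled networking is in use) and the target is the packet's SECMARK type. The send/receive rows above cover locally generated and locally delivered packets only. Suggest 'Forward a packet carrying this SECMARK label inbound' and 'Forward a packet carrying this SECMARK label outbound'. The row `||relabelto||Set a labeling rule to the specified type.||2.6.18+` would also be clearer as 'Load an iptables SECMARK rule that labels packets with this type': the check is made when the rule is inserted, not per packet.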
Line 1,515: Line 1,555:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|} |}
Line 1,566: Line 1,606:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||recv||Receive from a labeled networking peer.||2.6.25+ / network_peer_controls||+||recv||Receive from a labeled networking peer.||2.6.25+ / network_peer_controls
|} |}
Line 1,575: Line 1,615:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||fork||Fork into two processes.||+||fork||Fork into two processes.
|- |-
-||transition||Transition to a new context on exec().||+||transition||Transition to a new context on exec().
|- |-
-||sigchld||Send SIGCHLD signal.||+||sigchld||Send SIGCHLD signal.
|- |-
-||sigkill||Send SIGKILL signal.||+||sigkill||Send SIGKILL signal.
|- |-
-||sigstop||Send SIGSTOP signal||+||sigstop||Send SIGSTOP signal
|- |-
-||signull||Test for exisitence of another process without sending a signal||+||signull||Test for exisitence of another process without sending a signal
|- |-
-||signal||Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.||+||signal||Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
|- |-
-||ptrace||Trace program execution of parent or child.||+||ptrace||Trace program execution of parent or child.
|- |-
-||getsched||Get priority of a process.||+||getsched||Get priority of a process.
|- |-
-||setsched||Set priority of a process.||+||setsched||Set priority of a process.
|- |-
-||getsession||Get session ID of another process.||+||getsession||Get session ID of another process.
|- |-
-||getpgid||Get group Process ID of a process.||+||getpgid||Get group Process ID of a process.
|- |-
-||setpgid||Set group Process ID of a process.||+||setpgid||Set group Process ID of a process.
|- |-
-||getcap||Get Linux capabilities.||+||getcap||Get Linux capabilities.
|- |-
-||setcap||Set Linux capabilities.||+||setcap||Set Linux capabilities.
|- |-
-||share||Allow state sharing with cloned or forked process.||+||share||Allow state sharing with cloned or forked process.
|- |-
-||getattr||Get attributes of a file.||+||getattr||Get attributes of a file.
|- |-
-||setexec||Override the default context for the next exec().||+||setexec||Override the default context for the next exec().
|- |-
-||setfscreate||Override the default context for file creation.||+||setfscreate||Override the default context for file creation.
|- |-
-||setrlimit||Change process hard limits.||+||setrlimit||Change process hard limits.
|- |-
-||noatsecure||Disable secure mode environment cleansing (AT_SECURE).||v.16+||+||noatsecure||Disable secure mode environment cleansing (AT_SECURE).||v.16+
|- |-
-||siginh||Inherit signal state from old sid.||v.16+||+||siginh||Inherit signal state from old sid.||v.16+
|- |-
-||rlimitinh||Inherit resource limits from old sid.||v.16+||+||rlimitinh||Inherit resource limits from old sid.||v.16+
|- |-
-||dyntransition||Dynamically transition to a new context.||2.6.11+||+||dyntransition||Dynamically transition to a new context.||2.6.11+
|- |-
-||setcurrent||Set the current process context.||2.6.11+||+||setcurrent||Set the current process context.||2.6.11+
|- |-
-||execmem||Make executable an anonymous mapping or private file mapping that is writable.||2.6.13+||+||execmem||Make executable an anonymous mapping or private file mapping that is writable.||2.6.13+
|- |-
-||execstack||Make the main process stack executable.||2.6.13+||+||execstack||Make the main process stack executable.||2.6.13+
|- |-
-||execheap||Make the heap executable.||2.6.13+||+||execheap||Make the heap executable.||2.6.13+
|- |-
-||setkeycreate||Override the default context for key creation.||2.6.18+||+||setkeycreate||Override the default context for key creation.||2.6.18+
|- |-
-||setsockcreate||Override the default context for socket creation.||2.6.18+||+||setsockcreate||Override the default context for socket creation.||2.6.18+
|} |}
=== rawip_socket === === rawip_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
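Review bot: `||getattr||Get attributes of a file.||` in the process table is wrong; on the process class getattr is checked when one process reads another's security attributes (the /proc/<pid>/attr/* files, which is what `ps -Z` style lookups read), not file attributes. Suggest 'Get the security attributes of a process (read /proc/<pid>/attr/*)'. Two smaller fixes in the same table: `||signull||Test for exisitence of another process without sending a signal||` misspells 'existence', and `||ptrace||Trace program execution of parent or child.||` is narrower than the check, which applies to any process the caller attaches to with ptrace(2) and also gates reading another process's memory through /proc/<pid>/mem; suggest 'Trace another process (ptrace(2), /proc/<pid>/mem)'.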
Line 1,643: Line 1,683:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|- |-
-||node_bind||Ability to bind to a node.||v.17+||+||node_bind||Ability to bind to a node.||v.17+
|} |}
Line 1,696: Line 1,736:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||compute_user||Get user info in selinuxfs.||+||compute_user||Get user info in selinuxfs.
|- |-
-||compute_relabel||Get relabel info in selinuxfs.||+||compute_relabel||Get relabel info in selinuxfs.
|- |-
-||compute_create||Get create info in selinuxfs.||+||compute_create||Get create info in selinuxfs.
|- |-
-||compute_av||Compute an access vector given a source/target/class.||+||compute_av||Compute an access vector given a source/target/class.
|- |-
-||compute_member||Determines the context to use when selecting a member of a polyinstantiated object.||+||compute_member||Determines the context to use when selecting a member of a polyinstantiated object.
|- |-
-||setenforce||Change the enforcement state of SELinux.||+||setenforce||Change the enforcement state of SELinux.
|- |-
-||check_context||Write context in selinuxfs.||+||check_context||Write context in selinuxfs.
|- |-
-||load_policy||Load the security policy.||+||load_policy||Load the security policy.
|- |-
-||setbool||Set a boolean value.||2.6.5+||+||setbool||Set a boolean value.||2.6.5+
|- |-
-||setsecparam||Set kernel access vector cache tuning parameters.||2.6.11+||+||setsecparam||Set kernel access vector cache tuning parameters.||2.6.11+
|- |-
-||setcheckreqprot||Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect.||2.6.12+||+||setcheckreqprot||Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect.||2.6.12+
|} |}
=== sem === === sem ===
-Inherits from: [#commonipc common ipc]+Inherits from: [[#common ipc|common ipc]]
{| border="1" {| border="1"
! Permission ! Permission
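Review bot: the descriptions in the security table say how the selinuxfs node is reached rather than what the permission decides, and `||check_context||Write context in selinuxfs.||` is the clearest case: the permission governs asking the kernel whether a context string is valid under the loaded policy (writing it to the selinuxfs 'context' node is only the interface, used by libselinux security_check_context(3)). Suggest 'Check whether a security context is valid', and likewise 'Compute the user contexts reachable from a context' for compute_user, 'Compute the context an object receives on relabel' for compute_relabel and 'Compute the context of a newly created object' for compute_create. Missing from the table: read_policy, which gates reading the loaded policy back out of the kernel through the selinuxfs 'policy' node; it was added after the rows listed here and its kernel version should be taken from the kernel's classmap before it is added.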
Line 1,726: Line 1,766:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||write||see common ipc:write||+||write||see common ipc:write
|- |-
-||destroy||see common ipc:destroy||+||destroy||see common ipc:destroy
|- |-
-||unix_write||see common ipc:unix_write||+||unix_write||see common ipc:unix_write
|- |-
-||getattr||see common ipc:getattr||+||getattr||see common ipc:getattr
|- |-
-||create||see common ipc:create||+||create||see common ipc:create
|- |-
-||read||see common ipc:read||+||read||see common ipc:read
|- |-
-||setattr||see common ipc:setattr||+||setattr||see common ipc:setattr
|- |-
-||unix_read||see common ipc:unix_read||+||unix_read||see common ipc:unix_read
|- |-
-||associate||see common ipc:associate||+||associate||see common ipc:associate
|} |}
=== shm === === shm ===
-Inherits from: [#commonipc common ipc]+Inherits from: [[#common ipc|common ipc]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,752: Line 1,792:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||write||see common ipc:write||+||write||see common ipc:write
|- |-
-||destroy||see common ipc:destroy||+||destroy||see common ipc:destroy
|- |-
-||unix_write||see common ipc:unix_write||+||unix_write||see common ipc:unix_write
|- |-
-||getattr||see common ipc:getattr||+||getattr||see common ipc:getattr
|- |-
-||create||see common ipc:create||+||create||see common ipc:create
|- |-
-||read||see common ipc:read||+||read||see common ipc:read
|- |-
-||setattr||see common ipc:setattr||+||setattr||see common ipc:setattr
|- |-
-||unix_read||see common ipc:unix_read||+||unix_read||see common ipc:unix_read
|- |-
-||associate||see common ipc:associate||+||associate||see common ipc:associate
|- |-
-||lock||(Un)lock page(s) in memory.||+||lock||(Un)lock page(s) in memory.
|} |}
=== sock_file === === sock_file ===
-Inherits from: [#commonfile common file]+Inherits from: [[#common file|common file]]
{| border="1" {| border="1"
! Permission ! Permission
Line 1,780: Line 1,820:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||getattr||see common file:getattr||+||getattr||see common file:getattr
|- |-
-||relabelto||see common file:relabelto||+||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink||+||unlink||see common file:unlink
|- |-
-||ioctl||see common file:ioctl||+||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute||+||execute||see common file:execute
|- |-
-||append||see common file:append||+||append||see common file:append
|- |-
-||read||see common file:read||+||read||see common file:read
|- |-
-||setattr||see common file:setattr||+||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon||+||swapon||see common file:swapon
|- |-
-||write||see common file:write||+||write||see common file:write
|- |-
-||lock||see common file:lock||+||lock||see common file:lock
|- |-
-||create||see common file:create||+||create||see common file:create
|- |-
-||rename||see common file:rename||+||rename||see common file:rename
|- |-
-||mounton||see common file:mounton||+||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon||+||quotaon||see common file:quotaon
|- |-
-||relabelfrom||see common file:relabelfrom||+||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link||+||link||see common file:link
|- |-
-||open||Open a named socket file.||2.6.26+ / open_perms||+||open||Open a named socket file.||2.6.26+ / open_perms
|} |}
=== socket === === socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
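Review bot: `||open||Open a named socket file.||2.6.26+ / open_perms` is the least useful row in the sock_file table for someone debugging a denial, because clients do not open a socket file: connect(2) or sendto(2) on a path-bound UNIX socket is checked as sock_file write on the socket inode (plus search on the directories leading to it), followed by unix_stream_socket connectto or unix_dgram_socket sendto against the listening socket's label. Suggest saying so on the `||write||see common file:write||` row, and noting on the open row that open(2) on a socket inode fails with ENXIO anyway, so a sock_file open denial almost always means an application opening the path as if it were a regular file.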
Line 1,824: Line 1,864:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|} |}
Line 1,875: Line 1,915:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||ipc_info||Get info for an ipc socket.||+||ipc_info||Get info for an ipc socket.
|- |-
-||syslog_mod||Perform syslog operation other than syslog_read or console logging.||+||syslog_mod||Perform syslog operation other than syslog_read or console logging.
|- |-
-||syslog_read||Perform syslog read.||+||syslog_read||Perform syslog read.
|- |-
-||syslog_console||Perform syslog console.||+||syslog_console||Perform syslog console.
|} |}
=== tcp_socket === === tcp_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
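Review bot: `||ipc_info||Get info for an ipc socket.||` in the system table is wrong: there is no IPC socket; the permission is checked for the IPC_INFO, MSG_INFO, SEM_INFO and SHM_INFO commands of msgctl(2), semctl(2) and shmctl(2), which is what ipcs(1) uses to enumerate System V IPC objects. Suggest 'Get System V IPC information (IPC_INFO/MSG_INFO/SEM_INFO/SHM_INFO)'. The three syslog rows should name the syslog(2) actions they cover: syslog_read covers reading the kernel ring buffer without clearing it (SYSLOG_ACTION_READ_ALL, what dmesg does) and querying its size (SIZE_BUFFER); syslog_console covers CONSOLE_OFF, CONSOLE_ON and CONSOLE_LEVEL; syslog_mod covers every other action, including the blocking read, read-and-clear and clear. Missing row: module_request (2.6.32+), checked when the kernel auto-loads a module on a process's behalf (for example request_module() for an unknown protocol family or device); it belongs in this table with the other system permissions.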
Line 1,891: Line 1,931:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|- |-
-||connectto||Connect to server socket.||+||connectto||Connect to server socket.
|- |-
-||newconn||Create new socket for connection.||+||newconn||Create new socket for connection.
|- |-
-||acceptfrom||Accept connection from client socket.||+||acceptfrom||Accept connection from client socket.
|- |-
-||node_bind||Ability to bind to a node.||2.6.2+||+||node_bind||Ability to bind to a node.||2.6.2+
|- |-
-||name_connect||Connect to a specific port number.||2.6.12+||+||name_connect||Connect to a specific port number.||2.6.12+
 +|}
 + 
 +=== tun_socket ===
 +Inherits from: [[#common socket|common socket]]
 +{| border="1"
 +! Permission
 +! Description
 +! Kernel Version/Capability
 +|-
 +||append||see common socket:append||2.6.32+
 +|-
 +||relabelfrom||see common socket:relabelfrom||2.6.32+
 +|-
 +||create||see common socket:create||2.6.32+
 +|-
 +||read||see common socket:read||2.6.32+
 +|-
 +||sendto||see common socket:sendto||2.6.32+
 +|-
 +||connect||see common socket:connect||2.6.32+
 +|-
 +||recvfrom||see common socket:recvfrom||2.6.32+
 +|-
 +||send_msg||see common socket:send_msg||2.6.32+
 +|-
 +||bind||see common socket:bind||2.6.32+
 +|-
 +||lock||see common socket:lock||2.6.32+
 +|-
 +||ioctl||see common socket:ioctl||2.6.32+
 +|-
 +||getattr||see common socket:getattr||2.6.32+
 +|-
 +||write||see common socket:write||2.6.32+
 +|-
 +||setopt||see common socket:setopt||2.6.32+
 +|-
 +||getopt||see common socket:getopt||2.6.32+
 +|-
 +||listen||see common socket:listen||2.6.32+
 +|-
 +||setattr||see common socket:setattr||2.6.32+
 +|-
 +||shutdown||see common socket:shutdown||2.6.32+
 +|-
 +||relabelto||see common socket:relabelto||2.6.32+
 +|-
 +||recv_msg||see common socket:recv_msg||2.6.32+
 +|-
 +||accept||see common socket:accept||2.6.32+
 +|-
 +||name_bind||see common socket:name_bind||2.6.32+
|} |}
=== udp_socket === === udp_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
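Review bot: `||connectto||Connect to server socket.||`, `||newconn||Create new socket for connection.||` and `||acceptfrom||Accept connection from client socket.||` in the tcp_socket table are not checked by the kernel for TCP sockets (since 2.6.33 the kernel's class map for tcp_socket defines only the common socket permissions plus node_bind and name_connect); connection establishment is governed by name_connect against the destination port's type, by node_bind/name_bind on the server side and by the node, netif, peer and packet controls. They should be marked ''Deprecated'' like flow_in/flow_out so nobody writes rules for them. In the new tun_socket table every inherited row is tagged 2.6.32+, but the only permissions the 2.6.32 kernel actually checks on a tun_socket are create (TUNSETIFF creating a new device) and relabelfrom/relabelto (attaching to a persistent device that was created under a different context); the remaining rows are present only through inheritance from common socket. A sentence under the heading saying so would stop readers granting read/write/ioctl on tun_socket when the denial they see is on the /dev/net/tun chr_file.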
Line 1,953: Line 2,045:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|- |-
-||node_bind||Ability to bind to a node.||2.6.2+||+||node_bind||Ability to bind to a node.||2.6.2+
|} |}
=== unix_dgram_socket === === unix_dgram_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 2,007: Line 2,099:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|} |}
=== unix_stream_socket === === unix_stream_socket ===
-Inherits from: [#commonsocket common socket]+Inherits from: [[#common socket|common socket]]
{| border="1" {| border="1"
! Permission ! Permission
Line 2,059: Line 2,151:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||append||see common socket:append||+||append||see common socket:append
|- |-
-||relabelfrom||see common socket:relabelfrom||+||relabelfrom||see common socket:relabelfrom
|- |-
-||create||see common socket:create||+||create||see common socket:create
|- |-
-||read||see common socket:read||+||read||see common socket:read
|- |-
-||sendto||see common socket:sendto||+||sendto||see common socket:sendto
|- |-
-||connect||see common socket:connect||+||connect||see common socket:connect
|- |-
-||recvfrom||see common socket:recvfrom||+||recvfrom||see common socket:recvfrom
|- |-
-||send_msg||see common socket:send_msg||+||send_msg||see common socket:send_msg
|- |-
-||bind||see common socket:bind||+||bind||see common socket:bind
|- |-
-||lock||see common socket:lock||+||lock||see common socket:lock
|- |-
-||ioctl||see common socket:ioctl||+||ioctl||see common socket:ioctl
|- |-
-||getattr||see common socket:getattr||+||getattr||see common socket:getattr
|- |-
-||write||see common socket:write||+||write||see common socket:write
|- |-
-||setopt||see common socket:setopt||+||setopt||see common socket:setopt
|- |-
-||getopt||see common socket:getopt||+||getopt||see common socket:getopt
|- |-
-||listen||see common socket:listen||+||listen||see common socket:listen
|- |-
-||setattr||see common socket:setattr||+||setattr||see common socket:setattr
|- |-
-||shutdown||see common socket:shutdown||+||shutdown||see common socket:shutdown
|- |-
-||relabelto||see common socket:relabelto||+||relabelto||see common socket:relabelto
|- |-
-||recv_msg||see common socket:recv_msg||+||recv_msg||see common socket:recv_msg
|- |-
-||accept||see common socket:accept||+||accept||see common socket:accept
|- |-
-||name_bind||see common socket:name_bind||+||name_bind||see common socket:name_bind
|- |-
-||connectto||Connect to server socket.||+||connectto||Connect to server socket.
|- |-
-||newconn||Create new socket for connection.||+||newconn||Create new socket for connection.
|- |-
-||acceptfrom||Accept connection from client socket.||+||acceptfrom||Accept connection from client socket.
|} |}
== Database Object Classes == == Database Object Classes ==
=== db_blob === === db_blob ===
-Inherits from: [#commondatabase common database]+Inherits from: [[#common database|common database]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||read||Read a blob.||+||read||Read a blob.
|- |-
-||write||Write a blob.||+||write||Write a blob.
|- |-
-||import||Import a blob.||+||import||Import a blob.
|- |-
-||export||Export a blob.||+||export||Export a blob.
|} |}
=== db_column === === db_column ===
-Inherits from: [#commondatabase common database]+Inherits from: [[#common database|common database]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||use||''Deprecated''||+||use||''Deprecated''
|- |-
-||select||+||select
|- |-
-||update||+||update
|- |-
-||insert||+||insert
|} |}
=== db_database === === db_database ===
-Inherits from: [#commondatabase common database]+Inherits from: [[#common database|common database]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||access||+||access
|- |-
-||install_module||+||install_module
|- |-
-||load_module||+||load_module
|- |-
-||get_param||''Deprecated''||+||get_param||''Deprecated''
|- |-
-||set_param||''Deprecated''||+||set_param||''Deprecated''
|} |}
=== db_procedure === === db_procedure ===
-Inherits from: [#commondatabase common database]+Inherits from: [[#common database|common database]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||execute||Execute a stored procedure.||+||execute||Execute a stored procedure.
|- |-
-||entrypoint||+||entrypoint
|- |-
-||install||+||install
|} |}
=== db_table === === db_table ===
-Inherits from: [#commondatabase common database]+Inherits from: [[#common database|common database]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||use||''Deprecated''||+||use||''Deprecated''
|- |-
-||select||+||select
|- |-
-||update||+||update
|- |-
-||insert||+||insert
|- |-
-||delete||+||delete
|- |-
-||lock||+||lock
|} |}
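Review bot: several rows in the database tables carry only a permission cell and no description cell, so they are one column short of the two-column `! Permission` / `! Description` header: `||select`, `||update`, `||insert` in db_column; `||access`, `||install_module`, `||load_module` in db_database; `||entrypoint`, `||install` in db_procedure; and `||select`, `||update`, `||insert`, `||delete`, `||lock` in db_table. Either add a one-line description for each or at least an empty second cell (`||select||`) so every row has the same shape as `||read||Read a blob.`.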
Line 2,195: Line 2,287:
! Description ! Description
|- |-
-||relabelfrom||+||relabelfrom
|- |-
-||relabelto||+||relabelto
|- |-
-||use||''Deprecated''||+||use||''Deprecated''
|- |-
-||select||+||select
|- |-
-||update||+||update
|- |-
-||insert||+||insert
|- |-
-||delete||+||delete
|} |}
Line 2,216: Line 2,308:
! Description ! Description
|- |-
-||acquire_svc||+||acquire_svc
|- |-
-||send_msg||Send a message on the bus.||+||send_msg||Send a message on the bus.
|} |}
Line 2,227: Line 2,319:
! Description ! Description
|- |-
-||translate||Translate a raw MLS label.||+||translate||Translate a raw MLS label.
|- |-
-||contains||Calculate a MLS subset.||+||contains||Calculate a MLS subset.
|} |}
Line 2,238: Line 2,330:
! Description ! Description
|- |-
-||getpwd||+||getpwd
|- |-
-||getgrp||+||getgrp
|- |-
-||gethost||+||gethost
|- |-
-||getstat||+||getstat
|- |-
-||admin||+||admin
|- |-
-||shmempwd||+||shmempwd
|- |-
-||shmemgrp||+||shmemgrp
|- |-
-||shmemhost||+||shmemhost
|- |-
-||getserv||+||getserv
|- |-
-||shmemserv||+||shmemserv
|} |}
Line 2,265: Line 2,357:
! Description ! Description
|- |-
-||passwd||Update user password.||+||passwd||Update user password.
|- |-
-||chfn||Change finger information. e.g real name, work room and phone and home phone.||+||chfn||Change finger information. e.g real name, work room and phone and home phone.
|- |-
-||chsh||Change login shell.||+||chsh||Change login shell.
|- |-
-||rootok||Allow update if the user is root and the process has the rootok PAM permission.||+||rootok||Allow update if the user is root and the process has the rootok PAM permission.
|- |-
-||crontab||crontab on another user.||+||crontab||crontab on another user.
|} |}
Line 2,282: Line 2,374:
! Description ! Description
|- |-
-||paste||+||paste
|- |-
-||paste_after_confirm||+||paste_after_confirm
|- |-
-||copy||+||copy
|} |}
Line 2,294: Line 2,386:
! Description ! Description
|- |-
-||destroy||Close down a client.||+||destroy||Close down a client.
|- |-
-||getattr||Get the attributes of an X client||+||getattr||Get the attributes of an X client
|- |-
-||setattr||Set the attributes of an X client||+||setattr||Set the attributes of an X client
|- |-
-||manage||+||manage
|} |}
Line 2,308: Line 2,400:
! Description ! Description
|- |-
-||create||Create a new Colormap.||+||create||Create a new Colormap.
|- |-
-||destroy||Free a Colormap.||+||destroy||Free a Colormap.
|- |-
-||read||Read color cells of colormap.||+||read||Read color cells of colormap.
|- |-
-||write||+||write
|- |-
-||getattr||Get the color gamut of a screen.||+||getattr||Get the color gamut of a screen.
|- |-
-||add_color||+||add_color
|- |-
-||remove_color||+||remove_color
|- |-
-||install||Copy a virtual colormap into the display hardware.||+||install||Copy a virtual colormap into the display hardware.
|- |-
-||uninstall||Remove a virtual colormap from the display hardware.||+||uninstall||Remove a virtual colormap from the display hardware.
|- |-
-||use||+||use
|} |}
Line 2,334: Line 2,426:
! Description ! Description
|- |-
-||create||Create an arbitrary cursor object.||+||create||Create an arbitrary cursor object.
|- |-
-||destroy||Delete a cursor object.||+||destroy||Delete a cursor object.
|- |-
-||read||+||read
|- |-
-||write||+||write
|- |-
-||getattr||Get attributes of the cursor.||+||getattr||Get attributes of the cursor.
|- |-
-||setattr||Set attributes of the cursor.||+||setattr||Set attributes of the cursor.
|- |-
-||use||Associate a cursor object with a window.||+||use||Associate a cursor object with a window.
|} |}
=== x_device === === x_device ===
 +Inherits from: [[#common x_device|common x_device]]
{| border="1" {| border="1"
! Permission ! Permission
! Description ! Description
|- |-
-||getattr||+||getattr||see common x_device: getattr
|- |-
-||setattr||+||setattr||see common x_device: setattr
|- |-
-||use||+||use||see common x_device: use
|- |-
-||read||+||read||see common x_device: read
|- |-
-||write||+||write||see common x_device: write
|- |-
-||getfocus||+||getfocus||see common x_device: getfocus
|- |-
-||setfocus||+||setfocus||see common x_device: setfocus
|- |-
-||bell||+||bell||see common x_device: bell
|- |-
-||force_cursor||+||force_cursor||see common x_device: force_cursor
|- |-
-||freeze||+||freeze||see common x_device: freeze
|- |-
-||grab||+||grab||see common x_device: grab
|- |-
-||manage||+||manage||see common x_device: manage
|- |-
-||list_property||+||list_property||see common x_device: list_property
|- |-
-||get_property||+||get_property||see common x_device: get_property
|- |-
-||set_property||+||set_property||see common x_device: set_property
|- |-
-||add||+||add||see common x_device: add
|- |-
-||remove||+||remove||see common x_device: remove
|} |}
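Review bot: the new x_device rows spell the cross-reference as `see common x_device: getattr` (space after the colon) while the socket rows in this same revision use `see common socket:connect` (no space); pick one form for every `see common <set>:<perm>` reference so the tables can be searched and compared consistently. The added `Inherits from: [[#common x_device|common x_device]]` line matches the `[[#common database|common database]]` link fix made in the database section, which is good.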
Line 2,394: Line 2,487:
! Description ! Description
|- |-
-||create||Create a Drawable object.||+||create||Create a Drawable object.
|- |-
-||destroy||Destroy a Drawable.||+||destroy||Destroy a Drawable.
|- |-
-||read||+||read
|- |-
-||write||+||write
|- |-
-||blend||+||blend
|- |-
-||getattr||Get attributes of a Drawable object||+||getattr||Get attributes of a Drawable object
|- |-
-||setattr||Set attributes of a Drawable object||+||setattr||Set attributes of a Drawable object
|- |-
-||list_child||+||list_child
|- |-
-||add_child||+||add_child
|- |-
-||remove_child||+||remove_child
|- |-
-||list_property||+||list_property
|- |-
-||get_property||+||get_property
|- |-
-||set_property||+||set_property
|- |-
-||manage||+||manage
|- |-
-||override||+||override
|- |-
-||show||+||show
|- |-
-||hide||+||hide
|- |-
-||send||+||send
|- |-
-||receive||+||receive
|} |}
Line 2,438: Line 2,531:
! Description ! Description
|- |-
-||send||+||send
|- |-
-||receive||+||receive
|} |}
Line 2,448: Line 2,541:
! Description ! Description
|- |-
-||query||+||query
|- |-
-||use||+||use
|} |}
Line 2,458: Line 2,551:
! Description ! Description
|- |-
-||create||Load a font.||+||create||Load a font.
|- |-
-||destroy||Free (dereference) a font.||+||destroy||Free (dereference) a font.
|- |-
-||getattr||Obtain font names, path, etc.||+||getattr||Obtain font names, path, etc.
|- |-
-||add_glyph||+||add_glyph
|- |-
-||remove_glyph||+||remove_glyph
|- |-
-||use||Use a font for drawing.||+||use||Use a font for drawing.
|} |}
Line 2,476: Line 2,569:
! Description ! Description
|- |-
-||create||Create Graphic Contexts object.||+||create||Create Graphic Contexts object.
 +|-
 +||destroy||Free (dereference) a Graphics Contexts object.
 +|-
 +||getattr||Get attributes for Graphic Contexts object.
 +|-
 +||setattr||Set attributes for Graphic Contexts object.
 +|-
 +||use
 +|}
 + 
 +=== x_keyboard ===
 +Inherits from: [[#common x_device|common x_device]]
 +{| border="1"
 +! Permission
 +! Description
 +|-
 +||getattr||see common x_device: getattr
 +|-
 +||setattr||see common x_device: setattr
 +|-
 +||use||see common x_device: use
 +|-
 +||read||see common x_device: read
 +|-
 +||write||see common x_device: write
 +|-
 +||getfocus||see common x_device: getfocus
 +|-
 +||setfocus||see common x_device: setfocus
 +|-
 +||bell||see common x_device: bell
 +|-
 +||force_cursor||see common x_device: force_cursor
 +|-
 +||freeze||see common x_device: freeze
 +|-
 +||grab||see common x_device: grab
 +|-
 +||manage||see common x_device: manage
 +|-
 +||list_property||see common x_device: list_property
 +|-
 +||get_property||see common x_device: get_property
 +|-
 +||set_property||see common x_device: set_property
 +|-
 +||add||see common x_device: add
 +|-
 +||remove||see common x_device: remove
 +|}
 + 
 +=== x_pointer ===
 +Inherits from: [[#common x_device|common x_device]]
 +{| border="1"
 +! Permission
 +! Description
 +|-
 +||getattr||see common x_device: getattr
 +|-
 +||setattr||see common x_device: setattr
 +|-
 +||use||see common x_device: use
 +|-
 +||read||see common x_device: read
 +|-
 +||write||see common x_device: write
 +|-
 +||getfocus||see common x_device: getfocus
 +|-
 +||setfocus||see common x_device: setfocus
 +|-
 +||bell||see common x_device: bell
 +|-
 +||force_cursor||see common x_device: force_cursor
 +|-
 +||freeze||see common x_device: freeze
 +|-
 +||grab||see common x_device: grab
 +|-
 +||manage||see common x_device: manage
 +|-
 +||list_property||see common x_device: list_property
|- |-
-||destroy||Free (dereference) a Graphics Contexts object.||+||get_property||see common x_device: get_property
|- |-
-||getattr||Get attributes for Graphic Contexts object.||+||set_property||see common x_device: set_property
|- |-
-||setattr||Set attributes for Graphic Contexts object.||+||add||see common x_device: add
|- |-
-||use||+||remove||see common x_device: remove
|} |}
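Review bot: this hunk moves the x_gc `destroy`, `getattr`, `setattr` and `use` rows and inserts the complete x_keyboard and x_pointer tables between `||create||Create Graphic Contexts object.` and those rows, which makes the diff read as if x_gc rows were renamed to x_pointer rows; splitting the move from the insert would make the change reviewable. Two points carry over: the x_gc `||use` row still has no description cell, and the x_keyboard and x_pointer tables are verbatim copies of the x_device rows, so any later change to common x_device has to be applied in three places.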
Line 2,492: Line 2,667:
! Description ! Description
|- |-
-||create||Create property object.||+||create||Create property object.
|- |-
-||destroy||Free (dereference) a property object.||+||destroy||Free (dereference) a property object.
|- |-
-||read||Read a property.||+||read||Read a property.
|- |-
-||write||Write a property.||+||write||Write a property.
|- |-
-||append||Append a property.||+||append||Append a property.
|- |-
-||getattr||Get the attributes of a property.||+||getattr||Get the attributes of a property.
|- |-
-||setattr||Set the attributes of a property.||+||setattr||Set the attributes of a property.
|} |}
Line 2,512: Line 2,687:
! Description ! Description
|- |-
-||read||+||read
|- |-
-||write||+||write
|} |}
Line 2,522: Line 2,697:
! Description ! Description
|- |-
-||getattr||+||getattr
|- |-
-||setattr||+||setattr
|- |-
-||hide_cursor||+||hide_cursor
|- |-
-||show_cursor||+||show_cursor
|- |-
-||saver_getattr||+||saver_getattr
|- |-
-||saver_setattr||+||saver_setattr
|- |-
-||saver_hide||+||saver_hide
|- |-
-||saver_show||+||saver_show
|} |}
Line 2,544: Line 2,719:
! Description ! Description
|- |-
-||read||+||read
|- |-
-||write||+||write
|- |-
-||getattr||+||getattr
|- |-
-||setattr||+||setattr
|} |}
Line 2,558: Line 2,733:
! Description ! Description
|- |-
-||getattr||+||getattr
|- |-
-||setattr||+||setattr
|- |-
-||record||+||record
|- |-
-||debug||+||debug
|- |-
-||grab||+||grab
|- |-
-||manage||+||manage
|} |}
Line 2,576: Line 2,751:
! Description ! Description
|- |-
-||send||+||send
|- |-
-||receive||+||receive
|} |}

Revision as of 16:15, 15 November 2011

SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).

The document has the following caveats:

  • The permission descriptions are only for providing a general idea of the purposes of the permissions; a permission may mediate many operations.
  • Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

{| border="1"
! Permission
! Description
|-
||create||Create a new database object.
|-
||drop||Remove a database object.
|-
||getattr||Get the attributes of a database object.
|-
||setattr||Set the attributes of a database object.
|-
||relabelfrom||Change the security context based on existing type.
|-
||relabelto||Change the security context based on the new type.
|}

common file

{| border="1"
! Permission
! Description
|-
||getattr||Get file attributes for block file, such as access mode. (e.g. stat, some ioctls, ...)
|-
||relabelto||Change the security context based on the new type.
|-
||unlink||Remove hard link (delete).
|-
||ioctl||IO control system call requests not addressed by other permissions.
|-
||execute||Execute
|-
||append||Append file contents, i.e. opened with the O_APPEND flag.
|-
||read||Read file contents.
|-
||setattr||Change file attributes for block file such as access mode. (e.g. chmod, some ioctls, ...)
|-
||swapon||Allows file to be used for paging/swapping space.
|-
||write||Write or append file contents.
|-
||lock||Set and unset block file locks.
|-
||create||Create new block file.
|-
||rename||Rename a hard link.
|-
||mounton||Use as mount point; only useful for directories and files in Linux.
|-
||quotaon||Enabling quotas.
|-
||relabelfrom||Change the security context based on existing type.
|-
||link||Create hard link to block files.
|}

common ipc

{| border="1"
! Permission
! Description
|-
||write||Write or append.
|-
||destroy||Destroy.
|-
||unix_write||Write or append; required by IPC operations.
|-
||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls, ...)
|-
||create||Create.
|-
||read||Read.
|-
||setattr||Change file attributes for shared memory segment such as access mode. (e.g. chmod, some ioctls, ...)
|-
||unix_read||Read; required by IPC operations.
|-
||associate||Associate a key.
|}

common socket

{| border="1"
! Permission
! Description
|-
||append||Write or append socket file contents.
|-
||relabelfrom||Change the security context based on existing type.
|-
||create||Create new socket file.
|-
||read||Read socket file contents.
|-
||sendto||Send datagrams to socket.
|-
||connect||Initiate connection.
|-
||recvfrom||Receive datagrams from socket.
|-
||send_msg||Send datagram message; implicitly granted if the message SID is equal to the sending socket SID.
|-
||bind||Bind name.
|-
||lock||Set and unset socket file locks.
|-
||ioctl||IO control system call requests not addressed by other permissions.
|-
||getattr||Get file attributes for socket file, such as access mode. (e.g. stat, some ioctls, ...)
|-
||write||Write or append socket file contents.
|-
||setopt||Set socket options.
|-
||getopt||Get socket options.
|-
||listen||Listen for connections.
|-
||setattr||Change file attributes for file such as access mode. (e.g. chmod, some ioctls)
|-
||shutdown||Shutdown connection.
|-
||relabelto||Change the security context based on the new type.
|-
||recv_msg||Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID.
|-
||accept||Accept a connection.
|-
||name_bind||Use port or file; for AF_INET sockets, controls the relationship between a socket and its port number; for AF_UNIX sockets, controls the relationship between a socket and its file.
|}

common x_device

{| border="1"
! Permission
! Description
|-
||getattr
|-
||setattr
|-
||use
|-
||read
|-
||write
|-
||getfocus
|-
||setfocus
|-
||bell
|-
||force_cursor
|-
||freeze
|-
||grab
|-
||manage
|-
||list_property
|-
||get_property
|-
||set_property
|-
||add
|-
||remove
|}

Kernel Object Classes

appletalk_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append||2.6.18+
|-
||relabelfrom||see common socket:relabelfrom||2.6.18+
|-
||create||see common socket:create||2.6.18+
|-
||read||see common socket:read||2.6.18+
|-
||sendto||see common socket:sendto||2.6.18+
|-
||connect||see common socket:connect||2.6.18+
|-
||recvfrom||see common socket:recvfrom||2.6.18+
|-
||send_msg||see common socket:send_msg||2.6.18+
|-
||bind||see common socket:bind||2.6.18+
|-
||lock||see common socket:lock||2.6.18+
|-
||ioctl||see common socket:ioctl||2.6.18+
|-
||getattr||see common socket:getattr||2.6.18+
|-
||write||see common socket:write||2.6.18+
|-
||setopt||see common socket:setopt||2.6.18+
|-
||getopt||see common socket:getopt||2.6.18+
|-
||listen||see common socket:listen||2.6.18+
|-
||setattr||see common socket:setattr||2.6.18+
|-
||shutdown||see common socket:shutdown||2.6.18+
|-
||relabelto||see common socket:relabelto||2.6.18+
|-
||recv_msg||see common socket:recv_msg||2.6.18+
|-
||accept||see common socket:accept||2.6.18+
|-
||name_bind||see common socket:name_bind||2.6.18+
|}

association

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||sendto||Send to an IPSEC association.||2.6.12+
|-
||recvfrom||Receive from an IPSEC association.||2.6.12+
|-
||setcontext||Set the context of an IPSEC association on creation.||2.6.16+
|-
||polmatch||Match an IPSEC policy entry.||2.6.19+
|}

blk_file

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|-
||open||Open a block device file.||2.6.26+ / open_perms
|}

capability

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||chown||Allow changing file ownership and group ownership.
|-
||dac_override||Overrides all discretionary access control including ACL execute access if applicable. This does not include the access covered by LINUX_IMMUTABLE.
|-
||dac_read_search||Overrides all discretionary access control for reading and searching directories.
|-
||fowner||Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden.
|-
||fsetid||Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
|-
||kill||Allow signal raising for any process.
|-
||setgid||Allow setgid(2); allow setgroups(2); allow fake gids on credentials passed over a socket.
|-
||setuid||Allow all setuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket.
|-
||setpcap||Transfer capability maps from current process to any process.
|-
||linux_immutable||Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
|-
||net_bind_service||Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.
|-
||net_broadcast||Grant network broadcasting and listening to incoming multicasts.
|-
||net_admin||Allows all networking configurations and modifications. See linux/capability.h for details.
|-
||net_raw||Allows opening of raw sockets and packet sockets.
|-
||ipc_lock||Grants the capability to lock non-shared and shared memory segments.
|-
||ipc_owner||Grant the ability to ignore IPC ownership checks.
|-
||sys_module||Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl.
|-
||sys_rawio||Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.
|-
||sys_chroot||Grant use of the chroot(2) call.
|-
||sys_ptrace||Allow a ptrace of any process.
|-
||sys_pacct||Allow modification of accounting for any process.
|-
||sys_admin||Too many to list here (see /usr/include/linux/capability.h).
|-
||sys_boot||Grant ability to reboot the system.
|-
||sys_nice||Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process.
|-
||sys_resource||Too many to list here (see /usr/include/linux/capability.h for details).
|-
||sys_time||Grant permission to set system time and to set the real-time lock.
|-
||sys_tty_config||Grant permission to configure tty devices. Allow vhangup(2) call on a tty.
|-
||mknod||Grants permission to create character and block device nodes.
|-
||lease||Grants ability to take leases on a file. For details on what leases are see fcntl(2).
|-
||audit_write||Send audit messages from user space.||2.6.12+
|-
||audit_control||Change auditing rules. Set login UID.||2.6.12+
|-
||setfcap||Set file capabilities.||2.6.25+
|}

capability2

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||mac_override||Unused by SELinux||2.6.25+
|-
||mac_admin||Unused by SELinux||2.6.25+
|}

chr_file

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|-
||execute_no_trans||Execute a file in the caller's domain.||2.6.11+
|-
||entrypoint||Can be executed as the entry point of the new domain in a transition.||2.6.11+
|-
||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|-
||open||Open a character device file.||2.6.26+ / open_perms
|}

dccp_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append||2.6.20+
|-
||relabelfrom||see common socket:relabelfrom||2.6.20+
|-
||create||see common socket:create||2.6.20+
|-
||read||see common socket:read||2.6.20+
|-
||sendto||see common socket:sendto||2.6.20+
|-
||connect||see common socket:connect||2.6.20+
|-
||recvfrom||see common socket:recvfrom||2.6.20+
|-
||send_msg||see common socket:send_msg||2.6.20+
|-
||bind||see common socket:bind||2.6.20+
|-
||lock||see common socket:lock||2.6.20+
|-
||ioctl||see common socket:ioctl||2.6.20+
|-
||getattr||see common socket:getattr||2.6.20+
|-
||write||see common socket:write||2.6.20+
|-
||setopt||see common socket:setopt||2.6.20+
|-
||getopt||see common socket:getopt||2.6.20+
|-
||listen||see common socket:listen||2.6.20+
|-
||setattr||see common socket:setattr||2.6.20+
|-
||shutdown||see common socket:shutdown||2.6.20+
|-
||relabelto||see common socket:relabelto||2.6.20+
|-
||recv_msg||see common socket:recv_msg||2.6.20+
|-
||accept||see common socket:accept||2.6.20+
|-
||name_bind||see common socket:name_bind||2.6.20+
|-
||connectto||Connect to server socket.||2.6.20+
|-
||newconn||Create new socket for connection.||2.6.20+
|-
||acceptfrom||Accept connection from client socket.||2.6.20+
|-
||node_bind||Ability to bind to a node.||2.6.20+
|-
||name_connect||Connect to a specific port number.||2.6.20+
|}

dir

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|-
||search||Required on all ancestor directories of a file being accessed, similar to DAC +x permission.
|-
||rmdir||Remove the directory.
|-
||remove_name||Remove a file from the directory.
|-
||reparent||Change parent directory.
|-
||add_name||Add a file to the directory.
|-
||open||Open a directory.||2.6.26+ / open_perms
|}

fd

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||use||Permission to use an inherited file descriptor.
|}

fifo_file

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|-
||open||Open a FIFO.||2.6.26+ / open_perms
|}

file

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|-
||execute_no_trans||Execute a file in the caller's domain.
|-
||entrypoint||Can be executed as the entry point of the new domain in a transition.
|-
||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|-
||open||Open a file.||2.6.26+ / open_perms
|}

filesystem

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||mount||Mount the filesystem.
|-
||remount||Change filesystem mount flags.
|-
||unmount||Unmount the filesystem.
|-
||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls, ...)
|-
||relabelfrom||Change the security context based on existing type.
|-
||relabelto||Change the security context based on the new type.
|-
||transition||Transition to a new SID (change security context).
|-
||associate||Associate a file to the filesystem.
|-
||quotamod||Modify quota information.
|-
||quotaget||Get quota information.
|}

ipc

Inherits from: common ipc

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||write||see common ipc:write
|-
||destroy||see common ipc:destroy
|-
||unix_write||see common ipc:unix_write
|-
||getattr||see common ipc:getattr
|-
||create||see common ipc:create
|-
||read||see common ipc:read
|-
||setattr||see common ipc:setattr
|-
||unix_read||see common ipc:unix_read
|-
||associate||see common ipc:associate
|}

kernel_service

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||use_as_override||Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing objects on behalf of another process.||2.6.29+
|-
||create_files_as||Grant a process the right to nominate a file creation label for a kernel service to use.||2.6.29+
|}

key

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||view||||2.6.18+
|-
||read||||2.6.18+
|-
||write||||2.6.18+
|-
||search||||2.6.18+
|-
||link||||2.6.18+
|-
||setattr||||2.6.18+
|-
||create||||2.6.18+
|}

key_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append
|-
||relabelfrom||see common socket:relabelfrom
|-
||create||see common socket:create
|-
||read||see common socket:read
|-
||sendto||see common socket:sendto
|-
||connect||see common socket:connect
|-
||recvfrom||see common socket:recvfrom
|-
||send_msg||see common socket:send_msg
|-
||bind||see common socket:bind
|-
||lock||see common socket:lock
|-
||ioctl||see common socket:ioctl
|-
||getattr||see common socket:getattr
|-
||write||see common socket:write
|-
||setopt||see common socket:setopt
|-
||getopt||see common socket:getopt
|-
||listen||see common socket:listen
|-
||setattr||see common socket:setattr
|-
||shutdown||see common socket:shutdown
|-
||relabelto||see common socket:relabelto
|-
||recv_msg||see common socket:recv_msg
|-
||accept||see common socket:accept
|-
||name_bind||see common socket:name_bind
|}

lnk_file

Inherits from: common file

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||getattr||see common file:getattr
|-
||relabelto||see common file:relabelto
|-
||unlink||see common file:unlink
|-
||ioctl||see common file:ioctl
|-
||execute||see common file:execute
|-
||append||see common file:append
|-
||read||see common file:read
|-
||setattr||see common file:setattr
|-
||swapon||see common file:swapon
|-
||write||see common file:write
|-
||lock||see common file:lock
|-
||create||see common file:create
|-
||rename||see common file:rename
|-
||mounton||see common file:mounton
|-
||quotaon||see common file:quotaon
|-
||relabelfrom||see common file:relabelfrom
|-
||link||see common file:link
|}

memprotect

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||mmap_zero||Mmap the first page of memory.||2.6.23+
|}

msg

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||receive||Remove a message from a queue.
|-
||send||Add a message to a queue.
|}

msgq

Inherits from: common ipc

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||write||see common ipc:write
|-
||destroy||see common ipc:destroy
|-
||unix_write||see common ipc:unix_write
|-
||getattr||see common ipc:getattr
|-
||create||see common ipc:create
|-
||read||see common ipc:read
|-
||setattr||see common ipc:setattr
|-
||unix_read||see common ipc:unix_read
|-
||associate||see common ipc:associate
|-
||enqueue||Message can be added to a queue.
|}

netif

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||tcp_recv||Receive TCP packet.
|-
||tcp_send||Send TCP packet.
|-
||udp_recv||Receive UDP packet.
|-
||udp_send||Send UDP packet.
|-
||rawip_recv||Receive raw IP packet.
|-
||rawip_send||Send raw IP packet.
|-
||dccp_recv||Receive DCCP packet.||2.6.20+
|-
||dccp_send||Send DCCP packet.||2.6.20+
|-
||ingress||||2.6.25+ / network_peer_controls
|-
||egress||||2.6.25+ / network_peer_controls
|}

netlink_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append
|-
||relabelfrom||see common socket:relabelfrom
|-
||create||see common socket:create
|-
||read||see common socket:read
|-
||sendto||see common socket:sendto
|-
||connect||see common socket:connect
|-
||recvfrom||see common socket:recvfrom
|-
||send_msg||see common socket:send_msg
|-
||bind||see common socket:bind
|-
||lock||see common socket:lock
|-
||ioctl||see common socket:ioctl
|-
||getattr||see common socket:getattr
|-
||write||see common socket:write
|-
||setopt||see common socket:setopt
|-
||getopt||see common socket:getopt
|-
||listen||see common socket:listen
|-
||setattr||see common socket:setattr
|-
||shutdown||see common socket:shutdown
|-
||relabelto||see common socket:relabelto
|-
||recv_msg||see common socket:recv_msg
|-
||accept||see common socket:accept
|-
||name_bind||see common socket:name_bind
|}

netlink_audit_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append||2.6.8+
|-
||relabelfrom||see common socket:relabelfrom||2.6.8+
|-
||create||see common socket:create||2.6.8+
|-
||read||see common socket:read||2.6.8+
|-
||sendto||see common socket:sendto||2.6.8+
|-
||connect||see common socket:connect||2.6.8+
|-
||recvfrom||see common socket:recvfrom||2.6.8+
|-
||send_msg||see common socket:send_msg||2.6.8+
|-
||bind||see common socket:bind||2.6.8+
|-
||lock||see common socket:lock||2.6.8+
|-
||ioctl||see common socket:ioctl||2.6.8+
|-
||getattr||see common socket:getattr||2.6.8+
|-
||write||see common socket:write||2.6.8+
|-
||setopt||see common socket:setopt||2.6.8+
|-
||getopt||see common socket:getopt||2.6.8+
|-
||listen||see common socket:listen||2.6.8+
|-
||setattr||see common socket:setattr||2.6.8+
|-
||shutdown||see common socket:shutdown||2.6.8+
|-
||relabelto||see common socket:relabelto||2.6.8+
|-
||recv_msg||see common socket:recv_msg||2.6.8+
|-
||accept||see common socket:accept||2.6.8+
|-
||name_bind||see common socket:name_bind||2.6.8+
|-
||nlmsg_read||Read netlink message.||2.6.8+
|-
||nlmsg_write||Write netlink message.||2.6.8+
|-
||nlmsg_relay||Send user space audit messages to the kernel audit system.||2.6.12+
|-
||nlmsg_readpriv||List all auditing rules.||2.6.12+
|-
||nlmsg_tty_audit||Control TTY auditing.||2.6.30+
|}

netlink_dnrt_socket

Inherits from: common socket

{| border="1"
! Permission
! Description
! Kernel Version/Capability
|-
||append||see common socket:append||2.6.8+
|-
||relabelfrom||see common socket:relabelfrom||2.6.8+
|-
||create||see common socket:create||2.6.8+
|-
||read||see common socket:read||2.6.8+
|-
||sendto||see common socket:sendto||2.6.8+
|-
||connect||see common socket:connect||2.6.8+
|-
||recvfrom||see common socket:recvfrom||2.6.8+
|-
||send_msg||see common socket:send_msg||2.6.8+
|-
||bind||see common socket:bind||2.6.8+
|-
||lock||see common socket:lock||2.6.8+
|-
||ioctl||see common socket:ioctl||2.6.8+
|-
||getattr||see common socket:getattr||2.6.8+
|-
||write||see common socket:write||2.6.8+
|-
||setopt||see common socket:setopt||2.6.8+
|-
||getopt||see common socket:getopt||2.6.8+
|-
||listen||see common socket:listen||2.6.8+
|-
||setattr||see common socket:setattr||2.6.8+
|-
||shutdown||see common socket:shutdown||2.6.8+
|-
||relabelto||see common socket:relabelto||2.6.8+
|-
||recv_msg||see common socket:recv_msg||2.6.8+
|-
||accept||see common socket:accept||2.6.8+
|-
||name_bind||see common socket:name_bind||2.6.8+
|}

netlink_firewall_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

netlink_ip6fw_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

netlink_kobject_uevent_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.12+
relabelfrom | see common socket:relabelfrom | 2.6.12+
create | see common socket:create | 2.6.12+
read | see common socket:read | 2.6.12+
sendto | see common socket:sendto | 2.6.12+
connect | see common socket:connect | 2.6.12+
recvfrom | see common socket:recvfrom | 2.6.12+
send_msg | see common socket:send_msg | 2.6.12+
bind | see common socket:bind | 2.6.12+
lock | see common socket:lock | 2.6.12+
ioctl | see common socket:ioctl | 2.6.12+
getattr | see common socket:getattr | 2.6.12+
write | see common socket:write | 2.6.12+
setopt | see common socket:setopt | 2.6.12+
getopt | see common socket:getopt | 2.6.12+
listen | see common socket:listen | 2.6.12+
setattr | see common socket:setattr | 2.6.12+
shutdown | see common socket:shutdown | 2.6.12+
relabelto | see common socket:relabelto | 2.6.12+
recv_msg | see common socket:recv_msg | 2.6.12+
accept | see common socket:accept | 2.6.12+
name_bind | see common socket:name_bind | 2.6.12+

netlink_nflog_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+

netlink_route_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

netlink_selinux_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+

netlink_tcpdiag_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

netlink_xfrm_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

node

Permission | Description | Kernel Version/Capability
tcp_recv | Receive TCP packet.
tcp_send | Send TCP packet.
udp_recv | Receive UDP packet.
udp_send | Send UDP packet.
rawip_recv | Receive raw IP packet.
rawip_send | Send raw IP packet.
enforce_dest | Ensure that the destination node can enforce restrictions on the destination socket.
dccp_recv | Receive DCCP packet. | 2.6.20+
dccp_send | Send DCCP packet. | 2.6.20+
recvfrom |  | 2.6.25+ / network_peer_controls
sendto |  | 2.6.25+ / network_peer_controls

packet

Permission | Description | Kernel Version/Capability
send | Send a packet. | 2.6.18+
receive | Receive a packet. | 2.6.18+
relabelto | Set a labeling rule to the specified type. | 2.6.18+
flow_in | Deprecated | 2.6.25+
flow_out | Deprecated | 2.6.25+
forward_in |  | 2.6.25+
forward_out |  | 2.6.25+

packet_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind

peer

Permission | Description | Kernel Version/Capability
recv | Receive from a labeled networking peer. | 2.6.25+ / network_peer_controls

process

Permission | Description | Kernel Version/Capability
fork | Fork into two processes.
transition | Transition to a new context on exec().
sigchld | Send SIGCHLD signal.
sigkill | Send SIGKILL signal.
sigstop | Send SIGSTOP signal.
signull | Test for existence of another process without sending a signal (signal 0).
signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
ptrace | Trace program execution of another process (ptrace()).
getsched | Get scheduling priority of a process.
setsched | Set scheduling priority of a process.
getsession | Get session ID of another process.
getpgid | Get process group ID of a process.
setpgid | Set process group ID of a process.
getcap | Get Linux capabilities.
setcap | Set Linux capabilities.
share | Allow state sharing with cloned or forked process.
getattr | Get the security attributes of a process (e.g. reading /proc/<pid>/attr/*).
setexec | Override the default context for the next exec().
setfscreate | Override the default context for file creation.
setrlimit | Change process hard limits.
noatsecure | Disable secure mode environment cleansing (AT_SECURE). | v.16+
siginh | Inherit signal state from old sid. | v.16+
rlimitinh | Inherit resource limits from old sid. | v.16+
dyntransition | Dynamically transition to a new context. | 2.6.11+
setcurrent | Set the current process context. | 2.6.11+
execmem | Make executable an anonymous mapping or private file mapping that is writable. | 2.6.13+
execstack | Make the main process stack executable. | 2.6.13+
execheap | Make the heap executable. | 2.6.13+
setkeycreate | Override the default context for key creation. | 2.6.18+
setsockcreate | Override the default context for socket creation. | 2.6.18+
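
The execmem row above says which mappings the permission governs; the following added example (not code from this wiki page) shows the exact mmap() request that triggers it and how the denial surfaces to the application. On an SELinux host whose policy does not grant the calling domain process { execmem }, the anonymous writable+executable mapping fails with EACCES and an AVC denial for tclass=process is logged; on a host without SELinux, or in a domain that is allowed execmem (unconfined_t in the targeted policy, for instance), it succeeds. The mapping size and the function name are the example's own choices.

```python
"""Which mmap() request trips process:execmem.

Added example for the process object class; not code from the SELinux
wiki page.  An anonymous MAP_PRIVATE mapping that is writable and
executable at the same time is exactly the access the execmem permission
covers.
"""
import errno
import mmap


def try_wx_anonymous_mapping(size=4096):
    """Request an anonymous MAP_PRIVATE mapping with PROT_WRITE|PROT_EXEC.

    Returns "allowed" when the mapping is created and "denied" when the
    kernel refuses it with EACCES or EPERM (EACCES is what an execmem
    denial produces); any other OSError is unexpected here and re-raised.
    """
    prot = mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC
    try:
        region = mmap.mmap(-1, size,
                           flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                           prot=prot)
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    region.close()
    return "allowed"


if __name__ == "__main__":
    # In a confined domain without execmem this prints "denied" and
    # `ausearch -m AVC` shows: avc: denied { execmem } ... tclass=process
    print("anonymous W+X mapping:", try_wx_anonymous_mapping())
```

Run it once as root in a confined domain (e.g. via runcon) and once unconfined to see the two outcomes; the same request made through a writable MAP_PRIVATE file mapping is governed by execmem as well, while making the stack or heap executable is reported under execstack and execheap respectively.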

rawip_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind
node_bind | Ability to bind to a node. | v.17+

security

Permission | Description | Kernel Version/Capability
compute_user | Get user info in selinuxfs.
compute_relabel | Get relabel info in selinuxfs.
compute_create | Get create info in selinuxfs.
compute_av | Compute an access vector given a source/target/class.
compute_member | Determine the context to use when selecting a member of a polyinstantiated object.
setenforce | Change the enforcement state of SELinux (permissive/enforcing).
check_context | Write a context to selinuxfs to check its validity.
load_policy | Load the security policy.
setbool | Set a boolean value. | 2.6.5+
setsecparam | Set kernel access vector cache tuning parameters. | 2.6.11+
setcheckreqprot | Set whether SELinux checks the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect. | 2.6.12+

sem

Inherits from: common ipc

Permission | Description | Kernel Version/Capability
write | see common ipc:write
destroy | see common ipc:destroy
unix_write | see common ipc:unix_write
getattr | see common ipc:getattr
create | see common ipc:create
read | see common ipc:read
setattr | see common ipc:setattr
unix_read | see common ipc:unix_read
associate | see common ipc:associate

shm

Inherits from: common ipc

Permission | Description | Kernel Version/Capability
write | see common ipc:write
destroy | see common ipc:destroy
unix_write | see common ipc:unix_write
getattr | see common ipc:getattr
create | see common ipc:create
read | see common ipc:read
setattr | see common ipc:setattr
unix_read | see common ipc:unix_read
associate | see common ipc:associate
lock | (Un)lock page(s) in memory.

sock_file

Inherits from: common file

Permission | Description | Kernel Version/Capability
getattr | see common file:getattr
relabelto | see common file:relabelto
unlink | see common file:unlink
ioctl | see common file:ioctl
execute | see common file:execute
append | see common file:append
read | see common file:read
setattr | see common file:setattr
swapon | see common file:swapon
write | see common file:write
lock | see common file:lock
create | see common file:create
rename | see common file:rename
mounton | see common file:mounton
quotaon | see common file:quotaon
relabelfrom | see common file:relabelfrom
link | see common file:link
open | Open a named socket file. | 2.6.26+ / open_perms

socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind

system

Permission | Description | Kernel Version/Capability
ipc_info | Get System V IPC information (e.g. the IPC_INFO control operations).
syslog_mod | Perform a syslog operation other than reading the log or console logging (e.g. clearing the ring buffer).
syslog_read | Read the kernel log buffer via syslog.
syslog_console | Perform syslog console operations (e.g. changing the console log level).

tcp_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind
connectto | Connect to server socket.
newconn | Create new socket for connection.
acceptfrom | Accept connection from client socket.
node_bind | Ability to bind to a node. | 2.6.2+
name_connect | Connect to a specific port number. | 2.6.12+

tun_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.32+
relabelfrom | see common socket:relabelfrom | 2.6.32+
create | see common socket:create | 2.6.32+
read | see common socket:read | 2.6.32+
sendto | see common socket:sendto | 2.6.32+
connect | see common socket:connect | 2.6.32+
recvfrom | see common socket:recvfrom | 2.6.32+
send_msg | see common socket:send_msg | 2.6.32+
bind | see common socket:bind | 2.6.32+
lock | see common socket:lock | 2.6.32+
ioctl | see common socket:ioctl | 2.6.32+
getattr | see common socket:getattr | 2.6.32+
write | see common socket:write | 2.6.32+
setopt | see common socket:setopt | 2.6.32+
getopt | see common socket:getopt | 2.6.32+
listen | see common socket:listen | 2.6.32+
setattr | see common socket:setattr | 2.6.32+
shutdown | see common socket:shutdown | 2.6.32+
relabelto | see common socket:relabelto | 2.6.32+
recv_msg | see common socket:recv_msg | 2.6.32+
accept | see common socket:accept | 2.6.32+
name_bind | see common socket:name_bind | 2.6.32+

udp_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind
node_bind | Ability to bind to a node. | 2.6.2+

unix_dgram_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind

unix_stream_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append
relabelfrom | see common socket:relabelfrom
create | see common socket:create
read | see common socket:read
sendto | see common socket:sendto
connect | see common socket:connect
recvfrom | see common socket:recvfrom
send_msg | see common socket:send_msg
bind | see common socket:bind
lock | see common socket:lock
ioctl | see common socket:ioctl
getattr | see common socket:getattr
write | see common socket:write
setopt | see common socket:setopt
getopt | see common socket:getopt
listen | see common socket:listen
setattr | see common socket:setattr
shutdown | see common socket:shutdown
relabelto | see common socket:relabelto
recv_msg | see common socket:recv_msg
accept | see common socket:accept
name_bind | see common socket:name_bind
connectto | Connect to server socket.
newconn | Create new socket for connection.
acceptfrom | Accept connection from client socket.
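
The kernel object classes above are what an AVC denial's tclass= field names, and the permissions in braces are the ones each table lists. The following added example (not code from this wiki page) shows how a policy author uses the reference in practice: it parses a handful of constructed audit AVC records (the field layout is the one auditd writes; the pids, comm values and contexts are made up), checks each denied permission against a small subset of the class/permission tables embedded in CLASS_PERMS, and prints audit2allow-style allow rules for review. Only the classes in that subset are validated; any other class is passed through unvalidated.

```python
"""Triage of AVC denials against the kernel object classes listed above.

Added example, not code from the SELinux wiki page.  The audit records in
SAMPLE_AUDIT_LOG are constructed for this example.
"""
import re
from collections import defaultdict

# Subset of the reference above: inherited "common socket" permissions are
# spelled out, class-specific ones are added per table.
COMMON_SOCKET = {
    "append", "relabelfrom", "create", "read", "sendto", "connect",
    "recvfrom", "send_msg", "bind", "lock", "ioctl", "getattr", "write",
    "setopt", "getopt", "listen", "setattr", "shutdown", "relabelto",
    "recv_msg", "accept", "name_bind",
}
CLASS_PERMS = {
    "tcp_socket": COMMON_SOCKET | {"connectto", "newconn", "acceptfrom",
                                   "node_bind", "name_connect"},
    "udp_socket": COMMON_SOCKET | {"node_bind"},
    "netlink_route_socket": COMMON_SOCKET | {"nlmsg_read", "nlmsg_write"},
    "unix_stream_socket": COMMON_SOCKET | {"connectto", "newconn", "acceptfrom"},
    "process": {
        "fork", "transition", "sigchld", "sigkill", "sigstop", "signull",
        "signal", "ptrace", "getsched", "setsched", "getsession", "getpgid",
        "setpgid", "getcap", "setcap", "share", "getattr", "setexec",
        "setfscreate", "setrlimit", "noatsecure", "siginh", "rlimitinh",
        "dyntransition", "setcurrent", "execmem", "execstack", "execheap",
        "setkeycreate", "setsockcreate",
    },
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records: two identical name_connect denials (they must collapse
# into one rule), an execmem denial, a two-permission netlink denial, a
# granted record, and a denial naming a permission this reference does not
# list for the process class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319000000.101:201): avc:  denied  { name_connect } for  pid=2143 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1319000000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1319000000.102:202): avc:  denied  { name_connect } for  pid=2144 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319000000.103:203): avc:  denied  { execmem } for  pid=2143 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1319000000.104:204): avc:  denied  { nlmsg_read nlmsg_write } for  pid=977 comm="dhclient" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1319000000.105:205): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1319000000.106:206): avc:  denied  { execve } for  pid=2150 comm="httpd" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:httpd_t:s0 tclass=process
"""


def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return the parsed AVC record, or None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "scontext": parse_context(m.group("scontext")),
            "tcontext": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass"), "fields": fields}


def check_perms(tclass, perms):
    """Split perms into (listed, unlisted) for the class; classes outside
    CLASS_PERMS are passed through unvalidated."""
    listed = CLASS_PERMS.get(tclass)
    if listed is None:
        return list(perms), []
    return [p for p in perms if p in listed], [p for p in perms if p not in listed]


def triage(lines):
    """Aggregate denials into audit2allow-style rules keyed on source type,
    target type and class; permissions the reference does not list for a
    class are reported separately instead of becoming a rule."""
    grouped, unlisted = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        ok, bad = check_perms(rec["tclass"], rec["perms"])
        unlisted[rec["tclass"]].update(bad)
        if ok:
            key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
            grouped[key].update(ok)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if stype == ttype else ttype   # audit2allow spelling
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return {"rules": rules,
            "unlisted": {c: sorted(p) for c, p in unlisted.items() if p}}


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG.splitlines())
    print("\n".join(result["rules"]))
    print("permissions not in this reference:", result["unlisted"])
```

A generated rule is a starting point for review, not something to load as-is: the name_connect denial here is the classic httpd-to-database case where the right fix is usually a boolean or a dedicated port type rather than a blanket allow, and an execmem grant to a network-facing daemon deserves the same scrutiny the table row above implies.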

Database Object Classes

db_blob

Inherits from: common database

Permission | Description
read | Read a blob.
write | Write a blob.
import | Import a blob.
export | Export a blob.

db_column

Inherits from: common database

Permission | Description
use | Deprecated
select
update
insert

db_database

Inherits from: common database

Permission | Description
access
install_module
load_module
get_param | Deprecated
set_param | Deprecated

db_procedure

Inherits from: common database

Permission | Description
execute | Execute a stored procedure.
entrypoint
install

db_table

Inherits from: common database

Permission | Description
use | Deprecated
select
update
insert
delete
lock

db_tuple

Permission | Description
relabelfrom
relabelto
use | Deprecated
select
update
insert
delete

DBus Object Classes

dbus

Permission | Description
acquire_svc
send_msg | Send a message on the bus.

MLS Context Translation Object Classes

context

Permission | Description
translate | Translate a raw MLS label.
contains | Calculate an MLS subset.

NSCD Object Classes

nscd

Permission | Description
getpwd
getgrp
gethost
getstat
admin
shmempwd
shmemgrp
shmemhost
getserv
shmemserv

Password Object Classes

passwd

Permission | Description
passwd | Update user password.
chfn | Change finger information, e.g. real name, work room and phone, and home phone.
chsh | Change login shell.
rootok | Allow update if the user is root and the process has the rootok PAM permission.
crontab | Run crontab for another user (e.g. crontab -u).

X Server Object Classes

x_application_data

Permission | Description
paste
paste_after_confirm
copy

x_client

Permission | Description
destroy | Close down a client.
getattr | Get the attributes of an X client.
setattr | Set the attributes of an X client.
manage

x_colormap

Permission | Description
create | Create a new Colormap.
destroy | Free a Colormap.
read | Read color cells of colormap.
write
getattr | Get the color gamut of a screen.
add_color
remove_color
install | Copy a virtual colormap into the display hardware.
uninstall | Remove a virtual colormap from the display hardware.
use

x_cursor

Permission | Description
create | Create an arbitrary cursor object.
destroy | Delete a cursor object.
read
write
getattr | Get attributes of the cursor.
setattr | Set attributes of the cursor.
use | Associate a cursor object with a window.

x_device

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_drawable

Permission | Description
create | Create a Drawable object.
destroy | Destroy a Drawable.
read
write
blend
getattr | Get attributes of a Drawable object.
setattr | Set attributes of a Drawable object.
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive

x_event

Permission | Description
send
receive

x_extension

Permission | Description
query
use

x_font

Permission | Description
create | Load a font.
destroy | Free (dereference) a font.
getattr | Obtain font names, path, etc.
add_glyph
remove_glyph
use | Use a font for drawing.

x_gc

Permission | Description
create | Create a Graphics Context object.
destroy | Free (dereference) a Graphics Context object.
getattr | Get attributes of a Graphics Context object.
setattr | Set attributes of a Graphics Context object.
use

x_keyboard

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_pointer

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_property

Permission | Description
create | Create a property object.
destroy | Free (dereference) a property object.
read | Read a property.
write | Write a property.
append | Append to a property.
getattr | Get the attributes of a property.
setattr | Set the attributes of a property.

x_resource

Permission | Description
read
write

x_screen

Permission | Description
getattr
setattr
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show

x_selection

Permission | Description
read
write
getattr
setattr

x_server

Permission | Description
getattr
setattr
record
debug
grab
manage

x_synthetic_event

Permission | Description
send
receive