ObjectClassesPerms

From SELinux Wiki

(Difference between revisions)
Revision as of 01:08, 16 September 2011 (edit)
Jaxelson (Talk | contribs)
(dir - added some descriptions)
Current revision (19:23, 5 February 2013) (edit) (undo)
StephenSmalley (Talk | contribs)
(process)
 
(18 intermediate revisions not shown.)
Line 30: Line 30:
! Description ! Description
|- |-
-||getattr||Get file attributes for block file, such as access mode. (e.g. stat, some ioctls. ...)+||getattr||Get file attributes for file, such as access mode. (e.g. stat, some ioctls. ...)
|- |-
-||relabelto||Change the security context based on the new type.+||relabelto||Relabel to new security context.
|- |-
||unlink||Remove hard link (delete). ||unlink||Remove hard link (delete).
Line 40: Line 40:
||execute||Execute ||execute||Execute
|- |-
-||append||Append file contents. i.e opened with O_APPEND flag.+||append||Write to a file opened with O_APPEND.
|- |-
||read||Read file contents. ||read||Read file contents.
|- |-
-||setattr||Change file attributes for block file such as access mode. (e.g. chmod, some ioctls, ...)+||setattr||Change file attributes for file such as access mode. (e.g. chmod, some ioctls, ...)
|- |-
||swapon||Allows file to be used for paging/swapping space. ||swapon||Allows file to be used for paging/swapping space.
|- |-
-||write||Write or append file contents.+||write||Write to a file.
|- |-
-||lock||Set and unset block file locks.+||lock||Set and unset file locks.
|- |-
-||create||Create new block file.+||create||Create new file.
|- |-
-||rename||Rename a hard link.+||rename||Rename a file.
|- |-
||mounton||Use as mount point; only useful for directories and files in Linux. ||mounton||Use as mount point; only useful for directories and files in Linux.
|- |-
-||quotaon||Enabling quotas.+||quotaon||Use as a quota file.
|- |-
-||relabelfrom||Change the security context based on existing type.+||relabelfrom||Relabel from old security context.
|- |-
-||link||Create hard link to block files+||link||Create another hard link to file
|} |}
Line 70: Line 70:
! Description ! Description
|- |-
-||write||Write or append.+||write||Write.
|- |-
||destroy||Destroy. ||destroy||Destroy.
|- |-
-||unix_write||Write or append; required by IPC operations.+||unix_write||Generic write access.
|- |-
-||getattr||Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)+||getattr||Get attributes, e.g. IPC_STAT *ctl operation.
|- |-
||create||Create. ||create||Create.
|- |-
-||read||Read.+||read||Read
|- |-
-||setattr||Change file attributes for shared memory segment such as access mode. (e.g. chmod, some ioctls, ...)+||setattr||Change attributes, e.g. IPC_SET.
|- |-
-||unix_read||Read; required by IPC operations.+||unix_read||Generic read access.
|- |-
||associate||Associate a key ||associate||Associate a key
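Review bot: the read row's new text "Read" drops the trailing period that every other rewritten row in this table keeps (compare "Write." and "Destroy."); restore it as "Read." so the column stays consistent.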
Line 94: Line 94:
! Description ! Description
|- |-
-||append||Write or append socket file contents.+||append||Write to open fd marked with O_APPEND.
|- |-
||relabelfrom||Change the security context based on existing type. ||relabelfrom||Change the security context based on existing type.
|- |-
-||create||Create new socket file.+||create||Create new socket.
|- |-
-||read||Read socket file contents.+||read||Read from socket.
|- |-
-||sendto||Send datagrams to socket.+||sendto||Send to socket.
|- |-
||connect||Initiate connection. ||connect||Initiate connection.
|- |-
-||recvfrom||Receive datagrams from socket.+||recvfrom||Legacy NetLabel check; obsoleted by peer recv
|- |-
-||send_msg||Send datagram message; implicitly granted if the message SID is equal to the sending socket SID.+||send_msg||Legacy check; no longer present.
|- |-
-||bind||Bind name.+||bind||Bind a name to the socket.
|- |-
-||lock||Set and unset socket file locks+||lock||Apply file lock on a socket.
|- |-
||ioctl||IO control system call requests not addressed by other permissions. ||ioctl||IO control system call requests not addressed by other permissions.
|- |-
-||getattr||Get file attributes for socket file, such as access mode. (e.g. stat, some ioctls. ...)+||getattr||Get socket attributes, e.g. fstat.
|- |-
-||write||Write or append socket file contents.+||write||Write to socket.
|- |-
||setopt||Set socket options. ||setopt||Set socket options.
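Review bot: the recvfrom row's replacement text "Legacy NetLabel check; obsoleted by peer recv" is missing its closing period and does not say what "peer recv" refers to; name the object class and permission meant (peer:recv, if that is the intent) so a reader can follow the reference to the class where the check now lives.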
Line 126: Line 126:
||listen||Listen for connections. ||listen||Listen for connections.
|- |-
-||setattr||Change file attributes for file such as access mode. (e.g. chmod, some ioctls)+||setattr||Change socket attributes.
|- |-
||shutdown||Shutdown connection. ||shutdown||Shutdown connection.
Line 132: Line 132:
||relabelto||Change the security context based on the new type. ||relabelto||Change the security context based on the new type.
|- |-
-||recv_msg||Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID.+||recv_msg||Obsolete.
|- |-
||accept||Accept a connection. ||accept||Accept a connection.
|- |-
-||name_bind||Use port or file; for AF_INET sockets, controls relationship between a socket and it's port number; for AF_UNIX sockets, controls relationship between a socket and it's file+||name_bind||Associate with port or file; for AF_INET sockets, controls relationship between a socket and it's port number; for AF_UNIX sockets, controls relationship between a socket and it's file
|} |}
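Review bot: the name_bind row is rewritten but keeps "it's port number" and "it's file" on both sides of the diff; the possessive is "its", so fix both occurrences while the row is being touched.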
Line 297: Line 297:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||chown||Allow changing file ownership and group ownership.+||chown||Override restrictions on changing file ownership and group ownership.
|- |-
-||dac_override||Overrides all discretionary access control including ACL execute access if applicable. This does not include the access covered by LINUX_IMMUTABLE.+||dac_override||Override all DAC access restrictions. Checked before dac_read_search, so a dontaudit candidate.
|- |-
-||dac_read_search||Overrides all discretionary access control for reading and searching directories.+||dac_read_search||Override DAC read/search access restrictions.
|- |-
-||fowner||Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden.+||fowner||Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies.
|- |-
-||fsetid||Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.+||fsetid||Override file owner and group requirements when setting setuid or setgid bits on a file. Can be checked as a side effect on chmod and write operations; dontaudit candidate.
|- |-
-||kill||Allow signal raising for any process.+||kill||Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
|- |-
-||setgid||Allow setgid(2) allow setgroups(2) allow fake gids on credentials passed over a socket.+||setgid||Allow setgid(2) or setgroups(2) or forged gids on credentials passed over a socket.
|- |-
-||setuid||Allow all setsuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket.+||setuid||Allow set*uid(2). Allow passing of forged ids on credentials passed over a socket.
|- |-
-||setpcap||Transfer capability maps from current process to any process.+||setpcap||Add capability from bounding set to inheritable set, drop capability from bounding set, modify secure bits.
|- |-
||linux_immutable||Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. ||linux_immutable||Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
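Review bot: the dac_override and fsetid rows introduce the phrase "dontaudit candidate" without saying what it implies; one clause such as "the kernel checks this capability before the cheaper check, so a denial for it is normally silenced with dontaudit rather than allowed" would stop readers from granting dac_override or fsetid in response to audit denials that the operation never needed.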
Line 325: Line 325:
||net_raw||Allows opening of raw sockets and packet sockets. ||net_raw||Allows opening of raw sockets and packet sockets.
|- |-
-||ipc_lock||Grants the capability to lock non-shared and shared memory segments.+||ipc_lock||Allow locking shared memory segments and mlock/mlockall.
|- |-
-||ipc_owner||Grant the ability to ignore IPC ownership checks.+||ipc_owner||Override IPC ownership checks.
|- |-
||sys_module||Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernels bounding capability mask. See sysctl. ||sys_module||Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernels bounding capability mask. See sysctl.
Line 343: Line 343:
||sys_boot||Grant ability to reboot the system. ||sys_boot||Grant ability to reboot the system.
|- |-
-||sys_nice||Grants privilage to change priority of any process. Grants change of scheduling algorithm used by any process.+||sys_nice||Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process.
|- |-
||sys_resource||Too many to list here (see /usr/include/linux/capability.h for details.) ||sys_resource||Too many to list here (see /usr/include/linux/capability.h for details.)
Line 355: Line 355:
||lease||Grants ability to take leases on a file. For details on what leases are see fcntl(2). ||lease||Grants ability to take leases on a file. For details on what leases are see fcntl(2).
|- |-
-||audit_write||Send audit messsages from user space.||2.6.12++||audit_write||Generate audit messages from user space.||2.6.12+
|- |-
-||audit_control||Change auditing rules. Set login UID.||2.6.12++||audit_control||Control kernel audit configuration/rules. Set login UID.||2.6.12+
|- |-
||setfcap||Set file capabilities.||2.6.25+ ||setfcap||Set file capabilities.||2.6.25+
Line 368: Line 368:
! Kernel Version/Capability ! Kernel Version/Capability
|- |-
-||mac_override||''Unused by SELinux''||2.6.25++||mac_override||Override MAC restrictions - Ignored by SELinux||2.6.25+
|- |-
-||mac_admin||''Unused by SELinux''||2.6.25++||mac_admin||Change MAC configuration - For SELinux, get/set raw security context values unknown to the current policy.||2.6.25+
 +|-
 +|| syslog||Configure kernel syslog subsystem||
 +|-
 +|| wake_alarm||Trigger something that will wake the system||
 +|-
 +|| block_suspend|| Prevent system suspends||
|} |}
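Review bot: the three added rows (syslog, wake_alarm, block_suspend) leave the Kernel Version/Capability column empty while the mac_override and mac_admin rows directly above them carry "2.6.25+"; either fill in the kernel that introduced each capability or mark the cell explicitly as unknown rather than blank. The rows also have a stray space after the leading "||" ("|| syslog") that the other rows do not, and the wake_alarm text "Trigger something that will wake the system" should say what is triggered to match the precision of its neighbours.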
Line 418: Line 424:
||entrypoint||Can be executed as the entry point of the new domain in a transition.||2.6.11+ ||entrypoint||Can be executed as the entry point of the new domain in a transition.||2.6.11+
|- |-
-||execmod||Make executable a file mapping that has been modified by copy-on-write.||2.6.11++||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|- |-
||open||Open a character device file.||2.6.26+ / open_perms ||open||Open a character device file.||2.6.26+ / open_perms
Line 496: Line 502:
||relabelto||see common file:relabelto ||relabelto||see common file:relabelto
|- |-
-||unlink||see common file:unlink+||unlink||N/A
|- |-
||ioctl||see common file:ioctl ||ioctl||see common file:ioctl
|- |-
-||execute||see common file:execute+||execute||N/A
|- |-
-||append||see common file:append+||append||N/A
|- |-
||read||see common file:read ||read||see common file:read
Line 508: Line 514:
||setattr||see common file:setattr ||setattr||see common file:setattr
|- |-
-||swapon||see common file:swapon+||swapon||N/A
|- |-
-||write||see common file:write+||write||General write access; required for adding or removing
|- |-
||lock||see common file:lock ||lock||see common file:lock
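Review bot: the new write row for dir, "General write access; required for adding or removing", ends mid-sentence and has no period; say what is added or removed (the directory entries that the add_name and remove_name rows of this class describe) and close the sentence.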
Line 520: Line 526:
||mounton||see common file:mounton ||mounton||see common file:mounton
|- |-
-||quotaon||see common file:quotaon+||quotaon||N/A
|- |-
||relabelfrom||see common file:relabelfrom ||relabelfrom||see common file:relabelfrom
|- |-
-||link||see common file:link+||link||N/A
|- |-
-||search||Required on all ancestor directories of a file being accessed, similar to DAC +x permission+||search||Search access
|- |-
||rmdir||Remove the directory ||rmdir||Remove the directory
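Review bot: replacing the search description "Required on all ancestor directories of a file being accessed, similar to DAC +x permission" with just "Search access" loses the one fact a policy writer needs, namely that the permission is checked on every directory component of the path and not only on the directory named in the rule; keep the ancestor-directory sentence (or fold it into the new short form) rather than dropping it.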
Line 532: Line 538:
||remove_name||Remove a file from the directory. ||remove_name||Remove a file from the directory.
|- |-
-||reparent||Change parent directory.+||reparent||Rename into a different parent directory (.. change).
|- |-
||add_name||Add a file to the directory. ||add_name||Add a file to the directory.
Line 637: Line 643:
||entrypoint||Can be executed as the entry point of the new domain in a transition. ||entrypoint||Can be executed as the entry point of the new domain in a transition.
|- |-
-||execmod||Make executable a file mapping that has been modified by copy-on-write.||2.6.11++||execmod||Make executable a file mapping that has been modified by copy-on-write. (Text relocation)||2.6.11+
|- |-
||open||Open a file.||2.6.26+ / open_perms ||open||Open a file.||2.6.26+ / open_perms
Line 999: Line 1,005:
||name_bind||see common socket:name_bind||2.6.8+ ||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8++||nlmsg_read||Read audit subsystem state (e.g. AUDIT_GET).||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8++||nlmsg_write||Write audit subsystem state (e.g. AUDIT_SET).||2.6.8+
|- |-
||nlmsg_relay||Send user space audit messages to the kernel audit system.||2.6.12+ ||nlmsg_relay||Send user space audit messages to the kernel audit system.||2.6.12+
|- |-
-||nlmsg_readpriv||List all auditing rules.||2.6.12++||nlmsg_readpriv||Read security-sensitive audit subsystem state.||2.6.12+
|- |-
||nlmsg_tty_audit||Control TTY auditing||2.6.30+ ||nlmsg_tty_audit||Control TTY auditing||2.6.30+
Line 1,113: Line 1,119:
||name_bind||see common socket:name_bind||2.6.8+ ||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8++||nlmsg_read||Read firewall configuration state.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8++||nlmsg_write||Write firewall configuration state.||2.6.8+
|} |}
Line 1,329: Line 1,335:
||name_bind||see common socket:name_bind||2.6.8+ ||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8++||nlmsg_read||Read route configuration state.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8++||nlmsg_write||Write route configuration state.||2.6.8+
|} |}
Line 1,437: Line 1,443:
||name_bind||see common socket:name_bind||2.6.8+ ||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8++||nlmsg_read||Read tcp diagnostics.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8++||nlmsg_write||Unused.||2.6.8+
|} |}
Line 1,493: Line 1,499:
||name_bind||see common socket:name_bind||2.6.8+ ||name_bind||see common socket:name_bind||2.6.8+
|- |-
-||nlmsg_read||Read netlink message.||2.6.8++||nlmsg_read||Read xfrm configuration state.||2.6.8+
|- |-
-||nlmsg_write||Write netlink message.||2.6.8++||nlmsg_write||Write xfrm configuration state.||2.6.8+
|} |}
||signal||Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. ||signal||Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
|- |-
-||ptrace||Trace program execution of parent or child.+||ptrace||Attach to another process for tracing.
|- |-
||getsched||Get priority of a process. ||getsched||Get priority of a process.
||noatsecure||Disable secure mode environment cleansing (AT_SECURE).||v.16+ ||noatsecure||Disable secure mode environment cleansing (AT_SECURE).||v.16+
|- |-
-||siginh||Inherit signal state from old sid.||v.16++||siginh||Inherit signal state from caller.||v.16+
|- |-
-||rlimitinh||Inherit resource limits from old sid.||v.16++||rlimitinh||Inherit resource limits from caller.||v.16+
|- |-
||dyntransition||Dynamically transition to a new context.||2.6.11+ ||dyntransition||Dynamically transition to a new context.||2.6.11+

Current revision


SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, together with the kernel versions that support it and, where applicable, the policy capability that enables its enforcement.

The document has the following caveats:

  • The permission descriptions only give a general idea of the purpose of each permission; a permission may mediate many operations.
  • Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

Permission        | Description
create            | Create a new database object.
drop              | Remove a database object.
getattr           | Get the attributes of a database object.
setattr           | Set the attributes of a database object.
relabelfrom       | Change the security context based on existing type.
relabelto         | Change the security context based on the new type.

common file

Permission        | Description
getattr           | Get file attributes for file, such as access mode. (e.g. stat, some ioctls. ...)
relabelto         | Relabel to new security context.
unlink            | Remove hard link (delete).
ioctl             | IO control system call requests not addressed by other permissions.
execute           | Execute.
append            | Write to a file opened with O_APPEND.
read              | Read file contents.
setattr           | Change file attributes for file such as access mode. (e.g. chmod, some ioctls, ...)
swapon            | Allows file to be used for paging/swapping space.
write             | Write to a file.
lock              | Set and unset file locks.
create            | Create new file.
rename            | Rename a file.
mounton           | Use as mount point; only useful for directories and files in Linux.
quotaon           | Use as a quota file.
relabelfrom       | Relabel from old security context.
link              | Create another hard link to file.

common ipc

Permission        | Description
write             | Write.
destroy           | Destroy.
unix_write        | Generic write access.
getattr           | Get attributes, e.g. IPC_STAT *ctl operation.
create            | Create.
read              | Read.
setattr           | Change attributes, e.g. IPC_SET.
unix_read         | Generic read access.
associate         | Associate a key.

common socket

Permission        | Description
append            | Write to open fd marked with O_APPEND.
relabelfrom       | Change the security context based on existing type.
create            | Create new socket.
read              | Read from socket.
sendto            | Send to socket.
connect           | Initiate connection.
recvfrom          | Legacy NetLabel check; obsoleted by peer recv.
send_msg          | Legacy check; no longer present.
bind              | Bind a name to the socket.
lock              | Apply file lock on a socket.
ioctl             | IO control system call requests not addressed by other permissions.
getattr           | Get socket attributes, e.g. fstat.
write             | Write to socket.
setopt            | Set socket options.
getopt            | Get socket options.
listen            | Listen for connections.
setattr           | Change socket attributes.
shutdown          | Shutdown connection.
relabelto         | Change the security context based on the new type.
recv_msg          | Obsolete.
accept            | Accept a connection.
name_bind         | Associate with port or file; for AF_INET sockets, controls the relationship between a socket and its port number; for AF_UNIX sockets, controls the relationship between a socket and its file.

common x_device

Permission        | Description
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
list_property
get_property
set_property
add
remove

Kernel Object Classes

appletalk_socket

Inherits from: common socket

Permission        | Description | Kernel Version/Capability
append            | see common socket:append | 2.6.18+
relabelfrom       | see common socket:relabelfrom | 2.6.18+
create            | see common socket:create | 2.6.18+
read              | see common socket:read | 2.6.18+
sendto            | see common socket:sendto | 2.6.18+
connect           | see common socket:connect | 2.6.18+
recvfrom          | see common socket:recvfrom | 2.6.18+
send_msg          | see common socket:send_msg | 2.6.18+
bind              | see common socket:bind | 2.6.18+
lock              | see common socket:lock | 2.6.18+
ioctl             | see common socket:ioctl | 2.6.18+
getattr           | see common socket:getattr | 2.6.18+
write             | see common socket:write | 2.6.18+
setopt            | see common socket:setopt | 2.6.18+
getopt            | see common socket:getopt | 2.6.18+
listen            | see common socket:listen | 2.6.18+
setattr           | see common socket:setattr | 2.6.18+
shutdown          | see common socket:shutdown | 2.6.18+
relabelto         | see common socket:relabelto | 2.6.18+
recv_msg          | see common socket:recv_msg | 2.6.18+
accept            | see common socket:accept | 2.6.18+
name_bind         | see common socket:name_bind | 2.6.18+

association

Permission        | Description | Kernel Version/Capability
sendto            | Send to an IPSEC association. | 2.6.12+
recvfrom          | Receive from an IPSEC association. | 2.6.12+
setcontext        | Set the context of an IPSEC association on creation. | 2.6.16+
polmatch          | Match an IPSEC policy entry. | 2.6.19+

blk_file

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | see common file:unlink
ioctl             | see common file:ioctl
execute           | see common file:execute
append            | see common file:append
read              | see common file:read
setattr           | see common file:setattr
swapon            | see common file:swapon
write             | see common file:write
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | see common file:quotaon
relabelfrom       | see common file:relabelfrom
link              | see common file:link
open              | Open a block device file. | 2.6.26+ / open_perms

capability

Permission        | Description | Kernel Version/Capability
chown             | Override restrictions on changing file ownership and group ownership.
dac_override      | Override all DAC access restrictions. Checked before dac_read_search, so a dontaudit candidate.
dac_read_search   | Override DAC read/search access restrictions.
fowner            | Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies.
fsetid            | Override file owner and group requirements when setting setuid or setgid bits on a file. Can be checked as a side effect on chmod and write operations; dontaudit candidate.
kill              | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
setgid            | Allow setgid(2) or setgroups(2) or forged gids on credentials passed over a socket.
setuid            | Allow set*uid(2). Allow passing of forged ids on credentials passed over a socket.
setpcap           | Add capability from bounding set to inheritable set, drop capability from bounding set, modify secure bits.
linux_immutable   | Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
net_bind_service  | Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.
net_broadcast     | Grant network broadcasting and listening to incoming multicasts.
net_admin         | Allows all networking configurations and modifications. See linux/capability.h for details.
net_raw           | Allows opening of raw sockets and packet sockets.
ipc_lock          | Allow locking shared memory segments and mlock/mlockall.
ipc_owner         | Override IPC ownership checks.
sys_module        | Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl.
sys_rawio         | Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.
sys_chroot        | Grant use of the chroot(2) call.
sys_ptrace        | Allow a ptrace of any process.
sys_pacct         | Allow modification of accounting for any process.
sys_admin         | Too many to list here (see /usr/include/linux/capability.h).
sys_boot          | Grant ability to reboot the system.
sys_nice          | Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process.
sys_resource      | Too many to list here (see /usr/include/linux/capability.h for details).
sys_time          | Grant permission to set system time and to set the real-time lock.
sys_tty_config    | Grant permission to configure tty devices. Allow vhangup(2) call on a tty.
mknod             | Grants permission to create character and block device nodes.
lease             | Grants ability to take leases on a file. For details on what leases are see fcntl(2).
audit_write       | Generate audit messages from user space. | 2.6.12+
audit_control     | Control kernel audit configuration/rules. Set login UID. | 2.6.12+
setfcap           | Set file capabilities. | 2.6.25+

capability2

Permission        | Description | Kernel Version/Capability
mac_override      | Override MAC restrictions; ignored by SELinux. | 2.6.25+
mac_admin         | Change MAC configuration; for SELinux, get/set raw security context values unknown to the current policy. | 2.6.25+
syslog            | Configure kernel syslog subsystem.
wake_alarm        | Trigger something that will wake the system.
block_suspend     | Prevent system suspends.

chr_file

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | see common file:unlink
ioctl             | see common file:ioctl
execute           | see common file:execute
append            | see common file:append
read              | see common file:read
setattr           | see common file:setattr
swapon            | see common file:swapon
write             | see common file:write
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | see common file:quotaon
relabelfrom       | see common file:relabelfrom
link              | see common file:link
execute_no_trans  | Execute a file in the caller's domain. | 2.6.11+
entrypoint        | Can be executed as the entry point of the new domain in a transition. | 2.6.11+
execmod           | Make executable a file mapping that has been modified by copy-on-write. (Text relocation) | 2.6.11+
open              | Open a character device file. | 2.6.26+ / open_perms

dccp_socket

Inherits from: common socket

Permission        | Description | Kernel Version/Capability
append            | see common socket:append | 2.6.20+
relabelfrom       | see common socket:relabelfrom | 2.6.20+
create            | see common socket:create | 2.6.20+
read              | see common socket:read | 2.6.20+
sendto            | see common socket:sendto | 2.6.20+
connect           | see common socket:connect | 2.6.20+
recvfrom          | see common socket:recvfrom | 2.6.20+
send_msg          | see common socket:send_msg | 2.6.20+
bind              | see common socket:bind | 2.6.20+
lock              | see common socket:lock | 2.6.20+
ioctl             | see common socket:ioctl | 2.6.20+
getattr           | see common socket:getattr | 2.6.20+
write             | see common socket:write | 2.6.20+
setopt            | see common socket:setopt | 2.6.20+
getopt            | see common socket:getopt | 2.6.20+
listen            | see common socket:listen | 2.6.20+
setattr           | see common socket:setattr | 2.6.20+
shutdown          | see common socket:shutdown | 2.6.20+
relabelto         | see common socket:relabelto | 2.6.20+
recv_msg          | see common socket:recv_msg | 2.6.20+
accept            | see common socket:accept | 2.6.20+
name_bind         | see common socket:name_bind | 2.6.20+
connectto         | Connect to server socket. | 2.6.20+
newconn           | Create new socket for connection. | 2.6.20+
acceptfrom        | Accept connection from client socket. | 2.6.20+
node_bind         | Ability to bind to a node. | 2.6.20+
name_connect      | Connect to a specific port number. | 2.6.20+

dir

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | N/A
ioctl             | see common file:ioctl
execute           | N/A
append            | N/A
read              | see common file:read
setattr           | see common file:setattr
swapon            | N/A
write             | General write access; required for adding or removing
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | N/A
relabelfrom       | see common file:relabelfrom
link              | N/A
search            | Search access.
rmdir             | Remove the directory.
remove_name       | Remove a file from the directory.
reparent          | Rename into a different parent directory (.. change).
add_name          | Add a file to the directory.
open              | Open a directory. | 2.6.26+ / open_perms
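The tables above express a simple model: a class takes a common permission set, may mark some inherited rows N/A, and adds its own rows, some gated on a kernel version or policy capability. As an added example (not code from the SELinux project or this wiki page), the Python below encodes the file, dir and blk_file tables in that model and checks a policy allow rule against them; the helper names (ObjectClass, parse_requirement, check_rule), the sample rule and the kernel version passed in are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Common permission set "common file", transcribed from the page's table.
COMMON_FILE = frozenset({
    "getattr", "relabelto", "unlink", "ioctl", "execute", "append", "read",
    "setattr", "swapon", "write", "lock", "create", "rename", "mounton",
    "quotaon", "relabelfrom", "link",
})

# A "Kernel Version/Capability" cell parsed into (version tuple, capability name).
Requirement = Tuple[Optional[Tuple[int, ...]], Optional[str]]


def parse_requirement(text: Optional[str]) -> Requirement:
    """Parse a cell such as "2.6.26+ / open_perms" or "2.6.11+" (None = unconditional)."""
    if not text:
        return (None, None)
    version, capability = None, None
    for part in (p.strip() for p in text.split("/")):
        if part.endswith("+"):
            version = tuple(int(x) for x in part[:-1].split("."))
        elif part:
            capability = part
    return (version, capability)


@dataclass
class ObjectClass:
    name: str
    inherits: FrozenSet[str] = frozenset()          # the common permission set
    not_applicable: FrozenSet[str] = frozenset()    # inherited rows the page marks "N/A"
    own: Dict[str, Optional[str]] = field(default_factory=dict)  # class row -> requirement cell

    def permissions(self) -> FrozenSet[str]:
        """Every permission name the class defines (N/A rows are still defined)."""
        return self.inherits | frozenset(self.own)

    def requirement(self, perm: str) -> Requirement:
        return parse_requirement(self.own.get(perm))


# Classes transcribed from the page; requirement cells are copied verbatim.
CLASSES = {
    "blk_file": ObjectClass("blk_file", COMMON_FILE, own={"open": "2.6.26+ / open_perms"}),
    "file": ObjectClass("file", COMMON_FILE, own={
        "execute_no_trans": None, "entrypoint": None,
        "execmod": "2.6.11+", "open": "2.6.26+ / open_perms"}),
    "dir": ObjectClass(
        "dir", COMMON_FILE,
        not_applicable=frozenset({"unlink", "execute", "append", "swapon", "quotaon", "link"}),
        own={"search": None, "rmdir": None, "remove_name": None, "reparent": None,
             "add_name": None, "open": "2.6.26+ / open_perms"}),
}

# allow <source> <target>:<class> { p1 p2 ... };   or   allow <source> <target>:<class> p;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\w+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<single>\w+))\s*;\s*$")


def check_rule(rule: str, kernel: Tuple[int, ...],
               capabilities: FrozenSet[str] = frozenset()) -> dict:
    """Check one allow rule against the class tables.

    Reports permissions the class does not define, inherited rows the page marks
    N/A (granting them is dead policy for this class), and rows that need a newer
    kernel or a policy capability the caller has not enabled.
    """
    m = ALLOW_RE.match(rule)
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    cls = CLASSES.get(m.group("cls"))
    if cls is None:
        raise ValueError(f"class not modelled here: {m.group('cls')}")
    perms = set((m.group("set") or m.group("single")).split())
    known = cls.permissions()
    report = {"class": cls.name,
              "unknown": perms - known,
              "not_applicable": perms & cls.not_applicable,
              "needs_kernel": {}, "needs_capability": {}}
    for perm in perms & known:
        version, capability = cls.requirement(perm)
        if version and kernel < version:
            report["needs_kernel"][perm] = version
        if capability and capability not in capabilities:
            report["needs_capability"][perm] = capability
    return report


if __name__ == "__main__":
    # Constructed rule: unlink is N/A for dir, bogus is undefined, open is gated on 2.6.26+/open_perms.
    print(check_rule("allow myapp_t tmp_t:dir { read search write add_name open unlink bogus };",
                     kernel=(2, 6, 24)))
```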

fd

Permission        | Description | Kernel Version/Capability
use               | Permission to use an inherited file descriptor.

fifo_file

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | see common file:unlink
ioctl             | see common file:ioctl
execute           | see common file:execute
append            | see common file:append
read              | see common file:read
setattr           | see common file:setattr
swapon            | see common file:swapon
write             | see common file:write
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | see common file:quotaon
relabelfrom       | see common file:relabelfrom
link              | see common file:link
open              | Open a FIFO. | 2.6.26+ / open_perms

file

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | see common file:unlink
ioctl             | see common file:ioctl
execute           | see common file:execute
append            | see common file:append
read              | see common file:read
setattr           | see common file:setattr
swapon            | see common file:swapon
write             | see common file:write
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | see common file:quotaon
relabelfrom       | see common file:relabelfrom
link              | see common file:link
execute_no_trans  | Execute a file in the caller's domain.
entrypoint        | Can be executed as the entry point of the new domain in a transition.
execmod           | Make executable a file mapping that has been modified by copy-on-write. (Text relocation) | 2.6.11+
open              | Open a file. | 2.6.26+ / open_perms

filesystem

Permission        | Description | Kernel Version/Capability
mount             | Mount the filesystem.
remount           | Change filesystem mount flags.
unmount           | Unmount the filesystem.
getattr           | Get file attributes, such as access mode. (e.g. stat, some ioctls. ...)
relabelfrom       | Change the security context based on existing type.
relabelto         | Change the security context based on the new type.
transition        | Transition to a new SID (change security context).
associate         | Associate a file to the filesystem.
quotamod          | Modify quota information.
quotaget          | Get quota information.

ipc

Inherits from: common ipc

Permission        | Description | Kernel Version/Capability
write             | see common ipc:write
destroy           | see common ipc:destroy
unix_write        | see common ipc:unix_write
getattr           | see common ipc:getattr
create            | see common ipc:create
read              | see common ipc:read
setattr           | see common ipc:setattr
unix_read         | see common ipc:unix_read
associate         | see common ipc:associate

kernel_service

Permission        | Description | Kernel Version/Capability
use_as_override   | Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing objects on behalf of another process. | 2.6.29+
create_files_as   | Grant a process the right to nominate a file creation label for a kernel service to use. | 2.6.29+

key

Permission        | Description | Kernel Version/Capability
view              |  | 2.6.18+
read              |  | 2.6.18+
write             |  | 2.6.18+
search            |  | 2.6.18+
link              |  | 2.6.18+
setattr           |  | 2.6.18+
create            |  | 2.6.18+

key_socket

Inherits from: common socket

Permission        | Description | Kernel Version/Capability
append            | see common socket:append
relabelfrom       | see common socket:relabelfrom
create            | see common socket:create
read              | see common socket:read
sendto            | see common socket:sendto
connect           | see common socket:connect
recvfrom          | see common socket:recvfrom
send_msg          | see common socket:send_msg
bind              | see common socket:bind
lock              | see common socket:lock
ioctl             | see common socket:ioctl
getattr           | see common socket:getattr
write             | see common socket:write
setopt            | see common socket:setopt
getopt            | see common socket:getopt
listen            | see common socket:listen
setattr           | see common socket:setattr
shutdown          | see common socket:shutdown
relabelto         | see common socket:relabelto
recv_msg          | see common socket:recv_msg
accept            | see common socket:accept
name_bind         | see common socket:name_bind

lnk_file

Inherits from: common file

Permission        | Description | Kernel Version/Capability
getattr           | see common file:getattr
relabelto         | see common file:relabelto
unlink            | see common file:unlink
ioctl             | see common file:ioctl
execute           | see common file:execute
append            | see common file:append
read              | see common file:read
setattr           | see common file:setattr
swapon            | see common file:swapon
write             | see common file:write
lock              | see common file:lock
create            | see common file:create
rename            | see common file:rename
mounton           | see common file:mounton
quotaon           | see common file:quotaon
relabelfrom       | see common file:relabelfrom
link              | see common file:link

memprotect

Permission        | Description | Kernel Version/Capability
mmap_zero         | Mmap the first page of memory. | 2.6.23+

msg

Permission        | Description | Kernel Version/Capability
receive           | Remove a message from a queue.
send              | Add a message to a queue.

msgq

Inherits from: common ipc

Permission        | Description | Kernel Version/Capability
write             | see common ipc:write
destroy           | see common ipc:destroy
unix_write        | see common ipc:unix_write
getattr           | see common ipc:getattr
create            | see common ipc:create
read              | see common ipc:read
setattr           | see common ipc:setattr
unix_read         | see common ipc:unix_read
associate         | see common ipc:associate
enqueue           | Message can be added to a queue.

netif

Permission | Description | Kernel Version/Capability
tcp_recv | Receive TCP packet. |
tcp_send | Send TCP packet. |
udp_recv | Receive UDP packet. |
udp_send | Send UDP packet. |
rawip_recv | Receive raw IP packet. |
rawip_send | Send raw IP packet. |
dccp_recv | Receive DCCP packet. | 2.6.20+
dccp_send | Send DCCP packet. | 2.6.20+
ingress | | 2.6.25+ / network_peer_controls
egress | | 2.6.25+ / network_peer_controls

netlink_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

netlink_audit_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read audit subsystem state (e.g. AUDIT_GET). | 2.6.8+
nlmsg_write | Write audit subsystem state (e.g. AUDIT_SET). | 2.6.8+
nlmsg_relay | Send user space audit messages to the kernel audit system. | 2.6.12+
nlmsg_readpriv | Read security-sensitive audit subsystem state. | 2.6.12+
nlmsg_tty_audit | Control TTY auditing. | 2.6.30+

netlink_dnrt_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+

netlink_firewall_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read firewall configuration state. | 2.6.8+
nlmsg_write | Write firewall configuration state. | 2.6.8+

netlink_ip6fw_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read netlink message. | 2.6.8+
nlmsg_write | Write netlink message. | 2.6.8+

netlink_kobject_uevent_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.12+
relabelfrom | see common socket:relabelfrom | 2.6.12+
create | see common socket:create | 2.6.12+
read | see common socket:read | 2.6.12+
sendto | see common socket:sendto | 2.6.12+
connect | see common socket:connect | 2.6.12+
recvfrom | see common socket:recvfrom | 2.6.12+
send_msg | see common socket:send_msg | 2.6.12+
bind | see common socket:bind | 2.6.12+
lock | see common socket:lock | 2.6.12+
ioctl | see common socket:ioctl | 2.6.12+
getattr | see common socket:getattr | 2.6.12+
write | see common socket:write | 2.6.12+
setopt | see common socket:setopt | 2.6.12+
getopt | see common socket:getopt | 2.6.12+
listen | see common socket:listen | 2.6.12+
setattr | see common socket:setattr | 2.6.12+
shutdown | see common socket:shutdown | 2.6.12+
relabelto | see common socket:relabelto | 2.6.12+
recv_msg | see common socket:recv_msg | 2.6.12+
accept | see common socket:accept | 2.6.12+
name_bind | see common socket:name_bind | 2.6.12+

netlink_nflog_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+

netlink_route_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read route configuration state. | 2.6.8+
nlmsg_write | Write route configuration state. | 2.6.8+

netlink_selinux_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+

netlink_tcpdiag_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read TCP diagnostics. | 2.6.8+
nlmsg_write | Unused. | 2.6.8+

netlink_xfrm_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.8+
relabelfrom | see common socket:relabelfrom | 2.6.8+
create | see common socket:create | 2.6.8+
read | see common socket:read | 2.6.8+
sendto | see common socket:sendto | 2.6.8+
connect | see common socket:connect | 2.6.8+
recvfrom | see common socket:recvfrom | 2.6.8+
send_msg | see common socket:send_msg | 2.6.8+
bind | see common socket:bind | 2.6.8+
lock | see common socket:lock | 2.6.8+
ioctl | see common socket:ioctl | 2.6.8+
getattr | see common socket:getattr | 2.6.8+
write | see common socket:write | 2.6.8+
setopt | see common socket:setopt | 2.6.8+
getopt | see common socket:getopt | 2.6.8+
listen | see common socket:listen | 2.6.8+
setattr | see common socket:setattr | 2.6.8+
shutdown | see common socket:shutdown | 2.6.8+
relabelto | see common socket:relabelto | 2.6.8+
recv_msg | see common socket:recv_msg | 2.6.8+
accept | see common socket:accept | 2.6.8+
name_bind | see common socket:name_bind | 2.6.8+
nlmsg_read | Read xfrm configuration state. | 2.6.8+
nlmsg_write | Write xfrm configuration state. | 2.6.8+

node

Permission | Description | Kernel Version/Capability
tcp_recv | Receive TCP packet. |
tcp_send | Send TCP packet. |
udp_recv | Receive UDP packet. |
udp_send | Send UDP packet. |
rawip_recv | Receive raw IP packet. |
rawip_send | Send raw IP packet. |
enforce_dest | Ensure that the destination node can enforce restrictions on the destination socket. |
dccp_recv | Receive DCCP packet. | 2.6.20+
dccp_send | Send DCCP packet. | 2.6.20+
recvfrom | | 2.6.25+ / network_peer_controls
sendto | | 2.6.25+ / network_peer_controls

packet

Permission | Description | Kernel Version/Capability
send | Send a packet. | 2.6.18+
receive | Receive a packet. | 2.6.18+
relabelto | Set a labeling rule to the specified type. | 2.6.18+
flow_in | Deprecated. | 2.6.25+
flow_out | Deprecated. | 2.6.25+
forward_in | | 2.6.25+
forward_out | | 2.6.25+

packet_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

peer

Permission | Description | Kernel Version/Capability
recv | Receive from a labeled networking peer. | 2.6.25+ / network_peer_controls

process

Permission | Description | Kernel Version/Capability
fork | Fork into two processes. |
transition | Transition to a new context on exec(). |
sigchld | Send SIGCHLD signal. |
sigkill | Send SIGKILL signal. |
sigstop | Send SIGSTOP signal. |
signull | Test for existence of another process without sending a signal. |
signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. |
ptrace | Attach to another process for tracing. |
getsched | Get priority of a process. |
setsched | Set priority of a process. |
getsession | Get session ID of another process. |
getpgid | Get process group ID of a process. |
setpgid | Set process group ID of a process. |
getcap | Get Linux capabilities. |
setcap | Set Linux capabilities. |
share | Allow state sharing with cloned or forked process. |
getattr | Get attributes of a file. |
setexec | Override the default context for the next exec(). |
setfscreate | Override the default context for file creation. |
setrlimit | Change process hard limits. |
noatsecure | Disable secure mode environment cleansing (AT_SECURE). | v.16+
siginh | Inherit signal state from caller. | v.16+
rlimitinh | Inherit resource limits from caller. | v.16+
dyntransition | Dynamically transition to a new context. | 2.6.11+
setcurrent | Set the current process context. | 2.6.11+
execmem | Make executable an anonymous mapping or private file mapping that is writable. | 2.6.13+
execstack | Make the main process stack executable. | 2.6.13+
execheap | Make the heap executable. | 2.6.13+
setkeycreate | Override the default context for key creation. | 2.6.18+
setsockcreate | Override the default context for socket creation. | 2.6.18+

rawip_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | v.17+

security

Permission | Description | Kernel Version/Capability
compute_user | Get user info in selinuxfs. |
compute_relabel | Get relabel info in selinuxfs. |
compute_create | Get create info in selinuxfs. |
compute_av | Compute an access vector given a source/target/class. |
compute_member | Determine the context to use when selecting a member of a polyinstantiated object. |
setenforce | Change the enforcement state of SELinux. |
check_context | Write context in selinuxfs. |
load_policy | Load the security policy. |
setbool | Set a boolean value. | 2.6.5+
setsecparam | Set kernel access vector cache tuning parameters. | 2.6.11+
setcheckreqprot | Set whether SELinux checks the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect. | 2.6.12+

sem

Inherits from: common ipc

Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |

shm

Inherits from: common ipc

Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |
lock | (Un)lock page(s) in memory. |

sock_file

Inherits from: common file

Permission | Description | Kernel Version/Capability
getattr | see common file:getattr |
relabelto | see common file:relabelto |
unlink | see common file:unlink |
ioctl | see common file:ioctl |
execute | see common file:execute |
append | see common file:append |
read | see common file:read |
setattr | see common file:setattr |
swapon | see common file:swapon |
write | see common file:write |
lock | see common file:lock |
create | see common file:create |
rename | see common file:rename |
mounton | see common file:mounton |
quotaon | see common file:quotaon |
relabelfrom | see common file:relabelfrom |
link | see common file:link |
open | Open a named socket file. | 2.6.26+ / open_perms

socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

system

Permission | Description | Kernel Version/Capability
ipc_info | Get info for an ipc socket. |
syslog_mod | Perform syslog operation other than syslog_read or console logging. |
syslog_read | Perform syslog read. |
syslog_console | Perform syslog console operation. |

tcp_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |
node_bind | Ability to bind to a node. | 2.6.2+
name_connect | Connect to a specific port number. | 2.6.12+

tun_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.32+
relabelfrom | see common socket:relabelfrom | 2.6.32+
create | see common socket:create | 2.6.32+
read | see common socket:read | 2.6.32+
sendto | see common socket:sendto | 2.6.32+
connect | see common socket:connect | 2.6.32+
recvfrom | see common socket:recvfrom | 2.6.32+
send_msg | see common socket:send_msg | 2.6.32+
bind | see common socket:bind | 2.6.32+
lock | see common socket:lock | 2.6.32+
ioctl | see common socket:ioctl | 2.6.32+
getattr | see common socket:getattr | 2.6.32+
write | see common socket:write | 2.6.32+
setopt | see common socket:setopt | 2.6.32+
getopt | see common socket:getopt | 2.6.32+
listen | see common socket:listen | 2.6.32+
setattr | see common socket:setattr | 2.6.32+
shutdown | see common socket:shutdown | 2.6.32+
relabelto | see common socket:relabelto | 2.6.32+
recv_msg | see common socket:recv_msg | 2.6.32+
accept | see common socket:accept | 2.6.32+
name_bind | see common socket:name_bind | 2.6.32+

udp_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | 2.6.2+

unix_dgram_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

unix_stream_socket

Inherits from: common socket

Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |

Database Object Classes

db_blob

Inherits from: common database

Permission | Description
read | Read a blob.
write | Write a blob.
import | Import a blob.
export | Export a blob.

db_column

Inherits from: common database

Permission | Description
use | Deprecated.
select |
update |
insert |

db_database

Inherits from: common database

Permission | Description
access |
install_module |
load_module |
get_param | Deprecated.
set_param | Deprecated.

db_procedure

Inherits from: common database

Permission | Description
execute | Execute a stored procedure.
entrypoint |
install |

db_table

Inherits from: common database

Permission | Description
use | Deprecated.
select |
update |
insert |
delete |
lock |

db_tuple

Permission | Description
relabelfrom |
relabelto |
use | Deprecated.
select |
update |
insert |
delete |

DBus Object Classes

dbus

Permission | Description
acquire_svc |
send_msg | Send a message on the bus.

MLS Context Translation Object Classes

context

Permission | Description
translate | Translate a raw MLS label.
contains | Calculate an MLS subset.

NSCD Object Classes

nscd

Permission | Description
getpwd |
getgrp |
gethost |
getstat |
admin |
shmempwd |
shmemgrp |
shmemhost |
getserv |
shmemserv |

Password Object Classes

passwd

Permission | Description
passwd | Update user password.
chfn | Change finger information, e.g. real name, work room, work phone and home phone.
chsh | Change login shell.
rootok | Allow update if the user is root and the process has the rootok PAM permission.
crontab | Run crontab on another user.

X Server Object Classes

x_application_data

Permission | Description
paste |
paste_after_confirm |
copy |

x_client

Permission | Description
destroy | Close down a client.
getattr | Get the attributes of an X client.
setattr | Set the attributes of an X client.
manage |

x_colormap

Permission | Description
create | Create a new colormap.
destroy | Free a colormap.
read | Read color cells of a colormap.
write |
getattr | Get the color gamut of a screen.
add_color |
remove_color |
install | Copy a virtual colormap into the display hardware.
uninstall | Remove a virtual colormap from the display hardware.
use |

x_cursor

Permission | Description
create | Create an arbitrary cursor object.
destroy | Delete a cursor object.
read |
write |
getattr | Get attributes of the cursor.
setattr | Set attributes of the cursor.
use | Associate a cursor object with a window.

x_device

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_drawable

Permission | Description
create | Create a Drawable object.
destroy | Destroy a Drawable.
read |
write |
blend |
getattr | Get attributes of a Drawable object.
setattr | Set attributes of a Drawable object.
list_child |
add_child |
remove_child |
list_property |
get_property |
set_property |
manage |
override |
show |
hide |
send |
receive |

x_event

Permission | Description
send |
receive |

x_extension

Permission | Description
query |
use |

x_font

Permission | Description
create | Load a font.
destroy | Free (dereference) a font.
getattr | Obtain font names, path, etc.
add_glyph |
remove_glyph |
use | Use a font for drawing.

x_gc

Permission | Description
create | Create a Graphics Context object.
destroy | Free (dereference) a Graphics Context object.
getattr | Get attributes of a Graphics Context object.
setattr | Set attributes of a Graphics Context object.
use |

x_keyboard

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_pointer

Inherits from: common x_device

Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove

x_property

Permission | Description
create | Create a property object.
destroy | Free (dereference) a property object.
read | Read a property.
write | Write a property.
append | Append to a property.
getattr | Get the attributes of a property.
setattr | Set the attributes of a property.

x_resource

Permission | Description
read |
write |

x_screen

Permission | Description
getattr |
setattr |
hide_cursor |
show_cursor |
saver_getattr |
saver_setattr |
saver_hide |
saver_show |

x_selection

Permission | Description
read |
write |
getattr |
setattr |

x_server

Permission | Description
getattr |
setattr |
record |
debug |
grab |
manage |

x_synthetic_event

Permission | Description
send |
receive |