NB ObjectClassesPermissions

From SELinux Wiki

Object Classes and Permissions

Introduction

This section contains a list of object classes and their associated permissions that have been taken from the Fedora F-20 policy sources. There are also additional entries for Xen. The SEAndroid specific classes and permissions are shown in the Security Enhancements for Android section.

All objects are kernel objects unless marked as user space objects.

In most cases the permissions are self-explanatory as they correspond to the standard Linux function calls (such as 'create a socket' or 'write to a file'). Some SELinux-specific permissions are:

relabelfrom Used on most objects to allow the object's security context to be changed from the current type.
relabelto Used on most objects to allow the object's security context to be changed to the new type.
entrypoint Used for files to indicate that they can be used as an entry point into a domain via a domain transition.
execute_no_trans Used for files to indicate that they can be used as an entry point into the calling domain (i.e. does not require a domain transition).
execmod Generally used for files to indicate that a modified copy of the file can be executed in memory.


Where possible the specific object class permissions are explained, however for some permissions it is difficult to determine what they are used for (or if used at all) so a '?' has been added when doubt exists.

Defining Object Classes and Permissions

The Reference Policy already contains the default object classes and permissions required to manage the system and supporting services.

For those who write or manage SELinux policy, there is no need to define new object classes and their associated permissions, as that is done by those who design and/or write the object managers.

Common Permissions

Common File Permissions

Common file permissions inherited by a number of object classes.

Permissions Description (17 permissions)
append Append to file.
create Create new file.
execute Execute the file with domain transition.
getattr Get file attributes.
ioctl I/O control system call requests.
link Create hard link.
lock Set and unset file locks.
mounton Use as mount point.
quotaon Enable quotas.
read Read file contents.
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.
rename Rename file.
setattr Change file attributes.
swapon Allow file to be used for paging / swapping space. (not used ?)
unlink Delete file (or remove hard link).
write Write or append file contents.


Common Socket Permissions

Common socket permissions inherited by a number of object classes.

Table 32: Common Socket Permissions

Permissions Description (22 Permissions)
accept Accept a connection.
append Write or append socket contents.
bind Bind to a name.
connect Initiate a connection.
create Create new socket.
getattr Get socket information.
getopt Get socket options.
ioctl Get and set attributes via ioctl call requests.
listen Listen for connections.
lock Lock and unlock socket file descriptor.
name_bind AF_INET - Controls the relationship between a socket and the port number. AF_UNIX - Controls the relationship between a socket and the file.

read Read data from socket.
recv_msg Receive datagram.
recvfrom Receive datagrams from socket.
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.
send_msg Send datagram.
sendto Send datagrams to socket.
setattr Change attributes.
setopt Set socket options.
shutdown Terminate connection.
write Write data to socket.


Common IPC Permissions

Common IPC permissions inherited by a number of object classes.

Permissions Description (9 Permissions)
associate shm - Get shared memory ID; msgq - Get message ID; sem - Get semaphore ID.
create Create.
destroy Destroy.
getattr Get information from IPC object.
read shm - Attach shared memory to process; msgq - Read message from queue; sem - Get semaphore value.
setattr Set IPC object information.
unix_read Read.
unix_write Write or append.
write shm - Attach shared memory to process; msgq - Send message to message queue; sem - Change semaphore value.


Common Database Permissions

Common database permissions inherited by a number of object classes. The "Security-Enhanced PostgreSQL Security Wiki" [2] explains the objects, their permissions and how they should be used in detail.

Permissions Description (6 Permissions)
create Create a database object such as a 'TABLE'.
drop Delete (DROP) a database object.
getattr Get metadata - needed to reference an object (e.g. SELECT ... FROM ...).
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.
setattr Set metadata - this permission is required to update information in the database (e.g. ALTER ...).


Common X_Device Permissions

Common x_device permissions inherited by the X-Windows x_keyboard and x_pointer object classes.

Permissions Description (19 permissions)
add
bell
create
destroy
force_cursor Get window focus.
freeze
get_property Required to create a device context. (source code)
getattr
getfocus
grab Set window focus.
list_property
manage
read
remove
set_property
setattr
setfocus
use
write


File Object Classes

Class filesystem - A mounted filesystem
Permissions Description (10 unique permissions)
associate Use type as label for file.
getattr Get file attributes.
mount Mount filesystem.
quotaget Get quota information.
quotamod Modify quota information.
relabelfrom Change the security context based on existing type.
relabelto Change the security context based on the new type.
remount Remount existing mount.
transition Transition to a new SID (change security context).
unmount Unmount filesystem.


Class dir - Directory
Permissions Description (Inherit 17 common file permissions + 7 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
add_name Add entry to the directory.
audit_access The rules for this permission work as follows: if a process calls access() or faccessat() and SELinux denies the request, there is a check for a dontaudit rule on the audit_access permission. If there is a dontaudit rule on audit_access, an AVC event will not be written. If there is no dontaudit rule, an AVC event will be written for the permissions requested (read, write, or exec).

Notes:

  1. There will never be a denial message with the audit_access permission as this permission does not control security decisions.
  2. allow and auditallow rules with this permission are therefore meaningless; the kernel will accept a policy with such rules, but they will do nothing.


execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.
remove_name Remove an entry from the directory.
reparent Change parent directory.
rmdir Remove directory.
search Search directory.


Class file - Ordinary file
Permissions Description (Inherit 17 common file permissions + 5 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
entrypoint Entry point permission for a domain transition.
execute_no_trans Execute in the caller's domain (i.e. no domain transition).
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.
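
The following policy fragment is an added illustration of how the file, dir, filesystem and process permissions described above combine in practice; it is not taken from the Fedora policy sources, and all types (myapp_t, myapp_exec_t, myapp_helper_exec_t, myapp_data_t, myapp_archive_t, myapp_secret_t) are hypothetical, while init_t and fs_t are assumed to exist in the surrounding policy.

```selinux
# Added illustration, not from the policy sources. All myapp_* types are
# hypothetical; init_t and fs_t are assumed to be declared elsewhere.
type myapp_t;               # the domain the service runs in
type myapp_exec_t;          # label of the service binary
type myapp_helper_exec_t;   # label of a helper binary run without a transition
type myapp_data_t;          # files the service creates in its working directory
type myapp_archive_t;       # type a data file is relabelled to when archived
type myapp_secret_t;        # files the service may probe but must not read

# 1. Domain transition on exec (see the intro: entrypoint). Three checks:
#    the caller executes the binary, the new domain accepts the binary as
#    its entry point, and the caller may transition into the new domain.
allow init_t myapp_exec_t:file { getattr open read execute };
allow myapp_t myapp_exec_t:file entrypoint;
allow init_t myapp_t:process transition;
type_transition init_t myapp_exec_t:process myapp_t;

# 2. Running a helper in the caller's own domain (execute_no_trans): the
#    helper stays in myapp_t and gains nothing beyond what myapp_t holds.
allow myapp_t myapp_helper_exec_t:file { getattr open read execute execute_no_trans };

# 3. Working directory: search traverses the path, add_name/remove_name
#    change directory entries, and the file class covers the file itself.
allow myapp_t myapp_data_t:dir { search open read getattr write add_name remove_name };
allow myapp_t myapp_data_t:file { create open read write append getattr setattr unlink };

# 4. Relabelling needs both halves: relabelfrom on the old type, relabelto
#    on the new one, and the new type must be allowed on the filesystem.
allow myapp_t myapp_data_t:file relabelfrom;
allow myapp_t myapp_archive_t:file relabelto;
allow myapp_archive_t fs_t:filesystem associate;

# 5. audit_access: the service calls access(2) on secret files to decide
#    what to display. The denials are expected, so suppress the AVC message
#    without granting read. (An allow on audit_access would be a no-op.)
dontaudit myapp_t myapp_secret_t:file audit_access;
```

Loaded in permissive mode, rules 1 and 3 are the ones whose absence shows up as AVC denials on execute, entrypoint, transition, add_name or create; rule 5 produces no denial at all, which is the point of audit_access.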


Class lnk_file - Symbolic links
Permissions Description (Inherit 17 common file permissions + 3 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.


Class chr_file - Character files
Permissions Description (Inherit 17 common file permissions + 5 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
entrypoint Entry point permission for a domain transition.
execute_no_trans Execute in the caller's domain (i.e. no domain transition).
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to open a character device.


Class blk_file - Block files
Permissions Description (Inherit 17 common file permissions + 3 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.


Class sock_file - UNIX domain sockets
Permissions Description (Inherit 17 common file permissions + 3 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.


Class fifo_file - Named pipes
Permissions Description (Inherit 17 common file permissions + 3 unique)
Inherit Common File Permissions append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write
audit_access See the dir class for details
execmod Make executable a file that has been modified by copy-on-write.
open Added in 2.6.26 Kernel to control the open permission.


Class fd - File descriptors
Permissions Description (1 unique permission)
use 1) Inherit fd when a process is executed and the domain has been changed. 2) Receive fd from another process by Unix domain socket. 3) Get and set attributes of fd.


Network Object Classes

Class node - IP address or range of IP addresses
Permissions Description (11 unique permissions)
dccp_recv Allow Datagram Congestion Control Protocol receive packets.
dccp_send Allow Datagram Congestion Control Protocol send packets.
enforce_dest Ensure that destination node can enforce restrictions on the destination socket.
rawip_recv Receive raw IP packet.
rawip_send Send raw IP packet.
recvfrom Network interface and address check permission for use with the ingress permission.
sendto Network interface and address check permission for use with the egress permission.
tcp_recv Receive TCP packet.
tcp_send Send TCP packet.
udp_recv Receive UDP packet.
udp_send Send UDP packet.


Class netif - Network Interface (e.g. eth0)
Permissions Description (10 unique permissions)
dccp_recv Allow Datagram Congestion Control Protocol receive packets.
dccp_send Allow Datagram Congestion Control Protocol send packets.
egress Each packet leaving the system must pass an egress access control. Also requires the node sendto permission.
ingress Each packet entering the system must pass an ingress access control. Also requires the node recvfrom permission.
rawip_recv Receive raw IP packet.
rawip_send Send raw IP packet.
tcp_recv Receive TCP packet.
tcp_send Send TCP packet.
udp_recv Receive UDP packet.
udp_send Send UDP packet.


Class socket - Socket that is not part of any other specific SELinux socket object class.
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class tcp_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_STREAM
Permissions Description (Inherit 22 common socket permissions + 5 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
acceptfrom Accept connection from client socket.
connectto Connect to server socket.
name_connect Connect to a specific port type.
newconn Create new connection.
node_bind Bind to a node.


Class udp_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_DGRAM
Permissions Description (Inherit 22 common socket permissions + 1 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
node_bind Bind to a node.


Class rawip_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_RAW
Permissions Description (Inherit 22 common socket permissions + 1 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
node_bind Bind to a node.


Class packet_socket - Protocol: PF_PACKET Family Type: All.
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class unix_stream_socket - Communicate with processes on same machine. Protocol: PF_STREAM Family Type: SOCK_STREAM
Permissions Description (Inherit 22 common socket permissions + 3 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
acceptfrom Accept connection from client socket.
connectto Connect to server socket.
newconn Create new socket for connection.


Class unix_dgram_socket - Communicate with processes on same machine. Protocol: PF_STREAM Family Type: SOCK_DGRAM
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class tun_socket - TUN is a virtual point-to-point network device driver to support IP tunnelling.
Permissions Description (Inherit 22 common socket permissions + 1 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
attach_queue


IPSec Network Object Classes

Class association - IPSec security association
Permissions Description (4 unique permissions)
polmatch Match IPSec Security Policy Database (SPD) context (-ctx) entries to an SELinux domain (contained in the Security Association Database (SAD)).
recvfrom Receive from an IPSec association.
sendto Send to an IPSec association.
setcontext Set the context of an IPSec association on creation.


Class key_socket - IPSec key management. Protocol: PF_KEY Family Type: All
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class netlink_xfrm_socket - Netlink socket to maintain IPSec parameters.
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Get IPSec configuration information.
nlmsg_write Set IPSec configuration information.


Netlink Object Classes

Netlink sockets communicate between userspace and the kernel.


Class netlink_socket - Netlink socket that is not part of any specific SELinux Netlink socket class. Protocol: PF_NETLINK Family Type: All other types that are not part of any other specific netlink object class.
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write



Class netlink_route_socket - Netlink socket to manage and control network resources.
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Read kernel routing table.
nlmsg_write Write to kernel routing table.


Class netlink_firewall_socket - Netlink socket for firewall filters.
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Read netlink message.
nlmsg_write Write netlink message.


Class netlink_tcpdiag_socket - Netlink socket to monitor TCP connections.
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Request information about a protocol.
nlmsg_write Write netlink message.


Class netlink_nflog_socket - Netlink socket for Netfilter logging
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class netlink_selinux_socket - Netlink socket to receive SELinux events such as a policy or boolean change.
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class netlink_audit_socket - Netlink socket for audit service.
Permissions Description (Inherit 22 common socket permissions + 5 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Query status of audit service.
nlmsg_readpriv List auditing configuration rules.
nlmsg_relay Send userspace audit messages to the audit service.
nlmsg_tty_audit Control TTY auditing.
nlmsg_write Update audit service configuration.


Class netlink_ip6fw_socket - Netlink socket for IPv6 firewall filters.
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
nlmsg_read Read netlink message.
nlmsg_write Write netlink message.


Class netlink_dnrt_socket - Netlink socket for DECnet routing
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class netlink_kobject_uevent_socket - Netlink socket to send kernel events to userspace.
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Miscellaneous Network Object Classes

Class peer - NetLabel and Labeled IPsec have separate access controls, the network peer label consolidates these two access controls into a single one (see http://paulmoore.livejournal.com/1863.html for details).
Permissions Description (1 unique permission)
recv Receive packets from a labeled networking peer.


Class packet - Supports 'secmark' services, where iptables is used to select and label packets; SELinux then enforces policy using these packet labels.
Permissions Description (7 unique permissions)
flow_in Receive external packets. (deprecated)
flow_out Send packets externally. (deprecated)
forward_in Allow inbound forwarded packets.
forward_out Allow outbound forwarded packets.
recv Receive inbound locally consumed packets.
relabelto Control how domains can apply specific labels to packets.
send Send outbound locally generated packets.
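
The following policy fragment is an added illustration, not from the policy sources, of how the netif, node, tcp_socket, packet and peer permissions above are paired for a network service: netif:ingress with node:recvfrom, netif:egress with node:sendto, port binding via name_bind on the port type and node_bind on the node, and secmark and peer labels on received traffic. All types (myapp_t, myapp_port_t, external_if_t, external_node_t, myapp_server_packet_t, myapp_peer_t) are hypothetical; the port, interface, node and packet types are assumed to be assigned with portcon, netifcon, nodecon and iptables SECMARK rules respectively.

```selinux
# Added illustration, not from the policy sources. All types are hypothetical.
type myapp_t;                # the service domain
type myapp_port_t;           # port type (assigned with a portcon statement)
type external_if_t;          # netif type (assigned with a netifcon statement)
type external_node_t;        # node type (assigned with a nodecon statement)
type myapp_server_packet_t;  # secmark label set by an iptables SECMARK rule
type myapp_peer_t;           # peer label delivered by NetLabel or labeled IPsec

# Socket lifecycle on the domain's own sockets (common socket permissions).
allow myapp_t self:tcp_socket { create bind listen accept getattr setopt read write shutdown };

# Listening: name_bind is checked against the port type, node_bind against
# the address the socket is bound to.
allow myapp_t myapp_port_t:tcp_socket name_bind;
allow myapp_t external_node_t:tcp_socket node_bind;

# Outbound connections to the same port type are a separate permission.
allow myapp_t myapp_port_t:tcp_socket name_connect;

# Per-packet interface and address checks: ingress pairs with recvfrom,
# egress pairs with sendto (see the netif and node classes).
allow myapp_t external_if_t:netif { ingress egress };
allow myapp_t external_node_t:node { recvfrom sendto };

# Secmark: only packets iptables has labeled myapp_server_packet_t may be
# received by or sent from the domain; packets with any other label are denied.
allow myapp_t myapp_server_packet_t:packet { recv send };

# Labeled peer: accept traffic only from a peer carrying myapp_peer_t.
allow myapp_t myapp_peer_t:peer recv;
```

Without the SECMARK rules on the iptables side every packet keeps the unlabeled packet type, so the packet:recv rule above would deny all traffic; the label and the policy have to be deployed together.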


Class appletalk_socket - Appletalk socket
Permissions Description (Inherit 22 common socket permissions)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write


Class dccp_socket - Datagram Congestion Control Protocol (DCCP)
Permissions Description (Inherit 22 common socket permissions + 2 unique)
Inherit Common Socket Permissions accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write
name_connect Allow DCCP name connect().
node_bind Allow DCCP bind().


IPC Object Classes

Class ipc - Interprocess communications
Permissions Description (Inherit 9 common IPC permissions)
Inherit Common IPC Permissions associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write


Class sem - Semaphores
Permissions Description (Inherit 9 common IPC permissions)
Inherit Common IPC Permissions associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write


Class msgq - IPC Message queues
Permissions Description (Inherit 9 common IPC permissions + 1 unique)
Inherit Common IPC Permissions associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write
enqueue Send message to message queue.


Class msg - Message in a queue
Permissions Description (2 unique permissions)
receive Read (and remove) message from queue.
send Add message to queue.


Class shm - Shared memory segment
Permissions Description (Inherit 9 common IPC permissions + 1 unique)
Inherit Common IPC Permissions associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write
lock Lock or unlock shared memory.


Process Object Class

Class process - An object is instantiated for each process created by the system.
Permissions Description (31 unique permissions)
dyntransition Dynamically transition to a new context using setcon(3).
execheap Make the heap executable.
execmem Make executable an anonymous mapping or private file mapping that is writable.
execstack Make the main process stack executable.
fork Create new process using fork(2).
getattr Get process security information.
getcap Get Linux capabilities of process.
getpgid Get group Process ID of another process.
getsched Get scheduling information of another process.
getsession Get session ID of another process.
noatsecure Disable secure mode environment cleansing.
ptrace Trace program execution of parent (ptrace(2)).
ptrace_child Trace program execution of child (ptrace(2)).
rlimitinh Inherit rlimit information from parent process.
setcap Set Linux capabilities of process.
setcurrent Set the current process context.
setexec Set security context of executed process by setexecon(3).
setfscreate Set security context by setfscreatecon(3).
setkeycreate Set security context by setkeycreatecon(3).
setpgid Set group Process ID of another process.
setrlimit Change process rlimit information.
setsched Modify scheduling information of another process.
setsockcreate Set security context by setsockcreatecon(3).
share Allow state sharing with cloned or forked process.
sigchld Send SIGCHLD signal.
siginh Inherit signal state from parent process.
sigkill Send SIGKILL signal.
signal Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
signull Test for the existence of another process without sending a signal.
sigstop Send SIGSTOP signal.
transition Transition to a new context on exec().


Security Object Class

Class security - This is the security server object and there is only one instance of this object (for the SELinux security server).
Permissions Description (12 unique permissions)
check_context Determine whether the context is valid by querying the security server.
compute_av Compute an access vector given a source, target and class.
compute_create Determine context to use when querying the security server about a transition rule (type_transition).
compute_member Determine context to use when querying the security server about a membership decision (type_member for a polyinstantiated object).
compute_relabel Determine the context to use when querying the security server about a relabeling decision (type_change).
compute_user Determine the context to use when querying the security server about a user decision (user).
load_policy Load the security policy into the kernel (the security server).
read_policy Read the kernel policy to userspace.
setbool Change a boolean value within the active policy.
setcheckreqprot Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap / mprotect.
setenforce Change the enforcement state of SELinux (permissive or enforcing).
setsecparam Set kernel access vector cache tuning parameters.


System Operation Object Class

Class system - This is the overall system object and there is only one instance of this object.
Permissions Description (12 unique permissions)
disable Allow services to be disabled.
enable Allow services to be enabled.
halt Allow the system to be halted.
ipc_info Get info about an IPC object.
module_request Request the kernel to load a module.
reboot Allow system to be rebooted.
reload Allow services to be reloaded.
status Get system status information.
syslog_console Control output of kernel messages to the console with syslog(2).
syslog_mod Clear kernel message buffer with syslog(2).
syslog_read Read kernel message with syslog(2).
undefined Allow an undefined operation.


Kernel Service Object Class

Class kernel_service - Used to add kernel services.
Permissions Description (2 unique permissions)
use_as_override Grant a process the right to nominate an alternate process SID for the kernel to use as an override for the SELinux subjective security when accessing information on behalf of another process. For example, CacheFiles, when accessing the cache on behalf of a process accessing an NFS file, needs to use a subjective security ID appropriate to the cache rather than the one the calling process is using. The cachefilesd daemon will nominate the security ID to be used.
create_files_as Grant a process the right to nominate a file creation label for a kernel service to use.


Capability Object Classes

Class capability - Used to manage the Linux capabilities granted to root processes. Taken from the header file /usr/include/linux/capability.h

Permissions Description (32 unique permissions)
audit_control Change auditing rules. Set login UID.
audit_write Send audit messages from user space.
chown Allow changing file and group ownership.
dac_override Overrides all DAC including ACL execute access.
dac_read_search Overrides DAC for read and directory search.
fowner Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden.
fsetid Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.
ipc_lock Grants the capability to lock non-shared and shared memory segments.
ipc_owner Grant the ability to ignore IPC ownership checks.
kill Allow signal raising for any process.
lease Grants ability to take leases on a file.
linux_immutable Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
mknod Grants permission to creation of character and block device nodes.
net_admin Allow the following: interface configuration; administration of IP firewall; masquerading and accounting; setting debug option on sockets; modification of routing tables; setting arbitrary process / group ownership on sockets; binding to any address for transparent proxying; setting TOS (type of service); setting promiscuous mode; clearing driver statistics; multicasting; read/write of device-specific registers; activation of ATM control sockets.
net_bind_service Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM.
net_raw Allows opening of raw sockets and packet sockets.
net_broadcast Grant network broadcasting and listening to incoming multicasts.
setfcap Allow the assignment of file capabilities.
setgid Allow setgid(2), setgroups(2), and fake gids on credentials passed over a socket.
setpcap Transfer capability maps from current process to any process.
setuid Allow all setuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket.
sys_admin Allow the following: configuration of the secure attention key; administration of the random device; examination and configuration of disk quotas; configuring the kernel's syslog; setting the domainname; setting the hostname; calling bdflush(); mount() and umount(), setting up new smb connection; some autofs root ioctls; nfsservctl; VM86_REQUEST_IRQ; to read/write pci config on alpha; irix_prctl on mips (setstacksize); flushing all cache on m68k (sys_cacheflush); removing semaphores; locking/unlocking of shared memory segment; turning swap on/off; forged pids on socket credentials passing; setting readahead and flushing buffers on block devices; setting geometry in floppy driver; turning DMA on/off in xd driver; administration of md devices; tuning the ide driver; access to the nvram device; administration of apm_bios, serial and bttv (TV) device; manufacturer commands in isdn CAPI support driver; reading non-standardized portions of pci configuration space; DDI debug ioctl on sbpcd driver; setting up serial ports; sending raw qic-117 commands; enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; setting encryption key on loopback filesystem; setting zone reclaim policy.
sys_boot Grant ability to reboot the system.
sys_chroot Grant use of the chroot(2) call.
sys_module Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernel's bounding capability mask. See sysctl.
sys_nice Grants privilage to change priority of any process. Grants change of scheduling algorithm used by any process.
sys_pacct Allow modification of accounting for any process.
sys_ptrace Allow ptrace of any process.
sys_rawio Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb.
sys_resource Override the following: resource limits; quota limits; reserved space on ext2 filesystem; size restrictions on IPC message queues; max number of consoles on console allocation; max number of keymaps. Set resource limits. Modify data journaling mode on ext3 filesystem. Allow more than 64hz interrupts from the real-time clock.

sys_time Grant permission to set the system time and to set the real-time clock.
sys_tty_config Grant permission to configure tty devices.


Class capability2
Permissions Description (7 unique permissions)
block_suspend Prevent system suspends (was epollwakeup).
compromise_kernel Allow tasks that can modify the running kernel (Secure Boot).
mac_admin Allow MAC configuration state changes. For SELinux, allow contexts not defined in the policy to be assigned. This is called 'deferred mapping of security contexts' and is explained at: http://www.nsa.gov/research/selinux/list-archive/0805/26046.shtml

mac_override Allow MAC policy to be overridden.
syslog Allow configuration of kernel syslog (printk behaviour).
wake_alarm Trigger the system to wake up.


X Windows Object Classes

These are userspace objects managed by XSELinux.


Class x_drawable - The drawable parameter specifies the area into which the text will be drawn. It may be either a pixmap or a window.

Some of the permission information has been extracted from an email describing them in terms of an MLS system.

Permissions Description (19 unique permissions)
add_child Add new window. Normally SystemLow for MLS systems.
blend There are two cases: 1) Allow a non-root window to have a transparent background. 2) The application is redirecting the contents of the window and its sub-windows into a memory buffer when using the Composite extension. Only SystemHigh processes should have the blend permission on the root window.
create Create a drawable object. Not applicable to the root window as it cannot be created.
destroy Destroy a drawable object. Not applicable to the root window as it cannot be destroyed.
get_property Read property information. Normally SystemLow for MLS systems.
getattr Get attributes from a drawable object. Most applications will need this so SystemLow.
hide Hide a drawable object. Not applicable to the root window as it cannot be hidden.
list_child Allows all child window IDs to be returned. From the root window it will show the client that owns the window and their stacking order. If hiding this information is required then processes should be SystemHigh.
list_property List property associated with a window. Normally SystemLow for MLS systems.
manage Required to create a context, move and resize windows. Not applicable to the root window as it cannot be resized etc.
override Allow setting the override-redirect bit on the window. Not applicable to the root window as it cannot be overridden.
read Read window contents. Note that this will also give read permission to all child windows, therefore (for MLS), only SystemHigh processes should have read permission on the root window.
receive Allow receiving of events. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation).
remove_child Remove child window. Normally SystemLow for MLS systems.
send Allow sending of events. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation).
set_property Set property. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation. Polyinstantiation may be required).
setattr Allow window attributes to be set. This permission protects operations on the root window such as setting the background image or colour, setting the colormap and setting the mouse cursor to display when the cursor is in the window, therefore only SystemHigh processes should have the setattr permission.
show Show window. Not applicable to the root window as it cannot be hidden.
write Draw within a window. Note that this will also give write permission to all child windows, therefore (for MLS), only SystemHigh processes should have write permission on the root window.



Class x_screen - The specific screen available to the display (X-server) (hostname:display_number.screen)
Permissions Description (8 unique permissions)
getattr
hide_cursor
saver_getattr
saver_hide
saver_setattr
saver_show
setattr
show_cursor


Class x_gc - A graphics context allows the X-server to cache information about how graphics requests should be interpreted. It reduces the network traffic.
Permissions Description (5 unique permissions)
create Create Graphic Contexts object.
destroy Free (dereference) a Graphics Contexts object.
getattr Get attributes from Graphic Contexts object.
setattr Set attributes for Graphic Contexts object.
use Allow GC contexts to be used.


Class x_font - An X-server resource for managing the different fonts.
Permissions Description (6 unique permissions)
add_glyph Create glyph for cursor
create Load a font.
destroy Free a font.
getattr Obtain font names, path, etc.
remove_glyph Free glyph
use Use a font.


Class x_colormap - An X-server resource for managing colour mapping. A new colormap can be created using XCreateColormap.
Permissions Description (10 unique permissions)
add_color Add a colour
create Create a new Colormap.
destroy Free a Colormap.
getattr Get the color gamut of a screen.
install Copy a virtual colormap into the display hardware.
read Read color cells of colormap.
remove_color Remove a colour
uninstall Remove a virtual colormap from the display hardware.
use Use a colormap
write Change color cells in colormap.


Class x_property - An InterClient Communications (ICC) service where each property has a name and ID (or Atom). Properties are attached to windows and can be uniquely identified by the windowID and propertyID. XSELinux supports polyinstantiation of properties.
Permissions Description (7 unique permissions)
append Append a property.
create Create property object.
destroy Free (dereference) a property object.
getattr Get attributes of a property.
read Read a property.
setattr Set attributes of a property.
write Write a property.


Class x_selection - An InterClient Communications (ICC) service that allows two parties to communicate about passing information. The information uses properties to define the format (e.g. whether text or graphics). XSELinux supports polyinstantiation of selections.
Permissions Description (4 unique permissions)
getattr Get selection owner (XGetSelectionOwner).
read Read the information from the selection owner
setattr Set the selection owner (XSetSelectionOwner).
write Send the information to the selection requestor.


Class x_cursor - The cursor on the screen
Permissions Description (7 unique permissions)
create Create an arbitrary cursor object.
destroy Free (dereference) a cursor object.
getattr Get attributes of the cursor.
read Read the cursor.
setattr Set attributes of the cursor.
use Associate a cursor object with a window.
write Write a cursor


Class x_client - The X-client connecting to the X-server.
Permissions Description (4 unique permissions)
destroy Close down a client.
getattr Get attributes of X-client.
manage Required to create an X-client context. (source code)
setattr Set attributes of X-client.


Class x_device - These are any other devices used by the X-server as the keyboard and pointer devices have their own object classes.
Permissions Description (Inherit 19 common x_device permissions)
Inherit Common X_Device Permissions add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write


Class x_server - The X-server that manages the display, keyboard and pointer.
Permissions Description (6 unique permissions)
debug
getattr
grab
manage Required to create a context. (source code)
record
setattr


Class x_extension - An X-Windows extension that can be added to the X-server (such as the XSELinux object manager itself).
Permissions Description (2 unique permissions)
query Query for an extension.
use Use the extensions services.


Class x_resource - These consist of Windows, Pixmaps, Fonts, Colormaps etc. that are classed as resources.
Permissions Description (2 unique permissions)
read Allow reading a resource.
write Allow writing to a resource.


Class x_event - Manage X-server events.
Permissions Description (2 unique permissions)
receive Receive an event
send Send an event


Class x_synthetic_event - Manage some X-server events (e.g. confignotify). Note the x_event permissions will still be required (it's magic).
Permissions Description (2 unique permissions)
receive Receive an event
send Send an event


Class x_application_data - Not specifically used by XSELinux, however it is used by userspace applications that need to manage copy and paste services (such as the CUT_BUFFERs).
Permission Description (3 unique permissions)
copy Copy the data
paste Paste the data
paste_after_confirm Need to confirm that the paste is allowed.


Class x_pointer - The mouse or other pointing device managed by the X-server.
Permissions Description (Inherit 19 common x_device permissions)
Inherit Common X_Device Permissions add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write


Class x_keyboard - The keyboard managed by the X-server.
Permissions Description (Inherit 19 common x_device permissions)
Inherit Common X_Device Permissions add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write


Database Object Classes

These are userspace objects - The PostgreSQL database supports these with their SE-PostgreSQL database extension. The "Security-Enhanced PostgreSQL Security Wiki" [2] explains the objects, their permissions and how they should be used in detail.


Class db_database
Permission Description (Inherit 6 common database permissions + 3 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
access Required to connect to the database - this is the minimum permission required by an SE-PostgreSQL client.
install_module Required to install a dynamic link library.
load_module Required to load a dynamic link library.



Class db_table
Permission Description (Inherit 6 common database permissions + 5 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
delete Required to delete from a table with a DELETE statement, or when removing the table contents with a TRUNCATE statement.
insert Required to insert into a table with an INSERT statement, or when restoring it with a COPY FROM statement.
lock Required to get a table lock with a LOCK statement.
select Required to refer to a table with a SELECT statement or to dump the table contents with a COPY TO statement.
update Required to update a table with an UPDATE statement.


Class db_schema
Permission Description (Inherit 6 common database permissions + 3 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
search Search for an object in the schema.
add_name Add an object to the schema.
remove_name Remove an object from the schema.


Class db_procedure
Permission Description (Inherit 6 common database permissions + 3 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
entrypoint Required for any functions defined as Trusted Procedures.
execute Required for functions executed with SQL queries.
install


Class db_column
Permission Description (Inherit 6 common database permissions + 3 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
insert Required to insert a new entry using the INSERT statement.
select Required to reference columns.
update Required to update a table with an UPDATE statement.


Class db_tuple
Permission Description (7 unique)
delete Required to delete entries with a DELETE or TRUNCATE statement.
insert Required when inserting a entry with an INSERT statement, or restoring tables with a COPY FROM statement.
relabelfrom The security context of an entry can be changed with an UPDATE to the security_context column at which time relabelfrom and relabelto permission is evaluated. The client must have relabelfrom permission to the security context before the entry is changed, and relabelto permission to the security context after the entry is changed.
relabelto
select Required when: reading entries with a SELECT statement, returning entries that are subjects for updating queries with a RETURNING clause, or dumping tables with a COPY TO statement. Entries that the client does not have select permission on will be filtered from the result set.

update Required when updating an entry with an UPDATE statement. Entries that the client does not have update permission on will not be updated.
use Controls usage of system objects that require permission to "use" objects such as data types, tablespaces and operators.


Class db_blob
Permission Description (Inherit 6 common database permissions + 4 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
export Export a binary large object by calling the lo_export() function.
import Import a file as a binary large object by calling the lo_import() function.
read Read a binary large object with the loread() function.
write Write a binary large object with the lowrite() function.


Class db_view
Permission Description (Inherit 6 common database permissions + 1 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
expand Allows the expansion of a 'view'.


Class db_sequence - A sequential number generator
Permission Description (Inherit 6 common database permissions + 3 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
get_value Get a value from the sequence generator object.
next_value Get and increment value.
set_value Set an arbitrary value.


Class db_language - Support for script languages such as Perl and Tcl for SQL Procedures
Permission Description (Inherit 6 common database permissions + 2 unique)
Inherit Common Database Permissions create, drop, getattr, relabelfrom, relabelto, setattr
implement Whether the language can be implemented or not for the SQL procedure.
execute Allow the execution of a code block using a 'DO' statement.


Miscellaneous Object Classes

Class passwd - This is a userspace object for controlling changes to passwd information.
Permissions Description (5 unique permissions)
chfn Change another user's finger info.
chsh Change another user's shell.
crontab Use crontab for another user.
passwd Change another user's passwd.
rootok pam_rootok check - skip authentication.


Class nscd - This is a userspace object for the Name Service Cache Daemon.
Permission Description (12 unique permissions)
admin Allow the nscd daemon to be shut down.
getgrp Get group information.
gethost Get host information.
getnetgrp
getpwd Get password information.
getserv Get ?? information.
getstat Get the AVC stats from the nscd daemon.
shmemgrp Get shmem group file descriptor.
shmemhost Get shmem host descriptor. ??
shmemnetgrp
shmempwd
shmemserv


Class dbus - This is a userspace object for the D-BUS Messaging service that is required to run various services.
Permission Description (2 unique permissions)
acquire_svc Open a virtual circuit (communications channel).
send_msg Send a message.


Class context - This is a userspace object for the translation daemon mcstransd. These permissions are required to allow translation and querying of level and ranges for MCS and MLS systems.
Permission Description (2 unique permissions)
contains Calculate an MLS/MCS subset - Required to check what the configuration file contains.
translate Translate a raw MLS/MCS label - Required to allow a domain to translate contexts.


Class key - This is a kernel object to manage Keyrings.
Permission Description (7 unique permissions)
create Create a keyring.
link Link a key into the keyring.
read Read a keyring.
search Search a keyring.
setattr Change permissions on a keyring.
view View a keyring.
write Add a key to the keyring.


Class memprotect - This is a kernel object to protect lower memory blocks.
Permission Description (1 unique permission)
mmap_zero Security check on mmap operations to see if the user is attempting to mmap to the low area of the address space. The amount of space protected is indicated by a proc tunable (/proc/sys/vm/mmap_min_addr). Setting this value to 0 will disable the checks. The "SELinux hardening for mmap_min_addr protections" describes additional checks that will be added to the kernel to protect against some kernel exploits (by requiring CAP_SYS_RAWIO (root) and the SELinux memprotect / mmap_zero permission instead of only one or the other).


Class service - This is a userspace object to manage systemd services.
Permission Description (8 unique permissions)
disable Disable services.
enable Enable services.
kill Kill services.
load Load services.
reload Restart systemd services.
start Start systemd services.
status Read service status.
stop Stop systemd services.


Class proxy - This is a userspace object for gssd services.
Permission Description (1 unique permission)
read Read credentials.

