NB ObjectClassesPermissions
Contents
- 1 Object Classes and Permissions
- 1.1 Introduction
- 1.2 Defining Object Classes and Permissions
- 1.3 Common Permissions
- 1.4 File Object Classes
- 1.5 Network Object Classes
- 1.6 IPC Object Classes
- 1.7 Process Object Class
- 1.8 Security Object Class
- 1.9 System Operation Object Class
- 1.10 Kernel Service Object Class
- 1.11 Capability Object Classes
- 1.12 X Windows Object Classes
- 1.13 Database Object Classes
- 1.14 Miscellaneous Object Classes
Object Classes and Permissions
Introduction
This section contains a list of object classes and their associated permissions that have been taken from the Fedora F-20 policy sources. There are also additional entries for Xen. The SEAndroid specific classes and permissions are shown in the Security Enhancements for Android section.
All objects are kernel objects unless marked as user space objects.
In most cases the permissions are self explanatory as they are those used in the standard Linux function calls (such as 'create a socket' or 'write to a file'). Some SELinux specific permissions are:
relabelfrom | Used on most objects to allow the objects security context to be changed from the current type. |
relabelto | Used on most objects to allow the objects security context to be changed to the new type. |
entrypoint | Used for files to indicate that they can be used as an entry point into a domain via a domain transition. |
execute_no_trans | Used for files to indicate that they can be used as an entry point into the calling domain (i.e. does not require a domain transition). |
execmod | Generally used for files to indicate that a file mapping which has been modified (copy-on-write) can be made executable in memory. |
Where possible the specific object class permissions are explained, however for some permissions it is difficult to determine what they are used for (or if used at all) so a '?' has been added when doubt exists.
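The permissions listed above are easiest to understand in the context of a domain transition. The following policy fragment is an added example, not text or code from the SELinux Notebook or the Reference Policy; all type names (myshell_t, myapp_t, myapp_exec_t, myhelper_exec_t) are assumed for illustration, and the fragment belongs in a policy module where the standard class declarations are already present.

```selinux
# Added example: minimal rules for a domain transition, and the contrast
# with execute_no_trans. Type names are assumed for illustration.

type myshell_t;          # the calling domain (e.g. a user's shell)
type myapp_t;            # the new domain the program will run in
type myapp_exec_t;       # label on the program file on disk

# 1. The caller may execute files labelled myapp_exec_t
allow myshell_t myapp_exec_t : file { read getattr open execute };

# 2. myapp_exec_t is a valid entry point into the myapp_t domain
allow myapp_t myapp_exec_t : file entrypoint;

# 3. The caller may change its process context to myapp_t
allow myshell_t myapp_t : process transition;

# 4. Make the transition automatic when myshell_t executes myapp_exec_t
type_transition myshell_t myapp_exec_t : process myapp_t;

# Contrast: a helper binary that should run in the caller's own domain
# needs execute_no_trans instead of entrypoint, and no process transition.
type myhelper_exec_t;
allow myshell_t myhelper_exec_t : file { read getattr open execute execute_no_trans };
```

All three of rules 1 to 3 must be present for the exec() to succeed in enforcing mode: execute on the file for the source domain, entrypoint on the file for the target domain, and transition on the process for the source-to-target pair. Rule 4 only makes the transition the default; without it the caller would have to request the new context explicitly with setexeccon(3), which in turn requires the setexec process permission.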
Defining Object Classes and Permissions
The Reference Policy already contains the default object classes and permissions required to manage the system and supporting services.
For those who write or manage SELinux policy there is no need to define new object classes and their associated permissions, as this is done by those who design and/or write the object managers.
Common Permissions
Common File Permissions
Common file permissions inherited by a number of object classes.
Permissions | Description (17 permissions) |
append | Append to file. |
create | Create new file. |
execute | Execute the file with domain transition. |
getattr | Get file attributes. |
ioctl | I/O control system call requests. |
link | Create hard link. |
lock | Set and unset file locks. |
mounton | Use as mount point. |
quotaon | Enable quotas. |
read | Read file contents. |
relabelfrom | Change the security context based on existing type. |
relabelto | Change the security context based on the new type. |
rename | Rename file. |
setattr | Change file attributes. |
swapon | Allow file to be used for paging / swapping space. (not used ?) |
unlink | Delete file (or remove hard link). |
write | Write or append file contents. |
Common Socket Permissions
Common socket permissions inherited by a number of object classes.
Table 32: Common Socket Permissions
Permissions | Description (22 Permissions) |
accept | Accept a connection. |
append | Write or append socket contents. |
bind | Bind to a name. |
connect | Initiate a connection. |
create | Create new socket. |
getattr | Get socket information. |
getopt | Get socket options. |
ioctl | Get and set attributes via ioctl call requests. |
listen | Listen for connections. |
lock | Lock and unlock socket file descriptor. |
name_bind | AF_INET - Controls relationship between a socket and the port number. AF_UNIX - Controls relationship between a socket and the file. |
read | Read data from socket. |
recv_msg | Receive datagram. |
recvfrom | Receive datagrams from socket. |
relabelfrom | Change the security context based on existing type. |
relabelto | Change the security context based on the new type. |
send_msg | Send datagram. |
sendto | Send datagrams to socket. |
setattr | Change attributes. |
setopt | Set socket options. |
shutdown | Terminate connection. |
write | Write data to socket. |
Common IPC Permissions
Common IPC permissions inherited by a number of object classes.
Permissions | Description (9 Permissions) |
associate | shm - Get shared memory ID. msgq - Get message ID. sem - Get semaphore ID. |
create | Create. |
destroy | Destroy. |
getattr | Get information from IPC object. |
read | shm - Attach shared memory to process. msgq - Read message from queue. sem - Get semaphore value. |
setattr | Set IPC object information. |
unix_read | Read. |
unix_write | Write or append. |
write | shm - Attach shared memory to process. msgq - Send message to message queue. sem - Change semaphore value. |
Common Database Permissions
Common database permissions inherited by a number of object classes. The "Security-Enhanced PostgreSQL Security Wiki" [2] explains the objects, their permissions and how they should be used in detail.
Permissions | Description (6 Permissions) |
create | Create a database object such as a 'TABLE'. |
drop | Delete (DROP) a database object. |
getattr | Get metadata - needed to reference an object (e.g. SELECT ... FROM ...). |
relabelfrom | Change the security context based on existing type. |
relabelto | Change the security context based on the new type. |
setattr | Set metadata - this permission is required to update information in the database (e.g. ALTER ...). |
Common X_Device Permissions
Common x_device permissions inherited by the X-Windows x_keyboard and x_pointer object classes.
Permissions | Description (19 permissions) |
add | |
bell | |
create | |
destroy | |
force_cursor | Get window focus. |
freeze | |
get_property | Required to create a device context. (source code) |
getattr | |
getfocus | |
grab | Set window focus. |
list_property | |
manage | |
read | |
remove | |
set_property | |
setattr | |
setfocus | |
use | |
write | |
File Object Classes
Class | filesystem - A mounted filesystem |
Permissions | Description (10 unique permissions) |
associate | Use type as label for file. |
getattr | Get file attributes. |
mount | Mount filesystem. |
quotaget | Get quota information. |
quotamod | Modify quota information. |
relabelfrom | Change the security context based on existing type. |
relabelto | Change the security context based on the new type. |
remount | Remount existing mount. |
transition | Transition to a new SID (change security context). |
unmount | Unmount filesystem. |
Class | dir - Directory |
Permissions | Description (Inherit 17 common file permissions + 7 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
add_name | Add entry to the directory. |
audit_access | The rules for this permission work as follows: if a process calls access() or faccessat() and SELinux denies the request, there is a check for a dontaudit rule on the audit_access permission. If there is a dontaudit rule on audit_access, an AVC event will not be written. If there is no dontaudit rule, an AVC event will be written for the permissions requested (read, write, or exec). Note: there will never be a denial message with the audit_access permission itself, as this permission does not control security decisions. |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
remove_name | Remove an entry from the directory. |
reparent | Change parent directory. |
rmdir | Remove directory. |
search | Search directory. |
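The audit_access permission is only ever used in dontaudit rules. The fragment below is an added example (not from the SELinux Notebook or the Reference Policy) showing the typical use: silencing the denials that a program generates when it probes a file with access(2) before deciding what to do. The type names myapp_t and conf_t are assumed for illustration.

```selinux
# Added example: suppressing noise from access(2)/faccessat(2) probes.
# Type names are assumed for illustration.

# Without this rule a denied access(W_OK) by myapp_t on a conf_t file is
# logged as an AVC denial for { write } on class file, even though the
# program never tried to open the file for writing.
dontaudit myapp_t conf_t : file audit_access;

# This rule does not grant anything and does not hide real denials:
# an open(O_WRONLY) by myapp_t on conf_t is still denied and still audited,
# because only the access()/faccessat() path consults audit_access.
```

Before adding such a rule, confirm from the audit log that the denials really come from an access() check and not from an open() or a write(); a denial for the same permission that the program genuinely needs should be fixed with an allow rule, not hidden.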
Class | file - Ordinary file |
Permissions | Description (Inherit 17 common file permissions + 5 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
entrypoint | Entry point permission for a domain transition. |
execute_no_trans | Execute in the caller's domain (i.e. no domain transition). |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
Class | lnk_file - Symbolic links |
Permissions | Description (Inherit 17 common file permissions + 3 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
Class | chr_file - Character files |
Permissions | Description (Inherit 17 common file permissions + 5 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
entrypoint | Entry point permission for a domain transition. |
execute_no_trans | Execute in the caller's domain (i.e. no domain transition). |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to open a character device. |
Class | blk_file - Block files |
Permissions | Description (Inherit 17 common file permissions + 3 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
Class | sock_file - UNIX domain sockets |
Permissions | Description (Inherit 17 common file permissions + 3 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
Class | fifo_file - Named pipes |
Permissions | Description (Inherit 17 common file permissions + 3 unique) |
Inherit Common File Permissions | append, create, execute, getattr, ioctl, link, lock, mounton, quotaon, read, relabelfrom, relabelto, rename, setattr, swapon, unlink, write |
audit_access | See the dir class for details |
execmod | Make executable a file that has been modified by copy-on-write. |
open | Added in 2.6.26 Kernel to control the open permission. |
Class | fd - File descriptors |
Permissions | Description (1 unique permission) |
use | 1) Inherit fd when process is executed and domain has been changed. 2) Receive fd from another process by Unix domain socket. 3) Get and set attribute of fd. |
Network Object Classes
Class | node - IP address or range of IP addresses |
Permissions | Description (11 unique permissions) |
dccp_recv | Allow Datagram Congestion Control Protocol receive packets. |
dccp_send | Allow Datagram Congestion Control Protocol send packets. |
enforce_dest | Ensure that destination node can enforce restrictions on the destination socket. |
rawip_recv | Receive raw IP packet. |
rawip_send | Send raw IP packet. |
recvfrom | Network interface and address check permission for use with the ingress permission. |
sendto | Network interface and address check permission for use with the egress permission. |
tcp_recv | Receive TCP packet. |
tcp_send | Send TCP packet. |
udp_recv | Receive UDP packet. |
udp_send | Send UDP packet. |
Class | netif - Network Interface (e.g. eth0) |
Permissions | Description (10 unique permissions) |
dccp_recv | Allow Datagram Congestion Control Protocol receive packets. |
dccp_send | Allow Datagram Congestion Control Protocol send packets. |
egress | Each packet leaving the system must pass an egress access control. Also requires the node sendto permission. |
ingress | Each packet entering the system must pass an ingress access control. Also requires the node recvfrom permission. |
rawip_recv | Receive raw IP packet. |
rawip_send | Send raw IP packet. |
tcp_recv | Receive TCP packet. |
tcp_send | Send TCP packet. |
udp_recv | Receive UDP packet. |
udp_send | Send UDP packet. |
Class | socket - Socket that is not part of any other specific SELinux socket object class. |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | tcp_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_STREAM |
Permissions | Description (Inherit 22 common socket permissions + 5 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
acceptfrom | Accept connection from client socket. |
connectto | Connect to server socket. |
name_connect | Connect to a specific port type. |
newconn | Create new connection. |
node_bind | Bind to a node. |
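To show how the tcp_socket permissions divide between a listening service and a connecting client, here is an added example (not from the SELinux Notebook or the Reference Policy). The domain types myweb_t and myclient_t are assumed; http_port_t and node_t follow Reference Policy naming conventions for port and node types but are used here only for illustration.

```selinux
# Added example: tcp_socket permissions for a server and a client.
# Type names are assumed for illustration.

# Server side: create the socket, bind it to a labelled port and to a
# node (address), then listen and accept connections.
allow myweb_t self : tcp_socket { create bind listen accept getattr setopt read write };
allow myweb_t http_port_t : tcp_socket name_bind;   # checked against the port's type
allow myweb_t node_t : tcp_socket node_bind;        # checked against the address's type

# Client side: create and connect. name_connect is checked against the type
# of the destination port, so a client can be restricted to particular services.
allow myclient_t self : tcp_socket { create connect getattr setopt read write };
allow myclient_t http_port_t : tcp_socket name_connect;
```

The name_bind and name_connect checks are what make port labelling useful: a service that is only allowed name_bind on http_port_t cannot be reconfigured to listen on a port of another type, and a client that lacks name_connect on a port type gets a denial at connect(2) time. Where interfaces and nodes are labelled, packets are additionally checked against the netif (ingress, egress) and node (recvfrom, sendto) permissions listed above.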
Class | udp_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_DGRAM |
Permissions | Description (Inherit 22 common socket permissions + 1 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
node_bind | Bind to a node. |
Class | rawip_socket - Protocol: PF_INET, PF_INET6 Family Type: SOCK_RAW |
Permissions | Description (Inherit 22 common socket permissions + 1 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
node_bind | Bind to a node. |
Class | packet_socket - Protocol: PF_PACKET Family Type: All. |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | unix_stream_socket - Communicate with processes on same machine. Protocol: PF_STREAM Family Type: SOCK_STREAM |
Permissions | Description (Inherit 22 common socket permissions + 3 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
acceptfrom | Accept connection from client socket. |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
Class | unix_dgram_socket - Communicate with processes on same machine. Protocol: PF_STREAM Family Type: SOCK_DGRAM |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | tun_socket - TUN is Virtual Point-to-Point network device driver to support IP tunneling. |
Permissions | Description (Inherit 22 common socket permissions + 1 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
attach_queue | |
IPSec Network Object Classes
Class | association - IPSec security association |
Permissions | Description (4 unique permissions) |
polmatch | Match IPSec Security Policy Database (SPD) context (-ctx) entries to an SELinux domain (contained in the Security Association Database (SAD)). |
recvfrom | Receive from an IPSec association. |
sendto | Send to an IPSec association. |
setcontext | Set the context of an IPSec association on creation. |
Class | key_socket - IPSec key management. Protocol: PF_KEY Family Type: All |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | netlink_xfrm_socket - Netlink socket to maintain IPSec parameters. |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Get IPSec configuration information. |
nlmsg_write | Set IPSec configuration information. |
Netlink Object Classes
Netlink sockets communicate between userspace and the kernel.
Class | netlink_socket - Netlink socket that is not part of any specific SELinux Netlink socket class. Protocol: PF_NETLINK Family Type: All other types that are not part of any other specific netlink object class. |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | netlink_route_socket - Netlink socket to manage and control network resources. |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Read kernel routing table. |
nlmsg_write | Write to kernel routing table. |
Class | netlink_firewall_socket - Netlink socket for firewall filters. |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Read netlink message. |
nlmsg_write | Write netlink message. |
Class | netlink_tcpdiag_socket - Netlink socket to monitor TCP connections. |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Request information about a protocol. |
nlmsg_write | Write netlink message. |
Class | netlink_nflog_socket - Netlink socket for Netfilter logging |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | netlink_selinux_socket - Netlink socket to receive SELinux events such as a policy or boolean change. |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | netlink_audit_socket - Netlink socket for audit service. |
Permissions | Description (Inherit 22 common socket permissions + 5 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Query status of audit service. |
nlmsg_readpriv | List auditing configuration rules. |
nlmsg_relay | Send userspace audit messages to the audit service. |
nlmsg_tty_audit | Control TTY auditing. |
nlmsg_write | Update audit service configuration. |
Class | netlink_ip6fw_socket - Netlink socket for IPv6 firewall filters. |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
nlmsg_read | Read netlink message. |
nlmsg_write | Write netlink message. |
Class | netlink_dnrt_socket - Netlink socket for DECnet routing |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | netlink_kobject_uevent_socket - Netlink socket to send kernel events to userspace. |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Miscellaneous Network Object Classes
Class | peer - NetLabel and Labeled IPsec have separate access controls; the network peer label consolidates these two access controls into a single one (see http://paulmoore.livejournal.com/1863.html for details). |
Permissions | Description (1 unique permission) |
recv | Receive packets from a labeled networking peer. |
Class | packet - Supports 'secmark' services where packets are labeled using iptables to select and label packets; SELinux then enforces policy using these packet labels. |
Permissions | Description (7 unique permissions) |
flow_in | Receive external packets. (deprecated) |
flow_out | Send packets externally. (deprecated) |
forward_in | Allow inbound forwarded packets. |
forward_out | Allow outbound forwarded packets. |
recv | Receive inbound locally consumed packets. |
relabelto | Control how domains can apply specific labels to packets. |
send | Send outbound locally generated packets. |
Class | appletalk_socket - Appletalk socket |
Permissions | Description (Inherit 22 common socket permissions) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
Class | dccp_socket - Datagram Congestion Control Protocol (DCCP) |
Permissions | Description (Inherit 22 common socket permissions + 2 unique) |
Inherit Common Socket Permissions | accept, append, bind, connect, create, getattr, getopt, ioctl, listen, lock, name_bind, read, recv_msg, recvfrom, relabelfrom, relabelto, send_msg, sendto, setattr, setopt, shutdown, write |
name_connect | Allow DCCP name connect(). |
node_bind | Allow DCCP bind(). |
IPC Object Classes
Class | ipc - Interprocess communications |
Permissions | Description (Inherit 9 common IPC permissions) |
Inherit Common IPC Permissions | associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write |
Class | sem - Semaphores |
Permissions | Description (Inherit 9 common IPC permissions) |
Inherit Common IPC Permissions | associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write |
Class | msgq - IPC Message queues |
Permissions | Description (Inherit 9 common IPC permissions + 1 unique) |
Inherit Common IPC Permissions | associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write |
enqueue | Send message to message queue. |
Class | msg - Message in a queue |
Permissions | Description (2 unique permissions) |
receive | Read (and remove) message from queue. |
send | Add message to queue. |
Class | shm - Shared memory segment |
Permissions | Description (Inherit 9 common IPC permissions + 1 unique) |
Inherit Common IPC Permissions | associate, create, destroy, getattr, read, setattr, unix_read, unix_write, write |
lock | Lock or unlock shared memory. |
Process Object Class
Class | process - An object is instantiated for each process created by the system. |
Permissions | Description (31 unique permissions) |
dyntransition | Dynamically transition to a new context using setcon(3). |
execheap | Make the heap executable. |
execmem | Make executable an anonymous mapping or private file mapping that is writable. |
execstack | Make the main process stack executable. |
fork | Create new process using fork(2). |
getattr | Get process security information. |
getcap | Get Linux capabilities of process. |
getpgid | Get group Process ID of another process. |
getsched | Get scheduling information of another process. |
getsession | Get session ID of another process. |
noatsecure | Disable secure mode environment cleansing. |
ptrace | Trace program execution of parent (ptrace(2)). |
ptrace_child | Trace program execution of child (ptrace(2)). |
rlimitinh | Inherit rlimit information from parent process. |
setcap | Set Linux capabilities of process. |
setcurrent | Set the current process context. |
setexec | Set security context of executed process by setexecon(3). |
setfscreate | Set security context by setfscreatecon(3). |
setkeycreate | Set security context by setkeycreatecon(3). |
setpgid | Set group Process ID of another process. |
setrlimit | Change process rlimit information. |
setsched | Modify scheduling information of another process. |
setsockcreate | Set security context by setsockcreatecon(3). |
share | Allow state sharing with cloned or forked process. |
sigchld | Send SIGCHLD signal. |
siginh | Inherit signal state from parent process. |
sigkill | Send SIGKILL signal. |
signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. |
signull | Test for existence of another process without sending a signal. |
sigstop | Send SIGSTOP signal. |
transition | Transition to a new context on exec(). |
Security Object Class
Class | security - This is the security server object and there is only one instance of this object (for the SELinux security server). |
Permissions | Description (12 unique permissions) |
check_context | Determine whether the context is valid by querying the security server. |
compute_av | Compute an access vector given a source, target and class. |
compute_create | Determine context to use when querying the security server about a transition rule (type_transition). |
compute_member | Determine context to use when querying the security server about a membership decision (type_member for a polyinstantiated object). |
compute_relabel | Determines the context to use when querying the security server about a relabeling decision (type_change). |
compute_user | Determines the context to use when querying the security server about a user decision (user). |
load_policy | Load the security policy into the kernel (the security server). |
read_policy | Read the kernel policy to userspace. |
setbool | Change a boolean value within the active policy. |
setcheckreqprot | Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap / mprotect. |
setenforce | Change the enforcement state of SELinux (permissive or enforcing). |
setsecparam | Set kernel access vector cache tuning parameters. |
System Operation Object Class
Class | system - This is the overall system object and there is only one instance of this object. |
Permissions | Description (12 unique permissions) |
disable | Allow services to be disabled. |
enable | Allow services to be enabled. |
halt | Allow the system to be halted. |
ipc_info | Get info about an IPC object. |
module_request | Request the kernel to load a module. |
reboot | Allow system to be rebooted. |
reload | Allow services to be reloaded. |
status | Get system status information. |
syslog_console | Control output of kernel messages to the console with syslog(2). |
syslog_mod | Clear kernel message buffer with syslog(2). |
syslog_read | Read kernel message with syslog(2). |
undefined | Allow an undefined operation. |
Kernel Service Object Class
Class | kernel_service - Used to add kernel services. |
Permissions | Description (2 unique permissions) |
use_as_override | Grant a process the right to nominate an alternate process SID for the kernel to use as an override for the SELinux subjective security when accessing information on behalf of another process. For example, CacheFiles when accessing the cache on behalf of a process accessing an NFS file needs to use a subjective security ID appropriate to the cache rather than the one the calling process is using. The cachefilesd daemon will nominate the security ID to be used. |
create_files_as | Grant a process the right to nominate a file creation label for a kernel service to use. |
Capability Object Classes
Class | capability - Used to manage the Linux capabilities granted to root processes. Taken from the header file: /usr/include/linux/capability.h |
Permissions | Description (32 unique permissions) |
audit_control | Change auditing rules. Set login UID. |
audit_write | Send audit messages from user space. |
chown | Allow changing file and group ownership. |
dac_override | Overrides all DAC including ACL execute access. |
dac_read_search | Overrides DAC for read and directory search. |
fowner | Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden. |
fsetid | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. |
ipc_lock | Grants the capability to lock non-shared and shared memory segments. |
ipc_owner | Grant the ability to ignore IPC ownership checks. |
kill | Allow signal raising for any process. |
lease | Grants ability to take leases on a file. |
linux_immutable | Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. |
mknod | Grants permission to creation of character and block device nodes. |
net_admin | Allow the following: interface configuration; administration of IP firewall; masquerading and accounting; setting debug option on sockets; modification of routing tables; setting arbitrary process / group ownership on sockets; binding to any address for transparent proxying; setting TOS (type of service); setting promiscuous mode; clearing driver statistics; multicasting; read/write of device-specific registers; activation of ATM control sockets. |
net_bind_service | Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM. |
net_raw | Allows opening of raw sockets and packet sockets. |
netbroadcast | Grant network broadcasting and listening to incoming multicasts. |
setfcap | Allow the assignment of file capabilities. |
setgid | Allow setgid(2), allow setgroups(2), allow fake gids on credentials passed over a socket. |
setpcap | Transfer capability maps from current process to any process. |
setuid | Allow all setuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket. |
sys_admin | Allow the following: configuration of the secure attention key; administration of the random device; examination and configuration of disk quotas; configuring the kernel's syslog; setting the domainname; setting the hostname; calling bdflush(); mount() and umount(), setting up new smb connection; some autofs root ioctls; nfsservctl; VM86_REQUEST_IRQ; to read/write pci config on alpha; irix_prctl on mips (setstacksize); flushing all cache on m68k (sys_cacheflush); removing semaphores; locking/unlocking of shared memory segment; turning swap on/off; forged pids on socket credentials passing; setting readahead and flushing buffers on block devices; setting geometry in floppy driver; turning DMA on/off in xd driver; administration of md devices; tuning the ide driver; access to the nvram device; administration of apm_bios, serial and bttv (TV) device; manufacturer commands in isdn CAPI support driver; reading non-standardized portions of pci configuration space; DDI debug ioctl on sbpcd driver; setting up serial ports; sending raw qic-117 commands; enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; setting encryption key on loopback filesystem; setting zone reclaim policy. |
sys_boot | Grant ability to reboot the system. |
sys_chroot | Grant use of the chroot(2) call. |
sys_module | Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of kernel's bounding capability mask. See sysctl. |
sys_nice | Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process. |
sys_pacct | Allow modification of accounting for any process. |
sys_ptrace | Allow ptrace of any process. |
sys_rawio | Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb. |
sys_resource | Override the following: resource limits; quota limits; reserved space on ext2 filesystem; size restrictions on IPC message queues; max number of consoles on console allocation; max number of keymaps. Set resource limits. Modify data journaling mode on ext3 filesystem. Allow more than 64hz interrupts from the real-time clock. |
sys_time | Grant permission to set system time and to set the real-time lock. |
sys_tty_config | Grant permission to configure tty devices. |
Class | capability2 |
Permissions | Description (7 unique permissions) |
block_suspend | Prevent system suspends (was epollwakeup) |
compromise_kernel | Allow tasks that can modify the running kernel (Secure Boot). |
mac_admin | Allow MAC configuration state changes. For SELinux allow contexts not defined in the policy to be assigned. This is called 'deferred mapping of security contexts' and is explained at: http://www.nsa.gov/research/selinux/list-archive/0805/26046.shtml |
mac_override | Allow MAC policy to be overridden. |
syslog | Allow configuration of kernel syslog (printk behaviour). |
wake_alarm | Trigger the system to wake up |
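The capability and capability2 permission lists above are what a least-privilege review of a policy module works from. As an added example that is not part of the SELinux Notebook, the following script parses allow rules written in the standard policy source syntax (e.g. `allow httpd_t self:capability { setuid net_bind_service };`), expands `*` and `~{ ... }` forms against the permission sets listed on this page, and reports the grants a reviewer would want justified; the domain names in the sample rules and the high-risk ranking are this example's own assumptions.

```python
"""Audit SELinux allow rules for broad capability grants.

Added example, not from the SELinux Notebook: parses allow rules in the
policy source syntax, expands '*' and '~{ ... }' against the capability /
capability2 permission lists on this page, and flags grants a
least-privilege review should justify explicitly.
"""
import re

# 'capability' permissions as listed on this page, plus audit_control and
# audit_write, which belong to the same class but sit above this excerpt.
CAPABILITY = {
    "audit_control", "audit_write", "chown", "dac_override", "dac_read_search",
    "fowner", "fsetid", "ipc_lock", "ipc_owner", "kill", "lease",
    "linux_immutable", "mknod", "net_admin", "net_bind_service", "net_raw",
    "netbroadcast", "setfcap", "setgid", "setpcap", "setuid", "sys_admin",
    "sys_boot", "sys_chroot", "sys_module", "sys_nice", "sys_pacct",
    "sys_ptrace", "sys_rawio", "sys_resource", "sys_time", "sys_tty_config",
}
# 'capability2' permissions as listed on this page.
CAPABILITY2 = {"block_suspend", "compromise_kernel", "mac_admin",
               "mac_override", "syslog", "wake_alarm"}
ALL_PERMS = {"capability": CAPABILITY, "capability2": CAPABILITY2}

# Grants that hand over the kernel, other processes, or the MAC policy itself
# (this risk ranking is the example's assumption, not the Notebook's).
HIGH_RISK = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace",
             "dac_override", "setpcap", "compromise_kernel", "mac_admin",
             "mac_override"}

RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>capability2?)\s+"
    r"(?P<perms>~?\{[^}]*\}|~?\*|\S+?)\s*;"
)

def expand_perms(cls, spec):
    """Expand 'p', '{ p q }', '*' or a '~' complement into a set of names."""
    negate = spec.startswith("~")
    body = spec.lstrip("~").strip("{} ")
    full = ALL_PERMS[cls]
    perms = set(full) if body == "*" else set(body.split())
    unknown = perms - full
    if unknown:  # a typo, or a permission this class does not define
        raise ValueError(f"unknown {cls} permission(s): {sorted(unknown)}")
    return full - perms if negate else perms

def audit(policy_text):
    """Return ({(domain, class): sorted perms}, [(domain, class, perm), ...])."""
    grants, findings = {}, []
    for m in RULE_RE.finditer(policy_text):
        key = (m.group("src"), m.group("cls"))
        perms = expand_perms(m.group("cls"), m.group("perms"))
        grants[key] = sorted(set(grants.get(key, [])) | perms)
        findings += [key + (p,) for p in sorted(perms & HIGH_RISK)]
    return grants, findings

# Constructed sample rules; the domain names are made up for this example.
SAMPLE_POLICY = """
allow httpd_t self:capability { setuid setgid net_bind_service };
allow insmod_t self:capability { sys_module sys_rawio };
allow sandbox_t self:capability ~{ sys_admin sys_module };
allow setfiles_t self:capability2 mac_admin;
"""

if __name__ == "__main__":
    grants, findings = audit(SAMPLE_POLICY)
    for (domain, cls), perms in sorted(grants.items()):
        print(f"{domain}:{cls} -> {' '.join(perms)}")
    for domain, cls, perm in findings:
        print(f"REVIEW {domain}: {cls} {perm}")
```

Note that a complement such as `~{ sys_admin sys_module }` still grants the other 30 capability permissions, including sys_rawio and sys_ptrace, which is why the script expands it rather than reporting only the names written in the rule.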
X Windows Object Classes
These are userspace objects managed by XSELinux.
Class | x_drawable - The drawable parameter specifies the area into which the text will be drawn. It may be either a pixmap or a window. Some of the permission information has been extracted from an email describing them in terms of an MLS system. |
Permissions | Description (19 unique permissions) |
add_child | Add new window. Normally SystemLow for MLS systems. |
blend | There are two cases: 1) Allow a non-root window to have a transparent background. 2) The application is redirecting the contents of the window and its sub-windows into a memory buffer when using the Composite extension. Only SystemHigh processes should have the blend permission on the root window. |
create | Create a drawable object. Not applicable to the root windows as it cannot be created. |
destroy | Destroy a drawable object. Not applicable to the root windows as it cannot be destroyed. |
get_property | Read property information. Normally SystemLow for MLS systems. |
getattr | Get attributes from a drawable object. Most applications will need this so SystemLow. |
hide | Hide a drawable object. Not applicable to the root windows as it cannot be hidden. |
list_child | Allows all child window IDs to be returned. From the root window it will show the client that owns the window and their stacking order. If hiding this information is required then processes should be SystemHigh. |
list_property | List property associated with a window. Normally SystemLow for MLS systems. |
manage | Required to create a context, move and resize windows. Not applicable to the root windows as it cannot be resized etc. |
override | Allow setting the override-redirect bit on the window. Not applicable to the root windows as it cannot be overridden. |
read | Read window contents. Note that this will also give read permission to all child windows, therefore (for MLS), only SystemHigh processes should have read permission on the root window. |
receive | Allow receiving of events. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation). |
remove_child | Remove child window. Normally SystemLow for MLS systems. |
send | Allow sending of events. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation). |
set_property | Set property. Normally SystemLow for MLS systems (but could leak information between clients running at different levels, therefore needs investigation. Polyinstantiation may be required). |
setattr | Allow window attributes to be set. This permission protects operations on the root window such as setting the background image or colour, setting the colormap and setting the mouse cursor to display when the cursor is in the window, therefore only SystemHigh processes should have the setattr permission. |
show | Show window. Not applicable to the root windows as it cannot be hidden. |
write | Draw within a window. Note that this will also give write permission to all child windows, therefore (for MLS), only SystemHigh processes should have write permission on the root window. |
Class | x_screen - The specific screen available to the display (X-server) (hostname:display_number.screen) |
Permissions | Description (8 unique permissions) |
getattr | |
hide_cursor | |
saver_getattr | |
saver_hide | |
saver_setattr | |
saver_show | |
setattr | |
show_cursor | |
Class | x_gc - The graphics contexts allows the X-server to cache information about how graphics requests should be interpreted. It reduces the network traffic. |
Permissions | Description (5 unique permissions) |
create | Create Graphic Contexts object. |
destroy | Free (dereference) a Graphics Contexts object. |
getattr | Get attributes from Graphic Contexts object. |
setattr | Set attributes for Graphic Contexts object. |
use | Allow GC contexts to be used. |
Class | x_font - An X-server resource for managing the different fonts. |
Permissions | Description (6 unique permissions) |
add_glyph | Create glyph for cursor |
create | Load a font. |
destroy | Free a font. |
getattr | Obtain font names, path, etc. |
remove_glyph | Free glyph |
use | Use a font. |
Class | x_colormap - An X-server resource for managing colour mapping. A new colormap can be created using XCreateColormap. |
Permissions | Description (10 unique permissions) |
add_color | Add a colour |
create | Create a new Colormap. |
destroy | Free a Colormap. |
getattr | Get the color gamut of a screen. |
install | Copy a virtual colormap into the display hardware. |
read | Read color cells of colormap. |
remove_color | Remove a colour |
uninstall | Remove a virtual colormap from the display hardware. |
use | Use a colormap |
write | Change color cells in colormap. |
Class | x_property - An InterClient Communications (ICC) service where each property has a name and ID (or Atom). Properties are attached to windows and can be uniquely identified by the windowID and propertyID. XSELinux supports polyinstantiation of properties. |
Permissions | Description (7 unique permissions) |
append | Append a property. |
create | Create property object. |
destroy | Free (dereference) a property object. |
getattr | Get attributes of a property. |
read | Read a property. |
setattr | Set attributes of a property. |
write | Write a property. |
Class | x_selection - An InterClient Communications (ICC) service that allows two parties to communicate about passing information. The information uses properties to define the format (e.g. whether text or graphics). XSELinux supports polyinstantiation of selections. |
Permissions | Description (4 unique permissions) |
getattr | Get selection owner (XGetSelectionOwner). |
read | Read the information from the selection owner |
setattr | Set the selection owner (XSetSelectionOwner). |
write | Send the information to the selection requestor. |
Class | x_cursor - The cursor on the screen |
Permissions | Description (7 unique permissions) |
create | Create an arbitrary cursor object. |
destroy | Free (dereference) a cursor object. |
getattr | Get attributes of the cursor. |
read | Read the cursor. |
setattr | Set attributes of the cursor. |
use | Associate a cursor object with a window. |
write | Write a cursor |
Class | x_client - The X-client connecting to the X-server. |
Permissions | Description (4 unique permissions) |
destroy | Close down a client. |
getattr | Get attributes of X-client. |
manage | Required to create an X-client context. (source code) |
setattr | Set attributes of X-client. |
Class | x_device - These are any other devices used by the X-server as the keyboard and pointer devices have their own object classes. |
Permissions | Description (Inherit 19 common x_device permissions) |
Inherit Common X_Device Permissions | add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write |
Class | x_server - The X-server that manages the display, keyboard and pointer. |
Permissions | Description (6 unique permissions) |
debug | |
getattr | |
grab | |
manage | Required to create a context. (source code) |
record | |
setattr | |
Class | x_extension - An X-Windows extension that can be added to the X-server (such as the XSELinux object manager itself). |
Permissions | Description (2 unique permissions) |
query | Query for an extension. |
use | Use the extensions services. |
Class | x_resource - These consist of Windows, Pixmaps, Fonts, Colormaps etc. that are classed as resources. |
Permissions | Description (2 unique permissions) |
read | Allow reading a resource. |
write | Allow writing to a resource. |
Class | x_event - Manage X-server events. |
Permissions | Description (2 unique permissions) |
receive | Receive an event |
send | Send an event |
Class | x_synthetic_event - Manage some X-server events (e.g. confignotify). Note the x_event permissions will still be required (it's magic). |
Permissions | Description (2 unique permissions) |
receive | Receive an event |
send | Send an event |
Class | x_application_data - Not specifically used by XSELinux, however is used by userspace applications that need to manage copy and paste services (such as the CUT_BUFFERs). |
Permission | Description (3 unique permissions) |
copy | Copy the data |
paste | Paste the data |
paste_after_confirm | Need to confirm that the paste is allowed. |
Class | x_pointer - The mouse or other pointing device managed by the X-server. |
Permissions | Description (Inherit 19 common x_device permissions) |
Inherit Common X_Device Permissions | add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write |
Class | x_keyboard - The keyboard managed by the X-server. |
Permissions | Description (Inherit 19 common x_device permissions) |
Inherit Common X_Device Permissions | add, bell, create, destroy, force_cursor, freeze, get_property, getattr, getfocus, grab, list_property, manage, read, remove, set_property, setattr, setfocus, use, write |
Database Object Classes
These are userspace objects - The PostgreSQL database supports these with their SE-PostgreSQL database extension. The "Security-Enhanced PostgreSQL Security Wiki" [2] explains the objects, their permissions and how they should be used in detail.
Class | db_database |
Permission | Description (Inherit 6 common database permissions + 3 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
access | Required to connect to the database - this is the minimum permission required by an SE-PostgreSQL client. |
install_module | Required to install a dynamic link library. |
load_module | Required to load a dynamic link library. |
Class | db_table |
Permission | Description (Inherit 6 common database permissions + 5 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
delete | Required to delete from a table with a DELETE statement, or when removing the table contents with a TRUNCATE statement. |
insert | Required to insert into a table with an INSERT statement, or when restoring it with a COPY FROM statement. |
lock | Required to get a table lock with a LOCK statement. |
select | Required to refer to a table with a SELECT statement or to dump the table contents with a COPY TO statement. |
update | Required to update a table with an UPDATE statement. |
Class | db_schema |
Permission | Description (Inherit 6 common database permissions + 3 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
search | Search for an object in the schema. |
add_name | Add an object to the schema. |
remove_name | Remove an object from the schema. |
Class | db_procedure |
Permission | Description (Inherit 6 common database permissions + 3 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
entrypoint | Required for any functions defined as Trusted Procedures. |
execute | Required for functions executed with SQL queries. |
install | |
Class | db_column |
Permission | Description (Inherit 6 common database permissions + 3 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
insert | Required to insert a new entry using the INSERT statement. |
select | Required to reference columns. |
update | Required to update a table with an UPDATE statement. |
Class | db_tuple |
Permission | Description (7 unique) |
delete | Required to delete entries with a DELETE or TRUNCATE statement. |
insert | Required when inserting an entry with an INSERT statement, or restoring tables with a COPY FROM statement. |
relabelfrom | The security context of an entry can be changed with an UPDATE to the security_context column at which time relabelfrom and relabelto permission is evaluated. The client must have relabelfrom permission to the security context before the entry is changed, and relabelto permission to the security context after the entry is changed. |
relabelto | |
select | Required when: reading entries with a SELECT statement, returning entries that are subjects for updating queries with a RETURNING clause, or dumping tables with a COPY TO statement. Entries that the client does not have select permission on will be filtered from the result set. |
update | Required when updating an entry with an UPDATE statement. Entries that the client does not have update permission on will not be updated. |
use | Controls usage of system objects that require permission to "use" objects such as data types, tablespaces and operators. |
Class | db_blob |
Permission | Description (Inherit 6 common database permissions + 4 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
export | Export a binary large object by calling the lo_export() function. |
import | Import a file as a binary large object by calling the lo_import() function. |
read | Read a binary large object with the loread() function. |
write | Write a binary large object with the lowrite() function. |
Class | db_view |
Permission | Description (Inherit 6 common database permissions + 1 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
expand | Allows the expansion of a 'view'. |
Class | db_sequence - A sequential number generator |
Permission | Description (Inherit 6 common database permissions + 3 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
get_value | Get a value from the sequence generator object. |
next_value | Get and increment value. |
set_value | Set an arbitrary value. |
Class | db_language - Support for script languages such as Perl and Tcl for SQL Procedures |
Permission | Description (Inherit 6 common database permissions + 2 unique) |
Inherit Common Database Permissions | create, drop, getattr, relabelfrom, relabelto, setattr |
implement | Whether the language can be implemented or not for the SQL procedure. |
execute | Allow the execution of a code block using a 'DO' statement. |
Miscellaneous Object Classes
Class | passwd - This is a userspace object for controlling changes to passwd information. |
Permissions | Description (5 unique permissions) |
chfn | Change another user's finger info. |
chsh | Change another user's shell. |
crontab | crontab another user. |
passwd | Change another user's passwd. |
rootok | pam_rootok check - skip authentication. |
Class | nscd - This is a userspace object for the Name Service Cache Daemon. |
Permission | Description (12 unique permissions) |
admin | Allow the nscd daemon to be shut down. |
getgrp | Get group information. |
gethost | Get host information. |
getnetgrp | |
getpwd | Get password information. |
getserv | Get ?? information. |
getstat | Get the AVC stats from the nscd daemon. |
shmemgrp | Get shmem group file descriptor. |
shmemhost | Get shmem host descriptor. ?? |
shmemnetgrp | |
shmempwd | |
shmemserv | |
Class | dbus - This is a userspace object for the D-BUS Messaging service that is required to run various services. |
Permission | Description (2 unique permissions) |
acquire_svc | Open a virtual circuit (communications channel). |
send_msg | Send a message. |
Class | context - This is a userspace object for the translation daemon mcstransd. These permissions are required to allow translation and querying of level and ranges for MCS and MLS systems. |
Permission | Description (2 unique permissions) |
contains | Calculate a MLS/MCS subset - Required to check what the configuration file contains. |
translate | Translate a raw MLS/MCS label - Required to allow a domain to translate contexts. |
Class | key - This is a kernel object to manage Keyrings. |
Permission | Description (7 unique permissions) |
create | Create a keyring. |
link | Link a key into the keyring. |
read | Read a keyring. |
search | Search a keyring. |
setattr | Change permissions on a keyring. |
view | View a keyring. |
write | Add a key to the keyring. |
Class | memprotect - This is a kernel object to protect lower memory blocks. |
Permission | Description (1 unique permission) |
mmap_zero | Security check on mmap operations to see if the user is attempting to mmap to a low area of the address space. The amount of space protected is indicated by a proc tunable (/proc/sys/vm/mmap_min_addr). Setting this value to 0 will disable the checks. The "SELinux hardening for mmap_min_addr protections" describes additional checks that will be added to the kernel to protect against some kernel exploits (by requiring CAP_SYS_RAWIO (root) and the SELinux memprotect / mmap_zero permission instead of only one or the other). |
Class | service - This is a userspace object to manage systemd services. |
Permission | Description (8 unique permissions) |
disable | Disable services. |
enable | Enable services. |
kill | Kill services. |
load | Load services |
reload | Restart systemd services. |
start | Start systemd services. |
status | Read service status. |
stop | Stop systemd services. |
Class | proxy - This is a userspace object for gssd services. |
Permission | Description (1 unique permission) |
read | Read credentials. |