diff options
Diffstat (limited to 'policy/support/obj_perm_sets.spt')
-rw-r--r-- | policy/support/obj_perm_sets.spt | 273 |
1 files changed, 273 insertions, 0 deletions
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt new file mode 100644 index 000000000..6e9131723 --- /dev/null +++ b/policy/support/obj_perm_sets.spt @@ -0,0 +1,273 @@ +######################################## +# +# Support macros for sets of object classes and permissions +# +# This file should only have object class and permission set macros - they +# can only reference object classes and/or permissions. + +# +# All directory and file classes +# +define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# All non-directory file classes. +# +define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# Non-device file classes. +# +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') + +# +# Device file classes. +# +define(`devfile_class_set', `{ chr_file blk_file }') + +# +# All socket classes. +# +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') + + +# +# Datagram socket classes. +# +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') + +# +# Stream socket classes. +# +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') + +# +# Unprivileged socket classes (exclude rawip, netlink, packet). +# +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + +######################################## +# +# Macros for sets of permissions +# + +# +# Permissions to mount and unmount file systems. +# +define(`mount_fs_perms', `{ mount remount unmount getattr }') + +# +# Permissions for using sockets. +# +define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`create_socket_perms', `{ create rw_socket_perms }') + +# +# Permissions for using stream sockets. +# +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') + +# +# Permissions for creating and using stream sockets. +# +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') + +# +# Permissions for creating and using sockets. +# +define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') + + +# +# Permissions for creating and using netlink sockets. +# +define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that modify state. +# +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that observe state. +# +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') + +# +# Permissions for sending all signals. +# +define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') + +# +# Permissions for sending and receiving network packets. +# +define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') + +# +# Permissions for using System V IPC +# +define(`r_sem_perms', `{ associate getattr read unix_read }') +define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') +define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') +define(`r_msgq_perms', `{ associate getattr read unix_read }') +define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') +define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') +define(`r_shm_perms', `{ associate getattr read unix_read }') +define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') +define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') + +######################################## +# +# New permission sets +# + +# +# Directory (dir) +# +define(`getattr_dir_perms',`{ getattr }') +define(`setattr_dir_perms',`{ setattr }') +define(`search_dir_perms',`{ getattr search open }') +define(`list_dir_perms',`{ getattr search open read lock ioctl }') +define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') +define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') +define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') +define(`create_dir_perms',`{ getattr create }') +define(`rename_dir_perms',`{ getattr rename }') +define(`delete_dir_perms',`{ getattr rmdir }') +define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') +define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') +define(`relabelto_dir_perms',`{ getattr relabelto }') +define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') + +# +# Regular file (file) +# +define(`getattr_file_perms',`{ getattr }') +define(`setattr_file_perms',`{ setattr }') +define(`read_file_perms',`{ getattr open read lock ioctl }') +define(`mmap_file_perms',`{ getattr open read execute ioctl }') +define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') +define(`append_file_perms',`{ getattr open append lock ioctl }') +define(`write_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_file_perms',`{ getattr open read write append ioctl lock }') +define(`create_file_perms',`{ getattr create open }') +define(`rename_file_perms',`{ getattr rename }') +define(`delete_file_perms',`{ getattr unlink }') +define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_file_perms',`{ getattr relabelfrom }') +define(`relabelto_file_perms',`{ getattr relabelto }') +define(`relabel_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Symbolic link (lnk_file) +# +define(`getattr_lnk_file_perms',`{ getattr }') +define(`setattr_lnk_file_perms',`{ setattr }') +define(`read_lnk_file_perms',`{ getattr read }') +define(`append_lnk_file_perms',`{ getattr append lock ioctl }') +define(`write_lnk_file_perms',`{ getattr append write lock ioctl }') +define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +define(`create_lnk_file_perms',`{ create getattr }') +define(`rename_lnk_file_perms',`{ getattr rename }') +define(`delete_lnk_file_perms',`{ getattr unlink }') +define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }') +define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') +define(`relabelto_lnk_file_perms',`{ getattr relabelto }') +define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') + +# +# (Un)named Pipes/FIFOs (fifo_file) +# +define(`getattr_fifo_file_perms',`{ getattr }') +define(`setattr_fifo_file_perms',`{ setattr }') +define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') +define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') +define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }') +define(`create_fifo_file_perms',`{ getattr create open }') +define(`rename_fifo_file_perms',`{ getattr rename }') +define(`delete_fifo_file_perms',`{ getattr unlink }') +define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }') +define(`relabelto_fifo_file_perms',`{ getattr relabelto }') +define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }') + +# +# (Un)named Sockets (sock_file) +# +define(`getattr_sock_file_perms',`{ getattr }') +define(`setattr_sock_file_perms',`{ setattr }') +define(`read_sock_file_perms',`{ getattr open read }') +define(`write_sock_file_perms',`{ getattr write open append }') +define(`rw_sock_file_perms',`{ getattr open read write append }') +define(`create_sock_file_perms',`{ getattr create open }') +define(`rename_sock_file_perms',`{ getattr rename }') +define(`delete_sock_file_perms',`{ getattr unlink }') +define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') +define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }') +define(`relabelto_sock_file_perms',`{ getattr relabelto }') +define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Block device nodes (blk_file) +# +define(`getattr_blk_file_perms',`{ getattr }') +define(`setattr_blk_file_perms',`{ setattr }') +define(`read_blk_file_perms',`{ getattr open read lock ioctl }') +define(`append_blk_file_perms',`{ getattr open append lock ioctl }') +define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }') +define(`create_blk_file_perms',`{ getattr create }') +define(`rename_blk_file_perms',`{ getattr rename }') +define(`delete_blk_file_perms',`{ getattr unlink }') +define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }') +define(`relabelto_blk_file_perms',`{ getattr relabelto }') +define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Character device nodes (chr_file) +# +define(`getattr_chr_file_perms',`{ getattr }') +define(`setattr_chr_file_perms',`{ setattr }') +define(`read_chr_file_perms',`{ getattr open read lock ioctl }') +define(`append_chr_file_perms',`{ getattr open append lock ioctl }') +define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') +define(`create_chr_file_perms',`{ getattr create }') +define(`rename_chr_file_perms',`{ getattr rename }') +define(`delete_chr_file_perms',`{ getattr unlink }') +define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }') +define(`relabelto_chr_file_perms',`{ getattr relabelto }') +define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') + +######################################## +# +# Special permission sets +# + +# +# Use (read and write) terminals +# +define(`rw_term_perms', `{ getattr open read write append ioctl }') + +# +# Sockets +# +define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') +define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') + +# +# Keys +# +define(`manage_key_perms', `{ create link read search setattr view write } ') |