Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/support/obj_perm_sets.spt
diff options
context:
space:
mode:
Diffstat (limited to 'policy/support/obj_perm_sets.spt')
-rw-r--r--policy/support/obj_perm_sets.spt273
1 files changed, 273 insertions, 0 deletions
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
new file mode 100644
index 000000000..6e9131723
--- /dev/null
+++ b/policy/support/obj_perm_sets.spt
@@ -0,0 +1,273 @@
+########################################
+#
+# Support macros for sets of object classes and permissions
+#
+# This file should only have object class and permission set macros - they
+# can only reference object classes and/or permissions.
+
+#
+# All directory and file classes
+#
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# All non-directory file classes.
+#
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+
+#
+# Non-device file classes.
+#
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+
+#
+# Device file classes.
+#
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+#
+# All socket classes.
+#
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+#
+# Datagram socket classes.
+#
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+
+#
+# Stream socket classes.
+#
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+
+#
+# Unprivileged socket classes (exclude rawip, netlink, packet).
+#
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+########################################
+#
+# Macros for sets of permissions
+#
+
+#
+# Permissions to mount and unmount file systems.
+#
+define(`mount_fs_perms', `{ mount remount unmount getattr }')
+
+#
+# Permissions for using sockets.
+#
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`create_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for using stream sockets.
+#
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+#
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+
+#
+# Permissions for creating and using sockets.
+#
+define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
+
+
+#
+# Permissions for creating and using netlink sockets.
+#
+define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that modify state.
+#
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
+
+#
+# Permissions for using netlink sockets for operations that observe state.
+#
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
+
+#
+# Permissions for sending all signals.
+#
+define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
+
+#
+# Permissions for sending and receiving network packets.
+#
+define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
+
+#
+# Permissions for using System V IPC
+#
+define(`r_sem_perms', `{ associate getattr read unix_read }')
+define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
+define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
+define(`r_msgq_perms', `{ associate getattr read unix_read }')
+define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
+define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
+define(`r_shm_perms', `{ associate getattr read unix_read }')
+define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
+define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
+
+########################################
+#
+# New permission sets
+#
+
+#
+# Directory (dir)
+#
+define(`getattr_dir_perms',`{ getattr }')
+define(`setattr_dir_perms',`{ setattr }')
+define(`search_dir_perms',`{ getattr search open }')
+define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
+define(`create_dir_perms',`{ getattr create }')
+define(`rename_dir_perms',`{ getattr rename }')
+define(`delete_dir_perms',`{ getattr rmdir }')
+define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+define(`relabelto_dir_perms',`{ getattr relabelto }')
+define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Regular file (file)
+#
+define(`getattr_file_perms',`{ getattr }')
+define(`setattr_file_perms',`{ setattr }')
+define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
+define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_file_perms',`{ getattr create open }')
+define(`rename_file_perms',`{ getattr rename }')
+define(`delete_file_perms',`{ getattr unlink }')
+define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_file_perms',`{ getattr relabelto }')
+define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Symbolic link (lnk_file)
+#
+define(`getattr_lnk_file_perms',`{ getattr }')
+define(`setattr_lnk_file_perms',`{ setattr }')
+define(`read_lnk_file_perms',`{ getattr read }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`create_lnk_file_perms',`{ create getattr }')
+define(`rename_lnk_file_perms',`{ getattr rename }')
+define(`delete_lnk_file_perms',`{ getattr unlink }')
+define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Pipes/FIFOs (fifo_file)
+#
+define(`getattr_fifo_file_perms',`{ getattr }')
+define(`setattr_fifo_file_perms',`{ setattr }')
+define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_fifo_file_perms',`{ getattr create open }')
+define(`rename_fifo_file_perms',`{ getattr rename }')
+define(`delete_fifo_file_perms',`{ getattr unlink }')
+define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Sockets (sock_file)
+#
+define(`getattr_sock_file_perms',`{ getattr }')
+define(`setattr_sock_file_perms',`{ setattr }')
+define(`read_sock_file_perms',`{ getattr open read }')
+define(`write_sock_file_perms',`{ getattr write open append }')
+define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`create_sock_file_perms',`{ getattr create open }')
+define(`rename_sock_file_perms',`{ getattr rename }')
+define(`delete_sock_file_perms',`{ getattr unlink }')
+define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
+define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_sock_file_perms',`{ getattr relabelto }')
+define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Block device nodes (blk_file)
+#
+define(`getattr_blk_file_perms',`{ getattr }')
+define(`setattr_blk_file_perms',`{ setattr }')
+define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_blk_file_perms',`{ getattr create }')
+define(`rename_blk_file_perms',`{ getattr rename }')
+define(`delete_blk_file_perms',`{ getattr unlink }')
+define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Character device nodes (chr_file)
+#
+define(`getattr_chr_file_perms',`{ getattr }')
+define(`setattr_chr_file_perms',`{ setattr }')
+define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`create_chr_file_perms',`{ getattr create }')
+define(`rename_chr_file_perms',`{ getattr rename }')
+define(`delete_chr_file_perms',`{ getattr unlink }')
+define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+
+########################################
+#
+# Special permission sets
+#
+
+#
+# Use (read and write) terminals
+#
+define(`rw_term_perms', `{ getattr open read write append ioctl }')
+
+#
+# Sockets
+#
+define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
+define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+#
+# Keys
+#
+define(`manage_key_perms', `{ create link read search setattr view write } ')