selinux ObjectClassesPerms

Source: Internet   Editor: 程序博客网   Time: 2024/05/29 18:47

ObjectClassesPerms

Contents

  • 1 SELinux Object Classes and Permissions Reference
    • 1.1 Common Permission Sets
      • 1.1.1 common database
      • 1.1.2 common file
      • 1.1.3 common ipc
      • 1.1.4 common socket
      • 1.1.5 common x_device
    • 1.2 Kernel Object Classes
      • 1.2.1 appletalk_socket
      • 1.2.2 association
      • 1.2.3 blk_file
      • 1.2.4 capability
      • 1.2.5 capability2
      • 1.2.6 chr_file
      • 1.2.7 dccp_socket
      • 1.2.8 dir
      • 1.2.9 fd
      • 1.2.10 fifo_file
      • 1.2.11 file
      • 1.2.12 filesystem
      • 1.2.13 ipc
      • 1.2.14 kernel_service
      • 1.2.15 key
      • 1.2.16 key_socket
      • 1.2.17 lnk_file
      • 1.2.18 memprotect
      • 1.2.19 msg
      • 1.2.20 msgq
      • 1.2.21 netif
      • 1.2.22 netlink_socket
      • 1.2.23 netlink_audit_socket
      • 1.2.24 netlink_dnrt_socket
      • 1.2.25 netlink_firewall_socket
      • 1.2.26 netlink_ip6fw_socket
      • 1.2.27 netlink_kobject_uevent_socket
      • 1.2.28 netlink_nflog_socket
      • 1.2.29 netlink_route_socket
      • 1.2.30 netlink_selinux_socket
      • 1.2.31 netlink_tcpdiag_socket
      • 1.2.32 netlink_xfrm_socket
      • 1.2.33 node
      • 1.2.34 packet
      • 1.2.35 packet_socket
      • 1.2.36 peer
      • 1.2.37 process
      • 1.2.38 rawip_socket
      • 1.2.39 security
      • 1.2.40 sem
      • 1.2.41 shm
      • 1.2.42 sock_file
      • 1.2.43 socket
      • 1.2.44 system
      • 1.2.45 tcp_socket
      • 1.2.46 tun_socket
      • 1.2.47 udp_socket
      • 1.2.48 unix_dgram_socket
      • 1.2.49 unix_stream_socket
    • 1.3 Database Object Classes
      • 1.3.1 db_blob
      • 1.3.2 db_column
      • 1.3.3 db_database
      • 1.3.4 db_procedure
      • 1.3.5 db_table
      • 1.3.6 db_tuple
    • 1.4 DBus Object Classes
      • 1.4.1 dbus
    • 1.5 MLS Context Translation Object Classes
      • 1.5.1 context
    • 1.6 NSCD Object Classes
      • 1.6.1 nscd
    • 1.7 Password Object Classes
      • 1.7.1 passwd
    • 1.8 X Server Object Classes
      • 1.8.1 x_application_data
      • 1.8.2 x_client
      • 1.8.3 x_colormap
      • 1.8.4 x_cursor
      • 1.8.5 x_device
      • 1.8.6 x_drawable
      • 1.8.7 x_event
      • 1.8.8 x_extension
      • 1.8.9 x_font
      • 1.8.10 x_gc
      • 1.8.11 x_keyboard
      • 1.8.12 x_pointer
      • 1.8.13 x_property
      • 1.8.14 x_resource
      • 1.8.15 x_screen
      • 1.8.16 x_selection
      • 1.8.17 x_server
      • 1.8.18 x_synthetic_event

SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).

The document has the following caveats:

  • The permission descriptions are only for providing a general idea of the purposes of the permissions; a permission may mediate many operations.
  • Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

| Permission | Description |
|---|---|
| create | Create a new database object. |
| drop | Remove a database object. |
| getattr | Get the attributes of a database object. |
| setattr | Set the attributes of a database object. |
| relabelfrom | Change the security context based on existing type. |
| relabelto | Change the security context based on the new type. |

common file

| Permission | Description |
|---|---|
| getattr | Get file attributes for file, such as access mode (e.g. stat, some ioctls, ...). |
| relabelto | Relabel to new security context. |
| unlink | Remove hard link (delete). |
| ioctl | IO control system call requests not addressed by other permissions. |
| execute | Execute. |
| append | Write to a file opened with O_APPEND. |
| read | Read file contents. |
| setattr | Change file attributes for file, such as access mode (e.g. chmod, some ioctls, ...). |
| swapon | Allows file to be used for paging/swapping space. |
| write | Write to a file. |
| lock | Set and unset file locks. |
| create | Create new file. |
| rename | Rename a file. |
| mounton | Use as mount point; only useful for directories and files in Linux. |
| quotaon | Use as a quota file. |
| relabelfrom | Relabel from old security context. |
| link | Create another hard link to file. |

common ipc

| Permission | Description |
|---|---|
| write | Write. |
| destroy | Destroy. |
| unix_write | Generic write access. |
| getattr | Get attributes, e.g. IPC_STAT *ctl operation. |
| create | Create. |
| read | Read. |
| setattr | Change attributes, e.g. IPC_SET. |
| unix_read | Generic read access. |
| associate | Associate a key. |

common socket

| Permission | Description |
|---|---|
| append | Write to open fd marked with O_APPEND. |
| relabelfrom | Change the security context based on existing type. |
| create | Create new socket. |
| read | Read from socket. |
| sendto | Send to socket. |
| connect | Initiate connection. |
| recvfrom | Legacy NetLabel check; obsoleted by peer recv. |
| send_msg | Legacy check; no longer present. |
| bind | Bind a name to the socket. |
| lock | Apply file lock on a socket. |
| ioctl | IO control system call requests not addressed by other permissions. |
| getattr | Get socket attributes, e.g. fstat. |
| write | Write to socket. |
| setopt | Set socket options. |
| getopt | Get socket options. |
| listen | Listen for connections. |
| setattr | Change socket attributes. |
| shutdown | Shutdown connection. |
| relabelto | Change the security context based on the new type. |
| recv_msg | Obsolete. |
| accept | Accept a connection. |
| name_bind | Associate with port or file; for AF_INET sockets, controls the relationship between a socket and its port number; for AF_UNIX sockets, controls the relationship between a socket and its file. |

common x_device

Permissions (no descriptions are given for this set): getattr, setattr, use, read, write, getfocus, setfocus, bell, force_cursor, freeze, grab, manage, list_property, get_property, set_property, add, remove.
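The "common" sets above and the "Inherits from: common ..." lines in the class tables that follow mirror the way classes are actually declared in the policy's access_vectors file: a `common NAME { ... }` block is declared once, and a `class NAME inherits NAME { ... }` block adds class-specific permissions to it. The parser below is an added example and is not code from this page or from the SELinux project. The excerpt it parses is constructed from permission names on this page (it is not a copy of any real policy tree), and the function names `parse_access_vectors` and `undefined_permissions` are my own. It expands inheritance so that each class ends up with the same full permission list the tables below spell out row by row, and it rejects a reference to an undeclared common set.

```python
"""Added example: parser for the access_vectors declaration format in which
SELinux object classes and their permissions are defined. Not code from the
page or from any SELinux project."""
import re
from typing import Dict, List, Optional

# Constructed excerpt in access_vectors syntax, built from permission names
# on this page. Illustration only, not a copy of a real policy file.
ACCESS_VECTORS_EXCERPT = """
# common permission sets are declared once and shared by several classes
common file
{
    ioctl read write create getattr setattr lock relabelfrom relabelto
    append unlink link rename execute swapon quotaon mounton
}

common socket
{
    ioctl read write create getattr setattr lock relabelfrom relabelto
    append bind connect listen accept getopt setopt shutdown
    recvfrom sendto recv_msg send_msg name_bind
}

class file
inherits file
{
    execute_no_trans
    entrypoint
    execmod
    open
}

class blk_file
inherits file
{
    open
}

class lnk_file
inherits file

class dir
inherits file
{
    add_name remove_name reparent search rmdir open
}

class netlink_audit_socket
inherits socket
{
    nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit
}

class fd
{
    use
}
"""


class AccessVectorsError(ValueError):
    """Malformed declaration or a reference to an undeclared common set."""


def _tokenize(text: str) -> List[str]:
    # Drop '#' comments, then split on whitespace; braces are always their own token.
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return re.findall(r"\{|\}|[^\s{}]+", no_comments)


def parse_access_vectors(text: str) -> Dict[str, List[str]]:
    """Return {class_name: [permissions]} with inherited common sets expanded first.

    A class may inherit a common set without adding a block of its own
    (lnk_file in the excerpt). Order follows declaration order.
    """
    tokens = _tokenize(text)
    commons: Dict[str, List[str]] = {}
    classes: Dict[str, List[str]] = {}
    pos = 0

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise AccessVectorsError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        return tok

    while pos < len(tokens):
        kind = take()
        if kind not in ("common", "class"):
            raise AccessVectorsError(f"expected 'common' or 'class', got {kind!r}")
        name = take()
        parent: Optional[str] = None
        if kind == "class" and pos < len(tokens) and tokens[pos] == "inherits":
            pos += 1
            parent = take()
        own: List[str] = []
        if pos < len(tokens) and tokens[pos] == "{":
            pos += 1
            while (tok := take()) != "}":  # take() raises on an unterminated block
                own.append(tok)
        if kind == "common":
            commons[name] = own
            continue
        inherited: List[str] = []
        if parent is not None:
            if parent not in commons:
                raise AccessVectorsError(f"class {name} inherits undeclared common {parent}")
            inherited = commons[parent]
        classes[name] = inherited + own
    return classes


def undefined_permissions(classes: Dict[str, List[str]], cls: str, requested: List[str]) -> List[str]:
    """Permissions in `requested` that class `cls` does not define, in request order.

    A pre-check for an allow rule: naming a permission the class lacks is a
    policy error, not a permission that will quietly be granted.
    """
    if cls not in classes:
        raise AccessVectorsError(f"unknown class {cls}")
    defined = set(classes[cls])
    return [p for p in requested if p not in defined]


if __name__ == "__main__":
    table = parse_access_vectors(ACCESS_VECTORS_EXCERPT)
    for cls, perms in table.items():
        print(f"{cls}: {' '.join(perms)}")
    print(undefined_permissions(table, "dir", ["search", "execute_no_trans"]))
```

The expanded list tells you only which permissions a class defines; whether a given permission is actually checked on a system still depends on the kernel version and policy capability columns in the tables below (for example `open` on the file classes is only enforced with the open_perms capability).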

Kernel Object Classes

appletalk_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.18+ |

association

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| sendto | Send to an IPSEC association. | 2.6.12+ |
| recvfrom | Receive from an IPSEC association. | 2.6.12+ |
| setcontext | Set the context of an IPSEC association on creation. | 2.6.16+ |
| polmatch | Match an IPSEC policy entry. | 2.6.19+ |

blk_file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr, relabelto, unlink, ioctl, execute, append, read, setattr, swapon, write, lock, create, rename, mounton, quotaon, relabelfrom, link | see common file | |
| open | Open a block device file. | 2.6.26+ / open_perms |

capability

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| chown | Override restrictions on changing file ownership and group ownership. | |
| dac_override | Override all DAC access restrictions. Checked before dac_read_search, so a dontaudit candidate. | |
| dac_read_search | Override DAC read/search access restrictions. | |
| fowner | Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies. | |
| fsetid | Override file owner and group requirements when setting setuid or setgid bits on a file. Can be checked as a side effect on chmod and write operations; dontaudit candidate. | |
| kill | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. | |
| setgid | Allow setgid(2) or setgroups(2) or forged gids on credentials passed over a socket. | |
| setuid | Allow set*uid(2). Allow passing of forged ids on credentials passed over a socket. | |
| setpcap | Add capability from bounding set to inheritable set, drop capability from bounding set, modify secure bits. | |
| linux_immutable | Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. | |
| net_bind_service | Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM. | |
| net_broadcast | Grant network broadcasting and listening to incoming multicasts. | |
| net_admin | Allows all networking configurations and modifications. See linux/capability.h for details. | |
| net_raw | Allows opening of raw sockets and packet sockets. | |
| ipc_lock | Allow locking shared memory segments and mlock/mlockall. | |
| ipc_owner | Override IPC ownership checks. | |
| sys_module | Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl. | |
| sys_rawio | Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb. | |
| sys_chroot | Grant use of the chroot(2) call. | |
| sys_ptrace | Allow a ptrace of any process. | |
| sys_pacct | Allow modification of accounting for any process. | |
| sys_admin | Too many to list here (see /usr/include/linux/capability.h). | |
| sys_boot | Grant ability to reboot the system. | |
| sys_nice | Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process. | |
| sys_resource | Too many to list here (see /usr/include/linux/capability.h for details). | |
| sys_time | Grant permission to set system time and to set the real-time lock. | |
| sys_tty_config | Grant permission to configure tty devices. Allow vhangup(2) call on a tty. | |
| mknod | Grants permission to create character and block device nodes. | |
| lease | Grants ability to take leases on a file. For details on what leases are see fcntl(2). | |
| audit_write | Generate audit messages from user space. | 2.6.12+ |
| audit_control | Control kernel audit configuration/rules. Set login UID. | 2.6.12+ |
| setfcap | Set file capabilities. | 2.6.25+ |

capability2

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mac_override | Override MAC restrictions. Ignored by SELinux. | 2.6.25+ |
| mac_admin | Change MAC configuration. For SELinux, get/set raw security context values unknown to the current policy. | 2.6.25+ |
| syslog | Configure kernel syslog subsystem. | |
| wake_alarm | Trigger something that will wake the system. | |
| block_suspend | Prevent system suspends. | |

chr_file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr, relabelto, unlink, ioctl, execute, append, read, setattr, swapon, write, lock, create, rename, mounton, quotaon, relabelfrom, link | see common file | |
| execute_no_trans | Execute a file in the caller's domain. | 2.6.11+ |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | 2.6.11+ |
| execmod | Make executable a file mapping that has been modified by copy-on-write (text relocation). | 2.6.11+ |
| open | Open a character device file. | 2.6.26+ / open_perms |

dccp_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.20+ |
| connectto | Connect to server socket. | 2.6.20+ |
| newconn | Create new socket for connection. | 2.6.20+ |
| acceptfrom | Accept connection from client socket. | 2.6.20+ |
| node_bind | Ability to bind to a node. | 2.6.20+ |
| name_connect | Connect to a specific port number. | 2.6.20+ |

dir

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | N/A | |
| ioctl | see common file:ioctl | |
| execute | N/A | |
| append | N/A | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | N/A | |
| write | General write access; required for adding or removing. | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | N/A | |
| relabelfrom | see common file:relabelfrom | |
| link | N/A | |
| search | Search access. | |
| rmdir | Remove the directory. | |
| remove_name | Remove a file from the directory. | |
| reparent | Rename into a different parent directory (.. change). | |
| add_name | Add a file to the directory. | |
| open | Open a directory. | 2.6.26+ / open_perms |

fd

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| use | Permission to use an inherited file descriptor. | |

fifo_file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr, relabelto, unlink, ioctl, execute, append, read, setattr, swapon, write, lock, create, rename, mounton, quotaon, relabelfrom, link | see common file | |
| open | Open a FIFO. | 2.6.26+ / open_perms |

file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr, relabelto, unlink, ioctl, execute, append, read, setattr, swapon, write, lock, create, rename, mounton, quotaon, relabelfrom, link | see common file | |
| execute_no_trans | Execute a file in the caller's domain. | |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | |
| execmod | Make executable a file mapping that has been modified by copy-on-write (text relocation). | 2.6.11+ |
| open | Open a file. | 2.6.26+ / open_perms |

filesystem

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mount | Mount the filesystem. | |
| remount | Change filesystem mount flags. | |
| unmount | Unmount the filesystem. | |
| getattr | Get file attributes, such as access mode (e.g. stat, some ioctls, ...). | |
| relabelfrom | Change the security context based on existing type. | |
| relabelto | Change the security context based on the new type. | |
| transition | Transition to a new SID (change security context). | |
| associate | Associate a file to the filesystem. | |
| quotamod | Modify quota information. | |
| quotaget | Get quota information. | |

ipc

Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write, destroy, unix_write, getattr, create, read, setattr, unix_read, associate | see common ipc | |

kernel_service

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| use_as_override | Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process. | 2.6.29+ |
| create_files_as | Grant a process the right to nominate a file creation label for a kernel service to use. | 2.6.29+ |

key

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| view | | 2.6.18+ |
| read | | 2.6.18+ |
| write | | 2.6.18+ |
| search | | 2.6.18+ |
| link | | 2.6.18+ |
| setattr | | 2.6.18+ |
| create | | 2.6.18+ |

key_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | |

lnk_file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr, relabelto, unlink, ioctl, execute, append, read, setattr, swapon, write, lock, create, rename, mounton, quotaon, relabelfrom, link | see common file | |

memprotect

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mmap_zero | Mmap the first page of memory. | 2.6.23+ |

msg

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| receive | Remove a message from a queue. | |
| send | Add a message to a queue. | |

msgq

Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write, destroy, unix_write, getattr, create, read, setattr, unix_read, associate | see common ipc | |
| enqueue | Message can be added to a queue. | |

netif

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| ingress | | 2.6.25+ / network_peer_controls |
| egress | | 2.6.25+ / network_peer_controls |

netlink_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | |

netlink_audit_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read audit subsystem state (e.g. AUDIT_GET). | 2.6.8+ |
| nlmsg_write | Write audit subsystem state (e.g. AUDIT_SET). | 2.6.8+ |
| nlmsg_relay | Send user space audit messages to the kernel audit system. | 2.6.12+ |
| nlmsg_readpriv | Read security-sensitive audit subsystem state. | 2.6.12+ |
| nlmsg_tty_audit | Control TTY auditing. | 2.6.30+ |

netlink_dnrt_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |

netlink_firewall_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read firewall configuration state. | 2.6.8+ |
| nlmsg_write | Write firewall configuration state. | 2.6.8+ |

netlink_ip6fw_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_kobject_uevent_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.12+ |

netlink_nflog_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |

netlink_route_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read route configuration state. | 2.6.8+ |
| nlmsg_write | Write route configuration state. | 2.6.8+ |

netlink_selinux_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |

netlink_tcpdiag_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read tcp diagnostics. | 2.6.8+ |
| nlmsg_write | Unused. | 2.6.8+ |

netlink_xfrm_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | 2.6.8+ |
| nlmsg_read | Read xfrm configuration state. | 2.6.8+ |
| nlmsg_write | Write xfrm configuration state. | 2.6.8+ |

node

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| enforce_dest | Ensure that the destination node can enforce restrictions on the destination socket. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| recvfrom | | 2.6.25+ / network_peer_controls |
| sendto | | 2.6.25+ / network_peer_controls |

packet

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| send | Send a packet. | 2.6.18+ |
| receive | Receive a packet. | 2.6.18+ |
| relabelto | Set a labeling rule to the specified type. | 2.6.18+ |
| flow_in | Deprecated. | 2.6.25+ |
| flow_out | Deprecated. | 2.6.25+ |
| forward_in | | 2.6.25+ |
| forward_out | | 2.6.25+ |

packet_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append, relabelfrom, create, read, sendto, connect, recvfrom, send_msg, bind, lock, ioctl, getattr, write, setopt, getopt, listen, setattr, shutdown, relabelto, recv_msg, accept, name_bind | see common socket | |

peer

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| recv | Receive from a labeled networking peer. | 2.6.25+ / network_peer_controls |

process

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| fork | Fork into two processes. | |
| transition | Transition to a new context on exec(). | |
| sigchld | Send SIGCHLD signal. | |
| sigkill | Send SIGKILL signal. | |
| sigstop | Send SIGSTOP signal. | |
| signull | Test for existence of another process without sending a signal. | |
| signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. | |
| ptrace | Attach to another process for tracing. | |
| getsched | Get priority of a process. | |
| setsched | Set priority of a process. | |
| getsession | Get session ID of another process. | |
| getpgid | Get group Process ID of a process. | |
| setpgid | Set group Process ID of a process. | |
| getcap | Get Linux capabilities. | |
| setcap | Set Linux capabilities. | |
| share | Allow state sharing with cloned or forked process. | |
| getattr | Get attributes of a file. | |
| setexec | Override the default context for the next exec(). | |
| setfscreate | Override the default context for file creation. | |
| setrlimit | Change process hard limits. | |
| noatsecure | Disable secure mode environment cleansing (AT_SECURE). | v.16+ |
| siginh | Inherit signal state from caller. | v.16+ |
| rlimitinh | Inherit resource limits from caller. | v.16+ |
| dyntransition | Dynamically transition to a new context. | 2.6.11+ |
| setcurrent | Set the current process context. | 2.6.11+ |
| execmem | Make executable an anonymous mapping or private file mapping that is writable. | 2.6.13+ |
| execstack | Make the main process stack executable. | 2.6.13+ |
| execheap | Make the heap executable. | 2.6.13+ |
| setkeycreate | Override the default context for key creation. | 2.6.18+ |
| setsockcreate | Override the default context for socket creation. | 2.6.18+ |

rawip_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |
| node_bind | Ability to bind to a node. | v.17+ |

security

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| compute_user | Get user info in selinuxfs. | |
| compute_relabel | Get relabel info in selinuxfs. | |
| compute_create | Get create info in selinuxfs. | |
| compute_av | Compute an access vector given a source/target/class. | |
| compute_member | Determines the context to use when selecting a member of a polyinstantiated object. | |
| setenforce | Change the enforcement state of SELinux. | |
| check_context | Write context in selinuxfs. | |
| load_policy | Load the security policy. | |
| setbool | Set a boolean value. | 2.6.5+ |
| setsecparam | Set kernel access vector cache tuning parameters. | 2.6.11+ |
| setcheckreqprot | Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. | 2.6.12+ |

sem

Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |

shm

Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |
| lock | (Un)lock page(s) in memory. | |

sock_file

Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| open | Open a named socket file. | 2.6.26+ / open_perms |

socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

system

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| ipc_info | Get info for an ipc socket. | |
| syslog_mod | Perform syslog operation other than syslog_read or console logging. | |
| syslog_read | Perform syslog read. | |
| syslog_console | Perform syslog console. | |

tcp_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |
| connectto | Connect to server socket. | |
| newconn | Create new socket for connection. | |
| acceptfrom | Accept connection from client socket. | |
| node_bind | Ability to bind to a node. | 2.6.2+ |
| name_connect | Connect to a specific port number. | 2.6.12+ |

tun_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.32+ |
| relabelfrom | see common socket:relabelfrom | 2.6.32+ |
| create | see common socket:create | 2.6.32+ |
| read | see common socket:read | 2.6.32+ |
| sendto | see common socket:sendto | 2.6.32+ |
| connect | see common socket:connect | 2.6.32+ |
| recvfrom | see common socket:recvfrom | 2.6.32+ |
| send_msg | see common socket:send_msg | 2.6.32+ |
| bind | see common socket:bind | 2.6.32+ |
| lock | see common socket:lock | 2.6.32+ |
| ioctl | see common socket:ioctl | 2.6.32+ |
| getattr | see common socket:getattr | 2.6.32+ |
| write | see common socket:write | 2.6.32+ |
| setopt | see common socket:setopt | 2.6.32+ |
| getopt | see common socket:getopt | 2.6.32+ |
| listen | see common socket:listen | 2.6.32+ |
| setattr | see common socket:setattr | 2.6.32+ |
| shutdown | see common socket:shutdown | 2.6.32+ |
| relabelto | see common socket:relabelto | 2.6.32+ |
| recv_msg | see common socket:recv_msg | 2.6.32+ |
| accept | see common socket:accept | 2.6.32+ |
| name_bind | see common socket:name_bind | 2.6.32+ |

udp_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |
| node_bind | Ability to bind to a node. | 2.6.2+ |

unix_dgram_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

unix_stream_socket

Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |
| connectto | Connect to server socket. | |
| newconn | Create new socket for connection. | |
| acceptfrom | Accept connection from client socket. | |

Database Object Classes

db_blob

Inherits from: common database

| Permission | Description |
|---|---|
| read | Read a blob. |
| write | Write a blob. |
| import | Import a blob. |
| export | Export a blob. |

db_column

Inherits from: common database

| Permission | Description |
|---|---|
| use | Deprecated |
| select | |
| update | |
| insert | |

db_database

Inherits from: common database

| Permission | Description |
|---|---|
| access | |
| install_module | |
| load_module | |
| get_param | Deprecated |
| set_param | Deprecated |

db_procedure

Inherits from: common database

| Permission | Description |
|---|---|
| execute | Execute a stored procedure. |
| entrypoint | |
| install | |

db_table

Inherits from: common database

| Permission | Description |
|---|---|
| use | Deprecated |
| select | |
| update | |
| insert | |
| delete | |
| lock | |

db_tuple

| Permission | Description |
|---|---|
| relabelfrom | |
| relabelto | |
| use | Deprecated |
| select | |
| update | |
| insert | |
| delete | |

DBus Object Classes

dbus

| Permission | Description |
|---|---|
| acquire_svc | |
| send_msg | Send a message on the bus. |

MLS Context Translation Object Classes

context

| Permission | Description |
|---|---|
| translate | Translate a raw MLS label. |
| contains | Calculate a MLS subset. |

NSCD Object Classes

nscd

| Permission | Description |
|---|---|
| getpwd | |
| getgrp | |
| gethost | |
| getstat | |
| admin | |
| shmempwd | |
| shmemgrp | |
| shmemhost | |
| getserv | |
| shmemserv | |

Password Object Classes

passwd

| Permission | Description |
|---|---|
| passwd | Update user password. |
| chfn | Change finger information, e.g. real name, work room and phone, and home phone. |
| chsh | Change login shell. |
| rootok | Allow update if the user is root and the process has the rootok PAM permission. |
| crontab | crontab on another user. |

X Server Object Classes

x_application_data

| Permission | Description |
|---|---|
| paste | |
| paste_after_confirm | |
| copy | |

x_client

| Permission | Description |
|---|---|
| destroy | Close down a client. |
| getattr | Get the attributes of an X client. |
| setattr | Set the attributes of an X client. |
| manage | |

x_colormap

| Permission | Description |
|---|---|
| create | Create a new Colormap. |
| destroy | Free a Colormap. |
| read | Read color cells of colormap. |
| write | |
| getattr | Get the color gamut of a screen. |
| add_color | |
| remove_color | |
| install | Copy a virtual colormap into the display hardware. |
| uninstall | Remove a virtual colormap from the display hardware. |
| use | |

x_cursor

| Permission | Description |
|---|---|
| create | Create an arbitrary cursor object. |
| destroy | Delete a cursor object. |
| read | |
| write | |
| getattr | Get attributes of the cursor. |
| setattr | Set attributes of the cursor. |
| use | Associate a cursor object with a window. |

x_device

Inherits from: common x_device

| Permission | Description |
|---|---|
| getattr | see common x_device: getattr |
| setattr | see common x_device: setattr |
| use | see common x_device: use |
| read | see common x_device: read |
| write | see common x_device: write |
| getfocus | see common x_device: getfocus |
| setfocus | see common x_device: setfocus |
| bell | see common x_device: bell |
| force_cursor | see common x_device: force_cursor |
| freeze | see common x_device: freeze |
| grab | see common x_device: grab |
| manage | see common x_device: manage |
| list_property | see common x_device: list_property |
| get_property | see common x_device: get_property |
| set_property | see common x_device: set_property |
| add | see common x_device: add |
| remove | see common x_device: remove |

x_drawable

| Permission | Description |
|---|---|
| create | Create a Drawable object. |
| destroy | Destroy a Drawable. |
| read | |
| write | |
| blend | |
| getattr | Get attributes of a Drawable object. |
| setattr | Set attributes of a Drawable object. |
| list_child | |
| add_child | |
| remove_child | |
| list_property | |
| get_property | |
| set_property | |
| manage | |
| override | |
| show | |
| hide | |
| send | |
| receive | |

x_event

| Permission | Description |
|---|---|
| send | |
| receive | |

x_extension

| Permission | Description |
|---|---|
| query | |
| use | |

x_font

| Permission | Description |
|---|---|
| create | Load a font. |
| destroy | Free (dereference) a font. |
| getattr | Obtain font names, path, etc. |
| add_glyph | |
| remove_glyph | |
| use | Use a font for drawing. |

x_gc

| Permission | Description |
|---|---|
| create | Create a Graphics Context object. |
| destroy | Free (dereference) a Graphics Context object. |
| getattr | Get attributes of a Graphics Context object. |
| setattr | Set attributes of a Graphics Context object. |
| use | |

x_keyboard

Inherits from: common x_device

| Permission | Description |
|---|---|
| getattr | see common x_device: getattr |
| setattr | see common x_device: setattr |
| use | see common x_device: use |
| read | see common x_device: read |
| write | see common x_device: write |
| getfocus | see common x_device: getfocus |
| setfocus | see common x_device: setfocus |
| bell | see common x_device: bell |
| force_cursor | see common x_device: force_cursor |
| freeze | see common x_device: freeze |
| grab | see common x_device: grab |
| manage | see common x_device: manage |
| list_property | see common x_device: list_property |
| get_property | see common x_device: get_property |
| set_property | see common x_device: set_property |
| add | see common x_device: add |
| remove | see common x_device: remove |

x_pointer

Inherits from: common x_device

| Permission | Description |
|---|---|
| getattr | see common x_device: getattr |
| setattr | see common x_device: setattr |
| use | see common x_device: use |
| read | see common x_device: read |
| write | see common x_device: write |
| getfocus | see common x_device: getfocus |
| setfocus | see common x_device: setfocus |
| bell | see common x_device: bell |
| force_cursor | see common x_device: force_cursor |
| freeze | see common x_device: freeze |
| grab | see common x_device: grab |
| manage | see common x_device: manage |
| list_property | see common x_device: list_property |
| get_property | see common x_device: get_property |
| set_property | see common x_device: set_property |
| add | see common x_device: add |
| remove | see common x_device: remove |

x_property

| Permission | Description |
|---|---|
| create | Create a property object. |
| destroy | Free (dereference) a property object. |
| read | Read a property. |
| write | Write a property. |
| append | Append to a property. |
| getattr | Get the attributes of a property. |
| setattr | Set the attributes of a property. |

x_resource

| Permission | Description |
|---|---|
| read | |
| write | |

x_screen

| Permission | Description |
|---|---|
| getattr | |
| setattr | |
| hide_cursor | |
| show_cursor | |
| saver_getattr | |
| saver_setattr | |
| saver_hide | |
| saver_show | |

x_selection

| Permission | Description |
|---|---|
| read | |
| write | |
| getattr | |
| setattr | |

x_server

| Permission | Description |
|---|---|
| getattr | |
| setattr | |
| record | |
| debug | |
| grab | |
| manage | |

x_synthetic_event

| Permission | Description |
|---|---|
| send | |
| receive | |