SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).

The document has the following caveats:

- The permission descriptions are only for providing a general idea of the purposes of the permissions; a permission may mediate many operations.
- Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

| Permission | Description |
| --- | --- |
| create | Create a new database object. |
| drop | Remove a database object. |
| getattr | Get the attributes of a database object. |
| setattr | Set the attributes of a database object. |
| relabelfrom | Change the security context based on existing type. |
| relabelto | Change the security context based on the new type. |

common file

| Permission | Description |
| --- | --- |
| getattr | Get file attributes for file, such as access mode. (e.g. stat, some ioctls, ...) |
| relabelto | Relabel to new security context. |
| unlink | Remove hard link (delete). |
| ioctl | IO control system call requests not addressed by other permissions. |
| execute | Execute. |
| append | Write to a file opened with O_APPEND. |
| read | Read file contents. |
| setattr | Change file attributes for file such as access mode. (e.g. chmod, some ioctls, ...) |
| swapon | Allows file to be used for paging/swapping space. |
| write | Write to a file. |
| lock | Set and unset file locks. |
| create | Create new file. |
| rename | Rename a file. |
| mounton | Use as mount point; only useful for directories and files in Linux. |
| quotaon | Use as a quota file. |
| relabelfrom | Relabel from old security context. |
| link | Create another hard link to file. |

common ipc

| Permission | Description |
| --- | --- |
| write | Write. |
| destroy | Destroy. |
| unix_write | Generic write access. |
| getattr | Get attributes, e.g. IPC_STAT *ctl operation. |
| create | Create. |
| read | Read. |
| setattr | Change attributes, e.g. IPC_SET. |
| unix_read | Generic read access. |
| associate | Associate a key. |

common socket

| Permission | Description |
| --- | --- |
| append | Write to open fd marked with O_APPEND. |
| relabelfrom | Change the security context based on existing type. |
| create | Create new socket. |
| read | Read from socket. |
| sendto | Send to socket. |
| connect | Initiate connection. |
| recvfrom | Legacy NetLabel check; obsoleted by peer recv. |
| send_msg | Legacy check; no longer present. |
| bind | Bind a name to the socket. |
| lock | Apply file lock on a socket. |
| ioctl | IO control system call requests not addressed by other permissions. |
| getattr | Get socket attributes, e.g. fstat. |
| write | Write to socket. |
| setopt | Set socket options. |
| getopt | Get socket options. |
| listen | Listen for connections. |
| setattr | Change socket attributes. |
| shutdown | Shutdown connection. |
| relabelto | Change the security context based on the new type. |
| recv_msg | Obsolete. |
| accept | Accept a connection. |
| name_bind | Associate with port or file; for AF_INET sockets, controls relationship between a socket and its port number; for AF_UNIX sockets, controls relationship between a socket and its file. |

common x_device

| Permission | Description |
| --- | --- |
| getattr | |
| setattr | |
| use | |
| read | |
| write | |
| getfocus | |
| setfocus | |
| bell | |
| force_cursor | |
| freeze | |
| grab | |
| manage | |
| list_property | |
| get_property | |
| set_property | |
| add | |
| remove | |

Kernel Object Classes
appletalk_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.18+ |
| relabelfrom | see common socket:relabelfrom | 2.6.18+ |
| create | see common socket:create | 2.6.18+ |
| read | see common socket:read | 2.6.18+ |
| sendto | see common socket:sendto | 2.6.18+ |
| connect | see common socket:connect | 2.6.18+ |
| recvfrom | see common socket:recvfrom | 2.6.18+ |
| send_msg | see common socket:send_msg | 2.6.18+ |
| bind | see common socket:bind | 2.6.18+ |
| lock | see common socket:lock | 2.6.18+ |
| ioctl | see common socket:ioctl | 2.6.18+ |
| getattr | see common socket:getattr | 2.6.18+ |
| write | see common socket:write | 2.6.18+ |
| setopt | see common socket:setopt | 2.6.18+ |
| getopt | see common socket:getopt | 2.6.18+ |
| listen | see common socket:listen | 2.6.18+ |
| setattr | see common socket:setattr | 2.6.18+ |
| shutdown | see common socket:shutdown | 2.6.18+ |
| relabelto | see common socket:relabelto | 2.6.18+ |
| recv_msg | see common socket:recv_msg | 2.6.18+ |
| accept | see common socket:accept | 2.6.18+ |
| name_bind | see common socket:name_bind | 2.6.18+ |

association

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| sendto | Send to an IPSEC association. | 2.6.12+ |
| recvfrom | Receive from an IPSEC association. | 2.6.12+ |
| setcontext | Set the context of an IPSEC association on creation. | 2.6.16+ |
| polmatch | Match an IPSEC policy entry. | 2.6.19+ |

blk_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| open | Open a block device file. | 2.6.26+ / open_perms |

capability

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| chown | Override restrictions on changing file ownership and group ownership. | |
| dac_override | Override all DAC access restrictions. Checked before dac_read_search, so a dontaudit candidate. | |
| dac_read_search | Override DAC read/search access restrictions. | |
| fowner | Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies. | |
| fsetid | Override file owner and group requirements when setting setuid or setgid bits on a file. Can be checked as a side effect on chmod and write operations; dontaudit candidate. | |
| kill | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. | |
| setgid | Allow setgid(2) or setgroups(2) or forged gids on credentials passed over a socket. | |
| setuid | Allow set*uid(2). Allow passing of forged ids on credentials passed over a socket. | |
| setpcap | Add capability from bounding set to inheritable set, drop capability from bounding set, modify secure bits. | |
| linux_immutable | Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. | |
| net_bind_service | Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM. | |
| net_broadcast | Grant network broadcasting and listening to incoming multicasts. | |
| net_admin | Allows all networking configurations and modifications. See linux/capability.h for details. | |
| net_raw | Allows opening of raw sockets and packet sockets. | |
| ipc_lock | Allow locking shared memory segments and mlock/mlockall. | |
| ipc_owner | Override IPC ownership checks. | |
| sys_module | Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl. | |
| sys_rawio | Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb. | |
| sys_chroot | Grant use of the chroot(2) call. | |
| sys_ptrace | Allow a ptrace of any process. | |
| sys_pacct | Allow modification of accounting for any process. | |
| sys_admin | Too many to list here (see /usr/include/linux/capability.h). | |
| sys_boot | Grant ability to reboot the system. | |
| sys_nice | Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process. | |
| sys_resource | Too many to list here (see /usr/include/linux/capability.h for details). | |
| sys_time | Grant permission to set system time and to set the real-time lock. | |
| sys_tty_config | Grant permission to configure tty devices. Allow vhangup(2) call on a tty. | |
| mknod | Grants permission to create character and block device nodes. | |
| lease | Grants ability to take leases on a file. For details on what leases are see fcntl(2). | |
| audit_write | Generate audit messages from user space. | 2.6.12+ |
| audit_control | Control kernel audit configuration/rules. Set login UID. | 2.6.12+ |
| setfcap | Set file capabilities. | 2.6.25+ |

capability2

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| mac_override | Override MAC restrictions. Ignored by SELinux. | 2.6.25+ |
| mac_admin | Change MAC configuration. For SELinux, get/set raw security context values unknown to the current policy. | 2.6.25+ |
| syslog | Configure kernel syslog subsystem. | |
| wake_alarm | Trigger something that will wake the system. | |
| block_suspend | Prevent system suspends. | |

chr_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| execute_no_trans | Execute a file in the caller's domain. | 2.6.11+ |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | 2.6.11+ |
| execmod | Make executable a file mapping that has been modified by copy-on-write. (Text relocation) | 2.6.11+ |
| open | Open a character device file. | 2.6.26+ / open_perms |

dccp_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.20+ |
| relabelfrom | see common socket:relabelfrom | 2.6.20+ |
| create | see common socket:create | 2.6.20+ |
| read | see common socket:read | 2.6.20+ |
| sendto | see common socket:sendto | 2.6.20+ |
| connect | see common socket:connect | 2.6.20+ |
| recvfrom | see common socket:recvfrom | 2.6.20+ |
| send_msg | see common socket:send_msg | 2.6.20+ |
| bind | see common socket:bind | 2.6.20+ |
| lock | see common socket:lock | 2.6.20+ |
| ioctl | see common socket:ioctl | 2.6.20+ |
| getattr | see common socket:getattr | 2.6.20+ |
| write | see common socket:write | 2.6.20+ |
| setopt | see common socket:setopt | 2.6.20+ |
| getopt | see common socket:getopt | 2.6.20+ |
| listen | see common socket:listen | 2.6.20+ |
| setattr | see common socket:setattr | 2.6.20+ |
| shutdown | see common socket:shutdown | 2.6.20+ |
| relabelto | see common socket:relabelto | 2.6.20+ |
| recv_msg | see common socket:recv_msg | 2.6.20+ |
| accept | see common socket:accept | 2.6.20+ |
| name_bind | see common socket:name_bind | 2.6.20+ |
| connectto | Connect to server socket. | 2.6.20+ |
| newconn | Create new socket for connection. | 2.6.20+ |
| acceptfrom | Accept connection from client socket. | 2.6.20+ |
| node_bind | Ability to bind to a node. | 2.6.20+ |
| name_connect | Connect to a specific port number. | 2.6.20+ |

dir
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | N/A | |
| ioctl | see common file:ioctl | |
| execute | N/A | |
| append | N/A | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | N/A | |
| write | General write access; required for adding or removing entries. | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | N/A | |
| relabelfrom | see common file:relabelfrom | |
| link | N/A | |
| search | Search access. | |
| rmdir | Remove the directory. | |
| remove_name | Remove a file from the directory. | |
| reparent | Rename into a different parent directory (.. change). | |
| add_name | Add a file to the directory. | |
| open | Open a directory. | 2.6.26+ / open_perms |

fd

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| use | Permission to use an inherited file descriptor. | |

fifo_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| open | Open a FIFO. | 2.6.26+ / open_perms |

file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| execute_no_trans | Execute a file in the caller's domain. | |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | |
| execmod | Make executable a file mapping that has been modified by copy-on-write. (Text relocation) | 2.6.11+ |
| open | Open a file. | 2.6.26+ / open_perms |

filesystem

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| mount | Mount the filesystem. | |
| remount | Change filesystem mount flags. | |
| unmount | Unmount the filesystem. | |
| getattr | Get file attributes, such as access mode. (e.g. stat, some ioctls, ...) | |
| relabelfrom | Change the security context based on existing type. | |
| relabelto | Change the security context based on the new type. | |
| transition | Transition to a new SID (change security context). | |
| associate | Associate a file to the filesystem. | |
| quotamod | Modify quota information. | |
| quotaget | Get quota information. | |

ipc
Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |

kernel_service

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| use_as_override | Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process. | 2.6.29+ |
| create_files_as | Grant a process the right to nominate a file creation label for a kernel service to use. | 2.6.29+ |

key

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| view | | 2.6.18+ |
| read | | 2.6.18+ |
| write | | 2.6.18+ |
| search | | 2.6.18+ |
| link | | 2.6.18+ |
| setattr | | 2.6.18+ |
| create | | 2.6.18+ |

key_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

lnk_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |

memprotect

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| mmap_zero | Mmap the first page of memory. | 2.6.23+ |

msg

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| receive | Remove a message from a queue. | |
| send | Add a message to a queue. | |

msgq
Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |
| enqueue | Message can be added to a queue. | |

netif

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| ingress | | 2.6.25+ / network_peer_controls |
| egress | | 2.6.25+ / network_peer_controls |

netlink_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

netlink_audit_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read audit subsystem state (e.g. AUDIT_GET). | 2.6.8+ |
| nlmsg_write | Write audit subsystem state (e.g. AUDIT_SET). | 2.6.8+ |
| nlmsg_relay | Send user space audit messages to the kernel audit system. | 2.6.12+ |
| nlmsg_readpriv | Read security-sensitive audit subsystem state. | 2.6.12+ |
| nlmsg_tty_audit | Control TTY auditing. | 2.6.30+ |

netlink_dnrt_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_firewall_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read firewall configuration state. | 2.6.8+ |
| nlmsg_write | Write firewall configuration state. | 2.6.8+ |

netlink_ip6fw_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_kobject_uevent_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.12+ |
| relabelfrom | see common socket:relabelfrom | 2.6.12+ |
| create | see common socket:create | 2.6.12+ |
| read | see common socket:read | 2.6.12+ |
| sendto | see common socket:sendto | 2.6.12+ |
| connect | see common socket:connect | 2.6.12+ |
| recvfrom | see common socket:recvfrom | 2.6.12+ |
| send_msg | see common socket:send_msg | 2.6.12+ |
| bind | see common socket:bind | 2.6.12+ |
| lock | see common socket:lock | 2.6.12+ |
| ioctl | see common socket:ioctl | 2.6.12+ |
| getattr | see common socket:getattr | 2.6.12+ |
| write | see common socket:write | 2.6.12+ |
| setopt | see common socket:setopt | 2.6.12+ |
| getopt | see common socket:getopt | 2.6.12+ |
| listen | see common socket:listen | 2.6.12+ |
| setattr | see common socket:setattr | 2.6.12+ |
| shutdown | see common socket:shutdown | 2.6.12+ |
| relabelto | see common socket:relabelto | 2.6.12+ |
| recv_msg | see common socket:recv_msg | 2.6.12+ |
| accept | see common socket:accept | 2.6.12+ |
| name_bind | see common socket:name_bind | 2.6.12+ |

netlink_nflog_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_route_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read route configuration state. | 2.6.8+ |
| nlmsg_write | Write route configuration state. | 2.6.8+ |

netlink_selinux_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_tcpdiag_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read TCP diagnostics. | 2.6.8+ |
| nlmsg_write | Unused. | 2.6.8+ |

netlink_xfrm_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read xfrm configuration state. | 2.6.8+ |
| nlmsg_write | Write xfrm configuration state. | 2.6.8+ |

node

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| enforce_dest | Ensure that the destination node can enforce restrictions on the destination socket. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| recvfrom | | 2.6.25+ / network_peer_controls |
| sendto | | 2.6.25+ / network_peer_controls |

packet

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| send | Send a packet. | 2.6.18+ |
| receive | Receive a packet. | 2.6.18+ |
| relabelto | Set a labeling rule to the specified type. | 2.6.18+ |
| flow_in | Deprecated. | 2.6.25+ |
| flow_out | Deprecated. | 2.6.25+ |
| forward_in | | 2.6.25+ |
| forward_out | | 2.6.25+ |

packet_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

peer

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| recv | Receive from a labeled networking peer. | 2.6.25+ / network_peer_controls |

process

| Permission | Description | Kernel Version/Capability |
| --- | --- | --- |
| fork | Fork into two processes. | |
| transition | Transition to a new context on exec(). | |
| sigchld | Send SIGCHLD signal. | |
| sigkill | Send SIGKILL signal. | |
| sigstop | Send SIGSTOP signal. | |
| signull | Test for existence of another process without sending a signal. | |
| signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. | |
| ptrace | Attach to another process for tracing. | |
| getsched | Get priority of a process. | |
| setsched | Set priority of a process. | |
| getsession | Get session ID of another process. | |
| getpgid | Get group Process ID of a process. | |
| setpgid | Set group Process ID of a process. | |
| getcap | Get Linux capabilities. | |
| setcap | Set Linux capabilities. | |
| share | Allow state sharing with cloned or forked process. | |
| getattr | Get attributes of a file. | |
| setexec | Override the default context for the next exec(). | |
| setfscreate | Override the default context for file creation. | |
| setrlimit | Change process hard limits. | |
| noatsecure | Disable secure mode environment cleansing (AT_SECURE). | v.16+ |
| siginh | Inherit signal state from caller. | v.16+ |
| rlimitinh | Inherit resource limits from caller. | v.16+ |
| dyntransition | Dynamically transition to a new context. | 2.6.11+ |
| setcurrent | Set the current process context. | 2.6.11+ |
| execmem | Make executable an anonymous mapping or private file mapping that is writable. | 2.6.13+ |
| execstack | Make the main process stack executable. | 2.6.13+ |
| execheap | Make the heap executable. | 2.6.13+ |
| setkeycreate | Override the default context for key creation. | 2.6.18+ |
| setsockcreate | Override the default context for socket creation. | 2.6.18+ |

rawip_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | v.17+

security
Permission | Description | Kernel Version/Capability
compute_user | Get user info in selinuxfs. |
compute_relabel | Get relabel info in selinuxfs. |
compute_create | Get create info in selinuxfs. |
compute_av | Compute an access vector given a source/target/class. |
compute_member | Determines the context to use when selecting a member of a polyinstantiated object. |
setenforce | Change the enforcement state of SELinux. |
check_context | Write context in selinuxfs. |
load_policy | Load the security policy. |
setbool | Set a boolean value. | 2.6.5+
setsecparam | Set kernel access vector cache tuning parameters. | 2.6.11+
setcheckreqprot | Set if SELinux will check original protection mode or modified protection mode (read-implies-exec) for mmap/mprotect. | 2.6.12+

sem
Inherits from: common ipc
Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |

shm
Inherits from: common ipc
Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |
lock | (Un)lock page(s) in memory. |

sock_file
Inherits from: common file
Permission | Description | Kernel Version/Capability
getattr | see common file:getattr |
relabelto | see common file:relabelto |
unlink | see common file:unlink |
ioctl | see common file:ioctl |
execute | see common file:execute |
append | see common file:append |
read | see common file:read |
setattr | see common file:setattr |
swapon | see common file:swapon |
write | see common file:write |
lock | see common file:lock |
create | see common file:create |
rename | see common file:rename |
mounton | see common file:mounton |
quotaon | see common file:quotaon |
relabelfrom | see common file:relabelfrom |
link | see common file:link |
open | Open a named socket file. | 2.6.26+ / open_perms

socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

system
Permission | Description | Kernel Version/Capability
ipc_info | Get info for an ipc socket. |
syslog_mod | Perform syslog operation other than syslog_read or console logging. |
syslog_read | Perform syslog read. |
syslog_console | Perform syslog console. |

tcp_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |
node_bind | Ability to bind to a node. | 2.6.2+
name_connect | Connect to a specific port number. | 2.6.12+

tun_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.32+
relabelfrom | see common socket:relabelfrom | 2.6.32+
create | see common socket:create | 2.6.32+
read | see common socket:read | 2.6.32+
sendto | see common socket:sendto | 2.6.32+
connect | see common socket:connect | 2.6.32+
recvfrom | see common socket:recvfrom | 2.6.32+
send_msg | see common socket:send_msg | 2.6.32+
bind | see common socket:bind | 2.6.32+
lock | see common socket:lock | 2.6.32+
ioctl | see common socket:ioctl | 2.6.32+
getattr | see common socket:getattr | 2.6.32+
write | see common socket:write | 2.6.32+
setopt | see common socket:setopt | 2.6.32+
getopt | see common socket:getopt | 2.6.32+
listen | see common socket:listen | 2.6.32+
setattr | see common socket:setattr | 2.6.32+
shutdown | see common socket:shutdown | 2.6.32+
relabelto | see common socket:relabelto | 2.6.32+
recv_msg | see common socket:recv_msg | 2.6.32+
accept | see common socket:accept | 2.6.32+
name_bind | see common socket:name_bind | 2.6.32+

udp_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | 2.6.2+

unix_dgram_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |

unix_stream_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |

Database Object Classes
db_blob
Inherits from: common database
Permission | Description
read | Read a blob.
write | Write a blob.
import | Import a blob.
export | Export a blob.

db_column
Inherits from: common database
Permission | Description
use | Deprecated
select |
update |
insert |

db_database
Inherits from: common database
Permission | Description
access |
install_module |
load_module |
get_param | Deprecated
set_param | Deprecated

db_procedure
Inherits from: common database
Permission | Description
execute | Execute a stored procedure.
entrypoint |
install |

db_table
Inherits from: common database
Permission | Description
use | Deprecated
select |
update |
insert |
delete |
lock |

db_tuple
Permission | Description
relabelfrom |
relabelto |
use | Deprecated
select |
update |
insert |
delete |

DBus Object Classes
dbus
Permission | Description
acquire_svc |
send_msg | Send a message on the bus.

MLS Context Translation Object Classes
context
Permission | Description
translate | Translate a raw MLS label.
contains | Calculate a MLS subset.

NSCD Object Classes
nscd
Permission | Description
getpwd |
getgrp |
gethost |
getstat |
admin |
shmempwd |
shmemgrp |
shmemhost |
getserv |
shmemserv |

Password Object Classes
passwd
Permission | Description
passwd | Update user password.
chfn | Change finger information, e.g. real name, work room and phone, and home phone.
chsh | Change login shell.
rootok | Allow update if the user is root and the process has the rootok PAM permission.
crontab | Run crontab on another user.

X Server Object Classes
x_application_data
Permission | Description
paste |
paste_after_confirm |
copy |

x_client
Permission | Description
destroy | Close down a client.
getattr | Get the attributes of an X client.
setattr | Set the attributes of an X client.
manage |

x_colormap
Permission | Description
create | Create a new Colormap.
destroy | Free a Colormap.
read | Read color cells of colormap.
write |
getattr | Get the color gamut of a screen.
add_color |
remove_color |
install | Copy a virtual colormap into the display hardware.
uninstall | Remove a virtual colormap from the display hardware.
use |

x_cursor
Permission | Description
create | Create an arbitrary cursor object.
destroy | Delete a cursor object.
read |
write |
getattr | Get attributes of the cursor.
setattr | Set attributes of the cursor.
use | Associate a cursor object with a window.

x_device
Inherits from: common x_device
Permission | Description
getattr | see common x_device: getattr
setattr | see common x_device: setattr
use | see common x_device: use
read | see common x_device: read
write | see common x_device: write
getfocus | see common x_device: getfocus
setfocus | see common x_device: setfocus
bell | see common x_device: bell
force_cursor | see common x_device: force_cursor
freeze | see common x_device: freeze
grab | see common x_device: grab
manage | see common x_device: manage
list_property | see common x_device: list_property
get_property | see common x_device: get_property
set_property | see common x_device: set_property
add | see common x_device: add
remove | see common x_device: remove

x_drawable
Permission | Description
create | Create a Drawable object.
destroy | Destroy a Drawable.
read |
write |
blend |
getattr | Get attributes of a Drawable object.
setattr | Set attributes of a Drawable object.
list_child |
add_child |
remove_child |
list_property |
get_property |
set_property |
manage |
override |
show |
hide |
send |
receive |

x_event
Permission | Description
send |
receive |

x_extension
Permission | Description
query |
use |

x_font
Permission | Description
create | Load a font.
destroy | Free (dereference) a font.
getattr | Obtain font names, path, etc.
add_glyph |
remove_glyph |
use | Use a font for drawing.

x_gc
Permission | Description
create | Create a Graphics Context object.
destroy | Free (dereference) a Graphics Context object.
getattr | Get attributes of a Graphics Context object.
setattr | Set attributes of a Graphics Context object.
use |

x_keyboard
Inherits from: common x_device
Permission | Description
getattr | see common x_device: getattr
setattr | see common x_device: setattr
use | see common x_device: use
read | see common x_device: read
write | see common x_device: write
getfocus | see common x_device: getfocus
setfocus | see common x_device: setfocus
bell | see common x_device: bell
force_cursor | see common x_device: force_cursor
freeze | see common x_device: freeze
grab | see common x_device: grab
manage | see common x_device: manage
list_property | see common x_device: list_property
get_property | see common x_device: get_property
set_property | see common x_device: set_property
add | see common x_device: add
remove | see common x_device: remove

x_pointer
Inherits from: common x_device
Permission | Description
getattr | see common x_device: getattr
setattr | see common x_device: setattr
use | see common x_device: use
read | see common x_device: read
write | see common x_device: write
getfocus | see common x_device: getfocus
setfocus | see common x_device: setfocus
bell | see common x_device: bell
force_cursor | see common x_device: force_cursor
freeze | see common x_device: freeze
grab | see common x_device: grab
manage | see common x_device: manage
list_property | see common x_device: list_property
get_property | see common x_device: get_property
set_property | see common x_device: set_property
add | see common x_device: add
remove | see common x_device: remove

x_property
Permission | Description
create | Create a property object.
destroy | Free (dereference) a property object.
read | Read a property.
write | Write a property.
append | Append to a property.
getattr | Get the attributes of a property.
setattr | Set the attributes of a property.

x_resource
Permission | Description
read |
write |

x_screen
Permission | Description
getattr |
setattr |
hide_cursor |
show_cursor |
saver_getattr |
saver_setattr |
saver_hide |
saver_show |

x_selection
Permission | Description
read |
write |
getattr |
setattr |

x_server
Permission | Description
getattr |
setattr |
record |
debug |
grab |
manage |

x_synthetic_event
Permission | Description
send |
receive |