diff options
author | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
---|---|---|
committer | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
commit | 47be9ff57e72906660bb62a515222f482131e1fb (patch) | |
tree | 2cb0ef0ba48d73b1df7cc0915754a17e19464bb6 /apol/perm_maps/apol_perm_mapping_ver17 | |
download | setools-master.tar.gz setools-master.tar.xz setools-master.zip |
Create setools-3.3.7 git repomaster
Diffstat (limited to 'apol/perm_maps/apol_perm_mapping_ver17')
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver17 | 561 |
1 files changed, 561 insertions, 0 deletions
diff --git a/apol/perm_maps/apol_perm_mapping_ver17 b/apol/perm_maps/apol_perm_mapping_ver17 new file mode 100644 index 0000000..648b538 --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver17 @@ -0,0 +1,561 @@ +# This is a permission map file for use in policy analysis. This +# file maps object permissions (read, getattr, setattr, ..., etc.) +# for an object class, to exactly one of the following: read, write, +# both, or none. This file may be edited as long as the specific +# syntax rules are obeyed. +# +# For each object class, there is a set of object permissions that are +# individually mapped to read, write, both, or none. If a new object +# class is added, make sure that the current number of object classes +# is increased. +# +# The syntax for an object class definition is: +# class <class_name> <num_permissions> +# +# This is followed by each permission and its individual mapping to one +# of the following: +# +# r = Read +# w = Write +# n = None +# b = Both +# +# Additionally, you can choose to follow the mapping with an optional +# permission weight value from 1 (less importance) to 10 (higher importance). +# 10 is the default weight value if one is not provided. +# +# Look to the examples below for further clarification. +# +# Number of object classes. +41 + +class security 9 + compute_av n 1 + compute_create n 1 + compute_member n 1 + check_context n 1 + load_policy n 1 + compute_relabel n 1 + compute_user n 1 + setenforce n 1 + setbool n 1 + +class process 23 + fork n 1 + transition w 1 + sigchld w 1 + sigkill w 1 + sigstop w 1 + signull n 1 + signal w 5 + ptrace b 10 + getsched r 1 + setsched w 1 + getsession r 1 + getpgid r 1 + setpgid w 5 + getcap r 3 + setcap w 1 + share b 1 + getattr r 1 + setexec w 1 + setfscreate w 1 + noatsecure n 1 + siginh n 1 + setrlimit n 1 + rlimitinh n 1 + + +class system 4 + ipc_info n 1 + syslog_read n 1 + syslog_mod n 1 + syslog_console n 1 + +class capability 29 + net_bind_service n 1 + sys_module n 1 + sys_admin n 3 + fowner n 1 + net_raw n 1 + setuid n 1 + sys_chroot n 1 + lease n 1 + net_admin n 1 + ipc_owner n 1 + fsetid n 1 + sys_resource n 1 + sys_rawio n 1 + sys_ptrace n 1 + sys_nice n 1 + setpcap n 3 + kill n 1 + sys_pacct n 1 + sys_boot n 1 + dac_override n 1 + setgid n 3 + net_broadcast n 1 + chown n 3 + sys_tty_config n 1 + linux_immutable n 1 + sys_time n 1 + ipc_lock n 1 + mknod n 1 + dac_read_search n 1 + +class filesystem 10 + remount w 1 + relabelfrom r 10 + getattr r 1 + relabelto w 10 + mount w 1 + transition w 1 + quotaget r 1 + quotamod w 1 + unmount w 1 + associate n 1 + +class file 19 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + entrypoint r 1 + getattr r 7 + relabelto w 10 + unlink w 1 + execute_no_trans r 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + +class dir 22 + mounton b 1 + search r 1 + link w 1 + quotaon b 1 + append w 1 + swapon b 1 + rmdir b 1 + create w 1 + ioctl n 1 + getattr r 7 + remove_name w 1 + rename w 5 + read r 10 + write w 10 + relabelfrom r 10 + execute r 1 + relabelto w 10 + lock n 1 + setattr w 7 + reparent w 1 + add_name w 5 + unlink w 1 + +class fd 1 + use b 1 + +class lnk_file 17 + relabelfrom r 10 + append w 1 + ioctl n 1 + swapon b 1 + create w 1 + read r 10 + write w 10 + rename w 1 + mounton b 1 + quotaon b 1 + lock n 1 + relabelto w 10 + getattr r 7 + unlink w 1 + execute r 1 + link w 1 + setattr w 7 + +class chr_file 17 + append w 1 + swapon b 1 + mounton b 1 + quotaon b 1 + create w 1 + rename w 5 + ioctl n 1 + getattr r 7 + link w 1 + write w 10 + execute r 1 + relabelto w 10 + setattr w 7 + relabelfrom r 10 + read r 10 + unlink w 1 + lock n 1 + +class blk_file 17 + getattr r 7 + relabelto w 10 + unlink w 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + +class sock_file 17 + setattr w 7 + rename w 1 + ioctl n 1 + link w 1 + write w 10 + mounton b 1 + relabelto w 10 + quotaon b 1 + read r 10 + unlink w 1 + append w 1 + lock n 1 + getattr r 7 + swapon b 1 + relabelfrom r 10 + execute r 1 + create w 1 + +class fifo_file 17 + relabelto w 10 + getattr r 7 + lock n 1 + execute r 1 + unlink w 1 + ioctl n 1 + setattr w 7 + append w 1 + write w 10 + swapon b 1 + create w 1 + link w 1 + rename w 5 + relabelfrom r 10 + mounton b 1 + quotaon b 1 + read r 10 + +class socket 22 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + +class tcp_socket 26 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class node 7 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + enforce_dest n 1 + udp_recv r 10 + udp_send w 10 + +class netif 6 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + +class netlink_socket 22 + listen r 1 + accept r 1 + read r 10 + setattr w 7 + append w 1 + bind w 1 + lock n 1 + shutdown w 1 + recv_msg r 10 + create w 1 + sendto w 10 + relabelto w 10 + ioctl n 1 + name_bind n 1 + connect w 1 + write w 10 + recvfrom r 10 + send_msg w 10 + relabelfrom r 10 + setopt w 1 + getattr r 7 + getopt r 1 + +class packet_socket 22 + setattr w 7 + read r 10 + relabelto w 10 + shutdown w 1 + name_bind n 1 + recv_msg r 10 + setopt w 1 + bind w 1 + lock n 1 + ioctl n 1 + getopt r 1 + connect w 1 + relabelfrom r 10 + listen r 1 + write w 10 + accept r 1 + append w 1 + recvfrom r 10 + send_msg w 10 + getattr r 7 + create w 1 + sendto w 10 + +class key_socket 22 + connect w 1 + setopt w 1 + relabelto w 10 + read r 10 + name_bind n 1 + getopt r 1 + getattr r 7 + recvfrom r 10 + send_msg w 10 + bind w 1 + listen r 1 + lock n 1 + accept r 1 + append w 1 + setattr w 7 + ioctl n 1 + create w 1 + sendto w 10 + relabelfrom r 10 + write w 10 + shutdown w 1 + recv_msg r 10 + +class unix_stream_socket 25 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + connectto w 1 + newconn w 1 + recvfrom r 10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + +class unix_dgram_socket 22 + connect w 1 + getopt r 1 + listen r 1 + relabelto w 10 + name_bind n 1 + accept r 1 + shutdown w 1 + getattr r 7 + recv_msg r 10 + append w 1 + read r 10 + create w 1 + sendto w 10 + ioctl n 1 + setattr w 7 + bind w 1 + lock n 1 + recvfrom r 10 + send_msg w 10 + write w 10 + relabelfrom r 10 + setopt w 1 + +class sem 9 + unix_read r 3 + associate n 1 + create w 1 + destroy w 1 + getattr r 1 + read r 10 + setattr w 1 + write w 10 + unix_write w 3 + +class msg 2 + receive r 10 + send w 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + associate n 1 + setattr w 1 + +class shm 10 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + lock w 1 + associate n 1 + setattr w 1 + create w 1 + +class ipc 9 + write w 10 + destroy w 1 + unix_write w 3 + getattr r 1 + create w 1 + read r 10 + setattr w 1 + unix_read r 3 + associate n 1 + +class passwd 4 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + |