author | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
committer | Miroslav Grepl <mgrepl@redhat.com> | 2014-04-11 09:37:53 +0200 |
commit | 47be9ff57e72906660bb62a515222f482131e1fb (patch) | |
tree | 2cb0ef0ba48d73b1df7cc0915754a17e19464bb6 /apol/perm_maps/apol_perm_mapping_ver24 | |
Create setools-3.3.7 git repomaster
Diffstat (limited to 'apol/perm_maps/apol_perm_mapping_ver24')
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver24 | 1227 |
1 files changed, 1227 insertions, 0 deletions
diff --git a/apol/perm_maps/apol_perm_mapping_ver24 b/apol/perm_maps/apol_perm_mapping_ver24
new file mode 100644
index 0000000..102ce04
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver24
@@ -0,0 +1,1227 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+77 + +class netlink_audit_socket 27 + nlmsg_relay w 10 + nlmsg_tty_audit w 10 + nlmsg_readpriv r 10 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class tcp_socket 27 + acceptfrom r 1 + connectto w 1 + node_bind n 1 + newconn w 1 + name_connect w 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class msgq 10 + enqueue w 1 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class x_property 7 + append w 10 + create w 1 + write w 10 + destroy w 1 + getattr r 7 + setattr w 7 + read r 10 + +class db_procedure 9 + execute r 1 + install w 10 + entrypoint r 1 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class dir 23 + rmdir b 1 + remove_name w 1 + add_name w 5 + reparent w 1 + search r 1 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class peer 1 + recv r 10 + +class blk_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class chr_file 21 + entrypoint r 1 + execmod n 1 + execute_no_trans r 1 + open n 1 + 
append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class db_table 12 + select n 1 + delete w 1 + update w 10 + insert w 10 + use r 10 + lock n 1 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class db_tuple 7 + select n 1 + delete w 1 + update w 10 + relabelfrom r 1 + insert w 10 + use r 10 + relabelto w 1 + +class dbus 2 + acquire_svc b 1 + send_msg w 10 + +class ipc 9 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class lnk_file 17 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 1 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class process 30 + getcap r 3 + setcap w 1 + sigstop w 1 + sigchld w 1 + share b 1 + execheap n 1 + setcurrent w 1 + setfscreate w 1 + setkeycreate w 1 + siginh n 1 + dyntransition w 10 + transition w 5 + fork n 1 + getsession r 1 + noatsecure n 1 + sigkill w 1 + signull n 1 + setrlimit n 1 + getattr r 1 + getsched r 1 + setexec w 1 + setsched w 1 + getpgid r 1 + setpgid w 5 + ptrace b 10 + execstack n 1 + rlimitinh n 1 + setsockcreate w 1 + signal w 5 + execmem n 1 + +class capability2 2 + mac_override n 1 + mac_admin n 1 + +class fd 1 + use b 1 + +class packet 7 + forward_out w 10 + flow_out w 10 + send w 10 + recv r 10 + forward_in r 10 + relabelto w 3 + flow_in r 10 + +class socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class 
fifo_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class file 21 + entrypoint r 1 + execmod n 1 + execute_no_trans r 1 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class node 11 + rawip_recv r 10 + tcp_recv r 10 + udp_recv r 10 + rawip_send w 10 + tcp_send w 10 + udp_send w 10 + dccp_recv r 10 + dccp_send w 10 + enforce_dest n 1 + sendto w 10 + recvfrom r 10 + +class x_cursor 7 + create w 1 + write w 10 + destroy w 1 + getattr r 7 + setattr w 7 + read r 10 + use r 1 + +class x_server 6 + record r 10 + getattr r 7 + grab w 1 + setattr w 7 + manage w 10 + debug b 10 + +class netlink_nflog_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class key 7 + create w 10 + write w 10 + view r 7 + link w 7 + setattr w 7 + read r 10 + search r 5 + +class netlink_tcpdiag_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class unix_stream_socket 25 + acceptfrom r 1 + connectto w 1 + newconn w 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 
10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_synthetic_event 2 + send w 10 + receive r 10 + +class db_database 11 + access b 10 + set_param w 7 + load_module r 10 + get_param r 7 + install_module r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class kernel_service 2 + create_files_as n 1 + use_as_override n 1 + +class netlink_route_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_extension 2 + use r 1 + query r 5 + +class shm 10 + lock w 1 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class x_resource 2 + write w 10 + read r 10 + +class netlink_selinux_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class capability 32 + setfcap n 1 + setpcap n 3 + fowner n 1 + sys_boot n 1 + sys_tty_config n 1 + net_raw n 1 + sys_admin n 3 + sys_chroot n 1 + sys_module n 1 + sys_rawio n 1 + dac_override n 1 + ipc_owner n 1 + kill n 1 + dac_read_search n 1 + sys_pacct n 1 + net_broadcast n 1 + net_bind_service n 1 + sys_nice n 1 + sys_time n 1 + fsetid n 1 + mknod n 1 + setgid n 3 + setuid n 1 + lease n 1 + net_admin n 1 + audit_write n 3 + linux_immutable n 1 + sys_ptrace n 1 + audit_control n 1 + ipc_lock n 1 + 
sys_resource n 1 + chown n 3 + +class netlink_ip6fw_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class dccp_socket 24 + node_bind n 1 + name_connect w 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netlink_firewall_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class sock_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 1 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class unix_dgram_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netlink_kobject_uevent_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + 
getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class db_blob 10 + write w 10 + export r 10 + import w 10 + read r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class filesystem 10 + associate n 1 + quotaget r 1 + relabelfrom r 10 + transition w 1 + getattr r 1 + quotamod w 1 + mount w 1 + remount w 1 + unmount w 1 + relabelto w 10 + +class netlink_xfrm_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_device 19 + get_property r 7 + list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus r 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 + +class netlink_dnrt_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_client 4 + destroy w 1 + getattr r 7 + setattr w 7 + manage w 10 + +class x_gc 5 + create w 1 + destroy w 1 + getattr r 7 + setattr w 7 + use r 1 + +class context 2 + contains n 1 + translate n 1 + +class nscd 10 + shmemserv r 7 + gethost r 7 + getstat r 7 + getgrp r 7 + shmemhost r 7 + shmempwd r 7 + getpwd r 7 + getserv r 7 + shmemgrp r 7 + admin w 5 + +class passwd 5 + chfn w 5 + crontab w 5 + passwd w 1 + chsh w 5 + rootok n 1 + +class x_event 2 + send w 10 + receive r 10 + +class x_font 6 + create w 1 + destroy w 1 + add_glyph 
w 1 + remove_glyph w 1 + getattr r 7 + use r 1 + +class key_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netif 10 + rawip_recv r 10 + tcp_recv r 10 + udp_recv r 10 + rawip_send w 10 + egress w 10 + ingress r 10 + tcp_send w 10 + udp_send w 10 + dccp_recv r 10 + dccp_send w 10 + +class packet_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class memprotect 1 + mmap_zero n 1 + +class msg 2 + send w 10 + receive r 10 + +class tun_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class udp_socket 23 + node_bind n 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class appletalk_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 1 + setattr w 1 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class 
x_colormap 10 + add_color w 10 + create w 1 + write w 10 + destroy w 1 + install w 1 + getattr r 7 + read r 10 + use r 1 + remove_color w 10 + uninstall w 1 + +class x_screen 8 + show_cursor w 1 + hide_cursor w 1 + saver_show w 1 + getattr r 7 + setattr w 7 + saver_hide w 1 + saver_getattr r 7 + saver_setattr w 7 + +class rawip_socket 23 + node_bind n 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 1 + setattr w 1 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_application_data 3 + paste w 10 +paste_after_confirm w 10 + copy r 10 + +class association 4 + setcontext w 3 + sendto w 10 + recvfrom r 10 + polmatch r 1 + +class x_selection 4 + write w 10 + getattr r 7 + setattr w 7 + read r 10 + +class db_column 10 + select r 10 + update w 10 + insert w 1 + use r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class netlink_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_drawable 19 + get_property r 7 + list_property r 7 + set_property w 7 + add_child w 1 + override n 1 + blend w 1 + send w 10 + create w 1 + hide w 1 + receive r 10 + write w 10 + show w 1 + destroy w 1 + list_child r 7 + getattr r 7 + setattr w 7 + read r 10 + manage w 10 + remove_child w 1 + +class sem 9 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class system 5 + module_request n 1 + ipc_info n 1 + syslog_read n 1 + syslog_console n 1 + syslog_mod n 1 + +class x_keyboard 19 + get_property r 7 
+ list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus w 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 + +class security 11 + compute_member n 1 + compute_user n 1 + compute_create n 1 + setenforce n 1 + check_context n 1 + setcheckreqprot n 1 + compute_relabel n 1 + setbool n 1 + load_policy n 1 + setsecparam n 1 + compute_av n 1 + +class x_pointer 19 + get_property r 7 + list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus w 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 |
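Review bot: `sendto r 10` in netlink_audit_socket, netlink_nflog_socket, netlink_tcpdiag_socket, netlink_route_socket, netlink_selinux_socket, netlink_ip6fw_socket, netlink_firewall_socket, netlink_xfrm_socket and netlink_dnrt_socket contradicts the `send_msg w 10` two lines below it in each of those classes and the `sendto w 10` used by socket, tcp_socket, udp_socket, netlink_kobject_uevent_socket and netlink_socket; unless this is deliberate, an information-flow query would presumably treat a domain that only sends on a netlink route socket as reading from it, so each of those lines should be `sendto w 10`. The same getter-versus-setter question applies to `getfocus w 1` in x_keyboard and x_pointer, where x_device maps the identical permission as `getfocus r 1`. In x_application_data the line `+paste_after_confirm w 10` lacks the single leading space every other permission line in the file carries; I cannot tell from here whether the map parser tolerates that, so it is at least worth normalising to `paste_after_confirm w 10` with the usual indent. The appletalk_socket and rawip_socket classes also weight getattr/setattr at 1 where every other socket class uses 7, which will rank those permissions differently in weighted flow results.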