path: root/apol/perm_maps/apol_perm_mapping_ver15
Diffstat (limited to 'apol/perm_maps/apol_perm_mapping_ver15')
-rw-r--r--apol/perm_maps/apol_perm_mapping_ver15580
1 files changed, 580 insertions, 0 deletions
diff --git a/apol/perm_maps/apol_perm_mapping_ver15 b/apol/perm_maps/apol_perm_mapping_ver15
new file mode 100644
index 0000000..689e91f
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver15
@@ -0,0 +1,580 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+30
+
+
+class blk_file 17
+ getattr r 7
+ relabelto w 10
+ unlink w 1
+ ioctl n 1
+ execute r 1
+ append w 1
+ read r 10
+ setattr w 7
+ swapon b 1
+ write w 10
+ lock n 1
+ create w 1
+ rename w 5
+ mounton b 1
+ quotaon b 1
+ relabelfrom r 10
+ link w 1
+
+
+class file 19
+ setattr w 7
+ swapon b 1
+ write w 10
+ lock n 1
+ create w 1
+ rename w 5
+ mounton b 1
+ quotaon b 1
+ relabelfrom r 10
+ link w 1
+ entrypoint r 1
+ getattr r 7
+ relabelto w 10
+ unlink w 1
+ execute_no_trans r 1
+ ioctl n 1
+ execute r 1
+ append w 1
+ read r 10
+
+
+class udp_socket 22
+ listen r 1
+ setattr w 7
+ shutdown w 1
+ relabelto w 10
+ recv_msg r 10
+ accept r 1
+ name_bind n 1
+ append w 1
+ relabelfrom r 10
+ create w 1
+ read r 10
+ sendto w 10
+ connect w 1
+ recvfrom r 10
+ send_msg w 10
+ bind w 1
+ lock n 1
+ ioctl n 1
+ getattr r 7
+ write w 10
+ setopt w 1
+ getopt r 1
+
+
+class socket 22
+ append w 1
+ relabelfrom r 10
+ create w 1
+ read r 10
+ sendto w 10
+ connect w 1
+ recvfrom r 10
+ send_msg w 10
+ bind w 1
+ lock n 1
+ ioctl n 1
+ getattr r 7
+ write w 10
+ setopt w 1
+ getopt r 1
+ listen r 1
+ setattr w 7
+ shutdown w 1
+ relabelto w 10
+ recv_msg r 10
+ accept r 1
+ name_bind n 1
+
+
+class passwd 3
+ passwd n 1
+ chfn w 5
+ chsh w 5
+
+
+class fifo_file 17
+ relabelto w 10
+ getattr r 7
+ lock n 1
+ execute r 1
+ unlink w 1
+ ioctl n 1
+ setattr w 7
+ append w 1
+ write w 10
+ swapon b 1
+ create w 1
+ link w 1
+ rename w 5
+ relabelfrom r 10
+ mounton b 1
+ quotaon b 1
+ read r 10
+
+
+class chr_file 17
+ append w 1
+ swapon b 1
+ mounton b 1
+ quotaon b 1
+ create w 1
+ rename w 5
+ ioctl n 1
+ getattr r 7
+ link w 1
+ write w 10
+ execute r 1
+ relabelto w 10
+ setattr w 7
+ relabelfrom r 10
+ read r 10
+ unlink w 1
+ lock n 1
+
+
+class netlink_socket 22
+ listen r 1
+ accept r 1
+ read r 10
+ setattr w 7
+ append w 1
+ bind w 1
+ lock n 1
+ shutdown w 1
+ recv_msg r 10
+ create w 1
+ sendto w 10
+ relabelto w 10
+ ioctl n 1
+ name_bind n 1
+ connect w 1
+ write w 10
+ recvfrom r 10
+ send_msg w 10
+ relabelfrom r 10
+ setopt w 1
+ getattr r 7
+ getopt r 1
+
+
+class unix_dgram_socket 22
+ connect w 1
+ getopt r 1
+ listen r 1
+ relabelto w 10
+ name_bind n 1
+ accept r 1
+ shutdown w 1
+ getattr r 7
+ recv_msg r 10
+ append w 1
+ read r 10
+ create w 1
+ sendto w 10
+ ioctl n 1
+ setattr w 7
+ bind w 1
+ lock n 1
+ recvfrom r 10
+ send_msg w 10
+ write w 10
+ relabelfrom r 10
+ setopt w 1
+
+
+class node 7
+ rawip_recv r 10
+ rawip_send w 10
+ tcp_recv r 10
+ tcp_send w 10
+ enforce_dest n 1
+ udp_recv r 10
+ udp_send w 10
+
+
+class netif 6
+ rawip_recv r 10
+ rawip_send w 10
+ tcp_recv r 10
+ tcp_send w 10
+ udp_recv r 10
+ udp_send w 10
+
+
+class unix_stream_socket 25
+ relabelto w 10
+ append w 1
+ name_bind n 1
+ setattr w 7
+ connectto w 1
+ newconn w 1
+ recvfrom r 10
+ create w 1
+ sendto w 10
+ send_msg w 10
+ read r 10
+ bind w 1
+ lock n 1
+ connect w 1
+ setopt w 1
+ acceptfrom r 1
+ getopt r 1
+ ioctl n 1
+ getattr r 7
+ shutdown w 1
+ recv_msg r 10
+ listen r 1
+ accept r 1
+ relabelfrom r 10
+ write w 10
+
+
+class tcp_socket 25
+ connectto w 1
+ newconn w 1
+ recvfrom r 10
+ create w 1
+ sendto w 10
+ send_msg w 10
+ read r 10
+ bind w 1
+ lock n 1
+ connect w 1
+ setopt w 1
+ acceptfrom r 1
+ getopt r 1
+ ioctl n 1
+ getattr r 7
+ shutdown w 1
+ recv_msg r 10
+ listen r 1
+ accept r 1
+ relabelfrom r 10
+ write w 10
+ relabelto w 10
+ append w 1
+ name_bind n 1
+ setattr w 7
+
+
+class dir 22
+ mounton b 1
+ search r 1
+ link w 1
+ quotaon b 1
+ append w 1
+ swapon b 1
+ rmdir b 1
+ create w 1
+ ioctl n 1
+ getattr r 7
+ remove_name w 1
+ rename w 5
+ read r 10
+ write w 10
+ relabelfrom r 10
+ execute r 1
+ relabelto w 10
+ lock n 1
+ setattr w 7
+ reparent w 1
+ add_name w 5
+ unlink w 1
+
+
+class shm 10
+ destroy w 1
+ write w 10
+ read r 10
+ getattr r 1
+ unix_write w 3
+ unix_read r 3
+ lock w 1
+ associate n 1
+ setattr w 1
+ create w 1
+
+
+class security 8
+ compute_user n 1
+ compute_relabel n 1
+ compute_create n 1
+ compute_av n 1
+ compute_member n 1
+ setenforce n 1
+ check_context n 1
+ load_policy n 1
+
+
+class packet_socket 22
+ setattr w 7
+ read r 10
+ relabelto w 10
+ shutdown w 1
+ name_bind n 1
+ recv_msg r 10
+ setopt w 1
+ bind w 1
+ lock n 1
+ ioctl n 1
+ getopt r 1
+ connect w 1
+ relabelfrom r 10
+ listen r 1
+ write w 10
+ accept r 1
+ append w 1
+ recvfrom r 10
+ send_msg w 10
+ getattr r 7
+ create w 1
+ sendto w 10
+
+
+class msgq 10
+ enqueue w 1
+ create w 1
+ destroy w 1
+ write w 10
+ read r 10
+ getattr r 1
+ unix_write w 3
+ unix_read r 3
+ associate n 1
+ setattr w 1
+
+
+class key_socket 22
+ connect w 1
+ setopt w 1
+ relabelto w 10
+ read r 10
+ name_bind n 1
+ getopt r 1
+ getattr r 7
+ recvfrom r 10
+ send_msg w 10
+ bind w 1
+ listen r 1
+ lock n 1
+ accept r 1
+ append w 1
+ setattr w 7
+ ioctl n 1
+ create w 1
+ sendto w 10
+ relabelfrom r 10
+ write w 10
+ shutdown w 1
+ recv_msg r 10
+
+
+class capability 29
+ net_bind_service n 1
+ sys_module n 1
+ sys_admin n 3
+ fowner n 1
+ net_raw n 1
+ setuid n 1
+ sys_chroot n 1
+ lease n 1
+ net_admin n 1
+ ipc_owner n 1
+ fsetid n 1
+ sys_resource n 1
+ sys_rawio n 1
+ sys_ptrace n 1
+ sys_nice n 1
+ setpcap n 3
+ kill n 1
+ sys_pacct n 1
+ sys_boot n 1
+ dac_override n 1
+ setgid n 3
+ net_broadcast n 1
+ chown n 3
+ sys_tty_config n 1
+ linux_immutable n 1
+ sys_time n 1
+ ipc_lock n 1
+ mknod n 1
+ dac_read_search n 1
+
+
+class fd 1
+ use b 1
+
+
+class rawip_socket 22
+ lock n 1
+ write w 10
+ getattr r 1
+ recvfrom r 10
+ send_msg w 10
+ setopt w 1
+ setattr w 1
+ getopt r 1
+ relabelto w 10
+ listen r 1
+ name_bind n 1
+ accept r 1
+ append w 1
+ shutdown w 1
+ recv_msg r 10
+ relabelfrom r 10
+ read r 10
+ ioctl n 1
+ connect w 1
+ create w 1
+ sendto w 10
+ bind w 1
+
+
+class ipc 9
+ write w 10
+ destroy w 1
+ unix_write w 3
+ getattr r 1
+ create w 1
+ read r 10
+ setattr w 1
+ unix_read r 3
+ associate n 1
+
+
+class lnk_file 17
+ relabelfrom r 10
+ append w 1
+ ioctl n 1
+ swapon b 1
+ create w 1
+ read r 10
+ write w 10
+ rename w 1
+ mounton b 1
+ quotaon b 1
+ lock n 1
+ relabelto w 10
+ getattr r 7
+ unlink w 1
+ execute r 1
+ link w 1
+ setattr w 7
+
+
+class system 4
+ ipc_info n 1
+ syslog_mod n 1
+ syslog_read n 1
+ syslog_console n 1
+
+
+class sem 9
+ unix_read r 3
+ associate n 1
+ create w 1
+ destroy w 1
+ getattr r 1
+ read r 10
+ setattr w 1
+ write w 10
+ unix_write w 3
+
+
+class filesystem 10
+ remount w 1
+ relabelfrom r 10
+ getattr r 1
+ relabelto w 10
+ mount w 1
+ transition w 1
+ quotaget r 1
+ quotamod w 1
+ unmount w 1
+ associate n 1
+
+
+class sock_file 17
+ setattr w 7
+ rename w 1
+ ioctl n 1
+ link w 1
+ write w 10
+ mounton b 1
+ relabelto w 10
+ quotaon b 1
+ read r 10
+ unlink w 1
+ append w 1
+ lock n 1
+ getattr r 7
+ swapon b 1
+ relabelfrom r 10
+ execute r 1
+ create w 1
+
+
+class process 20
+ noatsecure n 1
+ getsched r 1
+ signull n 1
+ sigstop w 1
+ getattr r 1
+ share b 1
+ getpgid r 1
+ signal w 5
+ setcap w 1
+ sigchld w 1
+ setexec w 1
+ getcap r 3
+ getsession r 1
+ setsched w 1
+ fork n 1
+ ptrace b 10
+ sigkill w 1
+ setpgid w 5
+ transition w 1
+ setfscreate w 1
+
+
+class msg 2
+ receive r 10
+ send w 10
+
+
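Review bot: A few weights break the pattern the parallel classes establish, and nothing in the file says whether that is intent or a typo: `rename w 1` in lnk_file and sock_file versus `rename w 5` in blk_file, file, fifo_file, chr_file and dir, and `getattr r 1` / `setattr w 1` in rawip_socket versus `getattr r 7` / `setattr w 7` in every other socket class. If these are deliberate, a `#` comment beside each line would stop the next editor from "correcting" them; if not, aligning them avoids under-weighting those flows when the map is used for information-flow analysis. The capability class maps every permission, including sys_ptrace, dac_override and dac_read_search, to `n`, so capability-mediated access never appears as a read or write flow — presumably by design, but that is worth one sentence in the header comment so the exclusion is visible to anyone extending the map. The declared class count (30) and each class's declared permission count do match the entries that follow.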