Diffstat (limited to 'apol/perm_maps')
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver12 | 575 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver15 | 580 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver16 | 560 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver17 | 561 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver18 | 922 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver19 | 952 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver20 | 993 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver21 | 998 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver22 | 998 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver23 | 998 | ||||
-rw-r--r-- | apol/perm_maps/apol_perm_mapping_ver24 | 1227 |
11 files changed, 9364 insertions, 0 deletions
diff --git a/apol/perm_maps/apol_perm_mapping_ver12 b/apol/perm_maps/apol_perm_mapping_ver12
new file mode 100644
index 0000000..7e3df06
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver12
@@ -0,0 +1,575 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+29 + + +class blk_file 17 + getattr r 7 + relabelto w 10 + unlink w 1 + ioctl n 1 + execute r 0 + append w 1 + read r 10 + setattr w 7 + swapon b 0 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + + +class file 19 + setattr w 7 + swapon b 0 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + entrypoint r 0 + getattr r 7 + relabelto w 10 + unlink w 1 + execute_no_trans r 0 + ioctl n 1 + execute r 0 + append w 1 + read r 10 + + +class udp_socket 22 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + + +class socket 22 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + listen r 0 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + + +class fifo_file 17 + relabelto w 10 + getattr r 7 + lock n 1 + execute r 0 + unlink w 1 + ioctl n 1 + setattr w 7 + append w 1 + write w 10 + swapon b 0 + create w 1 + link w 1 + rename w 5 + relabelfrom r 10 + mounton b 1 + quotaon b 1 + read r 10 + + +class chr_file 17 + append w 1 + swapon b 0 + mounton b 1 + quotaon b 1 + create w 1 + rename w 5 + ioctl n 1 + getattr r 7 + link w 1 + write w 10 + execute r 0 + relabelto w 10 + setattr w 7 + relabelfrom r 10 + read r 10 + unlink w 1 + lock n 1 + + +class netlink_socket 22 + listen r 1 + accept r 1 + read r 10 + setattr w 7 + append w 1 + bind w 1 + lock n 1 + shutdown w 1 + recv_msg r 10 + create w 1 + sendto w 10 + relabelto w 10 + ioctl n 1 + name_bind n 1 + connect w 1 + write w 10 + recvfrom r 10 + send_msg w 10 + 
relabelfrom r 10 + setopt w 1 + getattr r 7 + getopt r 1 + + +class unix_dgram_socket 22 + connect w 1 + getopt r 1 + listen r 1 + relabelto w 10 + name_bind n 1 + accept r 1 + shutdown w 1 + getattr r 7 + recv_msg r 10 + append w 1 + read r 10 + create w 1 + sendto w 10 + ioctl n 1 + setattr w 7 + bind w 1 + lock n 1 + recvfrom r 10 + send_msg w 10 + write w 10 + relabelfrom r 10 + setopt w 1 + + +class node 7 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + enforce_dest n 1 + udp_recv r 10 + udp_send w 10 + + +class netif 6 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + + +class unix_stream_socket 25 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + connectto w 1 + newconn w 1 + recvfrom r 10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + + +class tcp_socket 25 + connectto w 1 + newconn w 1 + recvfrom r 10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + + +class dir 22 + mounton b 1 + search r 1 + link w 1 + quotaon b 1 + append w 1 + swapon b 0 + rmdir b 1 + create w 1 + ioctl n 1 + getattr r 7 + remove_name w 1 + rename w 5 + read r 10 + write w 10 + relabelfrom r 10 + execute r 0 + relabelto w 10 + lock n 1 + setattr w 7 + reparent w 1 + add_name w 5 + unlink w 1 + + +class shm 10 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + lock w 1 + associate n 0 + setattr w 1 + create w 1 + + +class security 9 + change_sid n 1 + transition_sid n 1 + sid_to_context n 1 + member_sid n 1 + 
get_user_sids n 1 + compute_av n 1 + load_policy n 1 + get_sids n 1 + context_to_sid n 1 + + +class packet_socket 22 + setattr w 7 + read r 10 + relabelto w 10 + shutdown w 1 + name_bind n 1 + recv_msg r 10 + setopt w 1 + bind w 1 + lock n 1 + ioctl n 1 + getopt r 1 + connect w 1 + relabelfrom r 10 + listen r 1 + write w 10 + accept r 1 + append w 1 + recvfrom r 10 + send_msg w 10 + getattr r 7 + create w 1 + sendto w 10 + + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + associate n 0 + setattr w 1 + + +class key_socket 22 + connect w 1 + setopt w 1 + relabelto w 10 + read r 10 + name_bind n 1 + getopt r 1 + getattr r 7 + recvfrom r 10 + send_msg w 10 + bind w 1 + listen r 1 + lock n 1 + accept r 1 + append w 1 + setattr w 7 + ioctl n 1 + create w 1 + sendto w 10 + relabelfrom r 10 + write w 10 + shutdown w 1 + recv_msg r 10 + + +class capability 29 + net_bind_service n 1 + sys_module n 0 + sys_admin n 3 + fowner n 1 + net_raw n 1 + setuid n 1 + sys_chroot n 1 + lease n 1 + net_admin n 1 + ipc_owner n 1 + fsetid n 1 + sys_resource n 1 + sys_rawio n 1 + sys_ptrace n 1 + sys_nice n 1 + setpcap n 3 + kill n 1 + sys_pacct n 1 + sys_boot n 1 + dac_override n 1 + setgid n 3 + net_broadcast n 1 + chown n 3 + sys_tty_config n 1 + linux_immutable n 1 + sys_time n 1 + ipc_lock n 1 + mknod n 1 + dac_read_search n 1 + + +class fd 1 + use b 1 + + +class rawip_socket 22 + lock n 1 + write w 10 + getattr r 1 + recvfrom r 10 + send_msg w 10 + setopt w 1 + setattr w 1 + getopt r 1 + relabelto w 10 + listen r 1 + name_bind n 1 + accept r 1 + append w 1 + shutdown w 1 + recv_msg r 10 + relabelfrom r 10 + read r 10 + ioctl n 1 + connect w 1 + create w 1 + sendto w 10 + bind w 1 + + +class ipc 9 + write w 10 + destroy w 1 + unix_write w 3 + getattr r 1 + create w 1 + read r 10 + setattr w 1 + unix_read r 3 + associate n 1 + + +class lnk_file 17 + relabelfrom r 10 + append w 1 + ioctl n 1 + swapon b 0 + 
create w 1 + read r 10 + write w 10 + rename w 1 + mounton b 1 + quotaon b 1 + lock n 1 + relabelto w 10 + getattr r 7 + unlink w 1 + execute r 0 + link w 1 + setattr w 7 + + +class system 8 + ipc_info n 1 + syslog_mod n 1 + syslog_read n 1 + syslog_console n 1 + nfsd_control n 1 + avc_toggle n 1 + bdflush n 1 + ichsid n 1 + + +class sem 9 + unix_read r 3 + associate n 1 + create w 1 + destroy w 1 + getattr r 1 + read r 10 + setattr w 1 + write w 10 + unix_write w 3 + + +class filesystem 10 + remount w 1 + relabelfrom r 10 + getattr r 1 + relabelto w 10 + mount w 1 + transition w 1 + quotaget r 1 + quotamod w 1 + unmount w 1 + associate n 1 + + +class sock_file 17 + setattr w 7 + rename w 1 + ioctl n 1 + link w 1 + write w 10 + mounton b 1 + relabelto w 10 + quotaon b 1 + read r 10 + unlink w 1 + append w 1 + lock n 1 + getattr r 7 + swapon b 0 + relabelfrom r 10 + execute r 0 + create w 1 + + +class process 16 + getsched r 1 + signull n 1 + sigstop w 1 + share b 1 + getpgid r 1 + signal w 5 + setcap w 1 + sigchld w 1 + getcap r 3 + getsession r 1 + setsched w 1 + fork n 1 + ptrace b 10 + sigkill w 1 + setpgid w 5 + transition w 1 + + +class msg 2 + receive r 10 + send w 10 + + diff --git a/apol/perm_maps/apol_perm_mapping_ver15 b/apol/perm_maps/apol_perm_mapping_ver15 new file mode 100644 index 0000000..689e91f --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver15 
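Review bot: Several mappings in this file carry a weight of 0 — `execute r 0` and `swapon b 0` across the file classes (blk_file, file, fifo_file, chr_file, dir, lnk_file, sock_file), `entrypoint r 0` and `execute_no_trans r 0` in file, `listen r 0` in socket, `sys_module n 0` in capability and `associate n 0` in shm and msgq — while the header comment states the optional weight ranges from 1 to 10. A loader that validates the documented range would reject the file, and one that does not would presumably treat these permissions as weightless in an information-flow analysis, which for `execute` on a file understates a read-side flow. The ver15 map in this same commit gives all of these weight 1 and maps socket `listen r 1`, so the ver12 values look like an oversight rather than intent; either raise them to 1 or extend the header comment to say what a weight of 0 means.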
@@ -0,0 +1,580 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+30 + + +class blk_file 17 + getattr r 7 + relabelto w 10 + unlink w 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + + +class file 19 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + entrypoint r 1 + getattr r 7 + relabelto w 10 + unlink w 1 + execute_no_trans r 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + + +class udp_socket 22 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + + +class socket 22 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + + +class passwd 3 + passwd n 1 + chfn w 5 + chsh w 5 + + +class fifo_file 17 + relabelto w 10 + getattr r 7 + lock n 1 + execute r 1 + unlink w 1 + ioctl n 1 + setattr w 7 + append w 1 + write w 10 + swapon b 1 + create w 1 + link w 1 + rename w 5 + relabelfrom r 10 + mounton b 1 + quotaon b 1 + read r 10 + + +class chr_file 17 + append w 1 + swapon b 1 + mounton b 1 + quotaon b 1 + create w 1 + rename w 5 + ioctl n 1 + getattr r 7 + link w 1 + write w 10 + execute r 1 + relabelto w 10 + setattr w 7 + relabelfrom r 10 + read r 10 + unlink w 1 + lock n 1 + + +class netlink_socket 22 + listen r 1 + accept r 1 + read r 10 + setattr w 7 + append w 1 + bind w 1 + lock n 1 + shutdown w 1 + recv_msg r 10 + create w 1 + sendto w 10 + relabelto w 10 + ioctl n 1 + name_bind n 1 + connect 
w 1 + write w 10 + recvfrom r 10 + send_msg w 10 + relabelfrom r 10 + setopt w 1 + getattr r 7 + getopt r 1 + + +class unix_dgram_socket 22 + connect w 1 + getopt r 1 + listen r 1 + relabelto w 10 + name_bind n 1 + accept r 1 + shutdown w 1 + getattr r 7 + recv_msg r 10 + append w 1 + read r 10 + create w 1 + sendto w 10 + ioctl n 1 + setattr w 7 + bind w 1 + lock n 1 + recvfrom r 10 + send_msg w 10 + write w 10 + relabelfrom r 10 + setopt w 1 + + +class node 7 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + enforce_dest n 1 + udp_recv r 10 + udp_send w 10 + + +class netif 6 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + + +class unix_stream_socket 25 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + connectto w 1 + newconn w 1 + recvfrom r 10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + + +class tcp_socket 25 + connectto w 1 + newconn w 1 + recvfrom r 10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + + +class dir 22 + mounton b 1 + search r 1 + link w 1 + quotaon b 1 + append w 1 + swapon b 1 + rmdir b 1 + create w 1 + ioctl n 1 + getattr r 7 + remove_name w 1 + rename w 5 + read r 10 + write w 10 + relabelfrom r 10 + execute r 1 + relabelto w 10 + lock n 1 + setattr w 7 + reparent w 1 + add_name w 5 + unlink w 1 + + +class shm 10 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + lock w 1 + associate n 1 + setattr w 1 + create w 1 + + +class security 8 + compute_user n 1 + 
compute_relabel n 1 + compute_create n 1 + compute_av n 1 + compute_member n 1 + setenforce n 1 + check_context n 1 + load_policy n 1 + + +class packet_socket 22 + setattr w 7 + read r 10 + relabelto w 10 + shutdown w 1 + name_bind n 1 + recv_msg r 10 + setopt w 1 + bind w 1 + lock n 1 + ioctl n 1 + getopt r 1 + connect w 1 + relabelfrom r 10 + listen r 1 + write w 10 + accept r 1 + append w 1 + recvfrom r 10 + send_msg w 10 + getattr r 7 + create w 1 + sendto w 10 + + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + associate n 1 + setattr w 1 + + +class key_socket 22 + connect w 1 + setopt w 1 + relabelto w 10 + read r 10 + name_bind n 1 + getopt r 1 + getattr r 7 + recvfrom r 10 + send_msg w 10 + bind w 1 + listen r 1 + lock n 1 + accept r 1 + append w 1 + setattr w 7 + ioctl n 1 + create w 1 + sendto w 10 + relabelfrom r 10 + write w 10 + shutdown w 1 + recv_msg r 10 + + +class capability 29 + net_bind_service n 1 + sys_module n 1 + sys_admin n 3 + fowner n 1 + net_raw n 1 + setuid n 1 + sys_chroot n 1 + lease n 1 + net_admin n 1 + ipc_owner n 1 + fsetid n 1 + sys_resource n 1 + sys_rawio n 1 + sys_ptrace n 1 + sys_nice n 1 + setpcap n 3 + kill n 1 + sys_pacct n 1 + sys_boot n 1 + dac_override n 1 + setgid n 3 + net_broadcast n 1 + chown n 3 + sys_tty_config n 1 + linux_immutable n 1 + sys_time n 1 + ipc_lock n 1 + mknod n 1 + dac_read_search n 1 + + +class fd 1 + use b 1 + + +class rawip_socket 22 + lock n 1 + write w 10 + getattr r 1 + recvfrom r 10 + send_msg w 10 + setopt w 1 + setattr w 1 + getopt r 1 + relabelto w 10 + listen r 1 + name_bind n 1 + accept r 1 + append w 1 + shutdown w 1 + recv_msg r 10 + relabelfrom r 10 + read r 10 + ioctl n 1 + connect w 1 + create w 1 + sendto w 10 + bind w 1 + + +class ipc 9 + write w 10 + destroy w 1 + unix_write w 3 + getattr r 1 + create w 1 + read r 10 + setattr w 1 + unix_read r 3 + associate n 1 + + +class lnk_file 17 + relabelfrom r 
10 + append w 1 + ioctl n 1 + swapon b 1 + create w 1 + read r 10 + write w 10 + rename w 1 + mounton b 1 + quotaon b 1 + lock n 1 + relabelto w 10 + getattr r 7 + unlink w 1 + execute r 1 + link w 1 + setattr w 7 + + +class system 4 + ipc_info n 1 + syslog_mod n 1 + syslog_read n 1 + syslog_console n 1 + + +class sem 9 + unix_read r 3 + associate n 1 + create w 1 + destroy w 1 + getattr r 1 + read r 10 + setattr w 1 + write w 10 + unix_write w 3 + + +class filesystem 10 + remount w 1 + relabelfrom r 10 + getattr r 1 + relabelto w 10 + mount w 1 + transition w 1 + quotaget r 1 + quotamod w 1 + unmount w 1 + associate n 1 + + +class sock_file 17 + setattr w 7 + rename w 1 + ioctl n 1 + link w 1 + write w 10 + mounton b 1 + relabelto w 10 + quotaon b 1 + read r 10 + unlink w 1 + append w 1 + lock n 1 + getattr r 7 + swapon b 1 + relabelfrom r 10 + execute r 1 + create w 1 + + +class process 20 + noatsecure n 1 + getsched r 1 + signull n 1 + sigstop w 1 + getattr r 1 + share b 1 + getpgid r 1 + signal w 5 + setcap w 1 + sigchld w 1 + setexec w 1 + getcap r 3 + getsession r 1 + setsched w 1 + fork n 1 + ptrace b 10 + sigkill w 1 + setpgid w 5 + transition w 1 + setfscreate w 1 + + +class msg 2 + receive r 10 + send w 10 + + diff --git a/apol/perm_maps/apol_perm_mapping_ver16 b/apol/perm_maps/apol_perm_mapping_ver16 new file mode 100644 index 0000000..a62fb77 --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver16 
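Review bot: In the new `passwd` class, `passwd n 1` maps the password-change permission to none while its siblings `chfn w 5` and `chsh w 5` are mapped as writes; a domain allowed `passwd` modifies the same credential store those two do, so mapping it to none drops that edge from any flow analysis built on this map. The ver16 map later in this commit maps it `passwd w 1`, which suggests the ver15 value is the one to revisit. Mapping it `passwd w 5` would make the three entries consistent with each other.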
@@ -0,0 +1,560 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+30 + +class security 9 + compute_av n 1 + compute_create n 1 + compute_member n 1 + check_context n 1 + load_policy n 1 + compute_relabel n 1 + compute_user n 1 + setenforce n 1 + setbool n 1 + +class process 23 + fork n 1 + transition w 1 + sigchld w 1 + sigkill w 1 + sigstop w 1 + signull n 1 + signal w 5 + ptrace b 10 + getsched r 1 + setsched w 1 + getsession r 1 + getpgid r 1 + setpgid w 5 + getcap r 3 + setcap w 1 + share b 1 + getattr r 1 + setexec w 1 + setfscreate w 1 + noatsecure n 1 + siginh n 1 + setrlimit n 1 + rlimitinh n 1 + + +class system 4 + ipc_info n 1 + syslog_read n 1 + syslog_mod n 1 + syslog_console n 1 + +class capability 29 + net_bind_service n 1 + sys_module n 1 + sys_admin n 3 + fowner n 1 + net_raw n 1 + setuid n 1 + sys_chroot n 1 + lease n 1 + net_admin n 1 + ipc_owner n 1 + fsetid n 1 + sys_resource n 1 + sys_rawio n 1 + sys_ptrace n 1 + sys_nice n 1 + setpcap n 3 + kill n 1 + sys_pacct n 1 + sys_boot n 1 + dac_override n 1 + setgid n 3 + net_broadcast n 1 + chown n 3 + sys_tty_config n 1 + linux_immutable n 1 + sys_time n 1 + ipc_lock n 1 + mknod n 1 + dac_read_search n 1 + +class filesystem 10 + remount w 1 + relabelfrom r 10 + getattr r 1 + relabelto w 10 + mount w 1 + transition w 1 + quotaget r 1 + quotamod w 1 + unmount w 1 + associate n 1 + +class file 19 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + entrypoint r 1 + getattr r 7 + relabelto w 10 + unlink w 1 + execute_no_trans r 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + +class dir 22 + mounton b 1 + search r 1 + link w 1 + quotaon b 1 + append w 1 + swapon b 1 + rmdir b 1 + create w 1 + ioctl n 1 + getattr r 7 + remove_name w 1 + rename w 5 + read r 10 + write w 10 + relabelfrom r 10 + execute r 1 + relabelto w 10 + lock n 1 + setattr w 7 + reparent w 1 + add_name w 5 + unlink w 1 + +class fd 1 + use b 1 + +class lnk_file 17 + relabelfrom r 10 + append w 1 + ioctl n 1 + 
swapon b 1 + create w 1 + read r 10 + write w 10 + rename w 1 + mounton b 1 + quotaon b 1 + lock n 1 + relabelto w 10 + getattr r 7 + unlink w 1 + execute r 1 + link w 1 + setattr w 7 + +class chr_file 17 + append w 1 + swapon b 1 + mounton b 1 + quotaon b 1 + create w 1 + rename w 5 + ioctl n 1 + getattr r 7 + link w 1 + write w 10 + execute r 1 + relabelto w 10 + setattr w 7 + relabelfrom r 10 + read r 10 + unlink w 1 + lock n 1 + +class blk_file 17 + getattr r 7 + relabelto w 10 + unlink w 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + +class sock_file 17 + setattr w 7 + rename w 1 + ioctl n 1 + link w 1 + write w 10 + mounton b 1 + relabelto w 10 + quotaon b 1 + read r 10 + unlink w 1 + append w 1 + lock n 1 + getattr r 7 + swapon b 1 + relabelfrom r 10 + execute r 1 + create w 1 + +class fifo_file 17 + relabelto w 10 + getattr r 7 + lock n 1 + execute r 1 + unlink w 1 + ioctl n 1 + setattr w 7 + append w 1 + write w 10 + swapon b 1 + create w 1 + link w 1 + rename w 5 + relabelfrom r 10 + mounton b 1 + quotaon b 1 + read r 10 + +class socket 22 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + +class tcp_socket 26 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 
1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class node 7 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + enforce_dest n 1 + udp_recv r 10 + udp_send w 10 + +class netif 6 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + +class netlink_socket 22 + listen r 1 + accept r 1 + read r 10 + setattr w 7 + append w 1 + bind w 1 + lock n 1 + shutdown w 1 + recv_msg r 10 + create w 1 + sendto w 10 + relabelto w 10 + ioctl n 1 + name_bind n 1 + connect w 1 + write w 10 + recvfrom r 10 + send_msg w 10 + relabelfrom r 10 + setopt w 1 + getattr r 7 + getopt r 1 + +class packet_socket 22 + setattr w 7 + read r 10 + relabelto w 10 + shutdown w 1 + name_bind n 1 + recv_msg r 10 + setopt w 1 + bind w 1 + lock n 1 + ioctl n 1 + getopt r 1 + connect w 1 + relabelfrom r 10 + listen r 1 + write w 10 + accept r 1 + append w 1 + recvfrom r 10 + send_msg w 10 + getattr r 7 + create w 1 + sendto w 10 + +class key_socket 22 + connect w 1 + setopt w 1 + relabelto w 10 + read r 10 + name_bind n 1 + getopt r 1 + getattr r 7 + recvfrom r 10 + send_msg w 10 + bind w 1 + listen r 1 + lock n 1 + accept r 1 + append w 1 + setattr w 7 + ioctl n 1 + create w 1 + sendto w 10 + relabelfrom r 10 + write w 10 + shutdown w 1 + recv_msg r 10 + +class unix_stream_socket 25 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + connectto w 1 + newconn w 1 + recvfrom r 
10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + +class unix_dgram_socket 22 + connect w 1 + getopt r 1 + listen r 1 + relabelto w 10 + name_bind n 1 + accept r 1 + shutdown w 1 + getattr r 7 + recv_msg r 10 + append w 1 + read r 10 + create w 1 + sendto w 10 + ioctl n 1 + setattr w 7 + bind w 1 + lock n 1 + recvfrom r 10 + send_msg w 10 + write w 10 + relabelfrom r 10 + setopt w 1 + +class sem 9 + unix_read r 3 + associate n 1 + create w 1 + destroy w 1 + getattr r 1 + read r 10 + setattr w 1 + write w 10 + unix_write w 3 + +class msg 2 + receive r 10 + send w 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + associate n 1 + setattr w 1 + +class shm 10 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + lock w 1 + associate n 1 + setattr w 1 + create w 1 + +class ipc 9 + write w 10 + destroy w 1 + unix_write w 3 + getattr r 1 + create w 1 + read r 10 + setattr w 1 + unix_read r 3 + associate n 1 + +class passwd 4 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 diff --git a/apol/perm_maps/apol_perm_mapping_ver17 b/apol/perm_maps/apol_perm_mapping_ver17 new file mode 100644 index 0000000..648b538 --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver17 
@@ -0,0 +1,561 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+41 + +class security 9 + compute_av n 1 + compute_create n 1 + compute_member n 1 + check_context n 1 + load_policy n 1 + compute_relabel n 1 + compute_user n 1 + setenforce n 1 + setbool n 1 + +class process 23 + fork n 1 + transition w 1 + sigchld w 1 + sigkill w 1 + sigstop w 1 + signull n 1 + signal w 5 + ptrace b 10 + getsched r 1 + setsched w 1 + getsession r 1 + getpgid r 1 + setpgid w 5 + getcap r 3 + setcap w 1 + share b 1 + getattr r 1 + setexec w 1 + setfscreate w 1 + noatsecure n 1 + siginh n 1 + setrlimit n 1 + rlimitinh n 1 + + +class system 4 + ipc_info n 1 + syslog_read n 1 + syslog_mod n 1 + syslog_console n 1 + +class capability 29 + net_bind_service n 1 + sys_module n 1 + sys_admin n 3 + fowner n 1 + net_raw n 1 + setuid n 1 + sys_chroot n 1 + lease n 1 + net_admin n 1 + ipc_owner n 1 + fsetid n 1 + sys_resource n 1 + sys_rawio n 1 + sys_ptrace n 1 + sys_nice n 1 + setpcap n 3 + kill n 1 + sys_pacct n 1 + sys_boot n 1 + dac_override n 1 + setgid n 3 + net_broadcast n 1 + chown n 3 + sys_tty_config n 1 + linux_immutable n 1 + sys_time n 1 + ipc_lock n 1 + mknod n 1 + dac_read_search n 1 + +class filesystem 10 + remount w 1 + relabelfrom r 10 + getattr r 1 + relabelto w 10 + mount w 1 + transition w 1 + quotaget r 1 + quotamod w 1 + unmount w 1 + associate n 1 + +class file 19 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + entrypoint r 1 + getattr r 7 + relabelto w 10 + unlink w 1 + execute_no_trans r 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + +class dir 22 + mounton b 1 + search r 1 + link w 1 + quotaon b 1 + append w 1 + swapon b 1 + rmdir b 1 + create w 1 + ioctl n 1 + getattr r 7 + remove_name w 1 + rename w 5 + read r 10 + write w 10 + relabelfrom r 10 + execute r 1 + relabelto w 10 + lock n 1 + setattr w 7 + reparent w 1 + add_name w 5 + unlink w 1 + +class fd 1 + use b 1 + +class lnk_file 17 + relabelfrom r 10 + append w 1 + ioctl n 1 + 
swapon b 1 + create w 1 + read r 10 + write w 10 + rename w 1 + mounton b 1 + quotaon b 1 + lock n 1 + relabelto w 10 + getattr r 7 + unlink w 1 + execute r 1 + link w 1 + setattr w 7 + +class chr_file 17 + append w 1 + swapon b 1 + mounton b 1 + quotaon b 1 + create w 1 + rename w 5 + ioctl n 1 + getattr r 7 + link w 1 + write w 10 + execute r 1 + relabelto w 10 + setattr w 7 + relabelfrom r 10 + read r 10 + unlink w 1 + lock n 1 + +class blk_file 17 + getattr r 7 + relabelto w 10 + unlink w 1 + ioctl n 1 + execute r 1 + append w 1 + read r 10 + setattr w 7 + swapon b 1 + write w 10 + lock n 1 + create w 1 + rename w 5 + mounton b 1 + quotaon b 1 + relabelfrom r 10 + link w 1 + +class sock_file 17 + setattr w 7 + rename w 1 + ioctl n 1 + link w 1 + write w 10 + mounton b 1 + relabelto w 10 + quotaon b 1 + read r 10 + unlink w 1 + append w 1 + lock n 1 + getattr r 7 + swapon b 1 + relabelfrom r 10 + execute r 1 + create w 1 + +class fifo_file 17 + relabelto w 10 + getattr r 7 + lock n 1 + execute r 1 + unlink w 1 + ioctl n 1 + setattr w 7 + append w 1 + write w 10 + swapon b 1 + create w 1 + link w 1 + rename w 5 + relabelfrom r 10 + mounton b 1 + quotaon b 1 + read r 10 + +class socket 22 + append w 1 + relabelfrom r 10 + create w 1 + read r 10 + sendto w 10 + connect w 1 + recvfrom r 10 + send_msg w 10 + bind w 1 + lock n 1 + ioctl n 1 + getattr r 7 + write w 10 + setopt w 1 + getopt r 1 + listen r 1 + setattr w 7 + shutdown w 1 + relabelto w 10 + recv_msg r 10 + accept r 1 + name_bind n 1 + +class tcp_socket 26 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 
1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + + +class node 7 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + enforce_dest n 1 + udp_recv r 10 + udp_send w 10 + +class netif 6 + rawip_recv r 10 + rawip_send w 10 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + +class netlink_socket 22 + listen r 1 + accept r 1 + read r 10 + setattr w 7 + append w 1 + bind w 1 + lock n 1 + shutdown w 1 + recv_msg r 10 + create w 1 + sendto w 10 + relabelto w 10 + ioctl n 1 + name_bind n 1 + connect w 1 + write w 10 + recvfrom r 10 + send_msg w 10 + relabelfrom r 10 + setopt w 1 + getattr r 7 + getopt r 1 + +class packet_socket 22 + setattr w 7 + read r 10 + relabelto w 10 + shutdown w 1 + name_bind n 1 + recv_msg r 10 + setopt w 1 + bind w 1 + lock n 1 + ioctl n 1 + getopt r 1 + connect w 1 + relabelfrom r 10 + listen r 1 + write w 10 + accept r 1 + append w 1 + recvfrom r 10 + send_msg w 10 + getattr r 7 + create w 1 + sendto w 10 + +class key_socket 22 + connect w 1 + setopt w 1 + relabelto w 10 + read r 10 + name_bind n 1 + getopt r 1 + getattr r 7 + recvfrom r 10 + send_msg w 10 + bind w 1 + listen r 1 + lock n 1 + accept r 1 + append w 1 + setattr w 7 + ioctl n 1 + create w 1 + sendto w 10 + relabelfrom r 10 + write w 10 + shutdown w 1 + recv_msg r 10 + +class unix_stream_socket 25 + relabelto w 10 + append w 1 + name_bind n 1 + setattr w 7 + connectto w 1 + newconn w 1 + recvfrom r 
10 + create w 1 + sendto w 10 + send_msg w 10 + read r 10 + bind w 1 + lock n 1 + connect w 1 + setopt w 1 + acceptfrom r 1 + getopt r 1 + ioctl n 1 + getattr r 7 + shutdown w 1 + recv_msg r 10 + listen r 1 + accept r 1 + relabelfrom r 10 + write w 10 + +class unix_dgram_socket 22 + connect w 1 + getopt r 1 + listen r 1 + relabelto w 10 + name_bind n 1 + accept r 1 + shutdown w 1 + getattr r 7 + recv_msg r 10 + append w 1 + read r 10 + create w 1 + sendto w 10 + ioctl n 1 + setattr w 7 + bind w 1 + lock n 1 + recvfrom r 10 + send_msg w 10 + write w 10 + relabelfrom r 10 + setopt w 1 + +class sem 9 + unix_read r 3 + associate n 1 + create w 1 + destroy w 1 + getattr r 1 + read r 10 + setattr w 1 + write w 10 + unix_write w 3 + +class msg 2 + receive r 10 + send w 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + associate n 1 + setattr w 1 + +class shm 10 + destroy w 1 + write w 10 + read r 10 + getattr r 1 + unix_write w 3 + unix_read r 3 + lock w 1 + associate n 1 + setattr w 1 + create w 1 + +class ipc 9 + write w 10 + destroy w 1 + unix_write w 3 + getattr r 1 + create w 1 + read r 10 + setattr w 1 + unix_read r 3 + associate n 1 + +class passwd 4 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + diff --git a/apol/perm_maps/apol_perm_mapping_ver18 b/apol/perm_maps/apol_perm_mapping_ver18 new file mode 100644 index 0000000..b2f4403 --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver18 
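Review bot: The class-count line reads `+41`, but as far as this hunk shows the file defines 30 classes — the same set as ver16, from `security` through `passwd` — and the header comment on the same file says that number must track the class definitions. If the loader uses the count to size or validate its parse, the mismatch either fails the load or makes the count meaningless; either way the line should read `+30` unless classes were dropped from the hunk, which the diffstat (560 lines for ver16, 561 here, the difference being the trailing blank line) argues against.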
@@ -0,0 +1,922 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+54 + +class security 10 + compute_av n 1 + compute_create n 1 + compute_member n 1 + check_context n 1 + load_policy n 1 + compute_relabel n 1 + compute_user n 1 + setenforce n 1 + setbool n 1 + setsecparam n 1 + +class process 26 + fork n 1 + transition w 5 + sigchld w 1 + sigkill w 1 + sigstop w 1 + signull n 1 + signal w 5 + ptrace b 10 + getsched r 1 + setsched w 1 + getsession r 1 + getpgid r 1 + setpgid w 5 + getcap r 3 + setcap w 1 + share b 1 + getattr r 1 + setexec w 1 + setfscreate w 1 + noatsecure n 1 + siginh n 1 + setrlimit n 1 + rlimitinh n 1 + dyntransition w 10 + setcurrent w 1 + execmem n 1 + +class system 4 + ipc_info n 1 + syslog_read n 1 + syslog_mod n 1 + syslog_console n 1 + +class capability 31 + chown n 3 + dac_override n 1 + dac_read_search n 1 + fowner n 1 + fsetid n 1 + kill n 1 + setgid n 3 + setuid n 1 + setpcap n 3 + linux_immutable n 1 + net_bind_service n 1 + net_broadcast n 1 + net_admin n 1 + net_raw n 1 + ipc_lock n 1 + ipc_owner n 1 + sys_module n 1 + sys_rawio n 1 + sys_chroot n 1 + sys_ptrace n 1 + sys_pacct n 1 + sys_admin n 3 + sys_boot n 1 + sys_nice n 1 + sys_resource n 1 + sys_time n 1 + sys_tty_config n 1 + mknod n 1 + lease n 1 + audit_write n 3 + audit_control n 1 + +class filesystem 10 + mount w 1 + remount w 1 + unmount w 1 + getattr r 1 + relabelfrom r 10 + relabelto w 10 + transition w 1 + associate n 1 + quotamod w 1 + quotaget r 1 + +class file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class dir 22 + add_name w 5 + remove_name w 1 + reparent w 1 + search r 1 + rmdir b 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + 
quotaon b 1 + mounton b 1 + +class fd 1 + use b 1 + +class lnk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class chr_file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class blk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class sock_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fifo_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class tcp_socket 26 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown 
w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class node 7 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + enforce_dest n 1 + +class netif 6 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + +class netlink_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class packet_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class key_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + 
send_msg w 10 + name_bind n 1 + +class unix_stream_socket 25 + connectto w 1 + newconn w 1 + acceptfrom r 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_dgram_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class sem 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class msg 2 + send w 10 + receive r 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class shm 10 + lock w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class ipc 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class passwd 5 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + crontab w 5 + +class drawable 5 + create w 1 + destroy w 1 + draw w 10 + copy r 10 + getattr r 7 + +class window 26 + addchild w 1 + create w 1 + destroy w 1 + map w 1 + unmap w 1 + chstack w 10 + chproplist w 7 + chprop w 10 + listprop r 5 + getattr r 5 + setattr w 5 + setfocus w 1 + move w 10 + chselection w 10 + chparent w 5 + ctrllife w 5 + enumerate w 1 + transparent w 1 + mousemotion w 10 + clientcomevent w 5 + inputevent w 5 + drawevent w 5 + windowchangeevent w 5 +windowchangerequest w 5 + serverchangeevent w 5 + 
extensionevent w 5 + +class gc 4 + create w 1 + free w 1 + getattr r 5 + setattr w 5 + +class font 4 + load r 1 + free w 1 + getattr r 5 + use r 1 + +class colormap 9 + create w 1 + free w 1 + install w 10 + uninstall w 1 + list r 5 + read r 10 + store w 10 + getattr r 5 + setattr w 5 + +class property 4 + create w 1 + free w 1 + read r 10 + write w 10 + +class cursor 5 + create w 1 + createglyph w 10 + free w 1 + assign w 10 + setattr w 5 + +class xclient 1 + kill w 1 + +class xinput 11 + lookup r 10 + getattr r 5 + setattr w 5 + setfocus w 10 + warppointer w 10 + activegrab w 1 + passivegrab w 1 + ungrab w 1 + bell w 3 + mousemotion w 10 + relabelinput b 3 + +class xserver 8 + screensaver w 10 + gethostlist r 7 + sethostlist w 7 + getfontpath r 7 + setfontpath w 7 + getattr r 7 + grab w 10 + ungrab w 1 + +class xextension 2 + query r 10 + use b 1 + +class pax 6 + pageexec n 1 + emutramp n 1 + mprotect n 1 + randmmap n 1 + randexec n 1 + segmexec n 1 + +class netlink_route_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_firewall_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_tcpdiag_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 
+ setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_nflog_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_xfrm_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_selinux_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_audit_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_ip6fw_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_dnrt_socket 22 + ioctl n 1 + read r 10 + write w 10 + 
create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class dbus 2 + acquire_svc b 1 + send_msg w 10 + +class nscd 8 + getpwd r 7 + getgrp r 7 + gethost r 7 + getstat r 7 + admin w 5 + shmempwd r 7 + shmemgrp r 7 + shmemhost r 7 + +class association 2 + sendto w 10 + recvfrom r 10 diff --git a/apol/perm_maps/apol_perm_mapping_ver19 b/apol/perm_maps/apol_perm_mapping_ver19 new file mode 100644 index 0000000..77e9a28 --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver19 
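Review bot: In netlink_route_socket the line `sendto r 10` maps a send operation to read, and the same line recurs in netlink_firewall_socket, netlink_tcpdiag_socket, netlink_nflog_socket, netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket, netlink_ip6fw_socket and netlink_dnrt_socket, while every other socket class in this file (socket, tcp_socket, udp_socket, netlink_socket, packet_socket, key_socket, the unix sockets) maps `sendto w 10`. Given the file's stated purpose of classifying permissions as read or write for information-flow analysis, this presumably under-reports write flows through netlink sockets, so a domain whose only netlink permission is sendto would be treated as a reader; the fix is `sendto w 10` in each of those classes, the weight already being 10. The same lines appear in the apol_perm_mapping_ver19 hunk, where the newly added netlink_kobject_uevent_socket already uses `sendto w 10`, which makes the inconsistency within that file more visible. Separately, `+windowchangerequest w 5` in class window is the only permission line without leading indentation; if the parser ignores leading whitespace it is harmless, but it reads as a stray edit and is worth aligning with its neighbours.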
@@ -0,0 +1,952 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+55 + +class security 11 + compute_av n 1 + compute_create n 1 + compute_member n 1 + check_context n 1 + load_policy n 1 + compute_relabel n 1 + compute_user n 1 + setenforce n 1 + setbool n 1 + setsecparam n 1 + setcheckreqprot n 1 + +class process 28 + fork n 1 + transition w 5 + sigchld w 1 + sigkill w 1 + sigstop w 1 + signull n 1 + signal w 5 + ptrace b 10 + getsched r 1 + setsched w 1 + getsession r 1 + getpgid r 1 + setpgid w 5 + getcap r 3 + setcap w 1 + share b 1 + getattr r 1 + setexec w 1 + setfscreate w 1 + noatsecure n 1 + siginh n 1 + setrlimit n 1 + rlimitinh n 1 + dyntransition w 10 + setcurrent w 1 + execmem n 1 + execstack n 1 + execheap n 1 + +class system 4 + ipc_info n 1 + syslog_read n 1 + syslog_mod n 1 + syslog_console n 1 + +class capability 31 + chown n 3 + dac_override n 1 + dac_read_search n 1 + fowner n 1 + fsetid n 1 + kill n 1 + setgid n 3 + setuid n 1 + setpcap n 3 + linux_immutable n 1 + net_bind_service n 1 + net_broadcast n 1 + net_admin n 1 + net_raw n 1 + ipc_lock n 1 + ipc_owner n 1 + sys_module n 1 + sys_rawio n 1 + sys_chroot n 1 + sys_ptrace n 1 + sys_pacct n 1 + sys_admin n 3 + sys_boot n 1 + sys_nice n 1 + sys_resource n 1 + sys_time n 1 + sys_tty_config n 1 + mknod n 1 + lease n 1 + audit_write n 3 + audit_control n 1 + +class filesystem 10 + mount w 1 + remount w 1 + unmount w 1 + getattr r 1 + relabelfrom r 10 + relabelto w 10 + transition w 1 + associate n 1 + quotamod w 1 + quotaget r 1 + +class file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class dir 22 + add_name w 5 + remove_name w 1 + reparent w 1 + search r 1 + rmdir b 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 
+ link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fd 1 + use b 1 + +class lnk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class chr_file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class blk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class sock_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fifo_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class tcp_socket 27 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen 
r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + name_connect w 1 + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class node 7 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + enforce_dest n 1 + +class netif 6 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + +class netlink_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class packet_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class key_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + 
setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_stream_socket 25 + connectto w 1 + newconn w 1 + acceptfrom r 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_dgram_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class sem 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class msg 2 + send w 10 + receive r 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class shm 10 + lock w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class ipc 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class passwd 5 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + crontab w 5 + +class drawable 5 + create w 1 + destroy w 1 + draw w 10 + copy r 10 + getattr r 7 + +class window 26 + addchild w 1 + create w 1 + destroy w 1 + map w 1 + unmap w 1 + chstack w 10 + chproplist w 7 + chprop w 10 + listprop r 5 + getattr r 5 + setattr w 5 + setfocus w 1 + move w 10 + chselection w 10 + chparent w 5 + ctrllife w 5 + enumerate w 1 + transparent w 1 + mousemotion w 10 + clientcomevent w 5 + inputevent w 5 + drawevent w 5 + 
windowchangeevent w 5 +windowchangerequest w 5 + serverchangeevent w 5 + extensionevent w 5 + +class gc 4 + create w 1 + free w 1 + getattr r 5 + setattr w 5 + +class font 4 + load r 1 + free w 1 + getattr r 5 + use r 1 + +class colormap 9 + create w 1 + free w 1 + install w 10 + uninstall w 1 + list r 5 + read r 10 + store w 10 + getattr r 5 + setattr w 5 + +class property 4 + create w 1 + free w 1 + read r 10 + write w 10 + +class cursor 5 + create w 1 + createglyph w 10 + free w 1 + assign w 10 + setattr w 5 + +class xclient 1 + kill w 1 + +class xinput 11 + lookup r 10 + getattr r 5 + setattr w 5 + setfocus w 10 + warppointer w 10 + activegrab w 1 + passivegrab w 1 + ungrab w 1 + bell w 3 + mousemotion w 10 + relabelinput b 3 + +class xserver 8 + screensaver w 10 + gethostlist r 7 + sethostlist w 7 + getfontpath r 7 + setfontpath w 7 + getattr r 7 + grab w 10 + ungrab w 1 + +class xextension 2 + query r 10 + use b 1 + +class pax 6 + pageexec n 1 + emutramp n 1 + mprotect n 1 + randmmap n 1 + randexec n 1 + segmexec n 1 + +class netlink_route_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_firewall_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_tcpdiag_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + 
append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_nflog_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_xfrm_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_selinux_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_audit_socket 26 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + nlmsg_relay w 10 + nlmsg_readpriv r 10 + +class netlink_ip6fw_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + 
recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_dnrt_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_kobject_uevent_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class dbus 2 + acquire_svc b 1 + send_msg w 10 + +class nscd 8 + getpwd r 7 + getgrp r 7 + gethost r 7 + getstat r 7 + admin w 5 + shmempwd r 7 + shmemgrp r 7 + shmemhost r 7 + +class association 2 + sendto w 10 + recvfrom r 10 diff --git a/apol/perm_maps/apol_perm_mapping_ver20 b/apol/perm_maps/apol_perm_mapping_ver20 new file mode 100644 index 0000000..a7123ad --- /dev/null +++ b/apol/perm_maps/apol_perm_mapping_ver20 
@@ -0,0 +1,993 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+58
+
+class security 11
+ compute_av n 1
+ compute_create n 1
+ compute_member n 1
+ check_context n 1
+ load_policy n 1
+ compute_relabel n 1
+ compute_user n 1
+ setenforce n 1
+ setbool n 1
+ setsecparam n 1
+ setcheckreqprot n 1
+
+class process 29
+ fork n 1
+ transition w 5
+ sigchld w 1
+ sigkill w 1
+ sigstop w 1
+ signull n 1
+ signal w 5
+ ptrace b 10
+ getsched r 1
+ setsched w 1
+ getsession r 1
+ getpgid r 1
+ setpgid w 5
+ getcap r 3
+ setcap w 1
+ share b 1
+ getattr r 1
+ setexec w 1
+ setfscreate w 1
+ noatsecure n 1
+ siginh n 1
+ setrlimit n 1
+ rlimitinh n 1
+ dyntransition w 10
+ setcurrent w 1
+ execmem n 1
+ execstack n 1
+ execheap n 1
+ setkeycreate w 1
+
+class system 4
+ ipc_info n 1
+ syslog_read n 1
+ syslog_mod n 1
+ syslog_console n 1
+
+class capability 31
+ chown n 3
+ dac_override n 1
+ dac_read_search n 1
+ fowner n 1
+ fsetid n 1
+ kill n 1
+ setgid n 3
+ setuid n 1
+ setpcap n 3
+ linux_immutable n 1
+ net_bind_service n 1
+ net_broadcast n 1
+ net_admin n 1
+ net_raw n 1
+ ipc_lock n 1
+ ipc_owner n 1
+ sys_module n 1
+ sys_rawio n 1
+ sys_chroot n 1
+ sys_ptrace n 1
+ sys_pacct n 1
+ sys_admin n 3
+ sys_boot n 1
+ sys_nice n 1
+ sys_resource n 1
+ sys_time n 1
+ sys_tty_config n 1
+ mknod n 1
+ lease n 1
+ audit_write n 3
+ audit_control n 1
+
+class filesystem 10
+ mount w 1
+ remount w 1
+ unmount w 1
+ getattr r 1
+ relabelfrom r 10
+ relabelto w 10
+ transition w 1
+ associate n 1
+ quotamod w 1
+ quotaget r 1
+
+class file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class dir 22
+ add_name w 5
+ remove_name w 1
+ reparent w 1
+ search r 1
+ rmdir b 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class fd 1
+ use b 1
+
+class lnk_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 1
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class chr_file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class blk_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class sock_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 1
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class fifo_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class tcp_socket 27
+ connectto w 1
+ newconn w 1
+ acceptfrom r 1
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+ name_connect w 1
+
+class udp_socket 23
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class rawip_socket 23
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class node 7
+ tcp_recv r 10
+ tcp_send w 10
+ udp_recv r 10
+ udp_send w 10
+ rawip_recv r 10
+ rawip_send w 10
+ enforce_dest n 1
+
+class netif 6
+ tcp_recv r 10
+ tcp_send w 10
+ udp_recv r 10
+ udp_send w 10
+ rawip_recv r 10
+ rawip_send w 10
+
+class netlink_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class packet_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class unix_stream_socket 25
+ connectto w 1
+ newconn w 1
+ acceptfrom r 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class unix_dgram_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class sem 9
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class msg 2
+ send w 10
+ receive r 10
+
+class msgq 10
+ enqueue w 1
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class shm 10
+ lock w 1
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class ipc 9
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class passwd 5
+ passwd w 1
+ chfn w 5
+ chsh w 5
+ rootok n 1
+ crontab w 5
+
+class drawable 5
+ create w 1
+ destroy w 1
+ draw w 10
+ copy r 10
+ getattr r 7
+
+class window 26
+ addchild w 1
+ create w 1
+ destroy w 1
+ map w 1
+ unmap w 1
+ chstack w 10
+ chproplist w 7
+ chprop w 10
+ listprop r 5
+ getattr r 5
+ setattr w 5
+ setfocus w 1
+ move w 10
+ chselection w 10
+ chparent w 5
+ ctrllife w 5
+ enumerate w 1
+ transparent w 1
+ mousemotion w 10
+ clientcomevent w 5
+ inputevent w 5
+ drawevent w 5
+ windowchangeevent w 5
+windowchangerequest w 5
+ serverchangeevent w 5
+ extensionevent w 5
+
+class gc 4
+ create w 1
+ free w 1
+ getattr r 5
+ setattr w 5
+
+class font 4
+ load r 1
+ free w 1
+ getattr r 5
+ use r 1
+
+class colormap 9
+ create w 1
+ free w 1
+ install w 10
+ uninstall w 1
+ list r 5
+ read r 10
+ store w 10
+ getattr r 5
+ setattr w 5
+
+class property 4
+ create w 1
+ free w 1
+ read r 10
+ write w 10
+
+class cursor 5
+ create w 1
+ createglyph w 10
+ free w 1
+ assign w 10
+ setattr w 5
+
+class xclient 1
+ kill w 1
+
+class xinput 11
+ lookup r 10
+ getattr r 5
+ setattr w 5
+ setfocus w 10
+ warppointer w 10
+ activegrab w 1
+ passivegrab w 1
+ ungrab w 1
+ bell w 3
+ mousemotion w 10
+ relabelinput b 3
+
+class xserver 8
+ screensaver w 10
+ gethostlist r 7
+ sethostlist w 7
+ getfontpath r 7
+ setfontpath w 7
+ getattr r 7
+ grab w 10
+ ungrab w 1
+
+class xextension 2
+ query r 10
+ use b 1
+
+class pax 6
+ pageexec n 1
+ emutramp n 1
+ mprotect n 1
+ randmmap n 1
+ randexec n 1
+ segmexec n 1
+
+class netlink_route_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_firewall_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_tcpdiag_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_nflog_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_xfrm_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_selinux_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_audit_socket 26
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+ nlmsg_relay w 10
+ nlmsg_readpriv r 10
+
+class netlink_ip6fw_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_dnrt_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_kobject_uevent_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class dbus 2
+ acquire_svc b 1
+ send_msg w 10
+
+class nscd 8
+ getpwd r 7
+ getgrp r 7
+ gethost r 7
+ getstat r 7
+ admin w 5
+ shmempwd r 7
+ shmemgrp r 7
+ shmemhost r 7
+
+class association 4
+ sendto w 10
+ recvfrom r 10
+ setcontext w 3
+ polmatch r 1
+
+class appletalk_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key 7
+ view r 7
+ read r 10
+ write w 10
+ search r 5
+ link w 7
+ setattr w 7
+ create w 10
+
+class packet 3
+ send w 10
+ recv r 10
+ relabelto w 3
diff --git a/apol/perm_maps/apol_perm_mapping_ver21 b/apol/perm_maps/apol_perm_mapping_ver21
new file mode 100644
index 0000000..e5b115f
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver21
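Review bot: `sendto` is mapped as a read (`sendto r 10`) in the nine netlink_*_socket classes from netlink_route_socket through netlink_dnrt_socket, while the same permission is `sendto w 10` in socket, tcp_socket, udp_socket, rawip_socket, netlink_socket, packet_socket, key_socket, netlink_kobject_uevent_socket, appletalk_socket and association. Sending on a socket moves data out of the subject, so with the `r` mapping an information-flow query will not report a write flow from a domain whose only access to, say, the route, firewall, xfrm or audit netlink socket is sendto; unless the read mapping is deliberate (the header does not say), those nine entries should read `sendto w 10`. The same nine entries recur unchanged in ver21 (the next file) and in ver22, whose header carries the same blob id as ver21. Separately, in class window the line `+windowchangerequest w 5` is the only permission line with no leading whitespace; whether the parser tolerates that is not visible here, but it should be indented like `serverchangeevent w 5` beside it.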
@@ -0,0 +1,998 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+59
+
+class security 11
+ compute_av n 1
+ compute_create n 1
+ compute_member n 1
+ check_context n 1
+ load_policy n 1
+ compute_relabel n 1
+ compute_user n 1
+ setenforce n 1
+ setbool n 1
+ setsecparam n 1
+ setcheckreqprot n 1
+
+class process 30
+ fork n 1
+ transition w 5
+ sigchld w 1
+ sigkill w 1
+ sigstop w 1
+ signull n 1
+ signal w 5
+ ptrace b 10
+ getsched r 1
+ setsched w 1
+ getsession r 1
+ getpgid r 1
+ setpgid w 5
+ getcap r 3
+ setcap w 1
+ share b 1
+ getattr r 1
+ setexec w 1
+ setfscreate w 1
+ noatsecure n 1
+ siginh n 1
+ setrlimit n 1
+ rlimitinh n 1
+ dyntransition w 10
+ setcurrent w 1
+ execmem n 1
+ execstack n 1
+ execheap n 1
+ setkeycreate w 1
+ setsockcreate w 1
+
+class system 4
+ ipc_info n 1
+ syslog_read n 1
+ syslog_mod n 1
+ syslog_console n 1
+
+class capability 31
+ chown n 3
+ dac_override n 1
+ dac_read_search n 1
+ fowner n 1
+ fsetid n 1
+ kill n 1
+ setgid n 3
+ setuid n 1
+ setpcap n 3
+ linux_immutable n 1
+ net_bind_service n 1
+ net_broadcast n 1
+ net_admin n 1
+ net_raw n 1
+ ipc_lock n 1
+ ipc_owner n 1
+ sys_module n 1
+ sys_rawio n 1
+ sys_chroot n 1
+ sys_ptrace n 1
+ sys_pacct n 1
+ sys_admin n 3
+ sys_boot n 1
+ sys_nice n 1
+ sys_resource n 1
+ sys_time n 1
+ sys_tty_config n 1
+ mknod n 1
+ lease n 1
+ audit_write n 3
+ audit_control n 1
+
+class filesystem 10
+ mount w 1
+ remount w 1
+ unmount w 1
+ getattr r 1
+ relabelfrom r 10
+ relabelto w 10
+ transition w 1
+ associate n 1
+ quotamod w 1
+ quotaget r 1
+
+class file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class dir 22
+ add_name w 5
+ remove_name w 1
+ reparent w 1
+ search r 1
+ rmdir b 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class fd 1
+ use b 1
+
+class lnk_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 1
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class chr_file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class blk_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class sock_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 1
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class fifo_file 17
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class tcp_socket 27
+ connectto w 1
+ newconn w 1
+ acceptfrom r 1
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+ name_connect w 1
+
+class udp_socket 23
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class rawip_socket 23
+ node_bind n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class node 7
+ tcp_recv r 10
+ tcp_send w 10
+ udp_recv r 10
+ udp_send w 10
+ rawip_recv r 10
+ rawip_send w 10
+ enforce_dest n 1
+
+class netif 6
+ tcp_recv r 10
+ tcp_send w 10
+ udp_recv r 10
+ udp_send w 10
+ rawip_recv r 10
+ rawip_send w 10
+
+class netlink_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class packet_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class unix_stream_socket 25
+ connectto w 1
+ newconn w 1
+ acceptfrom r 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class unix_dgram_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class sem 9
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class msg 2
+ send w 10
+ receive r 10
+
+class msgq 10
+ enqueue w 1
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class shm 10
+ lock w 1
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class ipc 9
+ create w 1
+ destroy w 1
+ getattr r 1
+ setattr w 1
+ read r 10
+ write w 10
+ associate n 1
+ unix_read r 3
+ unix_write w 3
+
+class passwd 5
+ passwd w 1
+ chfn w 5
+ chsh w 5
+ rootok n 1
+ crontab w 5
+
+class drawable 5
+ create w 1
+ destroy w 1
+ draw w 10
+ copy r 10
+ getattr r 7
+
+class window 26
+ addchild w 1
+ create w 1
+ destroy w 1
+ map w 1
+ unmap w 1
+ chstack w 10
+ chproplist w 7
+ chprop w 10
+ listprop r 5
+ getattr r 5
+ setattr w 5
+ setfocus w 1
+ move w 10
+ chselection w 10
+ chparent w 5
+ ctrllife w 5
+ enumerate w 1
+ transparent w 1
+ mousemotion w 10
+ clientcomevent w 5
+ inputevent w 5
+ drawevent w 5
+ windowchangeevent w 5
+windowchangerequest w 5
+ serverchangeevent w 5
+ extensionevent w 5
+
+class gc 4
+ create w 1
+ free w 1
+ getattr r 5
+ setattr w 5
+
+class font 4
+ load r 1
+ free w 1
+ getattr r 5
+ use r 1
+
+class colormap 9
+ create w 1
+ free w 1
+ install w 10
+ uninstall w 1
+ list r 5
+ read r 10
+ store w 10
+ getattr r 5
+ setattr w 5
+
+class property 4
+ create w 1
+ free w 1
+ read r 10
+ write w 10
+
+class cursor 5
+ create w 1
+ createglyph w 10
+ free w 1
+ assign w 10
+ setattr w 5
+
+class xclient 1
+ kill w 1
+
+class xinput 11
+ lookup r 10
+ getattr r 5
+ setattr w 5
+ setfocus w 10
+ warppointer w 10
+ activegrab w 1
+ passivegrab w 1
+ ungrab w 1
+ bell w 3
+ mousemotion w 10
+ relabelinput b 3
+
+class xserver 8
+ screensaver w 10
+ gethostlist r 7
+ sethostlist w 7
+ getfontpath r 7
+ setfontpath w 7
+ getattr r 7
+ grab w 10
+ ungrab w 1
+
+class xextension 2
+ query r 10
+ use b 1
+
+class pax 6
+ pageexec n 1
+ emutramp n 1
+ mprotect n 1
+ randmmap n 1
+ randexec n 1
+ segmexec n 1
+
+class netlink_route_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_firewall_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_tcpdiag_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_nflog_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_xfrm_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_selinux_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_audit_socket 26
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+ nlmsg_relay w 10
+ nlmsg_readpriv r 10
+
+class netlink_ip6fw_socket 24
+ nlmsg_read r 10
+ nlmsg_write w 10
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_dnrt_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_kobject_uevent_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class dbus 2
+ acquire_svc b 1
+ send_msg w 10
+
+class nscd 8
+ getpwd r 7
+ getgrp r 7
+ gethost r 7
+ getstat r 7
+ admin w 5
+ shmempwd r 7
+ shmemgrp r 7
+ shmemhost r 7
+
+class association 4
+ sendto w 10
+ recvfrom r 10
+ setcontext w 3
+ polmatch r 1
+
+class appletalk_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key 7
+ view r 7
+ read r 10
+ write w 10
+ search r 5
+ link w 7
+ setattr w 7
+ create w 10
+
+class packet 3
+ send w 10
+ recv r 10
+ relabelto w 3
+
+class context 2
+ contains n 1
+ translate n 1
diff --git a/apol/perm_maps/apol_perm_mapping_ver22 b/apol/perm_maps/apol_perm_mapping_ver22
new file mode 100644
index 0000000..e5b115f
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver22
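Review bot: This file and the ver22 file that follows it are the same blob (`index 0000000..e5b115f` appears on both file headers), so ver22 is a byte-for-byte copy of ver21, yet nothing in either header records that no class or permission changed between policy versions 21 and 22. A reader editing one copy has no way to tell intentional duplication from a stale copy; a one-line comment near the top of the ver22 file, such as `# Identical to apol_perm_mapping_ver21: no class or permission changes in policy version 22`, would make the intent explicit. The ver22 hunk itself runs past this excerpt, so the comment cannot be anchored there.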
@@ -0,0 +1,998 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+59
+
+class security 11
+ compute_av n 1
+ compute_create n 1
+ compute_member n 1
+ check_context n 1
+ load_policy n 1
+ compute_relabel n 1
+ compute_user n 1
+ setenforce n 1
+ setbool n 1
+ setsecparam n 1
+ setcheckreqprot n 1
+
+class process 30
+ fork n 1
+ transition w 5
+ sigchld w 1
+ sigkill w 1
+ sigstop w 1
+ signull n 1
+ signal w 5
+ ptrace b 10
+ getsched r 1
+ setsched w 1
+ getsession r 1
+ getpgid r 1
+ setpgid w 5
+ getcap r 3
+ setcap w 1
+ share b 1
+ getattr r 1
+ setexec w 1
+ setfscreate w 1
+ noatsecure n 1
+ siginh n 1
+ setrlimit n 1
+ rlimitinh n 1
+ dyntransition w 10
+ setcurrent w 1
+ execmem n 1
+ execstack n 1
+ execheap n 1
+ setkeycreate w 1
+ setsockcreate w 1
+
+class system 4
+ ipc_info n 1
+ syslog_read n 1
+ syslog_mod n 1
+ syslog_console n 1
+
+class capability 31
+ chown n 3
+ dac_override n 1
+ dac_read_search n 1
+ fowner n 1
+ fsetid n 1
+ kill n 1
+ setgid n 3
+ setuid n 1
+ setpcap n 3
+ linux_immutable n 1
+ net_bind_service n 1
+ net_broadcast n 1
+ net_admin n 1
+ net_raw n 1
+ ipc_lock n 1
+ ipc_owner n 1
+ sys_module n 1
+ sys_rawio n 1
+ sys_chroot n 1
+ sys_ptrace n 1
+ sys_pacct n 1
+ sys_admin n 3
+ sys_boot n 1
+ sys_nice n 1
+ sys_resource n 1
+ sys_time n 1
+ sys_tty_config n 1
+ mknod n 1
+ lease n 1
+ audit_write n 3
+ audit_control n 1
+
+class filesystem 10
+ mount w 1
+ remount w 1
+ unmount w 1
+ getattr r 1
+ relabelfrom r 10
+ relabelto w 10
+ transition w 1
+ associate n 1
+ quotamod w 1
+ quotaget r 1
+
+class file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class dir 22
+ add_name w 5
+ remove_name w 1
+ reparent w 1
+ search r 1
+ rmdir b 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ 
relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fd 1 + use b 1 + +class lnk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class chr_file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class blk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class sock_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fifo_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class tcp_socket 27 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + 
append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + name_connect w 1 + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class node 7 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + enforce_dest n 1 + +class netif 6 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + +class netlink_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class packet_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class key_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect 
w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_stream_socket 25 + connectto w 1 + newconn w 1 + acceptfrom r 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_dgram_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class sem 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class msg 2 + send w 10 + receive r 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class shm 10 + lock w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class ipc 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class passwd 5 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + crontab w 5 + +class drawable 5 + create w 1 + destroy w 1 + draw w 10 + copy r 10 + getattr r 7 + +class window 26 + addchild w 1 + create w 1 + destroy w 1 + map w 1 + unmap w 1 + chstack w 10 + chproplist w 7 + chprop w 10 + listprop r 5 + getattr r 5 + setattr w 5 + setfocus w 1 + move w 10 + chselection w 10 + chparent w 5 + ctrllife w 5 + enumerate w 1 + transparent w 1 + mousemotion w 10 + 
clientcomevent w 5 + inputevent w 5 + drawevent w 5 + windowchangeevent w 5 +windowchangerequest w 5 + serverchangeevent w 5 + extensionevent w 5 + +class gc 4 + create w 1 + free w 1 + getattr r 5 + setattr w 5 + +class font 4 + load r 1 + free w 1 + getattr r 5 + use r 1 + +class colormap 9 + create w 1 + free w 1 + install w 10 + uninstall w 1 + list r 5 + read r 10 + store w 10 + getattr r 5 + setattr w 5 + +class property 4 + create w 1 + free w 1 + read r 10 + write w 10 + +class cursor 5 + create w 1 + createglyph w 10 + free w 1 + assign w 10 + setattr w 5 + +class xclient 1 + kill w 1 + +class xinput 11 + lookup r 10 + getattr r 5 + setattr w 5 + setfocus w 10 + warppointer w 10 + activegrab w 1 + passivegrab w 1 + ungrab w 1 + bell w 3 + mousemotion w 10 + relabelinput b 3 + +class xserver 8 + screensaver w 10 + gethostlist r 7 + sethostlist w 7 + getfontpath r 7 + setfontpath w 7 + getattr r 7 + grab w 10 + ungrab w 1 + +class xextension 2 + query r 10 + use b 1 + +class pax 6 + pageexec n 1 + emutramp n 1 + mprotect n 1 + randmmap n 1 + randexec n 1 + segmexec n 1 + +class netlink_route_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_firewall_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_tcpdiag_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 
7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_nflog_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_xfrm_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_selinux_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_audit_socket 26 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + nlmsg_relay w 10 + nlmsg_readpriv r 10 + +class netlink_ip6fw_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + 
shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_dnrt_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_kobject_uevent_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class dbus 2
+ acquire_svc b 1
+ send_msg w 10
+
+class nscd 8
+ getpwd r 7
+ getgrp r 7
+ gethost r 7
+ getstat r 7
+ admin w 5
+ shmempwd r 7
+ shmemgrp r 7
+ shmemhost r 7
+
+class association 4
+ sendto w 10
+ recvfrom r 10
+ setcontext w 3
+ polmatch r 1
+
+class appletalk_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key 7
+ view r 7
+ read r 10
+ write w 10
+ search r 5
+ link w 7
+ setattr w 7
+ create w 10
+
+class packet 3
+ send w 10
+ recv r 10
+ relabelto w 3
+
+class context 2
+ contains n 1
+ translate n 1
diff --git a/apol/perm_maps/apol_perm_mapping_ver23 b/apol/perm_maps/apol_perm_mapping_ver23
new file mode 100644
index 0000000..e5b115f
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver23
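Review bot: In the netlink_route_socket through netlink_dnrt_socket classes of this hunk `sendto` is mapped `r 10`, while every other socket class in the same file (socket, tcp_socket, udp_socket, rawip_socket, netlink_socket, packet_socket, key_socket, unix_stream_socket, unix_dgram_socket, netlink_kobject_uevent_socket, appletalk_socket) and the association class map it `w 10`, with `recvfrom r 10` as the inbound side. A send is an outbound flow, so the `r` on those nine classes looks like a copy error; an information-flow query through e.g. netlink_audit_socket or netlink_selinux_socket would then report a read where the policy actually grants a write and miss the write edge entirely. If the asymmetry is intentional, a comment above the first netlink class explaining why would save the next editor from "fixing" it; otherwise change the nine lines to `sendto w 10`. Separately, `+windowchangerequest w 5` in class window is the only permission line without leading whitespace, which is presumably harmless if the parser splits on any whitespace but reads as a stray edit and should be indented like its neighbours. Both issues recur verbatim in the ver23 hunk below, and the `sendto r 10` mapping is also carried into ver24's netlink_audit_socket.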
@@ -0,0 +1,998 @@
+# This is a permission map file for use in policy analysis. This
+# file maps object permissions (read, getattr, setattr, ..., etc.)
+# for an object class, to exactly one of the following: read, write,
+# both, or none. This file may be edited as long as the specific
+# syntax rules are obeyed.
+#
+# For each object class, there is a set of object permissions that are
+# individually mapped to read, write, both, or none. If a new object
+# class is added, make sure that the current number of object classes
+# is increased.
+#
+# The syntax for an object class definition is:
+# class <class_name> <num_permissions>
+#
+# This is followed by each permission and its individual mapping to one
+# of the following:
+#
+# r = Read
+# w = Write
+# n = None
+# b = Both
+#
+# Additionally, you can choose to follow the mapping with an optional
+# permission weight value from 1 (less importance) to 10 (higher importance).
+# 10 is the default weight value if one is not provided.
+#
+# Look to the examples below for further clarification.
+#
+# Number of object classes.
+59
+
+class security 11
+ compute_av n 1
+ compute_create n 1
+ compute_member n 1
+ check_context n 1
+ load_policy n 1
+ compute_relabel n 1
+ compute_user n 1
+ setenforce n 1
+ setbool n 1
+ setsecparam n 1
+ setcheckreqprot n 1
+
+class process 30
+ fork n 1
+ transition w 5
+ sigchld w 1
+ sigkill w 1
+ sigstop w 1
+ signull n 1
+ signal w 5
+ ptrace b 10
+ getsched r 1
+ setsched w 1
+ getsession r 1
+ getpgid r 1
+ setpgid w 5
+ getcap r 3
+ setcap w 1
+ share b 1
+ getattr r 1
+ setexec w 1
+ setfscreate w 1
+ noatsecure n 1
+ siginh n 1
+ setrlimit n 1
+ rlimitinh n 1
+ dyntransition w 10
+ setcurrent w 1
+ execmem n 1
+ execstack n 1
+ execheap n 1
+ setkeycreate w 1
+ setsockcreate w 1
+
+class system 4
+ ipc_info n 1
+ syslog_read n 1
+ syslog_mod n 1
+ syslog_console n 1
+
+class capability 31
+ chown n 3
+ dac_override n 1
+ dac_read_search n 1
+ fowner n 1
+ fsetid n 1
+ kill n 1
+ setgid n 3
+ setuid n 1
+ setpcap n 3
+ linux_immutable n 1
+ net_bind_service n 1
+ net_broadcast n 1
+ net_admin n 1
+ net_raw n 1
+ ipc_lock n 1
+ ipc_owner n 1
+ sys_module n 1
+ sys_rawio n 1
+ sys_chroot n 1
+ sys_ptrace n 1
+ sys_pacct n 1
+ sys_admin n 3
+ sys_boot n 1
+ sys_nice n 1
+ sys_resource n 1
+ sys_time n 1
+ sys_tty_config n 1
+ mknod n 1
+ lease n 1
+ audit_write n 3
+ audit_control n 1
+
+class filesystem 10
+ mount w 1
+ remount w 1
+ unmount w 1
+ getattr r 1
+ relabelfrom r 10
+ relabelto w 10
+ transition w 1
+ associate n 1
+ quotamod w 1
+ quotaget r 1
+
+class file 20
+ execute_no_trans r 1
+ entrypoint r 1
+ execmod n 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ unlink w 1
+ link w 1
+ rename w 5
+ execute r 1
+ swapon b 1
+ quotaon b 1
+ mounton b 1
+
+class dir 22
+ add_name w 5
+ remove_name w 1
+ reparent w 1
+ search r 1
+ rmdir b 1
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ 
relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fd 1 + use b 1 + +class lnk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class chr_file 20 + execute_no_trans r 1 + entrypoint r 1 + execmod n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class blk_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class sock_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 1 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class fifo_file 17 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + unlink w 1 + link w 1 + rename w 5 + execute r 1 + swapon b 1 + quotaon b 1 + mounton b 1 + +class socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class tcp_socket 27 + connectto w 1 + newconn w 1 + acceptfrom r 1 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + 
append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + name_connect w 1 + +class udp_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class rawip_socket 23 + node_bind n 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 1 + setattr w 1 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class node 7 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + enforce_dest n 1 + +class netif 6 + tcp_recv r 10 + tcp_send w 10 + udp_recv r 10 + udp_send w 10 + rawip_recv r 10 + rawip_send w 10 + +class netlink_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class packet_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class key_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect 
w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_stream_socket 25 + connectto w 1 + newconn w 1 + acceptfrom r 1 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class unix_dgram_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto w 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class sem 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class msg 2 + send w 10 + receive r 10 + +class msgq 10 + enqueue w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class shm 10 + lock w 1 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class ipc 9 + create w 1 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + write w 10 + associate n 1 + unix_read r 3 + unix_write w 3 + +class passwd 5 + passwd w 1 + chfn w 5 + chsh w 5 + rootok n 1 + crontab w 5 + +class drawable 5 + create w 1 + destroy w 1 + draw w 10 + copy r 10 + getattr r 7 + +class window 26 + addchild w 1 + create w 1 + destroy w 1 + map w 1 + unmap w 1 + chstack w 10 + chproplist w 7 + chprop w 10 + listprop r 5 + getattr r 5 + setattr w 5 + setfocus w 1 + move w 10 + chselection w 10 + chparent w 5 + ctrllife w 5 + enumerate w 1 + transparent w 1 + mousemotion w 10 + 
clientcomevent w 5 + inputevent w 5 + drawevent w 5 + windowchangeevent w 5 +windowchangerequest w 5 + serverchangeevent w 5 + extensionevent w 5 + +class gc 4 + create w 1 + free w 1 + getattr r 5 + setattr w 5 + +class font 4 + load r 1 + free w 1 + getattr r 5 + use r 1 + +class colormap 9 + create w 1 + free w 1 + install w 10 + uninstall w 1 + list r 5 + read r 10 + store w 10 + getattr r 5 + setattr w 5 + +class property 4 + create w 1 + free w 1 + read r 10 + write w 10 + +class cursor 5 + create w 1 + createglyph w 10 + free w 1 + assign w 10 + setattr w 5 + +class xclient 1 + kill w 1 + +class xinput 11 + lookup r 10 + getattr r 5 + setattr w 5 + setfocus w 10 + warppointer w 10 + activegrab w 1 + passivegrab w 1 + ungrab w 1 + bell w 3 + mousemotion w 10 + relabelinput b 3 + +class xserver 8 + screensaver w 10 + gethostlist r 7 + sethostlist w 7 + getfontpath r 7 + setfontpath w 7 + getattr r 7 + grab w 10 + ungrab w 1 + +class xextension 2 + query r 10 + use b 1 + +class pax 6 + pageexec n 1 + emutramp n 1 + mprotect n 1 + randmmap n 1 + randexec n 1 + segmexec n 1 + +class netlink_route_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_firewall_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_tcpdiag_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 
7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_nflog_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_xfrm_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_selinux_socket 22 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + +class netlink_audit_socket 26 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + shutdown w 1 + recvfrom r 10 + sendto r 10 + recv_msg r 10 + send_msg w 10 + name_bind n 1 + nlmsg_relay w 10 + nlmsg_readpriv r 10 + +class netlink_ip6fw_socket 24 + nlmsg_read r 10 + nlmsg_write w 10 + ioctl n 1 + read r 10 + write w 10 + create w 1 + getattr r 7 + setattr w 7 + lock n 1 + relabelfrom r 10 + relabelto w 10 + append w 1 + bind w 1 + connect w 1 + listen r 1 + accept r 1 + getopt r 1 + setopt w 1 + 
shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_dnrt_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto r 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class netlink_kobject_uevent_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 7
+ setattr w 7
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class dbus 2
+ acquire_svc b 1
+ send_msg w 10
+
+class nscd 8
+ getpwd r 7
+ getgrp r 7
+ gethost r 7
+ getstat r 7
+ admin w 5
+ shmempwd r 7
+ shmemgrp r 7
+ shmemhost r 7
+
+class association 4
+ sendto w 10
+ recvfrom r 10
+ setcontext w 3
+ polmatch r 1
+
+class appletalk_socket 22
+ ioctl n 1
+ read r 10
+ write w 10
+ create w 1
+ getattr r 1
+ setattr w 1
+ lock n 1
+ relabelfrom r 10
+ relabelto w 10
+ append w 1
+ bind w 1
+ connect w 1
+ listen r 1
+ accept r 1
+ getopt r 1
+ setopt w 1
+ shutdown w 1
+ recvfrom r 10
+ sendto w 10
+ recv_msg r 10
+ send_msg w 10
+ name_bind n 1
+
+class key 7
+ view r 7
+ read r 10
+ write w 10
+ search r 5
+ link w 7
+ setattr w 7
+ create w 10
+
+class packet 3
+ send w 10
+ recv r 10
+ relabelto w 3
+
+class context 2
+ contains n 1
+ translate n 1
diff --git a/apol/perm_maps/apol_perm_mapping_ver24 b/apol/perm_maps/apol_perm_mapping_ver24
new file mode 100644
index 0000000..102ce04
--- /dev/null
+++ b/apol/perm_maps/apol_perm_mapping_ver24
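Review bot: apol_perm_mapping_ver23 is byte-for-byte identical to apol_perm_mapping_ver22 (both file headers record blob e5b115f), so every later correction to one map has to be repeated by hand in the other. If policy version 23 added no classes or permissions the map needs to know about, letting the loader fall back to the nearest lower version, or making ver23 a symlink to ver22, would avoid carrying a second 998-line copy. At minimum a one-line comment at the top of ver23, e.g. `# Identical to apol_perm_mapping_ver22; keep the two in sync.`, would tell the next editor where the canonical copy lives.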
@@ -0,0 +1,1227 @@ +# This is a permission map file for use in policy analysis. This +# file maps object permissions (read, getattr, setattr, ..., etc.) +# for an object class, to exactly one of the following: read, write, +# both, or none. This file may be edited as long as the specific +# syntax rules are obeyed. +# +# For each object class, there is a set of object permissions that are +# individually mapped to read, write, both, or none. If a new object +# class is added, make sure that the current number of object classes +# is increased. +# +# The syntax for an object class definition is: +# class <class_name> <num_permissions> +# +# This is followed by each permission and its individual mapping to one +# of the following: +# +# r = Read +# w = Write +# n = None +# b = Both +# +# Additionally, you can choose to follow the mapping with an optional +# permission weight value from 1 (less importance) to 10 (higher importance). +# 10 is the default weight value if one is not provided. +# +# Look to the examples below for further clarification. +# +# Number of object classes. 
+77 + +class netlink_audit_socket 27 + nlmsg_relay w 10 + nlmsg_tty_audit w 10 + nlmsg_readpriv r 10 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class tcp_socket 27 + acceptfrom r 1 + connectto w 1 + node_bind n 1 + newconn w 1 + name_connect w 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class msgq 10 + enqueue w 1 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class x_property 7 + append w 10 + create w 1 + write w 10 + destroy w 1 + getattr r 7 + setattr w 7 + read r 10 + +class db_procedure 9 + execute r 1 + install w 10 + entrypoint r 1 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class dir 23 + rmdir b 1 + remove_name w 1 + add_name w 5 + reparent w 1 + search r 1 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class peer 1 + recv r 10 + +class blk_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class chr_file 21 + entrypoint r 1 + execmod n 1 + execute_no_trans r 1 + open n 1 + 
append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class db_table 12 + select n 1 + delete w 1 + update w 10 + insert w 10 + use r 10 + lock n 1 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class db_tuple 7 + select n 1 + delete w 1 + update w 10 + relabelfrom r 1 + insert w 10 + use r 10 + relabelto w 1 + +class dbus 2 + acquire_svc b 1 + send_msg w 10 + +class ipc 9 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class lnk_file 17 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 1 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class process 30 + getcap r 3 + setcap w 1 + sigstop w 1 + sigchld w 1 + share b 1 + execheap n 1 + setcurrent w 1 + setfscreate w 1 + setkeycreate w 1 + siginh n 1 + dyntransition w 10 + transition w 5 + fork n 1 + getsession r 1 + noatsecure n 1 + sigkill w 1 + signull n 1 + setrlimit n 1 + getattr r 1 + getsched r 1 + setexec w 1 + setsched w 1 + getpgid r 1 + setpgid w 5 + ptrace b 10 + execstack n 1 + rlimitinh n 1 + setsockcreate w 1 + signal w 5 + execmem n 1 + +class capability2 2 + mac_override n 1 + mac_admin n 1 + +class fd 1 + use b 1 + +class packet 7 + forward_out w 10 + flow_out w 10 + send w 10 + recv r 10 + forward_in r 10 + relabelto w 3 + flow_in r 10 + +class socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class 
fifo_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class file 21 + entrypoint r 1 + execmod n 1 + execute_no_trans r 1 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 5 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class node 11 + rawip_recv r 10 + tcp_recv r 10 + udp_recv r 10 + rawip_send w 10 + tcp_send w 10 + udp_send w 10 + dccp_recv r 10 + dccp_send w 10 + enforce_dest n 1 + sendto w 10 + recvfrom r 10 + +class x_cursor 7 + create w 1 + write w 10 + destroy w 1 + getattr r 7 + setattr w 7 + read r 10 + use r 1 + +class x_server 6 + record r 10 + getattr r 7 + grab w 1 + setattr w 7 + manage w 10 + debug b 10 + +class netlink_nflog_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class key 7 + create w 10 + write w 10 + view r 7 + link w 7 + setattr w 7 + read r 10 + search r 5 + +class netlink_tcpdiag_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class unix_stream_socket 25 + acceptfrom r 1 + connectto w 1 + newconn w 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 
10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_synthetic_event 2 + send w 10 + receive r 10 + +class db_database 11 + access b 10 + set_param w 7 + load_module r 10 + get_param r 7 + install_module r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class kernel_service 2 + create_files_as n 1 + use_as_override n 1 + +class netlink_route_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_extension 2 + use r 1 + query r 5 + +class shm 10 + lock w 1 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class x_resource 2 + write w 10 + read r 10 + +class netlink_selinux_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class capability 32 + setfcap n 1 + setpcap n 3 + fowner n 1 + sys_boot n 1 + sys_tty_config n 1 + net_raw n 1 + sys_admin n 3 + sys_chroot n 1 + sys_module n 1 + sys_rawio n 1 + dac_override n 1 + ipc_owner n 1 + kill n 1 + dac_read_search n 1 + sys_pacct n 1 + net_broadcast n 1 + net_bind_service n 1 + sys_nice n 1 + sys_time n 1 + fsetid n 1 + mknod n 1 + setgid n 3 + setuid n 1 + lease n 1 + net_admin n 1 + audit_write n 3 + linux_immutable n 1 + sys_ptrace n 1 + audit_control n 1 + ipc_lock n 1 + 
sys_resource n 1 + chown n 3 + +class netlink_ip6fw_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class dccp_socket 24 + node_bind n 1 + name_connect w 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netlink_firewall_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class sock_file 18 + open n 1 + append w 1 + create w 1 + execute r 1 + write w 10 + relabelfrom r 10 + link w 1 + unlink w 1 + ioctl n 1 + getattr r 7 + setattr w 7 + read r 10 + rename w 1 + lock n 1 + relabelto w 10 + mounton b 1 + quotaon b 1 + swapon b 1 + +class unix_dgram_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netlink_kobject_uevent_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + 
getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class db_blob 10 + write w 10 + export r 10 + import w 10 + read r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class filesystem 10 + associate n 1 + quotaget r 1 + relabelfrom r 10 + transition w 1 + getattr r 1 + quotamod w 1 + mount w 1 + remount w 1 + unmount w 1 + relabelto w 10 + +class netlink_xfrm_socket 24 + nlmsg_write w 10 + nlmsg_read r 10 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_device 19 + get_property r 7 + list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus r 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 + +class netlink_dnrt_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto r 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_client 4 + destroy w 1 + getattr r 7 + setattr w 7 + manage w 10 + +class x_gc 5 + create w 1 + destroy w 1 + getattr r 7 + setattr w 7 + use r 1 + +class context 2 + contains n 1 + translate n 1 + +class nscd 10 + shmemserv r 7 + gethost r 7 + getstat r 7 + getgrp r 7 + shmemhost r 7 + shmempwd r 7 + getpwd r 7 + getserv r 7 + shmemgrp r 7 + admin w 5 + +class passwd 5 + chfn w 5 + crontab w 5 + passwd w 1 + chsh w 5 + rootok n 1 + +class x_event 2 + send w 10 + receive r 10 + +class x_font 6 + create w 1 + destroy w 1 + add_glyph 
w 1 + remove_glyph w 1 + getattr r 7 + use r 1 + +class key_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class netif 10 + rawip_recv r 10 + tcp_recv r 10 + udp_recv r 10 + rawip_send w 10 + egress w 10 + ingress r 10 + tcp_send w 10 + udp_send w 10 + dccp_recv r 10 + dccp_send w 10 + +class packet_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class memprotect 1 + mmap_zero n 1 + +class msg 2 + send w 10 + receive r 10 + +class tun_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class udp_socket 23 + node_bind n 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class appletalk_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 1 + setattr w 1 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class 
x_colormap 10 + add_color w 10 + create w 1 + write w 10 + destroy w 1 + install w 1 + getattr r 7 + read r 10 + use r 1 + remove_color w 10 + uninstall w 1 + +class x_screen 8 + show_cursor w 1 + hide_cursor w 1 + saver_show w 1 + getattr r 7 + setattr w 7 + saver_hide w 1 + saver_getattr r 7 + saver_setattr w 7 + +class rawip_socket 23 + node_bind n 1 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 1 + setattr w 1 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_application_data 3 + paste w 10 +paste_after_confirm w 10 + copy r 10 + +class association 4 + setcontext w 3 + sendto w 10 + recvfrom r 10 + polmatch r 1 + +class x_selection 4 + write w 10 + getattr r 7 + setattr w 7 + read r 10 + +class db_column 10 + select r 10 + update w 10 + insert w 1 + use r 10 + drop w 1 + create w 1 + relabelfrom r 1 + getattr r 7 + setattr w 7 + relabelto w 1 + +class netlink_socket 22 + append w 1 + bind w 1 + connect w 1 + create w 1 + write w 10 + relabelfrom r 10 + ioctl n 1 + name_bind n 1 + sendto w 10 + recv_msg r 10 + send_msg w 10 + getattr r 7 + setattr w 7 + accept r 1 + getopt r 1 + read r 10 + setopt w 1 + shutdown w 1 + recvfrom r 10 + lock n 1 + relabelto w 10 + listen r 1 + +class x_drawable 19 + get_property r 7 + list_property r 7 + set_property w 7 + add_child w 1 + override n 1 + blend w 1 + send w 10 + create w 1 + hide w 1 + receive r 10 + write w 10 + show w 1 + destroy w 1 + list_child r 7 + getattr r 7 + setattr w 7 + read r 10 + manage w 10 + remove_child w 1 + +class sem 9 + associate n 1 + create w 1 + write w 10 + unix_read r 3 + destroy w 1 + getattr r 1 + setattr w 1 + read r 10 + unix_write w 3 + +class system 5 + module_request n 1 + ipc_info n 1 + syslog_read n 1 + syslog_console n 1 + syslog_mod n 1 + +class x_keyboard 19 + get_property r 7 
+ list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus w 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 + +class security 11 + compute_member n 1 + compute_user n 1 + compute_create n 1 + setenforce n 1 + check_context n 1 + setcheckreqprot n 1 + compute_relabel n 1 + setbool n 1 + load_policy n 1 + setsecparam n 1 + compute_av n 1 + +class x_pointer 19 + get_property r 7 + list_property r 7 + set_property w 7 + add w 1 + setfocus w 1 + create w 1 + freeze w 1 + getfocus w 1 + remove w 1 + write w 10 + force_cursor w 1 + destroy w 1 + bell w 1 + getattr r 7 + grab w 1 + setattr w 7 + read r 10 + manage w 10 + use r 1 |
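Review bot: Nine netlink classes in this map (netlink_audit_socket, netlink_nflog_socket, netlink_tcpdiag_socket, netlink_route_socket, netlink_selinux_socket, netlink_ip6fw_socket, netlink_firewall_socket, netlink_xfrm_socket, netlink_dnrt_socket) carry `sendto r 10`, while the generic socket class and every other socket class in the same file, including netlink_socket and netlink_kobject_uevent_socket, carry `sendto w 10`; unless the read mapping is deliberate, an information-flow analysis driven by this map will not see the outbound flow through those classes, so those lines should read `sendto w 10` (or the header should document why netlink sendto is treated as read). The same direction question applies to `getfocus w 1` in x_keyboard and x_pointer versus `getfocus r 1` in x_device, and to `select n 1` in db_table and db_tuple versus `select r 10` in db_column, where a none mapping hides a read flow entirely. The `paste_after_confirm w 10` line in x_application_data also appears to lack the leading whitespace every other permission line has, which may be a rendering artifact but is worth checking against what the map parser accepts. The ver12 file above shows the same netlink sendto mapping, but its hunk begins outside this view.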