# This is a permission map file for use in policy analysis. This # file maps object permissions (read, getattr, setattr, ..., etc.) # for an object class, to exactly one of the following: read, write, # both, or none. This file may be edited as long as the specific # syntax rules are obeyed. # # For each object class, there is a set of object permissions that are # individually mapped to read, write, both, or none. If a new object # class is added, make sure that the current number of object classes # is increased. # # The syntax for an object class definition is: # class # # This is followed by each permission and its individual mapping to one # of the following: # # r = Read # w = Write # n = None # b = Both # # Additionally, you can choose to follow the mapping with an optional # permission weight value from 1 (less importance) to 10 (higher importance). # 10 is the default weight value if one is not provided. # # Look to the examples below for further clarification. # # Number of object classes. 30 class blk_file 17 getattr r 7 relabelto w 10 unlink w 1 ioctl n 1 execute r 1 append w 1 read r 10 setattr w 7 swapon b 1 write w 10 lock n 1 create w 1 rename w 5 mounton b 1 quotaon b 1 relabelfrom r 10 link w 1 class file 19 setattr w 7 swapon b 1 write w 10 lock n 1 create w 1 rename w 5 mounton b 1 quotaon b 1 relabelfrom r 10 link w 1 entrypoint r 1 getattr r 7 relabelto w 10 unlink w 1 execute_no_trans r 1 ioctl n 1 execute r 1 append w 1 read r 10 class udp_socket 22 listen r 1 setattr w 7 shutdown w 1 relabelto w 10 recv_msg r 10 accept r 1 name_bind n 1 append w 1 relabelfrom r 10 create w 1 read r 10 sendto w 10 connect w 1 recvfrom r 10 send_msg w 10 bind w 1 lock n 1 ioctl n 1 getattr r 7 write w 10 setopt w 1 getopt r 1 class socket 22 append w 1 relabelfrom r 10 create w 1 read r 10 sendto w 10 connect w 1 recvfrom r 10 send_msg w 10 bind w 1 lock n 1 ioctl n 1 getattr r 7 write w 10 setopt w 1 getopt r 1 listen r 1 setattr w 7 shutdown w 1 relabelto w 10 recv_msg r 10 accept r 1 name_bind n 1 class passwd 3 passwd n 1 chfn w 5 chsh w 5 class fifo_file 17 relabelto w 10 getattr r 7 lock n 1 execute r 1 unlink w 1 ioctl n 1 setattr w 7 append w 1 write w 10 swapon b 1 create w 1 link w 1 rename w 5 relabelfrom r 10 mounton b 1 quotaon b 1 read r 10 class chr_file 17 append w 1 swapon b 1 mounton b 1 quotaon b 1 create w 1 rename w 5 ioctl n 1 getattr r 7 link w 1 write w 10 execute r 1 relabelto w 10 setattr w 7 relabelfrom r 10 read r 10 unlink w 1 lock n 1 class netlink_socket 22 listen r 1 accept r 1 read r 10 setattr w 7 append w 1 bind w 1 lock n 1 shutdown w 1 recv_msg r 10 create w 1 sendto w 10 relabelto w 10 ioctl n 1 name_bind n 1 connect w 1 write w 10 recvfrom r 10 send_msg w 10 relabelfrom r 10 setopt w 1 getattr r 7 getopt r 1 class unix_dgram_socket 22 connect w 1 getopt r 1 listen r 1 relabelto w 10 name_bind n 1 accept r 1 shutdown w 1 getattr r 7 recv_msg r 10 append w 1 read r 10 create w 1 sendto w 10 ioctl n 1 setattr w 7 bind w 1 lock n 1 recvfrom r 10 send_msg w 10 write w 10 relabelfrom r 10 setopt w 1 class node 7 rawip_recv r 10 rawip_send w 10 tcp_recv r 10 tcp_send w 10 enforce_dest n 1 udp_recv r 10 udp_send w 10 class netif 6 rawip_recv r 10 rawip_send w 10 tcp_recv r 10 tcp_send w 10 udp_recv r 10 udp_send w 10 class unix_stream_socket 25 relabelto w 10 append w 1 name_bind n 1 setattr w 7 connectto w 1 newconn w 1 recvfrom r 10 create w 1 sendto w 10 send_msg w 10 read r 10 bind w 1 lock n 1 connect w 1 setopt w 1 acceptfrom r 1 getopt r 1 ioctl n 1 getattr r 7 shutdown w 1 recv_msg r 10 listen r 1 accept r 1 relabelfrom r 10 write w 10 class tcp_socket 25 connectto w 1 newconn w 1 recvfrom r 10 create w 1 sendto w 10 send_msg w 10 read r 10 bind w 1 lock n 1 connect w 1 setopt w 1 acceptfrom r 1 getopt r 1 ioctl n 1 getattr r 7 shutdown w 1 recv_msg r 10 listen r 1 accept r 1 relabelfrom r 10 write w 10 relabelto w 10 append w 1 name_bind n 1 setattr w 7 class dir 22 mounton b 1 search r 1 link w 1 quotaon b 1 append w 1 swapon b 1 rmdir b 1 create w 1 ioctl n 1 getattr r 7 remove_name w 1 rename w 5 read r 10 write w 10 relabelfrom r 10 execute r 1 relabelto w 10 lock n 1 setattr w 7 reparent w 1 add_name w 5 unlink w 1 class shm 10 destroy w 1 write w 10 read r 10 getattr r 1 unix_write w 3 unix_read r 3 lock w 1 associate n 1 setattr w 1 create w 1 class security 8 compute_user n 1 compute_relabel n 1 compute_create n 1 compute_av n 1 compute_member n 1 setenforce n 1 check_context n 1 load_policy n 1 class packet_socket 22 setattr w 7 read r 10 relabelto w 10 shutdown w 1 name_bind n 1 recv_msg r 10 setopt w 1 bind w 1 lock n 1 ioctl n 1 getopt r 1 connect w 1 relabelfrom r 10 listen r 1 write w 10 accept r 1 append w 1 recvfrom r 10 send_msg w 10 getattr r 7 create w 1 sendto w 10 class msgq 10 enqueue w 1 create w 1 destroy w 1 write w 10 read r 10 getattr r 1 unix_write w 3 unix_read r 3 associate n 1 setattr w 1 class key_socket 22 connect w 1 setopt w 1 relabelto w 10 read r 10 name_bind n 1 getopt r 1 getattr r 7 recvfrom r 10 send_msg w 10 bind w 1 listen r 1 lock n 1 accept r 1 append w 1 setattr w 7 ioctl n 1 create w 1 sendto w 10 relabelfrom r 10 write w 10 shutdown w 1 recv_msg r 10 class capability 29 net_bind_service n 1 sys_module n 1 sys_admin n 3 fowner n 1 net_raw n 1 setuid n 1 sys_chroot n 1 lease n 1 net_admin n 1 ipc_owner n 1 fsetid n 1 sys_resource n 1 sys_rawio n 1 sys_ptrace n 1 sys_nice n 1 setpcap n 3 kill n 1 sys_pacct n 1 sys_boot n 1 dac_override n 1 setgid n 3 net_broadcast n 1 chown n 3 sys_tty_config n 1 linux_immutable n 1 sys_time n 1 ipc_lock n 1 mknod n 1 dac_read_search n 1 class fd 1 use b 1 class rawip_socket 22 lock n 1 write w 10 getattr r 1 recvfrom r 10 send_msg w 10 setopt w 1 setattr w 1 getopt r 1 relabelto w 10 listen r 1 name_bind n 1 accept r 1 append w 1 shutdown w 1 recv_msg r 10 relabelfrom r 10 read r 10 ioctl n 1 connect w 1 create w 1 sendto w 10 bind w 1 class ipc 9 write w 10 destroy w 1 unix_write w 3 getattr r 1 create w 1 read r 10 setattr w 1 unix_read r 3 associate n 1 class lnk_file 17 relabelfrom r 10 append w 1 ioctl n 1 swapon b 1 create w 1 read r 10 write w 10 rename w 1 mounton b 1 quotaon b 1 lock n 1 relabelto w 10 getattr r 7 unlink w 1 execute r 1 link w 1 setattr w 7 class system 4 ipc_info n 1 syslog_mod n 1 syslog_read n 1 syslog_console n 1 class sem 9 unix_read r 3 associate n 1 create w 1 destroy w 1 getattr r 1 read r 10 setattr w 1 write w 10 unix_write w 3 class filesystem 10 remount w 1 relabelfrom r 10 getattr r 1 relabelto w 10 mount w 1 transition w 1 quotaget r 1 quotamod w 1 unmount w 1 associate n 1 class sock_file 17 setattr w 7 rename w 1 ioctl n 1 link w 1 write w 10 mounton b 1 relabelto w 10 quotaon b 1 read r 10 unlink w 1 append w 1 lock n 1 getattr r 7 swapon b 1 relabelfrom r 10 execute r 1 create w 1 class process 20 noatsecure n 1 getsched r 1 signull n 1 sigstop w 1 getattr r 1 share b 1 getpgid r 1 signal w 5 setcap w 1 sigchld w 1 setexec w 1 getcap r 3 getsession r 1 setsched w 1 fork n 1 ptrace b 10 sigkill w 1 setpgid w 5 transition w 1 setfscreate w 1 class msg 2 receive r 10 send w 10