# This is a permission map file for use in policy analysis. This
# file maps object permissions (read, getattr, setattr, ..., etc.)
# for an object class, to exactly one of the following: read, write,
# both, or none. This file may be edited as long as the specific
# syntax rules are obeyed.
#
# For each object class, there is a set of object permissions that are
# individually mapped to read, write, both, or none. If a new object
# class is added, make sure that the current number of object classes
# is increased.
#
# The syntax for an object class definition is:
# class <class_name> <num_permissions>
#
# This is followed by each permission and its individual mapping to one
# of the following:
#
# r = Read
# w = Write
# n = None
# b = Both
#
# Additionally, you can choose to follow the mapping with an optional
# permission weight value from 1 (less importance) to 10 (higher importance).
# 10 is the default weight value if one is not provided.
#
# Look to the examples below for further clarification.
#
# Number of object classes.
77
class netlink_audit_socket 27
nlmsg_relay w 10
nlmsg_tty_audit w 10
nlmsg_readpriv r 10
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class tcp_socket 27
acceptfrom r 1
connectto w 1
node_bind n 1
newconn w 1
name_connect w 1
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class msgq 10
enqueue w 1
associate n 1
create w 1
write w 10
unix_read r 3
destroy w 1
getattr r 1
setattr w 1
read r 10
unix_write w 3
class x_property 7
append w 10
create w 1
write w 10
destroy w 1
getattr r 7
setattr w 7
read r 10
class db_procedure 9
execute r 1
install w 10
entrypoint r 1
drop w 1
create w 1
relabelfrom r 1
getattr r 7
setattr w 7
relabelto w 1
class dir 23
rmdir b 1
remove_name w 1
add_name w 5
reparent w 1
search r 1
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 5
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class peer 1
recv r 10
class blk_file 18
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 5
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class chr_file 21
entrypoint r 1
execmod n 1
execute_no_trans r 1
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 5
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class db_table 12
select n 1
delete w 1
update w 10
insert w 10
use r 10
lock n 1
drop w 1
create w 1
relabelfrom r 1
getattr r 7
setattr w 7
relabelto w 1
class db_tuple 7
select n 1
delete w 1
update w 10
relabelfrom r 1
insert w 10
use r 10
relabelto w 1
class dbus 2
acquire_svc b 1
send_msg w 10
class ipc 9
associate n 1
create w 1
write w 10
unix_read r 3
destroy w 1
getattr r 1
setattr w 1
read r 10
unix_write w 3
class lnk_file 17
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 1
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class process 30
getcap r 3
setcap w 1
sigstop w 1
sigchld w 1
share b 1
execheap n 1
setcurrent w 1
setfscreate w 1
setkeycreate w 1
siginh n 1
dyntransition w 10
transition w 5
fork n 1
getsession r 1
noatsecure n 1
sigkill w 1
signull n 1
setrlimit n 1
getattr r 1
getsched r 1
setexec w 1
setsched w 1
getpgid r 1
setpgid w 5
ptrace b 10
execstack n 1
rlimitinh n 1
setsockcreate w 1
signal w 5
execmem n 1
class capability2 2
mac_override n 1
mac_admin n 1
class fd 1
use b 1
class packet 7
forward_out w 10
flow_out w 10
send w 10
recv r 10
forward_in r 10
relabelto w 3
flow_in r 10
class socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class fifo_file 18
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 5
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class file 21
entrypoint r 1
execmod n 1
execute_no_trans r 1
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 5
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class node 11
rawip_recv r 10
tcp_recv r 10
udp_recv r 10
rawip_send w 10
tcp_send w 10
udp_send w 10
dccp_recv r 10
dccp_send w 10
enforce_dest n 1
sendto w 10
recvfrom r 10
class x_cursor 7
create w 1
write w 10
destroy w 1
getattr r 7
setattr w 7
read r 10
use r 1
class x_server 6
record r 10
getattr r 7
grab w 1
setattr w 7
manage w 10
debug b 10
class netlink_nflog_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class key 7
create w 10
write w 10
view r 7
link w 7
setattr w 7
read r 10
search r 5
class netlink_tcpdiag_socket 24
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class unix_stream_socket 25
acceptfrom r 1
connectto w 1
newconn w 1
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_synthetic_event 2
send w 10
receive r 10
class db_database 11
access b 10
set_param w 7
load_module r 10
get_param r 7
install_module r 10
drop w 1
create w 1
relabelfrom r 1
getattr r 7
setattr w 7
relabelto w 1
class kernel_service 2
create_files_as n 1
use_as_override n 1
class netlink_route_socket 24
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_extension 2
use r 1
query r 5
class shm 10
lock w 1
associate n 1
create w 1
write w 10
unix_read r 3
destroy w 1
getattr r 1
setattr w 1
read r 10
unix_write w 3
class x_resource 2
write w 10
read r 10
class netlink_selinux_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class capability 32
setfcap n 1
setpcap n 3
fowner n 1
sys_boot n 1
sys_tty_config n 1
net_raw n 1
sys_admin n 3
sys_chroot n 1
sys_module n 1
sys_rawio n 1
dac_override n 1
ipc_owner n 1
kill n 1
dac_read_search n 1
sys_pacct n 1
net_broadcast n 1
net_bind_service n 1
sys_nice n 1
sys_time n 1
fsetid n 1
mknod n 1
setgid n 3
setuid n 1
lease n 1
net_admin n 1
audit_write n 3
linux_immutable n 1
sys_ptrace n 1
audit_control n 1
ipc_lock n 1
sys_resource n 1
chown n 3
class netlink_ip6fw_socket 24
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class dccp_socket 24
node_bind n 1
name_connect w 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class netlink_firewall_socket 24
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class sock_file 18
open n 1
append w 1
create w 1
execute r 1
write w 10
relabelfrom r 10
link w 1
unlink w 1
ioctl n 1
getattr r 7
setattr w 7
read r 10
rename w 1
lock n 1
relabelto w 10
mounton b 1
quotaon b 1
swapon b 1
class unix_dgram_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class netlink_kobject_uevent_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class db_blob 10
write w 10
export r 10
import w 10
read r 10
drop w 1
create w 1
relabelfrom r 1
getattr r 7
setattr w 7
relabelto w 1
class filesystem 10
associate n 1
quotaget r 1
relabelfrom r 10
transition w 1
getattr r 1
quotamod w 1
mount w 1
remount w 1
unmount w 1
relabelto w 10
class netlink_xfrm_socket 24
nlmsg_write w 10
nlmsg_read r 10
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_device 19
get_property r 7
list_property r 7
set_property w 7
add w 1
setfocus w 1
create w 1
freeze w 1
getfocus r 1
remove w 1
write w 10
force_cursor w 1
destroy w 1
bell w 1
getattr r 7
grab w 1
setattr w 7
read r 10
manage w 10
use r 1
class netlink_dnrt_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto r 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_client 4
destroy w 1
getattr r 7
setattr w 7
manage w 10
class x_gc 5
create w 1
destroy w 1
getattr r 7
setattr w 7
use r 1
class context 2
contains n 1
translate n 1
class nscd 10
shmemserv r 7
gethost r 7
getstat r 7
getgrp r 7
shmemhost r 7
shmempwd r 7
getpwd r 7
getserv r 7
shmemgrp r 7
admin w 5
class passwd 5
chfn w 5
crontab w 5
passwd w 1
chsh w 5
rootok n 1
class x_event 2
send w 10
receive r 10
class x_font 6
create w 1
destroy w 1
add_glyph w 1
remove_glyph w 1
getattr r 7
use r 1
class key_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class netif 10
rawip_recv r 10
tcp_recv r 10
udp_recv r 10
rawip_send w 10
egress w 10
ingress r 10
tcp_send w 10
udp_send w 10
dccp_recv r 10
dccp_send w 10
class packet_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class memprotect 1
mmap_zero n 1
class msg 2
send w 10
receive r 10
class tun_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class udp_socket 23
node_bind n 1
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class appletalk_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 1
setattr w 1
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_colormap 10
add_color w 10
create w 1
write w 10
destroy w 1
install w 1
getattr r 7
read r 10
use r 1
remove_color w 10
uninstall w 1
class x_screen 8
show_cursor w 1
hide_cursor w 1
saver_show w 1
getattr r 7
setattr w 7
saver_hide w 1
saver_getattr r 7
saver_setattr w 7
class rawip_socket 23
node_bind n 1
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 1
setattr w 1
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_application_data 3
paste w 10
paste_after_confirm w 10
copy r 10
class association 4
setcontext w 3
sendto w 10
recvfrom r 10
polmatch r 1
class x_selection 4
write w 10
getattr r 7
setattr w 7
read r 10
class db_column 10
select r 10
update w 10
insert w 1
use r 10
drop w 1
create w 1
relabelfrom r 1
getattr r 7
setattr w 7
relabelto w 1
class netlink_socket 22
append w 1
bind w 1
connect w 1
create w 1
write w 10
relabelfrom r 10
ioctl n 1
name_bind n 1
sendto w 10
recv_msg r 10
send_msg w 10
getattr r 7
setattr w 7
accept r 1
getopt r 1
read r 10
setopt w 1
shutdown w 1
recvfrom r 10
lock n 1
relabelto w 10
listen r 1
class x_drawable 19
get_property r 7
list_property r 7
set_property w 7
add_child w 1
override n 1
blend w 1
send w 10
create w 1
hide w 1
receive r 10
write w 10
show w 1
destroy w 1
list_child r 7
getattr r 7
setattr w 7
read r 10
manage w 10
remove_child w 1
class sem 9
associate n 1
create w 1
write w 10
unix_read r 3
destroy w 1
getattr r 1
setattr w 1
read r 10
unix_write w 3
class system 5
module_request n 1
ipc_info n 1
syslog_read n 1
syslog_console n 1
syslog_mod n 1
class x_keyboard 19
get_property r 7
list_property r 7
set_property w 7
add w 1
setfocus w 1
create w 1
freeze w 1
getfocus w 1
remove w 1
write w 10
force_cursor w 1
destroy w 1
bell w 1
getattr r 7
grab w 1
setattr w 7
read r 10
manage w 10
use r 1
class security 11
compute_member n 1
compute_user n 1
compute_create n 1
setenforce n 1
check_context n 1
setcheckreqprot n 1
compute_relabel n 1
setbool n 1
load_policy n 1
setsecparam n 1
compute_av n 1
class x_pointer 19
get_property r 7
list_property r 7
set_property w 7
add w 1
setfocus w 1
create w 1
freeze w 1
getfocus w 1
remove w 1
write w 10
force_cursor w 1
destroy w 1
bell w 1
getattr r 7
grab w 1
setattr w 7
read r 10
manage w 10
use r 1
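Added example, not part of the permission map above nor of any policy analysis tool's own code: a small Python parser that reads a file in the syntax described in the header, enforces the rules the header states (each permission maps to exactly one of r/w/n/b, an optional weight of 1 to 10 defaults to 10, the declared per-class permission counts and the total class count must match), and derives the information-flow direction and weight that an allow rule on a given object class contributes, which is what such a map is consumed for. The SAMPLE_MAP embedded in it is a constructed two-class excerpt, not the 77-class map above; the function names and error messages are this example's own.

```python
# Added example, not setools/apol code: parse and validate a permission map in
# the format documented above, then classify an allow rule's information flow.
from typing import NamedTuple

VALID_MAPPINGS = {"r", "w", "n", "b"}   # read, write, none, both
DEFAULT_WEIGHT = 10                     # used when an entry omits its weight

class PermMapError(ValueError):
    """Any violation of the map file's syntax rules."""

class PermEntry(NamedTuple):
    mapping: str   # one of VALID_MAPPINGS
    weight: int    # 1..10

def _tokens(text):
    # '#' comments are stripped per line, then everything is split on whitespace,
    # so a copy whose definitions were run together onto long lines parses the
    # same as the one-entry-per-line original.
    for line in text.splitlines():
        yield from line.split("#", 1)[0].split()

def parse_perm_map(text):
    """Return {class_name: {perm_name: PermEntry}} or raise PermMapError."""
    toks, pos = list(_tokens(text)), 0

    def need(what, lo=None, hi=None):
        # Consume one token; with lo/hi it must be an integer in that range.
        nonlocal pos
        if pos >= len(toks):
            raise PermMapError(f"unexpected end of file, expected {what}")
        tok, pos = toks[pos], pos + 1
        if lo is None:
            return tok
        if not tok.isdigit() or not lo <= int(tok) <= hi:
            raise PermMapError(f"{what}: {tok!r} must be an integer in {lo}..{hi}")
        return int(tok)

    declared, classes = need("number of object classes", 0, 10**6), {}
    while pos < len(toks):
        if need("'class' keyword") != "class":
            raise PermMapError(f"expected 'class', got {toks[pos - 1]!r}")
        name = need("class name")
        count = need(f"permission count for {name}", 0, 10**6)
        perms = {}
        for _ in range(count):
            perm = need(f"permission name in class {name}")
            if perm == "class":   # the class ran out of entries early
                raise PermMapError(f"class {name} declares {count} permissions, lists {len(perms)}")
            mapping = need(f"mapping for {name}:{perm}")
            if mapping not in VALID_MAPPINGS:
                raise PermMapError(f"{name}:{perm} has invalid mapping {mapping!r}")
            weight = DEFAULT_WEIGHT
            if pos < len(toks) and toks[pos].isdigit():      # optional weight
                weight = need(f"weight for {name}:{perm}", 1, 10)
            perms[perm] = PermEntry(mapping, weight)
        if pos < len(toks) and toks[pos] != "class":         # more entries than declared
            raise PermMapError(f"class {name} declares {count} permissions but more follow")
        classes[name] = perms
    if len(classes) != declared:
        raise PermMapError(f"header says {declared} classes, found {len(classes)}")
    return classes

def check_perm_map(text):
    """Validate an edited map: None if well-formed, otherwise the error text."""
    try:
        parse_perm_map(text)
    except PermMapError as exc:
        return str(exc)
    return None

def rule_flow(classes, tclass, perms):
    """Flow an allow rule contributes: 'r' object->subject, 'w' subject->object."""
    if tclass not in classes:
        raise PermMapError(f"class {tclass} not in permission map")
    read_w = write_w = 0            # highest weight seen in each direction
    for p in perms:
        if p not in classes[tclass]:
            raise PermMapError(f"permission {p} not mapped for class {tclass}")
        e = classes[tclass][p]
        if e.mapping in ("r", "b"):
            read_w = max(read_w, e.weight)
        if e.mapping in ("w", "b"):
            write_w = max(write_w, e.weight)
    flow = ("none", "read", "write", "both")[(read_w > 0) + 2 * (write_w > 0)]
    return flow, read_w, write_w

# Constructed two-class excerpt in the page's format, not the full 77-class map;
# 'read r' omits its weight to exercise the documented default of 10.
SAMPLE_MAP = """\
# constructed sample
2
class fd 1
use b 1
class x_resource 2
write w 10
read r
"""

if __name__ == "__main__":
    print(rule_flow(parse_perm_map(SAMPLE_MAP), "x_resource", ["read", "write"]))
```

Running check_perm_map over an edited map before handing it to an analysis tool catches the two mistakes the header warns about: adding a class without raising the class count, or adding a permission without raising its class's count. The direction returned by rule_flow is how a map like this turns a single allow rule into information-flow edges: read-mapped permissions move data from the object to the subject, write-mapped ones from the subject to the object, and the weight lets an analysis prune low-importance edges such as getattr or lock. The error messages are this example's own and do not reproduce how any particular tool reports problems.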