next_inactive up previous

Meaning of permissions in SELinux(Ver 1)

Yuichi Nakamura 1


1 Introduction

1.1 About this document

Meaning of SELinux's permissions(operations that are restricted by permissions) are analyzed and shown in this document. For feedback, please send e-mail to

1.2 Terminology and notation

1.3 Motivation

The design SELinux Policy Editor[1] is based on non-LSM based SELinux released at the time of Jan 2003. After that SELinux is re-implemented using LSM. As a result, meaning of access vector permissions had been changed, and many permissions are added. Before re-designing SELinux Policy Editor, we have to understand the meaning of permissions. However, the meaning of them is not well documented. [2] is a good documentation of implementing SELinux, but the meaning of access vectors are not fully covered. [3] is a quick reference of permissions, but the description is short. Therefore, I decided to analyze the meaning of all permissions.

2 Analysis method

The version of SELinux used is that in Linux kernel 2.6.13. Analysis of permissions are based on source code analysis of Linux 2.6.13. The process is following.
  1. Find value corresponding to the permission from security/selinux/include/ av_permissions.h
    In av_permissions.h, permission is defined as a constant value. For example, when we want to analyze permission read for object class file. We can find following in av_permissions.h.
    	#define FILE__READ     0x00000002UL
  2. Analyze how the constant is used.
    In the example above, we analyze how FILE__READ is used in source code. And find out how the permission is checked. lxr [4] is useful.
In some cases above process is not enough.

3 Meaning of permissions

3.1 permissions related to files

In the following subsection, operations restricted by permissions are described.

3.1.1 Object classes

Object classes related to file are summarized in Table 1.

Table 1: Object classes related to file
Object class For what kind of file?
file Normal file
blk_file Block device file
chr_file Character device file
fifo_file Special file for FIFO
lnk_file Symbolic link
sock_file Special file for Unix domain socket
dir Directory

3.1.2 permissions common to object classes related to file

3.1.3 permissions specfic to object class file, blk_file

3.1.4 permissions specific to dir

3.2 permissions related to sockets

3.2.1 Object Classes

In SELinux,object classes are related to sockets. SELinux categorizes sockets by protocol family and type. protocol family is domain and type is type in socket system call 2. Table 2 shows relationship between object class, protocol family and type.

Table 2: Object classes related to socket, partly quoted from [2]
Object class Protocol Family Type
rawip_socket PF_INET, PF_INET6 SOCK_RAW
unix_stream_socket PF_UNIX SOCK_STREAM
unix_dgram_socket PF_UNIX SOCK_DGRAM
packet_socket PF_PACKET all
key_socket PF_KEY all
netlink_route_socket PF_NETLINK NETLINK_ROUTE
netlink_firewall_socket   NETLINK_FIREWALL
netlink_tcpdiag_socket   NETLINK_TCPDIAG
netlink_nflog_socket   NETLINK_NFLOG
netlink_xfrm_socket   NETLINK_XFRM
netlink_selinux_socket   NETLINK_SELINUX
netlink_audit_socket   NETLINK_AUDIT
netlink_ip6fw_socket   NETLINK_IP6_FW
netlink_dnrt_socket   NETLINK_DNRTMSG
netlink_kobject_uevent _socket   NETLINK_KOBJECT_UEVENT
netlink_socket   ALL other types
socket all sockets unmatched above

The short description of each sockets are below.

3.2.2 permissions common to sockets

3.2.3 Object class netlink_socket, packet_socket, key_socket ,unix_dgram_socket

For these object classes, all permissions are the same as those specified in section 3.2.2.

3.2.4 Object class unix_stream_socket

In addition to permissions in 3.2.2, following are defined. These permissions are checked between subject domain and domain of peer.

3.2.5 Object class tcp_socket

In addition to permissions in 3.2.2, following are defined.

3.2.6 Object class udp_socket, rawip_socket

In addition to permissions in 3.2.2, node_bind is defined. The meaning of node_bind is the same as that of tcp_socket.

3.2.7 Object class netlink_nflog_socket, netlink_selinux_socket and netlink_dnrt_socket

permissions are the same as 3.2.2.

3.2.8 Object class netlink_audit_socket

In addition to permissions in 3.2.2, following permissions are defined. These permissions are checked when sending message to CAPP(Controlled Access Protection Profile)[8] audit system.

3.2.9 netlink_route_socket

netlink_route_socket is used to restrict access to netlink socket that is used to configure kernel routing table. In addition to permissions in 3.2.2, following permissions are defined.

3.2.10 Object class netlink_firewall_socket

This object class is to control access to IPv4 firewall. In addition to permissions in 3.2.2, following permissions are defined.

3.2.11 Object class netlink_tcpdiag_socket

netlink_tcpdiag_socket is used to restrict usage of netlink socket for network monitoring kernel module enabled by CONFIG_IP_TCPDIAG kernel compile option.

In addition to permissions in 3.2.2, following permissions are defined.

3.2.12 netlink_xfrm_socket

netlink_tcpdiag_socket is used to restrict usage of netlink_xfrm_socket to configure IPSEC.In addition to permissions in 3.2.2, following permissions are defined.

3.2.13 Object class netlink_ip6fw_socket

This object class is defined, but not used.

3.3 permissions related to other network elements

3.3.1 Object class netif

Following permissions are defined. In these, target type is network interface3.

3.3.2 Object class node

Following permissions are defined. In these, target type is network node(IP address).

3.4 permissions related to IPC

3.4.1 Object classes

3.4.2 permissions common to all ipc object classes

3.4.3 Object class msgq

In addition to permissions common to IPC, enqueue is defined.

3.4.4 Object class msg

There are only two permissions in msg. Object classes common to IPC are not used. As a target type type of message is used above. However, by default, type of message is the same as type of msgq. So, above permissions are same as write and read for msgq.

3.4.5 Object class sem

permissions are the same as those common to IPC.

3.4.6 Object class shm

In addition to permissions common to IPC, lock is defined.

3.5 Object class capability

3.6 Object class fd

3.7 Object class filesystem

SELinux labels superblock of filesystem. permissions in object class filesystem is used for access control to superblock.

3.8 Object class process

permissions in object class are prepared to restrict operations between process. Unless specified, target type is domain of peer process.

3.9 Object class security

Object class security is operations related to query security server 6, changing SELinux internal parameters and managing SELinux. The meaning are found by analyzing selinuxfs.c.

3.10 Object class system

In object class system, misc permissions related to system are defined.


Discussion on NSA's SELinux list, especially Stephen Smalley's comment was helpful to analyze what access vectors are unused.


SELinux Policy Editor, URL=

Stephen Smalley, Implementing SELinux as a Linux Secuity Module, URL=

An Overview of Object Classes and Permissions, Tresys Technology, URL=

Linux Cross-Reference, URL=

Stephen Smalley, Configuring the SELinux Policy, URL=

Arjan van de Ven, New Security Enhancements in Redhat Enterprize Linux, URL=

Linux manpage auditd, auditctl, ausearch

Controlled Access Protection Profile URL=

SELinux Mailing List archive, URL=

About this document ...

Meaning of permissions in SELinux(Ver 1)

This document was generated using the LaTeX2HTML translator Version 2002-2-1 (1.70)

Copyright © 1993, 1994, 1995, 1996, Nikos Drakos, Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.

The command line arguments were:
latex2html -show_section_numbers -link 2 -split 0 access_vectors.tex

The translation was initiated by Yuichi on 2006-01-12


... Nakamura1
The George Washington University,
... call2
See man socket(2)
... interface3
SELinux labels network interface.
... socket4
When creating unix domain socket, by setting SCM_RIGHTS flag, file descriptor can be sent, see man unix(7).
... List5
... server6
Security Server a component of SELinux which makes access control decision based on policy
... /selinux/checkreqprot7
By writing 0 or 1 /selinux/checkreqprot, behavior of execmem, execmod and execheap can be configured.

next_inactive up previous
Yuichi 2006-01-12