Integrated/unsupported permissions in Simplified Policy for Ver 1.3.3

The Simplified Policy Description Language (SPDL) simplifies SELinux by
reducing the number of permissions a policy writer has to deal with. The
reduction is done in two ways: some permissions are not supported, and
the remaining permissions are integrated.

This document describes which SELinux permissions are not supported in
SPDL and how the other permissions are integrated into SPDL rules.

Not supported means the permission is allowed to all domains. An SPDL
policy therefore can never restrict a permission listed as unsupported;
check Tables 1 to 9 before relying on SPDL to deny something. For
example, execmem, execstack and execheap (Table 4) are the checks SELinux
uses to refuse memory that is both writable and executable, and under
SPDL every domain gets them.
Integrated means several SELinux permissions are treated as one SPDL
permission (an option of a rule such as allow, allownet, allowcom,
allowpriv or domain_trans).

Unsupported permissions are listed in Tables 1 to 9. Integration of
permissions is described in Tables 10 to 92.

Permissions are listed in table format. How to read the tables is
explained below.
- Notation to represent domain and type
  - global
    All domains.
  - domain, type
    The domain in which the SPDL rule is written and the type of the
    object the rule names (for allow rules, the type of the file given
    by its path).
  - self
    The domain's own type.
  - from, entry, to
    The from domain, entry point type and to domain of a domain_trans
    rule.
- Notation to represent many permissions
  The following names describe sets of object classes or permissions (to
  save space).
  - file_type
    All types for files.
  - all_file_class
    All object classes related to files (dir file lnk_file sock_file
    fifo_file chr_file blk_file).
  - notdevfile_class
    All file related object classes except device files (dir file
    lnk_file sock_file fifo_file).
  - notdevdir_class
    File related object classes except device files and dir (file
    lnk_file sock_file fifo_file).
  - notdir_class
    File related object classes except dir (file lnk_file sock_file
    fifo_file chr_file blk_file).
  - devfile_class
    The device file object classes (chr_file blk_file), that is,
    all_file_class minus notdevfile_class.
  - socket_common_all_perms
    Permissions common to all sockets (ioctl read write create getattr
    setattr lock relabelfrom relabelto append bind connect listen accept
    getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind).
  - tcp_socket_all_perms
    All permissions of tcp_socket: socket_common_all_perms plus
    connectto newconn acceptfrom node_bind name_connect.
  - udp_socket_all_perms
    All permissions of udp_socket: socket_common_all_perms plus
    node_bind.
  - tcp_socket_except_connect, udp_socket_except_connect
    Used in Table 37 and not defined elsewhere in this document; by their
    names, the corresponding *_all_perms set without connect.
- Tables 1 to 9 (unsupported permissions)
  These tables describe which permissions are not supported. The title
  of each table gives the reason. For example, the title of Table 1 is
  Dead permission: the permissions in it are not supported because they
  are dead permissions in SELinux (defined in the policy but never
  checked by the kernel). Detailed reasons will be described in future.
  Take the first line of Table 1: all_file_class, swapon, global,
  file_type. It means all domains (global) are allowed the permission
  swapon on all file related object classes (all_file_class) for all
  file types (file_type). It equals the following allow statement in
  SELinux:
  allow global file_type:all_file_class swapon;
  So the swapon permission is always allowed (= not supported).
- Tables 10 to 92 (integrated permissions)
  These tables describe how permissions are integrated in SPDL. The title
  of each table names the SPDL option (and sub-option) that grants the
  permissions in it. For example, Table 11 describes the permissions
  allowed by the statement allow filename r;. Its first line reads
  notdevdir_class, ioctl lock read, domain, type: the ioctl, lock and
  read permissions on file, lnk_file, sock_file and fifo_file objects of
  the file's type are allowed to the domain, that is,
  allow domain type:notdevdir_class { ioctl lock read };
  In every table a cell listing several permissions, object classes or
  types means each of them, and each row corresponds to
  allow Domain Type:Object_class { Permission };
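The following Python script is an added example for this page, not code from the SPDL documentation or from the seedit project. It transcribes the class sets from the notation above and the per-option permissions of Tables 10 to 18 into data, and expands an SPDL allow-file statement into the SELinux allow rules those tables imply. The statement syntax it parses (`allow <path> <opt>[,<opt>...];`), the domain name `httpd_t` and the type name `httpd_content_t` are assumptions made for illustration; seedit derives the real type from the path.

```python
"""Expand SPDL allow-file options into SELinux allow rules (added example).

CLASS_SETS and FILE_OPTIONS are transcribed from the notation section and
Tables 10 to 18 of the SPDL permission document. The statement syntax parsed
by parse_allow and the domain/type names in the demo are assumptions.
"""
import re

# Object-class shorthands as defined in the notation section.
CLASS_SETS = {
    "dir": ("dir",),
    "file": ("file",),
    "lnk_file": ("lnk_file",),
    "all_file_class": ("dir", "file", "lnk_file", "sock_file",
                       "fifo_file", "chr_file", "blk_file"),
    "notdevfile_class": ("dir", "file", "lnk_file", "sock_file", "fifo_file"),
    "notdevdir_class": ("file", "lnk_file", "sock_file", "fifo_file"),
}

# Tables 10 to 18: option letter -> rows of (object class set, permissions).
FILE_OPTIONS = {
    "s": [("dir", "getattr read search"), ("lnk_file", "read"),
          ("notdevdir_class", "getattr")],
    "r": [("notdevdir_class", "ioctl lock read"), ("dir", "ioctl lock")],
    "x": [("notdevfile_class", "execute"), ("file", "execute_no_trans")],
    "w": [("notdevfile_class", "append create link rename setattr unlink write"),
          ("dir", "add_name remove_name reparent rmdir")],
    "o": [("notdevdir_class", "write")],
    "a": [("notdevdir_class", "append")],
    "e": [("dir", "remove_name rename reparent rmdir unlink write"),
          ("notdevdir_class", "rename unlink")],
    "c": [("dir", "add_name append create link write"),
          ("notdevdir_class", "create link")],
    "t": [("notdevfile_class", "setattr")],
}

# Assumed SPDL syntax: "allow <path> <opt>[,<opt>...];" with one-letter options.
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+([a-z](?:\s*,\s*[a-z])*)\s*;\s*$")


def parse_allow(statement):
    """Return (path, option letters) for an SPDL allow-file statement."""
    m = ALLOW_RE.match(statement)
    if not m:
        raise ValueError(f"not an SPDL allow statement: {statement!r}")
    return m.group(1), m.group(2).replace(" ", "").replace(",", "")


def expand_options(options):
    """Map option letters to {object class: set of SELinux permissions}."""
    perms = {}
    for opt in options:
        if opt not in FILE_OPTIONS:
            raise ValueError(f"unknown allow option {opt!r}")
        for class_set, perm_list in FILE_OPTIONS[opt]:
            for cls in CLASS_SETS[class_set]:
                perms.setdefault(cls, set()).update(perm_list.split())
    return perms


def is_granted(options, cls, perm):
    """True if the option letters grant `perm` on object class `cls`."""
    return perm in expand_options(options).get(cls, set())


def is_subset(smaller, larger):
    """True if every (class, permission) pair in `smaller` is also in `larger`."""
    return all(ps <= larger.get(cls, set()) for cls, ps in smaller.items())


def to_allow_rules(domain, type_name, perms):
    """Render an expansion as SELinux allow statements, one per object class."""
    return [f"allow {domain} {type_name}:{cls} {{ {' '.join(sorted(ps))} }};"
            for cls, ps in sorted(perms.items())]


def spdl_to_selinux(domain, type_name, statement):
    """Expand one SPDL allow statement written in `domain` for a path of type `type_name`."""
    _path, options = parse_allow(statement)
    return to_allow_rules(domain, type_name, expand_options(options))


if __name__ == "__main__":
    # Hypothetical names; the real type for /var/www is assigned by seedit.
    for rule in spdl_to_selinux("httpd_t", "httpd_content_t", "allow /var/www r,s;"):
        print(rule)
```

Running the expansion for every option shows that o, a, e, c and t each grant a subset of what w grants, so w is the coarse write option; a domain that only needs to append to a log file should be given a rather than w. Note also that none of the file options touch chr_file or blk_file, which is why device nodes get their own tables (Tables 22 to 30).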
The tables below were generated automatically by genmacro.py.
Table 1: Dead permission
Object class | Permission | Domain | Type
all_file_class | swapon | global | file_type
all_socket_class | relabelfrom relabelto | global | global
unix_stream_socket | acceptfrom newconn | global | global
netlink_firewall_socket | nlmsg_read | global | global
netlink_ip6fw_socket | nlmsg_read nlmsg_write socket_common_all_perms | global | global
netlink_tcpdiag_socket | nlmsg_write | global | self
ipc | associate create destroy getattr read setattr unix_read unix_write write | global | global

Table 2: Unsupported features in SPDL
Object class | Permission | Domain | Type
security | compute_member setbool setcheckreqprot | global | security_t

Table 3: Unsupported because related to DAC and POSIX capabilities
Object class | Permission | Domain | Type
process | getcap setcap | global | global
capability | chown dac_override dac_read_search fowner fsetid linux_immutable setgid setpcap setuid | global | self

Table 4: Unsupported because of low security impact
Object class | Permission | Domain | Type
process | execheap execmem execstack fork getpgid getsched getsession noatsecure rlimitinh setpgid share siginh | global | global
system | ipc_info | global | global
capability | lease | global | self
filesystem | associate | file_type | fs_type
filesystem | getattr quotaget | global | fs_type

Table 5: Unsupported because of complete overlap
Object class | Permission | Domain | Type
capability | audit_write ipc_owner kill net_bind_service sys_ptrace | global | self

Table 6: Unsupported because of partial overlap
Object class | Permission | Domain | Type
process | setrlimit setsched | global | global
capability | audit_control | global | self

Table 7: Implicit overlap
Object class | Permission | Domain | Type
fd | use | global | global
process | setexec | global | global

Table 8: Pending, may be changed
Object class | Permission | Domain | Type
file | execmod | global | file_type
packet_socket | socket_common_all_perms | global | self
key_socket | socket_common_all_perms | global | self

Table 9: User space AVC (user space object managers) not supported
Object class | Permission | Domain | Type
passwd | chfn chsh crontab passwd rootok | global | self
dbus | acquire_svc send_msg | global | global
nscd | admin getgrp gethost getpwd getstat shmemgrp shmemhost shmempwd | global | global
Table 10: Option s
Object class | Permission | Domain | Type
dir | getattr read search | domain | type
lnk_file | read | domain | type
notdevdir_class | getattr | domain | type

Table 11: Option r
Object class | Permission | Domain | Type
notdevdir_class | ioctl lock read | domain | type
dir | ioctl lock | domain | type

Table 12: Option x
Object class | Permission | Domain | Type
notdevfile_class | execute | domain | type
file | execute_no_trans | domain | type

Table 13: Option w
Object class | Permission | Domain | Type
notdevfile_class | append create link rename setattr unlink write | domain | type
dir | add_name remove_name reparent rmdir | domain | type

Table 14: Option o
Object class | Permission | Domain | Type
notdevdir_class | write | domain | type

Table 15: Option a
Object class | Permission | Domain | Type
notdevdir_class | append | domain | type

Table 16: Option e
Object class | Permission | Domain | Type
dir | remove_name rename reparent rmdir unlink write | domain | type
notdevdir_class | rename unlink | domain | type

Table 17: Option c
Object class | Permission | Domain | Type
dir | add_name append create link write | domain | type
notdevdir_class | create link | domain | type

Table 18: Option t
Object class | Permission | Domain | Type
notdevfile_class | setattr | domain | type

Table 19: Option relabel (used internally by allowpriv part_relabel)
Object class | Permission | Domain | Type
all_file_class | relabelfrom relabelto | domain | type

Table 20: Option devcreate (used internally by allowpriv devcreate)
Object class | Permission | Domain | Type
devfile_class | create link rename unlink | domain | type

Table 21: Option setattr (used internally by allowpriv setattr)
Object class | Permission | Domain | Type
all_file_class | setattr | domain | type

In the directory pointed to by allowdev -root (by default, directories
under /dev), the following permissions are additionally allowed for
allow file rules.

Table 22: Option s
Object class | Permission | Domain | Type
devfile_class | getattr | domain | type

Table 23: Option r
Object class | Permission | Domain | Type
devfile_class | lock read | domain | type

Table 24: Option x
Object class | Permission | Domain | Type
devfile_class | execute ioctl | domain | type

Table 25: Option w
Object class | Permission | Domain | Type
devfile_class | append setattr write | domain | type

Table 26: Option o
Object class | Permission | Domain | Type
devfile_class | write | domain | type

Table 27: Option a
Object class | Permission | Domain | Type
devfile_class | append | domain | type

Table 28: Option e
Object class | Permission | Domain | Type
devfile_class | rename unlink | domain | type

Table 29: Option c
Object class | Permission | Domain | Type
devfile_class | create link | domain | type

Table 30: Option t
Object class | Permission | Domain | Type
devfile_class | setattr | domain | type
Table 31: Option r
Object class | Permission | Domain | Type
chr_file lnk_file | getattr ioctl lock read | domain | type
dir | getattr ioctl lock read search | domain | type

Table 32: Option w
Object class | Permission | Domain | Type
chr_file lnk_file | append setattr write | domain | type
dir | add_name remove_name setattr write | domain | type

Table 33: Option admin
Object class | Permission | Domain | Type
chr_file lnk_file | create relabelfrom relabelto rename unlink | domain | type
dir | create link reparent rmdir unlink | domain | type

Table 34: Option r
Object class | Permission | Domain | Type
chr_file lnk_file | getattr ioctl lock read | domain | type
dir | getattr ioctl lock read search | domain | type

Table 35: Option w
Object class | Permission | Domain | Type
chr_file lnk_file | append setattr write | domain | type
dir | add_name remove_name setattr write | domain | type

Table 36: Option admin
Object class | Permission | Domain | Type
chr_file lnk_file | create relabelfrom relabelto rename unlink | domain | type
dir | create link reparent rmdir unlink | domain | type
Table 37: Option net
Object class | Permission | Domain | Type
udp_socket | udp_socket_except_connect | domain | global
tcp_socket | tcp_socket_except_connect | domain | global
netif | tcp_recv tcp_send udp_recv udp_send | domain | netif_type
udp_socket | udp_socket_all_perms | domain | netmsg_type
tcp_socket | tcp_socket_all_perms | domain | netmsg_type
node | tcp_recv tcp_send udp_recv udp_send | domain | node_type
udp_socket | node_bind | domain | node_type
tcp_socket | node_bind | domain | node_type
udp_socket | udp_socket_all_perms | domain | port_t
tcp_socket | tcp_socket_all_perms | domain | port_t
tcp_socket | recv_msg send_msg | domain | port_type
udp_socket | recv_msg send_msg | domain | port_type

Table 38: Option raw
Object class | Permission | Domain | Type
rawip_socket | node_bind socket_common_all_perms | domain | global
capability | net_raw | domain | self
netif | rawip_recv rawip_send | domain | netif_type
node | rawip_recv rawip_send | domain | node_type

Table 39: Option tcp, sub-option port
Object class | Permission | Domain | Type
tcp_socket | name_bind | domain | type

Table 40: Option udp, sub-option port
Object class | Permission | Domain | Type
udp_socket | name_bind | domain | type

Table 41: Option connect
Object class | Permission | Domain | Type
tcp_socket | name_connect | domain | port_type
tcp_socket | connect | domain | self

Table 42: Option tcp
Object class | Permission | Domain | Type
tcp_socket | tcp_socket_all_perms | domain | type

Table 43: Option udp
Object class | Permission | Domain | Type
udp_socket | udp_socket_all_perms | domain | type

Table 44: Option unix
Object class | Permission | Domain | Type
unix_dgram_socket | socket_common_all_perms | domain | type
unix_stream_socket | connectto socket_common_all_perms | domain | type
Table 45: Option sem, sub-option r
Object class | Permission | Domain | Type
sem | associate getattr read unix_read | domain | type

Table 46: Option sem, sub-option w
Object class | Permission | Domain | Type
sem | create destroy setattr unix_write write | domain | type

Table 47: Option msg, sub-option r
Object class | Permission | Domain | Type
msg | send | domain | type

Table 48: Option msg, sub-option w
Object class | Permission | Domain | Type
msg | receive | domain | type

Table 49: Option msgq, sub-option r
Object class | Permission | Domain | Type
msgq | associate getattr read unix_read | domain | type

Table 50: Option msgq, sub-option w
Object class | Permission | Domain | Type
msgq | create destroy enqueue setattr unix_write write | domain | type

Table 51: Option shm, sub-option r
Object class | Permission | Domain | Type
shm | associate getattr read unix_read | domain | type

Table 52: Option shm, sub-option w
Object class | Permission | Domain | Type
shm | create destroy lock setattr unix_write write | domain | type

Table 53: Option pipe, sub-option r
Object class | Permission | Domain | Type
fifo_file | getattr ioctl lock read | domain | type

Table 54: Option pipe, sub-option w
Object class | Permission | Domain | Type
fifo_file | append create execute link lock mounton quotaon relabelfrom relabelto rename setattr unlink write | domain | type

Table 55: Option sig, sub-option c
Object class | Permission | Domain | Type
process | sigchld | domain | type

Table 56: Option sig, sub-option k
Object class | Permission | Domain | Type
process | sigkill | domain | type

Table 57: Option sig, sub-option s
Object class | Permission | Domain | Type
process | sigstop | domain | type

Table 58: Option sig, sub-option n
Object class | Permission | Domain | Type
process | signull | domain | type

Table 59: Option sig, sub-option o
Object class | Permission | Domain | Type
process | signal | domain | type
Table 60: Option klog_write
Object class | Permission | Domain | Type
netlink_audit_socket | nlmsg_relay | domain | self

Table 61: Option klog_read
Object class | Permission | Domain | Type
system | syslog_read | domain | kernel_t
netlink_audit_socket | nlmsg_read nlmsg_readpriv | domain | self

Table 62: Option klog_adm
Object class | Permission | Domain | Type
capability | sys_pacct | domain | self
system | syslog_console syslog_mod | domain | kernel_t
netlink_audit_socket | nlmsg_write | domain | self

Table 63: Option insmod
Object class | Permission | Domain | Type
capability | sys_module | domain | self

Table 64: Option netlink
Object class | Permission | Domain | Type
netlink_socket | socket_common_all_perms | domain | self
netlink_route_socket | nlmsg_read socket_common_all_perms | domain | self
netlink_firewall_socket | nlmsg_write socket_common_all_perms | domain | self
netlink_tcpdiag_socket | nlmsg_read socket_common_all_perms | domain | self
netlink_nflog_socket | socket_common_all_perms | domain | self
netlink_xfrm_socket | nlmsg_read nlmsg_write socket_common_all_perms | domain | self
netlink_selinux_socket | socket_common_all_perms | domain | self
netlink_audit_socket | socket_common_all_perms | domain | self
netlink_dnrt_socket | socket_common_all_perms | domain | self
netlink_kobject_uevent_socket | socket_common_all_perms | domain | self

Table 65: Option relabel
Object class | Permission | Domain | Type
all_file_class | relabelfrom relabelto setattr | domain | file_type fs_type

Table 66: Option part_relabel
Object class | Permission | Domain | Type
all_file_class | relabelfrom relabelto | domain | writable_type
process | setfscreate | domain | self

Table 67: Option getsecurity
Object class | Permission | Domain | Type
dir | getattr read search | domain | security_t
file | getattr read write | domain | security_t
security | check_context compute_av compute_create compute_relabel compute_user | domain | security_t

Table 68: Option setenforce
Object class | Permission | Domain | Type
security | setenforce | domain | security_t

Table 69: Option load_policy
Object class | Permission | Domain | Type
security | load_policy | domain | security_t

Table 70: Option getsecattr
Object class | Permission | Domain | Type
process | getattr | domain | global

Table 71: Option setsecparam
Object class | Permission | Domain | Type
security | setsecparam | domain | security_t

Table 72: Option devcreate (in addition, allow_file_devcreate is used by file option w)
Object class | Permission | Domain | Type
capability | mknod | domain | self
devfile_class | create link rename unlink | domain | writable_type

Table 73: Option setattr (does nothing by itself; allow_file_setattr is used by file option s)
Object class | Permission | Domain | Type
all_file_class | setattr | domain | getattr_file_type

Table 74: Option search
Object class | Permission | Domain | Type
dir | getattr read search | domain | file_type
all_file_class | getattr | domain | file_type
lnk_file | read | domain | file_type

Table 75: Option read
Object class | Permission | Domain | Type
all_file_class | getattr ioctl lock read | domain | file_type

Table 76: Option write
Object class | Permission | Domain | Type
all_file_class | append create link rename setattr unlink write | domain | file_type
dir | add_name remove_name reparent rmdir | domain | file_type

Table 77: Option net
Object class | Permission | Domain | Type
capability | net_admin | domain | self
netlink_route_socket | nlmsg_write | domain | self

Table 78: Option boot
Object class | Permission | Domain | Type
capability | sys_boot | domain | self

Table 79: Option quotaon
Object class | Permission | Domain | Type
file | quotaon | domain | file_type
filesystem | quotamod | domain | fs_type

Table 80: Option mount
Object class | Permission | Domain | Type
dir | mounton | domain | file_type
filesystem | mount remount unmount | domain | fs_type

Table 81: Option rawio
Object class | Permission | Domain | Type
capability | sys_rawio | domain | self

Table 82: Option chroot
Object class | Permission | Domain | Type
capability | sys_chroot | domain | self

Table 83: Option unlabel
Object class | Permission | Domain | Type
dir | add_name getattr ioctl lock read remove_name reparent rmdir search | domain | file_t unlabeled_t
all_file_class | append create getattr ioctl link lock read rename setattr unlink write | domain | file_t unlabeled_t
file | execute execute_no_trans | domain | file_t unlabeled_t

Table 84: Option memlock
Object class | Permission | Domain | Type
capability | ipc_lock | domain | self

Table 85: Option nice
Object class | Permission | Domain | Type
capability | sys_nice | domain | self

Table 86: Option resource
Object class | Permission | Domain | Type
capability | sys_resource | domain | self

Table 87: Option time
Object class | Permission | Domain | Type
capability | sys_time | domain | self

Table 88: Option sys_admin
Object class | Permission | Domain | Type
capability | sys_admin | domain | self

Table 89: Option tty_config
Object class | Permission | Domain | Type
capability | sys_tty_config | domain | self
Table 90: Normal domain transition (allowed by the domain_trans rule)
Object class | Permission | Domain | Type
process | transition | from | to
file | entrypoint | to | entry
process | sigchld | to | from
fifo_file | append getattr ioctl lock read write | to | from
file | execute getattr ioctl lock read | from | entry

Table 91: Dynamic domain transition (allowed by the domain_trans rule when no entry point is specified)
Object class | Permission | Domain | Type
process | dyntransition | from | to
process | setcurrent | from | self

Table 92: File type transition (allowed by the allow exclusive rule)
Object class | Permission | Domain | Type
dir | add_name getattr ioctl lock read remove_name search write | from | entry
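The following Python function is an added example for this page, not code from the SPDL documentation or from the seedit project. It expands a domain_trans rule into the SELinux allow rules of Table 90, or of Table 91 when no entry point is given, taking care of the direction of each rule (the new domain must be allowed to send sigchld to the old one and to use the entry file as its entrypoint, while the old domain executes the entry file). The rule shape `domain_trans(from, to, entry)` and the names `init_t`, `httpd_t` and `httpd_exec_t` are assumptions made for illustration.

```python
"""Expand an SPDL domain_trans rule into SELinux allow rules (added example).

NORMAL_TRANSITION and DYNAMIC_TRANSITION are transcribed from Tables 90 and
91 of the SPDL permission document; the rule shape and the domain/type names
in the demo are assumptions.
"""

# Table 90: (object class, permissions, subject, object) for a normal
# transition; "from", "to" and "entry" are substituted from the rule.
NORMAL_TRANSITION = [
    ("process", "transition", "from", "to"),
    ("file", "entrypoint", "to", "entry"),
    ("process", "sigchld", "to", "from"),
    ("fifo_file", "append getattr ioctl lock read write", "to", "from"),
    ("file", "execute getattr ioctl lock read", "from", "entry"),
]

# Table 91: a dynamic transition, used when no entry point is specified.
DYNAMIC_TRANSITION = [
    ("process", "dyntransition", "from", "to"),
    ("process", "setcurrent", "from", "self"),
]


def _rule(cls, perms, subject, obj):
    """Format one SELinux allow statement, bracing multi-permission sets."""
    plist = perms.split()
    body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {subject} {obj}:{cls} {body};"


def domain_trans_rules(from_domain, to_domain, entry=None):
    """Return the SELinux allow rules a domain_trans rule expands to.

    With an entry point the kernel switches domains when `from_domain`
    executes `entry` (Table 90). Without one the rule becomes dyntransition
    plus setcurrent (Table 91): the process changes its own context with
    setcon(3), so the switch is no longer tied to any particular program.
    """
    names = {"from": from_domain, "to": to_domain, "entry": entry, "self": "self"}
    table = NORMAL_TRANSITION if entry else DYNAMIC_TRANSITION
    return [_rule(cls, perms, names[subj], names[obj])
            for cls, perms, subj, obj in table]


def uses_dynamic_transition(rules):
    """True if the expansion relies on dyntransition rather than an entry point."""
    return any(":process dyntransition;" in r for r in rules)


if __name__ == "__main__":
    # Hypothetical names: init_t starts httpd_t through /usr/sbin/httpd (httpd_exec_t).
    for rule in domain_trans_rules("init_t", "httpd_t", "httpd_exec_t"):
        print(rule)
    for rule in domain_trans_rules("init_t", "httpd_t"):
        print(rule)
```

When reviewing a generated policy, a domain_trans rule without an entry point is worth a second look: the dyntransition/setcurrent pair it produces lets any code running in the from domain move itself into the to domain, whereas the Table 90 form only grants the transition on execution of the named entry file.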
This document was generated using the LaTeX2HTML translator Version
2002-2-1 (1.70), Copyright 1993-1996 Nikos Drakos, Computer Based Learning
Unit, University of Leeds, and Copyright 1997-1999 Ross Moore, Mathematics
Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -show_section_numbers -link 2 -split 0 permission_integrate.tex
The translation was initiated on 2006-02-27.