next up previous contents
Next: 3.8 Integrated permissions for Up: 3 Integrated permissions by Previous: 3.6 Integrated permissions for   Contents

3.7 Integrated permissions in allowpriv rule


Table 76: Option:audit_read
Object class Permission Domain Type
netlink_audit_socket nlmsg_read domain self
  nlmsg_readpriv    


Table 77: Option:audit_write
Object class Permission Domain Type
netlink_audit_socket nlmsg_relay domain self


Table 78: Option:audit_adm
Object class Permission Domain Type
netlink_audit_socket nlmsg_write domain self


Table 79: Option:klog_read
Object class Permission Domain Type
system syslog_read domain kernel_t


Table 80: Option:klog_adm
Object class Permission Domain Type
system syslog_console domain kernel_t
  syslog_mod    


Table 81: Option:cap_sys_pacct
Object class Permission Domain Type
capability sys_pacct domain self


Table 82: Option:cap_sys_module
Object class Permission Domain Type
capability sys_module domain self


Table 83: Option:netlink
Object class Permission Domain Type
netlink_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_route_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  nlmsg_read    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_firewall_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_firewall_socket nlmsg_write domain self
netlink_tcpdiag_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_tcpdiag_socket nlmsg_read domain self
netlink_nflog_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_xfrm_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_xfrm_socket nlmsg_read domain self
  nlmsg_write    
netlink_selinux_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_audit_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_dnrt_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    
netlink_kobject_uevent_socket accept domain self
  append    
  bind    
  connect    
  create    
  getattr    
  getopt    
  ioctl    
  listen    
  lock    
  name_bind    
  read    
  recv_msg    
  recvfrom    
  relabelfrom    
  relabelto    
  send_msg    
  sendto    
  setattr    
  setopt    
  shutdown    
  write    


Table 84: Option:relabel
Object class Permission Domain Type
blk_file relabelfrom domain file_type
chr_file relabelto   fs_type
dir setattr    
fifo_file      
file      
lnk_file      
sock_file      


Table 85: Option:part_relabel
Object class Permission Domain Type
blk_file relabelfrom domain writable_type
chr_file relabelto    
dir      
fifo_file      
file      
lnk_file      
sock_file      
process setfscreate domain self


Table 86: Option:getsecurity
Object class Permission Domain Type
dir getattr domain security_t
  read    
  search    
file getattr domain security_t
  read    
security check_context domain security_t
  compute_av    
  compute_create    
  compute_relabel    
  compute_user    


Table 87: Option:setsecurity
Object class Permission Domain Type
file write domain security_t


Table 88: Option:setenforce
Object class Permission Domain Type
security setenforce domain security_t


Table 89: Option:setbool
Object class Permission Domain Type
security setbool domain security_t


Table 90: Option:load_policy
Object class Permission Domain Type
security load_policy domain security_t


Table 91: Option:getsecattr
Object class Permission Domain Type
process getattr domain global


Table 92: Option:setsecparam
Object class Permission Domain Type
security setsecparam domain security_t


Table 93: Option:devcreate,In addition, allow_file_devcrete is used in file write
Object class Permission Domain Type
capability mknod domain self
blk_file create domain writable_type
chr_file link    
  rename    
  unlink    


Table 94: Option:search
Object class Permission Domain Type
dir getattr domain file_type
  read    
  search    
blk_file getattr domain file_type
chr_file      
dir      
fifo_file      
file      
lnk_file      
sock_file      
lnk_file read domain file_type


Table 95: Option:read
Object class Permission Domain Type
blk_file getattr domain file_type
chr_file ioctl    
dir lock    
fifo_file read    
file      
lnk_file      
sock_file      


Table 96: Option:write
Object class Permission Domain Type
blk_file append domain file_type
chr_file create    
dir link    
fifo_file rename    
file setattr    
lnk_file unlink    
sock_file write    
dir reparent domain file_type
  rmdir    


Table 97: Option:cap_net_admin
Object class Permission Domain Type
capability net_admin domain self
netlink_route_socket nlmsg_write domain self


Table 98: Option:cap_sys_boot
Object class Permission Domain Type
capability sys_boot domain self


Table 99: Option:cap_dac_override
Object class Permission Domain Type
capability dac_override domain self


Table 100: Option:cap_dac_read_search
Object class Permission Domain Type
capability dac_read_search domain self


Table 101: Option:cap_setuid
Object class Permission Domain Type
capability setuid domain self


Table 102: Option:cap_setgid
Object class Permission Domain Type
capability setgid domain self


Table 103: Option:cap_chown
Object class Permission Domain Type
capability chown domain self


Table 104: Option:cap_setpcap
Object class Permission Domain Type
capability setpcap domain self


Table 105: Option:cap_fowner
Object class Permission Domain Type
capability fowner domain self


Table 106: Option:cap_fsetid
Object class Permission Domain Type
capability fsetid domain self


Table 107: Option:cap_linux_immutable
Object class Permission Domain Type
capability linux_immutable domain self


Table 108: Option:quotaon
Object class Permission Domain Type
file quotaon domain file_type
filesystem quotamod domain fs_type


Table 109: Option:mount
Object class Permission Domain Type
dir mounton domain file_type
filesystem mount domain fs_type
  remount    
  unmount    


Table 110: Option:cap_sys_rawio
Object class Permission Domain Type
capability sys_rawio domain self


Table 111: Option:cap_sys_chroot
Object class Permission Domain Type
capability sys_chroot domain self


Table 112: Option:unlabel
Object class Permission Domain Type
dir add_name domain file_t
  getattr   unlabeled_t
  ioctl    
  lock    
  read    
  remove_name    
  reparent    
  rmdir    
  search    
blk_file append domain file_t
chr_file create   unlabeled_t
dir getattr    
fifo_file ioctl    
file link    
lnk_file lock    
sock_file read    
  rename    
  setattr    
  unlink    
  write    
file execute domain file_t
  execute_no_trans   unlabeled_t


Table 113: Option:cap_ipc_lock
Object class Permission Domain Type
capability ipc_lock domain self


Table 114: Option:cap_sys_nice
Object class Permission Domain Type
capability sys_nice domain self


Table 115: Option:cap_sys_resource
Object class Permission Domain Type
capability sys_resource domain self


Table 116: Option:cap_sys_time
Object class Permission Domain Type
capability sys_time domain self


Table 117: Option:cap_sys_admin
Object class Permission Domain Type
capability sys_admin domain self


Table 118: Option:cap_sys_tty_config
Object class Permission Domain Type
capability sys_tty_config domain self


Table 119: Option:ptrace
Object class Permission Domain Type
process ptrace domain global

next up previous contents
Next: 3.8 Integrated permissions for Up: 3 Integrated permissions by Previous: 3.6 Integrated permissions for   Contents
Yuichi Nakamura 2006-10-27