Table 1:
Dead permissions (permissions that are defined but never actually used in access checks)
| Object class |
Permission |
Domain |
Type |
| blk_file |
swapon |
global |
file_type |
| chr_file |
|
|
|
| dir |
|
|
|
| fifo_file |
|
|
|
| file |
|
|
|
| lnk_file |
|
|
|
| sock_file |
|
|
|
| all_socket_class |
relabelfrom |
global |
global |
| |
relabelto |
|
|
| unix_stream_socket |
acceptfrom |
global |
global |
| |
newconn |
|
|
| netlink_firewall_socket |
nlmsg_read |
global |
global |
| netlink_ip6fw_socket |
accept |
global |
global |
| |
append |
|
|
| |
bind |
|
|
| |
connect |
|
|
| |
create |
|
|
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
listen |
|
|
| |
lock |
|
|
| |
name_bind |
|
|
| |
nlmsg_read |
|
|
| |
nlmsg_write |
|
|
| |
read |
|
|
| |
recv_msg |
|
|
| |
recvfrom |
|
|
| |
relabelfrom |
|
|
| |
relabelto |
|
|
| |
send_msg |
|
|
| |
sendto |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| |
write |
|
|
| netlink_tcpdiag_socket |
nlmsg_write |
global |
self |
| ipc |
associate |
global |
global |
| |
create |
|
|
| |
destroy |
|
|
| |
getattr |
|
|
| |
read |
|
|
| |
setattr |
|
|
| |
unix_read |
|
|
| |
unix_write |
|
|
| |
write |
|
|
Table 2:
Features unsupported in SPDL
| Object class |
Permission |
Domain |
Type |
| security |
compute_member |
global |
security_t |
| |
setcheckreqprot |
|
|
Table 3:
Unsupported because they relate to DAC and POSIX capabilities
| Object class |
Permission |
Domain |
Type |
| process |
getcap |
global |
global |
| |
setcap |
|
|
Table 4:
Unsupported because of low security impact (note: execheap, execmem and execstack govern executable anonymous memory and are still worth reviewing when memory-protection hardening is a concern)
| Object class |
Permission |
Domain |
Type |
| blk_file |
getattr |
global |
file_type |
| chr_file |
|
|
global |
| dir |
|
|
|
| fifo_file |
|
|
|
| file |
|
|
|
| lnk_file |
|
|
|
| sock_file |
|
|
|
| process |
execheap |
global |
global |
| |
execmem |
|
|
| |
execstack |
|
|
| |
fork |
|
|
| |
getpgid |
|
|
| |
getsched |
|
|
| |
getsession |
|
|
| |
noatsecure |
|
|
| |
rlimitinh |
|
|
| |
setpgid |
|
|
| |
share |
|
|
| |
siginh |
|
|
| system |
ipc_info |
global |
global |
| capability |
lease |
global |
self |
| filesystem |
associate |
file_type |
fs_type |
| filesystem |
getattr |
global |
fs_type |
| |
quotaget |
|
|
Table 5:
Unsupported because of complete overlap with other permissions
| Object class |
Permission |
Domain |
Type |
| capability |
audit_write |
global |
self |
| |
ipc_owner |
|
|
| |
kill |
|
|
| |
net_bind_service |
|
|
| |
sys_ptrace |
|
|
| dir |
add_name |
global |
file_type |
| |
remove_name |
|
global |
Table 6:
Unsupported because of partial overlap with other permissions
| Object class |
Permission |
Domain |
Type |
| process |
setrlimit |
global |
global |
| |
setsched |
|
|
| capability |
audit_control |
global |
self |
Table 7:
Implicit overlap (covered implicitly by other permissions)
| Object class |
Permission |
Domain |
Type |
| fd |
use |
global |
global |
| process |
setexec |
global |
global |
| tcp_socket |
accept |
global |
self |
| |
append |
|
|
| |
bind |
|
|
| |
connect |
|
|
| |
create |
|
|
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
listen |
|
|
| |
lock |
|
|
| |
read |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| |
write |
|
|
| udp_socket |
accept |
global |
self |
| |
append |
|
|
| |
bind |
|
|
| |
connect |
|
|
| |
create |
|
|
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
listen |
|
|
| |
lock |
|
|
| |
read |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| |
write |
|
|
| unix_dgram_socket |
create |
global |
global |
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
lock |
|
|
| |
relabelfrom |
|
|
| |
relabelto |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| unix_stream_socket |
create |
global |
global |
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
lock |
|
|
| |
relabelfrom |
|
|
| |
relabelto |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
Table 8:
Pending (may change in a future revision)
| Object class |
Permission |
Domain |
Type |
| packet |
recv |
global |
unlabeled_t |
| |
send |
|
|
| file |
execmod |
global |
file_type |
| packet_socket |
accept |
global |
self |
| |
append |
|
|
| |
bind |
|
|
| |
connect |
|
|
| |
create |
|
|
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
listen |
|
|
| |
lock |
|
|
| |
name_bind |
|
|
| |
read |
|
|
| |
recv_msg |
|
|
| |
recvfrom |
|
|
| |
relabelfrom |
|
|
| |
relabelto |
|
|
| |
send_msg |
|
|
| |
sendto |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| |
write |
|
|
| key_socket |
accept |
global |
self |
| |
append |
|
|
| |
bind |
|
|
| |
connect |
|
|
| |
create |
|
|
| |
getattr |
|
|
| |
getopt |
|
|
| |
ioctl |
|
|
| |
listen |
|
|
| |
lock |
|
|
| |
name_bind |
|
|
| |
read |
|
|
| |
recv_msg |
|
|
| |
recvfrom |
|
|
| |
relabelfrom |
|
|
| |
relabelto |
|
|
| |
send_msg |
|
|
| |
sendto |
|
|
| |
setattr |
|
|
| |
setopt |
|
|
| |
shutdown |
|
|
| |
write |
|
|
Table 9:
Unsupported: permissions checked by the user-space AVC (user-space object managers) are not supported
| Object class |
Permission |
Domain |
Type |
| passwd |
chfn |
global |
self |
| |
chsh |
|
|
| |
crontab |
|
|
| |
passwd |
|
|
| |
rootok |
|
|
| dbus |
acquire_svc |
global |
global |
| |
send_msg |
|
|
| nscd |
admin |
global |
global |
| |
getgrp |
|
|
| |
gethost |
|
|
| |
getpwd |
|
|
| |
getstat |
|
|
| |
shmemgrp |
|
|
| |
shmemhost |
|
|
| |
shmempwd |
|
|
| association |
* |
global |
unlabeled_t |
Yuichi Nakamura
2006-10-27