1 How to look at tables

Permissions are listed in table format. How to look at table is explained.

1. Notation to represent domain and type
   
   • global
     It means all domains.
   • from, entry, to
     from domain, entry point, to domain in domain transition rule.
2. Notation to represent many permissions
   Following are used to describe set of permissions(it is to save space.)
   • file_type
     All types for files.
   • all_file_class
     It means all object classes related to file(dir file lnk_file sock_file fifo_file chr_file blk_file)
   • notdevfile_class
     Means all file related object classes except device(dir file lnk_file sock_file fifo_file)
   • notdevdir_class
     Means file related object classes except device and dir(file lnk_file sock_file fifo_file)
   • notdir_class
     Means file related object classes except dir(file lnk_file sock_file fifo_file chr_file blk_file)
   • socket_common_all_perms
     Permissions common to sockets(ioctl readwrite create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind )
   • tcp_socket_all_perms
     Permissions common to tcp socket(ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom node_bind name_connect)
   • udp_socket_all_perms
     Permissions common to udp socket(ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind)

3. Tables in section 2
   These tables describes what kind of permissions are not supported. Titles of table show why these permissions are not supported. For example, the title of table 1 is Dead permission. It means permissions in table is not supported because these are dead permission in SELinux. Detailed reason why unsupported will be described in future :-)
   Let's see example. First line in table1, all_file_class, swapon, global , file_type is described. It means, all domains(global) are allowed permission swapon for all object class related to file(all_file_class), to all types related to file(file_type). It equals following allow statement in SELinux.

          allow global file\_type:all\_file\_class swapon;
   

   So this means, swapon permission is allowed(=not supported).
4. Tables in section 3
   These tables describe how permissions are integrated in SPDL. Let's see example. Look at table 11. This table describes permissions allowed when using allow filename r; statement. all_file_class, ioctl lock read, domain, type are described here. This means, ioctl lock read permissions for all file related object classes are allowed.

Following was automatically generated by genmacro.py