RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux-refpolicy/policy/flask/access_vectors

1063 lines
11 KiB
Plaintext
Raw Normal View History

move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
map
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
unlink
link
rename
execute
quotaon
mounton
Move open, audit_access, and execmod to file common. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 19:45:31 +00:00
audit_access
Fix file common ordering and kernel version from previous commit. Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-10-31 07:03:38 +00:00
open
Move open, audit_access, and execmod to file common. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 19:45:31 +00:00
execmod
Add file and filesystem watch access vectors. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 19:46:00 +00:00
watch
watch_mount
watch_sb
watch_with_perm
watch_reads
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
map
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
remove trailing whitespaces
2016-12-06 12:28:10 +00:00
}
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
#
# Define a common prefix for userspace database object access vectors.
#
common database
{
create
drop
getattr
setattr
relabelfrom
relabelto
}
Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-13 23:17:13 +00:00
#
# Define a common prefix for pointer and keyboard access vectors.
#
common x_device
{
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
list_property
get_property
set_property
add
remove
create
destroy
}
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
#
# Define a common for capability access vectors.
#
common cap
{
access_vectors: Add new capabilities to cap2 Updated location of capability definitions to point to current location within kernel source code. CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1. Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
2020-10-16 00:49:49 +00:00
# The capabilities are defined in include/uapi/linux/capability.h
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
Remove incorrect comment about capability2:mac_admin.
2019-03-12 00:49:42 +00:00
mac_admin
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
syslog
wake_alarm
block_suspend
audit_read
access_vectors: Add new capabilities to cap2 Updated location of capability definitions to point to current location within kernel source code. CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1. Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
2020-10-16 00:49:49 +00:00
perfmon
bpf
checkpoint_restore
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
}
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
Add file and filesystem watch access vectors. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2019-10-25 19:46:00 +00:00
watch
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
remove trailing whitespaces
2016-12-06 12:28:10 +00:00
class node
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
trunk: Labeled networking peer object class updates.
2008-01-03 16:20:01 +00:00
recvfrom
sendto
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
class netif
{
trunk: Labeled networking peer object class updates.
2008-01-03 16:20:01 +00:00
ingress
egress
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
add key support
2006-06-21 21:02:49 +00:00
setkeycreate
enhanced setransd support from darrel goeddel
2006-10-20 14:44:23 +00:00
setsockcreate
refpolicy: Define getrlimit permission for class process This permission was added to the kernel in commit 791ec491c372 ("prlimit,security,selinux: add a security hook for prlimit") circa Linux 4.12 in order to control the ability to get the resource limits of another process. It is only checked when acting on another process, so getrlimit permission is not required for use of getrlimit(2). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 15:33:46 +00:00
getrlimit
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
Add nnp_nosuid_transition policycap and related class/perm definitions.
2017-08-05 16:13:21 +00:00
class process2
{
nnp_transition
nosuid_transition
}
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
remove trailing whitespaces
2016-12-06 12:28:10 +00:00
# Define the access vector interpretation for the security server.
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
Update access vectors.
2011-03-28 15:45:46 +00:00
read_policy
Add the validate_trans access vector to the security class This access vector has been added in version 4.5, commitid: f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39
2016-05-01 17:24:42 +00:00
validate_trans
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
remove trailing whitespaces
2016-12-06 12:28:10 +00:00
syslog_read
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
syslog_mod
syslog_console
Add module_request permission, from Dan Walsh.
2009-11-19 13:52:06 +00:00
module_request
Add module_load permission to class system The "module_load" permission has been recently added to the "system" class (kernel 4.7). The following patch updates the Reference Policy so that the new permission can be used to create SELinux policies. Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-08-07 21:07:52 +00:00
module_load
Add systemd access vectors.
2015-10-20 15:29:11 +00:00
# these are overloaded userspace
# permissions from systemd
halt
reboot
status
start
stop
enable
disable
reload
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
#
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
# Define the access vector interpretation for controlling capabilities
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
class capability
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
inherits cap
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
class capability2
inherits cap2
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_drawable
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
create
destroy
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
read
write
blend
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
getattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
setattr
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_screen
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
getattr
setattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_gc
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
create
destroy
getattr
setattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
use
}
class x_font
{
create
destroy
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
getattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
add_glyph
remove_glyph
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
use
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_colormap
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
create
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
destroy
read
write
getattr
add_color
remove_color
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
install
uninstall
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
use
}
class x_property
{
create
destroy
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
read
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
write
append
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
getattr
setattr
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_selection
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
read
write
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
getattr
setattr
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_cursor
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
create
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
destroy
read
write
getattr
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
setattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
use
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_client
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
destroy
getattr
setattr
manage
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_device
Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-13 23:17:13 +00:00
inherits x_device
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_server
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
getattr
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
setattr
record
debug
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
grab
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
manage
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_extension
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
query
use
}
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
class x_resource
{
read
write
}
class x_event
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
{
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
send
receive
}
class x_synthetic_event
{
send
receive
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Consequently, kernels >= 3.5 should never perform permission checks on these classes although they remained defined in the SELinux kernel classmap until the netlink classes were updated by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 circa Linux v4.2. Removing these class definitions would break legacy userspace that relies upon stable values for the userspace security class definitions since it will perturb those values by removing classes that preceded them. dbus-daemon in particular is known to break if its dbus class changes at runtime, which could occur upon a policy reload that removes these classes. Fixing this requires ensuring that dbus-daemon looks up the appropriate class value on each use or upon policy reload, via userspace interfaces such as selinux_check_access(), string_to_security_class(), and/or selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function that remaps the class value if needed. Other userspace policy enforcers are believed to have been updated in recent versions but older versions may break upon such a change. Hence, this change renames these classes with obsolete_ prefixes and removes all rules referencing them from refpolicy, thereby preserving the class numbering for subsequent classes while making it clear that these classses are no longer meaningful for modern kernels. This change does however create a potential compatibility break for kernels < 3.5, since the policy will cease to define the kernel class names and therefore the kernel will handle permission checks on the class based on the handle_unknown setting in policy. For most Linux distributions, this will default to allow and therefore avoid breaking userspace but will fail open. For kernels < 2.6.33 (i.e. the dynamic class/perm discovery support), the presence of a class in policy with the same number but a different name than the kernel class will cause the policy load to fail entirely. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 15:31:00 +00:00
class obsolete_netlink_firewall_socket
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
trunk: add nlmsg_tty_audit permission.
2009-03-05 14:11:24 +00:00
nlmsg_tty_audit
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Consequently, kernels >= 3.5 should never perform permission checks on these classes although they remained defined in the SELinux kernel classmap until the netlink classes were updated by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 circa Linux v4.2. Removing these class definitions would break legacy userspace that relies upon stable values for the userspace security class definitions since it will perturb those values by removing classes that preceded them. dbus-daemon in particular is known to break if its dbus class changes at runtime, which could occur upon a policy reload that removes these classes. Fixing this requires ensuring that dbus-daemon looks up the appropriate class value on each use or upon policy reload, via userspace interfaces such as selinux_check_access(), string_to_security_class(), and/or selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function that remaps the class value if needed. Other userspace policy enforcers are believed to have been updated in recent versions but older versions may break upon such a change. Hence, this change renames these classes with obsolete_ prefixes and removes all rules referencing them from refpolicy, thereby preserving the class numbering for subsequent classes while making it clear that these classses are no longer meaningful for modern kernels. This change does however create a potential compatibility break for kernels < 3.5, since the policy will cease to define the kernel class names and therefore the kernel will handle permission checks on the class based on the handle_unknown setting in policy. For most Linux distributions, this will default to allow and therefore avoid breaking userspace but will fail open. For kernels < 2.6.33 (i.e. the dynamic class/perm discovery support), the presence of a class in policy with the same number but a different name than the kernel class will cause the policy load to fail entirely. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 15:31:00 +00:00
class obsolete_netlink_ip6fw_socket
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
silly formatting fix
2005-07-08 19:44:12 +00:00
shmempwd
shmemgrp
shmemhost
trunk: add getserv and shmemserv nscd permissions.
2007-07-24 19:52:18 +00:00
getserv
shmemserv
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
silly formatting fix
2005-07-08 19:44:12 +00:00
sendto
recvfrom
add setcontext to association class
2006-01-06 16:01:30 +00:00
setcontext
This patch adds a polmatch avperm to arbitrate flow/state's access to a xfrm policy. It also defines MLS policy for association { sendto, recvfrom, polmatch }. NOTE: When an inbound packet is not using an IPSec SA, a check is performed between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For MLS purposes however, the target of the check should be the MLS label taken from the node sid (or secmark in the new secmark world). This would present a severe performance overhead (to make a new sid based on the unlabeled sid with the MLS taken from the node sid or secmark and then using this sid as the target). Pending reconciliation of the netlabel, ipsec and iptables contexts, I have chosen to currently make an exception for unlabeled_t SAs if TE policy allowed it. A similar problem exists for the outbound case and it has been similarly handled in the policy below (by making an exception for unlabeled_t). I am submitting the below limited patch pending a comprehensive patch from Joy Latten at IBM (latten@austin.ibm.com). I am not sure if I needed to manually do a "make tolib" in the flask subdir and submit the results as well. Please let me know if I needed to. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
polmatch
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
add appletalk socket for cups
2006-05-04 20:40:49 +00:00
class appletalk_socket
inherits socket
add packet security class
2006-05-19 17:45:46 +00:00
class packet
{
send
recv
relabelto
trunk: labeled networking permission update from paul moore.
2008-02-12 14:46:29 +00:00
forward_in
forward_out
add packet security class
2006-05-19 17:45:46 +00:00
}
add key support
2006-06-21 21:02:49 +00:00
class key
{
view
read
write
search
link
setattr
create
}
enhanced setransd support from darrel goeddel
2006-10-20 14:44:23 +00:00
class context
{
Remove unused translate permission in context userspace class. mcstransd never implemented this permission. To keep permission indices lined up, replace the permission with "unused_perm" to make it clear that it has no effect.
2018-10-08 17:46:05 +00:00
unused_perm
On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote: > Here is the policy changes needed for the context contains security > checking in PAM and cron.
2006-11-14 13:38:52 +00:00
contains
enhanced setransd support from darrel goeddel
2006-10-20 14:44:23 +00:00
}
add dccp_socket object class
2007-02-26 15:39:59 +00:00
class dccp_socket
inherits socket
{
node_bind
name_connect
}
Memprotect support patch from Stephen Smalley.
2007-06-19 13:02:26 +00:00
class memprotect
{
mmap_zero
}
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
class db_database
inherits database
{
access
install_module
load_module
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
get_param # deprecated
set_param # deprecated
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
}
class db_table
inherits database
{
select
update
insert
delete
lock
}
class db_procedure
inherits database
{
execute
entrypoint
trunk: Add db_procedure install permission from KaiGai Kohei.
2009-01-23 19:49:36 +00:00
install
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
}
class db_column
inherits database
{
select
update
insert
}
class db_tuple
{
relabelfrom
relabelto
SEPostgresql changes from Kohei KaiGai. * fix bugs in MLS/MCS * add connection pooling server support * foreign data wrapper support * Add temporary objects support * redefinition of use permission onto system objects
2012-05-18 13:28:18 +00:00
use
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
select
update
insert
delete
}
class db_blob
inherits database
{
read
write
import
export
}
trunk: Labeled networking peer object class updates.
2008-01-03 16:20:01 +00:00
New database object classes Pair of objects which supported by Interbase/Firebird/Red Database: db_exception - exception which can be thrown from PSQL db_domain - named set of column attributes
2014-06-24 10:34:10 +00:00
class db_exception
inherits database
Fixes for db_domain and db_exception Rename db_domain to db_type Add "use" permission to db_domain and db_type
2014-06-25 08:47:15 +00:00
{
use
}
New database object classes Pair of objects which supported by Interbase/Firebird/Red Database: db_exception - exception which can be thrown from PSQL db_domain - named set of column attributes
2014-06-24 10:34:10 +00:00
Renamed db_type to db_datatype, to avoid confusion with SELinux "type"
2014-06-25 12:24:33 +00:00
class db_datatype
New database object classes Pair of objects which supported by Interbase/Firebird/Red Database: db_exception - exception which can be thrown from PSQL db_domain - named set of column attributes
2014-06-24 10:34:10 +00:00
inherits database
Fixes for db_domain and db_exception Rename db_domain to db_type Add "use" permission to db_domain and db_type
2014-06-25 08:47:15 +00:00
{
use
}
New database object classes Pair of objects which supported by Interbase/Firebird/Red Database: db_exception - exception which can be thrown from PSQL db_domain - named set of column attributes
2014-06-24 10:34:10 +00:00
trunk: Labeled networking peer object class updates.
2008-01-03 16:20:01 +00:00
# network peer labels
class peer
{
recv
}
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
class x_application_data
{
paste
paste_after_confirm
copy
}
trunk: Add kernel_service access vectors, from Stephen Smalley.
2009-01-05 21:44:33 +00:00
class kernel_service
{
use_as_override
remove trailing whitespaces
2016-12-06 12:28:10 +00:00
create_files_as
trunk: Add kernel_service access vectors, from Stephen Smalley.
2009-01-05 21:44:33 +00:00
}
reorganize tun patch changes.
2009-08-31 12:44:11 +00:00
class tun_socket
inherits socket
flask: add the attach_queue permission to the tun_socket object class New permission added to Linux 3.8 via the new multiqueue TUN device. Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-01-22 16:25:11 +00:00
{
attach_queue
}
Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-13 23:17:13 +00:00
Add "binder" security class and access vectors
2015-05-06 16:31:28 +00:00
class binder
{
impersonate
call
set_context_mgr
transfer
}
Update netlink socket classes. Define new netlink socket security classes introduced by kernel commit 223ae516404a7a65f09e79a1c0291521c233336e. Note that this does not remove the long-since obsolete netlink_firewall_socket and netlink_ip6_fw_socket classes from refpolicy in case they are still needed for legacy distribution policies. Add the new socket classes to socket_class_set. Update ubac and mls constraints for the new socket classes. Add allow rules for a few specific known cases (netutils, iptables, netlabel, ifconfig, udev) in core policy that require access. Further refinement for the contrib tree will be needed. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-21 17:38:09 +00:00
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2009-10-13 23:17:13 +00:00
class x_pointer
inherits x_device
class x_keyboard
inherits x_device
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_schema
inherits database
{
search
add_name
remove_name
}
class db_view
inherits database
{
expand
}
class db_sequence
inherits database
{
get_value
next_value
set_value
}
refpolicy: Infiniband pkeys and endports Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams. Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA. This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism. Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 14:14:59 +00:00
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_language
inherits database
{
implement
execute
}
Add systemd access vectors.
2015-10-20 15:29:11 +00:00
class service
{
start
stop
status
reload
enable
disable
}
Add user namespace capability object classes. Define cap and cap2 commons to manage the permissions.
2016-04-06 18:52:26 +00:00
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
refpolicy: Define extended_socket_class policy capability and socket classes Add a (default disabled) definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, which also covers allowing access by unconfined domains. Allowing access by other domains to the new socket security classes is left to future commits. The kernel support will be included in Linux 4.11+. Building policy with this capability enabled will require libsepol 2.7+. This change leaves the capability disabled by default. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:35:27 +00:00
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
refpolicy: Update for kernel sctp support Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16 Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 09:59:54 +00:00
name_connect
association
refpolicy: Define extended_socket_class policy capability and socket classes Add a (default disabled) definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, which also covers allowing access by unconfined domains. Allowing access by other domains to the new socket security classes is left to future commits. The kernel support will be included in Linux 4.11+. Building policy with this capability enabled will require libsepol 2.7+. This change leaves the capability disabled by default. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 18:35:27 +00:00
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
refpolicy: Define smc_socket security class Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, note that it is enabled as part of the extended_socket_class policy capability, and add it to the socket_class_set macro. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 15:31:48 +00:00
class smc_socket
inherits socket
add definition of bpf class and systemd perms
2018-03-21 10:57:45 +00:00
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
Add xdp_socket security class and access vectors Added in 4.18 release
2018-10-21 11:00:35 +00:00
class xdp_socket
inherits socket
Add perf_event access vectors. Added in Linux v5.5. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-29 14:58:40 +00:00
class perf_event
{
open
cpu
kernel
tracepoint
read
write
}
define lockdown class and access This was introduced in the merge b1dba2473114588be3df916bf629a61bdcc83737 in the linux kernel. Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-08 14:29:52 +00:00
class lockdown
{
integrity
confidentiality
}