C.1. Common Permission Sets

Some object classes share sets of permissions. These permission sets are defined as common permissions and are assigned a common permission identifier in the policy. They are then "inherited" by kernel object classes when the common permission identifier is assigned to the class. Thus, they are "common permissions" defined for multiple class definitions. Allowing the same permission sets for multiple object classes makes using multiple object classes in a single policy rule possible. See Chapter 4, "Object Classes and Permissions," for more information on how object classes and permissions are defined.

Note that it may be a bit confusing in that the identifiers used for common permission sets are also the identifiers used to name some kernel object classes. For example, there is a common set of permissions called "file," and there is a kernel object class also called "file," which inherits the common "file" permissions. The common permission and object class namespaces are separate, and the common permission file and the object class file are distinct entities; be careful not to confuse the two.

In the following tables, we list the three common permissions and their permission sets that are currently used by the kernel. The three common permission sets are as follows:

• file: Common permissions used by filesystem object classes
• socket: Common permissions used by various socket classes
• ipc: Common permissions used by System V interprocess communication (IPC) classes
Table C-1. Common Permissions: file

Permission | Description
---|---
append | Append to object's contents (that is, opened with O_APPEND flag).
create | Create new object of this class.
execute | Execute the object.
getattr | Get attributes for object, such as access mode (for example, stat, some ioctls).
ioctl | ioctl(2) system call requests on the object not addressed by other permissions.
link | Create hard link to object.
lock | Set and unset object's locks.
mounton | Use object as a mount point; typically used for dir object class.
quotaon | Allow file to be used as a quota database.
read | Read the object's contents.
relabelfrom | Change the object's security context from the existing type.
relabelto | Change the object's security context to the new type.
rename | Rename any hard links to the object.
setattr | Change attributes for object such as access mode (for example, chmod, some ioctls).
swapon | Deprecated; allowed the object to be used for paging/swapping space.
unlink | Remove hard link (delete the file if no other hard links are present).
write | Write the object's contents.
Table C-2. Common Permissions: socket

Permission | Description
---|---
accept | Accept a connection to the socket.
append | Write or append socket file contents.
bind | Bind name to the socket.
connect | Initiate connection from the socket.
create | Create new socket file.
getattr | Get file attributes for socket file, such as access mode (for example, stat, some ioctls).
getopt | Get socket options.
ioctl | I/O control system call requests on the socket not addressed by other permissions.
listen | Listen for connections to the socket.
lock | Set and unset socket file locks.
name_bind | Use port or file; for AF_INET sockets, defines a relationship between a socket object and its port number; no longer applied to UNIX domain sockets (post Linux Security Module [LSM]).
read | Read data received from socket.
recv_msg | Permission required for a socket to receive a message from a port.
recvfrom | Currently unused (a legacy of older network checks).
relabelfrom | Change the socket's security context from the existing type.
relabelto | Change the socket's security context to the new type.
send_msg | Permission required to send a message from a socket to a port.
sendto | Send data to UNIX domain sockets.
setattr | Change file attributes for socket file, such as access mode (for example, chmod, some ioctls).
setopt | Set socket options.
shutdown | Shut down the connection.
write | Write or append to the socket.
Table C-3. Common Permissions: ipc

Permission | Description
---|---
associate | Get the ID of an IPC object.
create | Create an IPC object.
destroy | Destroy an IPC object.
getattr | Get IPC object attributes.
read | Read or receive data from an IPC object.
setattr | Change IPC object attributes.
unix_read | Read; required by IPC operations.
unix_write | Write or change; required by IPC operations.
write | Write, send message, or change the value of an IPC object.
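The following is an added example, not part of the book's text or the kernel's policy sources. It parses a small access_vectors-style fragment and shows how a class's effective permission set is the union of its inherited common set and its class-specific permissions, why a rule naming several classes is only valid if every permission is defined for every listed class, and why the common "file" and the class "file" must be kept apart. The two `common` bodies in the fragment reproduce Tables C-1 and C-2; the class-specific permissions after `inherits` (`execute_no_trans`, `search`, `connectto`, and so on) are assumptions added for the example, and the `parse_access_vectors` and `check_allow` helpers are hypothetical names.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed access_vectors-style fragment for this example (not the kernel's
# real file).  The "common" bodies reproduce the file and socket sets from
# Tables C-1 and C-2; the class-specific permissions are assumptions.
POLICY_FRAGMENT = """
common file { ioctl read write create getattr setattr lock relabelfrom
              relabelto append unlink link rename execute swapon quotaon mounton }

common socket { ioctl read write create getattr setattr lock relabelfrom
                relabelto append bind connect listen accept getopt setopt
                shutdown recvfrom sendto recv_msg send_msg name_bind }

class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name reparent search rmdir }
class lnk_file inherits file
class tcp_socket inherits socket { connectto node_bind name_connect }
"""

# "common NAME { perm perm ... }"
COMMON_RE = re.compile(r"\bcommon\s+(\w+)\s*\{([^}]*)\}")
# "class NAME [inherits COMMON] [{ perm perm ... }]"; the optional brace
# group must stay on the same line so "class lnk_file inherits file" with
# no body does not swallow the next declaration.
CLASS_RE = re.compile(r"\bclass\s+(\w+)(?:\s+inherits\s+(\w+))?(?:[ \t]*\{([^}]*)\})?")


def parse_access_vectors(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (commons, classes).

    commons maps a common permission identifier to its permission set;
    classes maps an object class name to its *effective* permission set,
    i.e. the inherited common set plus any class-specific permissions.
    The two dictionaries are separate namespaces, exactly as in the policy.
    """
    commons: Dict[str, Set[str]] = {}
    for name, body in COMMON_RE.findall(text):
        commons[name] = set(body.split())

    classes: Dict[str, Set[str]] = {}
    for name, parent, body in CLASS_RE.findall(text):
        perms = set(body.split()) if body else set()
        if parent:
            if parent not in commons:
                raise ValueError(f"class {name} inherits unknown common {parent}")
            perms |= commons[parent]  # inherit the common permission set
        classes[name] = perms
    return commons, classes


def check_allow(classes: Dict[str, Set[str]], class_names: List[str],
                perms: List[str]) -> List[str]:
    """Validate the class/permission part of a rule such as
    'allow user_t etc_t : { file dir } { read getattr };'.

    Returns a list of problems; an empty list means every permission is
    defined for every class named, which is what makes a multi-class rule
    legal in the first place.
    """
    problems: List[str] = []
    for cls in class_names:
        if cls not in classes:
            problems.append(f"unknown class {cls}")
            continue
        for p in perms:
            if p not in classes[cls]:
                problems.append(f"permission {p} is not defined for class {cls}")
    return problems


def main() -> None:
    commons, classes = parse_access_vectors(POLICY_FRAGMENT)
    # The common "file" and the class "file" are distinct entities.
    print("common file :", sorted(commons["file"]))
    print("class  file :", sorted(classes["file"]))
    print("file-only   :", sorted(classes["file"] - commons["file"]))
    # A multi-class rule is fine when every class carries every permission...
    print("{ file dir } { read getattr } ->",
          check_allow(classes, ["file", "dir"], ["read", "getattr"]) or "ok")
    # ...and rejected when a class-specific permission leaks into the set.
    print("{ file dir } { read search }  ->",
          check_allow(classes, ["file", "dir"], ["read", "search"]))


if __name__ == "__main__":
    main()
```

Running the script prints the inherited and class-specific permissions of the `file` class side by side and then validates two multi-class rules; the second is rejected because `search` belongs to the `dir` class only, even though both classes inherit the same common set.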