C.1. Common Permission Sets

Some object classes share sets of permissions. These permission sets are defined as common permissions and are assigned a common permission identifier in the policy. They are then "inherited" by kernel object classes when the common permission identifier is assigned to the class. Thus, they are "common permissions" defined for multiple class definitions. Allowing the same permission sets for multiple object classes makes it possible to name multiple object classes in a single policy rule. See Chapter 4, "Object Classes and Permissions," for more information on how object classes and permissions are defined.

Note that it may be a bit confusing in that the identifiers used for common permission sets are also the identifiers used to name some kernel object classes. For example, there is a common set of permissions called "file," and there is a kernel object class also called "file," which inherits the common "file" permissions. The common permission and object class namespaces are separate, and the common permission file and the object class file are distinct entities; be careful not to confuse the two.
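As an added illustration that is not part of the book, the following Python resolves a constructed, abbreviated set of common and class declarations (written in SELinux policy syntax, with simplified declaration order) and checks whether a multi-class allow rule names only permissions that every listed class actually has; it also shows that "inherits file" on a class refers to the common set, not the class. The common permission names come from Tables C-1 and C-3; the class-specific names (execute_no_trans, entrypoint, add_name, remove_name, reparent, search, rmdir, enqueue) and the types in the sample rules are assumptions for the example.

```python
import re

# Constructed, abbreviated excerpt in SELinux policy syntax; the full common
# permission sets are the ones in Tables C-1 to C-3, and the declaration
# order is simplified compared with a real policy source.
POLICY = """
common file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute quotaon mounton }
common ipc { create destroy getattr setattr read write associate unix_read unix_write }
class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name reparent search rmdir }
class sock_file inherits file
class sem inherits ipc
class msgq inherits ipc { enqueue }
"""

def parse_classes(text):  # resolve each class to its full permission set
    commons, classes = {}, {}
    for line in text.splitlines():
        m = re.match(r'\s*common\s+(\w+)\s*\{([^}]*)\}', line)
        if m:
            commons[m.group(1)] = set(m.group(2).split())
            continue
        m = re.match(r'\s*class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?', line)
        if m:
            name, parent, own = m.groups()
            perms = set(own.split()) if own else set()
            if parent:                    # common and class namespaces are separate:
                perms |= commons[parent]  # 'inherits file' names the common set
            classes[name] = perms
    return classes

def _names(token):
    return set(token.strip('{} ').split())

def check_allow(classes, rule):  # permissions some listed class lacks (empty = valid)
    m = re.match(r'\s*allow\s+\w+\s+\w+\s*:\s*(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)\s*;', rule)
    if not m:
        raise ValueError("not an allow rule: " + rule)
    class_set, perm_set = _names(m.group(1)), _names(m.group(2))
    missing = set()
    for cls in class_set:
        missing |= perm_set - classes[cls]
    return missing

if __name__ == "__main__":
    resolved = parse_classes(POLICY)
    # read/getattr/mounton come from common file, so the multi-class rule is valid -> set()
    print(check_allow(resolved, "allow user_t etc_t:{ file dir sock_file } { read getattr mounton };"))
    # entrypoint is declared only on class file; dir lacks it -> {'entrypoint'}
    print(check_allow(resolved, "allow init_t bin_t:{ file dir } { read entrypoint };"))
```

A non-empty result is what the policy compiler would reject: the rule must be split per class, or restricted to permissions drawn from the shared common set.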

In the following tables, we list the three common permission sets that are currently used by the kernel, together with the permissions each contains. The three common permission sets are as follows:

file      Common permissions used by filesystem object classes
socket    Common permissions used by various socket classes
ipc       Common permissions used by System V interprocess communication (IPC) classes


Table C-1. Common Permissions file

Permission     Description
append         Append to the object's contents (that is, opened with the O_APPEND flag).
create         Create a new object of this class.
execute        Execute the object.
getattr        Get attributes for the object, such as access mode (for example, stat, some ioctls).
ioctl          ioctl(2) system call requests on the object not addressed by other permissions.
link           Create a hard link to the object.
lock           Set and unset the object's locks.
mounton        Use the object as a mount point; typically used for the dir object class.
quotaon        Allow the file to be used as a quota database.
read           Read the object's contents.
relabelfrom    Change the object's security context from the existing type.
relabelto      Change the object's security context to the new type.
rename         Rename any hard links to the object.
setattr        Change attributes for the object, such as access mode (for example, chmod, some ioctls).
swapon         Deprecated; allowed the object to be used for paging/swap space.
unlink         Remove a hard link (deletes the file if no other hard links are present).
write          Write the object's contents.


Table C-2. Common Permissions socket

Permission     Description
accept         Accept a connection to the socket.
append         Write or append socket file contents.
bind           Bind a name to the socket.
connect        Initiate a connection from the socket.
create         Create a new socket file.
getattr        Get file attributes for the socket file, such as access mode (for example, stat, some ioctls).
getopt         Get socket options.
ioctl          I/O control system call requests on the socket not addressed by other permissions.
listen         Listen for connections to the socket.
lock           Set and unset socket file locks.
name_bind      Use a port or file; for AF_INET sockets, defines a relationship between a socket object and its port number; no longer applied to UNIX domain sockets (post Linux Security Module [LSM]).
read           Read data received from the socket.
recv_msg       Permission required for a socket to receive a message from a port.
recvfrom       Currently unused (a legacy of older network checks).
relabelfrom    Change the socket's security context from the existing type.
relabelto      Change the socket's security context to the new type.
send_msg       Permission required to send a message from a socket to a port.
sendto         Send data to UNIX domain sockets.
setattr        Change file attributes for the socket file, such as access mode (for example, chmod, some ioctls).
setopt         Set socket options.
shutdown       Shut down the connection.
write          Write or append to the socket.


Table C-3. Common Permissions ipc

Permission     Description
associate      Get the ID of an IPC object.
create         Create an IPC object.
destroy        Destroy an IPC object.
getattr        Get IPC object attributes.
read           Read or receive data from an IPC object.
setattr        Change IPC object attributes.
unix_read      Read; required by IPC operations.
unix_write     Write or change; required by IPC operations.
write          Write, send a message, or change the value of an IPC object.





SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
