C.2. Object Classes and Defined Permission Sets

The following tables show all the kernel object classes and the permissions defined for each object class. These permissions correspond to permissions required by the kernel's LSM hooks and are used as the object class/permission specifications in policy statements. Each object class's permission table lists any inherited/common permissions first and then any permissions that are unique to that class. The classes are grouped alphabetically within the following four categories:

- File related: Object classes relating to filesystem objects
- Network/socket: Object classes associated with network access or sockets
- IPC: System V IPC object classes
- Miscellaneous: Other object classes not in the previous three categories
C.2.1. File-Related Object Classes

File-related object classes represent many of the system objects that are familiar to a Linux user. Almost all of them inherit the common file permission set. Some classes also have unique permissions that either relate specifically to SELinux operations or are extensions that were added to the normal Linux permissions (for example, a permission to add a file to a directory). The object classes in this group are listed in Table C-4.

Table C-4. Summary of File-Related Object Classes

| Object Class | Description | Permission Definitions |
|---|---|---|
| blk_file | Block files | Table C-5 |
| chr_file | Character files | Table C-6 |
| dir | Directories | Table C-7 |
| fd | File descriptors | Table C-8 |
| fifo_file | Named pipes | Table C-9 |
| file | Ordinary files | Table C-10 |
| filesystem | Filesystem (that is, an actual partition) | Table C-11 |
| lnk_file | Symbolic links | Table C-12 |
| sock_file | UNIX domain sockets | Table C-13 |
Table C-5. blk_file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
Table C-6. chr_file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
| entrypoint | Added only to make the execmod permission index map to the same index as the file execmod permission (see execmod). |
| execmod | Added to allow certain applications to make executable mappings of character device memory. |
| execute_no_trans | Added only to make the execmod permission index map to the same index as the file execmod permission (see execmod). |
Table C-7. dir Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
| add_name | Add a hard link (name) to the directory (for example, creating or moving a file into a directory). |
| remove_name | Remove a hard link from the directory (for example, removing or moving a file from a directory). |
| reparent | Change the directory's parent directory. |
| rmdir | Remove the directory object. |
| search | Needed to find an object contained in the directory or for a directory object in the path to another object. Does not allow directory listing, which is controlled by read. |
Table C-8. fd Permissions

| Permissions | Description |
|---|---|
| use | Permission to use the file descriptor (for example, reading or writing to a file descriptor inherited from another process). Appropriate permissions on the underlying object are still required. (For example, successfully reading from a file using a file descriptor requires use permission on the fd object and read permission on the file object.) |
Table C-9. fifo_file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
Table C-10. file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
| entrypoint | File can be used as the entry point of a domain via a domain transition. |
| execmod | Make executable a file mapping that has been modified by copy-on-write. |
| execute_no_trans | Execute the file in the calling process's domain (that is, without a domain transition). |
Table C-11. filesystem Permissions

| Permissions | Description |
|---|---|
| associate | Allow file-related object classes with given types to be stored on the filesystem. |
| getattr | Needed to statfs a filesystem. |
| mount | Needed to mount the superblock of a filesystem. |
| quotaget | Get quota information. |
| quotamod | Modify quota information. |
| relabelfrom | Used to control context mounts. |
| relabelto | Used to control context mounts. |
| remount | Change filesystem mount flags. |
| transition | Deprecated permission from pre-LSM SELinux, not used. |
| unmount | Unmount. |
Table C-12. lnk_file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
Table C-13. sock_file Permissions

| Permissions | Description |
|---|---|
| file common permissions | See Table C-1. |
C.2.2. Network and Socket Object Classes

Network and socket object classes represent network resources and sockets. They include the classes for all types of network socket objects, from raw IP sockets to specialized Netlink sockets. This group also includes the classes and permissions for network interfaces and nodes. Almost all these object classes inherit the common permission socket. The object classes in this group are listed in Table C-14.

Table C-14. Summary of Network and Socket Object Classes

| Object Class | Description | Permission Definitions |
|---|---|---|
| association | Represents an IPSec security association. | Table C-15 |
| key_socket | Sockets that are of protocol family PF_KEY, used for key management in IPSec. This class was created to distinguish PF_KEY sockets from general sockets. | Table C-16 |
| netif | A network interface. A domain must have the appropriate permissions on a netif object to send and/or receive packets on an interface. The domain must also have the same permissions for a node object (see node class), and if the domain is using a UDP or TCP socket, it must also have the corresponding tcp_socket/udp_socket permission (that is, *_send_msg or *_recv_msg) on the TCP/UDP socket object. | Table C-17 |
| netlink_audit_socket | A netlink_audit_socket object is a netlink socket connection to the audit service. The socket is used to list/add/delete filter rules, get/set status, and so on. | Table C-18 |
| netlink_dnrt_socket | Netlink socket to control DECnet routing. | Table C-19 |
| netlink_firewall_socket | Netlink socket to create userspace firewall filters; copy packets from the kernel, send an accept or reject packet verdict to the kernel. | Table C-20 |
| netlink_ip6fw_socket | Netlink socket to create IPv6 userspace firewall filters. | Table C-21 |
| netlink_kobject_uevent_socket | Netlink socket to send kernel event notifications to userspace (for example, processor temperature detection). | Table C-22 |
| netlink_nflog_socket | Netlink socket to receive Netfilter logging messages in userspace. | Table C-23 |
| netlink_route_socket | Netlink socket to control and manage network resources such as the routing table and IP addresses from userspace. | Table C-24 |
| netlink_selinux_socket | Netlink socket that receives userspace notification messages on SELinux events (for example, policy load, enforce mode toggle, and Boolean change). | Table C-25 |
| netlink_socket | Netlink socket to control all Netlink sockets for which there is not yet a specific SELinux class defined. | Table C-26 |
| netlink_tcpdiag_socket | Netlink socket to monitor TCP connections. | Table C-27 |
| netlink_xfrm_socket | Netlink socket to get, maintain, and set IPsec parameters such as security associations, security policies, and security parameter indexes. | Table C-28 |
| node | Represents a host IP address or range of addresses. A domain must have send or receive permission on a node object to send or receive data on a particular IP address. The domain must also have send or receive permission on the network interface object associated with the address (see netif class). If the domain uses a UDP or TCP socket, it must also have the corresponding tcp_socket/udp_socket permission (that is, *_send_msg or *_recv_msg) on the socket object. | Table C-29 |
| packet_socket | Raw sockets where the protocol is implemented in userspace. The packets for this type of object are sent at OSI Layer 2. A domain must also have the NET_RAW capability permission to use a packet_socket object. | Table C-30 |
| rawip_socket | IP sockets that are neither TCP nor UDP. | Table C-31 |
| socket | Any socket type for which there is no specific class defined for its protocol family. SELinux, as of policy version 19, defines socket classes for the following protocol families: unix, inet, inet6, netlink, packet, and key. | Table C-32 |
| tcp_socket | A TCP socket. A domain also needs tcp_recv and/or tcp_send on both the associated node and netif objects to receive/send packets (in addition to the recv_msg/send_msg permission on the tcp_socket object). | Table C-33 |
| udp_socket | A UDP socket. A domain also needs udp_recv and/or udp_send on both the associated node and netif objects to receive/send packets (in addition to the recv_msg/send_msg permission on the udp_socket object). | Table C-34 |
| unix_dgram_socket | IPC datagram sockets on a local machine. The socket allows for passing credentials (PID, UID, and GID) for authentication. If any of the credentials are not the same as the process's, the process (that is, its domain) must also have the sys_admin, setuid, and/or setgid capability, respectively. | Table C-35 |
| unix_stream_socket | IPC stream sockets on a local machine. The socket allows for passing credentials (PID, UID, and GID) for authentication. If any of the credentials are not the same as the process's, the process (that is, its domain) must also have the sys_admin, setuid, and/or setgid capability, respectively. | Table C-36 |
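The layered checks described above for a TCP socket (send_msg/recv_msg on the tcp_socket plus tcp_send/tcp_recv on both the netif and the node) and, in Table C-8, for an inherited file descriptor (fd use plus read on the underlying file) are easy to get only partly right in policy. The following Python script is an added example, not from the book: it parses a constructed fragment of allow rules and reports which of the required checks a domain fails. The type names httpd_t, netif_t, node_t, user_t and httpd_content_t are assumed sample names; the receive permission on netif and node is spelled tcp_recv as in the tcp_socket row above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample policy fragment for this example (not from the book or any
# real policy); each line is one allow statement in the form the appendix describes.
SAMPLE_POLICY = """
# tcp_socket perms on the domain's own sockets ("self" resolves to the source type)
allow httpd_t self:tcp_socket { create connect send_msg recv_msg };
# the netif allows both directions, but the node allows only sending
allow httpd_t netif_t:netif { tcp_send tcp_recv };
allow httpd_t node_t:node tcp_send;
# reading an fd inherited from user_t needs fd use plus file read on the object
allow httpd_t user_t:fd use;
allow httpd_t httpd_content_t:file { read getattr };
"""

Rule = Tuple[str, str, str]  # (source type, target type, object class)

_ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def parse_allow_rules(text: str) -> Dict[Rule, Set[str]]:
    """Parse `allow src tgt:class perm;` and `{ perm ... }` lines into a rule map.

    Only this minimal statement form is handled (no attributes, no wildcards,
    no complement sets); anything else raises so it cannot silently vanish.
    """
    rules: Dict[Rule, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ALLOW_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        src, tgt, cls, perms = m.groups()
        if tgt == "self":
            tgt = src
        rules.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return rules


def allowed(rules: Dict[Rule, Set[str]], src: str, tgt: str, cls: str, perm: str) -> bool:
    """True if the policy grants src the permission on a tgt object of class cls."""
    return perm in rules.get((src, tgt, cls), set())


def _missing(rules: Dict[Rule, Set[str]], src: str, checks) -> List[str]:
    """Return the 'tgt:class perm' checks in the list that the policy does not grant."""
    return [f"{tgt}:{cls} {perm}" for tgt, cls, perm in checks
            if not allowed(rules, src, tgt, cls, perm)]


def missing_for_tcp(rules, domain, socket_type, netif_type, node_type, direction) -> List[str]:
    """Checks a domain must pass to send ("send") or receive ("recv") on a TCP
    socket: <direction>_msg on the tcp_socket, tcp_<direction> on the netif,
    and tcp_<direction> on the node. Returns the checks that fail."""
    if direction not in ("send", "recv"):
        raise ValueError("direction must be 'send' or 'recv'")
    return _missing(rules, domain, [
        (socket_type, "tcp_socket", f"{direction}_msg"),
        (netif_type, "netif", f"tcp_{direction}"),
        (node_type, "node", f"tcp_{direction}"),
    ])


def missing_for_fd_read(rules, domain, fd_creator, file_type) -> List[str]:
    """Reading through a file descriptor inherited from another domain needs
    fd use (the fd object carries its creator's domain type) plus file read on
    the underlying object; either one missing is a denial."""
    return _missing(rules, domain, [
        (fd_creator, "fd", "use"),
        (file_type, "file", "read"),
    ])


if __name__ == "__main__":
    pol = parse_allow_rules(SAMPLE_POLICY)
    for d in ("send", "recv"):
        print(d, missing_for_tcp(pol, "httpd_t", "httpd_t", "netif_t", "node_t", d))
    print("fd", missing_for_fd_read(pol, "httpd_t", "user_t", "httpd_content_t"))
```

With the sample rules, sending succeeds, receiving fails only on the node object, and the fd read passes; swapping in a file type with no read rule shows the fd use permission alone is not enough.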
Table C-15. association Permissions

| Permissions | Description |
|---|---|
| recvfrom | Receive packets using an IPSec security association. |
| sendto | Send packets using an IPSec security association. |
Table C-16. key_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-17. netif Permissions

| Permissions | Description |
|---|---|
| rawip_recv | Receive a raw IP packet via the network interface. |
| rawip_send | Send a raw IP packet via the network interface. |
| tcp_recv | Receive a TCP packet via the network interface. |
| tcp_send | Send a TCP packet via the network interface. |
| udp_recv | Receive a UDP packet via the network interface. |
| udp_send | Send a UDP packet via the network interface. |
Table C-18. netlink_audit_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Used to get the audit system status. |
| nlmsg_readpriv | List all auditing rules. |
| nlmsg_relay | Send userspace audit messages to the kernel audit system. |
| nlmsg_write | Used to set audit system parameters. |
Table C-19. netlink_dnrt_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-20. netlink_firewall_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Not used. |
| nlmsg_write | Write a control message to the firewall. |
Table C-21. netlink_ip6fw_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Not used. |
| nlmsg_write | Write a control message to the firewall. |
Table C-22. netlink_kobject_uevent_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-23. netlink_nflog_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-24. netlink_route_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Read the kernel routing table. |
| nlmsg_write | Write routing information to the routing table. |
Table C-25. netlink_selinux_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-26. netlink_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-27. netlink_tcpdiag_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Request kernel TCP parameters. |
| nlmsg_write | Currently unused. |
Table C-28. netlink_xfrm_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| nlmsg_read | Request IPsec configuration data. |
| nlmsg_write | Set IPsec configuration data. |
Table C-29. node Permissions

| Permissions | Description |
|---|---|
| enforce_dest | This permission is deprecated. It was used in an extended socket API in previous versions of SELinux. |
| rawip_recv | Receive a raw IP packet from the node. |
| rawip_send | Send a raw IP packet to the node. |
| tcp_recv | Receive a TCP packet from the node. |
| tcp_send | Send a TCP packet to the node. |
| udp_recv | Receive a UDP packet from the node. |
| udp_send | Send a UDP packet to the node. |
Table C-30. packet_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-31. rawip_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| node_bind | Ability to bind to a node. |
Table C-32. socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-33. tcp_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| acceptfrom | Deprecated, not used. |
| connectto | Deprecated, not used. |
| name_connect | Connect to a specific port number. |
| newconn | Deprecated, not used. |
| node_bind | Ability to bind to a node. |
Table C-34. udp_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| node_bind | Ability to bind to a node. |
Table C-35. unix_dgram_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
Table C-36. unix_stream_socket Permissions

| Permissions | Description |
|---|---|
| socket common permissions | See Table C-2. |
| acceptfrom | Deprecated, not used. |
| connectto | Connect to a server socket. |
| newconn | Deprecated, not used. |
C.2.3. System V IPC-Related Object Classes

System V IPC-related object classes are for those resources that support System V IPC objects such as message queues, semaphores, and shared memory. Most of these classes inherit the common permission ipc. The object classes in this group are listed in Table C-37.

Table C-37. Summary of IPC-Related Object Classes

| Object Class | Description | Permission Definitions |
|---|---|---|
| ipc | Deprecated; no longer used. | Table C-38 |
| msg | Messages within a message queue. | Table C-39 |
| msgq | Message queues. | Table C-40 |
| sem | Semaphores. | Table C-41 |
| shm | Shared memory segment. | Table C-42 |
Table C-38. ipc Permissions

| Permissions | Description |
|---|---|
| ipc common permissions | See Table C-3. (Note that the ipc object class is no longer used.) |
Table C-39. msg Permissions

| Permissions | Description |
|---|---|
| receive | Remove a message from a queue. |
| send | Add a message to a queue. |
Table C-40. msgq Permissions

| Permissions | Description |
|---|---|
| ipc common permissions | See Table C-3. |
| enqueue | Put a message onto a queue. |
Table C-41. sem Permissions

| Permissions | Description |
|---|---|
| ipc common permissions | See Table C-3. |
Table C-42. shm Permissions

| Permissions | Description |
|---|---|
| ipc common permissions | See Table C-3. |
| lock | Lock/unlock page(s) in memory. |
C.2.4. Miscellaneous Object Classes

The remaining object classes are primarily system control and management object classes. Most of the permissions are usually those reserved for the root user on a non-SELinux system and generally would be limited to selected trusted domains in SELinux. Most of these object classes have one or a fixed number of instances. (That is, you cannot create object instances of these classes as you can with file or socket classes.) The object classes in this group are listed in Table C-43.

Table C-43. Summary of Remaining Miscellaneous Object Classes

| Object Class | Description | Permission Definitions |
|---|---|---|
| capability | Privileges that are implemented as capabilities in Linux. These capabilities represent the typical "root" privileges. In SELinux, each process has a single instance of this object class that has the same type as the process itself. To use a capability defined in the kernel, the process domain type must be allowed the associated permission for the capability object class for the type of the process. Note that the capabilities grant privileges with respect to standard Linux; the Linux check (either for the capability or superuser) and the SELinux check are orthogonal. (That is, both are required; neither is sufficient alone.) | Table C-44 |
| passwd | A userspace class that represents the password and shadow files. The permission checks are enforced in the passwd program (although the access information is held in the kernel policy). | Table C-45 |
| pax | Pax security objects. Pax is a separate Linux security mechanism that may be integrated with SELinux. | Table C-46 |
| process | Each process itself is an object of class process and must have permission to its own type (or other process types) to perform certain actions with regard to the target process. | Table C-47 |
| security | The SELinux security server. There is only one instance of this object class. | Table C-48 |
| system | The system. Any system-level privileged functions not covered by the capability or the security object classes are embodied in the system object. There is only one instance of this object class. | Table C-49 |
Table C-44. capability Permissions

| Permissions | Description |
|---|---|
| audit_control | Allows the process to change auditing rules. Set login UID. |
| audit_write | Allows the process to send audit messages from userspace. |
| chown | Allows the process to change file ownership on a system where users are restricted to only changing group ownership. |
| dac_override | Allows the process to ignore discretionary access controls including access lists. The capability does not include the access covered by linux_immutable (see below). |
| dac_read_search | Allows the process read and search permission on all files and directories regardless of their DAC settings except for access covered by linux_immutable (see below) or where not permitted by SELinux permissions. |
| fowner | Allows the process to access a file when the file owner is not the same as the process's user ID. Other security checks (that is, DAC and MAC) are still in effect. |
| fsetid | Allows the process to set the group ID of a file where the group ID does not match that of the process. |
| ipc_lock | Allows the process the capability to lock non-shared and shared memory segments. |
| ipc_owner | Allows the process to ignore IPC ownership checks. |
| kill | Allows the process to send a kill signal to a process owned by a different user. |
| lease | Allows the process to take leases on a file. A lease allows a process to be notified when another process accesses the file that a lease's file descriptor refers to. |
| linux_immutable | Allows the process to change S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. |
| mknod | Allows the process to create character and block device nodes. |
| net_admin | Allows the process a variety of trusted network permissions such as configuring network interfaces, firewall settings, and routing tables. (See /usr/include/linux/capability.h for the full list.) Appropriate SELinux permissions remain in effect. |
| net_bind_service | Allows the process to bind TCP/UDP sockets to ports below 1024 or bind to ATM VCIs below 32. |
| net_broadcast | Allows the process to send network broadcasts and listen to incoming multicasts. |
| net_raw | Allows the process to create and use non-TCP/UDP sockets. Appropriate SELinux controls are still in effect. (That is, the process must also have appropriate permissions on a packet_socket or rawip_socket.) |
| setgid | Allows a non-root process to set its group IDs. |
| setpcap | Adds or removes the process's capability from another process's capability set. Note that the use of an added capability must still be allowed in the policy. |
| setuid | Allows a non-root process to set its real and/or effective IDs. |
| sys_admin | This capability allows the process many "standard" administrative functions. Some of these are: configuring syslog, setting the domain and host names, turning swap on or off, accessing and configuring various devices (for example, IDE, SCSI, and so on), and setting the encryption key for a loopback filesystem. See /usr/include/linux/capability.h for the complete list. |
| sys_boot | Allows the process to reboot the system. |
| sys_chroot | Allows the process to use the chroot(2) call. |
| sys_module | Allows the process unrestricted kernel modification capability including, but not limited to, loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. |
| sys_nice | Allows the process to change the priority of other processes. Also allows the process to change the scheduling algorithm used by any process. |
| sys_pacct | Allows the process to modify process accounting. |
| sys_ptrace | Allows the process to ptrace(2) another process. |
| sys_rawio | Allows the process to use ioperm(2) and iopl(2) as well as the capability to send messages to USB devices via /proc/bus/usb. |
| sys_resource | Allows the process to change various system resources: quota limits, reserved ext2 filesystem space, ext3 journaling mode, IPC message queue size restrictions, control of interrupts from the real-time clock, the maximum number of consoles, and the maximum number of keymaps. |
| sys_time | Allows the process to set the system time and to set the real-time clock. |
| sys_tty_config | Allows the process to configure tty devices. Allows the vhangup(2) call on a tty. |
Table C-45. passwd Permissions

| Permissions | Description |
|---|---|
| chfn | Change finger information for a different user (that is, the string in the passwd file for an account; commonly the user's real name). |
| chsh | Change the login shell for a particular account. |
| crontab | Permits a cron job to be run as a different user than the user who submitted the job. |
| passwd | Update a different user's password. |
| rootok | Allow the update if the user is root and the process has the rootok permission. |
Table C-46. pax Permissions

| Permissions | Description |
|---|---|
| emutramp | Emulate gcc trampolines (a technique for implementing nested functions) so that they will work with pax. |
| mprotect | Protects the modification of a task's address space. |
| pageexec | Paging-based, non-executable pages. |
| randexec | Randomize the mappings of an executable not built with relocatable code. |
| randmmap | Randomize mappings in a task's address space for an executable with relocatable code. |
| segmexec | Segmentation-based, non-executable pages. |
Table C-47. process Permissions

| Permissions | Description |
|---|---|
| dyntransition | Allows a process to dynamically transition to a new context. This capability is tied in with the setcurrent capability; both are required for a dynamic process domain transition. The ability of a process to change from one domain to another is extremely dangerous because it violates the principle of label tranquility for a process. It creates a real potential for unintentional granting of access. |
| execheap | Make the heap executable. |
| execmem | Make executable an anonymous mapping or private file mapping that is writable. |
| execstack | Make the process stack executable. |
| fork | Fork into two processes. |
| getattr | Get attributes of a process through the /proc/[pid]/attr directory. |
| getcap | Get Linux capabilities allowed for this process. |
| getpgid | Get the process group ID of a process. |
| getsched | Get the priority of a process. |
| getsession | Get the session ID of a process. |
| noatsecure | Disable secure mode environment cleansing. Allows a process to disable the secure mode feature of glibc on execve(2). |
| ptrace | Trace program execution of a parent or child. |
| rlimitnh | Inherit process resource limits from the parent process. |
| setcap | Set Linux capabilities allowed for this process. |
| setcurrent | Set the current process context. This is the first permission checked when a process tries to perform a dynamic domain transition. The dyntransition capability is also required. |
| setexec | Override the default context for the next execve(2). Allows a process to set the context of a program it execs to something other than the default context. (The context must still be a valid context for the domain of the new process.) |
| setfscreate | Allows a process to set the context of an object created by the process to something other than the default context. |
| setpgid | Set the process group ID of a process. |
| setrlimit | Change process hard resource limits. |
| setsched | Set the priority of a process. |
| share | Allow state sharing with a cloned or forked process. |
| sigchld | Send the SIGCHLD signal. |
| siginh | Inherit signal state from the parent process. |
| sigkill | Send the SIGKILL signal. |
| signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. |
| signull | Test for the existence of another process without sending a signal. |
| sigstop | Send the SIGSTOP signal. |
| transition | Transition to a new context on execve(2). |
Table C-48. security Permissions

| Permissions | Description |
|---|---|
| check_context | Allows a domain to check with the security server to see whether a context is valid within the current policy. |
| compute_av | Ask the security server to compute an access vector given a source/target/class using the selinuxfs interface. |
| compute_create | Retrieve a labeling decision on a new object. |
| compute_member | Ask the security server to compute a polyinstantiation membership decision through the selinuxfs interface. |
| compute_relabel | Allows a domain to use the selinuxfs interface to compute a relabeling decision. |
| compute_user | Allows a domain to use the selinuxfs interface to retrieve a user's reachable SIDs. |
| load_policy | Load the security policy. This completely changes the kernel policy being enforced and flushes the current access vector cache (AVC) so that all future access decisions are made against the new policy. |
| setbool | Allows a domain to set policy Boolean values. The domain also needs permissions on the Boolean file (that is, based on the label of the Boolean file). |
| setcheckreqprot | Set whether SELinux will check the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect. |
| setenforce | Change the enforcement state of SELinux to either permissive mode or enforcing mode. The kernel may be built to not allow this capability. |
| setsecparam | Set kernel AVC tuning parameters. |
Table C-49. system Permissions

| Permissions | Description |
|---|---|
| avc_toggle | No longer used (see the setenforce permission in the security object). |
| bdflush | Deprecated, not used. |
| ichsid | Deprecated, not used. |
| ipc_info | Get info for IPC objects. |
| nfsd_control | Deprecated, not used. |
| syslog_console | Allows a domain to enable and disable logging to the console and to set the level of syslog messages sent to the console. |
| syslog_mod | Perform syslog operations other than those controlled by the syslog_read or syslog_console permissions. |
| syslog_read | Allows a domain to retrieve the last kernel messages sent to the log and the size of the log buffer. |