C.2. Object Classes and Defined Permission Sets

The following tables show all the kernel object classes and the permissions defined for each object class. These permissions correspond to permissions required by the kernel's LSM hooks and are used as the object class/permission specifications in policy statements. Each object class's permission table lists any inherited/common permissions first and then any permissions that are unique to that class. The classes are grouped alphabetically within the following four categories:

• File related: object classes relating to filesystem objects

• Network/socket: object classes associated with network access or sockets

• IPC: System V IPC object classes

• Miscellaneous: other object classes not in the previous three categories


C.2.1. File-Related Object Classes

File-related object classes represent many of the system objects that are familiar to a Linux user. Almost all of them inherit the common file permission set. Some classes also have unique permissions that either relate specifically to SELinux operations or are extensions that were added to the normal Linux permissions (for example, a permission to add a file to a directory). The object classes in this group are listed in Table C-4.

Table C-4. Summary of File-Related Object Classes

Object Class | Description | Permission Definitions
blk_file | Block files | Table C-5
chr_file | Character files | Table C-6
dir | Directories | Table C-7
fd | File descriptors | Table C-8
fifo_file | Named pipes | Table C-9
file | Ordinary files | Table C-10
filesystem | Filesystem (that is, an actual partition) | Table C-11
lnk_file | Symbolic links | Table C-12
sock_file | UNIX domain sockets | Table C-13


Table C-5. blk_file Permissions

Permissions | Description
file common permissions | See Table C-1.


Table C-6. chr_file Permissions

Permissions | Description
file common permissions | See Table C-1.
entrypoint | Added only to make the execmod permission index map to the same index as the file execmod permission (see execmod).
execmod | Added to allow certain applications to make executable mappings of character device memory.
execute_no_trans | Added only to make the execmod permission index map to the same index as the file execmod permission (see execmod).


Table C-7. dir Permissions

Permissions | Description
file common permissions | See Table C-1.
add_name | Add a hard link (name) to the directory (for example, creating or moving a file into a directory).
remove_name | Remove a hard link from the directory (for example, removing or moving a file out of a directory).
reparent | Change the directory's parent directory.
rmdir | Remove the directory object.
search | Needed to find an object contained in the directory or for a directory object in the path to another object. Does not allow directory listing, which is controlled by read.


Table C-8. fd Permissions

Permissions | Description
use | Permission to use the file descriptor (for example, reading or writing to a file descriptor inherited from another process). Appropriate permissions on the underlying object are still required. (For example, successfully reading from a file using a file descriptor requires use permission on the fd object and read permission on the file object.)


Table C-9. fifo_file Permissions

Permissions | Description
file common permissions | See Table C-1.


Table C-10. file Permissions

Permissions | Description
file common permissions | See Table C-1.
entrypoint | File can be used as the entry point of a domain via a domain transition.
execmod | Make executable a file mapping that has been modified by copy-on-write.
execute_no_trans | Execute the file in the calling process' domain (that is, without a domain transition).


Table C-11. filesystem Permissions

Permissions | Description
associate | Allow file-related object classes with given types to be stored on the filesystem.
getattr | Needed to statfs a filesystem.
mount | Needed to mount the superblock of a filesystem.
quotaget | Get quota information.
quotamod | Modify quota information.
relabelfrom | Used to control context mounts.
relabelto | Used to control context mounts.
remount | Change filesystem mount flags.
transition | Deprecated permission from pre-LSM SELinux, not used.
unmount | Unmount the filesystem.


Table C-12. lnk_file Permissions

Permissions | Description
file common permissions | See Table C-1.


Table C-13. sock_file Permissions

Permissions | Description
file common permissions | See Table C-1.


C.2.2. Network and Socket Object Classes

Network and socket object classes represent network resources and sockets. They include the classes for all types of network socket objects, from raw IP sockets to specialized Netlink sockets. This group also includes the classes and permissions for network interfaces and nodes. Almost all these object classes inherit the common permission socket. The object classes in this group are listed in Table C-14.

Table C-14. Summary of Network and Socket Object Classes

Object Class | Description | Permission Definitions
association | Represents an IPSec security association. | Table C-15
key_socket | Sockets that are of protocol family PF_KEY, used for key management in IPSec. This class was created to distinguish PF_KEY sockets from general sockets. | Table C-16
netif | A network interface. A domain must have the appropriate permissions on a netif object to send and/or receive packets on an interface. The domain must also have the same permissions for a node object (see node class), and if the domain is using a UDP or TCP socket, it must also have the corresponding tcp_socket/udp_socket permission (that is, *_send_msg or *_recv_msg) on the TCP/UDP socket object. | Table C-17
netlink_audit_socket | A netlink_audit_socket object is a netlink socket connection to the audit service. The socket is used to list/add/delete filter rules, get/set status, and so on. | Table C-18
netlink_dnrt_socket | Netlink socket to control DECnet routing. | Table C-19
netlink_firewall_socket | Netlink socket to create userspace firewall filters; copy packets from the kernel, send an accept or reject packet verdict to the kernel. | Table C-20
netlink_ip6fw_socket | Netlink socket to create IPv6 userspace firewall filters. | Table C-21
netlink_kobject_uevent_socket | Netlink socket to send kernel event notifications to userspace (for example, processor temperature detection). | Table C-22
netlink_nflog_socket | Netlink socket to receive Netfilter logging messages in userspace. | Table C-23
netlink_route_socket | Netlink socket to control and manage network resources such as the routing table and IP addresses from userspace. | Table C-24
netlink_selinux_socket | Netlink socket that receives userspace notification messages on SELinux events (for example, policy load, enforce mode toggle, and Boolean change). | Table C-25
netlink_socket | Netlink socket to control all Netlink sockets for which there is not yet a specific SELinux class defined. | Table C-26
netlink_tcpdiag_socket | Netlink socket to monitor TCP connections. | Table C-27
netlink_xfrm_socket | Netlink socket to get, maintain, and set IPsec parameters such as security associations, security policies, and security parameter indexes. | Table C-28
node | Represents a host IP address or range of addresses. A domain must have send or receive permission on a node object to send or receive data on a particular IP address. The domain must also have send or receive permission on the network interface object associated with the address (see netif class). If the domain uses a UDP or TCP socket, it must also have the corresponding tcp_socket/udp_socket permission (that is, *_send_msg or *_recv_msg) on the socket object. | Table C-29
packet_socket | Raw sockets where the protocol is implemented in userspace. The packets for this type of object are sent at OSI Layer 2. A domain must also have the net_raw capability permission to use a packet_socket object. | Table C-30
rawip_socket | IP sockets that are neither TCP nor UDP. | Table C-31
socket | Any socket type for which there is no specific class defined for its protocol family. SELinux, as of policy version 19, defines socket classes for the following protocol families: unix, inet, inet6, netlink, packet, and key. | Table C-32
tcp_socket | A TCP socket. A domain also needs tcp_recv and/or tcp_send on both the associated node and netif objects to receive/send packets (in addition to the recv_msg/send_msg permission on the tcp_socket object). | Table C-33
udp_socket | A UDP socket. A domain also needs udp_recv and/or udp_send on both the associated node and netif objects to receive/send packets (in addition to the recv_msg/send_msg permission on the udp_socket object). | Table C-34
unix_dgram_socket | IPC datagram sockets on a local machine. The socket allows for passing credentials (PID, UID, and GID) for authentication. If any of the credentials are not the same as the process's, the process (that is, its domain) must also have the sys_admin, setuid, and/or setgid capability, respectively. | Table C-35
unix_stream_socket | IPC stream sockets on a local machine. The socket allows for passing credentials (PID, UID, and GID) for authentication. If any of the credentials are not the same as the process's, the process (that is, its domain) must also have the sys_admin, setuid, and/or setgid capability, respectively. | Table C-36


Table C-15. association Permissions

Permissions | Description
recvfrom | Receive packets using an IPSec security association.
sendto | Send packets using an IPSec security association.


Table C-16. key_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-17. netif Permissions

Permissions | Description
rawip_recv | Receive raw IP packet via the network interface.
rawip_send | Send raw IP packet via the network interface.
tcp_recv | Receive TCP packet via the network interface.
tcp_send | Send TCP packet via the network interface.
udp_recv | Receive UDP packet via the network interface.
udp_send | Send UDP packet via the network interface.


Table C-18. netlink_audit_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Used to get the audit system status.
nlmsg_readpriv | List all auditing rules.
nlmsg_relay | Send userspace audit messages to the kernel audit system.
nlmsg_write | Used to set audit system parameters.


Table C-19. netlink_dnrt_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-20. netlink_firewall_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Not used.
nlmsg_write | Write control message to firewall.


Table C-21. netlink_ip6fw_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Not used.
nlmsg_write | Write control message to firewall.


Table C-22. netlink_kobject_uevent_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-23. netlink_nflog_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-24. netlink_route_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Read kernel routing table.
nlmsg_write | Write routing information to routing table.


Table C-25. netlink_selinux_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-26. netlink_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-27. netlink_tcpdiag_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Request kernel TCP parameters.
nlmsg_write | Currently unused.


Table C-28. netlink_xfrm_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
nlmsg_read | Request IPsec configuration data.
nlmsg_write | Set IPsec configuration data.


Table C-29. node Permissions

Permissions | Description
enforce_dest | This permission is deprecated. It was used in an extended socket API in previous versions of SELinux.
rawip_recv | Receive raw IP packet from the node.
rawip_send | Send raw IP packet to the node.
tcp_recv | Receive TCP packet from the node.
tcp_send | Send TCP packet to the node.
udp_recv | Receive UDP packet from the node.
udp_send | Send UDP packet to the node.


Table C-30. packet_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-31. rawip_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
node_bind | Ability to bind to a node.


Table C-32. socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-33. tcp_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
acceptfrom | Deprecated, not used.
connectto | Deprecated, not used.
name_connect | Connect to a specific port number.
newconn | Deprecated, not used.
node_bind | Ability to bind to a node.


Table C-34. udp_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
node_bind | Ability to bind to a node.


Table C-35. unix_dgram_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.


Table C-36. unix_stream_socket Permissions

Permissions | Description
socket common permissions | See Table C-2.
acceptfrom | Deprecated, not used.
connectto | Connect to server socket.
newconn | Deprecated, not used.
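
As an added example (not code from the book or the SELinux project), a small Python linter that checks allow rules against the classes and permissions in this appendix: it flags permissions a class does not define, the permissions the tables above mark as deprecated or unused (Tables C-11, C-29, C-33, C-36), and, following the netif, node and tcp_socket descriptions in Table C-14, a domain that may send or receive on a tcp_socket without matching tcp_send/tcp_recv on a netif and a node. The type names in the sample policy and the listed members of the common permission sets are assumptions, and the class tables are a constructed subset of this appendix.

```python
"""Lint SELinux allow rules against the classes/permissions of Appendix C.2.
Added example, not code from the book or the SELinux project.  The class
tables are a constructed subset of Tables C-7, C-10, C-11, C-17, C-29, C-33
and C-36; Tables C-1/C-2 (common sets) are not on this page, so only a few
assumed members of each are listed as placeholders."""
import re

# Assumed subsets of the inherited common permission sets (placeholders).
FILE_COMMON = {"read", "write", "getattr", "setattr"}
SOCKET_COMMON = {"create", "bind", "connect", "send_msg", "recv_msg"}

# Class-specific permissions, taken from the tables of this appendix.
CLASSES = {
    "dir": FILE_COMMON | {"add_name", "remove_name", "reparent", "rmdir", "search"},
    "file": FILE_COMMON | {"entrypoint", "execmod", "execute_no_trans"},
    "filesystem": {"associate", "getattr", "mount", "quotaget", "quotamod",
                   "relabelfrom", "relabelto", "remount", "transition", "unmount"},
    "netif": {"rawip_recv", "rawip_send", "tcp_recv", "tcp_send",
              "udp_recv", "udp_send"},
    "node": {"enforce_dest", "rawip_recv", "rawip_send", "tcp_recv", "tcp_send",
             "udp_recv", "udp_send"},
    "tcp_socket": SOCKET_COMMON | {"acceptfrom", "connectto", "name_connect",
                                   "newconn", "node_bind"},
    "unix_stream_socket": SOCKET_COMMON | {"acceptfrom", "connectto", "newconn"},
}

# (class, permission) pairs this appendix marks as deprecated or unused.
DEPRECATED = {
    ("filesystem", "transition"), ("node", "enforce_dest"),
    ("tcp_socket", "acceptfrom"), ("tcp_socket", "connectto"),
    ("tcp_socket", "newconn"), ("unix_stream_socket", "acceptfrom"),
    ("unix_stream_socket", "newconn"),
}

# allow <source> <target>:<class> { p1 p2 ... };   or   allow s t:c p;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+([^\s:]+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

def parse_rules(text):
    """Return a list of (source, target, class, [perms]) tuples."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = (m.group(4) or m.group(5)).split()
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def lint(text):
    """Return human-readable findings for the allow rules in `text`."""
    rules = parse_rules(text)
    findings = []
    for src, _tgt, cls, perms in rules:
        if cls not in CLASSES:
            findings.append(f"{src}: unknown object class {cls!r}")
            continue
        for p in perms:
            if p not in CLASSES[cls]:
                findings.append(f"{src}: {cls} has no permission {p!r}")
            elif (cls, p) in DEPRECATED:
                findings.append(f"{src}: {cls} {p} is deprecated/not used")
    # Completeness check from the netif/node/tcp_socket descriptions in
    # Table C-14: send_msg/recv_msg on a tcp_socket also needs tcp_send/
    # tcp_recv on a netif and on a node (simplified: any netif/node type).
    granted = {}
    for src, _tgt, cls, perms in rules:
        granted.setdefault(src, set()).update((cls, p) for p in perms)
    for src, g in granted.items():
        for sock_perm, net_perm in (("send_msg", "tcp_send"),
                                    ("recv_msg", "tcp_recv")):
            if ("tcp_socket", sock_perm) not in g:
                continue
            for cls in ("netif", "node"):
                if (cls, net_perm) not in g:
                    findings.append(
                        f"{src}: tcp_socket {sock_perm} without {cls} {net_perm}")
    return findings

# Constructed sample policy fragment; the type names are made up.
SAMPLE_POLICY = """
allow httpd_t httpd_port_t:tcp_socket { name_connect connectto };
allow httpd_t self:tcp_socket { create send_msg recv_msg };
allow httpd_t netif_t:netif { tcp_send tcp_recv };
allow httpd_t node_t:node tcp_send;
allow httpd_t var_t:dir { search listdir };
allow httpd_t fs_t:filesystem transition;
"""
```

Running `lint(SAMPLE_POLICY)` reports the deprecated connectto and transition permissions, the undefined dir permission listdir, and the missing node tcp_recv that Table C-14 says is required alongside recv_msg.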


C.2.3. System V IPC-Related Object Classes

System V IPC-related object classes are for those resources that support System V IPC objects such as message queues, semaphores, and shared memory. Most of these classes inherit the common permission ipc. The object classes in this group are listed in Table C-37.

Table C-37. Summary of IPC-Related Object Classes

Object Class | Description | Permission Definitions
ipc | Deprecated; no longer used. | Table C-38
msg | Messages within a message queue. | Table C-39
msgq | Message queues. | Table C-40
sem | Semaphores. | Table C-41
shm | Shared memory segment. | Table C-42


Table C-38. ipc Permissions

Permissions | Description
ipc common permissions | See Table C-3. (Note that the ipc object class is no longer used.)


Table C-39. msg Permissions

Permissions | Description
receive | Remove a message from a queue.
send | Add a message to a queue.


Table C-40. msgq Permissions

Permissions | Description
ipc common permissions | See Table C-3.
enqueue | Put a message onto a queue.


Table C-41. sem Permissions

Permissions | Description
ipc common permissions | See Table C-3.


Table C-42. shm Permissions

Permissions | Description
ipc common permissions | See Table C-3.
lock | Lock/unlock page(s) in memory.


C.2.4. Miscellaneous Object Classes

The remaining object classes are primarily system control and management object classes. Most of their permissions are those usually reserved for the root user on a non-SELinux system and would generally be limited to selected trusted domains in SELinux. Most of these object classes have a single instance or a fixed number of instances. (That is, you cannot create object instances of these classes as you can with file or socket classes.) The object classes in this group are listed in Table C-43.

Table C-43. Summary of Remaining Miscellaneous Object Classes

Object Class | Description | Permission Definitions
capability | Privileges that are implemented as capabilities in Linux. These capabilities represent the typical "root" privileges. In SELinux, each process has a single instance of this object class that has the same type as the process itself. To use a capability defined in the kernel, the process domain type must be allowed the associated permission for the capability object class for the type of the process. Note that the capabilities grant privileges with respect to standard Linux; the Linux check (either for the capability or superuser) and the SELinux check are orthogonal. (That is, both are required; neither is sufficient alone.) | Table C-44
passwd | A userspace class that represents the password and shadow files. The permission checks are enforced in the passwd program (although the access information is held in the kernel policy). | Table C-45
pax | Pax security objects. Pax is a separate Linux security mechanism that may be integrated with SELinux. | Table C-46
process | Each process itself is an object of class process and must have permission to its own type (or other process types) to perform certain actions with regard to the target process. | Table C-47
security | The SELinux security server. There is only one instance of this object class. | Table C-48
system | The system. Any system-level privileged functions not covered by the capability or the security object classes are embodied in the system object. There is only one instance of this object class. | Table C-49


Table C-44. capability Permissions

Permissions | Description
audit_control | Allows the process to change auditing rules and to set the login UID.
audit_write | Allows the process to send audit messages from userspace.
chown | Allows the process to change file ownership on a system where users are restricted to only changing group ownership.
dac_override | Allows the process to ignore discretionary access controls, including access lists. The capability does not include the access covered by linux_immutable (see below).
dac_read_search | Allows the process read and search permission on all files and directories regardless of their DAC settings, except for access covered by linux_immutable (see below) or where not permitted by SELinux permissions.
fowner | Allows the process to access a file when the file owner is not the same as the process' user ID. Other security checks (that is, DAC and MAC) are still in effect.
fsetid | Allows the process to set the group ID of a file where the group ID does not match that of the process.
ipc_lock | Allows the process to lock non-shared and shared memory segments.
ipc_owner | Allows the process to ignore IPC ownership checks.
kill | Allows the process to send a kill signal to a process owned by a different user.
lease | Allows the process to take leases on a file. A lease allows a process to be notified when another process accesses the file that a lease's file descriptor refers to.
linux_immutable | Allows the process to change the S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.
mknod | Allows the process to create character and block device nodes.
net_admin | Allows the process a variety of trusted network operations such as configuring network interfaces, firewall settings, and routing tables (see /usr/include/linux/capability.h for the full list). Appropriate SELinux permissions remain in effect.
net_bind_service | Allows the process to bind TCP/UDP sockets to ports below 1024 or to bind to ATM VCIs below 32.
net_broadcast | Allows the process to send network broadcasts and listen to incoming multicasts.
net_raw | Allows the process to create and use non-TCP/UDP sockets. Appropriate SELinux controls are still in effect. (That is, the process must also have appropriate permissions on a packet_socket or rawip_socket object.)
setgid | Allows a non-root process to set its group IDs.
setpcap | Adds or removes the process' capability from another process' capability set. Note that the use of an added capability must still be allowed in the policy.
setuid | Allows a non-root process to set its real and/or effective user IDs.
sys_admin | This capability allows the process many "standard" administrative functions. Some of these are: configuring syslog, setting the domain and host names, turning swap on or off, accessing and configuring various devices (for example, IDE, SCSI, and so on), and setting the encryption key for a loopback filesystem. See /usr/include/linux/capability.h for the complete list.
sys_boot | Allows the process to reboot the system.
sys_chroot | Allows the process to use the chroot(2) call.
sys_module | Allows the process unrestricted kernel modification capability including, but not limited to, loading and removing kernel modules. Allows modification of the kernel's bounding capability mask.
sys_nice | Allows the process to change the priority of other processes. Also allows the process to change the scheduling algorithm used by any process.
sys_pacct | Allows the process to modify process accounting.
sys_ptrace | Allows the process to ptrace(2) another process.
sys_rawio | Allows the process to use ioperm(2) and iopl(2), as well as the capability to send messages to USB devices via /proc/bus/usb.
sys_resource | Allows the process to change various system resources: quota limits, reserved ext2 filesystem space, ext3 journaling mode, IPC message queue size restrictions, control of interrupts from the real-time clock, the maximum number of consoles, and the maximum number of keymaps.
sys_time | Allows the process to set the system time and to set the real-time clock.
sys_tty_config | Allows the process to configure tty devices. Allows the vhangup(2) call on a tty.


Table C-45. passwd Permissions

Permissions | Description
chfn | Change finger information for a different user (that is, the string in the passwd file for an account; commonly the user's real name).
chsh | Change login shell for a particular account.
crontab | Permits a cron job to be run as a different user than the user who submitted the job.
passwd | Update a different user's password.
rootok | Allow update if the user is root and the process has the rootok permission.


Table C-46. pax Permissions

Permissions | Description
emutramp | Emulate gcc trampolines (a technique for implementing nested functions) so that they will work with pax.
mprotect | Protects the modification of a task's address space.
pageexec | Paging-based, non-executable pages.
randexec | Randomize the mappings of an executable not built with relocatable code.
randmmap | Randomize mappings in a task's address space for an executable with relocatable code.
segmexec | Segmentation-based, non-executable pages.


Table C-47. process Permissions

Permissions | Description
dyntransition | Allows a process to dynamically transition to a new context. This permission is tied in with the setcurrent permission; both are required for a dynamic process domain transition. The ability of a process to change from one domain to another is extremely dangerous because it violates the principle of label tranquility for a process. It creates a real potential for unintentional granting of access.
execheap | Make the heap executable.
execmem | Make executable an anonymous mapping or private file mapping that is writable.
execstack | Make the process stack executable.
fork | Fork into two processes.
getattr | Get attributes of a process through the /proc/[pid]/attr directory.
getcap | Get Linux capabilities allowed for this process.
getpgid | Get process group ID of process.
getsched | Get priority of process.
getsession | Get session ID of process.
noatsecure | Disable secure mode environment cleansing. Allows a process to disable the secure mode feature of glibc on execve(2).
ptrace | Trace program execution of parent or child.
rlimitinh | Inherit process resource limits from parent process.
setcap | Set Linux capabilities allowed for this process.
setcurrent | Set the current process context. This is the first permission checked when a process tries to perform a dynamic domain transition. The dyntransition permission is also required.
setexec | Override the default context for the next execve(2). Allows a process to set the context of a program it execs to something other than the default context. (The context must still be a valid context for the domain of the new process.)
setfscreate | Allows a process to set the context of an object created by the process to something other than the default context.
setpgid | Set process group ID of process.
setrlimit | Change process hard resource limits.
setsched | Set priority of process.
share | Allow state sharing with cloned or forked process.
sigchld | Send SIGCHLD signal.
siginh | Inherit signal state from parent process.
sigkill | Send SIGKILL signal.
signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD.
signull | Test for existence of another process without sending a signal.
sigstop | Send SIGSTOP signal.
transition | Transition to a new context on execve(2).


Table C-48. security Permissions

Permissions | Description
check_context | Allows a domain to check with the security server to see whether a context is valid within the current policy.
compute_av | Ask the security server to compute an access vector given a source/target/class using the selinuxfs interface.
compute_create | Retrieve a labeling decision on a new object.
compute_member | Ask the security server to compute a polyinstantiation membership decision through the selinuxfs interface.
compute_relabel | Allows a domain to use the selinuxfs interface to compute a relabeling decision.
compute_user | Allows a domain to use the selinuxfs interface to retrieve a user's reachable SIDs.
load_policy | Load the security policy. This completely changes the kernel policy being enforced and flushes the current access vector cache (AVC), so that all future access decisions are made against the new policy.
setbool | Allows a domain to set policy Boolean values. The domain also needs permissions on the Boolean file (that is, based on the label of the Boolean file).
setcheckreqprot | Set whether SELinux checks the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect.
setenforce | Change the enforcement state of SELinux to either permissive mode or enforcing mode. The kernel may be built to not allow this capability.
setsecparam | Set kernel AVC tuning parameters.


Table C-49. system Permissions

Permissions | Description
avc_toggle | No longer used (see the setenforce permission in the security object class).
bdflush | Deprecated, not used.
ichsid | Deprecated, not used.
ipc_info | Get info for IPC objects.
nfsd_control | Deprecated, not used.
syslog_console | Allows a domain to enable and disable logging to the console and to set the level of syslog messages sent to the console.
syslog_mod | Perform syslog operations other than those controlled by the syslog_read or syslog_console permissions.
syslog_read | Allows a domain to retrieve the last kernel messages sent to the log and the size of the log buffer.





SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007