| Table B-1 summarizes SELinux operations, identifying their related object classes and giving an approximate description of them. In future SELinux releases, SELinux developers may change the roster of operations, associate operations with object classes differently, or modify the function performed by an operation. The table is sorted alphabetically by the name of the operation. The SELinux file src/policy/ flask /access_vectors shows the relationship between object classes and operations and is sorted by object class. Table B-1. SELinux operations | Operation | Object classes | Description | | accept | key_socket , netlink_socket , packet_socket , raw_ipsocket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Accept a connection. | | acceptfrom | tcp_socket , unix_stream_socket | Accept connection from client socket. | | add_name | dir | Add a name. | | append | blk_file , chr_file , dir , fifo_file , file , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Write or append file or socket contents. | | associate | filesystem , ipc , msgq , sem , shm | Associate a file or key with a filesystem, queue, semaphore set, or memory segment. | | avc_toggle | system | Toggle between permissive and enforcing modes. | | bdflush | system | Control the buffer-dirty-flush daemon. | | bind | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Bind name to socket. | | change_sid | security | Determine the SID of an object during relabeling. | | check_context | security | Write context in selinuxfs filesystem. | | chfn | passwd | Change user account information (real name, work room and phone, and home phone). | | chown | capability | Change file ownership and group ownership. | | chsh | passwd | Change login shell. | | compute_av | security | Compute an access vector given a source, target, and class. | | compute_create | security | Set create information in selinuxfs filesystem. | | compute_member | security | Set member information in selinuxfs filesystem. | | compute_relabel | security | Set relabel information in selinuxfs filesystem. | | compute_user | security | Set user information in selinuxfs filesystem. | | connect | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Initiate connection. | | connectto | tcp_socket , unix_stream_socket | Connect to server socket. | | context_to_sid | security | Convert a context to an SID. | | create | blk_file , chr_file , dir , fifo_file , file , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Create new file, IPC object, queue, semaphore set, or shared memory segment. | | dac_override | capability | Override discretionary access control except LINUX_IMMUTABLE . | | dac_read_search | capability | Overrides all discretionary access control. | | destroy | ipc , msgq , sem , shm | Destroy IPC object, message queue, semaphore set, or shared memory segment. | | enforce_dest | node | Destination node can enforce restrictions on the destination socket. | | enqueue | msgq | Message may reside on queue. | | entrypoint | file | Enter a new domain via this program. | | execute | blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file | Execute. | | execute_no_trans | file | Execute file without a domain transition. | | fork | process | Fork into two processes. | | fowner | capability | Grant file operations otherwise restricted due to ownership. | | fsetid | capability | overrides effective user ID checks for set user ID and set group ID files | | get_sids , get_user_sids | security | Get the list of active SIDs. | | getattr | blk_file , chr_file , dir , fifo_file , file , filesystem , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , process , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Get file, process, message queue, or shared memory segment attributes. | | getcap | process | Get process capabilities. | | getopt | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Get socket options. | | getpgid | process | Get process group ID. | | getsched | process | Get process priority. | | getsession | process | Get session ID. | | ioctl | blk_file , chr_file , dir , fifo_file , file , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | I/O control system call requests not addressed by other permissions. | | ipc_info | system | Get information for an IPC socket. | | ipc_lock | capability | Lock nonshared and shared memory segments. | | ipc_owner | capability | Ignore IPC ownership checks. | | kill | capability | Raise signal any process. | | lease | capability | Take fcntl( ) leases on a file. | | link | blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file | Create hard link to file. | | linux_immutable | capability | Modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. | | listen | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Listen for connections. | | load_policy | security | Load the security policy. | | lock | blk_file , chr_file , dir , fifo_file , file , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sh , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket, unix_stream_socket | Set and unset file or memory page locks. | | member_sid | security | Determine SID to use when selecting a member of a polyinstantiated object . | | mknod | capability | Create character or block device nodes. | | mount | filesystem | Mount a filesystem. | | mounton | blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file | Use as filesystem mount point. | | name_bind | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Bind port to IP or file to Unix socket. | | net_admin | capability | Network configuration changes. | | net_bind_service | capability | Bind to privileged port. | | net_raw | capability | Open raw socket or packet socket. | | netbroadcast | capability | Send network broadcast or listen to incoming multicasts. | | newconn | tcp_socket , unix_stream_socket | Create new socket for connection. | | nfsd_control | system | Control the NFS server. | | noatsecure | process | Allow GLibc secure mode. | | node_bind | rawip_socket , tcp_socket , udp_socket | Bind socket. | | passwd | passwd | Change user password. | | ptrace | process | Trace program execution of parent or child. | | quotaget | filesystem | Get quota information. | | quotamod | filesystem | Modify quota information. | | quotaon | blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file | Enable quotas. | | rawip_recv | netif , node | Receive raw IP packet. | | rawip_send | netif , node | Send raw IP packet. | | read | blk_file , chr_file , dir , fifo_file , file , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Read file, IPC, message queue, or shared memory segment contents. | | receive | msg | Remove message from a queue. | | recv_msg | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Receive datagram message having SID unequal to socket. | | recvfrom | key_socket , netlink_socket , packet_socket , rawip-socket , socket , tcp_socket , udp-socket , unix_dgram_socket , unix_stream_socket | Receive datagrams from socket. | | relabelfrom | blk_file , chr_file , dir , fifo_file , file , filesystem , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Change the security context based on existing type. | | relabelto | blk_file , chr_file , dir , fifo_file , file , filesystem , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Change the security context based on the new type. | | remount | filesystem | Change mounted filesystem options. | | remove_name | dir | Remove a name. | | rename | blk_file, chr_file , dir , fifo_file , lnk_file , sock_file | Rename a hard link. | | reparent | dir | Change parent directory. | | rlimitinh | process | Inherit resource limits from old SID. | | rmdir | dir | Remove directory. | | rootok | passwd | Update password if the user is root and the process has the rootok permission. | | search | dir | Search directory. | | send | msg | Add message to a queue. | | send_msg | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Send datagram message having SID unequal to that of sending socket. | | sendto | key_socket, netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Send datagrams to socket. | | setattr | blk_file , chr_file , dir , fifo_file , file , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Change attributes of file, shared memory segment, or message queue. | | setbool | security | Set a boolean value. | | setcap | process | Set process capabilities. | | setenforce | security | Change the SELinux enforcement mode. | | setfscreate | process | Set fscreate context. | | setgid | capability | Allow setgid( ) calls, and fake group IDs on credentials passed over a socket. | | setopt | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Set IPSec or socket options socket. | | setpcap | capability | Transfer process capability map. | | setpgid | process | Set process group ID. | | setrlimit | process | Change process hard limits. | | setsched | process | Set process priority. | | setuid | capability | Allow setsuid( ) and fake UIDs on credentials passed over a socket. | | share | process | Allow state sharing with cloned or forked process. | | shutdown | key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Shutdown connection. | | sid_to_context | security | Convert a SID to a context. | | sigchld | process | Send SIGCHLD signal. | | siginh | process | Inherit signal state from old SID. | | sigkill | process | Send SIGKILL signal. | | signal | process | Send a signal other than SIGKILL , SIGSTOP , or SIGCHLD . | | signull | process | Test for existence of another process without sending a signal. | | sigstop | process | Send SIGSTOP signal. | | swapon | blk_file , chr_file , dir , fifo_file , lnk_file , sock_file | Allow file to be used for swap space. | | sys_admin | capability | Various system capabilities (see /usr/include/linux/capability.h ). | | sys_boot | capability | Reboot the system. | | sys_chroot | capability | Use chroot( ) . | | sys_module | capability | Load and remove kernel modules and otherwise modify kernel. | | sys_nice | capability | Change process priority and scheduling options. | | sys_pacct | capability | Change process accounting state. | | sys_ptrace | capability | Trace any process. | | sys_rawio | capability | Perform raw I/O. | | sys_resource | capability | Various capabilities (see /usr/include/linux/capability.h ). | | sys_time | capability | Set system time and real-time clock. | | sys_tty_config | capability | Configure tty devices. | | syslog_console | system | Log to syslog console. | | syslog_mod | system | Perform syslog operation other than reading syslog or logging to console. | | syslog_read | system | Read syslog | | tcp_recv | netif , node | Receive TCP packet. | | tcp_send | netif , node | Send TCP packet. | | transition | filesystem , process | Transition to a new SID. | | transition_sid | security | Determine SID for a new object. | | udp_recv | netif , node | Receive UDP packet. | | udp_send | netif , node | Send UDP packet. | | unix_read | ipc , msgq , sem , shm | Perform IPC read. | | unix_write | ipc , msgq , sem , shm | Perform IPC write or append. | | unlink | blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file | Remove (delete) hard link. | | unmount | filesystem | Unmount filesystem. | | use | fd | Use an inherited file descriptor. | | write | blk_file , chr_file , dir , fifo_file , file , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket | Write or append file or IPC object contents. |
|
