SELinux [Electronic resources]

Bill McCarty

نسخه متنی -صفحه : 100/ 70

Appendix B. SELinux Operations

Table B-1 summarizes SELinux operations, identifying their related object classes and giving an approximate description of them. In future SELinux releases, SELinux developers may change the roster of operations, associate operations with object classes differently, or modify the function performed by an operation. The table is sorted alphabetically by the name of the operation. The SELinux file src/policy/flask/access_vectors shows the relationship between object classes and operations and is sorted by object class.

Table B-1. SELinux operations

Operation

Object classes

Description

accept

key_socket , netlink_socket , packet_socket , raw_ipsocket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Accept a connection.

acceptfrom

tcp_socket , unix_stream_socket

Accept connection from client socket.

add_name

dir

Add a name.

append

blk_file , chr_file , dir , fifo_file , file , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Write or append file or socket contents.

associate

filesystem , ipc , msgq , sem , shm

Associate a file or key with a filesystem, queue, semaphore set, or memory segment.

avc_toggle

system

Toggle between permissive and enforcing modes.

bdflush

system

Control the buffer-dirty-flush daemon.

bind

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Bind name to socket.

change_sid

security

Determine the SID of an object during relabeling.

check_context

security

Write context in selinuxfs filesystem.

chfn

passwd

Change user account information (real name, work room and phone, and home phone).

chown

capability

Change file ownership and group ownership.

chsh

passwd

Change login shell.

compute_av

security

Compute an access vector given a source, target, and class.

compute_create

security

Set create information in selinuxfs filesystem.

compute_member

security

Set member information in selinuxfs filesystem.

compute_relabel

security

Set relabel information in selinuxfs filesystem.

compute_user

security

Set user information in selinuxfs filesystem.

connect

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Initiate connection.

connectto

tcp_socket , unix_stream_socket

Connect to server socket.

context_to_sid

security

Convert a context to an SID.

create

blk_file , chr_file , dir , fifo_file , file , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Create new file, IPC object, queue, semaphore set, or shared memory segment.

dac_override

capability

Override discretionary access control except LINUX_IMMUTABLE .

dac_read_search

capability

Overrides all discretionary access control.

destroy

ipc , msgq , sem , shm

Destroy IPC object, message queue, semaphore set, or shared memory segment.

enforce_dest

node

Destination node can enforce restrictions on the destination socket.

enqueue

msgq

Message may reside on queue.

entrypoint

file

Enter a new domain via this program.

execute

blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file

Execute.

execute_no_trans

file

Execute file without a domain transition.

fork

process

Fork into two processes.

fowner

capability

Grant file operations otherwise restricted due to ownership.

fsetid

capability

overrides effective user ID checks for set user ID and set group ID files

get_sids , get_user_sids

security

Get the list of active SIDs.

getattr

blk_file , chr_file , dir , fifo_file , file , filesystem , ipc , key_socket , lnk_file , msgq , netlink_socket , packet_socket , process , rawip_socket , sem , shm , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Get file, process, message queue, or shared memory segment attributes.

getcap

process

Get process capabilities.

getopt

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Get socket options.

getpgid

process

Get process group ID.

getsched

process

Get process priority.

getsession

process

Get session ID.

ioctl

I/O control system call requests not addressed by other permissions.

ipc_info

system

Get information for an IPC socket.

ipc_lock

capability

Lock nonshared and shared memory segments.

ipc_owner

capability

Ignore IPC ownership checks.

kill

capability

Raise signal any process.

lease

capability

Take fcntl( ) leases on a file.

link

blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file

Create hard link to file.

linux_immutable

capability

Modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems.

listen

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Listen for connections.

load_policy

security

Load the security policy.

lock

blk_file , chr_file , dir , fifo_file , file , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sh , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket, unix_stream_socket

Set and unset file or memory page locks.

member_sid

security

Determine SID to use when selecting a member of a polyinstantiated object .

mknod

capability

Create character or block device nodes.

mount

filesystem

Mount a filesystem.

mounton

blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file

Use as filesystem mount point.

name_bind

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Bind port to IP or file to Unix socket.

net_admin

capability

Network configuration changes.

net_bind_service

capability

Bind to privileged port.

net_raw

capability

Open raw socket or packet socket.

netbroadcast

capability

Send network broadcast or listen to incoming multicasts.

newconn

tcp_socket , unix_stream_socket

Create new socket for connection.

nfsd_control

system

Control the NFS server.

noatsecure

process

Allow GLibc secure mode.

node_bind

rawip_socket , tcp_socket , udp_socket

Bind socket.

passwd

Change user password.

ptrace

process

Trace program execution of parent or child.

quotaget

filesystem

Get quota information.

quotamod

filesystem

Modify quota information.

quotaon

blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file

Enable quotas.

rawip_recv

netif , node

Receive raw IP packet.

rawip_send

netif , node

Send raw IP packet.

read

Read file, IPC, message queue, or shared memory segment contents.

receive

msg

Remove message from a queue.

recv_msg

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Receive datagram message having SID unequal to socket.

recvfrom

key_socket , netlink_socket , packet_socket , rawip-socket , socket , tcp_socket , udp-socket , unix_dgram_socket , unix_stream_socket

Receive datagrams from socket.

relabelfrom

blk_file , chr_file , dir , fifo_file , file , filesystem , key_socket , lnk_file , netlink_socket , packet_socket , rawip_socket , sock_file , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Change the security context based on existing type.

relabelto

Change the security context based on the new type.

remount

filesystem

Change mounted filesystem options.

remove_name

dir

Remove a name.

rename

blk_file, chr_file , dir , fifo_file , lnk_file , sock_file

Rename a hard link.

reparent

dir

Change parent directory.

rlimitinh

process

Inherit resource limits from old SID.

rmdir

dir

Remove directory.

rootok

passwd

Update password if the user is root and the process has the rootok permission.

search

dir

Search directory.

send

msg

Add message to a queue.

send_msg

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Send datagram message having SID unequal to that of sending socket.

sendto

key_socket, netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Send datagrams to socket.

setattr

Change attributes of file, shared memory segment, or message queue.

setbool

security

Set a boolean value.

setcap

process

Set process capabilities.

setenforce

security

Change the SELinux enforcement mode.

setfscreate

process

Set fscreate context.

setgid

capability

Allow setgid( ) calls, and fake group IDs on credentials passed over a socket.

setopt

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Set IPSec or socket options socket.

setpcap

capability

Transfer process capability map.

setpgid

process

Set process group ID.

setrlimit

process

Change process hard limits.

setsched

process

Set process priority.

setuid

capability

Allow setsuid( ) and fake UIDs on credentials passed over a socket.

share

process

Allow state sharing with cloned or forked process.

shutdown

key_socket , netlink_socket , packet_socket , rawip_socket , socket , tcp_socket , udp_socket , unix_dgram_socket , unix_stream_socket

Shutdown connection.

sid_to_context

security

Convert a SID to a context.

sigchld

process

Send SIGCHLD signal.

siginh

process

Inherit signal state from old SID.

sigkill

process

Send SIGKILL signal.

signal

process

Send a signal other than SIGKILL , SIGSTOP , or SIGCHLD .

signull

process

Test for existence of another process without sending a signal.

sigstop

process

Send SIGSTOP signal.

swapon

blk_file , chr_file , dir , fifo_file , lnk_file , sock_file

Allow file to be used for swap space.

sys_admin

capability

Various system capabilities (see /usr/include/linux/capability.h).

sys_boot

capability

Reboot the system.

sys_chroot

capability

Use chroot( ) .

sys_module

capability

Load and remove kernel modules and otherwise modify kernel.

sys_nice

capability

Change process priority and scheduling options.

sys_pacct

capability

Change process accounting state.

sys_ptrace

capability

Trace any process.

sys_rawio

capability

Perform raw I/O.

sys_resource

capability

Various capabilities (see /usr/include/linux/capability.h).

sys_time

capability

Set system time and real-time clock.

sys_tty_config

capability

Configure tty devices.

syslog_console

system

Log to syslog console.

syslog_mod

system

Perform syslog operation other than reading syslog or logging to console.

syslog_read

system

Read syslog

tcp_recv

netif , node

Receive TCP packet.

tcp_send

netif , node

Send TCP packet.

transition

filesystem , process

Transition to a new SID.

transition_sid

security

Determine SID for a new object.

udp_recv

netif , node

Receive UDP packet.

udp_send

netif , node

Send UDP packet.

unix_read

ipc , msgq , sem , shm

Perform IPC read.

unix_write

ipc , msgq , sem , shm

Perform IPC write or append.

unlink

blk_file , chr_file , dir , fifo_file , file , lnk_file , sock_file

Remove (delete) hard link.

unmount

filesystem

Unmount filesystem.

use

fd

Use an inherited file descriptor.

write

Write or append file or IPC object contents.