2005-04-17 06:20:36 +08:00
|
|
|
/* This file is automatically generated. Do not edit. */
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
|
|
|
|
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
|
|
|
|
S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
|
|
|
|
S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
|
|
|
|
S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
|
|
|
|
S_(SECCLASS_DIR, DIR__SEARCH, "search")
|
|
|
|
S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
|
2008-02-29 01:58:40 +08:00
|
|
|
S_(SECCLASS_DIR, DIR__OPEN, "open")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
|
|
|
S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
|
|
|
|
S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
|
2008-02-29 01:58:40 +08:00
|
|
|
S_(SECCLASS_FILE, FILE__OPEN, "open")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
|
|
|
S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
|
|
|
|
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
|
2008-02-29 01:58:40 +08:00
|
|
|
S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
|
|
|
|
S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
|
|
|
|
S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_FD, FD__USE, "use")
|
|
|
|
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
|
|
|
|
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
|
|
|
|
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
|
|
|
|
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
|
|
|
|
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
|
|
|
|
S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
|
|
|
|
S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
|
|
|
|
S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
|
|
|
|
S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
|
|
|
|
S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
|
|
|
|
S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
|
|
|
|
S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
|
|
|
|
S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
|
|
|
|
S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
|
2006-11-14 08:09:01 +08:00
|
|
|
S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
|
|
|
|
S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
|
2008-01-29 21:38:21 +08:00
|
|
|
S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
|
|
|
|
S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
|
2006-11-14 08:09:01 +08:00
|
|
|
S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
|
2008-01-29 21:38:21 +08:00
|
|
|
S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
|
|
|
|
S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
|
|
|
|
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
|
|
|
|
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
|
|
|
|
S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
|
2005-06-26 05:54:34 +08:00
|
|
|
S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
|
2005-06-26 05:54:35 +08:00
|
|
|
S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
|
2006-06-26 15:24:57 +08:00
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
|
2006-06-26 15:26:03 +08:00
|
|
|
S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
|
|
|
|
S_(SECCLASS_MSG, MSG__SEND, "send")
|
|
|
|
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
|
|
|
|
S_(SECCLASS_SHM, SHM__LOCK, "lock")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
|
|
|
|
S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
|
|
|
|
S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
|
|
|
|
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
|
|
|
|
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
|
|
|
|
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
|
2005-04-17 06:24:13 +08:00
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
|
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
|
2008-02-08 00:21:04 +08:00
|
|
|
S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
|
|
|
|
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
|
|
|
|
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
|
|
|
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
|
|
|
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
|
|
|
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
|
|
|
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
[PATCH] SELinux: add finer grained permissions to Netlink audit processing
This patch provides finer grained permissions for the audit family of
Netlink sockets under SELinux.
1. We need a way to differentiate between privileged and unprivileged
reads of kernel data maintained by the audit subsystem. The AUDIT_GET
operation is unprivileged: it returns the current status of the audit
subsystem (e.g. whether it's enabled etc.). The AUDIT_LIST operation
however returns a list of the current audit ruleset, which is considered
privileged by the audit folk. To deal with this, a new SELinux
permission has been implemented and applied to the operation:
nlmsg_readpriv, which can be allocated to appropriately privileged
domains. Unprivileged domains would only be allocated nlmsg_read.
2. There is a requirement for certain domains to generate audit events
from userspace. These events need to be collected by the kernel,
collated and transmitted sequentially back to the audit daemon. An
example is user level login, an auditable event under CAPP, where
login-related domains generate AUDIT_USER messages via PAM which are
relayed back to auditd via the kernel. To prevent handing out
nlmsg_write permissions to such domains, a new permission has been
added, nlmsg_relay, which is intended for this type of purpose: data is
passed via the kernel back to userspace but no privileged information is
written to the kernel.
Also, AUDIT_LOGIN messages are now valid only for kernel->user messaging,
so this value has been removed from the SELinux nlmsgtab (which is only
used to check user->kernel messages).
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-05-01 23:58:40 +08:00
|
|
|
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
|
|
|
|
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
|
2005-04-17 06:20:36 +08:00
|
|
|
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
|
|
|
|
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
2005-04-17 06:24:13 +08:00
|
|
|
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
|
|
|
|
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
|
2006-01-07 05:22:39 +08:00
|
|
|
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
|
[MLSXFRM]: Granular IPSec associations for use in MLS environments
The current approach to labeling Security Associations for SELinux
purposes uses a one-to-one mapping between xfrm policy rules and
security associations.
This doesn't address the needs of real world MLS (Multi-level System,
traditional Bell-LaPadula) environments where a single xfrm policy
rule (pertaining to a range, classified to secret for example) might
need to map to multiple Security Associations (one each for
classified, secret, top secret and all the compartments applicable to
these security levels).
This patch set addresses the above problem by allowing for the mapping
of a single xfrm policy rule to multiple security associations, with
each association used in the security context it is defined for. It
also includes the security context to be used in IKE negotiation in
the acquire messages sent to the IKE daemon so that a unique SA can be
negotiated for each unique security context. A couple of bug fixes are
also included; checks to make sure the SAs used by a packet match
policy (security context-wise) on the inbound and also that the bundle
used for the outbound matches the security context of the flow. This
patch set also makes the use of the SELinux sid in flow cache lookups
seemless by including the sid in the flow key itself. Also, open
requests as well as connection-oriented child sockets are labeled
automatically to be at the same level as the peer to allow for use of
appropriately labeled IPSec associations.
Description of changes:
A "sid" member has been added to the flow cache key resulting in the
sid being available at all needed locations and the flow cache lookups
automatically using the sid. The flow sid is derived from the socket
on the outbound and the SAs (unlabeled where an SA was not used) on
the inbound.
Outbound case:
1. Find policy for the socket.
2. OLD: Find an SA that matches the policy.
NEW: Find an SA that matches BOTH the policy and the flow/socket.
This is necessary since not every SA that matches the policy
can be used for the flow/socket. Consider policy range Secret-TS,
and SAs each for Secret and TS. We don't want a TS socket to
use the Secret SA. Hence the additional check for the SA Vs. flow/socket.
3. NEW: When looking thru bundles for a policy, make sure the
flow/socket can use the bundle. If a bundle is not found,
create one, calling for IKE if necessary. If using IKE,
include the security context in the acquire message to the IKE
daemon.
Inbound case:
1. OLD: Find policy for the socket.
NEW: Find policy for the incoming packet based on the sid of the
SA(s) it used or the unlabeled sid if no SAs were
used. (Consider a case where a socket is "authorized" for two
policies (unclassified-confidential, secret-top_secret). If the
packet has come in using a secret SA, we really ought to be
using the latter policy (secret-top_secret).)
2. OLD: BUG: No check to see if the SAs used by the packet agree with
the policy sec_ctx-wise.
(It was indicated in selinux_xfrm_sock_rcv_skb() that
this was being accomplished by
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok,
but it turns out tmpl->id.spi
would normally be zero (unless xfrm policy rules specify one
at the template level, which they usually don't).
NEW: The socket is checked for access to the SAs used (based on the
sid of the SAs) in selinux_xfrm_sock_rcv_skb().
Forward case:
This would be Step 1 from the Inbound case, followed by Steps 2 and 3
from the Outbound case.
Outstanding items/issues:
- Timewait acknowledgements and such are generated in the
current/upstream implementation using a NULL socket resulting in the
any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed
by this patch set.
This patch: Add new flask definitions to SELinux
Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm
policy rule.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-07-25 14:26:30 +08:00
|
|
|
S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
|
2006-06-09 15:27:28 +08:00
|
|
|
S_(SECCLASS_PACKET, PACKET__SEND, "send")
|
|
|
|
S_(SECCLASS_PACKET, PACKET__RECV, "recv")
|
|
|
|
S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
|
2008-01-29 21:38:21 +08:00
|
|
|
S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
|
|
|
|
S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
|
|
|
|
S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
|
|
|
|
S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
|
2006-06-23 05:47:17 +08:00
|
|
|
S_(SECCLASS_KEY, KEY__VIEW, "view")
|
|
|
|
S_(SECCLASS_KEY, KEY__READ, "read")
|
|
|
|
S_(SECCLASS_KEY, KEY__WRITE, "write")
|
|
|
|
S_(SECCLASS_KEY, KEY__SEARCH, "search")
|
|
|
|
S_(SECCLASS_KEY, KEY__LINK, "link")
|
|
|
|
S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
|
2006-06-26 15:24:57 +08:00
|
|
|
S_(SECCLASS_KEY, KEY__CREATE, "create")
|
2006-11-14 08:09:01 +08:00
|
|
|
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
|
|
|
|
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
|
2007-06-29 03:55:21 +08:00
|
|
|
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
|
2008-01-29 21:38:21 +08:00
|
|
|
S_(SECCLASS_PEER, PEER__RECV, "recv")
|