Table B-1 summarizes SELinux operations, identifying the object classes each operation is associated with and briefly describing what each operation does. In future SELinux releases, SELinux developers may change the roster of operations, associate operations with object classes differently, or modify the function performed by an operation. The table is sorted alphabetically by the name of the operation. The SELinux file src/policy/flask/access_vectors shows the relationship between object classes and operations and is sorted by object class.
Table B-1. SELinux operations
| Operation | Object classes | Description |
|---|---|---|
| | | Accept a connection. |
| | | Accept connection from client socket. |
| | | Add a name. |
| | | Write or append file or socket contents. |
| | | Associate a file or key with a filesystem, queue, semaphore set, or memory segment. |
| | | Toggle between permissive and enforcing modes. |
| | | Control the buffer-dirty-flush daemon. |
| | | Bind name to socket. |
| | | Determine the SID of an object during relabeling. |
| | | Write context in |
| | | Change user account information (real name, work room and phone, and home phone). |
| | | Change file ownership and group ownership. |
| | | Change login shell. |
| | | Compute an access vector given a source, target, and class. |
| | | Set create information in |
| | | Set member information in |
| | | Set relabel information in |
| | | Set user information in |
| | | Initiate connection. |
| | | Connect to server socket. |
| | | Convert a context to an SID. |
| | | Create new file, IPC object, queue, semaphore set, or shared memory segment. |
| | | Override discretionary access control except |
| | | Override all discretionary access control. |
| | | Destroy IPC object, message queue, semaphore set, or shared memory segment. |
| | | Destination node can enforce restrictions on the destination socket. |
| | | Message may reside on queue. |
| | | Enter a new domain via this program. |
| | | Execute. |
| | | Execute file without a domain transition. |
| | | Fork into two processes. |
| | | Grant file operations otherwise restricted due to ownership. |
| | | Override effective user ID checks for set-user-ID and set-group-ID files. |
| | | Get the list of active SIDs. |
| | | Get file, process, message queue, or shared memory segment attributes. |
| | | Get process capabilities. |
| | | Get socket options. |
| | | Get process group ID. |
| | | Get process priority. |
| | | Get session ID. |
| | | I/O control system call requests not addressed by other permissions. |
| | | Get information for an IPC socket. |
| | | Lock nonshared and shared memory segments. |
| | | Ignore IPC ownership checks. |
| | | Raise a signal in any process. |
| | | Take |
| | | Create hard link to file. |
| | | Modify |
| | | Listen for connections. |
| | | Load the security policy. |
| | | Set and unset file or memory page locks. |
| | | Determine SID to use when selecting a member of a polyinstantiated object. |
| | | Create character or block device nodes. |
| | | Mount a filesystem. |
| | | Use as filesystem mount point. |
| | | Bind port to IP or file to Unix socket. |
| | | Make network configuration changes. |
| | | Bind to privileged port. |
| | | Open raw socket or packet socket. |
| | | Send network broadcast or listen to incoming multicasts. |
| | | Create new socket for connection. |
| | | Control the NFS server. |
| | | Allow glibc secure mode. |
| | | Bind socket. |
| | | Change user password. |
| | | Trace program execution of parent or child. |
| | | Get quota information. |
| | | Modify quota information. |
| | | Enable quotas. |
| | | Receive raw IP packet. |
| | | Send raw IP packet. |
| | | Read file, IPC, message queue, or shared memory segment contents. |
| | | Remove message from a queue. |
| | | Receive datagram message having SID unequal to that of the socket. |
| | | Receive datagrams from socket. |
| | | Change the security context based on existing type. |
| | | Change the security context based on the new type. |
| | | Change mounted filesystem options. |
| | | Remove a name. |
| | | Rename a hard link. |
| | | Change parent directory. |
| | | Inherit resource limits from old SID. |
| | | Remove directory. |
| | | Update password if the user is |
| | | Search directory. |
| | | Add message to a queue. |
| | | Send datagram message having SID unequal to that of sending socket. |
| | | Send datagrams to socket. |
| | | Change attributes of file, shared memory segment, or message queue. |
| | | Set a boolean value. |
| | | Set process capabilities. |
| | | Change the SELinux enforcement mode. |
| | | Set |
| | | Allow |
| | | Set IPSec or socket options on a socket. |
| | | Transfer process capability map. |
| | | Set process group ID. |
| | | Change process hard limits. |
| | | Set process priority. |
| | | Allow |
| | | Allow state sharing with cloned or forked process. |
| | | Shut down connection. |
| | | Convert an SID to a context. |
| | | Send |
| | | Inherit signal state from old SID. |
| | | Send |
| | | Send a signal other than |
| | | Test for existence of another process without sending a signal. |
| | | Send |
| | | Allow file to be used for swap space. |
| | | Various system capabilities (see |
| | | Reboot the system. |
| | | Use |
| | | Load and remove kernel modules and otherwise modify kernel. |
| | | Change process priority and scheduling options. |
| | | Change process accounting state. |
| | | Trace any process. |
| | | Perform raw I/O. |
| | | Various capabilities (see |
| | | Set system time and real-time clock. |
| | | Configure tty devices. |
| | | Log to |
| | | Perform |
| | | Read |
| | | Receive TCP packet. |
| | | Send TCP packet. |
| | | Transition to a new SID. |
| | | Determine SID for a new object. |
| | | Receive UDP packet. |
| | | Send UDP packet. |
| | | Perform IPC read. |
| | | Perform IPC write or append. |
| | | Remove (delete) hard link. |
| | | Unmount filesystem. |
| | | Use an inherited file descriptor. |
| | | Write or append file or IPC object contents. |