# Copyright (c) 1999, 2000 The University of Utah and the Flux Group.
# All rights reserved.
# 
# Contributed by the Computer Security Research division,
# INFOSEC Research and Technology Office, NSA.
# 
# This file is part of the Flux OSKit.  The OSKit is free software, also known
# as "open source;" you can redistribute it and/or modify it under the terms
# of the GNU General Public License (GPL), version 2, as published by the Free
# Software Foundation (FSF).  To explore alternate licensing terms, contact
# the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271.
# 
# The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GPL for more details.  You should have
# received a copy of the GPL along with the OSKit; see the file COPYING.  If
# not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA.

#
# Define common prefixes for access vectors.  A common prefix is a named
# permission set that a class may inherit (see "class ... inherits ..." below).
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

#
# Permission names shared by every class declared "inherits file" below
# (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file, pipe).
# By name the set covers data access (read, write, append, execute),
# metadata (getattr, setattr, pathconf, access), namespace changes (create,
# unlink, link, rename), locking, and label changes (relabelfrom,
# relabelto, transition); the exact semantics of each are fixed by the
# object managers that enforce them, not by this file.
# NOTE(review): Flask-style policy compilers derive access-vector bit
# positions from declaration order, so the order below is part of the
# compiled interface -- append new permissions rather than inserting them;
# confirm against the compiler used for this policy.
#
common file
{
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	transition
	append
	access
	unlink
	link
	rename
	execute
	pathconf
}


#
# Define a common prefix for socket access vectors.
#

#
# Permission names shared by every class declared "inherits socket" below
# (socket, tcp_socket, udp_socket, rawip_socket, netlink_socket,
# packet_socket, unix_stream_socket, unix_dgram_socket).
# The first nine names (read .. transition) match the start of "common file";
# the remainder are socket-specific by name (bind, connect, getopt, setopt,
# shutdown, recvfrom, sendto, recv_msg, send_msg, name_bind).
# NOTE(review): as with "common file", declaration order is presumably the
# access-vector bit order -- append new permissions at the end.
#
common socket
{
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	transition
	bind
	connect
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}	


#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# The brace list may be omitted when a class adds nothing beyond its common
# prefix (e.g. "class file inherits file" below).


#
# Define the access vector interpretation for file-related objects.
#

#
# Whole-filesystem operations; this class does not inherit a common prefix.
# mount/remount/unmount and getattr are self-describing; relabelfrom,
# relabelto and transition mirror the label-change names in "common file".
# NOTE(review): associate and lookupi are not explained anywhere in this
# file -- presumably associating objects with the filesystem and a
# SID-based lookup; verify against the security server before relying on
# either in a policy rule.
#
class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
	lookupi
}

#
# Directories: all of "common file" plus directory-only operations.
# add_name/remove_name/reparent/search/rmdir name directory-entry changes
# and lookup; mounton and mountassociate name mount-point operations
# (compare mount/associate in class filesystem).
#
class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	mounton
	mountassociate
}

#
# File-like classes that carry exactly the "common file" permissions and add
# none of their own (hence no brace list).  The class named "file" and the
# common named "file" are distinct namespaces, so "class file inherits file"
# is not self-referential.
#
class file
inherits file

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class pipe
inherits file


#
# File descriptors; no common prefix.  inherit and receive are the
# descriptor-specific names (presumably inheritance across a process
# transition and receipt via message passing -- verify against the object
# manager); create/getattr/setattr match the names used in "common file".
#
class fd
{
	create
	getattr
	setattr
	inherit
	receive
}


#
# Define the access vector interpretation for network-related objects.
#

#
# Generic socket: exactly the "common socket" permissions, nothing added.
#
class socket
inherits socket

#
# TCP sockets: "common socket" plus the connection-oriented names
# (connectto, listen, accept, newconn, acceptfrom).  The same five names are
# declared, in the same order, for unix_stream_socket below; keep the two
# lists in step if either is changed.
#
class tcp_socket
inherits socket
{
	connectto
	listen
	accept
	newconn
	acceptfrom
}

#
# Datagram and raw IP sockets: exactly the "common socket" permissions.
#
class udp_socket
inherits socket

class rawip_socket
inherits socket

#
# Network nodes (hosts/addresses); no common prefix.  The tcp/udp/rawip
# recv/send names are the same six as in class netif below.  enforce_dest
# is unique to this class and is not explained in this file -- presumably a
# check on the destination node of outgoing traffic; verify against the
# network object manager.
#
class node 
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

#
# Network interfaces; no common prefix.  getattr/setattr plus the same six
# tcp/udp/rawip recv/send names as class node (without enforce_dest).
#
class netif
{
	getattr
	setattr
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

#
# Netlink and packet sockets: exactly the "common socket" permissions.
#
class netlink_socket
inherits socket

class packet_socket
inherits socket

#
# Unix stream sockets: "common socket" plus the same five connection-
# oriented names declared for tcp_socket above (connectto, listen, accept,
# newconn, acceptfrom), in the same order.
#
class unix_stream_socket
inherits socket
{
	connectto
	listen
	accept
	newconn
	acceptfrom
}

#
# Unix datagram sockets: exactly the "common socket" permissions.
#
class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

#
# Processes; no common prefix.  execute/fork/transition cover program
# execution and domain change; sigkill/sigstop/signal cover signal delivery
# (the two named signals are separated from the generic "signal" so they
# can be granted independently); chroot and setid name privilege-affecting
# operations and warrant a restrictive allocation in the policy rules.
#
class process
{
	execute
	fork
	transition
	sigkill
	sigstop
	signal
	chroot
	setid
}


#
# Define the access vector interpretation for the security server. 
#

#
# Operations on the security server itself; no common prefix.
# compute_av, notify_perm, transition_sid, member_sid, sid_to_context,
# context_to_sid and get_sids name query/labelling interfaces;
# load_policy and register_avc name control interfaces.
# NOTE(review): load_policy replaces the enforced policy and register_avc
# attaches an access-vector cache, so any domain granted either effectively
# controls enforcement -- policy rules should confine these to a minimal
# policy-administration domain and audit their use.
#
class security
{
	compute_av
	notify_perm
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	register_avc
}


#
# Define the access vector interpretation for system operations.
#

#
# System-wide operations; no common prefix.  reboot plus control of the
# network I/O, routing, ARP and RARP subsystems (by name).
#
class system
{
	reboot
	net_io_control
	route_control
	arp_control
	rarp_control
}


#
# Define the access vector interpretation for subjects.
#
 
#
# Subjects (OSKit/Flask subjects rather than Unix processes); no common
# prefix.  Beyond read/write/execute the names cover object creation
# (create_object), endpoint specification (specify_client, specify_server),
# IPC (connect, call, send), scheduling and task control (thread_scheduler,
# task_keeper) and memory mapping (map).
# NOTE(review): this block is indented with spaces where the rest of the
# file uses tabs; harmless to the policy but worth normalising separately.
#
class subject  
{
        read
        write  
        execute
        create_object
        specify_client
        specify_server
        connect
        call
        send
        thread_scheduler
        task_keeper
        map
}
 
 
#
# Define the access vector interpretation for the AVC.
#
 
#
# Operations on the access vector cache (AVC); no common prefix.
# grant/try_revoke/revoke/reset name cache-entry manipulation;
# set_auditallow/set_auditdeny name changes to what the AVC audits.
# NOTE(review): a domain holding grant or set_auditdeny can alter
# enforcement decisions or suppress their audit trail, so these belong with
# the security-server control permissions in a tightly confined domain.
#
class avc
{
        grant
        try_revoke
        revoke
        reset
        set_auditallow
        set_auditdeny
}
 
 
#
# Define the access vector interpretation for mempools and segments.
#
 
#
# Memory segments and mempools; no common prefix.  segment_* names cover a
# segment's lifecycle, mapping, sizing and copying; mempool_* names cover
# pool lifecycle, sub-pool/segment membership and ticket accounting;
# segment_associate/subpool_associate name association with a pool
# (compare associate in class filesystem).
#
class memory
{
        segment_create
        segment_destroy
        segment_map
        segment_getsize
        segment_setsize
        segment_createcopy
        mempool_create
        mempool_destroy
        mempool_addsubpool
        mempool_addsegment
        mempool_gettickets
        mempool_settickets
        segment_associate
        subpool_associate
}