SELinux Object Classes and Permissions Reference
This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).
The document has the following caveats:
- The permission descriptions only give a general idea of the purpose of each permission; a permission may mediate many operations.
- Since SELinux development is ongoing, this document may be incomplete or inaccurate.
Common Permission Sets
common database

| Permission | Description |
|---|---|
| create | Create a new database object. |
| drop | Remove a database object. |
| getattr | Get the attributes of a database object. |
| setattr | Set the attributes of a database object. |
| relabelfrom | Change the security context based on existing type. |
| relabelto | Change the security context based on the new type. |

common file

| Permission | Description |
|---|---|
| getattr | Get file attributes for file, such as access mode (e.g. stat, some ioctls, ...). |
| relabelto | Relabel to new security context. |
| unlink | Remove hard link (delete). |
| ioctl | IO control system call requests not addressed by other permissions. |
| execute | Execute. |
| append | Append file contents, i.e. opened with O_APPEND flag. |
| read | Read file contents. |
| setattr | Change file attributes for file, such as access mode (e.g. chmod, some ioctls, ...). |
| swapon | Allows file to be used for paging/swapping space. |
| write | Write or append file contents. |
| lock | Set and unset file locks. |
| create | Create new file. |
| rename | Rename a hard link. |
| mounton | Use as mount point; only useful for directories and files in Linux. |
| quotaon | Enabling quotas. |
| relabelfrom | Relabel from old security context. |
| link | Create hard link to file. |

common ipc

| Permission | Description |
|---|---|
| write | Write or append. |
| destroy | Destroy. |
| unix_write | Write or append; required by IPC operations. |
| getattr | Get file attributes, such as access mode (e.g. stat, some ioctls, ...). |
| create | Create. |
| read | Read. |
| setattr | Change file attributes for shared memory segment, such as access mode (e.g. chmod, some ioctls, ...). |
| unix_read | Read; required by IPC operations. |
| associate | Associate a key. |

common socket

| Permission | Description |
|---|---|
| append | Write or append socket file contents. |
| relabelfrom | Change the security context based on existing type. |
| create | Create new socket file. |
| read | Read socket file contents. |
| sendto | Send datagrams to socket. |
| connect | Initiate connection. |
| recvfrom | Receive datagrams from socket. |
| send_msg | Send datagram message; implicitly granted if the message SID is equal to the sending socket SID. |
| bind | Bind name. |
| lock | Set and unset socket file locks. |
| ioctl | IO control system call requests not addressed by other permissions. |
| getattr | Get file attributes for socket file, such as access mode (e.g. stat, some ioctls, ...). |
| write | Write or append socket file contents. |
| setopt | Set socket options. |
| getopt | Get socket options. |
| listen | Listen for connections. |
| setattr | Change file attributes for file, such as access mode (e.g. chmod, some ioctls). |
| shutdown | Shutdown connection. |
| relabelto | Change the security context based on the new type. |
| recv_msg | Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID. |
| accept | Accept a connection. |
| name_bind | Use port or file; for AF_INET sockets, controls the relationship between a socket and its port number; for AF_UNIX sockets, controls the relationship between a socket and its file. |

common x_device

| Permission | Description |
|---|---|
| getattr | |
| setattr | |
| use | |
| read | |
| write | |
| getfocus | |
| setfocus | |
| bell | |
| force_cursor | |
| freeze | |
| grab | |
| manage | |
| list_property | |
| get_property | |
| set_property | |
| add | |
| remove | |

Kernel Object Classes
appletalk_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.18+ |
| relabelfrom | see common socket:relabelfrom | 2.6.18+ |
| create | see common socket:create | 2.6.18+ |
| read | see common socket:read | 2.6.18+ |
| sendto | see common socket:sendto | 2.6.18+ |
| connect | see common socket:connect | 2.6.18+ |
| recvfrom | see common socket:recvfrom | 2.6.18+ |
| send_msg | see common socket:send_msg | 2.6.18+ |
| bind | see common socket:bind | 2.6.18+ |
| lock | see common socket:lock | 2.6.18+ |
| ioctl | see common socket:ioctl | 2.6.18+ |
| getattr | see common socket:getattr | 2.6.18+ |
| write | see common socket:write | 2.6.18+ |
| setopt | see common socket:setopt | 2.6.18+ |
| getopt | see common socket:getopt | 2.6.18+ |
| listen | see common socket:listen | 2.6.18+ |
| setattr | see common socket:setattr | 2.6.18+ |
| shutdown | see common socket:shutdown | 2.6.18+ |
| relabelto | see common socket:relabelto | 2.6.18+ |
| recv_msg | see common socket:recv_msg | 2.6.18+ |
| accept | see common socket:accept | 2.6.18+ |
| name_bind | see common socket:name_bind | 2.6.18+ |

association

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| sendto | Send to an IPSEC association. | 2.6.12+ |
| recvfrom | Receive from an IPSEC association. | 2.6.12+ |
| setcontext | Set the context of an IPSEC association on creation. | 2.6.16+ |
| polmatch | Match an IPSEC policy entry. | 2.6.19+ |

blk_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| open | Open a block device file. | 2.6.26+ / open_perms |

capability

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| chown | Allow changing file ownership and group ownership. | |
| dac_override | Overrides all discretionary access control including ACL execute access if applicable. This does not include the access covered by LINUX_IMMUTABLE. | |
| dac_read_search | Overrides all discretionary access control for reading and searching directories. | |
| fowner | Grant all file operations otherwise restricted due to different ownership except where FSETID capability is applicable. DAC and MAC accesses are not overridden. | |
| fsetid | Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. | |
| kill | Allow signal raising for any process. | |
| setgid | Allow setgid(2), allow setgroups(2), allow fake gids on credentials passed over a socket. | |
| setuid | Allow all setuid(2) type calls including fsuid. Allow passing of forged pids on credentials passed over a socket. | |
| setpcap | Transfer capability maps from current process to any process. | |
| linux_immutable | Grant privilege to modify S_IMMUTABLE and S_APPEND file attributes on supporting filesystems. | |
| net_bind_service | Allow low port binding. Port < 1024 for TCP/UDP. VCI < 32 for ATM. | |
| net_broadcast | Grant network broadcasting and listening to incoming multicasts. | |
| net_admin | Allows all networking configurations and modifications. See linux/capability.h for details. | |
| net_raw | Allows opening of raw sockets and packet sockets. | |
| ipc_lock | Grants the capability to lock non-shared and shared memory segments. | |
| ipc_owner | Grant the ability to ignore IPC ownership checks. | |
| sys_module | Allow unrestricted kernel modification including but not limited to loading and removing kernel modules. Allows modification of the kernel's bounding capability mask. See sysctl. | |
| sys_rawio | Grant permission to use ioperm(2) and iopl(2) as well as the ability to send messages to USB devices via /proc/bus/usb. | |
| sys_chroot | Grant use of the chroot(2) call. | |
| sys_ptrace | Allow a ptrace of any process. | |
| sys_pacct | Allow modification of accounting for any process. | |
| sys_admin | Too many to list here (see /usr/include/linux/capability.h). | |
| sys_boot | Grant ability to reboot the system. | |
| sys_nice | Grants privilege to change priority of any process. Grants change of scheduling algorithm used by any process. | |
| sys_resource | Too many to list here (see /usr/include/linux/capability.h for details). | |
| sys_time | Grant permission to set system time and to set the real-time clock. | |
| sys_tty_config | Grant permission to configure tty devices. Allow vhangup(2) call on a tty. | |
| mknod | Grants permission to create character and block device nodes. | |
| lease | Grants ability to take leases on a file. For details on what leases are, see fcntl(2). | |
| audit_write | Send audit messages from user space. | 2.6.12+ |
| audit_control | Change auditing rules. Set login UID. | 2.6.12+ |
| setfcap | Set file capabilities. | 2.6.25+ |

capability2

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mac_override | Unused by SELinux. | 2.6.25+ |
| mac_admin | Unused by SELinux. | 2.6.25+ |

chr_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| execute_no_trans | Execute a file in the caller's domain. | 2.6.11+ |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | 2.6.11+ |
| execmod | Make executable a file mapping that has been modified by copy-on-write (text relocation). | 2.6.11+ |
| open | Open a character device file. | 2.6.26+ / open_perms |

dccp_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.20+ |
| relabelfrom | see common socket:relabelfrom | 2.6.20+ |
| create | see common socket:create | 2.6.20+ |
| read | see common socket:read | 2.6.20+ |
| sendto | see common socket:sendto | 2.6.20+ |
| connect | see common socket:connect | 2.6.20+ |
| recvfrom | see common socket:recvfrom | 2.6.20+ |
| send_msg | see common socket:send_msg | 2.6.20+ |
| bind | see common socket:bind | 2.6.20+ |
| lock | see common socket:lock | 2.6.20+ |
| ioctl | see common socket:ioctl | 2.6.20+ |
| getattr | see common socket:getattr | 2.6.20+ |
| write | see common socket:write | 2.6.20+ |
| setopt | see common socket:setopt | 2.6.20+ |
| getopt | see common socket:getopt | 2.6.20+ |
| listen | see common socket:listen | 2.6.20+ |
| setattr | see common socket:setattr | 2.6.20+ |
| shutdown | see common socket:shutdown | 2.6.20+ |
| relabelto | see common socket:relabelto | 2.6.20+ |
| recv_msg | see common socket:recv_msg | 2.6.20+ |
| accept | see common socket:accept | 2.6.20+ |
| name_bind | see common socket:name_bind | 2.6.20+ |
| connectto | Connect to server socket. | 2.6.20+ |
| newconn | Create new socket for connection. | 2.6.20+ |
| acceptfrom | Accept connection from client socket. | 2.6.20+ |
| node_bind | Ability to bind to a node. | 2.6.20+ |
| name_connect | Connect to a specific port number. | 2.6.20+ |

dir
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| search | Required on all ancestor directories of a file being accessed, similar to DAC +x permission. | |
| rmdir | Remove the directory. | |
| remove_name | Remove a file from the directory. | |
| reparent | Change parent directory. | |
| add_name | Add a file to the directory. | |
| open | Open a directory. | 2.6.26+ / open_perms |

fd

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| use | Permission to use an inherited file descriptor. | |

fifo_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| open | Open a FIFO. | 2.6.26+ / open_perms |

file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |
| execute_no_trans | Execute a file in the caller's domain. | |
| entrypoint | Can be executed as the entry point of the new domain in a transition. | |
| execmod | Make executable a file mapping that has been modified by copy-on-write (text relocation). | 2.6.11+ |
| open | Open a file. | 2.6.26+ / open_perms |

filesystem

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mount | Mount the filesystem. | |
| remount | Change filesystem mount flags. | |
| unmount | Unmount the filesystem. | |
| getattr | Get file attributes, such as access mode (e.g. stat, some ioctls, ...). | |
| relabelfrom | Change the security context based on existing type. | |
| relabelto | Change the security context based on the new type. | |
| transition | Transition to a new SID (change security context). | |
| associate | Associate a file to the filesystem. | |
| quotamod | Modify quota information. | |
| quotaget | Get quota information. | |

ipc
Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |

kernel_service

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| use_as_override | Grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process. | 2.6.29+ |
| create_files_as | Grant a process the right to nominate a file creation label for a kernel service to use. | 2.6.29+ |

key

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| view | | 2.6.18+ |
| read | | 2.6.18+ |
| write | | 2.6.18+ |
| search | | 2.6.18+ |
| link | | 2.6.18+ |
| setattr | | 2.6.18+ |
| create | | 2.6.18+ |

key_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

lnk_file
Inherits from: common file

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| getattr | see common file:getattr | |
| relabelto | see common file:relabelto | |
| unlink | see common file:unlink | |
| ioctl | see common file:ioctl | |
| execute | see common file:execute | |
| append | see common file:append | |
| read | see common file:read | |
| setattr | see common file:setattr | |
| swapon | see common file:swapon | |
| write | see common file:write | |
| lock | see common file:lock | |
| create | see common file:create | |
| rename | see common file:rename | |
| mounton | see common file:mounton | |
| quotaon | see common file:quotaon | |
| relabelfrom | see common file:relabelfrom | |
| link | see common file:link | |

memprotect

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| mmap_zero | Mmap the first page of memory. | 2.6.23+ |

msg

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| receive | Remove a message from a queue. | |
| send | Add a message to a queue. | |

msgq
Inherits from: common ipc

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| write | see common ipc:write | |
| destroy | see common ipc:destroy | |
| unix_write | see common ipc:unix_write | |
| getattr | see common ipc:getattr | |
| create | see common ipc:create | |
| read | see common ipc:read | |
| setattr | see common ipc:setattr | |
| unix_read | see common ipc:unix_read | |
| associate | see common ipc:associate | |
| enqueue | Message can be added to a queue. | |

netif

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| ingress | | 2.6.25+ / network_peer_controls |
| egress | | 2.6.25+ / network_peer_controls |

netlink_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | |
| relabelfrom | see common socket:relabelfrom | |
| create | see common socket:create | |
| read | see common socket:read | |
| sendto | see common socket:sendto | |
| connect | see common socket:connect | |
| recvfrom | see common socket:recvfrom | |
| send_msg | see common socket:send_msg | |
| bind | see common socket:bind | |
| lock | see common socket:lock | |
| ioctl | see common socket:ioctl | |
| getattr | see common socket:getattr | |
| write | see common socket:write | |
| setopt | see common socket:setopt | |
| getopt | see common socket:getopt | |
| listen | see common socket:listen | |
| setattr | see common socket:setattr | |
| shutdown | see common socket:shutdown | |
| relabelto | see common socket:relabelto | |
| recv_msg | see common socket:recv_msg | |
| accept | see common socket:accept | |
| name_bind | see common socket:name_bind | |

netlink_audit_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |
| nlmsg_relay | Send user space audit messages to the kernel audit system. | 2.6.12+ |
| nlmsg_readpriv | List all auditing rules. | 2.6.12+ |
| nlmsg_tty_audit | Control TTY auditing. | 2.6.30+ |

netlink_dnrt_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_firewall_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_ip6fw_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_kobject_uevent_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.12+ |
| relabelfrom | see common socket:relabelfrom | 2.6.12+ |
| create | see common socket:create | 2.6.12+ |
| read | see common socket:read | 2.6.12+ |
| sendto | see common socket:sendto | 2.6.12+ |
| connect | see common socket:connect | 2.6.12+ |
| recvfrom | see common socket:recvfrom | 2.6.12+ |
| send_msg | see common socket:send_msg | 2.6.12+ |
| bind | see common socket:bind | 2.6.12+ |
| lock | see common socket:lock | 2.6.12+ |
| ioctl | see common socket:ioctl | 2.6.12+ |
| getattr | see common socket:getattr | 2.6.12+ |
| write | see common socket:write | 2.6.12+ |
| setopt | see common socket:setopt | 2.6.12+ |
| getopt | see common socket:getopt | 2.6.12+ |
| listen | see common socket:listen | 2.6.12+ |
| setattr | see common socket:setattr | 2.6.12+ |
| shutdown | see common socket:shutdown | 2.6.12+ |
| relabelto | see common socket:relabelto | 2.6.12+ |
| recv_msg | see common socket:recv_msg | 2.6.12+ |
| accept | see common socket:accept | 2.6.12+ |
| name_bind | see common socket:name_bind | 2.6.12+ |

netlink_nflog_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_route_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_selinux_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |

netlink_tcpdiag_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

netlink_xfrm_socket
Inherits from: common socket

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| append | see common socket:append | 2.6.8+ |
| relabelfrom | see common socket:relabelfrom | 2.6.8+ |
| create | see common socket:create | 2.6.8+ |
| read | see common socket:read | 2.6.8+ |
| sendto | see common socket:sendto | 2.6.8+ |
| connect | see common socket:connect | 2.6.8+ |
| recvfrom | see common socket:recvfrom | 2.6.8+ |
| send_msg | see common socket:send_msg | 2.6.8+ |
| bind | see common socket:bind | 2.6.8+ |
| lock | see common socket:lock | 2.6.8+ |
| ioctl | see common socket:ioctl | 2.6.8+ |
| getattr | see common socket:getattr | 2.6.8+ |
| write | see common socket:write | 2.6.8+ |
| setopt | see common socket:setopt | 2.6.8+ |
| getopt | see common socket:getopt | 2.6.8+ |
| listen | see common socket:listen | 2.6.8+ |
| setattr | see common socket:setattr | 2.6.8+ |
| shutdown | see common socket:shutdown | 2.6.8+ |
| relabelto | see common socket:relabelto | 2.6.8+ |
| recv_msg | see common socket:recv_msg | 2.6.8+ |
| accept | see common socket:accept | 2.6.8+ |
| name_bind | see common socket:name_bind | 2.6.8+ |
| nlmsg_read | Read netlink message. | 2.6.8+ |
| nlmsg_write | Write netlink message. | 2.6.8+ |

node

| Permission | Description | Kernel Version/Capability |
|---|---|---|
| tcp_recv | Receive TCP packet. | |
| tcp_send | Send TCP packet. | |
| udp_recv | Receive UDP packet. | |
| udp_send | Send UDP packet. | |
| rawip_recv | Receive raw IP packet. | |
| rawip_send | Send raw IP packet. | |
| enforce_dest | Ensure that the destination node can enforce restrictions on the destination socket. | |
| dccp_recv | Receive DCCP packet. | 2.6.20+ |
| dccp_send | Send DCCP packet. | 2.6.20+ |
| recvfrom | | 2.6.25+ / network_peer_controls |
| sendto | | 2.6.25+ / network_peer_controls |

packet
Permission | Description | Kernel Version/Capability
send | Send a packet. | 2.6.18+
receive | Receive a packet. | 2.6.18+
relabelto | Set a labeling rule to the specified type. | 2.6.18+
flow_in | Deprecated | 2.6.25+
flow_out | Deprecated | 2.6.25+
forward_in | | 2.6.25+
forward_out | | 2.6.25+
packet_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
peer
Permission | Description | Kernel Version/Capability
recv | Receive from a labeled networking peer. | 2.6.25+ / network_peer_controls
process
Permission | Description | Kernel Version/Capability
fork | Fork into two processes. |
transition | Transition to a new context on exec(). |
sigchld | Send SIGCHLD signal. |
sigkill | Send SIGKILL signal. |
sigstop | Send SIGSTOP signal. |
signull | Test for existence of another process without sending a signal. |
signal | Send a signal other than SIGKILL, SIGSTOP, or SIGCHLD. |
ptrace | Trace program execution of parent or child. |
getsched | Get priority of a process. |
setsched | Set priority of a process. |
getsession | Get session ID of another process. |
getpgid | Get process group ID of a process. |
setpgid | Set process group ID of a process. |
getcap | Get Linux capabilities. |
setcap | Set Linux capabilities. |
share | Allow state sharing with cloned or forked process. |
getattr | Get attributes of a file. |
setexec | Override the default context for the next exec(). |
setfscreate | Override the default context for file creation. |
setrlimit | Change process hard limits. |
noatsecure | Disable secure mode environment cleansing (AT_SECURE). | v.16+
siginh | Inherit signal state from old sid. | v.16+
rlimitinh | Inherit resource limits from old sid. | v.16+
dyntransition | Dynamically transition to a new context. | 2.6.11+
setcurrent | Set the current process context. | 2.6.11+
execmem | Make executable an anonymous mapping or private file mapping that is writable. | 2.6.13+
execstack | Make the main process stack executable. | 2.6.13+
execheap | Make the heap executable. | 2.6.13+
setkeycreate | Override the default context for key creation. | 2.6.18+
setsockcreate | Override the default context for socket creation. | 2.6.18+
rawip_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | v.17+
security
Permission | Description | Kernel Version/Capability
compute_user | Get user info in selinuxfs. |
compute_relabel | Get relabel info in selinuxfs. |
compute_create | Get create info in selinuxfs. |
compute_av | Compute an access vector given a source/target/class. |
compute_member | Determine the context to use when selecting a member of a polyinstantiated object. |
setenforce | Change the enforcement state of SELinux. |
check_context | Write context in selinuxfs. |
load_policy | Load the security policy. |
setbool | Set a boolean value. | 2.6.5+
setsecparam | Set kernel access vector cache tuning parameters. | 2.6.11+
setcheckreqprot | Set whether SELinux checks the original protection mode or the modified protection mode (read-implies-exec) for mmap/mprotect. | 2.6.12+
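As an added example (not part of the original reference), the following Python parses kernel AVC audit lines and maps each denial's (class, permission) pair back to the process and security class permissions listed in the two tables above, so that denials such as execmem, dyntransition or setenforce stand out during log review. The sample lines and the HIGH_RISK selection are constructed for this example; neither comes from the page or from a real host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the kernel AVC audit format; not taken from any real host.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1700000000.101:201): avc:  denied  { execmem } for  pid=4321 '
    'comm="plugin-host" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=4321 '
    'comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000000.103:203): avc:  denied  { setenforce } for  pid=999 '
    'comm="agent" scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1',
    'type=AVC msg=audit(1700000000.104:204): avc:  granted  { load_policy } for  pid=7 '
    'comm="load_policy" scontext=system_u:system_r:load_policy_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
]

# (class, permission) pairs whose denial deserves a closer look. The wording follows the
# process and security tables of the reference; the selection itself is this example's choice.
HIGH_RISK = {
    ("process", "execmem"): "writable anonymous/private mapping made executable",
    ("process", "execstack"): "main process stack made executable",
    ("process", "execheap"): "heap made executable",
    ("process", "ptrace"): "tracing another process",
    ("process", "dyntransition"): "dynamic transition to a new context without exec()",
    ("process", "setcurrent"): "setting the current process context",
    ("security", "setenforce"): "changing the SELinux enforcement state",
    ("security", "load_policy"): "loading a security policy",
    ("security", "setbool"): "setting a policy boolean",
}

# One AVC record: decision, the permission set in braces, then key=value fields.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str
    perms: list
    fields: dict
    tclass: str
    permissive: bool  # permissive=1 means the access went ahead despite being logged as denied
    risk_notes: list = field(default_factory=list)


def parse_avc(line):
    """Parse one audit line; return None for lines that carry no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    tclass = fields.get("tclass", "")
    perms = m.group("perms").split()
    rec = AvcRecord(m.group("decision"), perms, fields, tclass, fields.get("permissive") == "1")
    for perm in perms:
        note = HIGH_RISK.get((tclass, perm))
        if note:
            rec.risk_notes.append(f"{tclass}:{perm}: {note}")
    return rec


def triage(lines):
    """Return the denials that hit a high-risk (class, permission) pair, in log order."""
    return [r for r in map(parse_avc, lines) if r and r.decision == "denied" and r.risk_notes]
```

Records with permissive=1 come from permissive domains or permissive mode, where the operation actually succeeded, so they should be ranked above ordinary denials when the same permission appears in both.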
sem
Inherits from: common ipc
Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |
shm
Inherits from: common ipc
Permission | Description | Kernel Version/Capability
write | see common ipc:write |
destroy | see common ipc:destroy |
unix_write | see common ipc:unix_write |
getattr | see common ipc:getattr |
create | see common ipc:create |
read | see common ipc:read |
setattr | see common ipc:setattr |
unix_read | see common ipc:unix_read |
associate | see common ipc:associate |
lock | (Un)lock page(s) in memory. |
sock_file
Inherits from: common file
Permission | Description | Kernel Version/Capability
getattr | see common file:getattr |
relabelto | see common file:relabelto |
unlink | see common file:unlink |
ioctl | see common file:ioctl |
execute | see common file:execute |
append | see common file:append |
read | see common file:read |
setattr | see common file:setattr |
swapon | see common file:swapon |
write | see common file:write |
lock | see common file:lock |
create | see common file:create |
rename | see common file:rename |
mounton | see common file:mounton |
quotaon | see common file:quotaon |
relabelfrom | see common file:relabelfrom |
link | see common file:link |
open | Open a named socket file. | 2.6.26+ / open_perms
socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
system
Permission | Description | Kernel Version/Capability
ipc_info | Get info for an ipc socket. |
syslog_mod | Perform syslog operation other than syslog_read or console logging. |
syslog_read | Perform syslog read. |
syslog_console | Perform syslog console logging. |
tcp_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |
node_bind | Ability to bind to a node. | 2.6.2+
name_connect | Connect to a specific port number. | 2.6.12+
tun_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append | 2.6.32+
relabelfrom | see common socket:relabelfrom | 2.6.32+
create | see common socket:create | 2.6.32+
read | see common socket:read | 2.6.32+
sendto | see common socket:sendto | 2.6.32+
connect | see common socket:connect | 2.6.32+
recvfrom | see common socket:recvfrom | 2.6.32+
send_msg | see common socket:send_msg | 2.6.32+
bind | see common socket:bind | 2.6.32+
lock | see common socket:lock | 2.6.32+
ioctl | see common socket:ioctl | 2.6.32+
getattr | see common socket:getattr | 2.6.32+
write | see common socket:write | 2.6.32+
setopt | see common socket:setopt | 2.6.32+
getopt | see common socket:getopt | 2.6.32+
listen | see common socket:listen | 2.6.32+
setattr | see common socket:setattr | 2.6.32+
shutdown | see common socket:shutdown | 2.6.32+
relabelto | see common socket:relabelto | 2.6.32+
recv_msg | see common socket:recv_msg | 2.6.32+
accept | see common socket:accept | 2.6.32+
name_bind | see common socket:name_bind | 2.6.32+
udp_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
node_bind | Ability to bind to a node. | 2.6.2+
unix_dgram_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
unix_stream_socket
Inherits from: common socket
Permission | Description | Kernel Version/Capability
append | see common socket:append |
relabelfrom | see common socket:relabelfrom |
create | see common socket:create |
read | see common socket:read |
sendto | see common socket:sendto |
connect | see common socket:connect |
recvfrom | see common socket:recvfrom |
send_msg | see common socket:send_msg |
bind | see common socket:bind |
lock | see common socket:lock |
ioctl | see common socket:ioctl |
getattr | see common socket:getattr |
write | see common socket:write |
setopt | see common socket:setopt |
getopt | see common socket:getopt |
listen | see common socket:listen |
setattr | see common socket:setattr |
shutdown | see common socket:shutdown |
relabelto | see common socket:relabelto |
recv_msg | see common socket:recv_msg |
accept | see common socket:accept |
name_bind | see common socket:name_bind |
connectto | Connect to server socket. |
newconn | Create new socket for connection. |
acceptfrom | Accept connection from client socket. |
Database Object Classes
db_blob
Inherits from: common database
Permission | Description
read | Read a blob.
write | Write a blob.
import | Import a blob.
export | Export a blob.
db_column
Inherits from: common database
Permission | Description
use | Deprecated
select |
update |
insert |
db_database
Inherits from: common database
Permission | Description
access |
install_module |
load_module |
get_param | Deprecated
set_param | Deprecated
db_procedure
Inherits from: common database
Permission | Description
execute | Execute a stored procedure.
entrypoint |
install |
db_table
Inherits from: common database
Permission | Description
use | Deprecated
select |
update |
insert |
delete |
lock |
db_tuple
Permission | Description
relabelfrom |
relabelto |
use | Deprecated
select |
update |
insert |
delete |
DBus Object Classes
dbus
Permission | Description
acquire_svc |
send_msg | Send a message on the bus.
MLS Context Translation Object Classes
context
Permission | Description
translate | Translate a raw MLS label.
contains | Calculate an MLS subset.
NSCD Object Classes
nscd
Permission | Description
getpwd |
getgrp |
gethost |
getstat |
admin |
shmempwd |
shmemgrp |
shmemhost |
getserv |
shmemserv |
Password Object Classes
passwd
Permission | Description
passwd | Update user password.
chfn | Change finger information, e.g. real name, work room, work phone and home phone.
chsh | Change login shell.
rootok | Allow update if the user is root and the process has the rootok PAM permission.
crontab | Run crontab on behalf of another user.
X Server Object Classes
x_application_data
Permission | Description
paste |
paste_after_confirm |
copy |
x_client
Permission | Description
destroy | Close down a client.
getattr | Get the attributes of an X client.
setattr | Set the attributes of an X client.
manage |
x_colormap
Permission | Description
create | Create a new Colormap.
destroy | Free a Colormap.
read | Read color cells of colormap.
write |
getattr | Get the color gamut of a screen.
add_color |
remove_color |
install | Copy a virtual colormap into the display hardware.
uninstall | Remove a virtual colormap from the display hardware.
use |
x_cursor
Permission | Description
create | Create an arbitrary cursor object.
destroy | Delete a cursor object.
read |
write |
getattr | Get attributes of the cursor.
setattr | Set attributes of the cursor.
use | Associate a cursor object with a window.
x_device
Inherits from: common x_device
Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove
x_drawable
Permission | Description
create | Create a Drawable object.
destroy | Destroy a Drawable.
read |
write |
blend |
getattr | Get attributes of a Drawable object.
setattr | Set attributes of a Drawable object.
list_child |
add_child |
remove_child |
list_property |
get_property |
set_property |
manage |
override |
show |
hide |
send |
receive |
x_event
Permission | Description
send |
receive |
x_extension
Permission | Description
query |
use |
x_font
Permission | Description
create | Load a font.
destroy | Free (dereference) a font.
getattr | Obtain font names, path, etc.
add_glyph |
remove_glyph |
use | Use a font for drawing.
x_gc
Permission | Description
create | Create a Graphics Context object.
destroy | Free (dereference) a Graphics Context object.
getattr | Get attributes of a Graphics Context object.
setattr | Set attributes of a Graphics Context object.
use |
x_keyboard
Inherits from: common x_device
Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove
x_pointer
Inherits from: common x_device
Permission | Description
getattr | see common x_device:getattr
setattr | see common x_device:setattr
use | see common x_device:use
read | see common x_device:read
write | see common x_device:write
getfocus | see common x_device:getfocus
setfocus | see common x_device:setfocus
bell | see common x_device:bell
force_cursor | see common x_device:force_cursor
freeze | see common x_device:freeze
grab | see common x_device:grab
manage | see common x_device:manage
list_property | see common x_device:list_property
get_property | see common x_device:get_property
set_property | see common x_device:set_property
add | see common x_device:add
remove | see common x_device:remove
x_property
Permission | Description
create | Create property object.
destroy | Free (dereference) a property object.
read | Read a property.
write | Write a property.
append | Append a property.
getattr | Get the attributes of a property.
setattr | Set the attributes of a property.
x_resource
Permission | Description
read |
write |
x_screen
Permission | Description
getattr |
setattr |
hide_cursor |
show_cursor |
saver_getattr |
saver_setattr |
saver_hide |
saver_show |
x_selection
Permission | Description
read |
write |
getattr |
setattr |
x_server
Permission | Description
getattr |
setattr |
record |
debug |
grab |
manage |
x_synthetic_event
Permission | Description
send |
receive |