# This is a permission map file for use in policy analysis.  It maps
# each object permission (read, getattr, setattr, ..., etc.) of an
# object class to exactly one of the following: read, write, both, or
# none.  The mapping determines the direction in which the analysis
# treats information as flowing for that permission, so a permission
# mapped in the wrong direction causes flows to be missed or reported
# backwards.  This file may be edited as long as the specific syntax
# rules below are obeyed.
#
# For each object class, there is a set of object permissions that are
# individually mapped to read, write, both, or none.  If a new object
# class is added, increment the "Number of object classes" value below
# so that it matches the number of class definitions in this file; the
# <num_permissions> value on each class line must likewise match the
# number of permission lines that follow it.
#
# The syntax for an object class definition is:
# class <class_name> <num_permissions>
# 
# This is followed by each permission and its individual mapping to one 
# of the following:
#
# 	r   =	Read
#	w   =	Write
#	n   =	None
#	b   =	Both
#
# Additionally, the mapping may be followed by an optional permission
# weight value from 1 (least important) to 10 (most important).  If no
# weight is given, the default weight of 10 is used.
#
# Look to the examples below for further clarification.
#
# Number of object classes.
58

class security 11
        compute_av     n           1
    compute_create     n           1
    compute_member     n           1
     check_context     n           1
       load_policy     n           1
   compute_relabel     n           1
      compute_user     n           1
        setenforce     n           1
           setbool     n           1
       setsecparam     n           1
   setcheckreqprot     n           1

class process 29
              fork     n           1
        transition     w           5
           sigchld     w           1
           sigkill     w           1
           sigstop     w           1
           signull     n           1
            signal     w           5
            ptrace     b          10
          getsched     r           1
          setsched     w           1
        getsession     r           1
           getpgid     r           1
           setpgid     w           5
            getcap     r           3
            setcap     w           1
             share     b           1
           getattr     r           1
           setexec     w           1
       setfscreate     w           1
        noatsecure     n           1
            siginh     n           1
         setrlimit     n           1
         rlimitinh     n           1
     dyntransition     w          10
        setcurrent     w           1
           execmem     n           1
         execstack     n           1
          execheap     n           1
      setkeycreate     w           1

class system 4
          ipc_info     n           1
       syslog_read     n           1
        syslog_mod     n           1
    syslog_console     n           1

class capability 31
             chown     n           3
      dac_override     n           1
   dac_read_search     n           1
            fowner     n           1
            fsetid     n           1
              kill     n           1
            setgid     n           3
            setuid     n           1
           setpcap     n           3
   linux_immutable     n           1
  net_bind_service     n           1
     net_broadcast     n           1
         net_admin     n           1
           net_raw     n           1
          ipc_lock     n           1
         ipc_owner     n           1
        sys_module     n           1
         sys_rawio     n           1
        sys_chroot     n           1
        sys_ptrace     n           1
         sys_pacct     n           1
         sys_admin     n           3
          sys_boot     n           1
          sys_nice     n           1
      sys_resource     n           1
          sys_time     n           1
    sys_tty_config     n           1
             mknod     n           1
             lease     n           1
       audit_write     n           3
     audit_control     n           1

class filesystem 10
             mount     w           1
           remount     w           1
           unmount     w           1
           getattr     r           1
       relabelfrom     r           10
         relabelto     w           10
        transition     w           1
         associate     n           1
          quotamod     w           1
          quotaget     r           1

class file 20
  execute_no_trans     r           1
        entrypoint     r           1
           execmod     n           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           5
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class dir 22
          add_name     w           5
       remove_name     w           1
          reparent     w           1
            search     r           1
             rmdir     b           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           5
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class fd 1
               use     b           1

class lnk_file 17
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           1
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class chr_file 20
  execute_no_trans     r           1
        entrypoint     r           1
           execmod     n           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           5
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class blk_file 17
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           5
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class sock_file 17
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           1
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class fifo_file 17
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
            unlink     w           1
              link     w           1
            rename     w           5
           execute     r           1
            swapon     b           1
           quotaon     b           1
           mounton     b           1

class socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class tcp_socket 27
         connectto     w           1
           newconn     w           1
        acceptfrom     r           1
         node_bind     n           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1
      name_connect     w           1

class udp_socket 23
         node_bind     n           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class rawip_socket 23
         node_bind     n           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           1
           setattr     w           1
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class node 7
          tcp_recv     r          10
          tcp_send     w          10
          udp_recv     r          10
          udp_send     w          10
        rawip_recv     r          10
        rawip_send     w          10
      enforce_dest     n           1

class netif 6
          tcp_recv     r          10
          tcp_send     w          10
          udp_recv     r          10
          udp_send     w          10
        rawip_recv     r          10
        rawip_send     w          10

class netlink_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class packet_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class key_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class unix_stream_socket 25
         connectto     w           1
           newconn     w           1
        acceptfrom     r           1
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class unix_dgram_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class sem 9
            create     w           1
           destroy     w           1
           getattr     r           1
           setattr     w           1
              read     r          10
             write     w          10
         associate     n           1
         unix_read     r           3
        unix_write     w           3

class msg 2
              send     w          10
           receive     r          10

class msgq 10
           enqueue     w           1
            create     w           1
           destroy     w           1
           getattr     r           1
           setattr     w           1
              read     r          10
             write     w          10
         associate     n           1
         unix_read     r           3
        unix_write     w           3

class shm 10
              lock     w           1
            create     w           1
           destroy     w           1
           getattr     r           1
           setattr     w           1
              read     r          10
             write     w          10
         associate     n           1
         unix_read     r           3
        unix_write     w           3

class ipc 9
            create     w           1
           destroy     w           1
           getattr     r           1
           setattr     w           1
              read     r          10
             write     w          10
         associate     n           1
         unix_read     r           3
        unix_write     w           3

class passwd 5
            passwd     w           1
              chfn     w           5
              chsh     w           5
            rootok     n           1
           crontab     w           5

class drawable 5
            create     w           1
           destroy     w           1
              draw     w          10
              copy     r          10
           getattr     r           7

class window 26
          addchild     w           1
            create     w           1
           destroy     w           1
               map     w           1
             unmap     w           1
           chstack     w          10
        chproplist     w           7
            chprop     w          10
          listprop     r           5
           getattr     r           5
           setattr     w           5
          setfocus     w           1
              move     w          10
       chselection     w          10
          chparent     w           5
          ctrllife     w           5
         enumerate     w           1
       transparent     w           1
       mousemotion     w          10
    clientcomevent     w           5
        inputevent     w           5
         drawevent     w           5
 windowchangeevent     w           5
windowchangerequest    w           5
 serverchangeevent     w           5
    extensionevent     w           5

class gc 4
            create     w           1
              free     w           1
           getattr     r           5
           setattr     w           5

class font 4
              load     r           1
              free     w           1
           getattr     r           5
               use     r           1

class colormap 9
            create     w           1
              free     w           1
           install     w          10
         uninstall     w           1
              list     r           5
              read     r          10
             store     w          10
           getattr     r           5
           setattr     w           5

class property 4
            create     w           1
              free     w           1
              read     r          10
             write     w          10

class cursor 5
            create     w           1
       createglyph     w          10
              free     w           1
            assign     w          10
           setattr     w           5

class xclient 1
              kill     w           1

class xinput 11
            lookup     r          10
           getattr     r           5
           setattr     w           5
          setfocus     w          10
       warppointer     w          10
        activegrab     w           1
       passivegrab     w           1
            ungrab     w           1
              bell     w           3
       mousemotion     w          10
      relabelinput     b           3

class xserver 8
       screensaver     w          10
       gethostlist     r           7
       sethostlist     w           7
       getfontpath     r           7
       setfontpath     w           7
           getattr     r           7
              grab     w          10
            ungrab     w           1

class xextension 2
             query     r          10
               use     b           1

class pax 6
          pageexec     n           1
          emutramp     n           1
          mprotect     n           1
          randmmap     n           1
          randexec     n           1
          segmexec     n           1

class netlink_route_socket 24
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_firewall_socket 24
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_tcpdiag_socket 24
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_nflog_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_xfrm_socket 24
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_selinux_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_audit_socket 26
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1
       nlmsg_relay     w          10
    nlmsg_readpriv     r          10

class netlink_ip6fw_socket 24
        nlmsg_read     r          10
       nlmsg_write     w          10
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_dnrt_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class netlink_kobject_uevent_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           7
           setattr     w           7
              lock     n           1
       relabelfrom     r           10
         relabelto     w           10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class dbus 2
       acquire_svc     b           1
          send_msg     w          10

class nscd 8
            getpwd     r           7
            getgrp     r           7
           gethost     r           7
           getstat     r           7
             admin     w           5
          shmempwd     r           7
          shmemgrp     r           7
         shmemhost     r           7

class association 4
            sendto     w          10
          recvfrom     r          10
        setcontext     w           3
          polmatch     r           1

class appletalk_socket 22
             ioctl     n           1
              read     r          10
             write     w          10
            create     w           1
           getattr     r           1
           setattr     w           1
              lock     n           1
       relabelfrom     r          10
         relabelto     w          10
            append     w           1
              bind     w           1
           connect     w           1
            listen     r           1
            accept     r           1
            getopt     r           1
            setopt     w           1
          shutdown     w           1
          recvfrom     r          10
            sendto     w          10
          recv_msg     r          10
          send_msg     w          10
         name_bind     n           1

class key 7
              view     r           7
              read     r          10
             write     w          10
            search     r           5
              link     w           7
           setattr     w           7
            create     w          10

class packet 3
              send     w          10
              recv     r          10
         relabelto     w           3