#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

common file
{
	poll
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	transition
	append
	access
	unlink
	link
	rename
	execute
}


#
# Define a common prefix for socket access vectors.
#

common socket
{
# inherited from file
	poll
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	transition
	append
# socket-specific
	bind
	connect
	getopt
	setopt
	shutdown
	recvfrom
	sendto
	recv_msg
	send_msg
	name_bind
}	

#
# Define a common prefix for ipc access vectors.
#

common ipc
{
	create
	destroy
	getattr
	setattr
	read
	write
	associate
}

#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }


#
# Define the access vector interpretation for file-related objects.
#

class filesystem
{
	mount
	remount
	unmount
	getattr
	relabelfrom
	relabelto
	transition
	associate
}

class dir
inherits file
{
	add_name
	remove_name
	reparent
	search
	rmdir
	mounton
	mountassociate
}

class file
inherits file

class lnk_file
inherits file

class chr_file
inherits file

class blk_file
inherits file

class sock_file
inherits file

class fifo_file
inherits file

class pipe
inherits file


class fd
{
	create
	getattr
	setattr
	inherit
	receive
}


#
# Define the access vector interpretation for network-related objects.
#

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	listen
	accept
	newconn
	acceptfrom
}

class udp_socket
inherits socket

class rawip_socket
inherits socket

class node 
{
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
	enforce_dest
}

class netif
{
	getattr
	setattr
	tcp_recv
	tcp_send
	udp_recv
	udp_send
	rawip_recv
	rawip_send
}

class netlink_socket
inherits socket

class packet_socket
inherits socket

class unix_stream_socket
inherits socket
{
	connectto
	listen
	accept
	newconn
	acceptfrom
}

class unix_dgram_socket
inherits socket


#
# Define the access vector interpretation for process-related objects
#

class process
{
	execute
	fork
	transition
	sigchld
	sigkill
	sigstop
	signal
	ptrace
	getsched
	setsched
	getsession
	getpgid
	setpgid
	getcap
	setcap
	entrypoint
}


#
# Define the access vector interpretation for ipc-related objects
#

class sem
inherits ipc

class msgq
inherits ipc
{
	enqueue
}

class msg
{
	send
	receive
}

class shm
inherits ipc
{
	lock
}


#
# Define the access vector interpretation for the security server. 
#

class security
{
	compute_av
	notify_perm
	transition_sid
	member_sid
	sid_to_context
	context_to_sid
	load_policy
	get_sids
	register_avc
	change_sid
	get_user_sids
}


#
# Define the access vector interpretation for system operations.
#

class system
{
	net_io_control
	route_control
	arp_control
	rarp_control
	ipc_info
	avc_toggle
}

#
# Define the access vector interpretation for controling capabilies
#

class capability
{
	# The capabilities are defined in include/linux/capability.h
	# Care should be taken to ensure that these are consistent with
	# those definitions. (Order matters)

	chown           
	dac_override    
	dac_read_search 
	fowner          
	fsetid          
	kill            
	setgid           
	setuid           
	setpcap          
	linux_immutable  
	net_bind_service 
	net_broadcast    
	net_admin        
	net_raw          
	ipc_lock         
	ipc_owner        
	sys_module       
	sys_rawio        
	sys_chroot       
	sys_ptrace       
	sys_pacct        
	sys_admin        
	sys_boot         
	sys_nice         
	sys_resource     
	sys_time         
	sys_tty_config  
	mknod
	lease
}
