; Permission groups for files. (classmap files (relabel mount relax enter describe load execute mutate block)) ; Permission group for relabeling files. (classmapping files relabel relabel_file) (classmapping files relabel relabel_dir) (classmapping files relabel relabel_lnk_file) (classmapping files relabel relabel_chr_file) (classmapping files relabel relabel_blk_file) (classmapping files relabel relabel_sock_file) (classmapping files relabel relabel_fifo_file) (classmapping files relabel relabel_anon_inode) ; Permission group for mounts. (classmapping files mount mount_file) (classmapping files mount mount_dir) (classmapping files mount mount_lnk_file) (classmapping files mount mount_chr_file) (classmapping files mount mount_blk_file) (classmapping files mount mount_sock_file) (classmapping files mount mount_fifo_file) (classmapping files mount mount_filesystem) (classmapping files mount mount_anon_inode) ; Permission group for relaxing security constraints on files. (classmapping files relax relax_file) (classmapping files relax relax_dir) (classmapping files relax relax_lnk_file) (classmapping files relax relax_chr_file) (classmapping files relax relax_blk_file) (classmapping files relax relax_sock_file) (classmapping files relax relax_fifo_file) (classmapping files relax relax_anon_inode) ; Permission group for using files as entry points. (classmapping files enter enter_file) ; Permission group for describing files. (classmapping files describe describe_file) (classmapping files describe describe_dir) (classmapping files describe describe_lnk_file) (classmapping files describe describe_chr_file) (classmapping files describe describe_blk_file) (classmapping files describe describe_sock_file) (classmapping files describe describe_fifo_file) (classmapping files describe describe_filesystem) (classmapping files describe describe_anon_inode) ; Permission group for reading files. (classmapping files load load_file) (classmapping files load load_dir) (classmapping files load load_lnk_file) (classmapping files load load_chr_file) (classmapping files load load_blk_file) (classmapping files load load_sock_file) (classmapping files load load_fifo_file) (classmapping files load load_filesystem) (classmapping files load load_fd) (classmapping files load load_anon_inode) (classmapping files load load_io_uring) ; Permission group for executing files. (classmapping files execute execute_file) (classmapping files execute execute_dir) (classmapping files execute execute_lnk_file) (classmapping files execute execute_chr_file) (classmapping files execute execute_blk_file) (classmapping files execute execute_sock_file) (classmapping files execute execute_fifo_file) ; Permission group for blocking access to files. (classmapping files block block_file) (classmapping files block block_dir) (classmapping files block block_lnk_file) (classmapping files block block_chr_file) (classmapping files block block_blk_file) (classmapping files block block_sock_file) (classmapping files block block_fifo_file) (classmapping files block block_anon_inode) ; Permission group for mutating files. (classmapping files mutate mutate_file) (classmapping files mutate mutate_dir) (classmapping files mutate mutate_lnk_file) (classmapping files mutate mutate_chr_file) (classmapping files mutate mutate_blk_file) (classmapping files mutate mutate_sock_file) (classmapping files mutate mutate_fifo_file) (classmapping files mutate mutate_anon_inode) ; Sets of permissions for relabeling file objects. (classpermission relabel_file) (classpermission relabel_dir) (classpermission relabel_lnk_file) (classpermission relabel_chr_file) (classpermission relabel_blk_file) (classpermission relabel_sock_file) (classpermission relabel_fifo_file) (classpermission relabel_anon_inode) (classpermissionset relabel_file ( file (relabelfrom relabelto))) (classpermissionset relabel_dir ( dir (relabelfrom relabelto))) (classpermissionset relabel_lnk_file ( lnk_file (relabelfrom relabelto))) (classpermissionset relabel_chr_file ( chr_file (relabelfrom relabelto))) (classpermissionset relabel_blk_file ( blk_file (relabelfrom relabelto))) (classpermissionset relabel_sock_file ( sock_file (relabelfrom relabelto))) (classpermissionset relabel_fifo_file ( fifo_file (relabelfrom relabelto))) (classpermissionset relabel_anon_inode( anon_inode (relabelfrom relabelto))) ; Sets of permissions for mounts. (classpermission mount_file) (classpermission mount_dir) (classpermission mount_lnk_file) (classpermission mount_chr_file) (classpermission mount_blk_file) (classpermission mount_sock_file) (classpermission mount_fifo_file) (classpermission mount_filesystem) (classpermission mount_anon_inode) (classpermissionset mount_file ( file (mounton quotaon))) (classpermissionset mount_dir ( dir (mounton quotaon))) (classpermissionset mount_lnk_file ( lnk_file (mounton quotaon))) (classpermissionset mount_chr_file ( chr_file (mounton quotaon))) (classpermissionset mount_blk_file ( blk_file (mounton quotaon))) (classpermissionset mount_sock_file ( sock_file (mounton quotaon))) (classpermissionset mount_fifo_file ( fifo_file (mounton quotaon))) (classpermissionset mount_filesystem ( filesystem (mount quotamod remount unmount))) (classpermissionset mount_anon_inode ( anon_inode (mounton quotaon))) ; Sets of permissions that relax security constraints for file objects. (classpermission relax_file) (classpermission relax_dir) (classpermission relax_lnk_file) (classpermission relax_chr_file) (classpermission relax_blk_file) (classpermission relax_sock_file) (classpermission relax_fifo_file) (classpermission relax_anon_inode) (classpermissionset relax_file ( file (execmod))) (classpermissionset relax_dir ( dir (execmod))) (classpermissionset relax_lnk_file ( lnk_file (execmod))) (classpermissionset relax_chr_file ( chr_file (execmod))) (classpermissionset relax_blk_file ( blk_file (execmod))) (classpermissionset relax_sock_file ( sock_file (execmod))) (classpermissionset relax_fifo_file ( fifo_file (execmod))) (classpermissionset relax_anon_inode ( anon_inode (execmod))) ; Sets of permissions for using file objects as entry points. (classpermission enter_file) (classpermissionset enter_file ( file (entrypoint))) ; Sets of permissions for describing file objects. (classpermission describe_file) (classpermission describe_dir) (classpermission describe_lnk_file) (classpermission describe_chr_file) (classpermission describe_blk_file) (classpermission describe_sock_file) (classpermission describe_fifo_file) (classpermission describe_filesystem) (classpermission describe_anon_inode) (classpermissionset describe_file ( file (getattr))) (classpermissionset describe_dir ( dir (getattr))) (classpermissionset describe_lnk_file ( lnk_file (getattr))) (classpermissionset describe_chr_file ( chr_file (getattr))) (classpermissionset describe_blk_file ( blk_file (getattr))) (classpermissionset describe_sock_file ( sock_file (getattr))) (classpermissionset describe_fifo_file ( fifo_file (getattr))) (classpermissionset describe_filesystem ( filesystem (getattr quotaget))) (classpermissionset describe_anon_inode ( anon_inode (getattr))) ; Sets of permissions for read-only actions that do not affect the ; integrity of file objects. (classpermission load_file) (classpermission load_dir) (classpermission load_lnk_file) (classpermission load_chr_file) (classpermission load_blk_file) (classpermission load_sock_file) (classpermission load_fifo_file) (classpermission load_filesystem) (classpermission load_fd) (classpermission load_anon_inode) (classpermission load_io_uring) (classpermissionset load_file ( file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_dir ( dir ( ioctl map open read search watch watch_mount watch_reads watch_sb))) (classpermissionset load_lnk_file ( lnk_file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_chr_file ( chr_file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_blk_file ( blk_file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_sock_file ( sock_file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_fifo_file ( fifo_file ( ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_filesystem ( filesystem (watch))) (classpermissionset load_fd ( fd (use))) (classpermissionset load_anon_inode ( anon_inode ( execute ioctl map open read watch watch_mount watch_reads watch_sb))) (classpermissionset load_io_uring ( io_uring (cmd))) ; Sets of permissions for execute actions on file objects. (classpermission execute_file) (classpermission execute_dir) (classpermission execute_lnk_file) (classpermission execute_chr_file) (classpermission execute_blk_file) (classpermission execute_sock_file) (classpermission execute_fifo_file) (classpermissionset execute_file ( file (execute execute_no_trans))) (classpermissionset execute_dir ( dir (execute))) (classpermissionset execute_lnk_file ( lnk_file (execute))) (classpermissionset execute_chr_file ( chr_file (execute))) (classpermissionset execute_blk_file ( blk_file (execute))) (classpermissionset execute_sock_file ( sock_file (execute))) (classpermissionset execute_fifo_file ( fifo_file (execute))) ; Sets of permissions for blocking access to file objects. (classpermission block_file) (classpermission block_dir) (classpermission block_lnk_file) (classpermission block_chr_file) (classpermission block_blk_file) (classpermission block_sock_file) (classpermission block_fifo_file) (classpermission block_anon_inode) (classpermissionset block_file ( file (watch_with_perm))) (classpermissionset block_dir ( dir (watch_with_perm))) (classpermissionset block_lnk_file ( lnk_file (watch_with_perm))) (classpermissionset block_chr_file ( chr_file (watch_with_perm))) (classpermissionset block_blk_file ( blk_file (watch_with_perm))) (classpermissionset block_sock_file ( sock_file (watch_with_perm))) (classpermissionset block_fifo_file ( fifo_file (watch_with_perm))) (classpermissionset block_anon_inode ( anon_inode (watch_with_perm))) ; Sets of permissions for mutating file objects, which includes all ; actions that are not covered by other policy restrictions. (classpermission mutate_file) (classpermission mutate_dir) (classpermission mutate_lnk_file) (classpermission mutate_chr_file) (classpermission mutate_blk_file) (classpermission mutate_sock_file) (classpermission mutate_fifo_file) (classpermission mutate_anon_inode) (classpermissionset mutate_file ( file (not ( entrypoint execute_no_trans execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_dir ( dir (not ( search execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_lnk_file ( lnk_file (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_chr_file ( chr_file (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_blk_file ( blk_file (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_sock_file ( sock_file (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_fifo_file ( fifo_file (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) (classpermissionset mutate_anon_inode ( anon_inode (not ( execute ioctl getattr map open read execmod relabelfrom relabelto mounton quotaon watch watch_mount watch_reads watch_sb watch_with_perm)))) ; Permission group for filesystems. (classmap filesystems (relabel)) (classmapping filesystems relabel (filesystem (relabelfrom relabelto)))