SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for SELinux, including a brief description of the semantics of each permission. Additionally, any permissions that are version-specific are noted. The permission descriptions are only a rough initial version and might be incomplete or inaccurate. Please send any updates or suggestions for changes to these descriptions, or any other part of this document, to selinux@tresys.com.

Common Permission Sets

file
socket
ipc

Kernel Object Classes

file
blk_file
chr_file
fifo_file
lnk_file
sock_file
dir
socket
key_socket
netlink_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
packet_socket
rawip_socket
tcp_socket
udp_socket
unix_dgram_socket
unix_stream_socket
ipc
msgq
sem
shm
capability
fd
filesystem
msg
netif
node
process
security
system
pax
association
appletalk_socket

Userland Object Classes

passwd
dbus
nscd
drawable
window
gc
font
colormap
property
cursor
xclient
xinput
xserver
xextension

common file (17 Permissions)

Permission Description
getattr Get file attributes, such as access mode (e.g. stat, some ioctls, ...).
relabelto Change the security context based on the new type.
unlink Remove hard link (delete).
ioctl IO control system call requests not addressed by other permissions.
execute Execute.
append Append file contents, i.e. opened with the O_APPEND flag.
read Read file contents.
setattr Change file attributes, such as access mode (e.g. chmod, some ioctls, ...).
swapon Allows the file to be used for paging/swapping space.
write Write or append file contents.
lock Set and unset file locks.
create Create a new file.
rename Rename a hard link.
mounton Use as mount point; only useful for directories in Linux.
quotaon Enable quotas.
relabelfrom Change the security context based on the existing type.
link Create a hard link to the file.

common socket (22 Permissions)

Permission Description
append Write or append socket file contents.
relabelfrom Change the security context based on existing type.
create Create new socket file.
read Read socket file contents.
sendto Send datagrams to socket.
connect Initiate connection.
recvfrom Receive datagrams from socket.
send_msg Send datagram message; implicitly granted if the message SID is equal to the sending socket SID.
bind Bind name.
lock Set and unset socket file locks.
ioctl IO control system call requests not addressed by other permissions.
getattr Get file attributes for socket file, such as access mode (e.g. stat, some ioctls, ...).
write Write or append socket file contents.
setopt Set socket options.
getopt Get socket options.
listen Listen for connections.
setattr Change file attributes for socket file, such as access mode (e.g. chmod, some ioctls, ...).
shutdown Shutdown connection.
relabelto Change the security context based on the new type.
recv_msg Receive datagram message; implicitly granted if the message SID is equal to the sending socket SID.
accept Accept a connection.
name_bind Use port or file; for AF_INET sockets, controls the relationship between a socket and its port number; for AF_UNIX sockets, controls the relationship between a socket and its file.

common ipc (9 Permissions)

Permission Description
write Write or append.
destroy Destroy.
unix_write Write or append; required by IPC operations.
getattr Get attributes of the IPC object, such as access mode (e.g. stat, some ioctls, ...).
create Create.
read Read.
setattr Change attributes of the IPC object, such as access mode (e.g. chmod, some ioctls, ...).
unix_read Read; required by IPC operations.
associate Associate a key.

file (17 Inherited Permissions, 3 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
Unique Permissions
execute_no_trans Execute in the caller's domain.
entrypoint Can be executed as the entry point of the new domain in a transition.
execmod (v.18+) Make executable a file mapping that has been modified by copy-on-write.
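The file class is the common file set plus its three unique permissions. As an added illustration (not part of this reference), this is how that composition is declared in the policy language's access_vectors file, followed by a rule that grants the unique permissions; the type names in the allow rules are hypothetical, and the class must also be listed in the security_classes file.

```selinux
# Common permission set shared by every file-like class
# (file, blk_file, chr_file, fifo_file, lnk_file, sock_file, dir)
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}

# The file class inherits the 17 common permissions and adds its own
class file
inherits file
{
	execute_no_trans
	entrypoint
	execmod
}

# Hypothetical domain myapp_t may run files labelled myapp_exec_t
# without a domain transition: execute alone is not enough, the
# unique execute_no_trans permission is also needed.
allow myapp_t myapp_exec_t:file { getattr open read execute execute_no_trans };

# execmod is the permission a denial will name when a library
# labelled myapp_lib_t needs text relocations; grant it only to
# the specific type, never broadly.
allow myapp_t myapp_lib_t:file execmod;
```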

blk_file (17 Inherited Permissions, 0 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link

chr_file (17 Inherited Permissions, 3 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
Unique Permissions
execute_no_trans Execute in the caller's domain.
entrypoint Can be executed as the entry point of the new domain in a transition.
execmod (v.18+) Make executable a file mapping that has been modified by copy-on-write.

fifo_file (17 Inherited Permissions, 0 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link

lnk_file (17 Inherited Permissions, 0 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link

sock_file (17 Inherited Permissions, 0 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link

dir (17 Inherited Permissions, 5 Unique Permissions)

Inherits from: common file

Permission Description
Common Permissions
getattr see common file:getattr
relabelto see common file:relabelto
unlink see common file:unlink
ioctl see common file:ioctl
execute see common file:execute
append see common file:append
read see common file:read
setattr see common file:setattr
swapon see common file:swapon
write see common file:write
lock see common file:lock
create see common file:create
rename see common file:rename
mounton see common file:mounton
quotaon see common file:quotaon
relabelfrom see common file:relabelfrom
link see common file:link
Unique Permissions
search Search the directory (look up a name in it).
rmdir Remove the directory.
remove_name Remove a file from the directory.
reparent Change parent directory.
add_name Add a file to the directory.

socket (22 Inherited Permissions, 0 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

key_socket (22 Inherited Permissions, 0 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

netlink_socket (22 Inherited Permissions, 0 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

packet_socket (22 Inherited Permissions, 0 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind

rawip_socket (22 Inherited Permissions, 1 Unique Permission)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
Unique Permissions
node_bind (v.17+) Ability to bind to a node.

tcp_socket (22 Inherited Permissions, 5 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
Unique Permissions
connectto Connect to server socket.
newconn Create new socket for connection.
acceptfrom Accept connection from client socket.
node_bind (v.17+) Ability to bind to a node.
name_connect (v.19+) Connect to a specific port number.

udp_socket (22 Inherited Permissions, 1 Unique Permission)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom
create see common socket:create
read see common socket:read
sendto see common socket:sendto
connect see common socket:connect
recvfrom see common socket:recvfrom
send_msg see common socket:send_msg
bind see common socket:bind
lock see common socket:lock
ioctl see common socket:ioctl
getattr see common socket:getattr
write see common socket:write
setopt see common socket:setopt
getopt see common socket:getopt
listen see common socket:listen
setattr see common socket:setattr
shutdown see common socket:shutdown
relabelto see common socket:relabelto
recv_msg see common socket:recv_msg
accept see common socket:accept
name_bind see common socket:name_bind
Unique Permissions
node_bind (v.17+) Ability to bind to a node.

unix_dgram_socket (22 Inherited Permissions, 0 Unique Permissions)

Inherits from: common socket

Permission Description
Common Permissions
append see common socket:append
relabelfrom see common socket:relabelfrom