# Copyright (c) 1999 The University of Utah and the Flux Group.
# All rights reserved.
# 
# Contributed by the Computer Security Research division,
# INFOSEC Research and Technology Office, NSA.
# 
# This file is part of the Flux OSKit.  The OSKit is free software, also known
# as "open source;" you can redistribute it and/or modify it under the terms
# of the GNU General Public License (GPL), version 2, as published by the Free
# Software Foundation (FSF).  To explore alternate licensing terms, contact
# the University of Utah at csl-dist@cs.utah.edu or +1-801-585-3271.
# 
# The OSKit is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GPL for more details.  You should have
# received a copy of the GPL along with the OSKit; see the file COPYING.  If
# not, write to the FSF, 59 Temple Place #330, Boston, MA 02111-1307, USA.

#
# Define common prefixes for access vectors.
# A "common" is not a class of its own: it only names a set of
# permissions that one or more classes below may inherit.
#
# common common_name { permission_name ... }


#
# Define a common prefix for file access vectors.
#

# Permissions shared by every class declared with "inherits file"
# below (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file,
# pipe).  This file only names the permissions; what each one means is
# defined by the object manager that checks it, not here.
# NOTE(review): declaration order presumably fixes each permission's
# bit position in the access vector -- append new names at the end
# rather than reordering.
common file
{
	read
	write
	create
	append
	execute
	access
	getattr
	setattr
	unlink
	link
	rename
	lock
	sync
	pathconf
	# relabelfrom/relabelto: a pair, presumably checked against the
	# old and the new label of a relabeled object -- confirm.
	relabelfrom
	relabelto
	transition
}


#
# Define a common prefix for socket access vectors.
#

# Permissions shared by every class declared with "inherits socket"
# below (rtsock, in_stream_sock, in_dgram_sock, in_raw_sock,
# in_icmp_sock, in_igmp_sock, in_rsvp_sock, in_ipip_sock).
# NOTE(review): declaration order presumably fixes each permission's
# bit position in the access vector -- append new names at the end.
common socket
{
	receive
	send
	create
	# local/remote endpoint attribute access (names only; the
	# attributes themselves are not defined in this file).
	getlocal
	setlocal
	getremote
	setremote
	# generic option access plus three protocol-specific setopt names.
	getopt
	setopt
	tcp_setopt
	udp_setopt
	ip_setopt
	disable_send
	disable_receive
	# *_associate: by name these look like cross-object checks between
	# this socket and a peer object (e.g. a port for port_associate)
	# -- confirm against the network object manager.
	send_associate
	recvfrom_associate
	recv_associate
	port_associate
}	


#
# Define the access vectors.
# The permission list is optional: a class that inherits a common may
# declare no permissions of its own (see class file below).
#
# class class_name [ inherits common_name ] [ { permission_name ... } ]

#
# Define the access vector interpretation for file-related objects.
#

# Filesystem objects.  This class does not inherit the file common;
# getattr, sync, relabelfrom/relabelto and transition are declared again
# here by name and are separate permissions from the file ones.
class filesystem
{
	mount
	remount
	unmount
	getattr
	sync
	lookupi
	relabelfrom
	relabelto
	transition
	# associate: presumably the filesystem side of placing a file label
	# on this filesystem (cf. mountassociate on class dir) -- confirm.
	associate
}

# Directory objects: every permission of the file common plus the
# directory-specific names below.
class dir
inherits file
{
	# add_name/remove_name: presumably changes to the names held by
	# this directory (unlink/link/rename are on the file common and
	# apply to the target file) -- confirm.
	add_name
	remove_name
	reparent
	search
	rmdir
	# mounton/mountassociate: names only; presumably the directory
	# side of the mount and associate checks on class filesystem.
	mounton
	mountassociate
}

# class file: the file common with no class-specific permissions.
class file
inherits file

# lnk_file (link files, by name): the file common only.
class lnk_file
inherits file

# chr_file (character special files, by name): the file common only.
class chr_file
inherits file

# blk_file (block special files, by name): the file common only.
class blk_file
inherits file

# sock_file (socket files, by name): the file common only.  This is a
# file-system object; the socket common is used by the *_sock classes.
class sock_file
inherits file

# fifo_file (named pipes, by name): the file common only.
class fifo_file
inherits file

# pipe: the file common only (an unnamed pipe, as opposed to fifo_file,
# by name -- confirm).
class pipe
inherits file


# File descriptor objects.  Not a file subclass: create/getattr/setattr
# are declared again here by name, plus inherit.
class fd
{
	create
	getattr
	setattr
	# inherit: presumably checked when a descriptor is carried over
	# into another process -- confirm against the process object manager.
	inherit
}


#
# Define the access vector interpretation for network-related objects.
#

# Network node objects.  Each direction is declared three times: a tcp_
# name, a udp_ name, and a protocol-neutral receive_node/send_node.
class node 
{
	tcp_receive_node
	tcp_send_node
	udp_receive_node
	udp_send_node
	# receive_node/send_node: the non-tcp, non-udp case (names only).
	receive_node
	send_node
}

# Network interface objects: getattr/setattr plus the same per-direction
# triple (tcp_, udp_, generic) as class node, suffixed _netif.
class netif
{
	getattr
	setattr
	tcp_receive_netif 
	tcp_send_netif
	udp_receive_netif 
	udp_send_netif
	receive_netif 
	send_netif
}

# rttab (routing table, by name): read access (observe) is separated
# from change access (modify).
class rttab
{
	observe 
	modify
}

# rtsock (routing socket, by name): the socket common only.
class rtsock
inherits socket

# Stream internet sockets: the socket common plus listen/accept and
# three *_associate names.  The only socket class with permissions of
# its own.
class in_stream_sock
inherits socket
{
	listen
	accept
	# accept_associate / client_associate / server_associate: names only;
	# presumably the connection-time checks between the two endpoint
	# labels -- confirm against the network object manager.
	accept_associate
	client_associate
        server_associate
}


# Datagram internet sockets: the socket common only.
class in_dgram_sock
inherits socket


# Raw internet sockets: the socket common only.
class in_raw_sock
inherits socket

# ICMP sockets: the socket common only.
class in_icmp_sock
inherits socket

# IGMP sockets: the socket common only.
class in_igmp_sock
inherits socket

# RSVP sockets: the socket common only.
class in_rsvp_sock
inherits socket

# IP-in-IP sockets: the socket common only.
class in_ipip_sock
inherits socket


#
# Define the access vector interpretation for process-related objects
#

# Process objects.  execute and transition are declared again here as
# process permissions, separate from the same-named file permissions.
class process
{
	execute
	fork
	wait
	transition
	# sigstop and sigkill are singled out from the generic signal
	# permission, so a policy can grant signal without granting either.
	sigstop
	sigkill
	signal
}


#
# Define the access vector interpretation for the security server. 
#

# Security server interface.  NOTE(review): by name, load_policy,
# load_extension and register_avc alter the security server's own state
# or its enforcement path; the domains granted these in the policy are
# the ones to review most closely -- confirm their exact semantics.
class security
{
	compute_av
	notify_perm
	transition_sid
	member_sid
	# label <-> SID translation in both directions.
	sid_to_context
	context_to_sid
	load_extension
	load_policy
	register_avc
}


#
# Define the access vector interpretation for system operations.
#

# System-wide operations: reboot is the only one declared.
class system
{
	reboot
}


#
# Define the access vector interpretation for subjects.
#
 
# Subject (task/thread, by name) objects.  read/write/execute/send are
# declared again here by name and are distinct from the file and socket
# permissions of the same spelling.
class subject
{ 
        read
        write
        execute
        create_object
        # specify_client/specify_server: names only; presumably the two
        # roles of an IPC relationship -- confirm.
        specify_client
        specify_server
        connect
        call
        send
        thread_scheduler
        task_keeper
        map
}
 

#
# Define the access vector interpretation for the AVC.
# 

# Access vector cache (AVC) management.  NOTE(review): by name these
# change cached decisions (grant, try_revoke, revoke, reset) or what is
# audited (set_auditallow, set_auditdeny); presumably privileged, so
# grants of this class in the policy deserve review -- confirm.
class avc
{
        grant 
        try_revoke
        revoke 
        reset  
        set_auditallow
        set_auditdeny
}


# 
# Define the access vector interpretation for mempools and segments.
#

# Mempool and segment objects share one class; the prefix (segment_,
# mempool_, subpool_) says which kind of object each name applies to.
class memory
{
        segment_create
        segment_destroy
        segment_map
        segment_getsize
        segment_setsize
        segment_createcopy
        mempool_create
        mempool_destroy
        mempool_addsubpool
        mempool_addsegment
        mempool_gettickets
        mempool_settickets
        # *_associate: names only; presumably checked when a segment or
        # subpool is attached to a pool -- confirm.
        segment_associate
        subpool_associate
}

