diff --git a/www/api-docs/admin_consoletype.html b/www/api-docs/admin_consoletype.html index 37a4b2d6..8e965220 100644 --- a/www/api-docs/admin_consoletype.html +++ b/www/api-docs/admin_consoletype.html @@ -72,9 +72,10 @@

Description:

-

+

Determine of the console connected to the controlling terminal. -

+

+ diff --git a/www/api-docs/admin_dmesg.html b/www/api-docs/admin_dmesg.html index 0d4fb902..45c45d7a 100644 --- a/www/api-docs/admin_dmesg.html +++ b/www/api-docs/admin_dmesg.html @@ -72,7 +72,8 @@

Description:

-

Policy for dmesg.

+

Policy for dmesg.

+ diff --git a/www/api-docs/admin_logrotate.html b/www/api-docs/admin_logrotate.html index d05e732e..45547459 100644 --- a/www/api-docs/admin_logrotate.html +++ b/www/api-docs/admin_logrotate.html @@ -72,7 +72,8 @@

Description:

-

Rotate and archive system logs

+

Rotate and archive system logs

+ diff --git a/www/api-docs/admin_netutils.html b/www/api-docs/admin_netutils.html index 7beb0fd6..5c42b384 100644 --- a/www/api-docs/admin_netutils.html +++ b/www/api-docs/admin_netutils.html @@ -72,7 +72,8 @@

Description:

-

Network analysis utilities

+

Network analysis utilities

+ diff --git a/www/api-docs/admin_rpm.html b/www/api-docs/admin_rpm.html index ed15c7cb..285109bb 100644 --- a/www/api-docs/admin_rpm.html +++ b/www/api-docs/admin_rpm.html @@ -72,7 +72,8 @@

Description:

-

Policy for the RPM package manager.

+

Policy for the RPM package manager.

+ diff --git a/www/api-docs/admin_usermanage.html b/www/api-docs/admin_usermanage.html index 6453b11c..a2b5a9af 100644 --- a/www/api-docs/admin_usermanage.html +++ b/www/api-docs/admin_usermanage.html @@ -72,7 +72,8 @@

Description:

-

Policy for managing user accounts.

+

Policy for managing user accounts.

+ diff --git a/www/api-docs/apps_gpg.html b/www/api-docs/apps_gpg.html index c354b75a..47cd6fca 100644 --- a/www/api-docs/apps_gpg.html +++ b/www/api-docs/apps_gpg.html @@ -55,7 +55,8 @@

Description:

-

Policy for GNU Privacy Guard and related programs.

+

Policy for GNU Privacy Guard and related programs.

+ diff --git a/www/api-docs/index.html b/www/api-docs/index.html index 60256bc0..76f05aa0 100644 --- a/www/api-docs/index.html +++ b/www/api-docs/index.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -275,8 +278,7 @@ Device nodes and interfaces for many basic system devices. kernel

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. +Policy for kernel threads, proc filesystem,and unlabeled processes and objects.

@@ -466,6 +468,11 @@ connection and disconnection of devices at runtime. udev

Policy for udev.

+ + + unconfined +

The unconfined domain.

+ userdomain diff --git a/www/api-docs/interfaces.html b/www/api-docs/interfaces.html index aee2de3e..38cd537f 100644 --- a/www/api-docs/interfaces.html +++ b/www/api-docs/interfaces.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -11105,6 +11108,32 @@ Layer: kernel

+corenet_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to network objects. +

+
+ + + +
+Module: +corenetwork

+Layer: +kernel

+

+ corenet_use_tun_tap_device( @@ -13744,6 +13773,32 @@ Layer: kernel

+dev_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to devices. +

+
+ +
+ +
+Module: +devices

+Layer: +kernel

+

+ dev_write_framebuffer( @@ -14582,6 +14637,32 @@ Layer: system

+domain_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to domains. +

+
+ +
+ +
+Module: +domain

+Layer: +system

+

+ domain_use_wide_inherit_fd( @@ -14686,6 +14767,40 @@ Layer: system

+files_create_home_dirs( + + + + + domain + + + + , + + + + home_type + + + )
+
+ +
+

+Create home directories +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ files_create_lock( @@ -16613,6 +16728,32 @@ Layer: system

+files_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to files. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ files_unmount_all_file_type_fs( @@ -18204,6 +18345,32 @@ Layer: kernel

+fs_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to filesystems +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ fs_unmount_all_fs( @@ -19007,7 +19174,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19015,7 +19190,8 @@ system

-Summary is missing! +Create a domain for long running processes +(daemons) which can be started by init scripts.

@@ -19033,7 +19209,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19041,7 +19225,7 @@ system

-Summary is missing! +Create a domain which can be started by init.

@@ -19444,6 +19628,42 @@ Layer: system

+init_run_daemon( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+ +
+Module: +init

+Layer: +system

+

+ init_rw_script_pid( @@ -19553,7 +19773,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19561,7 +19789,8 @@ system

-Summary is missing! +Create a domain for short running processes +which can be started by init scripts.

@@ -20876,6 +21105,32 @@ Layer: kernel

+kernel_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to the kernel. +

+
+ +
+ +
+Module: +kernel

+Layer: +kernel

+

+ kernel_use_fd( @@ -22553,7 +22808,15 @@ services

- ? + domain + + + + , + + + + entry_point )
@@ -22561,7 +22824,8 @@ services

-Summary is missing! +Modified mailserver interface for +sendmail daemon use.

@@ -23326,6 +23590,26 @@ kernel

+ domain + + + )
+

+ +
+ +
+Module: +selinux

+Layer: +kernel

+

+ +selinux_unconfined( + + + + domain @@ -24260,6 +24544,12 @@ kernel

)

+
+

+Create block devices in /dev with the fixed disk type. +

+
+
@@ -24280,6 +24570,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to get +the attributes of fixed disk device nodes. +

+
+
@@ -24300,6 +24597,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to get +the attributes of removable devices device nodes. +

+
+
@@ -24320,6 +24624,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to set +the attributes of fixed disk device nodes. +

+
+
@@ -24340,6 +24651,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to set +the attributes of removable devices device nodes. +

+
+
@@ -24360,6 +24678,13 @@ kernel

)

+
+

+Allow the caller to get the attributes of fixed disk +device nodes. +

+
+
@@ -24380,24 +24705,11 @@ kernel

)

-
- -
-Module: -storage

-Layer: -kernel

-

- -storage_getattr_scsi_generic( - - - - - domain - - - )
+
+

+Allow the caller to get the attributes of removable +devices device nodes. +

@@ -24420,6 +24732,40 @@ kernel

)

+
+

+Allow the caller to get the attributes of +the generic SCSI interface device nodes. +

+
+ +
+ +
+Module: +storage

+Layer: +kernel

+

+ +storage_getattr_scsi_generic( + + + + + domain + + + )
+
+ +
+

+Get attributes of the device nodes +for the SCSI generic inerface. +

+
+
@@ -24440,6 +24786,13 @@ kernel

)

+
+

+Allow the caller to get the attributes +of device nodes of tape devices. +

+
+
@@ -24486,6 +24839,15 @@ kernel

)

+
+

+Allow the caller to directly read from a fixed disk. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24506,6 +24868,15 @@ kernel

)

+
+

+Allow the caller to directly read from a logical volume. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24526,6 +24897,16 @@ kernel

)

+
+

+Allow the caller to directly read from +a removable device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24546,6 +24927,15 @@ kernel

)

+
+

+Allow the caller to directly write to a fixed disk. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24566,6 +24956,15 @@ kernel

)

+
+

+Allow the caller to directly read from a logical volume. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24586,6 +24985,16 @@ kernel

)

+
+

+Allow the caller to directly write to +a removable device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24606,6 +25015,16 @@ kernel

)

+
+

+Allow the caller to directly read, in a +generic fashion, from any SCSI device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24626,6 +25045,13 @@ kernel

)

+
+

+Allow the caller to directly read +a tape device. +

+
+
@@ -24672,6 +25098,13 @@ kernel

)

+
+

+Set attributes of the device nodes +for the SCSI generic inerface. +

+
+
@@ -24692,6 +25125,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of fixed disk +device nodes. +

+
+
@@ -24712,6 +25152,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of removable +devices device nodes. +

+
+
@@ -24732,6 +25179,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of +the generic SCSI interface device nodes. +

+
+
@@ -24752,6 +25206,13 @@ kernel

)

+
+

+Allow the caller to set the attributes +of device nodes of tape devices. +

+
+
@@ -24787,6 +25248,32 @@ Layer: kernel

+storage_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to storage devices. +

+
+ +
+ +
+Module: +storage

+Layer: +kernel

+

+ storage_write_scsi_generic( @@ -24798,6 +25285,16 @@ kernel

)

+
+

+Allow the caller to directly write, in a +generic fashion, from any SCSI device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24818,6 +25315,13 @@ kernel

)

+
+

+Allow the caller to directly read +a tape device. +

+
+
@@ -25886,6 +26390,136 @@ system

+
+Module: +unconfined

+Layer: +system

+

+ +unconfined_domtrans_shell( + + + + + domain + + + )
+
+ +
+

+Transition to the unconfined domain by executing a shell. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_role( + + + + + domain + + + )
+
+ +
+

+Add the unconfined domain to the specified role. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_rw_pipe( + + + + + domain + + + )
+
+ +
+

+Read and write unconfined domain unnamed pipes. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_sigchld( + + + + + domain + + + )
+
+ +
+

+Send a SIGCHLD signal to the unconfined domain. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_use_fd( + + + + + domain + + + )
+
+ +
+

+Inherit file descriptors from the unconfined domain. +

+
+ +
+
Module: userdomain

@@ -26237,6 +26871,32 @@ Layer: system

+userdom_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to user domains. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ userdom_use_all_user_fd( diff --git a/www/api-docs/kernel.html b/www/api-docs/kernel.html index 2a28af8e..bac7cf25 100644 --- a/www/api-docs/kernel.html +++ b/www/api-docs/kernel.html @@ -109,8 +109,7 @@ Device nodes and interfaces for many basic system devices. kernel

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. +Policy for kernel threads, proc filesystem,and unlabeled processes and objects.

diff --git a/www/api-docs/kernel_bootloader.html b/www/api-docs/kernel_bootloader.html index f85589c7..1eb1921e 100644 --- a/www/api-docs/kernel_bootloader.html +++ b/www/api-docs/kernel_bootloader.html @@ -78,7 +78,8 @@

Description:

-

Policy for the kernel modules, kernel image, and bootloader.

+

Policy for the kernel modules, kernel image, and bootloader.

+ diff --git a/www/api-docs/kernel_corenetwork.html b/www/api-docs/kernel_corenetwork.html index aac2e088..94444caf 100644 --- a/www/api-docs/kernel_corenetwork.html +++ b/www/api-docs/kernel_corenetwork.html @@ -78,7 +78,10 @@

Description:

-

Policy controlling access to network objects

+

Policy controlling access to network objects

+ + +

This module is required to be included in all policies.

@@ -18291,6 +18294,47 @@ No
+
+ +corenet_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to network objects. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The domain allowed access. + + +No +
+
+
+ +
+ +
corenet_use_tun_tap_device( diff --git a/www/api-docs/kernel_devices.html b/www/api-docs/kernel_devices.html index c8996194..120e3ba2 100644 --- a/www/api-docs/kernel_devices.html +++ b/www/api-docs/kernel_devices.html @@ -78,7 +78,7 @@

Description:

-

+

This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are @@ -94,7 +94,8 @@ are used to label device nodes should use the dev_node macro. Additionally, this module controls access to three things:

  • the device directories containing device nodes
  • device nodes as a group
  • individual access to specific device nodes covered by this module.

-

+

+ @@ -4049,6 +4050,47 @@ No
+
+ +dev_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to devices. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
dev_write_framebuffer( diff --git a/www/api-docs/kernel_filesystem.html b/www/api-docs/kernel_filesystem.html index f9f16674..a443856a 100644 --- a/www/api-docs/kernel_filesystem.html +++ b/www/api-docs/kernel_filesystem.html @@ -78,7 +78,10 @@

Description:

-

Policy for filesystems.

+

Policy for filesystems.

+ + +

This module is required to be included in all policies.

@@ -3288,6 +3291,47 @@ No
+
+ +fs_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to filesystems +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
fs_unmount_all_fs( diff --git a/www/api-docs/kernel_kernel.html b/www/api-docs/kernel_kernel.html index cb23abcf..f2594a2c 100644 --- a/www/api-docs/kernel_kernel.html +++ b/www/api-docs/kernel_kernel.html @@ -78,10 +78,12 @@

Description:

-

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. -

+

+Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +

+ + +

This module is required to be included in all policies.

@@ -2151,6 +2153,47 @@ No
+
+ +kernel_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to the kernel. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
kernel_use_fd( diff --git a/www/api-docs/kernel_selinux.html b/www/api-docs/kernel_selinux.html index 4d7cd7a6..b6914417 100644 --- a/www/api-docs/kernel_selinux.html +++ b/www/api-docs/kernel_selinux.html @@ -78,9 +78,12 @@

Description:

-

+

Policy for kernel security interface, in particular, selinuxfs. -

+

+ + +

This module is required to be included in all policies.

@@ -524,6 +527,47 @@ No
+
+ +selinux_unconfined( + + + + + domain + + + )
+
+
+ + +
Description
+

+Unconfined access to the SELinux security server. +

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
selinux_validate_context( diff --git a/www/api-docs/kernel_storage.html b/www/api-docs/kernel_storage.html index 1ec3c667..61332b5d 100644 --- a/www/api-docs/kernel_storage.html +++ b/www/api-docs/kernel_storage.html @@ -78,7 +78,8 @@

Description:

-

Policy controlling access to storage devices

+

Policy controlling access to storage devices

+ @@ -101,12 +102,12 @@
- -
Description
+
Summary

Create block devices in /dev with the fixed disk type.

+
Parameters
@@ -142,13 +143,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to get the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -184,13 +185,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to get the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -226,13 +227,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to set the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -268,13 +269,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to set the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -310,13 +311,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -352,13 +353,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -394,13 +395,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of the generic SCSI interface device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -436,13 +437,13 @@ No
- -
Description
+
Summary

Get attributes of the device nodes for the SCSI generic inerface.

+
Parameters
Parameter:Description:Optional:
@@ -478,13 +479,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of device nodes of tape devices.

+
Parameters
Parameter:Description:Optional:
@@ -561,8 +562,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a fixed disk. This is extremly dangerous as it can bypass the @@ -570,6 +570,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -605,8 +606,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a logical volume. This is extremly dangerous as it can bypass the @@ -614,6 +614,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -649,8 +650,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a removable device. @@ -659,6 +659,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -694,8 +695,7 @@ No
- -
Description
+
Summary

Allow the caller to directly write to a fixed disk. This is extremly dangerous as it can bypass the @@ -703,6 +703,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -738,8 +739,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a logical volume. This is extremly dangerous as it can bypass the @@ -747,6 +747,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -782,8 +783,7 @@ No
- -
Description
+
Summary

Allow the caller to directly write to a removable device. @@ -792,6 +792,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -827,8 +828,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read, in a generic fashion, from any SCSI device. @@ -837,6 +837,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -872,13 +873,13 @@ No
- -
Description
+
Summary

Allow the caller to directly read a tape device.

+
Parameters
Parameter:Description:Optional:
@@ -955,13 +956,13 @@ No
- -
Description
+
Summary

Set attributes of the device nodes for the SCSI generic inerface.

+
Parameters
Parameter:Description:Optional:
@@ -997,13 +998,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1039,13 +1040,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1081,13 +1082,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of the generic SCSI interface device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1123,13 +1124,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of device nodes of tape devices.

+
Parameters
Parameter:Description:Optional:
@@ -1192,6 +1193,47 @@ No
+
+ +storage_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to storage devices. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
storage_write_scsi_generic( @@ -1206,8 +1248,7 @@ No
- -
Description
+
Summary

Allow the caller to directly write, in a generic fashion, from any SCSI device. @@ -1216,6 +1257,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
@@ -1251,13 +1293,13 @@ No
- -
Description
+
Summary

Allow the caller to directly read a tape device.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/kernel_terminal.html b/www/api-docs/kernel_terminal.html index 4547c70b..86b74855 100644 --- a/www/api-docs/kernel_terminal.html +++ b/www/api-docs/kernel_terminal.html @@ -78,7 +78,8 @@

Description:

-

Policy for terminals.

+

Policy for terminals.

+ diff --git a/www/api-docs/services_cron.html b/www/api-docs/services_cron.html index a9409571..7b6981bb 100644 --- a/www/api-docs/services_cron.html +++ b/www/api-docs/services_cron.html @@ -81,7 +81,8 @@

Description:

-

Periodic execution of scheduled commands.

+

Periodic execution of scheduled commands.

+ diff --git a/www/api-docs/services_inetd.html b/www/api-docs/services_inetd.html index 74c94b2a..1e0009c5 100644 --- a/www/api-docs/services_inetd.html +++ b/www/api-docs/services_inetd.html @@ -78,7 +78,8 @@

Description:

-

Internet services daemon.

+

Internet services daemon.

+ diff --git a/www/api-docs/services_kerberos.html b/www/api-docs/services_kerberos.html index d25efc40..f6f57249 100644 --- a/www/api-docs/services_kerberos.html +++ b/www/api-docs/services_kerberos.html @@ -78,7 +78,7 @@

Description:

-

+

This policy supports:

@@ -88,7 +88,8 @@ Servers:

Clients:

  • kinit
  • kdestroy
  • klist
  • ksu (incomplete)

-

+

+ diff --git a/www/api-docs/services_mta.html b/www/api-docs/services_mta.html index 949e72d5..036a1fcc 100644 --- a/www/api-docs/services_mta.html +++ b/www/api-docs/services_mta.html @@ -81,7 +81,8 @@

Description:

-

Policy common to all email tranfer agents.

+

Policy common to all email tranfer agents.

+ @@ -466,7 +467,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -475,19 +484,46 @@ No
Summary

-Summary is missing! +Modified mailserver interface for +sendmail daemon use.

+
Description
+

+

+A modified MTA mail server interface for +the sendmail program. It's design does +not fit well with policy, and using the +regular interface causes a type_transition +conflict if direct running of init scripts +is enabled. +

+

+This interface should most likely only be used +by the sendmail policy. +

+

+
Parameters
Parameter:Description:Optional:
+ + + + + diff --git a/www/api-docs/system_authlogin.html b/www/api-docs/system_authlogin.html index bcd8a82d..89a2f0c9 100644 --- a/www/api-docs/system_authlogin.html +++ b/www/api-docs/system_authlogin.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,8 @@

Description:

-

Common policy for authentication and user login.

+

Common policy for authentication and user login.

+ diff --git a/www/api-docs/system_clock.html b/www/api-docs/system_clock.html index 3301e7c8..fba0684a 100644 --- a/www/api-docs/system_clock.html +++ b/www/api-docs/system_clock.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for reading and setting the hardware clock.

+

Policy for reading and setting the hardware clock.

+ diff --git a/www/api-docs/system_corecommands.html b/www/api-docs/system_corecommands.html index 7d065e9d..cb66c7f7 100644 --- a/www/api-docs/system_corecommands.html +++ b/www/api-docs/system_corecommands.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,10 +123,11 @@

Description:

-

+

Core policy for shells, and generic programs in /bin, /sbin, /usr/bin, and /usr/sbin. -

+

+ diff --git a/www/api-docs/system_domain.html b/www/api-docs/system_domain.html index f02e5b78..7ab85320 100644 --- a/www/api-docs/system_domain.html +++ b/www/api-docs/system_domain.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,10 @@

Description:

-

Core policy for domains.

+

Core policy for domains.

+ + +

This module is required to be included in all policies.

@@ -1125,6 +1131,47 @@ No
+
+ +domain_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to domains. +

+ + +
Parameters
+
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +The type to be used for the mail server. + + +No +
+entry_point + + +The type to be used for the domain entry point program. No diff --git a/www/api-docs/services_nis.html b/www/api-docs/services_nis.html index 5997c42a..9670fc74 100644 --- a/www/api-docs/services_nis.html +++ b/www/api-docs/services_nis.html @@ -78,7 +78,8 @@

Description:

-

Policy for NIS (YP) servers and clients

+

Policy for NIS (YP) servers and clients

+ diff --git a/www/api-docs/services_remotelogin.html b/www/api-docs/services_remotelogin.html index 8bd22ed8..70a0b7bd 100644 --- a/www/api-docs/services_remotelogin.html +++ b/www/api-docs/services_remotelogin.html @@ -78,7 +78,8 @@

Description:

-

Policy for rshd, rlogind, and telnetd.

+

Policy for rshd, rlogind, and telnetd.

+ diff --git a/www/api-docs/services_sendmail.html b/www/api-docs/services_sendmail.html index a8561ad9..1dd53f4a 100644 --- a/www/api-docs/services_sendmail.html +++ b/www/api-docs/services_sendmail.html @@ -78,7 +78,8 @@

Description:

-

Policy for sendmail.

+

Policy for sendmail.

+ diff --git a/www/api-docs/services_ssh.html b/www/api-docs/services_ssh.html index 2eadd26f..46a0a118 100644 --- a/www/api-docs/services_ssh.html +++ b/www/api-docs/services_ssh.html @@ -81,7 +81,8 @@

Description:

-

Secure shell client and server policy.

+

Secure shell client and server policy.

+ diff --git a/www/api-docs/system.html b/www/api-docs/system.html index 30026953..267d3773 100644 --- a/www/api-docs/system.html +++ b/www/api-docs/system.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -244,6 +247,11 @@ connection and disconnection of devices at runtime. udev

Policy for udev.

+ + unconfined

The unconfined domain.

userdomain
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ +
+ +
domain_use_wide_inherit_fd( diff --git a/www/api-docs/system_files.html b/www/api-docs/system_files.html index cdfd1f76..b2b23a6a 100644 --- a/www/api-docs/system_files.html +++ b/www/api-docs/system_files.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,14 +123,17 @@

Description:

-

+

This module contains basic filesystem types and interfaces. This includes:

  • The concept of different file types including basic files, mount points, tmp files, etc.
  • Access to groups of files and all files.
  • Types and interfaces for the basic filesystem layout (/, /etc, /tmp, /usr, etc.).

-

+

+ + +

This module is required to be included in all policies.

@@ -218,6 +224,65 @@ No
+
+ +files_create_home_dirs( + + + + + domain + + + + , + + + + home_type + + + )
+
+
+ +
Summary
+

+Create home directories +

+ + +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+home_type + + +The type of the home directory + + +No +
+
+
+ +
+ +
files_create_lock( @@ -3359,6 +3424,47 @@ No
+
+ +files_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
files_unmount_all_file_type_fs( diff --git a/www/api-docs/system_fstools.html b/www/api-docs/system_fstools.html index 64756990..bf68ba94 100644 --- a/www/api-docs/system_fstools.html +++ b/www/api-docs/system_fstools.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Tools for filesystem management, such as mkfs and fsck.

+

Tools for filesystem management, such as mkfs and fsck.

+ diff --git a/www/api-docs/system_getty.html b/www/api-docs/system_getty.html index eb97234a..810af4de 100644 --- a/www/api-docs/system_getty.html +++ b/www/api-docs/system_getty.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for getty.

+

Policy for getty.

+ diff --git a/www/api-docs/system_hostname.html b/www/api-docs/system_hostname.html index a45d6865..93e46aab 100644 --- a/www/api-docs/system_hostname.html +++ b/www/api-docs/system_hostname.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for changing the system host name.

+

Policy for changing the system host name.

+ diff --git a/www/api-docs/system_hotplug.html b/www/api-docs/system_hotplug.html index c517d4b8..519b4a96 100644 --- a/www/api-docs/system_hotplug.html +++ b/www/api-docs/system_hotplug.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,10 +123,11 @@

Description:

-

+

Policy for hotplug system, for supporting the connection and disconnection of devices at runtime. -

+

+ diff --git a/www/api-docs/system_init.html b/www/api-docs/system_init.html index 6c086fc5..265a9597 100644 --- a/www/api-docs/system_init.html +++ b/www/api-docs/system_init.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

System initialization programs (init and init scripts).

+

System initialization programs (init and init scripts).

+ @@ -136,7 +140,15 @@ - ? + domain + + + + , + + + + entry_point )
@@ -145,7 +157,8 @@
Summary

-Summary is missing! +Create a domain for long running processes +(daemons) which can be started by init scripts.

@@ -154,10 +167,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No @@ -177,7 +200,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -186,7 +217,7 @@ No
Summary

-Summary is missing! +Create a domain which can be started by init.

@@ -195,10 +226,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No @@ -826,6 +867,83 @@ No
+
+ +init_run_daemon( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ + +
Description
+

+Start and stop daemon programs directly. +

+ +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to be performing this action. + + +No +
+terminal + + +The type of the terminal of the user. + + +No +
+
+
+ +
+ +
init_rw_script_pid( @@ -997,7 +1115,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -1006,7 +1132,8 @@ No
Summary

-Summary is missing! +Create a domain for short running processes +which can be started by init scripts.

@@ -1015,10 +1142,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No diff --git a/www/api-docs/system_iptables.html b/www/api-docs/system_iptables.html index d0cff126..c57dd88e 100644 --- a/www/api-docs/system_iptables.html +++ b/www/api-docs/system_iptables.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for iptables.

+

Policy for iptables.

+ diff --git a/www/api-docs/system_libraries.html b/www/api-docs/system_libraries.html index 73686d52..ff2c5b32 100644 --- a/www/api-docs/system_libraries.html +++ b/www/api-docs/system_libraries.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for system libraries.

+

Policy for system libraries.

+ diff --git a/www/api-docs/system_locallogin.html b/www/api-docs/system_locallogin.html index 248f982f..34495f7f 100644 --- a/www/api-docs/system_locallogin.html +++ b/www/api-docs/system_locallogin.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for local logins.

+

Policy for local logins.

+ diff --git a/www/api-docs/system_logging.html b/www/api-docs/system_logging.html index 4554b108..bc1079ef 100644 --- a/www/api-docs/system_logging.html +++ b/www/api-docs/system_logging.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for the kernel message logger and system logging daemon.

+

Policy for the kernel message logger and system logging daemon.

+ diff --git a/www/api-docs/system_lvm.html b/www/api-docs/system_lvm.html index 0da71a83..ce57f083 100644 --- a/www/api-docs/system_lvm.html +++ b/www/api-docs/system_lvm.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for logical volume management programs.

+

Policy for logical volume management programs.

+ diff --git a/www/api-docs/system_miscfiles.html b/www/api-docs/system_miscfiles.html index be5525b8..1bf647ef 100644 --- a/www/api-docs/system_miscfiles.html +++ b/www/api-docs/system_miscfiles.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Miscelaneous files.

+

Miscelaneous files.

+ diff --git a/www/api-docs/system_modutils.html b/www/api-docs/system_modutils.html index 36849758..fdbb731c 100644 --- a/www/api-docs/system_modutils.html +++ b/www/api-docs/system_modutils.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for kernel module utilities

+

Policy for kernel module utilities

+ diff --git a/www/api-docs/system_mount.html b/www/api-docs/system_mount.html index 7f61be86..48b61643 100644 --- a/www/api-docs/system_mount.html +++ b/www/api-docs/system_mount.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for mount.

+

Policy for mount.

+ diff --git a/www/api-docs/system_selinuxutil.html b/www/api-docs/system_selinuxutil.html index ad54f250..6ed72879 100644 --- a/www/api-docs/system_selinuxutil.html +++ b/www/api-docs/system_selinuxutil.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for SELinux policy and userland applications.

+

Policy for SELinux policy and userland applications.

+ diff --git a/www/api-docs/system_sysnetwork.html b/www/api-docs/system_sysnetwork.html index 7fcfd262..3dca320d 100644 --- a/www/api-docs/system_sysnetwork.html +++ b/www/api-docs/system_sysnetwork.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for network configuration: ifconfig and dhcp client.

+

Policy for network configuration: ifconfig and dhcp client.

+ diff --git a/www/api-docs/system_udev.html b/www/api-docs/system_udev.html index d25f12e3..d6d9caa4 100644 --- a/www/api-docs/system_udev.html +++ b/www/api-docs/system_udev.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for udev.

+

Policy for udev.

+ diff --git a/www/api-docs/system_unconfined.html b/www/api-docs/system_unconfined.html new file mode 100644 index 00000000..a57bce1c --- /dev/null +++ b/www/api-docs/system_unconfined.html @@ -0,0 +1,395 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: system

+

Module: unconfined

+ + +Interfaces +Templates + + +

Description:

+ +

The unconfined domain.

+ + + + +

Interfaces:

+ +
+ + +
+ +unconfined_domtrans_shell( + + + + + domain + + + )
+
+
+ +
Summary
+

+Transition to the unconfined domain by executing a shell. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_role( + + + + + domain + + + )
+
+
+ +
Summary
+

+Add the unconfined domain to the specified role. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_rw_pipe( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write unconfined domain unnamed pipes. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_sigchld( + + + + + domain + + + )
+
+
+ +
Summary
+

+Send a SIGCHLD signal to the unconfined domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_use_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit file descriptors from the unconfined domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +Return + + + +

Templates:

+ +
+ + +
+ +unconfined_domain_template( + + + + + domain + + + )
+
+
+ +
Summary
+

+A template to make the specified domain unconfined. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to make unconfined. + + +No +
+
+
+ + +Return + + +
+ + diff --git a/www/api-docs/system_userdomain.html b/www/api-docs/system_userdomain.html index e428af79..0d4c3b99 100644 --- a/www/api-docs/system_userdomain.html +++ b/www/api-docs/system_userdomain.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,8 @@

Description:

-

Policy for user domains

+

Policy for user domains

+ @@ -671,6 +675,47 @@ No
+
+ +userdom_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to user domains. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ +
userdom_use_all_user_fd( diff --git a/www/api-docs/templates.html b/www/api-docs/templates.html index 38289bab..258b89cc 100644 --- a/www/api-docs/templates.html +++ b/www/api-docs/templates.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -471,6 +474,32 @@ The template to define a ssh server.
+
+Module: +unconfined

+Layer: +system

+

+ +unconfined_domain_template( + + + + + domain + + + )
+
+ +
+

+A template to make the specified domain unconfined. +

+
+ +
+
Module: userdomain