+
@@ -257,6 +308,19 @@ Allow system to run with kerberos
+
+
allow_user_mysql_connect
+
+
Default value
+
false
+
+
Description
+
+Allow users to connect to mysql
+
+
+
allow_ypbind
@@ -298,6 +362,20 @@ to support fcron.
+
+
named_write_master_zones
+
+
Default value
+
false
+
+
Description
+
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS.
+
+
+
read_default_t
diff --git a/www/api-docs/index.html b/www/api-docs/index.html
index e4290fe5..07cb0df0 100644
--- a/www/api-docs/index.html
+++ b/www/api-docs/index.html
@@ -13,21 +13,42 @@
admin
+
@@ -76,33 +100,60 @@
services
+
@@ -214,6 +265,11 @@
| Module: | Description: |
+ |
+
+ acct |
+ Berkeley process accounting |
+
|
consoletype |
@@ -226,6 +282,14 @@ Determine of the console connected to the controlling terminal.
dmesg
Policy for dmesg. |
+
|
+
+ firstboot |
+
+Final system configuration run during the first boot
+after installation of Red Hat/Fedora systems.
+ |
+
|
logrotate |
@@ -236,11 +300,36 @@ Determine of the console connected to the controlling terminal.
netutils
Network analysis utilities |
+
|
+
+ quota |
+ File system quota management |
+
|
rpm |
Policy for the RPM package manager. |
+
|
+
+ su |
+ Run shells with substitute user and group |
+
+
|
+
+ sudo |
+ Execute a command with a substitute user |
+
+
|
+
+ tmpreaper |
+ Manage temporary directory sizes and file ages |
+
+
|
+
+ updfstab |
+ Red Hat utility to change /etc/fstab. |
+
|
usermanage |
@@ -354,6 +443,11 @@ Policy for kernel security interface, in particular, selinuxfs.
gpg
Policy for GNU Privacy Guard and related programs. |
+
|
+
+ loadkeys |
+ Load keyboard mappings. |
+
@@ -555,11 +649,26 @@ connection and disconnection of devices at runtime.
+ |
+
+ bind |
+ Berkeley internet name domain DNS server. |
+
|
cron |
Periodic execution of scheduled commands. |
+
|
+
+ gpm |
+ General Purpose Mouse driver |
+
+
|
+
+ howl |
+ Port of Apple Rendezvous multicast DNS |
+
|
inetd |
@@ -570,11 +679,21 @@ connection and disconnection of devices at runtime.
kerberos
MIT Kerberos admin and KDC |
+
|
+
+ ldap |
+ OpenLDAP directory server |
+
|
mta |
Policy common to all email tranfer agents. |
+
|
+
+ mysql |
+ Policy for MySQL |
+
|
nis |
@@ -585,11 +704,26 @@ connection and disconnection of devices at runtime.
nscd
Name service cache daemon |
+
|
+
+ privoxy |
+ Privacy enhancing web proxy. |
+
|
remotelogin |
Policy for rshd, rlogind, and telnetd. |
+
|
+
+ rshd |
+ Remote shell service. |
+
+
|
+
+ rsync |
+ Fast incremental file transfer for synchronization |
+
|
sendmail |
@@ -600,6 +734,11 @@ connection and disconnection of devices at runtime.
ssh
Secure shell client and server policy. |
+
|
+
+ tcpd |
+ Policy for TCP daemon. |
+
diff --git a/www/api-docs/interfaces.html b/www/api-docs/interfaces.html
index 6a441706..4f8d87ce 100644
--- a/www/api-docs/interfaces.html
+++ b/www/api-docs/interfaces.html
@@ -13,21 +13,42 @@
admin
+
@@ -76,33 +100,60 @@
services
+
@@ -205,6 +256,136 @@
Master interface index:
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Transition to the accounting management domain.
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute accounting management tools in the caller domain.
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_exec_data(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute accounting management data in the caller domain.
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_manage_data(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete process accounting data.
+
+
+
+
+Module:
+authlogin
+Layer:
+system
+
+
+auth_create_login_records(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
Module:
authlogin
@@ -223,6 +404,12 @@ system
)
+
+Delete pam PID files.
+
+
@@ -243,6 +430,12 @@ system
)
+
+
+Run unix_chkpwd to check a password.
+
+
+
@@ -271,6 +464,12 @@ system
)
+
+Execute a login_program in the target domain.
+
+
@@ -291,6 +490,12 @@ system
)
+
+Execute pam programs in the pam domain.
+
+
@@ -337,6 +542,12 @@ system
)
+
+Execute utempter programs in the utempter domain.
+
+
@@ -384,6 +595,13 @@ system
)
+
+Do not audit attempts to read the shadow
+password file (/etc/shadow).
+
+
@@ -430,6 +648,12 @@ system
)
+
+Execute the pam program.
+
+
@@ -502,6 +726,12 @@ system
)
+
+Use the login program as an entry point program.
+
+
@@ -534,6 +764,13 @@ system
)
+
+Manage all files on the filesystem, except
+the shadow passwords and listed exceptions.
+
+
@@ -710,6 +947,12 @@ system
)
+
+Read the shadow passwords file (/etc/shadow)
+
+
@@ -742,6 +985,13 @@ system
)
+
+Relabel all files on the filesystem, except
+the shadow passwords and listed exceptions.
+
+
@@ -804,6 +1054,12 @@ system
)
+
+Execute pam programs in the PAM domain.
+
+
@@ -840,6 +1096,12 @@ system
)
+
+Execute utempter programs in the utempter domain.
+
+
@@ -938,6 +1200,12 @@ system
)
+
+Read and write the shadow password file (/etc/shadow).
+
+
@@ -966,6 +1234,154 @@ Unconfined access to the authlogin module.
+
+Module:
+bind
+Layer:
+services
+
+
+bind_domtrans_ndc(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute ndc in the ndc domain.
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read BIND named configuration files.
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_run_ndc(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute ndc in the ndc domain, and
+allow the specified role the ndc domain.
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_setattr_pid_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to set the attributes
+of the BIND pid directory.
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_write_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write BIND named configuration files.
+
+
+
+
Module:
bootloader
@@ -1526,6 +1942,12 @@ system
)
+
+Execute hwclock in the clock domain.
+
+
@@ -1546,6 +1968,12 @@ system
)
+
+ Execute hwclock in the caller domain.
+
+
@@ -1582,6 +2010,13 @@ system
)
+
+Execute hwclock in the clock domain, and
+allow the specified role the hwclock domain.
+
+
@@ -1602,6 +2037,12 @@ system
)
+
+ Allow executing domain to modify clock drift
+
+
@@ -1622,6 +2063,12 @@ admin
)
+
+Execute consoletype in the consoletype domain.
+
+
@@ -1642,6 +2089,12 @@ admin
)
+
+Execute consoletype in the caller domain.
+
+
@@ -2285,6 +2738,14 @@ system
)
+
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+
+
@@ -18140,13 +18601,13 @@ Execute dmesg in the caller domain.
-Module:
+Module:
domain
Layer:
system
-
domain_base_domain_type(
+
domain_base_type(
@@ -18264,6 +18725,13 @@ system
)
+
+
+Do not audit attempts to get the attributes
+of all domains unix datagram sockets.
+
+
+
@@ -18284,6 +18752,13 @@ system
)
+
+Do not audit attempts to get the attributes
+of all domains unnamed pipes.
+
+
@@ -18331,6 +18806,13 @@ system
)
+
+Do not audit attempts to read the process state
+directories of all domains.
+
+
@@ -18518,6 +19000,33 @@ Summary is missing!
+
+Module:
+domain
+Layer:
+system
+
+
+domain_getattr_all_entry_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of entry point
+files for all domains.
+
+
+
+
Module:
domain
@@ -18589,6 +19098,12 @@ system
)
+
+Send a kill signal to all domains.
+
+
@@ -18609,6 +19124,13 @@ system
)
+
+Makes caller an exception to the constraint preventing
+changing the user identity in object contexts.
+
+
@@ -18681,6 +19203,13 @@ system
)
+
+Makes caller an exception to the constraint preventing
+changing of role.
+
+
@@ -18727,6 +19256,12 @@ system
)
+
+Send a child terminated signal to all domains.
+
+
@@ -18774,6 +19309,12 @@ system
)
+
+Send general signals to all domains.
+
+
@@ -18794,6 +19335,12 @@ system
)
+
+Send a null signal to all domains.
+
+
@@ -18814,6 +19361,12 @@ system
)
+
+Send a stop signal to all domains.
+
+
@@ -18834,6 +19387,13 @@ system
)
+
+Makes caller an exception to the constraint preventing
+changing of user identity.
+
+
@@ -19240,32 +19800,6 @@ system
- ?
-
-
- )
-
-
-Summary is missing!
-
-
-Module:
-files
-Layer:
-system
-
-
-files_delete_all_tmp_files(
-
-
-
-
?
@@ -19574,6 +20108,34 @@ Do not audit attempts to ioctl daemon runtime data files.
+
+Module:
+files
+Layer:
+system
+
+
+files_dontaudit_read_etc_runtime_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to read files
+in /etc that are dynamically
+created on boot, such as mtab.
+
+
+
+
+
Module:
files
@@ -19678,6 +20240,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_dontaudit_search_home(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to search home directories root.
+
+
+
+
+
Module:
files
@@ -19900,7 +20488,7 @@ system
- ?
+ domain
)
@@ -19908,7 +20496,7 @@ system
-Summary is missing!
+Get the attributes of all files.
@@ -20018,6 +20606,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_getattr_usr_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of files in /usr.
+
+
+
+
+
Module:
files
@@ -20056,6 +20670,32 @@ system
+ domain
+
+
+ )
+
+
+
+
+List the contents of all directories.
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_list_all_dirs(
+
+
+
+
?
@@ -20279,6 +20919,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_list_var_lib(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+List the contents of the /var/lib directory.
+
+
+
+
+
Module:
files
@@ -20408,7 +21074,7 @@ system
- ?
+ domain
)
@@ -20416,7 +21082,9 @@ system
-Summary is missing!
+Create, read, write, and delete files in
+/etc that are dynamically created on boot,
+such as mtab.
@@ -20688,6 +21356,58 @@ Create, read, write, and delete directories in /mnt.
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_mnt_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files in /mnt.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_mnt_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic links in /mnt.
+
+
+
+
+
Module:
files
@@ -20714,6 +21434,86 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete directories
+in the /var directory.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files in the /var directory.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic
+links in the /var directory.
+
+
+
+
+
Module:
files
@@ -20871,6 +21671,58 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_purge_tmp(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_read_all_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+
+
Module:
files
@@ -20897,6 +21749,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_read_all_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read all symbolic links.
+
+
+
+
+
Module:
files
@@ -21039,7 +21917,7 @@ system
- ?
+ domain
)
@@ -21047,7 +21925,8 @@ system
-Summary is missing!
+Read files in /etc that are dynamically
+created on boot, such as mtab.
@@ -21158,6 +22037,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_read_usr_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read symbolic links in /usr.
+
+
+
+
+
Module:
files
@@ -21405,6 +22310,32 @@ Summary is missing!
+
+Module:
+files
+Layer:
+system
+
+
+files_relabelto_usr_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Relabel a file to the type used in /usr.
+
+
+
+
+
Module:
files
@@ -21583,7 +22514,7 @@ system
-Search home directories.
+Search home directories root.
@@ -21713,7 +22644,7 @@ system
-Search the tmp directory (/tmp)
+Search the tmp directory (/tmp).
@@ -21797,6 +22728,32 @@ Search the /var/lib directory.
+
+Module:
+files
+Layer:
+system
+
+
+files_setattr_all_tmp_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the attributes of all tmp directories.
+
+
+
+
+
Module:
files
@@ -21980,6 +22937,127 @@ Summary is missing!
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute firstboot in the firstboot domain.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute firstboot in the firstboot domain, and
+allow the specified role the firstboot domain.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_use_fd(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Inherit and use a file descriptor from firstboot.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_write_pipe(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write to a firstboot unnamed pipe.
+
+
+
+
+
Module:
filesystem
@@ -22370,6 +23448,33 @@ Get the quotas of all filesystems.
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_get_xattr_fs_quota(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the filesystem quotas of a filesystem
+with extended attributes.
+
+
+
+
+
Module:
filesystem
@@ -24178,6 +25283,58 @@ mounted filesystems.
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_search_cifs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Search directories on a CIFS or SMB filesystem.
+
+
+
+
+
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_search_nfs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Search directories on a NFS filesystem.
+
+
+
+
+
Module:
filesystem
@@ -24230,6 +25387,33 @@ Set the quotas of all filesystems.
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_set_xattr_fs_quota(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the filesystem quotas of a filesystem
+with extended attributes.
+
+
+
+
+
Module:
filesystem
@@ -24694,6 +25878,12 @@ system
)
+
+
+Execute fs tools in the fstools domain.
+
+
+
@@ -24714,6 +25904,66 @@ system
)
+
+Execute fsadm in the caller domain.
+
+
+Module:
+fstools
+Layer:
+system
+
+
+fstools_manage_entry_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete a file used by the
+filesystem tools programs.
+
+
+
+
+Module:
+fstools
+Layer:
+system
+
+
+fstools_relabelto_entry_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Relabel a file to the type used by the
+filesystem tools programs.
+
+
+
@@ -24750,6 +26000,13 @@ system
)
+
+Execute fs tools in the fstools domain, and
+allow the specified role the fs tools domain.
+
+
@@ -24770,6 +26027,12 @@ system
)
+
+Execute gettys in the getty domain.
+
+
@@ -24790,6 +26053,12 @@ system
)
+
+Allow process to edit getty config file.
+
+
@@ -24810,6 +26079,12 @@ system
)
+
+Allow process to read getty config file.
+
+
@@ -24830,6 +26105,94 @@ system
)
+
+Allow process to read getty log file.
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_dontaudit_getattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to get the
+attributes of the GPM control channel
+named socket.
+
+
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_getattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of the GPM
+control channel named socket.
+
+
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_setattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the attributes of the GPM
+control channel named socket.
+
+
+
@@ -25169,6 +26532,32 @@ Define the specified domain as a inetd service.
+
+Module:
+inetd
+Layer:
+services
+
+
+inetd_domtrans_child(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Run inetd child process in the inet child domain
+
+
+
+
Module:
inetd
@@ -25204,13 +26593,13 @@ Define the specified domain as a TCP and UDP inetd service.
-Module:
+Module:
inetd
Layer:
services
-inetd_tcp_connectto(
+inetd_tcp_connect(
@@ -25297,6 +26686,32 @@ Define the specified domain as a UDP inetd service.
+
+Module:
+inetd
+Layer:
+services
+
+
+inetd_use_fd(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Inherit and use file descriptors from inetd.
+
+
+
+
+
Module:
init
@@ -25704,6 +27119,85 @@ Summary is missing!
+
+Module:
+init
+Layer:
+system
+
+
+init_list_script_pids(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+List the contents of an init script
+process id directory.
+
+
+
+
+
+
+Module:
+init
+Layer:
+system
+
+
+init_read_script(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read init scripts.
+
+
+
+
+
+
+Module:
+init
+Layer:
+system
+
+
+init_read_script_file(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read init scripts.
+
+
+
+
+
Module:
init
@@ -25790,6 +27284,12 @@ system
)
+
+
+Start and stop daemon programs directly.
+
+
+
@@ -26047,7 +27547,7 @@ system
- ?
+ domain
)
@@ -26055,7 +27555,7 @@ system
-Summary is missing!
+Read and write the init script pty.
@@ -26087,32 +27587,6 @@ Summary is missing!
-Module:
-ipsec
-Layer:
-system
-
-
-ipsec_connectto_unix_stream_socket(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Connect to an IPSEC unix domain stream socket.
-
-
-
-
Module:
ipsec
@@ -26243,6 +27717,32 @@ Read the IPSEC configuration
+Module:
+ipsec
+Layer:
+system
+
+
+ipsec_stream_connect(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Connect to IPSEC using a unix domain stream socket.
+
+
+
+
Module:
iptables
@@ -26261,6 +27761,12 @@ system
)
+
+Execute iptables in the iptables domain.
+
+
@@ -26281,6 +27787,12 @@ system
)
+
+Execute iptables in the caller domain.
+
+
@@ -26317,16 +27829,23 @@ system
)
+
+Execute iptables in the iptables domain, and
+allow the specified role the iptables domain.
+
+
-Module:
+Module:
kerberos
Layer:
services
-kerberos_read_conf(
+kerberos_read_config(
@@ -26345,6 +27864,32 @@ Read the kerberos configuration file (/etc/krb5.conf).
+
+Module:
+kerberos
+Layer:
+services
+
+
+kerberos_rw_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read and write the kerberos configuration file (/etc/krb5.conf).
+
+
+
+
+
Module:
kerberos
@@ -26636,6 +28181,32 @@ kernel file descriptors.
+
+Module:
+kernel
+Layer:
+kernel
+
+
+kernel_dontaudit_write_kernel_sysctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to write generic kernel sysctls.
+
+
+
+
+
Module:
kernel
@@ -28107,6 +29678,59 @@ by transitioning to the specified domain.
+
+Module:
+ldap
+Layer:
+services
+
+
+ldap_list_db_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read the contents of the OpenLDAP
+database directories.
+
+
+
+
+
+
+Module:
+ldap
+Layer:
+services
+
+
+ldap_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read the OpenLDAP configuration files.
+
+
+
+
+
Module:
libraries
@@ -28266,6 +29890,32 @@ as static libraries.
+
+Module:
+libraries
+Layer:
+system
+
+
+libs_relabelto_lib_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Relabel files to the type used in library directories.
+
+
+
+
+
Module:
libraries
@@ -28414,6 +30064,100 @@ Load and execute functions from shared libraries.
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the loadkeys domain.
+
+
+
+
+
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the caller domain.
+
+
+
+
+
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the loadkeys domain.
+
+
+
+
+
Module:
locallogin
@@ -28796,6 +30540,14 @@ system
)
+
+
+Allows the domain to open a file in the
+log directory, but does not allow the listing
+of the contents of the log directory.
+
+
+
@@ -28989,6 +30741,12 @@ system
)
+
+Execute lvm programs in the lvm domain.
+
+
@@ -29009,6 +30767,12 @@ system
)
+
+Read LVM configuration files.
+
+
@@ -29045,6 +30809,12 @@ system
)
+
+Execute lvm programs in the lvm domain.
+
+
@@ -29248,6 +31018,12 @@ system
)
+
+Execute depmod in the depmod domain.
+
+
@@ -29268,6 +31044,12 @@ system
)
+
+Execute insmod in the insmod domain.
+
+
@@ -29288,6 +31070,12 @@ system
)
+
+Execute depmod in the depmod domain.
+
+
@@ -29386,6 +31174,12 @@ system
)
+
+Read the dependencies of kernel modules.
+
+
@@ -29406,6 +31200,13 @@ system
)
+
+Read the configuration options used when
+loading modules.
+
+
@@ -29442,6 +31243,12 @@ system
)
+
+Execute depmod in the depmod domain.
+
+
@@ -29478,6 +31285,15 @@ system
)
+
+Execute insmod in the insmod domain, and
+allow the specified role the insmod domain,
+and use the caller's terminal. Has a sigchld
+backchannel.
+
+
@@ -29514,6 +31330,12 @@ system
)
+
+Execute update_modules in the update_modules domain.
+
+
@@ -29534,6 +31356,12 @@ system
)
+
+Execute mount in the mount domain.
+
+
@@ -29570,6 +31398,14 @@ system
)
+
+Execute mount in the mount domain, and
+allow the specified role the mount domain,
+and use the caller's terminal.
+
+
@@ -29590,6 +31426,13 @@ system
)
+
+Allow the mount domain to send nfs requests for mounting
+network drives
+
+
@@ -29610,6 +31453,12 @@ system
)
+
+Use file descriptors for mount.
+
+
@@ -29787,6 +31636,12 @@ services
)
+
+Read mail address aliases.
+
+
@@ -29902,6 +31757,189 @@ sendmail daemon use.
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_manage_db_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete MySQL database directories.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read MySQL configuration files.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_rw_db_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read and write to the MySQL database directory.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_search_db_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Search the directories that contain MySQL
+database storage.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_signal(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Send a generic signal to MySQL.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_stream_connect(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Connect to MySQL using a unix domain stream socket.
+
+
+
+
+Module:
+mysql
+Layer:
+services
+
+
+mysql_write_log(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write to the MySQL log.
+
+
+
+
Module:
netutils
@@ -30572,6 +32610,128 @@ allow the specified role the cardmgr domain.
+Module:
+quota
+Layer:
+admin
+
+
+quota_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute quota management tools in the quota domain.
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_dontaudit_getattr_db(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to get the attributes
+of filesystem quota data files.
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_manage_flags(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute quota management tools in the quota domain, and
+allow the specified role the quota domain.
+
+
+
+
Module:
raid
@@ -30642,6 +32802,12 @@ services
)
+
+Domain transition to the remote login domain.
+
+
@@ -30894,6 +33060,32 @@ Inherit and use file descriptors from RPM scripts.
+
+Module:
+rshd
+Layer:
+services
+
+
+rshd_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Domain transition to rshd.
+
+
+
+
Module:
selinux
@@ -30940,7 +33132,7 @@ kernel
-
+Calculate the default type for object creation.
@@ -30966,7 +33158,7 @@ kernel
-
+Calculate the context for relabeling objects.
@@ -31189,7 +33381,7 @@ kernel
-Allow caller to set selinux security parameters.
+Allow caller to set SELinux access vector cache parameters.
@@ -31215,7 +33407,7 @@ kernel
-Unconfined access to the SELinux security server.
+Unconfined access to the SELinux kernel security server.
@@ -31265,6 +33457,12 @@ services
)
+
+Domain transition to sendmail.
+
+
@@ -31311,6 +33509,12 @@ system
)
+
+Execute checkpolicy in the checkpolicy domain.
+
+
@@ -31331,6 +33535,12 @@ system
)
+
+Execute load_policy in the load_policy domain.
+
+
@@ -31351,6 +33561,12 @@ system
)
+
+Execute newrole in the load_policy domain.
+
+
@@ -31371,6 +33587,12 @@ system
)
+
+Execute restorecon in the restorecon domain.
+
+
@@ -31391,6 +33613,12 @@ system
)
+
+Execute run_init in the run_init domain.
+
+
@@ -31411,6 +33639,12 @@ system
)
+
+Execute setfiles in the setfiles domain.
+
+
@@ -31458,6 +33692,13 @@ system
)
+
+Do not audit the caller attempts to send
+a signal to newrole.
+
+
@@ -31816,6 +34057,12 @@ system
)
+
+Allow the caller to relabel a file to the binary policy type.
+
+
@@ -31852,6 +34099,15 @@ system
)
+
+Execute checkpolicy in the checkpolicy domain, and
+allow the specified role the checkpolicy domain,
+and use the caller's terminal.
+Has a SIGCHLD signal backchannel.
+
+
@@ -31888,6 +34144,15 @@ system
)
+
+Execute load_policy in the load_policy domain, and
+allow the specified role the load_policy domain,
+and use the caller's terminal.
+Has a SIGCHLD signal backchannel.
+
+
@@ -31924,6 +34189,14 @@ system
)
+
+Execute newrole in the newrole domain, and
+allow the specified role the newrole domain,
+and use the caller's terminal.
+
+
@@ -31960,6 +34233,14 @@ system
)
+
+Execute restorecon in the restorecon domain, and
+allow the specified role the restorecon domain,
+and use the caller's terminal.
+
+
@@ -31996,6 +34277,14 @@ system
)
+
+Execute run_init in the run_init domain, and
+allow the specified role the run_init domain,
+and use the caller's terminal.
+
+
@@ -32032,6 +34321,14 @@ system
)
+
+Execute setfiles in the setfiles domain, and
+allow the specified role the setfiles domain,
+and use the caller's terminal.
+
+
@@ -32986,6 +35283,33 @@ a tape device.
+
+Module:
+sysnetwork
+Layer:
+system
+
+
+sysnet_create_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create files in /etc with the type used for
+the network config files.
+
+
+
+
Module:
sysnetwork
@@ -33004,6 +35328,12 @@ system
)
+
+Execute dhcp client in dhcpc domain.
+
+
@@ -33024,6 +35354,12 @@ system
)
+
+Execute ifconfig in the ifconfig domain.
+
+
@@ -33190,6 +35526,14 @@ system
)
+
+Execute ifconfig in the ifconfig domain, and
+allow the specified role the ifconfig domain,
+and use the caller's terminal.
+
+
@@ -33348,6 +35692,12 @@ kernel
)
+
+Create a pty in the /dev/pts directory.
+
+
@@ -33368,6 +35718,14 @@ kernel
)
+
+Do not audit attempts to get the
+attributes of any user pty
+device nodes.
+
+
@@ -33388,6 +35746,14 @@ kernel
)
+
+Do not audit attempts to get the
+attributes of any user tty
+device nodes.
+
+
@@ -33408,6 +35774,13 @@ kernel
)
+
+Do not audit attempts to get the attributes
+of all unallocated tty device nodes.
+
+
@@ -33428,6 +35801,40 @@ kernel
)
+
+Do not audit attempts to read the
+/dev/pts directory.
+
+
+Module:
+terminal
+Layer:
+kernel
+
+
+term_dontaudit_manage_pty_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to create, read,
+write, or delete the /dev/pts directory.
+
+
+
@@ -33448,6 +35855,13 @@ kernel
)
+
+Do not audit attempts to read any
+user ptys.
+
+
@@ -33468,6 +35882,13 @@ kernel
)
+
+Do not audit attempts to read or write
+any user ttys.
+
+
@@ -33488,6 +35909,13 @@ kernel
)
+
+Do not audit attemtps to read from
+or write to the console.
+
+
@@ -33508,6 +35936,14 @@ kernel
)
+
+Dot not audit attempts to read and
+write the generic pty type. This is
+generally only used in the targeted policy.
+
+
@@ -33528,6 +35964,13 @@ kernel
)
+
+Do not audit attempts to read and
+write the pty multiplexor (/dev/ptmx).
+
+
@@ -33548,6 +35991,13 @@ kernel
)
+
+Do not audit attempts to read or
+write unallocated ttys.
+
+
@@ -33568,6 +36018,13 @@ kernel
)
+
+Get the attributes of all user
+pty device nodes.
+
+
@@ -33588,6 +36045,13 @@ kernel
)
+
+Get the attributes of all user tty
+device nodes.
+
+
@@ -33608,6 +36072,13 @@ kernel
)
+
+Get the attributes of all unallocated
+tty device nodes.
+
+
@@ -33628,6 +36099,13 @@ kernel
)
+
+Read the /dev/pts directory to
+list all ptys.
+
+
@@ -33648,6 +36126,13 @@ kernel
)
+
+Transform specified type into a pty type
+used by login programs, such as sshd.
+
+
@@ -33668,6 +36153,12 @@ kernel
)
+
+Transform specified type into a pty type.
+
+
@@ -33688,6 +36179,13 @@ kernel
)
+
+Relabel from and to all user
+user pty device nodes.
+
+
@@ -33708,6 +36206,13 @@ kernel
)
+
+Relabel from and to all user
+user tty device nodes.
+
+
@@ -33728,6 +36233,13 @@ kernel
)
+
+Relabel from and to the unallocated
+tty type.
+
+
@@ -33774,6 +36286,13 @@ kernel
)
+
+Relabel from all user tty types to
+the unallocated tty type.
+
+
@@ -33821,6 +36340,13 @@ kernel
)
+
+Set the attributes of all user tty
+device nodes.
+
+
@@ -33841,6 +36367,13 @@ kernel
)
+
+Set the attributes of the console
+device node.
+
+
@@ -33861,6 +36394,13 @@ kernel
)
+
+Set the attributes of all unallocated
+tty device nodes.
+
+
@@ -33881,6 +36421,12 @@ kernel
)
+
+Transform specified type into a tty type.
+
+
@@ -33901,6 +36447,13 @@ kernel
)
+
+Read and write the console, all
+ttys and all ptys.
+
+
@@ -33921,6 +36474,12 @@ kernel
)
+
+Read and write all user ptys.
+
+
@@ -33941,6 +36500,12 @@ kernel
)
+
+Read and write all user to all user ttys.
+
+
@@ -33961,6 +36526,12 @@ kernel
)
+
+Read from and write to the console.
+
+
@@ -33981,6 +36552,13 @@ kernel
)
+
+Read and write the controlling
+terminal (/dev/tty).
+
+
@@ -34001,6 +36579,14 @@ kernel
)
+
+Read and write the generic pty
+type. This is generally only used in
+the targeted policy.
+
+
@@ -34021,6 +36607,12 @@ kernel
)
+
+Read and write unallocated ttys.
+
+
@@ -34049,6 +36641,14 @@ kernel
)
+
+Transform specified type into an user
+pty type. This allows it to be relabeled via
+type change by login programs such as ssh.
+
+
@@ -34069,6 +36669,12 @@ kernel
)
+
+Write to all user ttys.
+
+
@@ -34089,6 +36695,12 @@ kernel
)
+
+Write to the console.
+
+
@@ -34109,6 +36721,38 @@ kernel
)
+
+Write to unallocated ttys.
+
+
+Module:
+tmpreaper
+Layer:
+admin
+
+
+tmpreaper_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute tmpreaper in the caller domain.
+
+
+
@@ -34329,6 +36973,12 @@ system
)
+
+Execute specified programs in the unconfined domain.
+
+
@@ -34435,6 +37085,98 @@ Inherit file descriptors from the unconfined domain.
+
+Module:
+updfstab
+Layer:
+admin
+
+
+updfstab_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute updfstab in the updfstab domain.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_create_user_home(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ [
+
+ object_class
+
+ ]
+
+
+ )
+
+
+
+
+Create objects in generic user home directories
+with automatic file type transition.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_create_user_home_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create generic user home directories
+with automatic file type transition.
+
+
+
+
Module:
userdomain
@@ -34621,6 +37363,169 @@ user ttys.
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete
+generic user home directories.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete
+subdirectories of generic user
+home directories.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files
+in generic user home directories.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_pipes(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete named
+pipes in generic user home directories.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_sockets(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete named
+sockets in generic user home directories.
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic
+links in generic user home directories.
+
+
+
+
Module:
userdomain
@@ -35163,6 +38068,12 @@ admin
)
+
+Execute chfn in the chfn domain.
+
+
@@ -35183,6 +38094,12 @@ admin
)
+
+Execute groupadd in the groupadd domain.
+
+
@@ -35203,6 +38120,12 @@ admin
)
+
+Execute passwd in the passwd domain.
+
+
@@ -35223,6 +38146,12 @@ admin
)
+
+Execute useradd in the useradd domain.
+
+
@@ -35285,6 +38214,13 @@ admin
)
+
+Execute chfn in the chfn domain, and
+allow the specified role the chfn domain.
+
+
@@ -35321,6 +38257,13 @@ admin
)
+
+Execute groupadd in the groupadd domain, and
+allow the specified role the groupadd domain.
+
+
@@ -35357,6 +38300,13 @@ admin
)
+
+Execute passwd in the passwd domain, and
+allow the specified role the passwd domain.
+
+
@@ -35393,6 +38343,13 @@ admin
)
+
+Execute useradd in the useradd domain, and
+allow the specified role the useradd domain.
+
+
This module is required to be included in all policies.
+
diff --git a/www/api-docs/kernel_kernel.html b/www/api-docs/kernel_kernel.html
index 2c9989bb..e8318854 100644
--- a/www/api-docs/kernel_kernel.html
+++ b/www/api-docs/kernel_kernel.html
@@ -518,6 +518,48 @@ No
+