Core policy for domains.
This module is required to be included in all policies.
Make the specified type usable as a basic domain.
This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.
Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used as a basic domain type. | No |
Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain target for user exemption. | No |
Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain target for user exemption. | No |
Do not audit attempts to get the attributes of all domains unix datagram sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Get the attributes of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to get the attributes of all domains IPSEC key management sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains packet sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains raw sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains sockets, for all socket types.
This interface was added for PCMCIA cardmgr and is probably excessive.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to get the attributes of all domains unix datagram sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains TCP sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the attributes of all domains UDP sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to get the session ID of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to read the process state directories of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to ptrace all domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to ptrace confined domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to read the process state (/proc/pid) of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to read or write all domains key sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to read or write all domains UDP sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to search the process state directory (/proc/pid) of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Make the specified type usable as an entry point for the domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to be entered. | No |
type | Type of program used for entering the domain. | No |
Get the attributes of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of entry point files for all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of all domains sockets, for all socket types.
This is commonly used for domains that can use lsof on all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of all confined domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the session ID of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a kill signal to all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Create, read, write, and delete all entrypoint files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Mmap all entry point files as executable.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Makes caller an exception to the constraint preventing changing the user identity in object contexts.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to make an exception to the constraint. | No |
Ptrace all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the process state (/proc/pid) of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the process state (/proc/pid) of all confined domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Relabel to and from all entry point file types.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Makes caller an exception to the constraint preventing changing of role.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to make an exception to the constraint. | No |
Search the process state directory (/proc/pid) of all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send a child terminated signal to all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a SIGCHLD signal to domains whose file descriptors are widely inheritable.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send general signals to all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a null signal to all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a stop signal to all domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Makes caller an exception to the constraint preventing changing of user identity.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to make an exception to the constraint. | No |
Makes caller an exception to the constraint preventing changing to the system user identity and system role.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified type usable as a domain.
Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used as a domain type. | No |
Unconfined access to domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain target for user exemption. | No |