Layer: kernel

Module: kernel

Description:

Policy for kernel threads, proc filesystem, and unlabeled processes and objects.

Interfaces:

kernel_change_ring_buffer_level(
	
		domain
		
	)

Description

Parameters

Parameter:	Description:	Optional:
domain		No

kernel_clear_ring_buffer(
	
		domain
		
	)

Description

Allows the caller to clear the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The process type clearing the buffer.	No

kernel_dontaudit_getattr_core(
	
		domain
		
	)

Description

Do not audit attempts to get the attributes of core kernel interfaces.

Parameters

Parameter:	Description:	Optional:
domain	The process type to not audit.	No

kernel_dontaudit_getattr_message_if(
	
		domain
		
	)

Description

Do not audit attempts by caller to get the attributes of kernel message interfaces.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_getattr_unlabeled_blk_dev(
	
		domain
		
	)

Description

Do not audit attempts by caller to get attributes for unlabeled block devices.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_read_ring_buffer(
	
		domain
		
	)

Description

Do not audit attempts to read the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The domain to not audit.	No

kernel_dontaudit_read_system_state(
	
		domain
		
	)

Description

Do not audit attempts by caller to read system state information.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_search_network_sysctl_dir(
	
		domain
		
	)

Description

Do not audit attempts by caller to search sysctl network directories.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_search_sysctl_dir(
	
		domain
		
	)

Description

Do not audit attempts by caller to search the sysctl directory.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_use_fd(
	
		domain
		
	)

Description

Do not audit attempts to use kernel file descriptors.

Parameters

Parameter:	Description:	Optional:
domain	The type of process not to audit.	No

kernel_get_sysvipc_info(
	
		domain
		
	)

Description

Get information on all System V IPC objects.

Parameters

Parameter:	Description:	Optional:
domain		No

kernel_getattr_core(
	
		domain
		
	)

Description

Allows caller to get attribues of core kernel interface.

Parameters

Parameter:	Description:	Optional:
domain	The process type getting the attibutes.	No

kernel_getattr_message_if(
	
		domain
		
	)

Description

Allow caller to get the attributes of kernel message interface (/proc/kmsg).

Parameters

Parameter:	Description:	Optional:
domain	The process type getting the attributes.	No

kernel_kill_unlabeled(
	
		domain
		
	)

Description

Send a kill signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_load_module(
	
		domain
		
	)

Description

Allows caller to load kernel modules

Parameters

Parameter:	Description:	Optional:
domain	The process type to allow to load kernel modules.	No

kernel_read_all_sysctl(
	
		domain
		
	)

Description

Allow caller to read all sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_device_sysctl(
	
		domain
		
	)

Description

Allow caller to read the device sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The process type to allow to read the device sysctls.	No

kernel_read_fs_sysctl(
	
		domain
		
	)

Description

Read filesystem sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_hotplug_sysctl(
	
		domain
		
	)

Description

Read the hotplug sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_irq_sysctl(
	
		domain
		
	)

Description

Read IRQ sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_kernel_sysctl(
	
		domain
		
	)

Description

Read generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_messages(
	
		domain
		
	)

Description

Allow caller to read kernel messages using the /proc/kmsg interface.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the messages.	No

kernel_read_modprobe_sysctl(
	
		domain
		
	)

Description

Read the modprobe sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_net_sysctl(
	
		domain
		
	)

Description

Allow caller to read network sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_network_state(
	
		domain
		
	)

Description

Allow caller to read the network state information.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the state.	No

kernel_read_ring_buffer(
	
		domain
		
	)

Description

Allows caller to read the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The process type allowed to read the ring buffer.	No

kernel_read_software_raid_state(
	
		domain
		
	)

Description

Allow caller to read the state information for software raid.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading software raid state.	No

kernel_read_system_state(
	
		domain
		
	)

Description

Allows caller to read system state information.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the system state information.	No

kernel_read_unix_sysctl(
	
		domain
		
	)

Description

Allow caller to read unix domain socket sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_vm_sysctl(
	
		domain
		
	)

Description

Allow caller to read virtual memory sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_relabel_unlabeled(
	
		domain
		
	)

Description

Allow caller to relabel unlabeled objects.

Parameters

Parameter:	Description:	Optional:
domain	The process type relabeling the objects.	No

kernel_rootfs_mountpoint(
	
		directory_type
		
	)

Description

Allows the kernel to mount filesystems on the specified directory type.

Parameters

Parameter:	Description:	Optional:
directory_type	The type of the directory to use as a mountpoint.	No

kernel_rw_all_sysctl(
	
		domain
		
	)

Description

Read and write all sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_device_sysctl(
	
		domain
		
	)

Description

Read and write device sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_fs_sysctl(
	
		domain
		
	)

Description

Read and write fileystem sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_hotplug_sysctl(
	
		domain
		
	)

Description

Read and write the hotplug sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_irq_sysctl(
	
		domain
		
	)

Description

Read and write IRQ sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_kernel_sysctl(
	
		domain
		
	)

Description

Read and write generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_modprobe_sysctl(
	
		domain
		
	)

Description

Read and write the modprobe sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_net_sysctl(
	
		domain
		
	)

Description

Allow caller to modiry contents of sysctl network files.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_unix_sysctl(
	
		domain
		
	)

Description

Read and write unix domain socket sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_vm_sysctl(
	
		domain
		
	)

Description

Read and write virtual memory sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_share_state(
	
		domain
		
	)

Description

Allows the kernel to share state information with the caller.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process with which to share state information.	No

kernel_sigchld_unlabeled(
	
		domain
		
	)

Description

Send a child terminated signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_signal_unlabeled(
	
		domain
		
	)

Description

Send general signals to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_signull_unlabeled(
	
		domain
		
	)

Description

Send a null signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_sigstop_unlabeled(
	
		domain
		
	)

Description

Send a stop signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_use_fd(
	
		domain
		
	)

Description

Permits caller to use kernel file descriptors.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process using the descriptors.	No

kernel_userland_entry(
	
		domain
		
			,
		
		entrypoint
		
	)

Description

Allows to start userland processes by transitioning to the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	The process type entered by kernel.	No
entrypoint	The executable type for the entrypoint.	No