Policy for kernel threads, the proc filesystem, and unlabeled processes and objects.
This module is required to be included in all policies.
Change the level of kernel messages logged to the console.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allows the caller to clear the ring buffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type clearing the buffer. | No |
Do not audit attempts to get the attributes of core kernel interfaces.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to not audit. | No |
Do not audit attempts by caller to get the attributes of kernel message interfaces.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts by caller to get attributes for unlabeled block devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts to read the ring buffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | The domain to not audit. | No |
Do not audit attempts by caller to read system state information in proc.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts to search generic kernel sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to search the network state directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts by caller to search network sysctl directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts by caller to search the base directory of sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type not to audit. | No |
Do not audit attempts to use kernel file descriptors.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of process not to audit. | No |
Do not audit attempts to write generic kernel sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Get information on all System V IPC objects.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allows caller to get attributes of the core kernel interface.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type getting the attributes. | No |
Get the attributes of a kernel debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow caller to get the attributes of kernel message interface (/proc/kmsg).
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type getting the attributes. | No |
Get the attributes of the proc filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Send a kill signal to unlabeled processes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow the kernel to read the contents of the specified directory.
Parameter: | Description: | Optional: |
---|---|---|
dir_type | Directory type to list. | No |
List the contents of directories in /proc.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
List unlabeled directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allows caller to load kernel modules.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to allow to load kernel modules. | No |
Mount a kernel debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain mounting the filesystem. | No |
Allow caller to read all sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read information from the debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow caller to read the device sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type to allow to read the device sysctls. | No |
Allow the kernel to read the specified file.
Parameter: | Description: | Optional: |
---|---|---|
dir_type | Directory type to list. | No |
Read filesystem sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read the hotplug sysctl.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read IRQ sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read generic kernel sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to read kernel messages using the /proc/kmsg interface.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading the messages. | No |
Read the modprobe sysctl.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to read network sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to read the network state information.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading the state. | No |
Read symbolic links in /proc.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allows caller to read the ring buffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type allowed to read the ring buffer. | No |
Allow caller to read the state information for software raid.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading software raid state. | No |
Allows caller to read system state information in proc.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading the system state information. | No |
Allow caller to read unix domain socket sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to read virtual memory sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to relabel unlabeled objects.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type relabeling the objects. | No |
Remount a kernel debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain remounting the filesystem. | No |
Allows the kernel to mount filesystems on the specified directory type.
Parameter: | Description: | Optional: |
---|---|---|
directory_type | The type of the directory to use as a mountpoint. | No |
Read and write all sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write device sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write filesystem sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write the hotplug sysctl.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write IRQ sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write generic kernel sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write the modprobe sysctl.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to modify the contents of sysctl network files.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write kernel unnamed pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow caller to read and set the state information for software raid.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading and setting software raid state. | No |
Read and write kernel unix datagram sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write unix domain socket sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Read and write unlabeled directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write virtual memory sysctls.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Search the contents of a kernel debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow the kernel to search the specified directory.
Parameter: | Description: | Optional: |
---|---|---|
dir_type | Directory type to search. | No |
Search network sysctl directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search directories in /proc.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow the kernel to send a syslog message to the specified domain, connecting over the specified named socket.
Parameter: | Description: | Optional: |
---|---|---|
socket | The type of the named socket file. | No |
syslog_type | The domain of the syslog daemon. | No |
Send messages to kernel unix datagram sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the process group of kernel threads.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allows the kernel to share state information with the caller.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process with which to share state information. | No |
Send a SIGCHLD signal to kernel threads.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process sending the signal. | No |
Allow the kernel to send a SIGCHLD signal to the specified domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain receiving the SIGCHLD. | No |
Allow unlabeled processes to send a SIGCHLD signal to the specified domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain receiving the SIGCHLD. | No |
Send a child terminated signal to unlabeled processes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a generic signal to kernel threads.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process sending the signal. | No |
Send general signals to unlabeled processes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a null signal to unlabeled processes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Send a stop signal to unlabeled processes.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Receive messages from kernel TCP sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Receive messages from kernel UDP sockets.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow the kernel to send UDP network traffic to the specified domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the receiving domain. | No |
Unconfined access to the kernel.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Unmount a kernel debugging filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain unmounting the filesystem. | No |
Permits caller to use kernel file descriptors.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process using the descriptors. | No |
Use the specified types for the /lib directory, for the dynamic link/loader used to automatically load shared libraries, and for the link/loader cache.
Parameter: | Description: | Optional: |
---|---|---|
lib_type | The type of the lib directories. | No |
ld_type | The type of the dynamic link/loader. | No |
cache_type | The type of the dynamic link/loader cache. | No |
Allow the kernel to load and execute functions from the specified shared libraries.
Parameter: | Description: | Optional: |
---|---|---|
lib_dir_type | The type of the lib directories. | No |
shlib_type | Shared library type. | No |
Read and write unlabeled block device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow the kernel to start userland processes by transitioning to the specified domain.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type entered by kernel. | No |
entrypoint | The executable type for the entrypoint. | No |
Write to generic proc entries.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |