Layer: kernel

Module: domain


Description:

Core policy for domains.

This module is required to be included in all policies.

Interfaces:

domain_base_type( type )
Summary

Make the specified type usable as a basic domain.

Description

Make the specified type usable as a basic domain.

This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.

Parameters
Parameter | Description | Optional
type | Type to be used as a basic domain type. | No
domain_cron_exemption_source( domain )
Summary

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.

Parameters
Parameter | Description | Optional
domain | Domain target for user exemption. | No
domain_cron_exemption_target( domain )
Summary

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.

Parameters
Parameter | Description | Optional
domain | Domain target for user exemption. | No
domain_dontaudit_getattr_all_dgram_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' Unix datagram sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_domains( domain )
Summary

Get the attributes of all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_dontaudit_getattr_all_key_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' IPSEC key management sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_packet_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' packet sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_pipes( domain )
Summary

Do not audit attempts to get the attributes of all domains' unnamed pipes.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_raw_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' raw sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' sockets, for all socket types.

Description

Do not audit attempts to get the attributes of all domains' sockets, for all socket types.

This interface was added for PCMCIA cardmgr and is probably excessive.

Parameters
Parameter | Description | Optional
domain | Domain to not audit. | No
domain_dontaudit_getattr_all_stream_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' Unix datagram sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_tcp_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' TCP sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getattr_all_udp_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains' UDP sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_getsession_all_domains( domain )
Summary

Do not audit attempts to get the session ID of all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_list_all_domains_proc( domain )
Summary

Do not audit attempts to read the process state directories of all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_ptrace_all_domains( domain )
Summary

Do not audit attempts to ptrace all domains.

Description

Do not audit attempts to ptrace all domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_dontaudit_ptrace_confined_domains( domain )
Summary

Do not audit attempts to ptrace confined domains.

Description

Do not audit attempts to ptrace confined domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_dontaudit_read_all_domains_state( domain )
Summary

Do not audit attempts to read the process state (/proc/pid) of all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_rw_all_key_sockets( domain )
Summary

Do not audit attempts to read or write all domains' key sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_rw_all_udp_sockets( domain )
Summary

Do not audit attempts to read or write all domains' UDP sockets.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_dontaudit_search_all_domains_state( domain )
Summary

Do not audit attempts to search the process state directory (/proc/pid) of all domains.

Parameters
Parameter | Description | Optional
domain | Domain to not audit. | No
domain_dontaudit_use_wide_inherit_fd( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_dyntrans_type( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_entry_file( domain , type )
Summary

Make the specified type usable as an entry point for the domain.

Parameters
Parameter | Description | Optional
domain | Domain to be entered. | No
type | Type of program used for entering the domain. | No
domain_exec_all_entry_files( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_getattr_all_domains( domain )
Summary

Get the attributes of all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_getattr_all_entry_files( domain )
Summary

Get the attributes of entry point files for all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_getattr_all_sockets( domain )
Summary

Get the attributes of all domains' sockets, for all socket types.

Description

Get the attributes of all domains' sockets, for all socket types.

This is commonly used for domains that can use lsof on all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_getattr_confined_domains( domain )
Summary

Get the attributes of all confined domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_getsession_all_domains( domain )
Summary

Get the session ID of all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_kill_all_domains( domain )
Summary

Send a kill signal to all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_manage_all_entry_files( domain )
Summary

Create, read, write, and delete all entrypoint files.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_mmap_all_entry_files( domain )
Summary

Mmap all entry point files as executable.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_obj_id_change_exempt( domain )
Summary

Makes caller an exception to the constraint preventing changing the user identity in object contexts.

Parameters
Parameter | Description | Optional
domain | The process type to make an exception to the constraint. | No
domain_ptrace_all_domains( domain )
Summary

Ptrace all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_read_all_domains_state( domain )
Summary

Read the process state (/proc/pid) of all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_read_all_entry_files( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_read_confined_domains_state( domain )
Summary

Read the process state (/proc/pid) of all confined domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_relabel_all_entry_files( domain )
Summary

Relabel to and from all entry point file types.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_role_change_exempt( domain )
Summary

Makes caller an exception to the constraint preventing changing of role.

Parameters
Parameter | Description | Optional
domain | The process type to make an exception to the constraint. | No
domain_search_all_domains_state( domain )
Summary

Search the process state directory (/proc/pid) of all domains.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_setpriority_all_domains( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_sigchld_all_domains( domain )
Summary

Send a child terminated signal to all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_sigchld_wide_inherit_fd( domain )
Summary

Send a SIGCHLD signal to domains whose file descriptors are widely inheritable.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_signal_all_domains( domain )
Summary

Send general signals to all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_signull_all_domains( domain )
Summary

Send a null signal to all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_sigstop_all_domains( domain )
Summary

Send a stop signal to all domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_subj_id_change_exempt( domain )
Summary

Makes caller an exception to the constraint preventing changing of user identity.

Parameters
Parameter | Description | Optional
domain | The process type to make an exception to the constraint. | No
domain_system_change_exempt( domain )
Summary

Makes caller an exception to the constraint preventing changing to the system user identity and system role.

Parameters
Parameter | Description | Optional
domain | Domain allowed access. | No
domain_type( type )
Summary

Make the specified type usable as a domain.

Parameters
Parameter | Description | Optional
type | Type to be used as a domain type. | No
domain_unconfined( domain )
Summary

Unconfined access to domains.

Parameters
Parameter | Description | Optional
domain | The type of the process performing this action. | No
domain_use_wide_inherit_fd( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_user_exemption_target( domain )
Summary

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.

Parameters
Parameter | Description | Optional
domain | Domain target for user exemption. | No
domain_wide_inherit_fd( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No

Templates:

domain_auto_trans( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No
domain_trans( ? )
Summary

Summary is missing!

Parameters
Parameter | Description | Optional
? | Parameter descriptions are missing! | No