Layer: kernel

Module: kernel

Description:

Policy for kernel threads, proc filesystem,and unlabeled processes and objects.

This module is required to be included in all policies.

Interfaces:

kernel_change_ring_buffer_level(
	
		domain
		
	)

Summary

Change the level of kernel messages logged to the console.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_clear_ring_buffer(
	
		domain
		
	)

Summary

Allows the caller to clear the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The process type clearing the buffer.	No

kernel_dontaudit_getattr_core(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of core kernel interfaces.

Parameters

Parameter:	Description:	Optional:
domain	The process type to not audit.	No

kernel_dontaudit_getattr_message_if(
	
		domain
		
	)

Summary

Do not audit attempts by caller to get the attributes of kernel message interfaces.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_getattr_unlabeled_blk_dev(
	
		domain
		
	)

Summary

Do not audit attempts by caller to get attributes for unlabeled block devices.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_read_ring_buffer(
	
		domain
		
	)

Summary

Do not audit attempts to read the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The domain to not audit.	No

kernel_dontaudit_read_system_state(
	
		domain
		
	)

Summary

Do not audit attempts by caller to read system state information in proc.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_search_kernel_sysctl(
	
		domain
		
	)

Summary

Do not audit attempts to search generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

kernel_dontaudit_search_network_state(
	
		domain
		
	)

Summary

Do not audit attempts to search the network state directory.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the state.	No

kernel_dontaudit_search_network_sysctl(
	
		domain
		
	)

Summary

Do not audit attempts by caller to search network sysctl directories.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_search_sysctl(
	
		domain
		
	)

Summary

Do not audit attempts by caller to search the base directory of sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The process type not to audit.	No

kernel_dontaudit_use_fd(
	
		domain
		
	)

Summary

Do not audit attempts to use kernel file descriptors.

Parameters

Parameter:	Description:	Optional:
domain	The type of process not to audit.	No

kernel_dontaudit_write_kernel_sysctl(
	
		domain
		
	)

Summary

Do not audit attempts to write generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

kernel_get_sysvipc_info(
	
		domain
		
	)

Summary

Get information on all System V IPC objects.

Parameters

Parameter:	Description:	Optional:
domain		No

kernel_getattr_core(
	
		domain
		
	)

Summary

Allows caller to get attribues of core kernel interface.

Parameters

Parameter:	Description:	Optional:
domain	The process type getting the attibutes.	No

kernel_getattr_debugfs(
	
		domain
		
	)

Summary

Get the attributes of a kernel debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_getattr_message_if(
	
		domain
		
	)

Summary

Allow caller to get the attributes of kernel message interface (/proc/kmsg).

Parameters

Parameter:	Description:	Optional:
domain	The process type getting the attributes.	No

kernel_getattr_proc(
	
		domain
		
	)

Summary

Get the attributes of the proc filesystem.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_kill_unlabeled(
	
		domain
		
	)

Summary

Send a kill signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_list_from(
	
		dir_type
		
	)

Summary

Allow the kernel to read the contents of the specified directory.

Parameters

Parameter:	Description:	Optional:
dir_type	Directory type to list.	No

kernel_list_proc(
	
		domain
		
	)

Summary

List the contents of directories in /proc.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_list_unlabeled(
	
		domain
		
	)

Summary

List unlabeled directories.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_load_module(
	
		domain
		
	)

Summary

Allows caller to load kernel modules

Parameters

Parameter:	Description:	Optional:
domain	The process type to allow to load kernel modules.	No

kernel_mount_debugfs(
	
		domain
		
	)

Summary

Mount a kernel debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain mounting the filesystem.	No

kernel_read_all_sysctl(
	
		domain
		
	)

Summary

Allow caller to read all sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_debugfs(
	
		domain
		
	)

Summary

Read information from the debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_read_device_sysctl(
	
		domain
		
	)

Summary

Allow caller to read the device sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The process type to allow to read the device sysctls.	No

kernel_read_file_from(
	
		dir_type
		
	)

Summary

Allow the kernel to read the specified file.

Parameters

Parameter:	Description:	Optional:
dir_type	Directory type to list.	No

kernel_read_fs_sysctl(
	
		domain
		
	)

Summary

Read filesystem sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_hotplug_sysctl(
	
		domain
		
	)

Summary

Read the hotplug sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_irq_sysctl(
	
		domain
		
	)

Summary

Read IRQ sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_kernel_sysctl(
	
		domain
		
	)

Summary

Read generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_messages(
	
		domain
		
	)

Summary

Allow caller to read kernel messages using the /proc/kmsg interface.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the messages.	No

kernel_read_modprobe_sysctl(
	
		domain
		
	)

Summary

Read the modprobe sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_net_sysctl(
	
		domain
		
	)

Summary

Allow caller to read network sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_network_state(
	
		domain
		
	)

Summary

Allow caller to read the network state information.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the state.	No

kernel_read_proc_symlinks(
	
		domain
		
	)

Summary

Read symbolic links in /proc.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_read_ring_buffer(
	
		domain
		
	)

Summary

Allows caller to read the ring buffer.

Parameters

Parameter:	Description:	Optional:
domain	The process type allowed to read the ring buffer.	No

kernel_read_rpc_sysctl(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

kernel_read_software_raid_state(
	
		domain
		
	)

Summary

Allow caller to read the state information for software raid.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading software raid state.	No

kernel_read_system_state(
	
		domain
		
	)

Summary

Allows caller to read system state information in proc.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading the system state information.	No

kernel_read_unix_sysctl(
	
		domain
		
	)

Summary

Allow caller to read unix domain socket sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_read_vm_sysctl(
	
		domain
		
	)

Summary

Allow caller to read virtual memory sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_relabel_unlabeled(
	
		domain
		
	)

Summary

Allow caller to relabel unlabeled objects.

Parameters

Parameter:	Description:	Optional:
domain	The process type relabeling the objects.	No

kernel_remount_debugfs(
	
		domain
		
	)

Summary

Remount a kernel debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain remounting the filesystem.	No

kernel_rootfs_mountpoint(
	
		directory_type
		
	)

Summary

Allows the kernel to mount filesystems on the specified directory type.

Parameters

Parameter:	Description:	Optional:
directory_type	The type of the directory to use as a mountpoint.	No

kernel_rw_all_sysctl(
	
		domain
		
	)

Summary

Read and write all sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_device_sysctl(
	
		domain
		
	)

Summary

Read and write device sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_fs_sysctl(
	
		domain
		
	)

Summary

Read and write fileystem sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_hotplug_sysctl(
	
		domain
		
	)

Summary

Read and write the hotplug sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_irq_sysctl(
	
		domain
		
	)

Summary

Read and write IRQ sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_kernel_sysctl(
	
		domain
		
	)

Summary

Read and write generic kernel sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_modprobe_sysctl(
	
		domain
		
	)

Summary

Read and write the modprobe sysctl.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_net_sysctl(
	
		domain
		
	)

Summary

Allow caller to modiry contents of sysctl network files.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_pipe(
	
		domain
		
	)

Summary

Read and write kernel unnamed pipes.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_rw_rpc_sysctl(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

kernel_rw_software_raid_state(
	
		domain
		
	)

Summary

Allow caller to read and set the state information for software raid.

Parameters

Parameter:	Description:	Optional:
domain	The process type reading software raid state.	No

kernel_rw_unix_dgram_socket(
	
		domain
		
	)

Summary

Read and write kernel unix datagram sockets.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_rw_unix_sysctl(
	
		domain
		
	)

Summary

Read and write unix domain socket sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_rw_unlabeled_dir(
	
		domain
		
	)

Summary

Read and write unlabeled directories.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_rw_vm_sysctl(
	
		domain
		
	)

Summary

Read and write virtual memory sysctls.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_search_debugfs(
	
		domain
		
	)

Summary

Search the contents of a kernel debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_search_from(
	
		dir_type
		
	)

Summary

Allow the kernel to search the specified directory.

Parameters

Parameter:	Description:	Optional:
dir_type	Directory type to search.	No

kernel_search_from(
	
		dir_type
		
	)

Summary

Allow the kernel to search the specified directory.

Parameters

Parameter:	Description:	Optional:
dir_type	Directory type to search.	No

kernel_search_network_sysctl(
	
		domain
		
	)

Summary

Search network sysctl directories.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_search_proc(
	
		domain
		
	)

Summary

Search directories in /proc.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_send_syslog_msg_from(
	
		socket
		
			,
		
		syslog_type
		
	)

Summary

Allow the kernel to send a syslog message to the specified domain, connecting over the specified named socket.

Parameters

Parameter:	Description:	Optional:
socket	The type of the named socket file.	No
syslog_type	The domain of the syslog daemon.	No

kernel_sendto_unix_dgram_socket(
	
		domain
		
	)

Summary

Send messages to kernel unix datagram sockets.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_setpgid(
	
		domain
		
	)

Summary

Set the process group of kernel threads.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_share_state(
	
		domain
		
	)

Summary

Allows the kernel to share state information with the caller.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process with which to share state information.	No

kernel_sigchld(
	
		domain
		
	)

Summary

Send a SIGCHLD signal to kernel threads.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process sending the signal.	No

kernel_sigchld_from(
	
		domain
		
	)

Summary

Allow the kernel to send a SIGCHLD signal to the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	Domain receiving the SIGCHLD.	No

kernel_sigchld_from_unlabeled(
	
		domain
		
	)

Summary

Allow unlabeled processes to send a SIGCHLD signal to the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	Domain receiving the SIGCHLD.	No

kernel_sigchld_unlabeled(
	
		domain
		
	)

Summary

Send a child terminated signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_signal(
	
		domain
		
	)

Summary

Send a generic signal to kernel threads.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process sending the signal.	No

kernel_signal_unlabeled(
	
		domain
		
	)

Summary

Send general signals to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_signull_unlabeled(
	
		domain
		
	)

Summary

Send a null signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_sigstop_unlabeled(
	
		domain
		
	)

Summary

Send a stop signal to unlabeled processes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

kernel_tcp_recvfrom(
	
		domain
		
	)

Summary

Receive messages from kernel TCP sockets.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_udp_recvfrom(
	
		domain
		
	)

Summary

Receive messages from kernel UDP sockets.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_udp_sendfrom(
	
		domain
		
	)

Summary

Allow the kernel to send UDP network traffic the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the receiving domain.	No

kernel_unconfined(
	
		domain
		
	)

Summary

Unconfined access to the kernel.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_unmount_debugfs(
	
		domain
		
	)

Summary

Unmount a kernel debugging filesystem.

Parameters

Parameter:	Description:	Optional:
domain	The type of the domain unmounting the filesystem.	No

kernel_use_fd(
	
		domain
		
	)

Summary

Permits caller to use kernel file descriptors.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process using the descriptors.	No

kernel_use_ld_so_from(
	
		lib_type
		
			,
		
		ld_type
		
			,
		
		cache_type
		
	)

Summary

Use the specified types for /lib directory and use the dynamic link/loader for automatic loading of shared libraries, and the link/loader cache.

Parameters

Parameter:	Description:	Optional:
lib_type	The type of the lib directories.	No
ld_type	The type of the dynamic link/loader.	No
cache_type	The type of the dynamic link/loader cache.	No

kernel_use_shared_libs_from(
	
		lib_dir_type
		
			,
		
		shlib_type
		
	)

Summary

Allow the kernel to load and execute functions from the specified shared libraries.

Parameters

Parameter:	Description:	Optional:
lib_dir_type	The type of the lib directories.	No
shlib_type	Shared library type.	No

kernel_use_unlabeled_blk_dev(
	
		domain
		
	)

Summary

Read and write unlabeled block device nodes.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

kernel_userland_entry(
	
		domain
		
			,
		
		entrypoint
		
	)

Summary

Allows to start userland processes by transitioning to the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	The process type entered by kernel.	No
entrypoint	The executable type for the entrypoint.	No

kernel_write_proc_file(
	
		domain
		
	)

Summary

Write to generic proc entries.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

Return