Layer: kernel

Module: kernel

Description:

Policy for kernel threads, proc filesystem, and unlabeled processes and objects.

This module is required to be included in all policies.

Interfaces:

kernel_change_ring_buffer_level( domain )
Summary

Change the level of kernel messages logged to the console.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_clear_ring_buffer( domain )
Summary

Allows the caller to clear the ring buffer.

Parameters
Parameter:Description:Optional:
domain The process type clearing the buffer. No
kernel_dontaudit_getattr_core( domain )
Summary

Do not audit attempts to get the attributes of core kernel interfaces.

Parameters
Parameter:Description:Optional:
domain The process type to not audit. No
kernel_dontaudit_getattr_message_if( domain )
Summary

Do not audit attempts by caller to get the attributes of kernel message interfaces.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_blk_dev( domain )
Summary

Do not audit attempts by caller to get attributes for unlabeled block devices.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_chr_dev( domain )
Summary

Do not audit attempts by caller to get attributes for unlabeled character devices.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_file( domain )
Summary

Do not audit attempts by caller to get the attributes of an unlabeled file.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_pipes( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled named pipes.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_sockets( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled named sockets.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_getattr_unlabeled_symlinks( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled symbolic links.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_list_proc( domain )
Summary

Do not audit attempts to list the contents of directories in /proc.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
kernel_dontaudit_list_unlabeled( domain )
Summary

Do not audit attempts to list unlabeled directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_dontaudit_read_proc_symlink( domain )
Summary

Do not audit attempts by caller to read system state information in proc.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_read_ring_buffer( domain )
Summary

Do not audit attempts to read the ring buffer.

Parameters
Parameter:Description:Optional:
domain The domain to not audit. No
kernel_dontaudit_read_system_state( domain )
Summary

Do not audit attempts by caller to read system state information in proc.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_read_unlabeled_file( domain )
Summary

Do not audit attempts by caller to read an unlabeled file.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
kernel_dontaudit_search_kernel_sysctl( domain )
Summary

Do not audit attempts to search generic kernel sysctls.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
kernel_dontaudit_search_network_state( domain )
Summary

Do not audit attempts to search the network state directory.

Parameters
Parameter:Description:Optional:
domain The process type reading the state. No
kernel_dontaudit_search_network_sysctl( domain )
Summary

Do not audit attempts by caller to search network sysctl directories.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_search_sysctl( domain )
Summary

Do not audit attempts by caller to search the base directory of sysctls.

Parameters
Parameter:Description:Optional:
domain The process type not to audit. No
kernel_dontaudit_use_fd( domain )
Summary

Do not audit attempts to use kernel file descriptors.

Parameters
Parameter:Description:Optional:
domain The type of process not to audit. No
kernel_dontaudit_write_kernel_sysctl( domain )
Summary

Do not audit attempts to write generic kernel sysctls.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
kernel_get_sysvipc_info( domain )
Summary

Get information on all System V IPC objects.

Parameters
Parameter:Description:Optional:
domain No
kernel_getattr_core( domain )
Summary

Allows caller to get attribues of core kernel interface.

Parameters
Parameter:Description:Optional:
domain The process type getting the attibutes. No
kernel_getattr_debugfs( domain )
Summary

Get the attributes of a kernel debugging filesystem.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_getattr_message_if( domain )
Summary

Allow caller to get the attributes of kernel message interface (/proc/kmsg).

Parameters
Parameter:Description:Optional:
domain The process type getting the attributes. No
kernel_getattr_proc( domain )
Summary

Get the attributes of the proc filesystem.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_getattr_proc_files( domain )
Summary

Get the attributes of files in /proc.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_kill_unlabeled( domain )
Summary

Send a kill signal to unlabeled processes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_list_from( dir_type )
Summary

Allow the kernel to read the contents of the specified directory.

Parameters
Parameter:Description:Optional:
dir_type Directory type to list. No
kernel_list_proc( domain )
Summary

List the contents of directories in /proc.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_list_unlabeled( domain )
Summary

List unlabeled directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_load_module( domain )
Summary

Allows caller to load kernel modules

Parameters
Parameter:Description:Optional:
domain The process type to allow to load kernel modules. No
kernel_mount_debugfs( domain )
Summary

Mount a kernel debugging filesystem.

Parameters
Parameter:Description:Optional:
domain The type of the domain mounting the filesystem. No
kernel_read_all_sysctl( domain )
Summary

Allow caller to read all sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_debugfs( domain )
Summary

Read information from the debugging filesystem.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_device_sysctl( domain )
Summary

Allow caller to read the device sysctls.

Parameters
Parameter:Description:Optional:
domain The process type to allow to read the device sysctls. No
kernel_read_file_from( dir_type )
Summary

Allow the kernel to read the specified file.

Parameters
Parameter:Description:Optional:
dir_type Directory type to list. No
kernel_read_fs_sysctl( domain )
Summary

Read filesystem sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_hotplug_sysctl( domain )
Summary

Read the hotplug sysctl.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_irq_sysctl( domain )
Summary

Read IRQ sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_kernel_sysctl( domain )
Summary

Read generic kernel sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_messages( domain )
Summary

Allow caller to read kernel messages using the /proc/kmsg interface.

Parameters
Parameter:Description:Optional:
domain The process type reading the messages. No
kernel_read_modprobe_sysctl( domain )
Summary

Read the modprobe sysctl.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_net_sysctl( domain )
Summary

Allow caller to read network sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_network_state( domain )
Summary

Allow caller to read the network state information.

Parameters
Parameter:Description:Optional:
domain The process type reading the state. No
kernel_read_network_state_symlinks( domain )
Summary

Allow caller to read the network state symbolic links.

Parameters
Parameter:Description:Optional:
domain The process type reading the state. No
kernel_read_proc_symlinks( domain )
Summary

Read symbolic links in /proc.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_ring_buffer( domain )
Summary

Allows caller to read the ring buffer.

Parameters
Parameter:Description:Optional:
domain The process type allowed to read the ring buffer. No
kernel_read_rpc_sysctl( ? )
Summary

Summary is missing!

Parameters
Parameter:Description:Optional:
? Parameter descriptions are missing! No
kernel_read_software_raid_state( domain )
Summary

Allow caller to read the state information for software raid.

Parameters
Parameter:Description:Optional:
domain The process type reading software raid state. No
kernel_read_sysctl( domain )
Summary

Allow access to read sysctl directories.

Parameters
Parameter:Description:Optional:
domain The process type to allow to read sysctl directories. No
kernel_read_system_state( domain )
Summary

Allows caller to read system state information in proc.

Parameters
Parameter:Description:Optional:
domain The process type reading the system state information. No
kernel_read_unix_sysctl( domain )
Summary

Allow caller to read unix domain socket sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_read_vm_sysctl( domain )
Summary

Allow caller to read virtual memory sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_relabel_unlabeled( domain )
Summary

Allow caller to relabel unlabeled objects.

Parameters
Parameter:Description:Optional:
domain The process type relabeling the objects. No
kernel_remount_debugfs( domain )
Summary

Remount a kernel debugging filesystem.

Parameters
Parameter:Description:Optional:
domain The type of the domain remounting the filesystem. No
kernel_rootfs_mountpoint( directory_type )
Summary

Allows the kernel to mount filesystems on the specified directory type.

Parameters
Parameter:Description:Optional:
directory_type The type of the directory to use as a mountpoint. No
kernel_rw_all_sysctl( domain )
Summary

Read and write all sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_device_sysctl( domain )
Summary

Read and write device sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_fs_sysctl( domain )
Summary

Read and write fileystem sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_hotplug_sysctl( domain )
Summary

Read and write the hotplug sysctl.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_irq_sysctl( domain )
Summary

Read and write IRQ sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_kernel_sysctl( domain )
Summary

Read and write generic kernel sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_modprobe_sysctl( domain )
Summary

Read and write the modprobe sysctl.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_net_sysctl( domain )
Summary

Allow caller to modiry contents of sysctl network files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_pipe( domain )
Summary

Read and write kernel unnamed pipes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_rpc_sysctl( ? )
Summary

Summary is missing!

Parameters
Parameter:Description:Optional:
? Parameter descriptions are missing! No
kernel_rw_software_raid_state( domain )
Summary

Allow caller to read and set the state information for software raid.

Parameters
Parameter:Description:Optional:
domain The process type reading software raid state. No
kernel_rw_unix_dgram_socket( domain )
Summary

Read and write kernel unix datagram sockets.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_unix_sysctl( domain )
Summary

Read and write unix domain socket sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_unlabeled_dir( domain )
Summary

Read and write unlabeled directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_rw_vm_sysctl( domain )
Summary

Read and write virtual memory sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_search_debugfs( domain )
Summary

Search the contents of a kernel debugging filesystem.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_search_from( dir_type )
Summary

Allow the kernel to search the specified directory.

Parameters
Parameter:Description:Optional:
dir_type Directory type to search. No
kernel_search_network_state( domain )
Summary

Allow searching of network state directory.

Parameters
Parameter:Description:Optional:
domain The process type reading the state. No
kernel_search_network_sysctl( domain )
Summary

Search network sysctl directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_search_proc( domain )
Summary

Search directories in /proc.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_search_vm_sysctl( domain )
Summary

Allow caller to search virtual memory sysctls.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_send_syslog_msg_from( socket , syslog_type )
Summary

Allow the kernel to send a syslog message to the specified domain, connecting over the specified named socket.

Parameters
Parameter:Description:Optional:
socket The type of the named socket file. No
syslog_type The domain of the syslog daemon. No
kernel_sendrecv_unlabeled_association( domain )
Summary

Send and receive messages from an unlabeled IPSEC association.

Description

Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC have use an unlabeled assocation.

The corenetwork interface corenet_non_ipsec_sendrecv() should be used instead of this one.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_sendto_unix_dgram_socket( domain )
Summary

Send messages to kernel unix datagram sockets.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_setpgid( domain )
Summary

Set the process group of kernel threads.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_share_state( domain )
Summary

Allows the kernel to share state information with the caller.

Parameters
Parameter:Description:Optional:
domain The type of the process with which to share state information. No
kernel_sigchld( domain )
Summary

Send a SIGCHLD signal to kernel threads.

Parameters
Parameter:Description:Optional:
domain The type of the process sending the signal. No
kernel_sigchld_from( domain )
Summary

Allow the kernel to send a SIGCHLD signal to the specified domain.

Parameters
Parameter:Description:Optional:
domain Domain receiving the SIGCHLD. No
kernel_sigchld_from_unlabeled( domain )
Summary

Allow unlabeled processes to send a SIGCHLD signal to the specified domain.

Parameters
Parameter:Description:Optional:
domain Domain receiving the SIGCHLD. No
kernel_sigchld_unlabeled( domain )
Summary

Send a child terminated signal to unlabeled processes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_signal( domain )
Summary

Send a generic signal to kernel threads.

Parameters
Parameter:Description:Optional:
domain The type of the process sending the signal. No
kernel_signal_unlabeled( domain )
Summary

Send general signals to unlabeled processes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_signull_unlabeled( domain )
Summary

Send a null signal to unlabeled processes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_sigstop_unlabeled( domain )
Summary

Send a stop signal to unlabeled processes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_tcp_recvfrom( domain )
Summary

Receive messages from kernel TCP sockets.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_udp_recvfrom( domain )
Summary

Receive messages from kernel UDP sockets.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_udp_sendfrom( domain )
Summary

Allow the kernel to send UDP network traffic the specified domain.

Parameters
Parameter:Description:Optional:
domain The type of the receiving domain. No
kernel_unconfined( domain )
Summary

Unconfined access to kernel module resources.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_unmount_debugfs( domain )
Summary

Unmount a kernel debugging filesystem.

Parameters
Parameter:Description:Optional:
domain The type of the domain unmounting the filesystem. No
kernel_use_fd( domain )
Summary

Permits caller to use kernel file descriptors.

Parameters
Parameter:Description:Optional:
domain The type of the process using the descriptors. No
kernel_use_ld_so_from( lib_type , ld_type , cache_type )
Summary

Use the specified types for /lib directory and use the dynamic link/loader for automatic loading of shared libraries, and the link/loader cache.

Parameters
Parameter:Description:Optional:
lib_type The type of the lib directories. No
ld_type The type of the dynamic link/loader. No
cache_type The type of the dynamic link/loader cache. No
kernel_use_shared_libs_from( lib_dir_type , shlib_type )
Summary

Allow the kernel to load and execute functions from the specified shared libraries.

Parameters
Parameter:Description:Optional:
lib_dir_type The type of the lib directories. No
shlib_type Shared library type. No
kernel_use_unlabeled_blk_dev( domain )
Summary

Read and write unlabeled block device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
kernel_userland_entry( domain , entrypoint )
Summary

Allows to start userland processes by transitioning to the specified domain.

Parameters
Parameter:Description:Optional:
domain The process type entered by kernel. No
entrypoint The executable type for the entrypoint. No
kernel_write_proc_file( domain )
Summary

Write to generic proc entries.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
Return