Policy for kernel threads, the proc filesystem, and unlabeled processes and objects.
This module is required to be included in all policies.
Change the level of kernel messages logged to the console.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allows the caller to clear the ring buffer.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type clearing the buffer. | No | 
Do not audit attempts to get the attributes of core kernel interfaces.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type to not audit. | No | 
Do not audit attempts by caller to get the attributes of kernel message interfaces.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type not to audit. | No | 
Do not audit attempts by caller to get attributes for unlabeled block devices.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type not to audit. | No | 
Do not audit attempts to read the ring buffer.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The domain to not audit. | No | 
Do not audit attempts by caller to read system state information.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type not to audit. | No | 
Do not audit attempts by caller to search sysctl network directories.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type not to audit. | No | 
Do not audit attempts by caller to search the sysctl directory.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type not to audit. | No | 
Do not audit attempts to use kernel file descriptors.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of process not to audit. | No | 
Get information on all System V IPC objects.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allows caller to get attributes of core kernel interfaces.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type getting the attributes. | No | 
Allow caller to get the attributes of kernel message interface (/proc/kmsg).
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type getting the attributes. | No | 
Send a kill signal to unlabeled processes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allows caller to load kernel modules.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type to allow to load kernel modules. | No | 
Allow caller to read all sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to read the device sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type to allow to read the device sysctls. | No | 
Read filesystem sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read the hotplug sysctl.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read IRQ sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read generic kernel sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to read kernel messages using the /proc/kmsg interface.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type reading the messages. | No | 
Read the modprobe sysctl.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to read network sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to read the network state information.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type reading the state. | No | 
Allows caller to read the ring buffer.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type allowed to read the ring buffer. | No | 
Summary is missing!
| Parameter: | Description: | Optional: | 
|---|---|---|
| ? | Parameter descriptions are missing! | No | 
Allow caller to read the state information for software raid.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type reading software raid state. | No | 
Allows caller to read system state information.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type reading the system state information. | No | 
Allow caller to read unix domain socket sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to read virtual memory sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to relabel unlabeled objects.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type relabeling the objects. | No | 
Allows the kernel to mount filesystems on the specified directory type.
| Parameter: | Description: | Optional: | 
|---|---|---|
| directory_type | The type of the directory to use as a mountpoint. | No | 
Read and write all sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write device sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write filesystem sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write the hotplug sysctl.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write IRQ sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write generic kernel sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write the modprobe sysctl.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allow caller to modify the contents of sysctl network files.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Summary is missing!
| Parameter: | Description: | Optional: | 
|---|---|---|
| ? | Parameter descriptions are missing! | No | 
Read and write unix domain socket sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Read and write virtual memory sysctls.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Allows the kernel to share state information with the caller.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process with which to share state information. | No | 
Send a SIGCHLD signal to kernel threads.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process sending the signal. | No | 
Send a child terminated signal to unlabeled processes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Send general signals to unlabeled processes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Send a null signal to unlabeled processes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Send a stop signal to unlabeled processes.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process performing this action. | No | 
Unconfined access to the kernel.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | Domain allowed access. | No | 
Permits caller to use kernel file descriptors.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The type of the process using the descriptors. | No | 
Allows the kernel to start userland processes by transitioning to the specified domain.
| Parameter: | Description: | Optional: | 
|---|---|---|
| domain | The process type entered by kernel. | No | 
| entrypoint | The executable type for the entrypoint. | No |
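The interfaces above are meant to be called from a policy module's `.te` file, and the useful decision is which of them a confined domain actually needs. The module below is an added example, not code from this page or from the reference policy; `mydaemon_t`, `mydaemon_exec_t` and the `mydaemon_read_dmesg` tunable are hypothetical, and the interface names are assumed to be the reference policy kernel module's names for the summaries shown above (the page itself prints only the summaries).

```m4
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical daemon domain and its executable type (added example).
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

########################################
#
# Local policy
#

# Read-only view of kernel state: /proc/<pid>/*, /proc/meminfo, /proc/loadavg.
kernel_read_system_state(mydaemon_t)

# Read-only sysctls. Each group is a separate interface so that a domain
# that only needs /proc/sys/kernel/* does not also receive /proc/sys/net/*.
kernel_read_kernel_sysctls(mydaemon_t)
kernel_read_net_sysctls(mydaemon_t)
kernel_read_vm_sysctls(mydaemon_t)

# /proc/net/* (routes, sockets); needed by anything that enumerates interfaces.
kernel_read_network_state(mydaemon_t)

# Silence harmless noise instead of allowing it: libc and most libraries
# stat() /proc and /proc/kmsg at startup and never act on the result.
kernel_dontaudit_getattr_core_if(mydaemon_t)
kernel_dontaudit_getattr_message_if(mydaemon_t)
# Descriptors inherited from the kernel at boot that the daemon never uses.
kernel_dontaudit_use_fds(mydaemon_t)

# Deliberately not granted:
#   kernel_rw_net_sysctls(mydaemon_t)  - would let the daemon change ip_forward,
#                                        rp_filter and friends; reserve it for
#                                        a network-configuration domain
#   kernel_load_module(mydaemon_t)     - loading a module is full kernel control;
#                                        confine it to the module-loading domain
#   kernel_unconfined(mydaemon_t)      - removes every restriction above

# The ring buffer (dmesg) exposes kernel addresses and hardware details, so it
# is gated on a boolean that defaults to off rather than granted outright.
gen_tunable(mydaemon_read_dmesg, false)
tunable_policy(`mydaemon_read_dmesg',`
	kernel_read_ring_buffer(mydaemon_t)
')
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile mydaemon.pp && semodule -i mydaemon.pp`. Then confirm the result is as narrow as intended: `sesearch -A -s mydaemon_t -t sysctl_net_t -c file` should list only read-style permissions (no `write`), `sesearch -D -s mydaemon_t -t proc_t` should show the dontaudit rules, and `sesearch -A -s mydaemon_t -t kernel_t` should be empty until the boolean is switched on with `setsebool mydaemon_read_dmesg on`.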