Layer: kernel

Module: domain

Description:

Core policy for domains.

This module is required to be included in all policies.

Interfaces:

domain_base_type(
	
		type
		
	)

Summary

Make the specified type usable as a basic domain.

Description

Make the specified type usable as a basic domain.

This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.

Parameters

Parameter:	Description:	Optional:
type	Type to be used as a basic domain type.	No

domain_cron_exemption_source(
	
		domain
		
	)

Summary

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain target for user exemption.	No

domain_cron_exemption_target(
	
		domain
		
	)

Summary

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.

Parameters

Parameter:	Description:	Optional:
domain	Domain target for user exemption.	No

domain_dontaudit_getattr_all_dgram_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains unix datagram sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_domains(
	
		domain
		
	)

Summary

Get the attributes of all domains of all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_dontaudit_getattr_all_key_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get attribues of all domains IPSEC key management sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_packet_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get attribues of all domains packet sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_pipes(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains unnamed pipes.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_raw_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get attribues of all domains raw sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains sockets, for all socket types.

Description

Do not audit attempts to get the attributes of all domains sockets, for all socket types.

This interface was added for PCMCIA cardmgr and is probably excessive.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

domain_dontaudit_getattr_all_stream_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains unix datagram sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_tcp_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains TCP sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getattr_all_udp_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of all domains UDP sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_getsession_all_domains(
	
		domain
		
	)

Summary

Do not audit attempts to get the session ID of all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_list_all_domains_state(
	
		domain
		
	)

Summary

Do not audit attempts to read the process state directories of all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_ptrace_all_domains(
	
		domain
		
	)

Summary

Do not audit attempts to ptrace all domains.

Description

Do not audit attempts to ptrace all domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_dontaudit_ptrace_confined_domains(
	
		domain
		
	)

Summary

Do not audit attempts to ptrace confined domains.

Description

Do not audit attempts to ptrace confined domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_dontaudit_read_all_domains_state(
	
		domain
		
	)

Summary

Do not audit attempts to read the process state (/proc/pid) of all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_rw_all_key_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to read or write all domains key sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_rw_all_udp_sockets(
	
		domain
		
	)

Summary

Do not audit attempts to read or write all domains UDP sockets.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_dontaudit_search_all_domains_state(
	
		domain
		
	)

Summary

Do not audit attempts to search the process state directory (/proc/pid) of all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain to not audit.	No

domain_dontaudit_use_interactive_fds(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_dyntrans_type(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_entry_file(
	
		domain
		
			,
		
		type
		
	)

Summary

Make the specified type usable as an entry point for the domain.

Parameters

Parameter:	Description:	Optional:
domain	Domain to be entered.	No
type	Type of program used for entering the domain.	No

domain_entry_file_spec_domtrans(
	
		domain
		
	)

Summary

Execute an entry_type in the specified domain.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_exec_all_entry_files(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_getattr_all_domains(
	
		domain
		
	)

Summary

Get the attributes of all domains of all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_getattr_all_entry_files(
	
		domain
		
	)

Summary

Get the attributes of entry point files for all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_getattr_all_sockets(
	
		domain
		
	)

Summary

Get the attributes of all domains sockets, for all socket types.

Description

Get the attributes of all domains sockets, for all socket types.

This is commonly used for domains that can use lsof on all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_getattr_confined_domains(
	
		domain
		
	)

Summary

Get the attributes of all confined domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_getsession_all_domains(
	
		domain
		
	)

Summary

Get the session ID of all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_interactive_fd(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_kill_all_domains(
	
		domain
		
	)

Summary

Send a kill signal to all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_manage_all_entry_files(
	
		domain
		
	)

Summary

Create, read, write, and delete all entrypoint files.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_mmap_all_entry_files(
	
		domain
		
	)

Summary

Mmap all entry point files as executable.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_obj_id_change_exemption(
	
		domain
		
	)

Summary

Makes caller an exception to the constraint preventing changing the user identity in object contexts.

Parameters

Parameter:	Description:	Optional:
domain	The process type to make an exception to the constraint.	No

domain_ptrace_all_domains(
	
		domain
		
	)

Summary

Ptrace all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_read_all_domains_state(
	
		domain
		
	)

Summary

Read the process state (/proc/pid) of all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_read_all_entry_files(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_read_confined_domains_state(
	
		domain
		
	)

Summary

Read the process state (/proc/pid) of all confined domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_relabel_all_entry_files(
	
		domain
		
	)

Summary

Relabel to and from all entry point file types.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_role_change_exemption(
	
		domain
		
	)

Summary

Makes caller an exception to the constraint preventing changing of role.

Parameters

Parameter:	Description:	Optional:
domain	The process type to make an exception to the constraint.	No

domain_search_all_domains_state(
	
		domain
		
	)

Summary

Search the process state directory (/proc/pid) of all domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_setpriority_all_domains(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_sigchld_all_domains(
	
		domain
		
	)

Summary

Send a child terminated signal to all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_sigchld_interactive_fds(
	
		domain
		
	)

Summary

Send a SIGCHLD signal to domains whose file discriptors are widely inheritable.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_signal_all_domains(
	
		domain
		
	)

Summary

Send general signals to all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_signull_all_domains(
	
		domain
		
	)

Summary

Send a null signal to all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_sigstop_all_domains(
	
		domain
		
	)

Summary

Send a stop signal to all domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_subj_id_change_exemption(
	
		domain
		
	)

Summary

Makes caller an exception to the constraint preventing changing of user identity.

Parameters

Parameter:	Description:	Optional:
domain	The process type to make an exception to the constraint.	No

domain_system_change_exemption(
	
		domain
		
	)

Summary

Makes caller and execption to the constraint preventing changing to the system user identity and system role.

Parameters

Parameter:	Description:	Optional:
domain	Domain allowed access.	No

domain_type(
	
		type
		
	)

Summary

Make the specified type usable as a domain.

Parameters

Parameter:	Description:	Optional:
type	Type to be used as a domain type.	No

domain_unconfined(
	
		domain
		
	)

Summary

Unconfined access to domains.

Parameters

Parameter:	Description:	Optional:
domain	The type of the process performing this action.	No

domain_use_interactive_fds(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_user_exemption_target(
	
		domain
		
	)

Summary

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.

Parameters

Parameter:	Description:	Optional:
domain	Domain target for user exemption.	No

Return

Templates:

domain_auto_trans(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

domain_trans(
	
		?
		
	)

Summary

Summary is missing!

Parameters

Parameter:	Description:	Optional:
?	Parameter descriptions are missing!	No

Return