File: //usr/share/selinux/devel/include/admin.xml
<summary>
	Policy modules for administrative functions, such as package management.
</summary>
<module name="acct" filename="policy/modules/admin/acct.if">
<summary>Berkeley process accounting.</summary>
<interface name="acct_domtrans" lineno="14">
<summary>
Transition to the accounting
management domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="acct_exec" lineno="34">
<summary>
Execute accounting management tools
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_exec_data" lineno="54">
<summary>
Execute accounting management data
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_manage_data" lineno="74">
<summary>
Create, read, write, and delete
process accounting data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_admin" lineno="101">
<summary>
All of the rules required to
administrate an acct environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aide" filename="policy/modules/admin/aide.if">
<summary>Aide filesystem integrity checker.</summary>
<interface name="aide_domtrans" lineno="13">
<summary>
Execute aide in the aide domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aide_run" lineno="39">
<summary>
Execute aide programs in the AIDE
domain and allow the specified role
the AIDE domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="aide_admin" lineno="65">
<summary>
All of the rules required to
administrate an aide environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="aide_mmap_files" dftval="false">
<desc>
<p>
Control if AIDE can mmap files.
AIDE can be compiled with the option 'with-mmap' in which case it will
attempt to mmap files while running.
</p>
</desc>
</tunable>
</module>
<module name="alsa" filename="policy/modules/admin/alsa.if">
<summary>Advanced Linux Sound Architecture utilities.</summary>
<interface name="alsa_domtrans" lineno="13">
<summary>
Execute a domain transition to run Alsa.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="alsa_run" lineno="39">
<summary>
Execute a domain transition to run
Alsa, and allow the specified role
the Alsa domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="alsa_rw_semaphores" lineno="58">
<summary>
Read and write Alsa semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_rw_shared_mem" lineno="76">
<summary>
Read and write Alsa shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_read_config" lineno="94">
<summary>
Read Alsa configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_manage_config" lineno="115">
<summary>
Manage Alsa config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_manage_home_files" lineno="137">
<summary>
Create, read, write, and delete
alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_read_home_files" lineno="156">
<summary>
Read Alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_relabel_home_files" lineno="175">
<summary>
Relabel alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_home_filetrans_alsa_home" lineno="206">
<summary>
Create objects in user home
directories with the generic alsa
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="alsa_read_lib" lineno="224">
<summary>
Read Alsa lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_write_lib" lineno="243">
<summary>
Write Alsa lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="amanda" filename="policy/modules/admin/amanda.if">
<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
<interface name="amanda_domtrans_recover" lineno="14">
<summary>
Execute a domain transition to run
Amanda recover.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amanda_run_recover" lineno="41">
<summary>
Execute a domain transition to run
Amanda recover, and allow the specified
role the Amanda recover domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="amanda_search_lib" lineno="60">
<summary>
Search Amanda library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
<summary>
Do not audit attempts to read /etc/dumpdates.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="amanda_rw_dumpdates_files" lineno="97">
<summary>
Read and write /etc/dumpdates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_manage_lib" lineno="116">
<summary>
Manage Amanda library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_append_log_files" lineno="135">
<summary>
Read and append amanda log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_search_var_lib" lineno="154">
<summary>
Search Amanda var library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="amtu" filename="policy/modules/admin/amtu.if">
<summary>Abstract Machine Test Utility.</summary>
<interface name="amtu_domtrans" lineno="13">
<summary>
Execute a domain transition to run Amtu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amtu_run" lineno="39">
<summary>
Execute a domain transition to run
Amtu, and allow the specified role
the Amtu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="amtu_admin" lineno="65">
<summary>
All of the rules required to
administrate an amtu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="anaconda" filename="policy/modules/admin/anaconda.if">
<summary>Anaconda installer.</summary>
</module>
<module name="apt" filename="policy/modules/admin/apt.if">
<summary>Advanced package tool.</summary>
<interface name="apt_domtrans" lineno="13">
<summary>
Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apt_exec" lineno="32">
<summary>
Execute apt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_run" lineno="57">
<summary>
Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apt_use_fds" lineno="76">
<summary>
Use apt file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_dontaudit_use_fds" lineno="95">
<summary>
Do not audit attempts to use
apt file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apt_read_pipes" lineno="113">
<summary>
Read apt unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_rw_pipes" lineno="131">
<summary>
Read and write apt unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_use_ptys" lineno="149">
<summary>
Read and write apt ptys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_read_cache" lineno="167">
<summary>
Read apt package cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_manage_cache" lineno="187">
<summary>
Create, read, write, and delete apt package cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_read_db" lineno="207">
<summary>
Read apt package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_manage_db" lineno="229">
<summary>
Create, read, write, and delete
apt package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_dontaudit_manage_db" lineno="251">
<summary>
Do not audit attempts to create,
read, write, and delete apt
package database content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="backup" filename="policy/modules/admin/backup.if">
<summary>System backup scripts.</summary>
<interface name="backup_domtrans" lineno="13">
<summary>
Execute backup in the backup domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="backup_run" lineno="40">
<summary>
Execute backup in the backup
domain, and allow the specified
role the backup domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="backup_manage_store_files" lineno="60">
<summary>
Create, read, and write backup
store files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bacula" filename="policy/modules/admin/bacula.if">
<summary>Cross platform network backup.</summary>
<interface name="bacula_domtrans_admin" lineno="14">
<summary>
Execute bacula admin in the bacula
admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bacula_run_admin" lineno="41">
<summary>
Execute user interfaces in the
bacula admin domain, and allow the
specified role the bacula admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bacula_admin" lineno="67">
<summary>
All of the rules required to
administrate a bacula environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bcfg2" filename="policy/modules/admin/bcfg2.if">
<summary>Configuration management suite.</summary>
<interface name="bcfg2_domtrans" lineno="13">
<summary>
Execute bcfg2 in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_initrc_domtrans" lineno="32">
<summary>
Execute bcfg2 server in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_search_lib" lineno="50">
<summary>
Search bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_read_lib_files" lineno="69">
<summary>
Read bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_files" lineno="89">
<summary>
Create, read, write, and delete
bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_dirs" lineno="109">
<summary>
Create, read, write, and delete
bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_admin" lineno="135">
<summary>
All of the rules required to
administrate a bcfg2 environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="blueman" filename="policy/modules/admin/blueman.if">
<summary>Tool to manage Bluetooth devices.</summary>
<interface name="blueman_domtrans" lineno="13">
<summary>
Execute blueman in the blueman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="blueman_dbus_chat" lineno="33">
<summary>
Send and receive messages from
blueman over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_search_lib" lineno="53">
<summary>
Search blueman lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_read_lib_files" lineno="72">
<summary>
Read blueman lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_manage_lib_files" lineno="92">
<summary>
Create, read, write, and delete
blueman lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bootloader" filename="policy/modules/admin/bootloader.if">
<summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
<interface name="bootloader_domtrans" lineno="13">
<summary>
Execute bootloader in the bootloader domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bootloader_run" lineno="39">
<summary>
Execute bootloader interactively and do
a domain transition to the bootloader domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bootloader_exec" lineno="58">
<summary>
Execute bootloader in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_read_config" lineno="77">
<summary>
Read the bootloader configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_rw_config" lineno="97">
<summary>
Read and write the bootloader
configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bootloader_rw_tmp_files" lineno="116">
<summary>
Read and write the bootloader
temporary data in /tmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_manage_tmp_files" lineno="135">
<summary>
Manage the bootloader temporary files in /tmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_map_tmp_files" lineno="155">
<summary>
Map the bootloader temporary files in /tmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_read_tmp_lnk_files" lineno="173">
<summary>
Read bootloader link files under /tmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bootloader_create_runtime_file" lineno="192">
<summary>
Create, read and write the bootloader
runtime data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="brctl" filename="policy/modules/admin/brctl.if">
<summary>Utilities for configuring the Linux ethernet bridge.</summary>
<interface name="brctl_domtrans" lineno="13">
<summary>
Execute a domain transition to run brctl.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="brctl_run" lineno="38">
<summary>
Execute brctl in the brctl domain, and
allow the specified role the brctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="certwatch" filename="policy/modules/admin/certwatch.if">
<summary>Digital Certificate Tracking.</summary>
<interface name="certwatch_domtrans" lineno="13">
<summary>
Domain transition to certwatch.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certwatch_run" lineno="41">
<summary>
Execute certwatch in the certwatch
domain, and allow the specified role
the certwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cfengine" filename="policy/modules/admin/cfengine.if">
<summary>System administration tool for networks.</summary>
<template name="cfengine_domain_template" lineno="13">
<summary>
The template to define a cfengine domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="cfengine_read_lib_files" lineno="45">
<summary>
Read cfengine lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_dontaudit_write_log_files" lineno="65">
<summary>
Do not audit attempts to write
cfengine log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cfengine_admin" lineno="90">
<summary>
All of the rules required to
administrate a cfengine environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="chkrootkit" filename="policy/modules/admin/chkrootkit.if">
<summary>chkrootkit - rootkit checker.</summary>
<interface name="chkrootkit_domtrans" lineno="13">
<summary>
Execute a domain transition to run chkrootkit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chkrootkit_run" lineno="39">
<summary>
Execute chkrootkit in the chkrootkit domain,
and allow the specified role
the chkrootkit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="consoletype" filename="policy/modules/admin/consoletype.if">
<summary>
Determine the type of the console connected to the controlling terminal.
</summary>
<interface name="consoletype_domtrans" lineno="15">
<summary>
Execute consoletype in the consoletype domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="consoletype_run" lineno="44">
<summary>
Execute consoletype in the consoletype domain, and
allow the specified role the consoletype domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="consoletype_exec" lineno="64">
<summary>
Execute consoletype in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ddcprobe" filename="policy/modules/admin/ddcprobe.if">
<summary>ddcprobe retrieves monitor and graphics card information.</summary>
<interface name="ddcprobe_domtrans" lineno="13">
<summary>
Execute ddcprobe in the ddcprobe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ddcprobe_run" lineno="40">
<summary>
Execute ddcprobe in the ddcprobe
domain, and allow the specified
role the ddcprobe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dmesg" filename="policy/modules/admin/dmesg.if">
<summary>Policy for dmesg.</summary>
<interface name="dmesg_domtrans" lineno="13">
<summary>
Execute dmesg in the dmesg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dmesg_exec" lineno="33">
<summary>
Execute dmesg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dmidecode" filename="policy/modules/admin/dmidecode.if">
<summary>Decode DMI data for x86/ia64 bioses.</summary>
<interface name="dmidecode_domtrans" lineno="13">
<summary>
Execute dmidecode in the dmidecode domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dmidecode_run" lineno="40">
<summary>
Execute dmidecode in the dmidecode
domain, and allow the specified
role the dmidecode domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dphysswapfile" filename="policy/modules/admin/dphysswapfile.if">
<summary>Set up, mount/unmount, and delete a swap file.</summary>
<interface name="dphysswapfile_admin" lineno="20">
<summary>
All of the rules required to
administrate a dphys-swapfile environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dpkg" filename="policy/modules/admin/dpkg.if">
<summary>Debian package manager.</summary>
<interface name="dpkg_domtrans" lineno="13">
<summary>
Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dpkg_nnp_domtrans" lineno="32">
<summary>
Transition to dpkg_t when NNP (no_new_privs) has been set.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_run" lineno="57">
<summary>
Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dpkg_exec" lineno="76">
<summary>
Execute dpkg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_domtrans_script" lineno="96">
<summary>
Execute dpkg_script programs in
the dpkg_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dpkg_script_rw_pipes" lineno="117">
<summary>
Access dpkg_script fifos.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_use_fds" lineno="136">
<summary>
Inherit and use file descriptors from dpkg.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_pipes" lineno="154">
<summary>
Read from unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_rw_pipes" lineno="172">
<summary>
Read and write unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_use_script_fds" lineno="191">
<summary>
Inherit and use file descriptors
from dpkg scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_script_rw_inherited_pipes" lineno="210">
<summary>
Inherit and use file descriptors
from dpkg scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_db" lineno="229">
<summary>
Read dpkg package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_manage_db" lineno="251">
<summary>
Create, read, write, and delete
dpkg package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_dontaudit_manage_db" lineno="273">
<summary>
Do not audit attempts to create,
read, write, and delete dpkg
package database content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dpkg_lock_db" lineno="294">
<summary>
Create, read, write, and delete
dpkg lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_manage_script_tmp_files" lineno="314">
<summary>
Manage dpkg_script_tmp_t files and directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_map_script_tmp_files" lineno="334">
<summary>
Map dpkg_script_tmp_t files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_script_tmp_symlinks" lineno="352">
<summary>
Read dpkg_script_tmp_t symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_dbus_chat" lineno="370">
<summary>
Send dbus messages to dpkg_t.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_state" lineno="388">
<summary>
Read dpkg_t process state.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="fakehwclock" filename="policy/modules/admin/fakehwclock.if">
<summary>fake-hwclock - Control fake hardware clock.</summary>
<interface name="fakehwclock_admin" lineno="19">
<summary>
All the rules required to
administrate a fake-hwclock environment.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="firstboot" filename="policy/modules/admin/firstboot.if">
<summary>Initial system configuration utility.</summary>
<interface name="firstboot_domtrans" lineno="13">
<summary>
Execute firstboot in the firstboot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="firstboot_run" lineno="39">
<summary>
Execute firstboot in the firstboot
domain, and allow the specified role
the firstboot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_use_fds" lineno="58">
<summary>
Inherit and use firstboot file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_use_fds" lineno="77">
<summary>
Do not audit attempts to inherit
firstboot file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firstboot_write_pipes" lineno="95">
<summary>
Write firstboot unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_rw_pipes" lineno="113">
<summary>
Read and write firstboot unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_rw_pipes" lineno="132">
<summary>
Do not audit attempts to read and
write firstboot unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_rw_stream_sockets" lineno="152">
<summary>
Do not audit attempts to read and
write firstboot unix domain
stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<tunable name="firstboot_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the firstboot domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="firstboot_read_all_user_content" dftval="false">
<desc>
<p>
Grant the firstboot domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="firstboot_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the firstboot domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="firstboot_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the firstboot domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="hwloc" filename="policy/modules/admin/hwloc.if">
<summary>Dump topology and locality information from hardware tables.</summary>
<interface name="hwloc_domtrans_dhwd" lineno="13">
<summary>
Execute hwloc dhwd in the hwloc dhwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hwloc_run_dhwd" lineno="38">
<summary>
Execute hwloc dhwd in the hwloc dhwd domain, and
allow the specified role the hwloc dhwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="hwloc_exec_dhwd" lineno="57">
<summary>
Execute hwloc dhwd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hwloc_read_runtime_files" lineno="75">
<summary>
Read hwloc runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hwloc_admin" lineno="96">
<summary>
All of the rules required to
administrate an hwloc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="kdump" filename="policy/modules/admin/kdump.if">
<summary>Kernel crash dumping mechanism.</summary>
<interface name="kdump_domtrans" lineno="13">
<summary>
Execute kdump in the kdump domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdump_initrc_domtrans" lineno="33">
<summary>
Execute kdump init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdump_read_config" lineno="51">
<summary>
Read kdump configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_manage_config" lineno="71">
<summary>
Create, read, write, and delete
kdump configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_admin" lineno="97">
<summary>
All of the rules required to
administrate a kdump environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="kismet" filename="policy/modules/admin/kismet.if">
<summary>IEEE 802.11 wireless LAN sniffer.</summary>
<template name="kismet_role" lineno="18">
<summary>
Role access for kismet.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="kismet_domtrans" lineno="51">
<summary>
Execute a domain transition to run kismet.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kismet_run" lineno="76">
<summary>
Execute kismet in the kismet domain, and
allow the specified role the kismet domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_pid_files" lineno="95">
<summary>
Read kismet pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_pid_files" lineno="111">
<summary>
Create, read, write, and delete
kismet pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_runtime_files" lineno="126">
<summary>
Read kismet runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_runtime_files" lineno="146">
<summary>
Create, read, write, and delete
kismet runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_search_lib" lineno="165">
<summary>
Search kismet lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_lib_files" lineno="184">
<summary>
Read kismet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_lib_files" lineno="205">
<summary>
Create, read, write, and delete
kismet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_lib" lineno="225">
<summary>
Create, read, write, and delete
kismet lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_log" lineno="247">
<summary>
Read kismet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kismet_append_log" lineno="266">
<summary>
Append kismet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_log" lineno="286">
<summary>
Create, read, write, and delete
kismet log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_admin" lineno="314">
<summary>
All of the rules required to
administrate a kismet environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="logrotate" filename="policy/modules/admin/logrotate.if">
<summary>Rotates, compresses, removes and mails system log files.</summary>
<interface name="logrotate_domtrans" lineno="13">
<summary>
Execute logrotate in the logrotate domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logrotate_run" lineno="40">
<summary>
Execute logrotate in the logrotate
domain, and allow the specified
role the logrotate domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logrotate_exec" lineno="59">
<summary>
Execute logrotate in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logrotate_use_fds" lineno="78">
<summary>
Inherit and use logrotate file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logrotate_dontaudit_use_fds" lineno="97">
<summary>
Do not audit attempts to inherit
logrotate file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logrotate_read_tmp_files" lineno="115">
<summary>
Read logrotate temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="logwatch" filename="policy/modules/admin/logwatch.if">
<summary>System log analyzer and reporter.</summary>
<interface name="logwatch_read_tmp_files" lineno="13">
<summary>
Read logwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logwatch_search_cache_dir" lineno="32">
<summary>
Search logwatch cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="logwatch_can_network_connect_mail" dftval="false">
<desc>
<p>
Determine whether logwatch can connect
to mail over the network.
</p>
</desc>
</tunable>
</module>
<module name="mcelog" filename="policy/modules/admin/mcelog.if">
<summary>Linux hardware error daemon.</summary>
<interface name="mcelog_domtrans" lineno="13">
<summary>
Execute a domain transition to run mcelog.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mcelog_admin" lineno="39">
<summary>
All of the rules required to
administrate an mcelog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mcelog_client" dftval="false">
<desc>
<p>
Determine whether mcelog supports
client mode.
</p>
</desc>
</tunable>
<tunable name="mcelog_exec_scripts" dftval="true">
<desc>
<p>
Determine whether mcelog can execute scripts.
</p>
</desc>
</tunable>
<tunable name="mcelog_foreground" dftval="false">
<desc>
<p>
Determine whether mcelog can use all
the user ttys.
</p>
</desc>
</tunable>
<tunable name="mcelog_server" dftval="false">
<desc>
<p>
Determine whether mcelog supports
server mode.
</p>
</desc>
</tunable>
<tunable name="mcelog_syslog" dftval="false">
<desc>
<p>
Determine whether mcelog can use syslog.
</p>
</desc>
</tunable>
</module>
<module name="mrtg" filename="policy/modules/admin/mrtg.if">
<summary>Network traffic graphing.</summary>
<interface name="mrtg_read_config" lineno="13">
<summary>
Read mrtg configuration
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mrtg_append_create_logs" lineno="31">
<summary>
Create and append mrtg log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mrtg_admin" lineno="58">
<summary>
All of the rules required to
administrate an mrtg environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ncftool" filename="policy/modules/admin/ncftool.if">
<summary>Cross-platform network configuration library.</summary>
<interface name="ncftool_domtrans" lineno="13">
<summary>
Execute a domain transition to run ncftool.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ncftool_run" lineno="39">
<summary>
Execute ncftool in the ncftool
domain, and allow the specified
role the ncftool domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="netutils" filename="policy/modules/admin/netutils.if">
<summary>Network analysis utilities</summary>
<interface name="netutils_domtrans" lineno="13">
<summary>
Execute network utilities in the netutils domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="netutils_run" lineno="39">
<summary>
Execute network utilities in the netutils domain, and
allow the specified role the netutils domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="netutils_exec" lineno="58">
<summary>
Execute network utilities in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="netutils_signal" lineno="77">
<summary>
Send generic signals to network utilities.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="netutils_domtrans_ping" lineno="95">
<summary>
Execute ping in the ping domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="netutils_kill_ping" lineno="114">
<summary>
Send a kill (SIGKILL) signal to ping.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="netutils_signal_ping" lineno="132">
<summary>
Send generic signals to ping.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="netutils_run_ping" lineno="157">
<summary>
Execute ping in the ping domain, and
allow the specified role the ping domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="netutils_run_ping_cond" lineno="183">
<summary>
Conditionally execute ping in the ping domain, and
allow the specified role the ping domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="netutils_exec_ping" lineno="206">
<summary>
Execute ping in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="netutils_domtrans_traceroute" lineno="225">
<summary>
Execute traceroute in the traceroute domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="netutils_run_traceroute" lineno="251">
<summary>
Execute traceroute in the traceroute domain, and
allow the specified role the traceroute domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="netutils_run_traceroute_cond" lineno="277">
<summary>
Conditionally execute traceroute in the traceroute domain, and
allow the specified role the traceroute domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="netutils_exec_traceroute" lineno="300">
<summary>
Execute traceroute in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="user_ping" dftval="false">
<desc>
<p>
Control users' use of ping and traceroute.
</p>
</desc>
</tunable>
</module>
<module name="passenger" filename="policy/modules/admin/passenger.if">
<summary>Ruby on Rails deployment for Apache and Nginx servers.</summary>
<interface name="passenger_domtrans" lineno="13">
<summary>
Execute passenger in the passenger domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="passenger_exec" lineno="32">
<summary>
Execute passenger in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_read_lib_files" lineno="51">
<summary>
Read passenger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="portage" filename="policy/modules/admin/portage.if">
<summary>Package Management System.</summary>
<interface name="portage_domtrans" lineno="13">
<summary>
Execute emerge in the portage domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run" lineno="40">
<summary>
Execute emerge in the portage domain,
and allow the specified role the
portage domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_compile_domain" lineno="65">
<summary>
Template for portage sandbox.
</summary>
<desc>
<p>
Template for portage sandbox.  Portage
does all compiling in the sandbox.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portage_domtrans_fetch" lineno="211">
<summary>
Execute tree management functions
(fetching, layman, ...) in the
portage fetch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run_fetch" lineno="240">
<summary>
Execute tree management functions
(fetching, layman, ...) in the
portage fetch domain, and allow
the specified role the portage
fetch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_domtrans_gcc_config" lineno="259">
<summary>
Execute gcc-config in the gcc config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run_gcc_config" lineno="286">
<summary>
Execute gcc-config in the gcc config
domain, and allow the specified role
the gcc_config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_dontaudit_use_fds" lineno="306">
<summary>
Do not audit attempts to use
portage file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="portage_dontaudit_search_tmp" lineno="325">
<summary>
Do not audit attempts to search the
portage temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="portage_dontaudit_rw_tmp_files" lineno="344">
<summary>
Do not audit attempts to read and write
the portage temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<tunable name="portage_use_nfs" dftval="false">
<desc>
<p>
Determine whether portage can
use nfs filesystems.
</p>
</desc>
</tunable>
</module>
<module name="prelink" filename="policy/modules/admin/prelink.if">
<summary>Prelink ELF shared library mappings.</summary>
<interface name="prelink_domtrans" lineno="13">
<summary>
Execute prelink in the prelink domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelink_exec" lineno="37">
<summary>
Execute prelink in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_run" lineno="64">
<summary>
Execute prelink in the prelink
domain, and allow the specified role
the prelink domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="prelink_object_file" lineno="83">
<summary>
Make the specified file type prelinkable.
</summary>
<param name="file_type">
<summary>
File type to be prelinked.
</summary>
</param>
</interface>
<interface name="prelink_read_cache" lineno="101">
<summary>
Read prelink cache files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_delete_cache" lineno="120">
<summary>
Delete prelink cache files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_manage_log" lineno="140">
<summary>
Create, read, write, and delete
prelink log files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_manage_lib" lineno="160">
<summary>
Create, read, write, and delete
prelink var_lib files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_relabelfrom_lib" lineno="179">
<summary>
Relabel from prelink lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_relabel_lib" lineno="198">
<summary>
Relabel prelink lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="puppet" filename="policy/modules/admin/puppet.if">
<summary>Configuration management system.</summary>
<interface name="puppet_domtrans_puppetca" lineno="14">
<summary>
Execute puppetca in the puppetca
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="puppet_run_puppetca" lineno="41">
<summary>
Execute puppetca in the puppetca
domain and allow the specified
role the puppetca domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="puppet_read_config" lineno="60">
<summary>
Read puppet configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_lib_files" lineno="81">
<summary>
Read Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_manage_lib_files" lineno="101">
<summary>
Create, read, write, and delete
puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_append_log_files" lineno="120">
<summary>
Append puppet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_create_log_files" lineno="139">
<summary>
Create puppet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_log_files" lineno="158">
<summary>
Read puppet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_rw_tmp" lineno="177">
<summary>
Read and write to puppet temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_admin" lineno="203">
<summary>
All of the rules required to
administrate a puppet environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="puppet_manage_all_files" dftval="false">
<desc>
<p>
Determine whether puppet can
manage all non-security files.
</p>
</desc>
</tunable>
</module>
<module name="quota" filename="policy/modules/admin/quota.if">
<summary>File system quota management.</summary>
<interface name="quota_domtrans" lineno="13">
<summary>
Execute quota management tools in the quota domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="quota_run" lineno="40">
<summary>
Execute quota management tools in
the quota domain, and allow the
specified role the quota domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="quota_domtrans_nld" lineno="59">
<summary>
Execute quota nld in the quota nld domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="quota_manage_db_files" lineno="79">
<summary>
Create, read, write, and delete
quota db files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_spec_filetrans_db" lineno="114">
<summary>
Create specified objects in specified
directories with a type transition to
the quota db file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Directory to transition on.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="quota_dontaudit_getattr_db" lineno="133">
<summary>
Do not audit attempts to get attributes
of filesystem quota data files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="quota_manage_flags" lineno="152">
<summary>
Create, read, write, and delete
quota flag files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_admin" lineno="178">
<summary>
All of the rules required to
administrate a quota environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rkhunter" filename="policy/modules/admin/rkhunter.if">
<summary>rkhunter - rootkit checker.</summary>
<interface name="rkhunter_domtrans" lineno="13">
<summary>
Execute a domain transition to run rkhunter.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rkhunter_run" lineno="39">
<summary>
Execute rkhunter in the rkhunter domain,
and allow the specified role
the rkhunter domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="rkhunter_connect_http" dftval="false">
<desc>
<p>
Determine whether rkhunter can connect
to http ports. This is required by the
--update option.
</p>
</desc>
</tunable>
</module>
<module name="rpm" filename="policy/modules/admin/rpm.if">
<summary>Red Hat package manager.</summary>
<interface name="rpm_domtrans" lineno="13">
<summary>
Execute rpm in the rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_debuginfo_domtrans" lineno="33">
<summary>
Execute debuginfo install
in the rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_domtrans_script" lineno="52">
<summary>
Execute rpm scripts in the rpm script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_run" lineno="82">
<summary>
Execute rpm in the rpm domain,
and allow the specified roles the
rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpm_exec" lineno="101">
<summary>
Execute rpm in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_signull" lineno="120">
<summary>
Send null signals to rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_use_fds" lineno="138">
<summary>
Inherit and use file descriptors from rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_pipes" lineno="156">
<summary>
Read rpm unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_rw_pipes" lineno="174">
<summary>
Read and write rpm unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dbus_chat" lineno="193">
<summary>
Send and receive messages from
rpm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_dbus_chat" lineno="214">
<summary>
Do not audit attempts to send and
receive messages from rpm over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_script_dbus_chat" lineno="235">
<summary>
Send and receive messages from
rpm script over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_search_log" lineno="255">
<summary>
Search rpm log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_append_log" lineno="274">
<summary>
Append rpm log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_log" lineno="294">
<summary>
Create, read, write, and delete
rpm log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_use_script_fds" lineno="313">
<summary>
Inherit and use rpm script file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_script_tmp_files" lineno="332">
<summary>
Create, read, write, and delete
rpm script temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_append_tmp_files" lineno="351">
<summary>
Append rpm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_tmp_files" lineno="371">
<summary>
Create, read, write, and delete
rpm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_script_tmp_files" lineno="390">
<summary>
Read rpm script temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_cache" lineno="410">
<summary>
Read rpm cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_cache" lineno="432">
<summary>
Create, read, write, and delete
rpm cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_db" lineno="453">
<summary>
Read rpm lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_delete_db" lineno="475">
<summary>
Delete rpm lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_db" lineno="495">
<summary>
Create, read, write, and delete
rpm lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_manage_db" lineno="517">
<summary>
Do not audit attempts to create, read,
write, and delete rpm lib content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_read_pid_files" lineno="538">
<summary>
Read rpm pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_pid_files" lineno="553">
<!--
  Marked deprecated in its summary, as are rpm_read_pid_files and
  rpm_pid_filetrans_rpm_pid in this module. rpm_manage_runtime_files
  carries the same description with "runtime" in place of "pid" and is
  presumably the replacement; confirm in rpm.if before migrating callers.
-->
<summary>
Create, read, write, and delete
rpm pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_pid_filetrans_rpm_pid" lineno="579">
<summary>
Create specified objects in pid directories
with the rpm pid file type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="rpm_manage_runtime_files" lineno="594">
<summary>
Create, read, write, and delete
rpm runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_admin" lineno="620">
<summary>
All of the rules required to
administrate an rpm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="samhain" filename="policy/modules/admin/samhain.if">
<summary>Check file integrity.</summary>
<template name="samhain_service_template" lineno="13">
<summary>
The template to define a samhain domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="samhain_domtrans" lineno="38">
<summary>
Execute samhain in the samhain domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samhain_run" lineno="82">
<summary>
Execute samhain in the samhain
domain with the clearance security
level and allow the specified role
the samhain domain.
</summary>
<desc>
<p>
Execute samhain in the samhain
domain with the clearance security
level and allow the specified role
the samhain domain.
</p>
<p>
The range_transition rule used in
this interface requires the calling
domain to have the clearance security
level; otherwise the MLS constraint
for process transition would fail.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed to access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samhain_manage_config_files" lineno="107">
<summary>
Create, read, write, and delete
samhain configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_db_files" lineno="127">
<summary>
Create, read, write, and delete
samhain database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_init_script_files" lineno="147">
<summary>
Create, read, write, and delete
samhain init script files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_log_files" lineno="167">
<summary>
Create, read, write, and delete
samhain log and log.lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_pid_files" lineno="187">
<summary>
Create, read, write, and delete
samhain pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_admin" lineno="208">
<!--
  The role parameter is flagged unused="true", while the interface still
  carries the rolecap marker. Presumably the role argument is accepted
  for signature compatibility and has no effect; confirm in samhain.if
  before relying on this interface to grant anything to a role.
-->
<summary>
All of the rules required to
administrate the samhain environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sblim" filename="policy/modules/admin/sblim.if">
<summary>Standards Based Linux Instrumentation for Manageability.</summary>
<interface name="sblim_domtrans_gatherd" lineno="13">
<summary>
Execute gatherd in the gatherd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sblim_read_pid_files" lineno="32">
<summary>
Read gatherd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_admin" lineno="53">
<summary>
All of the rules required to
administrate an sblim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="shorewall" filename="policy/modules/admin/shorewall.if">
<summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
<interface name="shorewall_domtrans" lineno="13">
<summary>
Execute a domain transition to run shorewall.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shorewall_lib_domtrans" lineno="33">
<!--
  The entry point for this transition is an executable kept under
  /var/lib. The same module exposes shorewall_rw_lib_files, which grants
  read and write on "shorewall lib files".
  NOTE(review): confirm in shorewall.te and shorewall.fc that a domain
  given the write interface cannot modify the executables used for this
  transition into the firewall configuration domain.
-->
<summary>
Execute a domain transition to run shorewall
using executables from /var/lib.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shorewall_read_config" lineno="52">
<summary>
Read shorewall configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_read_lib_files" lineno="71">
<summary>
Read shorewall lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_rw_lib_files" lineno="90">
<summary>
Read and write shorewall lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_read_tmp_files" lineno="109">
<summary>
Read shorewall temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_admin" lineno="135">
<summary>
All of the rules required to
administrate a shorewall environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="shutdown" filename="policy/modules/admin/shutdown.if">
<summary>System shutdown command.</summary>
<interface name="shutdown_role" lineno="18">
<summary>
Role access for shutdown.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="shutdown_domtrans" lineno="39">
<summary>
Execute a domain transition to run shutdown.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shutdown_run" lineno="65">
<summary>
Execute shutdown in the shutdown
domain, and allow the specified role
the shutdown domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="shutdown_signal" lineno="84">
<summary>
Send generic signals to shutdown.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shutdown_sigchld" lineno="102">
<summary>
Send SIGCHLD signals to shutdown.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shutdown_getattr_exec_files" lineno="120">
<summary>
Get attributes of shutdown executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="sosreport" filename="policy/modules/admin/sosreport.if">
<summary>Generate debugging information for system.</summary>
<interface name="sosreport_domtrans" lineno="13">
<summary>
Execute a domain transition to run sosreport.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sosreport_run" lineno="39">
<summary>
Execute sosreport in the sosreport
domain, and allow the specified
role the sosreport domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_role" lineno="63">
<summary>
Role access for sosreport.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="sosreport_read_tmp_files" lineno="84">
<summary>
Read sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_append_tmp_files" lineno="103">
<summary>
Append sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_delete_tmp_files" lineno="122">
<summary>
Delete sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="su" filename="policy/modules/admin/su.if">
<summary>Run shells with substitute user and group.</summary>
<template name="su_restricted_domain_template" lineno="31">
<summary>
Restricted su domain template.
</summary>
<desc>
<p>
This template creates a derived domain which is allowed
to change the linux user id, to run shells as a different
user.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
</template>
<template name="su_role_template" lineno="138">
<summary>
The role template for the su module.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="su_exec" lineno="270">
<!--
  No domain transition is described here: su is executed in the caller's
  own domain. su_restricted_domain_template in this module is the
  construct that creates a separate derived domain allowed to change the
  linux user id; this interface does not.
-->
<summary>
Execute su in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="sudo" filename="policy/modules/admin/sudo.if">
<summary>Execute a command with a substitute user.</summary>
<template name="sudo_role_template" lineno="31">
<summary>
The role template for the sudo module.
</summary>
<desc>
<p>
This template creates a derived domain which is allowed
to change the linux user id, to run commands as a different
user.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The user role.
</summary>
</param>
<param name="user_domain">
<summary>
The user domain associated with the role.
</summary>
</param>
</template>
<interface name="sudo_sigchld" lineno="185">
<summary>
Send a SIGCHLD signal to the sudo domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="sudo_all_tcp_connect_http_port" dftval="false">
<!--
  Policy boolean, off by default (dftval="false"). The description scopes
  it to all sudo domains, so it cannot be enabled for a single role:
  turning it on for one HTTP-backed authentication setup allows every
  sudo domain to connect to TCP HTTP ports.
-->
<desc>
<p>
Determine whether all sudo domains
can connect to TCP HTTP ports. This
is needed if an additional authentication
mechanism via an HTTP server is
required for users to use sudo.
</p>
</desc>
</tunable>
</module>
<module name="sxid" filename="policy/modules/admin/sxid.if">
<summary>SUID/SGID program monitoring.</summary>
<interface name="sxid_read_log" lineno="14">
<!--
  Carries the rolecap marker although it takes only a domain parameter
  and its summary describes read access to log files. Elsewhere in this
  file (for example tripwire_run_tripwire) rolecap appears on interfaces
  that also take a role.
  NOTE(review): confirm in sxid.if whether the marker is intended.
-->
<summary>
Read sxid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tboot" filename="policy/modules/admin/tboot.if">
<summary>Utilities for the tboot TXT module.</summary>
<interface name="tboot_domtrans_txtstat" lineno="13">
<summary>
Execute txt-stat in the txtstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tboot_run_txtstat" lineno="38">
<summary>
Execute txt-stat in the txtstat domain, and
allow the specified role the txtstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the txtstat domain.
</summary>
</param>
</interface>
</module>
<module name="tmpreaper" filename="policy/modules/admin/tmpreaper.if">
<summary>Manage temporary directory sizes and file ages.</summary>
<interface name="tmpreaper_exec" lineno="13">
<summary>
Execute tmpreaper in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tripwire" filename="policy/modules/admin/tripwire.if">
<summary>File integrity checker.</summary>
<interface name="tripwire_domtrans_tripwire" lineno="13">
<summary>
Execute tripwire in the tripwire domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_tripwire" lineno="40">
<summary>
Execute tripwire in the tripwire
domain, and allow the specified
role the tripwire domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_twadmin" lineno="59">
<summary>
Execute twadmin in the twadmin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_twadmin" lineno="86">
<summary>
Execute twadmin in the twadmin
domain, and allow the specified
role the twadmin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_twprint" lineno="105">
<summary>
Execute twprint in the twprint domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_twprint" lineno="132">
<summary>
Execute twprint in the twprint
domain, and allow the specified
role the twprint domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_siggen" lineno="151">
<summary>
Execute siggen in the siggen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_siggen" lineno="178">
<summary>
Execute siggen in the siggen domain,
and allow the specified role
the siggen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tzdata" filename="policy/modules/admin/tzdata.if">
<summary>Time zone updater.</summary>
<interface name="tzdata_domtrans" lineno="13">
<summary>
Execute a domain transition to run tzdata.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tzdata_run" lineno="40">
<summary>
Execute tzdata in the tzdata domain,
and allow the specified role
the tzdata domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="updfstab" filename="policy/modules/admin/updfstab.if">
<summary>Red Hat utility to change fstab.</summary>
<interface name="updfstab_domtrans" lineno="13">
<summary>
Execute updfstab in the updfstab domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="usbguard" filename="policy/modules/admin/usbguard.if">
<summary>
Usbguard enforces the USB device authorization policy for all USB
devices.
</summary>
<interface name="usbguard_stream_connect" lineno="16">
<summary>
Connect to usbguard with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="usbguard_user_modify_rule_files" dftval="false">
<desc>
<p>
Determine whether authorized users can control the daemon,
which requires usbguard-daemon to be able to modify its rules in
/etc/usbguard.
</p>
</desc>
</tunable>
</module>
<module name="usbmodules" filename="policy/modules/admin/usbmodules.if">
<summary>List kernel modules of USB devices.</summary>
<interface name="usbmodules_domtrans" lineno="13">
<summary>
Execute usbmodules in the usbmodules domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmodules_run" lineno="40">
<summary>
Execute usbmodules in the usbmodules
domain, and allow the specified
role the usbmodules domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="usermanage" filename="policy/modules/admin/usermanage.if">
<summary>Policy for managing user accounts.</summary>
<interface name="usermanage_domtrans_chfn" lineno="13">
<summary>
Execute chfn in the chfn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usermanage_run_chfn" lineno="42">
<summary>
Execute chfn in the chfn domain, and
allow the specified role the chfn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="usermanage_domtrans_groupadd" lineno="61">
<summary>
Execute groupadd in the groupadd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usermanage_run_groupadd" lineno="91">
<summary>
Execute groupadd in the groupadd domain, and
allow the specified role the groupadd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="usermanage_domtrans_passwd" lineno="110">
<summary>
Execute passwd in the passwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usermanage_kill_passwd" lineno="133">
<summary>
Send sigkills to passwd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="usermanage_check_exec_passwd" lineno="151">
<summary>
Check if the passwd binary is executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="usermanage_run_passwd" lineno="175">
<summary>
Execute passwd in the passwd domain, and
allow the specified role the passwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="usermanage_domtrans_admin_passwd" lineno="195">
<summary>
Execute password admin functions in
the admin passwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usermanage_run_admin_passwd" lineno="222">
<summary>
Execute passwd admin functions in the admin
passwd domain, and allow the specified role
the admin passwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="usermanage_dontaudit_use_useradd_fds" lineno="241">
<summary>
Do not audit attempts to use useradd fds.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="usermanage_domtrans_useradd" lineno="259">
<summary>
Execute useradd in the useradd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usermanage_check_exec_useradd" lineno="282">
<summary>
Check if the useradd binaries are executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="usermanage_run_useradd" lineno="307">
<summary>
Execute useradd in the useradd domain, and
allow the specified role the useradd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="usermanage_read_crack_db" lineno="326">
<summary>
Read the crack database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="vbetool" filename="policy/modules/admin/vbetool.if">
<summary>Run real-mode video BIOS code to alter hardware state.</summary>
<interface name="vbetool_domtrans" lineno="13">
<summary>
Execute vbetool in the vbetool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vbetool_run" lineno="39">
<summary>
Execute vbetool in the vbetool
domain, and allow the specified
role the vbetool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="vbetool_mmap_zero_ignore" dftval="false">
<!--
  Policy boolean, off by default (dftval="false"). It controls only
  whether vbetool's attempts to mmap low regions are blocked silently.
  NOTE(review): with the default value the attempts are not silenced by
  this boolean; whether they are then allowed or denied and audited is
  decided in vbetool.te, so confirm there before changing it.
-->
<desc>
<p>
Determine whether attempts by
vbetool to mmap low regions should
be silently blocked.
</p>
</desc>
</tunable>
</module>
<module name="vpn" filename="policy/modules/admin/vpn.if">
<summary>Virtual Private Networking client.</summary>
<interface name="vpn_domtrans" lineno="13">
<summary>
Execute vpn clients in the vpnc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vpn_run" lineno="40">
<summary>
Execute vpn clients in the vpnc
domain, and allow the specified
role the vpnc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="vpn_kill" lineno="59">
<summary>
Send kill signals to vpnc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_signal" lineno="77">
<summary>
Send generic signals to vpnc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_signull" lineno="95">
<summary>
Send null signals to vpnc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_dbus_chat" lineno="114">
<summary>
Send and receive messages from
vpnc over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_relabelfrom_tun_socket" lineno="134">
<summary>
Relabel from vpnc socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>