File: //usr/share/selinux/devel/include/apps.xml
<summary>Policy modules for applications</summary>
<module name="awstats" filename="policy/modules/apps/awstats.if">
<summary>Log file analyzer for advanced statistics.</summary>
<interface name="awstats_domtrans" lineno="14">
<summary>
Execute the awstats program in
the awstats domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="awstats_purge_apache_log_files" dftval="false">
<desc>
<p>
Determine whether awstats can
purge httpd log files.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_awstats_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="calamaris" filename="policy/modules/apps/calamaris.if">
<summary>Squid log analysis.</summary>
<interface name="calamaris_domtrans" lineno="14">
<summary>
Execute calamaris in
the calamaris domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="calamaris_run" lineno="40">
<summary>
Execute calamaris in the
calamaris domain, and allow the
specified role the calamaris domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="calamaris_read_www_files" lineno="59">
<summary>
Read calamaris www files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="calamaris_admin" lineno="86">
<summary>
All of the rules required to
administrate a calamaris environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cdrecord" filename="policy/modules/apps/cdrecord.if">
<summary>Record audio or data Compact Discs from a master.</summary>
<interface name="cdrecord_role" lineno="18">
<summary>
Role access for cdrecord.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="cdrecord_exec" lineno="44">
<summary>
Execute cdrecord in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="cdrecord_read_content" dftval="false">
<desc>
<p>
Determine whether cdrecord can read
various content: nfs, samba, removable
devices, user temp and untrusted
content files.
</p>
</desc>
</tunable>
</module>
<module name="chromium" filename="policy/modules/apps/chromium.if">
<summary>Chromium browser</summary>
<interface name="chromium_role" lineno="18">
<summary>
Role access for chromium
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="chromium_rw_tmp_pipes" lineno="68">
<summary>
Read-write access to Chromium's temporary fifo files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="chromium_tmp_filetrans" lineno="97">
<summary>
Automatically use the specified type for resources created in chromium's
temporary locations
</summary>
<param name="domain">
<summary>
Domain that creates the resource(s)
</summary>
</param>
<param name="class">
<summary>
Type of the resource created
</summary>
</param>
<param name="filename" optional="true">
<summary>
The name of the resource being created
</summary>
</param>
</interface>
<interface name="chromium_domtrans" lineno="116">
<summary>
Execute a domain transition to the chromium domain (chromium_t)
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="chromium_run" lineno="142">
<summary>
Execute chromium in the chromium domain and allow the specified role to access the chromium domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
</interface>
<tunable name="chromium_dri" dftval="true">
<desc>
<p>
Allow chromium to access direct rendering interface
</p>
<p>
Needed for good performance on complex sites
</p>
</desc>
</tunable>
<tunable name="chromium_read_system_info" dftval="false">
<desc>
<p>
Allow chromium to read system information
</p>
<p>
Although not needed for regular browsing, this will allow chromium to update
its own memory consumption based on system state, support additional
debugging, detect specific devices, etc.
</p>
</desc>
</tunable>
<tunable name="chromium_bind_tcp_unreserved_ports" dftval="false">
<desc>
<p>
Allow chromium to bind to tcp ports
</p>
<p>
Although not needed for regular browsing, some chrome extensions need to
bind to tcp ports and accept connections.
</p>
</desc>
</tunable>
<tunable name="chromium_rw_usb_dev" dftval="false">
<desc>
<p>
Allow chromium to read/write USB devices
</p>
<p>
Although not needed for regular browsing, used for debugging over usb
or using FIDO U2F tokens.
</p>
</desc>
</tunable>
<tunable name="chromium_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the chromium domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="chromium_read_all_user_content" dftval="false">
<desc>
<p>
Grant the chromium domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="chromium_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the chromium domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="chromium_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the chromium domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="cpufreqselector" filename="policy/modules/apps/cpufreqselector.if">
<summary>Command-line CPU frequency settings.</summary>
<interface name="cpufreqselector_dbus_chat" lineno="14">
<summary>
Send and receive messages from
cpufreq-selector over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cryfs" filename="policy/modules/apps/cryfs.if">
<summary>CryFS and other similar tools which mount encrypted directories using FUSE.</summary>
<interface name="cryfs_role" lineno="18">
<summary>
Role access for CryFS.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<tunable name="cryfs_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the cryfs domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="cryfs_read_all_user_content" dftval="false">
<desc>
<p>
Grant the cryfs domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="cryfs_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the cryfs domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="cryfs_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the cryfs domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="evolution" filename="policy/modules/apps/evolution.if">
<summary>Evolution email client.</summary>
<interface name="evolution_role" lineno="18">
<summary>
Role access for evolution.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="evolution_home_filetrans" lineno="99">
<summary>
Create objects in the evolution home
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="evolution_read_home_files" lineno="118">
<summary>
Read evolution home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_stream_connect" lineno="137">
<summary>
Connect to evolution using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_read_orbit_tmp_files" lineno="158">
<summary>
Read evolution orbit temporary
files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_dbus_chat" lineno="179">
<summary>
Send and receive messages from
evolution over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_alarm_dbus_chat" lineno="200">
<summary>
Send and receive messages from
evolution_alarm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_domtrans" lineno="221">
<summary>
Make a domain transition to the
evolution target domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="evolution_manage_user_certs" dftval="false">
<desc>
<p>
Allow evolution to create and write
user certificates in addition to
being able to read them
</p>
</desc>
</tunable>
<tunable name="evolution_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the evolution domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="evolution_read_all_user_content" dftval="false">
<desc>
<p>
Grant the evolution domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="evolution_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the evolution domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="evolution_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the evolution domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="games" filename="policy/modules/apps/games.if">
<summary>Various games.</summary>
<interface name="games_role" lineno="18">
<summary>
Role access for games.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="games_rw_data" lineno="52">
<summary>
Read and write games data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="games_domtrans" lineno="71">
<summary>
Run a game in the game domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="games_dbus_chat" lineno="91">
<summary>
Send and receive messages from
games over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="gitosis" filename="policy/modules/apps/gitosis.if">
<summary>Tools for managing and hosting git repositories.</summary>
<interface name="gitosis_domtrans" lineno="13">
<summary>
Execute a domain transition to run gitosis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gitosis_run" lineno="39">
<summary>
Execute gitosis-serve in the
gitosis domain, and allow the
specified role the gitosis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gitosis_read_lib_files" lineno="58">
<summary>
Read gitosis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gitosis_manage_lib_files" lineno="80">
<summary>
Create, read, write, and delete
gitosis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="gitosis_can_sendmail" dftval="false">
<desc>
<p>
Determine whether Gitosis can send mail.
</p>
</desc>
</tunable>
</module>
<module name="gnome" filename="policy/modules/apps/gnome.if">
<summary>GNU network object model environment.</summary>
<template name="gnome_role_template" lineno="24">
<summary>
The role template for gnome.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="gnome_exec_gconf" lineno="125">
<summary>
Execute gconf in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_gconf_config" lineno="144">
<summary>
Read gconf configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_read_inherited_gconf_config_files" lineno="166">
<summary>
Do not audit attempts to read
inherited gconf configuration files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_manage_gconf_config" lineno="185">
<summary>
Create, read, write, and delete
gconf configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect_gconf" lineno="207">
<summary>
Connect to gconf using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_domtrans_gconfd" lineno="226">
<summary>
Run gconfd in gconfd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnome_create_generic_home_dirs" lineno="245">
<summary>
Create generic gnome home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_setattr_generic_home_dirs" lineno="264">
<summary>
Set attributes of generic gnome
user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_generic_home_content" lineno="283">
<summary>
Read generic gnome home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_home_content" lineno="307">
<summary>
Create, read, write, and delete
generic gnome home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_search_generic_home" lineno="330">
<summary>
Search generic gnome home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_home_filetrans" lineno="365">
<summary>
Create objects in gnome user home
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_create_generic_gconf_home_dirs" lineno="384">
<summary>
Create generic gconf home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_generic_gconf_home_content" lineno="402">
<summary>
Read generic gconf home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_gconf_home_content" lineno="426">
<summary>
Create, read, write, and delete
generic gconf home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_search_generic_gconf_home" lineno="449">
<summary>
Search generic gconf home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_home_filetrans_gconf_home" lineno="480">
<summary>
Create objects in user home
directories with the generic gconf
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_home_filetrans_gnome_home" lineno="510">
<summary>
Create objects in user home
directories with the generic gnome
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_gconf_home_filetrans" lineno="544">
<summary>
Create objects in gnome gconf home
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_user_home_dir_filetrans_gstreamer_orcexec" lineno="575">
<summary>
Create objects in user home
directories with the gstreamer
orcexec type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_user_runtime_filetrans_gstreamer_orcexec" lineno="605">
<summary>
Create objects in the user
runtime directories with the
gstreamer orcexec type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_read_keyring_home_files" lineno="623">
<summary>
Read generic gnome keyring home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dbus_chat_gconfd" lineno="650">
<summary>
Send and receive messages from
gnome configuration daemon over
dbus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dbus_chat_gkeyringd" lineno="677">
<summary>
Send and receive messages from
gnome keyring daemon over dbus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dbus_chat_all_gkeyringd" lineno="698">
<summary>
Send and receive messages from all
gnome keyring daemons over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_spec_domtrans_all_gkeyringd" lineno="718">
<summary>
Run all gkeyringd in gkeyringd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect_gkeyringd" lineno="745">
<summary>
Connect to gnome keyring daemon
with a unix stream socket.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect_all_gkeyringd" lineno="766">
<summary>
Connect to all gnome keyring daemons
with a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gstreamer_orcexec" lineno="788">
<summary>
Manage gstreamer ORC optimized
code.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_mmap_gstreamer_orcexec" lineno="807">
<summary>
Mmap gstreamer ORC optimized
code.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_watch_xdg_config_dirs" lineno="825">
<summary>
Watch gnome_xdg_config_t directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="gpg" filename="policy/modules/apps/gpg.if">
<summary>Policy for GNU Privacy Guard and related programs.</summary>
<interface name="gpg_role" lineno="18">
<summary>
Role access for gpg.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="gpg_domtrans" lineno="72">
<summary>
Execute gpg in the gpg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gpg_exec" lineno="91">
<summary>
Execute gpg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_spec_domtrans" lineno="125">
<summary>
Execute gpg in a specified domain.
</summary>
<desc>
<p>
Execute gpg in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="gpg_exec_agent" lineno="144">
<summary>
Execute the gpg-agent in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_entry_type" lineno="164">
<summary>
Make gpg executable files an
entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which gpg_exec_t is an entrypoint.
</summary>
</param>
</interface>
<interface name="gpg_signal" lineno="182">
<summary>
Send generic signals to gpg.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_enter_user_gpg_agent_domain" lineno="205">
<summary>
Transition to $2_gpg_agent_t from another domain via gpg_agent_exec_t
</summary>
<param name="domain">
<summary>
Source domain allowed to transition.
</summary>
</param>
<param name="domain">
<summary>
Base (prefix) of the target domain; substituted for $2 in $2_gpg_agent_t.
</summary>
</param>
</interface>
<interface name="gpg_rw_agent_pipes" lineno="222">
<summary>
Read and write gpg agent pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_stream_connect_agent" lineno="240">
<summary>
Connect to gpg agent socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_search_agent_tmp_dirs" lineno="262">
<summary>
Search gpg agent dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_agent_tmp_filetrans" lineno="280">
<summary>
filetrans in gpg_agent_tmp_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_agent_tmp_unlink_sock" lineno="299">
<summary>
unlink gpg_agent_tmp_t sock_file
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_runtime_filetrans" lineno="317">
<summary>
filetrans in gpg_runtime_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_secret_filetrans" lineno="336">
<summary>
filetrans in gpg_secret_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_pinentry_dbus_chat" lineno="357">
<summary>
Send messages to and from gpg
pinentry over DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_list_user_secrets" lineno="377">
<summary>
List gpg user secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="gpg_agent_env_file" dftval="false">
<desc>
<p>
Determine whether GPG agent can manage
generic user home content files. This is
required by the --write-env-file option.
</p>
</desc>
</tunable>
<tunable name="gpg_agent_use_card" dftval="false">
<desc>
<p>
Determine whether GPG agent can use OpenPGP
cards or Yubikeys over USB
</p>
</desc>
</tunable>
<tunable name="gpg_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the gpg domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="gpg_read_all_user_content" dftval="false">
<desc>
<p>
Grant the gpg domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="gpg_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the gpg domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="gpg_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the gpg domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="irc" filename="policy/modules/apps/irc.if">
<summary>IRC client policy.</summary>
<interface name="irc_role" lineno="18">
<summary>
Role access for IRC.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<tunable name="irc_use_any_tcp_ports" dftval="false">
<desc>
<p>
Determine whether irc clients can
listen on and connect to any
unreserved TCP ports.
</p>
</desc>
</tunable>
<tunable name="irc_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the irc domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="irc_read_all_user_content" dftval="false">
<desc>
<p>
Grant the irc domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="irc_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the irc domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="irc_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the irc domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="java" filename="policy/modules/apps/java.if">
<summary>Java virtual machine</summary>
<interface name="java_role" lineno="18">
<summary>
Role access for java.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<template name="java_role_template" lineno="81">
<summary>
The role template for the java module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for java applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="java_domtrans" lineno="139">
<summary>
Execute the java program in the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="java_run" lineno="164">
<summary>
Execute java in the java domain, and
allow the specified role the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="java_domtrans_unconfined" lineno="184">
<summary>
Execute the java program in the
unconfined java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="java_run_unconfined" lineno="210">
<summary>
Execute the java program in the
unconfined java domain and allow the
specified role the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="java_exec" lineno="230">
<summary>
Execute the java program in
the caller's domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="java_manage_generic_home_content" lineno="250">
<summary>
Create, read, write, and delete
generic java home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="java_manage_java_tmp" lineno="271">
<summary>
Create, read, write, and delete
temporary java content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="java_home_filetrans_java_home" lineno="302">
<summary>
Create specified objects in user home
directories with the generic java
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<tunable name="allow_java_execstack" dftval="false">
<desc>
<p>
Determine whether java can make
its stack executable.
</p>
</desc>
</tunable>
<tunable name="java_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the java domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="java_read_all_user_content" dftval="false">
<desc>
<p>
Grant the java domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="java_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the java domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="java_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the java domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="libmtp" filename="policy/modules/apps/libmtp.if">
<summary>libmtp: An Initiator implementation of the Media Transfer Protocol (MTP).</summary>
<interface name="libmtp_role" lineno="18">
<summary>
Role access for libmtp.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<tunable name="libmtp_enable_home_dirs" dftval="false">
<desc>
<p>
Determine whether libmtp can read
and manage the user home directories
and files.
</p>
</desc>
</tunable>
</module>
<module name="lightsquid" filename="policy/modules/apps/lightsquid.if">
<summary>Log analyzer for squid proxy.</summary>
<interface name="lightsquid_domtrans" lineno="14">
<summary>
Execute the lightsquid program in
the lightsquid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lightsquid_run" lineno="40">
<summary>
Execute lightsquid in the
lightsquid domain, and allow the
specified role the lightsquid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="lightsquid_admin" lineno="66">
<summary>
All of the rules required to
administrate a lightsquid environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_lightsquid_script_anon_write" dftval="false">
<!-- Security note: off by default (dftval="false"). When enabled, the
     script domain may modify anything labeled public_content_rw_t, a
     label that the description says is shared with public file transfer
     services. Review what carries that label before enabling. -->
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="livecd" filename="policy/modules/apps/livecd.if">
<summary>Tool for building alternate livecd for different os and policy versions.</summary>
<interface name="livecd_domtrans" lineno="13">
<summary>
Execute a domain transition to run livecd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="livecd_run" lineno="39">
<summary>
Execute livecd in the livecd
domain, and allow the specified
role the livecd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="livecd_read_tmp_files" lineno="58">
<summary>
Read livecd temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="livecd_rw_tmp_files" lineno="77">
<summary>
Read and write livecd temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="livecd_rw_semaphores" lineno="96">
<summary>
Read and write livecd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="loadkeys" filename="policy/modules/apps/loadkeys.if">
<summary>Load keyboard mappings.</summary>
<interface name="loadkeys_domtrans" lineno="14">
<summary>
Execute the loadkeys program in
the loadkeys domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="loadkeys_run" lineno="41">
<summary>
Execute the loadkeys program in
the loadkeys domain, and allow the
specified role the loadkeys domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="loadkeys_exec" lineno="60">
<summary>
Execute loadkeys in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lockdev" filename="policy/modules/apps/lockdev.if">
<summary>Library for locking devices.</summary>
<interface name="lockdev_role" lineno="18">
<summary>
Role access for lockdev.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
</module>
<module name="man2html" filename="policy/modules/apps/man2html.if">
<summary>A Unix manpage-to-HTML converter.</summary>
<tunable name="allow_httpd_man2html_script_anon_write" dftval="false">
<!-- Security note: off by default (dftval="false"). Enabling it gives the
     man2html script domain write access to content labeled
     public_content_rw_t; the label, not the path, decides what becomes
     writable, so check file contexts before turning it on. -->
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="mandb" filename="policy/modules/apps/mandb.if">
<summary>On-line manual database.</summary>
<interface name="mandb_domtrans" lineno="14">
<summary>
Execute the mandb program in
the mandb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mandb_run" lineno="40">
<summary>
Execute mandb in the mandb
domain, and allow the specified
role the mandb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mandb_admin" lineno="66">
<summary>
All of the rules required to
administrate a mandb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mono" filename="policy/modules/apps/mono.if">
<summary>Run .NET server and client applications on Linux.</summary>
<template name="mono_role_template" lineno="30">
<summary>
The role template for the mono module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for mono applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="mono_domtrans" lineno="80">
<summary>
Execute mono in the mono domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mono_run" lineno="105">
<summary>
Execute mono in the mono domain, and
allow the specified role the mono domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mono_exec" lineno="124">
<summary>
Execute mono in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mono_rw_shm" lineno="143">
<summary>
Read and write mono shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mozilla" filename="policy/modules/apps/mozilla.if">
<summary>Policy for Mozilla and related web browsers.</summary>
<interface name="mozilla_role" lineno="18">
<summary>
Role access for mozilla.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="mozilla_role_plugin" lineno="90">
<summary>
Role access for mozilla plugin.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="mozilla_read_user_home_files" lineno="151">
<summary>
Read mozilla home directory content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_write_user_home_files" lineno="172">
<summary>
Write mozilla home directory files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_dontaudit_rw_user_home_files" lineno="192">
<summary>
Do not audit attempts to read and
write mozilla home directory files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_dontaudit_manage_user_home_files" lineno="212">
<summary>
Do not audit attempts to create,
read, write, and delete mozilla
home directory content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_exec_user_plugin_home_files" lineno="232">
<summary>
Execute mozilla plugin home directory files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_execmod_user_plugin_home_files" lineno="252">
<summary>
Allow text relocation on mozilla
plugin home directory files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_read_tmp_files" lineno="270">
<summary>
Read temporary mozilla files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans" lineno="288">
<summary>
Run mozilla in the mozilla domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans_plugin" lineno="308">
<summary>
Execute a domain transition to
run mozilla plugin.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mozilla_run_plugin" lineno="335">
<summary>
Execute mozilla plugin in the
mozilla plugin domain, and allow
the specified role the mozilla
plugin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans_plugin_config" lineno="355">
<summary>
Execute a domain transition to
run mozilla plugin config.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mozilla_run_plugin_config" lineno="382">
<summary>
Execute mozilla plugin config in
the mozilla plugin config domain,
and allow the specified role the
mozilla plugin config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_dbus_chat" lineno="402">
<summary>
Send and receive messages from
mozilla over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_dbus_chat_plugin" lineno="423">
<summary>
Send and receive messages from
mozilla plugin over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_rw_tcp_sockets" lineno="443">
<summary>
Read and write mozilla TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_manage_plugin_rw_files" lineno="462">
<summary>
Create, read, write, and delete
mozilla plugin rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_read_tmpfs_files" lineno="481">
<summary>
Read mozilla_plugin tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_delete_tmpfs_files" lineno="500">
<summary>
Delete mozilla_plugin tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_manage_generic_plugin_home_content" lineno="520">
<summary>
Create, read, write, and delete
generic mozilla plugin home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_home_filetrans_plugin_home" lineno="555">
<summary>
Create objects in user home
directories with the generic mozilla
plugin home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<tunable name="mozilla_execstack" dftval="false">
<!-- Security note: off by default (dftval="false"). A browser handles
     untrusted content, so an executable stack in the mozilla domain
     removes a mitigation exactly where it matters most. Leave it off
     unless a specific, verified need exists. -->
<desc>
<p>
Determine whether mozilla can
make its stack executable.
</p>
</desc>
</tunable>
<tunable name="mozilla_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the mozilla domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="mozilla_read_all_user_content" dftval="false">
<desc>
<p>
Grant the mozilla domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="mozilla_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the mozilla domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="mozilla_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the mozilla domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="mplayer" filename="policy/modules/apps/mplayer.if">
<summary>Mplayer media player and encoder.</summary>
<interface name="mplayer_role" lineno="18">
<summary>
Role access for mplayer
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="mplayer_domtrans" lineno="65">
<summary>
Run mplayer in mplayer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mplayer_exec" lineno="85">
<summary>
Execute mplayer in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_read_user_home_files" lineno="104">
<summary>
Read mplayer user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_manage_generic_home_content" lineno="124">
<summary>
Create, read, write, and delete
generic mplayer home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_home_filetrans_mplayer_home" lineno="157">
<summary>
Create specified objects in user home
directories with the generic mplayer
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<tunable name="allow_mplayer_execstack" dftval="false">
<!-- Security note: off by default (dftval="false"). mplayer parses media
     files that may come from untrusted sources; allowing an executable
     stack weakens memory protection for that parsing. Enable only when a
     required codec is shown to need it. -->
<desc>
<p>
Determine whether mplayer can make
its stack executable.
</p>
</desc>
</tunable>
<tunable name="mplayer_mencoder_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the mplayer_mencoder domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="mplayer_mencoder_read_all_user_content" dftval="false">
<desc>
<p>
Grant the mplayer_mencoder domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="mplayer_mencoder_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the mplayer_mencoder domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="mplayer_mencoder_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the mplayer_mencoder domains manage rights on all user content
</p>
</desc>
</tunable>
<tunable name="mplayer_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the mplayer domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="mplayer_read_all_user_content" dftval="false">
<desc>
<p>
Grant the mplayer domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="mplayer_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the mplayer domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="mplayer_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the mplayer domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="openoffice" filename="policy/modules/apps/openoffice.if">
<summary>Openoffice suite.</summary>
<interface name="ooffice_role" lineno="18">
<summary>
Role access for openoffice.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="ooffice_domtrans" lineno="48">
<summary>
Run openoffice in its own domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ooffice_dontaudit_exec_tmp_files" lineno="67">
<summary>
Do not audit attempts to execute
files in temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ooffice_rw_tmp_files" lineno="86">
<summary>
Read and write temporary
openoffice files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ooffice_dbus_chat" lineno="106">
<summary>
Send and receive dbus messages
from and to the openoffice
domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ooffice_stream_connect" lineno="127">
<summary>
Connect to openoffice using a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="openoffice_allow_update" dftval="true">
<!-- Security note: on by default (dftval="true"), so openoffice may
     download application and extension updates from the network unless
     an administrator turns this off. Hosts that take updates only
     through the distribution's package manager can disable it. -->
<desc>
<p>
Determine whether openoffice can
download software updates from the
network (application and/or
extensions).
</p>
</desc>
</tunable>
<tunable name="openoffice_allow_email" dftval="false">
<desc>
<p>
Determine whether openoffice writer
can send emails directly (print to
email). This is different from the
functionality of sending emails
through external clients which is
always enabled.
</p>
</desc>
</tunable>
<tunable name="openoffice_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the openoffice domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="openoffice_read_all_user_content" dftval="false">
<desc>
<p>
Grant the openoffice domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="openoffice_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the openoffice domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="openoffice_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the openoffice domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="pulseaudio" filename="policy/modules/apps/pulseaudio.if">
<summary>Pulseaudio network sound server.</summary>
<interface name="pulseaudio_role" lineno="18">
<summary>
Role access for pulseaudio.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="pulseaudio_domtrans" lineno="56">
<summary>
Execute a domain transition to run pulseaudio.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pulseaudio_run" lineno="85">
<summary>
Execute pulseaudio in the pulseaudio
domain, and allow the specified role
the pulseaudio domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_exec" lineno="104">
<summary>
Execute pulseaudio in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_dontaudit_exec" lineno="123">
<summary>
Do not audit attempts to execute pulseaudio.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="pulseaudio_signull" lineno="142">
<summary>
Send null signals to pulseaudio
processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_use_fds" lineno="161">
<summary>
Use file descriptors for
pulseaudio.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_dontaudit_use_fds" lineno="180">
<summary>
Do not audit attempts to use the
file descriptors for pulseaudio.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="pulseaudio_stream_connect" lineno="199">
<summary>
Connect to pulseaudio with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_manage_tmp_dirs" lineno="218">
<summary>
Manage pulseaudio_tmp_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_dbus_chat" lineno="237">
<summary>
Send and receive messages from
pulseaudio over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_setattr_home_dir" lineno="257">
<summary>
Set attributes of pulseaudio home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_read_home" lineno="275">
<summary>
Read pulseaudio home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_rw_home_files" lineno="296">
<summary>
Read and write Pulse Audio files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_manage_home" lineno="317">
<summary>
Create, read, write, and delete
pulseaudio home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_home_filetrans_pulseaudio_home" lineno="350">
<summary>
Create objects in user home
directories with the pulseaudio
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="pulseaudio_tmpfs_content" lineno="369">
<summary>
Make the specified tmpfs file type
pulseaudio tmpfs content.
</summary>
<param name="file_type">
<summary>
File type to make pulseaudio tmpfs content.
</summary>
</param>
</interface>
<interface name="pulseaudio_read_tmpfs_files" lineno="387">
<summary>
Read pulseaudio tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_rw_tmpfs_files" lineno="407">
<summary>
Read and write pulseaudio tmpfs
files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="pulseaudio_execmem" dftval="false">
<!-- Security note: off by default (dftval="false"). Memory that is both
     writable and executable weakens the separation between data and
     code in the pulseaudio domain. Keep it off unless a pulseaudio
     component is shown to fail without it. -->
<desc>
<p>
Allow pulseaudio to execute code in
writable memory
</p>
</desc>
</tunable>
</module>
<module name="qemu" filename="policy/modules/apps/qemu.if">
<summary>QEMU machine emulator and virtualizer.</summary>
<template name="qemu_domain_template" lineno="13">
<summary>
The template to define a qemu domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<template name="qemu_role" lineno="112">
<summary>
Role access for qemu.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="qemu_domtrans" lineno="133">
<summary>
Execute a domain transition to run qemu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qemu_exec" lineno="152">
<summary>
Execute qemu in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_run" lineno="179">
<summary>
Execute qemu in the qemu domain,
and allow the specified role the
qemu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qemu_read_state" lineno="198">
<summary>
Read qemu process state files.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="qemu_setsched" lineno="219">
<summary>
Set qemu scheduler.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_signal" lineno="237">
<summary>
Send generic signals to qemu.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_kill" lineno="255">
<summary>
Send kill signals to qemu.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_stream_connect" lineno="274">
<summary>
Connect to qemu with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_delete_pid_sock_file" lineno="293">
<summary>
Unlink qemu socket (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_delete_runtime_sock_files" lineno="308">
<summary>
Unlink qemu runtime sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_domtrans_unconfined" lineno="327">
<!-- Review note: the summary names an unconfined target. A policy module
     that calls this interface presumably lets the caller run qemu
     without the restrictions of the confined qemu domain (confirm in
     the qemu policy module). Prefer qemu_domtrans where the confined
     domain is sufficient. -->
<summary>
Execute a domain transition to
run qemu unconfined.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qemu_manage_tmp_dirs" lineno="347">
<summary>
Create, read, write, and delete
qemu temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_manage_tmp_files" lineno="367">
<summary>
Create, read, write, and delete
qemu temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_spec_domtrans" lineno="401">
<summary>
Execute qemu in a specified domain.
</summary>
<desc>
<p>
Execute qemu in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="qemu_entry_type" lineno="421">
<summary>
Make qemu executable files an
entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which qemu_exec_t is an entrypoint.
</summary>
</param>
</interface>
<tunable name="qemu_full_network" dftval="false">
<!-- Security note: off by default (dftval="false"). The description does
     not say what network access qemu keeps when this is off, so do not
     treat the default as a guest network restriction without checking
     the qemu policy module. -->
<desc>
<p>
Determine whether qemu has full
access to the network.
</p>
</desc>
</tunable>
</module>
<module name="rssh" filename="policy/modules/apps/rssh.if">
<summary>Restricted (scp/sftp only) shell.</summary>
<interface name="rssh_role" lineno="18">
<summary>
Role access for rssh.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="rssh_spec_domtrans" lineno="46">
<summary>
Execute rssh in the rssh domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rssh_exec" lineno="66">
<summary>
Execute the rssh program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rssh_domtrans_chroot_helper" lineno="86">
<summary>
Execute a domain transition to
run rssh chroot helper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rssh_read_ro_content" lineno="105">
<summary>
Read users rssh read-only content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="screen" filename="policy/modules/apps/screen.if">
<summary>GNU terminal multiplexer.</summary>
<template name="screen_role_template" lineno="24">
<summary>
The role template for the screen module.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
</module>
<module name="seunshare" filename="policy/modules/apps/seunshare.if">
<summary>Filesystem namespacing/polyinstantiation application.</summary>
<interface name="seunshare_domtrans" lineno="13">
<summary>
Execute a domain transition to run seunshare.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seunshare_run" lineno="37">
<summary>
Execute seunshare in the seunshare domain, and
allow the specified role the seunshare domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="seunshare_role" lineno="69">
<summary>
Role access for seunshare
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
</module>
<module name="sigrok" filename="policy/modules/apps/sigrok.if">
<summary>sigrok signal analysis software suite.</summary>
<interface name="sigrok_run" lineno="18">
<summary>
Execute sigrok in its domain.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
</module>
<module name="slocate" filename="policy/modules/apps/slocate.if">
<summary>Update database for mlocate.</summary>
<interface name="locate_read_lib_files" lineno="13">
<summary>
Read locate lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="syncthing" filename="policy/modules/apps/syncthing.if">
<summary>Application that lets you synchronize your files across multiple devices.</summary>
<interface name="syncthing_role" lineno="18">
<summary>
Role access for Syncthing
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<tunable name="syncthing_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the syncthing domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="syncthing_read_all_user_content" dftval="false">
<desc>
<p>
Grant the syncthing domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="syncthing_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the syncthing domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="syncthing_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the syncthing domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="telepathy" filename="policy/modules/apps/telepathy.if">
<summary>Telepathy communications framework.</summary>
<template name="telepathy_domain_template" lineno="13">
<summary>
The template to define a telepathy domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<template name="telepathy_role_template" lineno="59">
<summary>
The role template for the telepathy module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for window manager applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="telepathy_gabble_stream_connect" lineno="137">
<summary>
Connect to gabble with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_gabble_dbus_chat" lineno="157">
<summary>
Send dbus messages to and from
gabble.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_mission_control_dbus_chat" lineno="178">
<summary>
Send dbus messages to and from
mission control.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_mission_control_read_state" lineno="198">
<summary>
Read mission control process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_msn_stream_connect" lineno="220">
<summary>
Connect to msn with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_salut_stream_connect" lineno="240">
<summary>
Connect to salut with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="telepathy_tcp_connect_generic_network_ports" dftval="false">
<desc>
<p>
Determine whether telepathy connection
managers can connect to generic tcp ports.
</p>
</desc>
</tunable>
<tunable name="telepathy_connect_all_ports" dftval="false">
<desc>
<p>
Determine whether telepathy connection
managers can connect to any port.
</p>
</desc>
</tunable>
</module>
<module name="thunderbird" filename="policy/modules/apps/thunderbird.if">
<summary>Thunderbird email client.</summary>
<interface name="thunderbird_role" lineno="18">
<summary>
Role access for thunderbird.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="thunderbird_domtrans" lineno="52">
<summary>
Execute thunderbird in the thunderbird domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="thunderbird_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the thunderbird domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="thunderbird_read_all_user_content" dftval="false">
<desc>
<p>
Grant the thunderbird domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="thunderbird_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the thunderbird domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="thunderbird_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the thunderbird domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="tvtime" filename="policy/modules/apps/tvtime.if">
<summary>High quality television application.</summary>
<interface name="tvtime_role" lineno="18">
<summary>
Role access for tvtime
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
</module>
<module name="uml" filename="policy/modules/apps/uml.if">
<summary>User mode linux tools and services.</summary>
<interface name="uml_role" lineno="18">
<summary>
Role access for uml.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="uml_setattr_util_sockets" lineno="55">
<summary>
Set attributes of uml pid sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uml_manage_util_files" lineno="74">
<summary>
Create, read, write, and delete
uml pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="userhelper" filename="policy/modules/apps/userhelper.if">
<summary>A wrapper that helps users run system programs.</summary>
<template name="userhelper_role_template" lineno="24">
<summary>
The role template for the userhelper module.
</summary>
<param name="userrole_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The user role.
</summary>
</param>
<param name="user_domain">
<summary>
The user domain associated with the role.
</summary>
</param>
</template>
<interface name="userhelper_search_config" lineno="110">
<summary>
Search userhelper configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_dontaudit_search_config" lineno="129">
<summary>
Do not audit attempts to search
userhelper configuration directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userhelper_dbus_chat_all_consolehelper" lineno="148">
<summary>
Send and receive messages from
consolehelper over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_use_fd" lineno="168">
<summary>
Use all userhelper file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_sigchld" lineno="186">
<summary>
Send child terminated signals to all userhelper.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_exec" lineno="204">
<summary>
Execute the userhelper program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_exec_consolehelper" lineno="224">
<summary>
Execute the consolehelper program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="usernetctl" filename="policy/modules/apps/usernetctl.if">
<summary>User network interface configuration helper.</summary>
<interface name="usernetctl_domtrans" lineno="13">
<summary>
Execute usernetctl in the usernetctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usernetctl_run" lineno="40">
<summary>
Execute usernetctl in the usernetctl
domain, and allow the specified role
the usernetctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="vlock" filename="policy/modules/apps/vlock.if">
<summary>Lock one or more sessions on the Linux console.</summary>
<interface name="vlock_domtrans" lineno="13">
<summary>
Execute vlock in the vlock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vlock_run" lineno="40">
<summary>
Execute vlock in the vlock domain,
and allow the specified role
the vlock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="vmware" filename="policy/modules/apps/vmware.if">
<summary>VMWare Workstation virtual machines.</summary>
<interface name="vmware_role" lineno="18">
<summary>
Role access for vmware.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="vmware_exec_host" lineno="50">
<summary>
Execute vmware host executables
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_read_system_config" lineno="69">
<summary>
Read vmware system configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_append_system_config" lineno="88">
<summary>
Append vmware system configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_append_log" lineno="107">
<summary>
Append vmware log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="webalizer" filename="policy/modules/apps/webalizer.if">
<summary>Web server log analysis.</summary>
<interface name="webalizer_domtrans" lineno="13">
<summary>
Execute webalizer in the webalizer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="webalizer_run" lineno="40">
<summary>
Execute webalizer in the webalizer
domain, and allow the specified
role the webalizer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="manage_webalizer_var_lib" lineno="60">
<summary>
Manage webalizer usage files
</summary>
<param name="domain">
<summary>
Domain allowed to manage webalizer usage files
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_webalizer_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="wine" filename="policy/modules/apps/wine.if">
<summary>Run Windows programs in Linux.</summary>
<interface name="wine_role" lineno="18">
<summary>
Role access for wine.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<template name="wine_role_template" lineno="73">
<summary>
The role template for the wine module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for wine applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="wine_domtrans" lineno="114">
<summary>
Execute the wine program in the wine domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="wine_run" lineno="140">
<summary>
Execute wine in the wine domain,
and allow the specified role
the wine domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="wine_rw_shm" lineno="160">
<summary>
Read and write wine shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="wine_mmap_zero_ignore" dftval="false">
<desc>
<p>
Determine whether attempts by
wine to mmap low regions should
be silently blocked.
</p>
</desc>
</tunable>
</module>
<module name="wireshark" filename="policy/modules/apps/wireshark.if">
<summary>Wireshark packet capture tool.</summary>
<interface name="wireshark_role" lineno="18">
<summary>
Role access for wireshark.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="wireshark_domtrans" lineno="50">
<summary>
Execute wireshark in the wireshark domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="wireshark_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the wireshark domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="wireshark_read_all_user_content" dftval="false">
<desc>
<p>
Grant the wireshark domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="wireshark_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the wireshark domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="wireshark_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the wireshark domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="wm" filename="policy/modules/apps/wm.if">
<summary>X Window Managers.</summary>
<template name="wm_role_template" lineno="30">
<summary>
The role template for the wm module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for window manager applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="wm_exec" lineno="137">
<summary>
Execute wm in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wm_dbus_chat" lineno="163">
<summary>
Send and receive messages from
specified wm over dbus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wm_dontaudit_exec_tmp_files" lineno="184">
<summary>
Do not audit attempts to execute
files in temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="wm_dontaudit_exec_tmpfs_files" lineno="203">
<summary>
Do not audit attempts to execute
files in temporary filesystems.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="wm_application_domain" lineno="246">
<summary>
Create a domain for applications
that are launched by the window
manager.
</summary>
<desc>
<p>
Create a domain for applications that are launched by the
window manager (implying a domain transition).  Typically
these are graphical applications that are run interactively.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
</desc>
<param name="target_domain">
<summary>
Type to be used in the domain transition as the application
domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="source_domain">
<summary>
Type to be used as the source window manager domain.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="wm_write_pipes" lineno="271">
<summary>
Write wm unnamed pipes.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="wm_write_xdg_data" dftval="false">
<desc>
<p>
Grant the window manager domains write access to xdg data
</p>
</desc>
</tunable>
</module>
<module name="xscreensaver" filename="policy/modules/apps/xscreensaver.if">
<summary>Modular screen saver and locker for X11.</summary>
<interface name="xscreensaver_role" lineno="18">
<summary>
Role access for xscreensaver.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<tunable name="xscreensaver_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the xscreensaver domains read access to generic user content
</p>
</desc>
</tunable>
</module>