File: //usr/share/selinux/devel/include/services.xml
<summary>
	Policy modules for system services, like cron, and network services,
	like sshd.
</summary>
<module name="abrt" filename="policy/modules/services/abrt.if">
<summary>Automated bug-reporting tool.</summary>
<interface name="abrt_domtrans" lineno="13">
<summary>
Execute abrt in the abrt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_exec" lineno="32">
<summary>
Execute abrt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_signull" lineno="51">
<summary>
Send null signals to abrt.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_state" lineno="69">
<summary>
Read process state of abrt.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_stream_connect" lineno="87">
<summary>
Connect to abrt over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_dbus_chat" lineno="107">
<summary>
Send and receive messages from
abrt over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_domtrans_helper" lineno="128">
<summary>
Execute abrt-helper in the abrt
helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_run_helper" lineno="155">
<summary>
Execute abrt helper in the abrt
helper domain, and allow the
specified role the abrt helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="abrt_manage_cache" lineno="175">
<summary>
Create, read, write, and delete
abrt cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_config" lineno="196">
<summary>
Read abrt configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_log" lineno="215">
<summary>
Read abrt log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_pid_files" lineno="234">
<summary>
Read abrt PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_pid_files" lineno="249">
<summary>
Create, read, write, and delete
abrt PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_runtime_files" lineno="265">
<summary>
Create, read, write, and delete
abrt runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_admin" lineno="291">
<summary>
All of the rules required to
administrate an abrt environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="abrt_anon_write" dftval="false">
<desc>
<p>
Determine whether ABRT can modify
public files used for public file
transfer services.
</p>
</desc>
</tunable>
<tunable name="abrt_upload_watch_anon_write" dftval="true">
<desc>
<p>
Determine whether abrt-handle-upload
can modify public files used for public file
transfer services in /var/spool/abrt-upload/.
</p>
</desc>
</tunable>
<tunable name="abrt_handle_event" dftval="false">
<desc>
<p>
Determine whether ABRT can run in
the abrt_handle_event_t domain to
handle ABRT event scripts.
</p>
</desc>
</tunable>
</module>
<module name="accountsd" filename="policy/modules/services/accountsd.if">
<summary>AccountsService and daemon for manipulating user account information via D-Bus.</summary>
<interface name="accountsd_domtrans" lineno="14">
<summary>
Execute a domain transition to
run accountsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="accountsd_dontaudit_rw_fifo_file" lineno="34">
<summary>
Do not audit attempts to read and
write Accounts Daemon fifo files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="accountsd_dbus_chat" lineno="53">
<summary>
Send and receive messages from
accountsd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_search_lib" lineno="73">
<summary>
Search accountsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_read_lib_files" lineno="92">
<summary>
Read accountsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_manage_lib_files" lineno="113">
<summary>
Create, read, write, and delete
accountsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_admin" lineno="139">
<summary>
All of the rules required to
administrate an accountsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="acpi" filename="policy/modules/services/acpi.if">
<summary>Advanced power management.</summary>
<interface name="acpi_domtrans_client" lineno="13">
<summary>
Execute apm in the apm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="acpi_run_client" lineno="39">
<summary>
Execute apm in the apm domain
and allow the specified role
the apm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="acpi_use_fds" lineno="58">
<summary>
Use apmd file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acpi_write_pipes" lineno="76">
<summary>
Write apmd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acpi_rw_stream_sockets" lineno="95">
<summary>
Read and write to apmd unix
stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acpi_append_log" lineno="113">
<summary>
Append apmd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acpi_stream_connect" lineno="133">
<summary>
Connect to apmd over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acpi_admin" lineno="159">
<summary>
All of the rules required to
administrate an apm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="afs" filename="policy/modules/services/afs.if">
<summary>Andrew Filesystem server.</summary>
<interface name="afs_domtrans" lineno="14">
<summary>
Execute a domain transition to run the
afs client.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afs_rw_udp_sockets" lineno="33">
<summary>
Read and write afs client UDP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_rw_cache" lineno="51">
<summary>
Read and write afs cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_initrc_domtrans" lineno="70">
<summary>
Execute afs server in the afs domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afs_admin" lineno="95">
<summary>
All of the rules required to
administrate an afs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aiccu" filename="policy/modules/services/aiccu.if">
<summary>Automatic IPv6 Connectivity Client Utility.</summary>
<interface name="aiccu_domtrans" lineno="13">
<summary>
Execute a domain transition to run aiccu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_initrc_domtrans" lineno="32">
<summary>
Execute aiccu server in the aiccu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_read_pid_files" lineno="50">
<summary>
Read aiccu PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aiccu_admin" lineno="71">
<summary>
All of the rules required to
administrate an aiccu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aisexec" filename="policy/modules/services/aisexec.if">
<summary>Aisexec Cluster Engine.</summary>
<interface name="aisexec_domtrans" lineno="13">
<summary>
Execute a domain transition to run aisexec.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aisexec_stream_connect" lineno="33">
<summary>
Connect to aisexec over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexec_read_log" lineno="52">
<summary>
Read aisexec log file content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexecd_admin" lineno="79">
<summary>
All of the rules required to
administrate an aisexec environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="amavis" filename="policy/modules/services/amavis.if">
<summary>High-performance interface between an email server and content checkers.</summary>
<interface name="amavis_domtrans" lineno="13">
<summary>
Execute a domain transition to run amavis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amavis_initrc_domtrans" lineno="32">
<summary>
Execute amavis server in the amavis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amavis_read_spool_files" lineno="50">
<summary>
Read amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_spool_files" lineno="70">
<summary>
Create, read, write, and delete
amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_spool_filetrans" lineno="106">
<summary>
Create objects in the amavis spool directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="amavis_search_lib" lineno="125">
<summary>
Search amavis lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_read_lib_files" lineno="144">
<summary>
Read amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_lib_files" lineno="165">
<summary>
Create, read, write, and delete
amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_setattr_pid_files" lineno="184">
<summary>
Set attributes of amavis pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_create_pid_files" lineno="199">
<summary>
Create amavis pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_setattr_runtime_files" lineno="214">
<summary>
Set attributes of amavis runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_create_runtime_files" lineno="233">
<summary>
Create amavis runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_admin" lineno="259">
<summary>
All of the rules required to
administrate an amavis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="amavis_use_jit" dftval="false">
<desc>
<p>
Determine whether amavis can
use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="apache" filename="policy/modules/services/apache.if">
<summary>Various web servers.</summary>
<template name="apache_content_template" lineno="14">
<summary>
Create a set of derived types for
httpd web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="apache_role" lineno="120">
<summary>
Role access for apache.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="apache_read_user_scripts" lineno="175">
<summary>
Read user httpd script executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_user_content" lineno="195">
<summary>
Read user httpd content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans" lineno="215">
<summary>
Execute httpd with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_exec" lineno="234">
<summary>
Execute httpd.
</summary>
<param name="domain">
<summary>
Domain allowed to execute it.
</summary>
</param>
</interface>
<interface name="apache_initrc_domtrans" lineno="252">
<summary>
Execute httpd server in the httpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_signal" lineno="270">
<summary>
Send generic signals to httpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_signull" lineno="288">
<summary>
Send null signals to httpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_sigchld" lineno="306">
<summary>
Send child terminated signals to httpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_use_fds" lineno="325">
<summary>
Inherit and use file descriptors
from httpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_fifo_file" lineno="344">
<summary>
Do not audit attempts to read and
write httpd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_stream_sockets" lineno="363">
<summary>
Do not audit attempts to read and
write httpd unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_rw_stream_sockets" lineno="382">
<summary>
Read and write httpd unix domain
stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_tcp_sockets" lineno="401">
<summary>
Do not audit attempts to read and
write httpd TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_reload" lineno="419">
<summary>
Reload the httpd service (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_all_ra_content" lineno="438">
<summary>
Read all appendable web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_append_all_ra_content" lineno="457">
<summary>
Append to all appendable web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_all_rw_content" lineno="475">
<summary>
Read all read/write web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_all_rw_content" lineno="494">
<summary>
Manage all read/write web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_all_content" lineno="513">
<summary>
Read all web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_all_content" lineno="535">
<summary>
Search all apache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_all_content" lineno="553">
<summary>
List all apache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_all_content" lineno="573">
<summary>
Create, read, write, and delete
all httpd content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_setattr_cache_dirs" lineno="597">
<summary>
Set attributes of httpd cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_cache" lineno="615">
<summary>
List httpd cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_rw_cache_files" lineno="633">
<summary>
Read and write httpd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_dirs" lineno="651">
<summary>
Delete httpd cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_files" lineno="669">
<summary>
Delete httpd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_config" lineno="688">
<summary>
Read httpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_search_config" lineno="709">
<summary>
Search httpd configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_config" lineno="729">
<summary>
Create, read, write, and delete
httpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_helper" lineno="751">
<summary>
Execute the Apache helper program
with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_run_helper" lineno="778">
<summary>
Execute the Apache helper program with
a domain transition, and allow the
specified role the Apache helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_log" lineno="798">
<summary>
Read httpd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_append_log" lineno="819">
<summary>
Append httpd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_append_log" lineno="840">
<summary>
Do not audit attempts to append
httpd log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_manage_log" lineno="859">
<summary>
Create, read, write, and delete
httpd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_write_log" lineno="880">
<summary>
Write apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_search_modules" lineno="900">
<summary>
Do not audit attempts to search
httpd module directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_list_modules" lineno="918">
<summary>
List httpd module directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_modules" lineno="936">
<summary>
Execute httpd module files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_module_files" lineno="956">
<summary>
Read httpd module files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_rotatelogs" lineno="976">
<summary>
Execute a domain transition to
run httpd_rotatelogs.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_list_sys_content" lineno="995">
<summary>
List httpd system content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_sys_content" lineno="1016">
<summary>
Create, read, write, and delete
httpd system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_manage_sys_rw_content" lineno="1038">
<summary>
Create, read, write, and delete
httpd system rw content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_sys_script" lineno="1060">
<summary>
Execute all httpd scripts in the
system script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="1083">
<summary>
Do not audit attempts to read and
write httpd system script unix
domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_domtrans_all_scripts" lineno="1102">
<summary>
Execute all user scripts in the user
script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_run_all_scripts" lineno="1127">
<summary>
Execute all user scripts in the user
script domain. Add user script domains
to the specified role.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_squirrelmail_data" lineno="1146">
<summary>
Read httpd squirrelmail data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_append_squirrelmail_data" lineno="1164">
<summary>
Append httpd squirrelmail data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_squirrelmail_spool" lineno="1182">
<summary>
Delete httpd squirrelmail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_content" lineno="1200">
<summary>
Search httpd system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_sys_content" lineno="1219">
<summary>
Read httpd system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_scripts" lineno="1239">
<summary>
Search httpd system CGI directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_all_user_content" lineno="1259">
<summary>
Create, read, write, and delete all
user httpd content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_search_sys_script_state" lineno="1280">
<summary>
Search system script state directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_tmp_files" lineno="1298">
<summary>
Read httpd tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_write_tmp_files" lineno="1318">
<summary>
Do not audit attempts to write
httpd tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_delete_lib_files" lineno="1336">
<summary>
Delete httpd_var_lib_t files.
</summary>
<param name="domain">
<summary>
Domain that can delete the files.
</summary>
</param>
</interface>
<interface name="apache_cgi_domain" lineno="1367">
<summary>
Execute CGI in the specified domain.
</summary>
<desc>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="domain">
<summary>
Domain to run the cgi script in.
</summary>
</param>
<param name="entrypoint">
<summary>
Type of the executable to enter the cgi domain.
</summary>
</param>
</interface>
<interface name="apache_admin" lineno="1395">
<summary>
All of the rules required to
administrate an apache environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_rw_runtime_files" lineno="1447">
<summary>
Read and write httpd_runtime_t files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="allow_httpd_anon_write" dftval="false">
<desc>
<p>
Determine whether httpd can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_mod_auth_pam" dftval="false">
<desc>
<p>
Determine whether httpd can use mod_auth_pam.
</p>
</desc>
</tunable>
<tunable name="httpd_builtin_scripting" dftval="false">
<desc>
<p>
Determine whether httpd can use built-in scripting.
</p>
</desc>
</tunable>
<tunable name="httpd_can_check_spam" dftval="false">
<desc>
<p>
Determine whether httpd can check spam.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect" dftval="false">
<desc>
<p>
Determine whether httpd scripts and modules
can connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_cobbler" dftval="false">
<desc>
<p>
Determine whether httpd scripts and modules
can connect to cobbler over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_db" dftval="false">
<desc>
<p>
Determine whether httpd scripts and modules can
connect to databases over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_ldap" dftval="false">
<desc>
<p>
Determine whether httpd can connect to
ldap over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_memcache" dftval="false">
<desc>
<p>
Determine whether httpd can connect
to memcache server over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_relay" dftval="false">
<desc>
<p>
Determine whether httpd can act as a relay.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_zabbix" dftval="false">
<desc>
<p>
Determine whether httpd daemon can
connect to zabbix over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_sendmail" dftval="false">
<desc>
<p>
Determine whether httpd can send mail.
</p>
</desc>
</tunable>
<tunable name="httpd_dbus_avahi" dftval="false">
<desc>
<p>
Determine whether httpd can communicate
with avahi service via dbus.
</p>
</desc>
</tunable>
<tunable name="httpd_enable_cgi" dftval="false">
<desc>
<p>
Determine whether httpd can use CGI support.
</p>
</desc>
</tunable>
<tunable name="httpd_enable_ftp_server" dftval="false">
<desc>
<p>
Determine whether httpd can act as an
FTP server by listening on the ftp port.
</p>
</desc>
</tunable>
<tunable name="httpd_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether httpd can traverse
user home directories.
</p>
</desc>
</tunable>
<tunable name="httpd_gpg_anon_write" dftval="false">
<desc>
<p>
Determine whether httpd gpg can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="httpd_tmp_exec" dftval="false">
<desc>
<p>
Determine whether httpd can execute
its temporary content.
</p>
</desc>
</tunable>
<tunable name="httpd_execmem" dftval="false">
<desc>
<p>
Determine whether httpd scripts and
modules can use execmem and execstack,
that is, make writable memory mappings
or the process stack executable.
</p>
</desc>
</tunable>
<tunable name="httpd_graceful_shutdown" dftval="false">
<desc>
<p>
Determine whether httpd can connect
to port 80 for graceful shutdown.
</p>
</desc>
</tunable>
<tunable name="httpd_manage_ipa" dftval="false">
<desc>
<p>
Determine whether httpd can
manage IPA content files.
</p>
</desc>
</tunable>
<tunable name="httpd_mod_auth_ntlm_winbind" dftval="false">
<desc>
<p>
Determine whether httpd can use mod_auth_ntlm_winbind.
</p>
</desc>
</tunable>
<tunable name="httpd_read_user_content" dftval="false">
<desc>
<p>
Determine whether httpd can read
generic user home content files.
</p>
</desc>
</tunable>
<tunable name="httpd_setrlimit" dftval="false">
<desc>
<p>
Determine whether httpd can change
its resource limits.
</p>
</desc>
</tunable>
<tunable name="httpd_ssi_exec" dftval="false">
<desc>
<p>
Determine whether httpd can run
SSI executables in the same domain
as system CGI scripts.
</p>
</desc>
</tunable>
<tunable name="httpd_tty_comm" dftval="false">
<desc>
<p>
Determine whether httpd can communicate
with the terminal. Needed for entering the
passphrase for certificates at the terminal.
</p>
</desc>
</tunable>
<tunable name="httpd_unified" dftval="false">
<desc>
<p>
Determine whether httpd can have full access
to its content types.
</p>
</desc>
</tunable>
<tunable name="httpd_use_cifs" dftval="false">
<desc>
<p>
Determine whether httpd can use
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="httpd_use_fusefs" dftval="false">
<desc>
<p>
Determine whether httpd can
use fuse file systems.
</p>
</desc>
</tunable>
<tunable name="httpd_use_gpg" dftval="false">
<desc>
<p>
Determine whether httpd can use gpg.
</p>
</desc>
</tunable>
<tunable name="httpd_use_nfs" dftval="false">
<desc>
<p>
Determine whether httpd can use
nfs file systems.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_sys_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_user_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_unconfined_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="apcupsd" filename="policy/modules/services/apcupsd.if">
<summary>APC UPS monitoring daemon.</summary>
<interface name="apcupsd_domtrans" lineno="14">
<summary>
Execute a domain transition to
run apcupsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_initrc_domtrans" lineno="34">
<summary>
Execute apcupsd server in the
apcupsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_read_pid_files" lineno="52">
<summary>
Read apcupsd PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_read_log" lineno="67">
<summary>
Read apcupsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apcupsd_append_log" lineno="87">
<summary>
Append apcupsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_cgi_script_domtrans" lineno="108">
<summary>
Execute a domain transition to
run httpd_apcupsd_cgi_script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_admin" lineno="138">
<summary>
All of the rules required to
administrate an apcupsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_apcupsd_cgi_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="aptcacher" filename="policy/modules/services/aptcacher.if">
<summary>apt-cacher, cache for Debian APT repositories.</summary>
<interface name="aptcacher_domtrans_acngtool" lineno="13">
<summary>
Execute acngtool in the acngtool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aptcacher_run_acngtool" lineno="38">
<summary>
Execute acngtool in the acngtool domain, and
allow the specified role the acngtool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="aptcacher_stream_connect" lineno="58">
<summary>
Connect to aptcacher using a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aptcacher_filetrans_log_dir" lineno="77">
<summary>
Create /var/log/apt-cacher-ng.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aptcacher_filetrans_cache_dir" lineno="95">
<summary>
Create /var/cache/apt-cacher-ng.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aptcacher_etc_filetrans_conf_dir" lineno="113">
<summary>
Create /etc/apt-cacher-ng.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="arpwatch" filename="policy/modules/services/arpwatch.if">
<summary>Ethernet activity monitor.</summary>
<interface name="arpwatch_initrc_domtrans" lineno="14">
<summary>
Execute arpwatch server in the
arpwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="arpwatch_search_data" lineno="32">
<summary>
Search arpwatch data file directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_data_files" lineno="52">
<summary>
Create, read, write, and delete
arpwatch data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_rw_tmp_files" lineno="72">
<summary>
Read and write arpwatch temporary
files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_tmp_files" lineno="92">
<summary>
Create, read, write, and delete
arpwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="112">
<summary>
Do not audit attempts to read and
write arpwatch packet sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="arpwatch_admin" lineno="137">
<summary>
All of the rules required to
administrate an arpwatch environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="asterisk" filename="policy/modules/services/asterisk.if">
<summary>Asterisk IP telephony server.</summary>
<interface name="asterisk_domtrans" lineno="13">
<summary>
Execute asterisk in the asterisk domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="asterisk_exec" lineno="32">
<summary>
Execute asterisk in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_stream_connect" lineno="52">
<summary>
Connect to asterisk over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_setattr_logs" lineno="72">
<summary>
Set attributes of asterisk log
files and directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_setattr_pid_files" lineno="93">
<summary>
Set attributes of the asterisk
PID content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_admin" lineno="114">
<summary>
All of the rules required to
administrate an asterisk environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="automount" filename="policy/modules/services/automount.if">
<summary>Filesystem automounter service.</summary>
<interface name="automount_domtrans" lineno="13">
<summary>
Execute automount in the automount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="automount_signal" lineno="33">
<summary>
Send generic signals to automount.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_read_state" lineno="51">
<summary>
Read automount process state.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_use_fds" lineno="73">
<summary>
Do not audit attempts to use
automount file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_write_pipes" lineno="92">
<summary>
Do not audit attempts to write
automount unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="112">
<summary>
Do not audit attempts to get
attributes of automount temporary
directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_admin" lineno="137">
<summary>
All of the rules required to
administrate an automount environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="avahi" filename="policy/modules/services/avahi.if">
<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary>
<interface name="avahi_domtrans" lineno="13">
<summary>
Execute avahi server in the avahi domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="avahi_initrc_domtrans" lineno="33">
<summary>
Execute avahi init scripts in the
init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="avahi_signal" lineno="51">
<summary>
Send generic signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_kill" lineno="69">
<summary>
Send kill signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_signull" lineno="87">
<summary>
Send null signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dbus_chat" lineno="106">
<summary>
Send and receive messages from
avahi over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_stream_connect" lineno="127">
<summary>
Connect to avahi using a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_create_pid_dirs" lineno="146">
<summary>
Create avahi pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_setattr_pid_dirs" lineno="161">
<summary>
Set attributes of avahi pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_setattr_runtime_dirs" lineno="176">
<summary>
Set attributes of avahi runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_create_runtime_dirs" lineno="195">
<summary>
Create avahi runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_manage_pid_files" lineno="214">
<summary>
Create, read, and write avahi pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dontaudit_search_pid" lineno="230">
<summary>
Do not audit attempts to search
avahi pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="avahi_filetrans_pid" lineno="256">
<summary>
Create specified objects in generic
pid directories with the avahi pid file type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="avahi_manage_runtime_files" lineno="271">
<summary>
Create, read, and write avahi runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dontaudit_search_runtime" lineno="291">
<summary>
Do not audit attempts to search
avahi runtime directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="avahi_filetrans_runtime" lineno="320">
<summary>
Create specified objects in generic
runtime directories with the avahi runtime file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="avahi_admin" lineno="345">
<summary>
All of the rules required to
administrate an avahi environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bind" filename="policy/modules/services/bind.if">
<summary>Berkeley Internet Name Domain (BIND) DNS server.</summary>
<interface name="bind_initrc_domtrans" lineno="14">
<summary>
Execute bind init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_domtrans_ndc" lineno="32">
<summary>
Execute ndc in the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_signal" lineno="51">
<summary>
Send generic signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_signull" lineno="69">
<summary>
Send null signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_kill" lineno="87">
<summary>
Send kill signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_run_ndc" lineno="112">
<summary>
Execute ndc in the ndc domain, and
allow the specified role the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bind_domtrans" lineno="131">
<summary>
Execute bind in the named domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_read_dnssec_keys" lineno="150">
<summary>
Read dnssec key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_config" lineno="168">
<summary>
Read bind named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_write_config" lineno="186">
<summary>
Write bind named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_config_dirs" lineno="206">
<summary>
Create, read, write, and delete
bind configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_search_cache" lineno="224">
<summary>
Search bind cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_cache" lineno="246">
<summary>
Create, read, write, and delete
bind cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_pid_dirs" lineno="267">
<summary>
Set attributes of bind pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_zone_dirs" lineno="281">
<summary>
Set attributes of bind zone directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_zone" lineno="299">
<summary>
Read bind zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_zone" lineno="319">
<summary>
Create, read, write, and delete
bind zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_admin" lineno="345">
<summary>
All of the rules required to
administrate a bind environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="named_tcp_bind_http_port" dftval="false">
<desc>
<p>
Determine whether Bind can bind TCP sockets to http ports.
</p>
</desc>
</tunable>
<tunable name="named_write_master_zones" dftval="false">
<desc>
<p>
Determine whether Bind can write to master zone files.
Generally this is used for dynamic DNS or zone transfers.
</p>
</desc>
</tunable>
</module>
<module name="bird" filename="policy/modules/services/bird.if">
<summary>BIRD Internet Routing Daemon.</summary>
<interface name="bird_admin" lineno="20">
<summary>
All of the rules required to
administrate a bird environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bitlbee" filename="policy/modules/services/bitlbee.if">
<summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary>
<interface name="bitlbee_read_config" lineno="13">
<summary>
Read bitlbee configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bitlbee_admin" lineno="40">
<summary>
All of the rules required to
administrate a bitlbee environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bluetooth" filename="policy/modules/services/bluetooth.if">
<summary>Bluetooth tools and system services.</summary>
<interface name="bluetooth_role" lineno="18">
<summary>
Role access for bluetooth.
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="bluetooth_stream_connect" lineno="63">
<summary>
Connect to bluetooth over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_domtrans" lineno="83">
<summary>
Execute bluetooth in the bluetooth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bluetooth_read_config" lineno="102">
<summary>
Read bluetooth configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dbus_chat" lineno="121">
<summary>
Send and receive messages from
bluetooth over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dontaudit_read_helper_state" lineno="142">
<summary>
Do not audit attempts to read
bluetooth process state files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bluetooth_admin" lineno="168">
<summary>
All of the rules required to
administrate a bluetooth environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="boinc" filename="policy/modules/services/boinc.if">
<summary>Platform for computing using volunteered resources.</summary>
<interface name="boinc_admin" lineno="20">
<summary>
All of the rules required to
administrate a boinc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="boinc_execmem" dftval="true">
<desc>
<p>
Determine whether boinc can use execmem and execstack.
</p>
</desc>
</tunable>
</module>
<module name="bugzilla" filename="policy/modules/services/bugzilla.if">
<summary>Bugtracker.</summary>
<interface name="bugzilla_search_content" lineno="13">
<summary>
Search bugzilla directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bugzilla_dontaudit_rw_stream_sockets" lineno="33">
<summary>
Do not audit attempts to read and
write bugzilla script unix domain
stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bugzilla_admin" lineno="58">
<summary>
All of the rules required to
administrate a bugzilla environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_bugzilla_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="cachefilesd" filename="policy/modules/services/cachefilesd.if">
<summary>CacheFiles user-space management daemon.</summary>
<interface name="cachefilesd_admin" lineno="20">
<summary>
All of the rules required to
administrate a cachefilesd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="callweaver" filename="policy/modules/services/callweaver.if">
<summary>PBX software.</summary>
<interface name="callweaver_exec" lineno="13">
<summary>
Execute callweaver in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="callweaver_stream_connect" lineno="33">
<summary>
Connect to callweaver over a
unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="callweaver_admin" lineno="59">
<summary>
All of the rules required to
administrate a callweaver environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="canna" filename="policy/modules/services/canna.if">
<summary>Kana-kanji conversion server.</summary>
<interface name="canna_stream_connect" lineno="14">
<summary>
Connect to Canna using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="canna_admin" lineno="40">
<summary>
All of the rules required to
administrate a canna environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ccs" filename="policy/modules/services/ccs.if">
<summary>Cluster Configuration System.</summary>
<interface name="ccs_domtrans" lineno="13">
<summary>
Execute a domain transition to run ccs.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ccs_stream_connect" lineno="32">
<summary>
Connect to ccs over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_read_config" lineno="51">
<summary>
Read cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_manage_config" lineno="71">
<summary>
Create, read, write, and delete
cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_admin" lineno="98">
<summary>
All of the rules required to
administrate a ccs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="certbot" filename="policy/modules/services/certbot.if">
<summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
<interface name="certbot_domtrans" lineno="14">
<summary>
Execute certbot/letsencrypt in the certbot
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certbot_run" lineno="39">
<summary>
Execute certbot/letsencrypt in the certbot
domain, and allow the specified role
the certbot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="certbot_acmesh" dftval="false">
<desc>
<p>
Determine whether additional rules
should be enabled to support acme.sh
</p>
</desc>
</tunable>
</module>
<module name="certmaster" filename="policy/modules/services/certmaster.if">
<summary>Remote certificate distribution framework.</summary>
<interface name="certmaster_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmaster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmaster_exec" lineno="32">
<summary>
Execute certmaster in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_read_log" lineno="51">
<summary>
Read certmaster logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_append_log" lineno="70">
<summary>
Append certmaster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_manage_log" lineno="90">
<summary>
Create, read, write, and delete
certmaster log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_admin" lineno="117">
<summary>
All of the rules required to
administrate a certmaster environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="certmonger" filename="policy/modules/services/certmonger.if">
<summary>Certificate status monitor and PKI enrollment client.</summary>
<interface name="certmonger_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmonger.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmonger_dbus_chat" lineno="33">
<summary>
Send and receive messages from
certmonger over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_initrc_domtrans" lineno="54">
<summary>
Execute certmonger server in
the certmonger domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmonger_read_pid_files" lineno="72">
<summary>
Read certmonger PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_search_lib" lineno="86">
<summary>
Search certmonger lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_read_lib_files" lineno="105">
<summary>
Read certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_manage_lib_files" lineno="125">
<summary>
Create, read, write, and delete
certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_admin" lineno="151">
<summary>
All of the rules required to
administrate a certmonger environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cgmanager" filename="policy/modules/services/cgmanager.if">
<summary>Control Group manager daemon.</summary>
<interface name="cgmanager_stream_connect" lineno="14">
<summary>
Connect to cgmanager with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cgroup" filename="policy/modules/services/cgroup.if">
<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
<interface name="cgroup_domtrans_cgclear" lineno="14">
<summary>
Execute a domain transition to run
CG Clear.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_domtrans_cgconfig" lineno="34">
<summary>
Execute a domain transition to run
CG config parser.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgconfig" lineno="54">
<summary>
Execute CG config init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_domtrans_cgred" lineno="73">
<summary>
Execute a domain transition to run
CG rules engine daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgred" lineno="94">
<summary>
Execute CG rules engine daemon init
scripts in the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_run_cgclear" lineno="121">
<summary>
Execute a domain transition to
run CG Clear and allow the
specified role the CG Clear
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cgroup_stream_connect_cgred" lineno="141">
<summary>
Connect to CG rules engine daemon
over unix stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cgroup_admin" lineno="167">
<summary>
All of the rules required to administrate
a cgroup environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="chronyd" filename="policy/modules/services/chronyd.if">
<summary>Chrony NTP background daemon.</summary>
<interface name="chronyd_domtrans" lineno="13">
<summary>
Execute chronyd in the chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_domtrans_cli" lineno="32">
<summary>
Execute chronyc in the chronyc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_initrc_domtrans" lineno="52">
<summary>
Execute chronyd server in the
chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_exec" lineno="70">
<summary>
Execute chronyd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_run_cli" lineno="97">
<summary>
Execute chronyc in the chronyc domain,
and allow the specified roles the
chronyc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="chronyd_read_log" lineno="116">
<summary>
Read chronyd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_config" lineno="135">
<summary>
Read chronyd config file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_rw_config" lineno="154">
<summary>
Read and write chronyd config file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_rw_shm" lineno="173">
<summary>
Read and write chronyd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_stream_connect" lineno="196">
<summary>
Connect to chronyd using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_dgram_send" lineno="216">
<summary>
Send to chronyd using a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_key_files" lineno="235">
<summary>
Read chronyd key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_enabledisable" lineno="254">
<summary>
Allow specified domain to enable and disable chronyd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_startstop" lineno="273">
<summary>
Allow specified domain to start and stop chronyd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_status" lineno="292">
<summary>
Allow specified domain to get status of chronyd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_dgram_send_cli" lineno="312">
<summary>
Send to chronyd command line interface using a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_admin" lineno="338">
<summary>
All of the rules required to
administrate a chronyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cipe" filename="policy/modules/services/cipe.if">
<summary>Encrypted tunnel daemon.</summary>
<interface name="cipe_admin" lineno="20">
<summary>
All of the rules required to
administrate a cipe environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="clamav" filename="policy/modules/services/clamav.if">
<summary>ClamAV Virus Scanner.</summary>
<interface name="clamav_domtrans" lineno="13">
<summary>
Execute a domain transition to run clamd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_run" lineno="39">
<summary>
Execute clamd programs in the clamd
domain and allow the specified role
the clamd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="clamav_stream_connect" lineno="59">
<summary>
Connect to clamd using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_append_log" lineno="80">
<summary>
Append clamav log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_manage_pid_content" lineno="101">
<summary>
Create, read, write, and delete
clamav pid content.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_config" lineno="115">
<summary>
Read clamav configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_search_lib" lineno="134">
<summary>
Search clamav library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_domtrans_clamscan" lineno="153">
<summary>
Execute a domain transition to run clamscan.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_exec_clamscan" lineno="172">
<summary>
Execute clamscan in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_state_clamd" lineno="191">
<summary>
Read clamd process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_signatures" lineno="219">
<summary>
Read clam virus signature files
</summary>
<desc>
<p>
Useful for when using things like 'sigtool'
which provides useful information about
ClamAV signature files.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_scannable_files" lineno="240">
<summary>
Denote a particular type to be scanned by ClamAV
</summary>
<param name="domain">
<summary>
Type that clamd_t and clamscan_t can read.
</summary>
</param>
</interface>
<interface name="clamav_domtrans_freshclam" lineno="258">
<summary>
Execute a domain transition to run freshclam.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_run_freshclam" lineno="284">
<summary>
Execute freshclam in the freshclam domain, and
allow the specified role the freshclam domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="clamav_exec_freshclam" lineno="303">
<summary>
Execute freshclam in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_enabledisable_clamd" lineno="322">
<summary>
Allow specified domain to enable and disable clamd units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_startstop_clamd" lineno="341">
<summary>
Allow specified domain to start and stop clamd units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_status_clamd" lineno="360">
<summary>
Allow specified domain to get status of clamd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_reload_clamd" lineno="379">
<summary>
Allow specified domain to reload clamd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_admin" lineno="405">
<summary>
All of the rules required to
administrate a clamav environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="clamav_filetrans_log" lineno="444">
<summary>
specified domain creates /var/log/clamav/freshclam.log with correct type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_filetrans_runtime_dir" lineno="462">
<summary>
specified domain creates /run/clamav with correct type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="clamav_read_user_content_files_clamscan" dftval="false">
<desc>
<p>
Determine whether clamscan can
read user content files.
</p>
</desc>
</tunable>
<tunable name="clamav_read_all_non_security_files_clamscan" dftval="false">
<desc>
<p>
Determine whether clamscan can read
all non-security files.
</p>
</desc>
</tunable>
<tunable name="clamd_use_jit" dftval="false">
<desc>
<p>
Determine whether clamd can use the JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="clockspeed" filename="policy/modules/services/clockspeed.if">
<summary>Clock speed measurement and manipulation.</summary>
<interface name="clockspeed_domtrans_cli" lineno="14">
<summary>
Execute clockspeed utilities in
the clockspeed_cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clockspeed_run_cli" lineno="41">
<summary>
Execute clockspeed utilities in the
clockspeed cli domain, and allow the
specified role the clockspeed cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="clogd" filename="policy/modules/services/clogd.if">
<summary>Clustered Mirror Log Server.</summary>
<interface name="clogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run clogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clogd_rw_semaphores" lineno="32">
<summary>
Read and write clogd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clogd_rw_shm" lineno="50">
<summary>
Read and write clogd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cmirrord" filename="policy/modules/services/cmirrord.if">
<summary>Cluster mirror log daemon.</summary>
<interface name="cmirrord_domtrans" lineno="14">
<summary>
Execute a domain transition to
run cmirrord.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cmirrord_initrc_domtrans" lineno="34">
<summary>
Execute cmirrord server in the
cmirrord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cmirrord_read_pid_files" lineno="52">
<summary>
Read cmirrord PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cmirrord_rw_shm" lineno="66">
<summary>
Read and write cmirrord shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cmirrord_admin" lineno="96">
<summary>
All of the rules required to
administrate a cmirrord environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cobbler" filename="policy/modules/services/cobbler.if">
<summary>Cobbler installation server.</summary>
<interface name="cobblerd_domtrans" lineno="13">
<summary>
Execute a domain transition to run cobblerd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobblerd_initrc_domtrans" lineno="33">
<summary>
Execute cobblerd init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobbler_read_config" lineno="51">
<summary>
Read cobbler configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_dontaudit_rw_log" lineno="71">
<summary>
Do not audit attempts to read and write
cobbler log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cobbler_search_lib" lineno="89">
<summary>
Search cobbler lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_read_lib_files" lineno="108">
<summary>
Read cobbler lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_manage_lib_files" lineno="128">
<summary>
Create, read, write, and delete
cobbler lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_admin" lineno="154">
<summary>
All of the rules required to
administrate a cobbler environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cobbler_anon_write" dftval="false">
<desc>
<p>
Determine whether Cobbler can modify
public files used for public file
transfer services.
</p>
</desc>
</tunable>
<tunable name="cobbler_can_network_connect" dftval="false">
<desc>
<p>
Determine whether Cobbler can connect
to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_cifs" dftval="false">
<desc>
<p>
Determine whether Cobbler can access
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_nfs" dftval="false">
<desc>
<p>
Determine whether Cobbler can access
nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="cockpit" filename="policy/modules/services/cockpit.if">
<summary>policy for cockpit</summary>
<interface name="cockpit_ws_domtrans" lineno="13">
<summary>
Execute cockpit ws in the cockpit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cockpit_session_domtrans" lineno="32">
<summary>
Execute cockpit session in the cockpit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cockpit_rw_pipes" lineno="51">
<summary>
Read and write cockpit_session_t unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_manage_unix_stream_sockets" lineno="69">
<summary>
Create cockpit unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_search_lib" lineno="87">
<summary>
Search cockpit lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_read_lib_files" lineno="106">
<summary>
Read cockpit lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_manage_lib_files" lineno="125">
<summary>
Manage cockpit lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_manage_lib_dirs" lineno="144">
<summary>
Manage cockpit lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_read_pid_files" lineno="163">
<summary>
Read cockpit pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_manage_pid_dirs" lineno="182">
<summary>
Manage cockpit pid dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_manage_pid_files" lineno="200">
<summary>
Manage cockpit pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cockpit_systemctl" lineno="218">
<summary>
Execute cockpit server in the cockpit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cockpit_admin" lineno="246">
<summary>
All of the rules required to administrate
a cockpit environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="collectd" filename="policy/modules/services/collectd.if">
<summary>Statistics collection daemon for filling RRD files.</summary>
<interface name="collectd_admin" lineno="20">
<summary>
All of the rules required to
administrate a collectd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="collectd_tcp_network_connect" dftval="false">
<desc>
<p>
Determine whether collectd can connect
to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_collectd_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="colord" filename="policy/modules/services/colord.if">
<summary>GNOME color manager.</summary>
<interface name="colord_domtrans" lineno="13">
<summary>
Execute a domain transition to run colord.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="colord_dbus_chat" lineno="33">
<summary>
Send and receive messages from
colord over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="colord_read_lib_files" lineno="53">
<summary>
Read colord lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="colord_relabel_lib" lineno="72">
<summary>
relabel colord lib files and dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="comsat" filename="policy/modules/services/comsat.if">
<summary>Comsat, a biff server.</summary>
</module>
<module name="condor" filename="policy/modules/services/condor.if">
<summary>High-Throughput Computing System.</summary>
<template name="condor_domain_template" lineno="13">
<summary>
The template to define a condor domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="condor_admin" lineno="58">
<summary>
All of the rules required to
administrate a condor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="condor_tcp_network_connect" dftval="false">
<desc>
<p>
Determine whether Condor can connect
to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="consolesetup" filename="policy/modules/services/consolesetup.if">
<summary>console font and keymap setup program for debian</summary>
<interface name="consolesetup_domtrans" lineno="13">
<summary>
Execute console-setup in the consolesetup domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="consolesetup_read_conf" lineno="33">
<summary>
Read console-setup configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="consolesetup_exec_conf" lineno="55">
<summary>
Execute console-setup configuration files
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolesetup_manage_runtime" lineno="76">
<summary>
Allow the caller to manage
consolesetup_runtime_t files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="consolesetup_pid_filetrans_runtime" lineno="98">
<summary>
Create a console-setup directory in
the runtime directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="consolesetup_runtime_filetrans_runtime_dir" lineno="115">
<summary>
Create a console-setup directory in
the runtime directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="corosync" filename="policy/modules/services/corosync.if">
<summary>Corosync Cluster Engine.</summary>
<interface name="corosync_domtrans" lineno="13">
<summary>
Execute a domain transition to run corosync.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_initrc_domtrans" lineno="33">
<summary>
Execute corosync init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_exec" lineno="51">
<summary>
Execute corosync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_read_log" lineno="70">
<summary>
Read corosync log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_stream_connect" lineno="91">
<summary>
Connect to corosync over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_mmap_rw_tmpfs" lineno="110">
<summary>
Memmap, read and write corosync tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_rw_tmpfs" lineno="129">
<summary>
Read and write corosync tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_read_state" lineno="148">
<summary>
Read process state of corosync.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_admin" lineno="173">
<summary>
All of the rules required to
administrate a corosync environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="couchdb" filename="policy/modules/services/couchdb.if">
<summary>Document database server.</summary>
<interface name="couchdb_read_log_files" lineno="13">
<summary>
Read couchdb log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_manage_lib_files" lineno="32">
<summary>
Read, write, and create couchdb lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_conf_files" lineno="51">
<summary>
Read couchdb config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_pid_files" lineno="70">
<summary>
Read couchdb pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_runtime_files" lineno="85">
<summary>
Read couchdb runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_admin" lineno="111">
<summary>
All of the rules required to
administrate a couchdb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="courier" filename="policy/modules/services/courier.if">
<summary>Courier IMAP and POP3 email servers.</summary>
<template name="courier_domain_template" lineno="13">
<summary>
The template to define a courier domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="courier_domtrans_authdaemon" lineno="46">
<summary>
Execute the courier authentication
daemon with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="courier_stream_connect_authdaemon" lineno="66">
<summary>
Connect to courier-authdaemon over
a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_domtrans_pop" lineno="86">
<summary>
Execute the courier POP3 and IMAP
server with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="courier_read_config" lineno="105">
<summary>
Read courier config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_dirs" lineno="125">
<summary>
Create, read, write, and delete courier
spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_files" lineno="145">
<summary>
Create, read, write, and delete courier
spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_read_spool" lineno="164">
<summary>
Read courier spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_rw_spool_pipes" lineno="183">
<summary>
Read and write courier spool pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cpucontrol" filename="policy/modules/services/cpucontrol.if">
<summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
<interface name="cpucontrol_stub" lineno="13">
<summary>
CPUcontrol stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cron" filename="policy/modules/services/cron.if">
<summary>Periodic execution of scheduled commands.</summary>
<template name="cron_common_crontab_template" lineno="13">
<summary>
The template to define a crontab domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="cron_role" lineno="69">
<summary>
Role access for cron.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
stem of domain for the role.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cron_unconfined_role" lineno="150">
<summary>
Role access for unconfined cron.
Only used if cronjob_domain is set
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="cron_admin_role" lineno="231">
<summary>
Role access for admin cron.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="cron_system_entry" lineno="322">
<summary>
Make the specified program domain
accessible from the system cron jobs.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="cron_domtrans" lineno="343">
<summary>
Execute cron in the cron system domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_exec" lineno="362">
<summary>
Execute crond in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_initrc_domtrans" lineno="381">
<summary>
Execute crond server in the crond domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_use_fds" lineno="399">
<summary>
Use crond file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_sigchld" lineno="417">
<summary>
Send child terminated signals to crond.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_setattr_log_files" lineno="435">
<summary>
Set the attributes of cron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_create_log_files" lineno="453">
<summary>
Create cron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_write_log_files" lineno="471">
<summary>
Write to cron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_log_files" lineno="490">
<summary>
Create, read, write and delete
cron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_generic_log_filetrans_log" lineno="521">
<summary>
Create specified objects in generic
log directories with the cron log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="cron_read_pipes" lineno="539">
<summary>
Read cron daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_pipes" lineno="558">
<summary>
Do not audit attempts to write
cron daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_rw_pipes" lineno="576">
<summary>
Read and write crond unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_tcp_sockets" lineno="594">
<summary>
Read and write crond TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_rw_tcp_sockets" lineno="613">
<summary>
Do not audit attempts to read and
write cron daemon TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_search_spool" lineno="631">
<summary>
Search cron spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_pid_files" lineno="651">
<summary>
Create, read, write, and delete
crond pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_anacron_domtrans_system_job" lineno="666">
<summary>
Execute anacron in the cron
system domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_use_system_job_fds" lineno="685">
<summary>
Use system cron job file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_system_spool" lineno="703">
<summary>
Create, read, write, and delete the system spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_spool" lineno="722">
<summary>
Read the system spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_tmp_files" lineno="742">
<summary>
Read and write crond temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_tmp_files" lineno="760">
<summary>
Read and write inherited crond temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_lib_files" lineno="778">
<summary>
Read system cron job lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_system_job_lib_files" lineno="798">
<summary>
Create, read, write, and delete
system cron job lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_write_system_job_pipes" lineno="817">
<summary>
Write system cron job unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_pipes" lineno="836">
<summary>
Read and write system cron job
unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_stream_sockets" lineno="855">
<summary>
Read and write inherited system cron
job unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_tmp_files" lineno="873">
<summary>
Read system cron job temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_tmp_files" lineno="893">
<summary>
Read/write system cron job temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="914">
<summary>
Do not audit attempts to append temporary
system cron job files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_append_system_job_tmp_files" lineno="932">
<summary>
Allow appending to temporary system cron job files.
</summary>
<param name="domain">
<summary>
Domain to allow.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_system_job_tmp_files" lineno="950">
<summary>
Read and write to inherited system cron job temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="969">
<summary>
Do not audit attempts to write temporary
system cron job files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_exec_crontab" lineno="988">
<summary>
Execute crontab in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cron_admin" lineno="1014">
<summary>
All of the rules required to
administrate a cron environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cron_can_relabel" dftval="false">
<desc>
<p>
Determine whether system cron jobs
can relabel filesystem for
restoring file contexts.
</p>
</desc>
</tunable>
<tunable name="cron_userdomain_transition" dftval="true">
<desc>
<p>
Determine whether crond can execute jobs
in the user domain as opposed to
the generic cronjob domain.
</p>
</desc>
</tunable>
<tunable name="fcron_crond" dftval="false">
<desc>
<p>
Determine whether extra rules
should be enabled to support fcron.
</p>
</desc>
</tunable>
<tunable name="cron_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the cron domains read access to generic user content.
</p>
</desc>
</tunable>
<tunable name="cron_read_all_user_content" dftval="false">
<desc>
<p>
Grant the cron domains read access to all user content.
</p>
</desc>
</tunable>
<tunable name="cron_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the cron domains manage rights on generic user content.
</p>
</desc>
</tunable>
<tunable name="cron_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the cron domains manage rights on all user content.
</p>
</desc>
</tunable>
</module>
<module name="ctdb" filename="policy/modules/services/ctdb.if">
<summary>Clustered Database based on Samba Trivial Database.</summary>
<interface name="ctdbd_manage_lib_files" lineno="14">
<summary>
Create, read, write, and delete
ctdbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_stream_connect" lineno="34">
<summary>
Connect to ctdbd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdb_admin" lineno="60">
<summary>
All of the rules required to
administrate a ctdb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cups" filename="policy/modules/services/cups.if">
<summary>Common UNIX printing system.</summary>
<interface name="cups_backend" lineno="19">
<summary>
Create a domain which can be
started by cupsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="cups_domtrans" lineno="46">
<summary>
Execute cups in the cups domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_stream_connect" lineno="66">
<summary>
Connect to cupsd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat" lineno="87">
<summary>
Send and receive messages from
cups over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_pid_files" lineno="107">
<summary>
Read cups PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_runtime_files" lineno="122">
<summary>
Read cups runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_domtrans_config" lineno="142">
<summary>
Execute cups_config in the
cups config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_signal_config" lineno="162">
<summary>
Send generic signals to the cups
configuration daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat_config" lineno="181">
<summary>
Send and receive messages from
cupsd_config over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_config" lineno="202">
<summary>
Read cups configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_rw_config" lineno="222">
<summary>
Read cups-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_log" lineno="242">
<summary>
Read cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_append_log" lineno="261">
<summary>
Append cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_write_log" lineno="280">
<summary>
Write cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_stream_connect_ptal" lineno="300">
<summary>
Connect to ptal over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_state" lineno="319">
<summary>
Read the process state (/proc/pid) of cupsd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_domtrans_hplip" lineno="341">
<summary>
Execute HP Linux Imaging and
Printing applications in their
own domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_admin" lineno="367">
<summary>
All of the rules required to
administrate a cups environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cups_legacy_ldso" dftval="false">
<desc>
<p>
Allows legacy ld_so for old printer filters.
</p>
</desc>
</tunable>
</module>
<module name="cvs" filename="policy/modules/services/cvs.if">
<summary>Concurrent versions system.</summary>
<interface name="cvs_read_data" lineno="13">
<summary>
Read CVS data and metadata content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_exec" lineno="33">
<summary>
Execute cvs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_admin" lineno="59">
<summary>
All of the rules required to
administrate a cvs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_cvs_read_shadow" dftval="false">
<desc>
<p>
Determine whether cvs can read shadow
password files.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_cvs_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="cyphesis" filename="policy/modules/services/cyphesis.if">
<summary>Cyphesis WorldForge game server.</summary>
<interface name="cyphesis_domtrans" lineno="13">
<summary>
Execute a domain transition to run cyphesis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cyphesis_admin" lineno="39">
<summary>
All of the rules required to
administrate a cyphesis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cyrus" filename="policy/modules/services/cyrus.if">
<summary>Cyrus is an IMAP service intended to be run on sealed servers.</summary>
<interface name="cyrus_manage_data" lineno="14">
<summary>
Create, read, write, and delete
cyrus data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_stream_connect" lineno="34">
<summary>
Connect to Cyrus using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_admin" lineno="60">
<summary>
All of the rules required to
administrate a cyrus environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dante" filename="policy/modules/services/dante.if">
<summary>Dante msproxy and socks4/5 proxy server.</summary>
<interface name="dante_admin" lineno="20">
<summary>
All of the rules required to
administrate a dante environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dbskk" filename="policy/modules/services/dbskk.if">
<summary>Dictionary server for the SKK Japanese input method system.</summary>
</module>
<module name="dbus" filename="policy/modules/services/dbus.if">
<summary>Desktop messaging bus.</summary>
<interface name="dbus_stub" lineno="13">
<summary>
DBUS stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_exec" lineno="30">
<summary>
Execute dbus in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="dbus_role_template" lineno="60">
<summary>
Role access for dbus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="dbus_system_bus_client" lineno="150">
<summary>
Template for creating connections to
the system bus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_connect_all_session_bus" lineno="184">
<summary>
Acquire service on all DBUS
session busses.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_connect_spec_session_bus" lineno="210">
<summary>
Acquire service on specified
DBUS session bus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_all_session_bus_client" lineno="230">
<summary>
Creating connections to all
DBUS session busses.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_spec_session_bus_client" lineno="262">
<summary>
Creating connections to specified
DBUS session bus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_all_session_bus" lineno="289">
<summary>
Send messages to all DBUS
session busses.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_spec_session_bus" lineno="315">
<summary>
Send messages to specified
DBUS session busses.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_config" lineno="334">
<summary>
Read dbus configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_lib_files" lineno="353">
<summary>
Read system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_relabel_lib_dirs" lineno="373">
<summary>
Relabel system dbus lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_manage_lib_files" lineno="393">
<summary>
Create, read, write, and delete
system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_all_session_domain" lineno="419">
<summary>
Allow an application domain to be
started by the specified session bus.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an
entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_spec_session_domain" lineno="453">
<summary>
Allow an application domain to be
started by the specified session bus.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an
entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_connect_system_bus" lineno="474">
<summary>
Acquire service on the DBUS system bus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_system_bus" lineno="493">
<summary>
Send messages to the DBUS system bus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_system_bus_unconfined" lineno="512">
<summary>
Unconfined access to DBUS system bus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_system_domain" lineno="537">
<summary>
Create a domain for processes which
can be started by the DBUS system bus.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_use_system_bus_fds" lineno="577">
<summary>
Use and inherit DBUS system bus
file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="596">
<summary>
Do not audit attempts to read and
write DBUS system bus TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_watch_system_bus_runtime_dirs" lineno="614">
<summary>
Watch system bus runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_list_system_bus_runtime" lineno="632">
<summary>
List system bus runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="650">
<summary>
Watch system bus runtime named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="668">
<summary>
Read system bus runtime named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_unconfined" lineno="686">
<summary>
Unconfined access to DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="dbus_pass_tuntap_fd" dftval="false">
<desc>
<p>
Allow dbus-daemon system bus to access /dev/net/tun
which is needed to pass tun/tap device file descriptors
over D-Bus.  This is needed by openvpn3-linux.
</p>
</desc>
</tunable>
</module>
<module name="dcc" filename="policy/modules/services/dcc.if">
<summary>Distributed checksum clearinghouse spam filtering.</summary>
<interface name="dcc_domtrans_cdcc" lineno="13">
<summary>
Execute cdcc in the cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_run_cdcc" lineno="40">
<summary>
Execute cdcc in the cdcc domain, and
allow the specified role the
cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_client" lineno="60">
<summary>
Execute dcc client in the dcc
client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_signal_client" lineno="79">
<summary>
Send generic signals to dcc client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_run_client" lineno="105">
<summary>
Execute dcc client in the dcc
client domain, and allow the
specified role the dcc client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_dbclean" lineno="124">
<summary>
Execute dbclean in the dcc dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_run_dbclean" lineno="151">
<summary>
Execute dbclean in the dcc dbclean
domain, and allow the specified
role the dcc dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_stream_connect_dccifd" lineno="171">
<summary>
Connect to dccifd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ddclient" filename="policy/modules/services/ddclient.if">
<summary>Update dynamic IP address at DynDNS.org.</summary>
<interface name="ddclient_domtrans" lineno="13">
<summary>
Execute ddclient in the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ddclient_run" lineno="40">
<summary>
Execute ddclient in the ddclient
domain, and allow the specified
role the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ddclient_admin" lineno="66">
<summary>
All of the rules required to
administrate a ddclient environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="denyhosts" filename="policy/modules/services/denyhosts.if">
<summary>SSH dictionary attack mitigation.</summary>
<interface name="denyhosts_domtrans" lineno="13">
<summary>
Execute a domain transition to run denyhosts.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="denyhosts_initrc_domtrans" lineno="33">
<summary>
Execute denyhost server in the
denyhost domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="denyhosts_admin" lineno="57">
<summary>
All of the rules required to
administrate a denyhosts environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="devicekit" filename="policy/modules/services/devicekit.if">
<summary>Devicekit modular hardware abstraction layer.</summary>
<interface name="devicekit_domtrans" lineno="13">
<summary>
Execute a domain transition to run devicekit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="devicekit_dgram_send" lineno="33">
<summary>
Send to devicekit over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat" lineno="53">
<summary>
Send and receive messages from
devicekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_disk" lineno="74">
<summary>
Send and receive messages from
devicekit disk over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_signal_power" lineno="94">
<summary>
Send generic signals to devicekit power.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_power" lineno="113">
<summary>
Send and receive messages from
devicekit power over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_use_fds_power" lineno="134">
<summary>
Use and inherit devicekit power
file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_append_inherited_log_files" lineno="152">
<summary>
Append inherited devicekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_manage_log_files" lineno="174">
<summary>
Create, read, write, and delete
devicekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_relabel_log_files" lineno="193">
<summary>
Relabel devicekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_read_pid_files" lineno="212">
<summary>
Read devicekit PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_manage_pid_files" lineno="228">
<summary>
Create, read, write, and delete
devicekit PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_read_runtime_files" lineno="243">
<summary>
Read devicekit runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_manage_runtime_files" lineno="263">
<summary>
Create, read, write, and delete
devicekit runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_admin" lineno="289">
<summary>
All of the rules required to
administrate a devicekit environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dhcp" filename="policy/modules/services/dhcp.if">
<summary>Dynamic host configuration protocol server.</summary>
<interface name="dhcpd_domtrans" lineno="13">
<summary>
Execute a domain transition to run dhcpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dhcpd_setattr_state_files" lineno="33">
<summary>
Set attributes of dhcpd server
state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dhcpd_initrc_domtrans" lineno="53">
<summary>
Execute dhcp server in the dhcp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dhcpd_admin" lineno="78">
<summary>
All of the rules required to
administrate a dhcpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="dhcpd_use_ldap" dftval="false">
<desc>
<p>
Determine whether DHCP daemon
can use LDAP backends.
</p>
</desc>
</tunable>
</module>
<module name="dictd" filename="policy/modules/services/dictd.if">
<summary>Dictionary daemon.</summary>
<interface name="dictd_admin" lineno="20">
<summary>
All of the rules required to
administrate a dictd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dirmngr" filename="policy/modules/services/dirmngr.if">
<summary>Server for managing and downloading certificate revocation lists.</summary>
<interface name="dirmngr_role" lineno="18">
<summary>
Role access for dirmngr.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="dirmngr_unlink_tmp_sock" lineno="47">
<summary>
Unlink dirmngr_tmp_t sock_file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirmngr_domtrans" lineno="65">
<summary>
Execute dirmngr in the dirmngr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dirmngr_exec" lineno="84">
<summary>
Execute the dirmngr in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirmngr_stream_connect" lineno="103">
<summary>
Connect to dirmngr socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirmngr_tmp_dir_search" lineno="125">
<summary>
Search dirmngr_tmp_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirmngr_admin" lineno="150">
<summary>
All of the rules required to
administrate a dirmngr environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="distcc" filename="policy/modules/services/distcc.if">
<summary>Distributed compiler daemon.</summary>
<interface name="distcc_admin" lineno="20">
<summary>
All of the rules required to
administrate a distcc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="djbdns" filename="policy/modules/services/djbdns.if">
<summary>Small and secure DNS daemon.</summary>
<template name="djbdns_daemontools_domain_template" lineno="13">
<summary>
The template to define a djbdns domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="djbdns_search_tinydns_keys" lineno="54">
<summary>
Search djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="djbdns_link_tinydns_keys" lineno="72">
<summary>
Link djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dkim" filename="policy/modules/services/dkim.if">
<summary>DomainKeys Identified Mail milter.</summary>
<interface name="dkim_stream_connect" lineno="13">
<summary>
Allow a domain to talk to dkim via a Unix domain socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dkim_admin" lineno="38">
<summary>
All of the rules required to
administrate a dkim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dnsmasq" filename="policy/modules/services/dnsmasq.if">
<summary>DNS forwarder and DHCP server.</summary>
<interface name="dnsmasq_domtrans" lineno="14">
<summary>
Execute dnsmasq server in the dnsmasq domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnsmasq_initrc_domtrans" lineno="35">
<summary>
Execute the dnsmasq init script in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnsmasq_signal" lineno="54">
<summary>
Send generic signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_signull" lineno="73">
<summary>
Send null signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_kill" lineno="92">
<summary>
Send kill signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_config" lineno="110">
<summary>
Read dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_write_config" lineno="129">
<summary>
Write dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_delete_pid_files" lineno="149">
<summary>
Delete dnsmasq pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_manage_pid_files" lineno="165">
<summary>
Create, read, write, and delete
dnsmasq pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_pid_files" lineno="181">
<summary>
Read dnsmasq pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_create_pid_dirs" lineno="196">
<summary>
Create dnsmasq pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_spec_filetrans_pid" lineno="228">
<summary>
Create specified objects in specified
directories with a type transition to
the dnsmasq pid file type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Directory to transition on.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="dnsmasq_create_runtime_dirs" lineno="243">
<summary>
Create dnsmasq runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_virt_runtime_filetrans_runtime" lineno="274">
<summary>
Create specified objects in specified
directories with a type transition to
the dnsmasq runtime file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_runtime_files" lineno="293">
<summary>
Read dnsmasq runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_delete_runtime_files" lineno="312">
<summary>
Delete dnsmasq runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_manage_runtime_files" lineno="331">
<summary>
Create, read, write, and delete
dnsmasq runtime files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_admin" lineno="357">
<summary>
All of the rules required to
administrate a dnsmasq environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dovecot" filename="policy/modules/services/dovecot.if">
<summary>POP and IMAP mail server.</summary>
<interface name="dovecot_stream_connect" lineno="14">
<summary>
Connect to dovecot using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<!--
  NOTE(review): this summary is word-for-word the same as the one on
  dovecot_stream_connect. The "_auth" suffix suggests a separate
  authentication socket is meant; confirm against dovecot.if (lineno 35)
  before relying on this text to tell the two interfaces apart.
-->
<interface name="dovecot_stream_connect_auth" lineno="35">
<summary>
Connect to dovecot using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dovecot_domtrans_deliver" lineno="55">
<summary>
Execute dovecot_deliver in the
dovecot_deliver domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dovecot_read_config" lineno="75">
<summary>
Read dovecot configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dovecot_manage_spool" lineno="97">
<summary>
Create, read, write, and delete
dovecot spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_dontaudit_unlink_lib_files" lineno="119">
<summary>
Do not audit attempts to delete
dovecot lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<!--
  NOTE(review): the summary describes a grant (write access to inherited
  dovecot tmp files), yet the parameter text reads "Domain to not audit.",
  the wording the dontaudit interfaces in this file use. This looks like a
  copy-paste slip for "Domain allowed access."; confirm in dovecot.if
  (lineno 137) whether the interface allows or merely silences the access.
-->
<interface name="dovecot_write_inherited_tmp_files" lineno="137">
<summary>
Write inherited dovecot tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dovecot_admin" lineno="162">
<summary>
All of the rules required to
administrate a dovecot environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="dovecot_can_connect_db" dftval="false">
<desc>
<p>
Determine whether dovecot can connect to
databases.
</p>
</desc>
</tunable>
</module>
<module name="drbd" filename="policy/modules/services/drbd.if">
<summary>Mirrors a block device over the network to another machine.</summary>
<interface name="drbd_domtrans" lineno="14">
<summary>
Execute a domain transition to
run drbd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="drbd_admin" lineno="40">
<summary>
All of the rules required to
administrate a drbd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dspam" filename="policy/modules/services/dspam.if">
<summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
<interface name="dspam_domtrans" lineno="13">
<summary>
Execute a domain transition to run dspam.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_stream_connect" lineno="33">
<summary>
Connect to dspam using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_admin" lineno="60">
<summary>
All of the rules required to
administrate a dspam environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<!--
  Security note: this boolean gives a web script domain write access to
  shared public content. Per the description, the grant only reaches
  objects labeled public_content_rw_t, so that label is the effective
  boundary; review what carries it before enabling. Default is false.
-->
<tunable name="allow_httpd_dspam_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="entropyd" filename="policy/modules/services/entropyd.if">
<summary>Generate entropy from audio input.</summary>
<interface name="entropyd_admin" lineno="20">
<summary>
All of the rules required to
administrate an entropyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="entropyd_use_audio" dftval="false">
<desc>
<p>
Determine whether entropyd can use
audio devices as the source for
the entropy feeds.
</p>
</desc>
</tunable>
</module>
<module name="exim" filename="policy/modules/services/exim.if">
<summary>Mail transfer agent.</summary>
<interface name="exim_exec" lineno="13">
<summary>
Execute exim in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_domtrans" lineno="32">
<summary>
Execute a domain transition to run exim.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="exim_run" lineno="59">
<summary>
Execute exim in the exim domain,
and allow the specified role
the exim domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_dontaudit_read_tmp_files" lineno="79">
<summary>
Do not audit attempts to read exim
temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="exim_read_tmp_files" lineno="97">
<summary>
Read exim temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_pid_files" lineno="116">
<summary>
Read exim pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_log" lineno="131">
<summary>
Read exim log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_append_log" lineno="150">
<summary>
Append exim log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_log" lineno="171">
<summary>
Create, read, write, and delete
exim log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_manage_spool_dirs" lineno="191">
<summary>
Create, read, write, and delete
exim spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_spool_files" lineno="210">
<summary>
Read exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_spool_files" lineno="231">
<summary>
Create, read, write, and delete
exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_var_lib_files" lineno="250">
<summary>
Read exim var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_var_lib_files" lineno="269">
<summary>
Create, read, and write exim var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_admin" lineno="295">
<summary>
All of the rules required to
administrate an exim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="exim_can_connect_db" dftval="false">
<desc>
<p>
Determine whether exim can connect to
databases.
</p>
</desc>
</tunable>
<tunable name="exim_read_user_files" dftval="false">
<desc>
<p>
Determine whether exim can read generic
user content files.
</p>
</desc>
</tunable>
<!--
  Security note: the broader of the two exim user-content tunables in this
  module. It covers create, read, write and delete on generic user content
  files, whereas exim_read_user_files covers read only. Default is false;
  enable the narrower boolean when it is sufficient.
-->
<tunable name="exim_manage_user_files" dftval="false">
<desc>
<p>
Determine whether exim can create,
read, write, and delete generic user
content files.
</p>
</desc>
</tunable>
</module>
<module name="fail2ban" filename="policy/modules/services/fail2ban.if">
<summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
<interface name="fail2ban_domtrans" lineno="13">
<summary>
Execute a domain transition to run fail2ban.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fail2ban_domtrans_client" lineno="33">
<summary>
Execute the fail2ban client in
the fail2ban client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fail2ban_run_client" lineno="60">
<summary>
Execute fail2ban client in the
fail2ban client domain, and allow
the specified role the fail2ban
client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_stream_connect" lineno="80">
<summary>
Connect to fail2ban over a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_rw_inherited_tmp_files" lineno="99">
<summary>
Read and write inherited temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_use_fds" lineno="119">
<summary>
Do not audit attempts to use
fail2ban file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_rw_stream_sockets" lineno="138">
<summary>
Do not audit attempts to read and
write fail2ban unix stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fail2ban_rw_stream_sockets" lineno="157">
<summary>
Read and write fail2ban unix
stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_lib_files" lineno="175">
<summary>
Read fail2ban lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_log" lineno="195">
<summary>
Read fail2ban log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fail2ban_append_log" lineno="214">
<summary>
Append fail2ban log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_pid_files" lineno="233">
<summary>
Read fail2ban pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_admin" lineno="254">
<summary>
All of the rules required to
administrate a fail2ban environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fcoe" filename="policy/modules/services/fcoe.if">
<summary>Fibre Channel over Ethernet utilities.</summary>
<interface name="fcoe_dgram_send_fcoemon" lineno="13">
<summary>
Send to fcoemon with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fcoe_admin" lineno="39">
<summary>
All of the rules required to
administrate an fcoemon environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fetchmail" filename="policy/modules/services/fetchmail.if">
<summary>Remote-mail retrieval and forwarding utility.</summary>
<interface name="fetchmail_admin" lineno="20">
<summary>
All of the rules required to
administrate a fetchmail environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="finger" filename="policy/modules/services/finger.if">
<summary>Finger user information service.</summary>
<interface name="finger_domtrans" lineno="13">
<summary>
Execute fingerd in the fingerd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="firewalld" filename="policy/modules/services/firewalld.if">
<summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
<interface name="firewalld_read_config_files" lineno="13">
<summary>
Read firewalld configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_dbus_chat" lineno="33">
<summary>
Send and receive messages from
firewalld over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_dontaudit_rw_tmp_files" lineno="54">
<summary>
Do not audit attempts to read and
write firewalld temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firewalld_read_var_run_files" lineno="72">
<summary>
Read firewalld runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_admin" lineno="98">
<summary>
All of the rules required to
administrate a firewalld environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fprintd" filename="policy/modules/services/fprintd.if">
<summary>DBus fingerprint reader service.</summary>
<interface name="fprintd_domtrans" lineno="13">
<summary>
Execute a domain transition to run fprintd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fprintd_dbus_chat" lineno="33">
<summary>
Send and receive messages from
fprintd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ftp" filename="policy/modules/services/ftp.if">
<summary>File transfer protocol service.</summary>
<interface name="ftp_dyntrans_anon_sftpd" lineno="13">
<summary>
Execute a dyntransition to run anon sftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_read_config" lineno="31">
<summary>
Read ftpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_check_exec" lineno="50">
<summary>
Execute FTP daemon entry point programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_read_log" lineno="69">
<summary>
Read ftpd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_domtrans_ftpdctl" lineno="88">
<summary>
Execute the ftpdctl in the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_run_ftpdctl" lineno="115">
<summary>
Execute the ftpdctl in the ftpdctl
domain, and allow the specified
role the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ftp_dyntrans_sftpd" lineno="134">
<summary>
Execute a dyntransition to run sftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_admin" lineno="159">
<summary>
All of the rules required to
administrate an ftp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ftp_filetrans_pure_ftpd_runtime" lineno="203">
<summary>
Create /run/pure-ftpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<!--
  Security note: per the description, write access is limited to objects
  labeled public_content_rw_t, so that label (not this boolean alone)
  decides what ftpd may modify. Audit which paths carry the label before
  enabling. Default is false.
-->
<tunable name="allow_ftpd_anon_write" dftval="false">
<desc>
<p>
Determine whether ftpd can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<!--
  Security note: the widest ftpd boolean in this module. As described,
  once enabled the daemon's file access is bounded by DAC permissions
  rather than narrowed by this policy, which removes most of the
  containment SELinux gives a compromised ftpd. The exact rule set is not
  shown here; confirm it in the module's policy source. Default is false;
  `getsebool allow_ftpd_full_access` shows the live value on a host.
-->
<tunable name="allow_ftpd_full_access" dftval="false">
<desc>
<p>
Determine whether ftpd can login to
local users and can read and write
all files on the system, governed by DAC.
</p>
</desc>
</tunable>
<tunable name="allow_ftpd_use_cifs" dftval="false">
<desc>
<p>
Determine whether ftpd can use CIFS
for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="allow_ftpd_use_nfs" dftval="false">
<desc>
<p>
Determine whether ftpd can use NFS
for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="ftpd_connect_db" dftval="false">
<desc>
<p>
Determine whether ftpd can connect to
databases over the TCP network.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_passive_mode" dftval="false">
<desc>
<p>
Determine whether ftpd can bind to all
unreserved ports for passive mode.
</p>
</desc>
</tunable>
<tunable name="ftpd_connect_all_unreserved" dftval="false">
<desc>
<p>
Determine whether ftpd can connect to
all unreserved ports.
</p>
</desc>
</tunable>
<tunable name="ftp_home_dir" dftval="false">
<desc>
<p>
Determine whether ftpd can read and write
files in user home directories.
</p>
</desc>
</tunable>
<!--
  Security note: per the description, write access is limited to objects
  labeled public_content_rw_t, so that label is the effective boundary
  for what sftpd may modify. Audit which paths carry the label before
  enabling. Default is false.
-->
<tunable name="sftpd_anon_write" dftval="false">
<desc>
<p>
Determine whether sftpd can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="sftpd_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether sftpd can read and write
files in user home directories.
</p>
</desc>
</tunable>
<tunable name="sftpd_full_access" dftval="false">
<desc>
<p>
Determine whether sftpd can log in to
local users and read and write all
files on the system, governed by DAC.
</p>
</desc>
</tunable>
<tunable name="sftpd_write_ssh_home" dftval="false">
<desc>
<p>
Determine whether sftpd can read and write
files in user ssh home directories.
</p>
</desc>
</tunable>
</module>
<module name="gatekeeper" filename="policy/modules/services/gatekeeper.if">
<summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary>
<interface name="gatekeeper_admin" lineno="20">
<summary>
All of the rules required to
administrate a gatekeeper environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gdomap" filename="policy/modules/services/gdomap.if">
<summary>GNUstep distributed object mapper.</summary>
<interface name="gdomap_read_config" lineno="13">
<summary>
Read gdomap configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gdomap_admin" lineno="39">
<summary>
All of the rules required to
administrate a gdomap environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="geoclue" filename="policy/modules/services/geoclue.if">
<summary>Geoclue is a D-Bus service that provides location information.</summary>
</module>
<module name="git" filename="policy/modules/services/git.if">
<summary>GIT revision control system.</summary>
<template name="git_role" lineno="18">
<summary>
Role access for Git session.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="git_read_generic_sys_content_files" lineno="60">
<summary>
Read generic system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="git_cgi_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="git_session_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether Git session daemon
can bind TCP sockets to all
unreserved ports.
</p>
</desc>
</tunable>
<tunable name="git_session_users" dftval="false">
<desc>
<p>
Determine whether calling user domains
can execute Git daemon in the
git_session_t domain.
</p>
</desc>
</tunable>
<tunable name="git_session_send_syslog_msg" dftval="false">
<desc>
<p>
Determine whether Git session daemons
can send syslog messages.
</p>
</desc>
</tunable>
<tunable name="git_system_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_system_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_system_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_git_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="glance" filename="policy/modules/services/glance.if">
<summary>OpenStack image registry and delivery service.</summary>
<interface name="glance_domtrans_registry" lineno="14">
<summary>
Execute a domain transition to
run glance registry.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_domtrans_api" lineno="34">
<summary>
Execute a domain transition to
run glance api.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_read_log" lineno="54">
<summary>
Read glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="glance_append_log" lineno="73">
<summary>
Append glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_log" lineno="93">
<summary>
Create, read, write, and delete
glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_search_lib" lineno="114">
<summary>
Search glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_lib_files" lineno="133">
<summary>
Read glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_files" lineno="153">
<summary>
Create, read, write, and delete
glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_dirs" lineno="173">
<summary>
Create, read, write, and delete
glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_pid_files" lineno="192">
<summary>
Read glance pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_pid_files" lineno="207">
<summary>
Create, read, write, and delete
glance pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_admin" lineno="228">
<summary>
All of the rules required to
administrate a glance environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="glusterfs" filename="policy/modules/services/glusterfs.if">
<summary>Cluster File System binary, daemon and command line.</summary>
<interface name="glusterfs_admin" lineno="20">
<summary>
All of the rules required to
administrate a glusterfs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gnomeclock" filename="policy/modules/services/gnomeclock.if">
<summary>Gnome clock handler for setting the time.</summary>
<interface name="gnomeclock_domtrans" lineno="14">
<summary>
Execute a domain transition to
run gnomeclock.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnomeclock_run" lineno="40">
<summary>
Execute gnomeclock in the gnomeclock
domain, and allow the specified
role the gnomeclock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gnomeclock_dbus_chat" lineno="60">
<summary>
Send and receive messages from
gnomeclock over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnomeclock_dontaudit_dbus_chat" lineno="82">
<summary>
Do not audit attempts to send and
receive messages from gnomeclock
over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="gpm" filename="policy/modules/services/gpm.if">
<summary>General Purpose Mouse driver.</summary>
<interface name="gpm_stream_connect" lineno="14">
<summary>
Connect to GPM over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_getattr_gpmctl" lineno="34">
<summary>
Get attributes of gpm control
channel named sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_dontaudit_getattr_gpmctl" lineno="56">
<summary>
Do not audit attempts to get
attributes of gpm control channel
named sock files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gpm_setattr_gpmctl" lineno="76">
<summary>
Set attributes of gpm control
channel named sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_admin" lineno="102">
<summary>
All of the rules required to
administrate a gpm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gpsd" filename="policy/modules/services/gpsd.if">
<summary>gpsd monitor daemon.</summary>
<interface name="gpsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run gpsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gpsd_run" lineno="38">
<summary>
Execute gpsd in the gpsd domain, and
allow the specified role the gpsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gpsd_rw_shm" lineno="57">
<summary>
Read and write gpsd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpsd_admin" lineno="86">
<summary>
All of the rules required to
administrate a gpsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gssproxy" filename="policy/modules/services/gssproxy.if">
<summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
<interface name="gssproxy_domtrans" lineno="13">
<summary>
Execute gssproxy in the gssproxy domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gssproxy_search_lib" lineno="32">
<summary>
Search gssproxy lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_read_lib_files" lineno="51">
<summary>
Read gssproxy lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_manage_lib_files" lineno="70">
<summary>
Manage gssproxy lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_manage_lib_dirs" lineno="89">
<summary>
Manage gssproxy lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_read_pid_files" lineno="108">
<summary>
Read gssproxy PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_stream_connect" lineno="123">
<summary>
Connect to gssproxy over an unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_admin" lineno="145">
<summary>
All of the rules required to administrate
a gssproxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hadoop" filename="policy/modules/services/hadoop.if">
<summary>Software for reliable, scalable, distributed computing.</summary>
<template name="hadoop_domain_template" lineno="13">
<summary>
The template to define a hadoop domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="hadoop_role" lineno="107">
<summary>
Role access for hadoop.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="hadoop_domtrans" lineno="139">
<summary>
Execute hadoop in the
hadoop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom" lineno="158">
<summary>
Receive from hadoop peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_domtrans_zookeeper_client" lineno="177">
<summary>
Execute zookeeper client in the
zookeeper client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_zookeeper_client" lineno="196">
<summary>
Receive from zookeeper peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_domtrans_zookeeper_server" lineno="215">
<summary>
Execute zookeeper server in the
zookeeper server domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_zookeeper_server" lineno="234">
<summary>
Receive from zookeeper server peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="253">
<summary>
Execute zookeeper server in the
zookeeper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_datanode" lineno="271">
<summary>
Receive from datanode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_read_config" lineno="289">
<summary>
Read hadoop configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_exec_config" lineno="308">
<summary>
Execute hadoop configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_jobtracker" lineno="327">
<summary>
Receive from jobtracker peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_match_lan_spd" lineno="345">
<summary>
Match hadoop lan association.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_namenode" lineno="363">
<summary>
Receive from namenode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_secondarynamenode" lineno="381">
<summary>
Receive from secondary namenode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_tasktracker" lineno="399">
<summary>
Receive from tasktracker peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_admin" lineno="424">
<summary>
All of the rules required to
administrate a hadoop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hddtemp" filename="policy/modules/services/hddtemp.if">
<summary>Hard disk temperature tool running as a daemon.</summary>
<interface name="hddtemp_domtrans" lineno="13">
<summary>
Execute a domain transition to run hddtemp.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hddtemp_exec" lineno="32">
<summary>
Execute hddtemp in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hddtemp_admin" lineno="58">
<summary>
All of the rules required to
administrate an hddtemp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hostapd" filename="policy/modules/services/hostapd.if">
<summary>IEEE 802.11 wireless LAN Host AP daemon.</summary>
</module>
<module name="howl" filename="policy/modules/services/howl.if">
<summary>Port of Apple Rendezvous multicast DNS.</summary>
<interface name="howl_signal" lineno="13">
<summary>
Send generic signals to howl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="howl_admin" lineno="38">
<summary>
All of the rules required to
administrate a howl environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hypervkvp" filename="policy/modules/services/hypervkvp.if">
<summary>HyperV key value pair (KVP).</summary>
<interface name="hypervkvp_admin" lineno="20">
<summary>
All of the rules required to
administrate a hypervkvp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="i18n_input" filename="policy/modules/services/i18n_input.if">
<summary>IIIMF htt server.</summary>
<interface name="i18n_input_admin" lineno="20">
<summary>
All of the rules required to
administrate an i18n input environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="i18n_input_read_generic_user_content" dftval="true">
<!-- Review note: dftval="true" means this read access is granted by
     default; the boolean has to be turned off explicitly to withhold
     generic user content from the i18n_input domains. -->
<desc>
<p>
Grant the i18n_input domains read access to generic user content
</p>
</desc>
</tunable>
</module>
<module name="icecast" filename="policy/modules/services/icecast.if">
<summary>ShoutCast compatible streaming media server.</summary>
<interface name="icecast_domtrans" lineno="13">
<summary>
Execute a domain transition to run icecast.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="icecast_signal" lineno="32">
<summary>
Send generic signals to icecast.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_initrc_domtrans" lineno="50">
<summary>
Execute icecast server in the icecast domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="icecast_read_pid_files" lineno="68">
<summary>
Read icecast pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_pid_files" lineno="83">
<summary>
Create, read, write, and delete
icecast pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_read_log" lineno="103">
<summary>
Read icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="icecast_append_log" lineno="122">
<summary>
Append icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_log" lineno="142">
<summary>
Create, read, write, and delete
icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_admin" lineno="168">
<summary>
All of the rules required to
administrate an icecast environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="icecast_use_any_tcp_ports" dftval="false">
<desc>
<p>
Determine whether icecast can listen
on and connect to any TCP port.
</p>
</desc>
</tunable>
</module>
<module name="ifplugd" filename="policy/modules/services/ifplugd.if">
<summary>Bring up/down ethernet interfaces based on cable detection.</summary>
<interface name="ifplugd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ifplugd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ifplugd_signal" lineno="32">
<summary>
Send generic signals to ifplugd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_config" lineno="50">
<summary>
Read ifplugd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_manage_config" lineno="70">
<summary>
Create, read, write, and delete
ifplugd configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_pid_files" lineno="90">
<summary>
Read ifplugd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_admin" lineno="111">
<summary>
All of the rules required to
administrate an ifplugd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="imaze" filename="policy/modules/services/imaze.if">
<summary>iMaze game server.</summary>
</module>
<module name="inetd" filename="policy/modules/services/inetd.if">
<summary>Internet services daemon.</summary>
<interface name="inetd_core_service_domain" lineno="27">
<summary>
Define the specified domain as an inetd service.
</summary>
<desc>
<p>
Define the specified domain as an inetd service.  The
inetd_service_domain(), inetd_tcp_service_domain(),
or inetd_udp_service_domain() interfaces should be used
instead of this interface, as this interface only provides
the common rules to these three interfaces.
</p>
</desc>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_tcp_service_domain" lineno="57">
<summary>
Define the specified domain as a TCP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_udp_service_domain" lineno="83">
<summary>
Define the specified domain as a UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_service_domain" lineno="108">
<summary>
Define the specified domain as a TCP and UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_use_fds" lineno="133">
<summary>
Inherit and use inetd file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_domtrans_child" lineno="152">
<summary>
Run inetd child process in the
inet child domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="inetd_rw_tcp_sockets" lineno="171">
<summary>
Read and write inetd TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="inn" filename="policy/modules/services/inn.if">
<summary>Internet News NNTP server.</summary>
<interface name="inn_exec" lineno="13">
<summary>
Execute innd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_exec_config" lineno="32">
<summary>
Execute inn configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_log" lineno="52">
<summary>
Create, read, write, and delete
innd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_generic_log_filetrans_innd_log" lineno="81">
<summary>
Create specified objects in generic
log directories with the innd log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="inn_manage_pid" lineno="100">
<summary>
Create, read, write, and delete
innd pid content.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_runtime_dirs" lineno="118">
<summary>
Create, read, write, and delete
innd runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_runtime_files" lineno="138">
<summary>
Create, read, write, and delete
innd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_runtime_sockets" lineno="158">
<summary>
Create, read, write, and delete
innd runtime named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_config" lineno="178">
<summary>
Read innd configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_lib" lineno="198">
<summary>
Read innd news library content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_spool" lineno="217">
<summary>
Read innd news spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_dgram_send" lineno="237">
<summary>
Send to an innd unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_domtrans" lineno="256">
<summary>
Execute innd in the innd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="inn_admin" lineno="282">
<summary>
All of the rules required to
administrate an inn environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="iodine" filename="policy/modules/services/iodine.if">
<summary>IP over DNS tunneling daemon.</summary>
<interface name="iodine_admin" lineno="20">
<summary>
All of the rules required to
administrate an iodined environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ircd" filename="policy/modules/services/ircd.if">
<summary>IRC servers.</summary>
<interface name="ircd_admin" lineno="20">
<summary>
All of the rules required to
administrate an ircd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="irqbalance" filename="policy/modules/services/irqbalance.if">
<summary>IRQ balancing daemon.</summary>
<interface name="irqbalance_admin" lineno="20">
<summary>
All of the rules required to
administrate an irqbalance environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="isns" filename="policy/modules/services/isns.if">
<summary>Internet Storage Name Service.</summary>
<interface name="isnsd_admin" lineno="20">
<summary>
All of the rules required to
administrate an isnsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="jabber" filename="policy/modules/services/jabber.if">
<summary>Jabber instant messaging servers.</summary>
<template name="jabber_domain_template" lineno="13">
<summary>
The template to define a jabber domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="jabber_manage_lib_files" lineno="34">
<summary>
Create, read, write, and delete
jabber lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jabber_admin" lineno="60">
<summary>
All of the rules required to
administrate a jabber environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="jockey" filename="policy/modules/services/jockey.if">
<summary>Jockey driver manager.</summary>
</module>
<module name="kerberos" filename="policy/modules/services/kerberos.if">
<summary>MIT Kerberos admin and KDC.</summary>
<interface name="kerberos_exec_kadmind" lineno="13">
<summary>
Execute kadmind in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_domtrans_kpropd" lineno="32">
<summary>
Execute a domain transition to run kpropd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerberos_use" lineno="51">
<summary>
Support kerberos services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_read_config" lineno="108">
<summary>
Read kerberos configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_dontaudit_write_config" lineno="131">
<summary>
Do not audit attempts to write
kerberos configuration files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerberos_rw_config" lineno="151">
<summary>
Read and write kerberos
configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_manage_krb5_home_files" lineno="171">
<summary>
Create, read, write, and delete
kerberos home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_relabel_krb5_home_files" lineno="190">
<summary>
Relabel kerberos home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_home_filetrans_krb5_home" lineno="220">
<summary>
Create objects in user home
directories with the krb5 home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="kerberos_read_keytab" lineno="239">
<summary>
Read kerberos key table files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_rw_keytab" lineno="258">
<summary>
Read and write kerberos key table files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_manage_keytab_files" lineno="278">
<summary>
Create, read, write, and delete
kerberos key table files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_etc_filetrans_keytab" lineno="309">
<summary>
Create specified objects in generic
etc directories with the kerberos
keytab file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="kerberos_read_kdc_config" lineno="328">
<summary>
Read kerberos kdc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_manage_host_rcache" lineno="349">
<summary>
Create, read, write, and delete
kerberos host rcache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_tmp_filetrans_host_rcache" lineno="390">
<summary>
Create objects in generic temporary
directories with the kerberos host
rcache type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="kerberos_connect_524" lineno="408">
<summary>
Connect to krb524 service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_admin" lineno="437">
<summary>
All of the rules required to
administrate a kerberos environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_kerberos" dftval="false">
<desc>
<p>
Determine whether kerberos is supported.
</p>
</desc>
</tunable>
</module>
<module name="kerneloops" filename="policy/modules/services/kerneloops.if">
<summary>Service for reporting kernel oopses to kerneloops.org.</summary>
<interface name="kerneloops_domtrans" lineno="13">
<summary>
Execute a domain transition to run kerneloops.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerneloops_dbus_chat" lineno="33">
<summary>
Send and receive messages from
kerneloops over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_dontaudit_dbus_chat" lineno="55">
<summary>
Do not audit attempts to send and
receive messages from kerneloops
over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerneloops_manage_tmp_files" lineno="76">
<summary>
Create, read, write, and delete
kerneloops temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_admin" lineno="102">
<summary>
All of the rules required to
administrate a kerneloops environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="keystone" filename="policy/modules/services/keystone.if">
<summary>Python implementation of the OpenStack identity service API.</summary>
<interface name="keystone_admin" lineno="20">
<summary>
All of the rules required to
administrate a keystone environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="knot" filename="policy/modules/services/knot.if">
<summary>High-performance authoritative-only DNS server.</summary>
<interface name="knot_domtrans_client" lineno="13">
<summary>
Execute knotc in the knotc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="knot_run_client" lineno="39">
<summary>
Execute knotc in the knotc domain, and
allow the specified role the knotc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="knot_read_config_files" lineno="58">
<summary>
Read knot config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="knot_admin" lineno="84">
<summary>
All of the rules required to
administrate a knot environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ksmtuned" filename="policy/modules/services/ksmtuned.if">
<summary>Kernel Samepage Merging Tuning Daemon.</summary>
<interface name="ksmtuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run ksmtuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_initrc_domtrans" lineno="33">
<summary>
Execute ksmtuned server in
the ksmtuned domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_admin" lineno="58">
<summary>
All of the rules required to
administrate a ksmtuned environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ktalk" filename="policy/modules/services/ktalk.if">
<summary>KDE Talk daemon.</summary>
</module>
<module name="l2tp" filename="policy/modules/services/l2tp.if">
<summary>Layer 2 Tunneling Protocol.</summary>
<interface name="l2tpd_dgram_send" lineno="14">
<summary>
Send to l2tpd with a unix
domain dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_rw_socket" lineno="34">
<summary>
Read and write l2tpd sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_stream_connect" lineno="53">
<summary>
Connect to l2tpd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tp_admin" lineno="80">
<summary>
All of the rules required to
administrate an l2tp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ldap" filename="policy/modules/services/ldap.if">
<summary>OpenLDAP directory server.</summary>
<interface name="ldap_list_db" lineno="13">
<summary>
List ldap database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_read_config" lineno="33">
<summary>
Read ldap configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ldap_stream_connect" lineno="53">
<summary>
Connect to slapd over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_tcp_connect" lineno="72">
<summary>
Connect to ldap over the network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_admin" lineno="99">
<summary>
All of the rules required to
administrate an ldap environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="likewise" filename="policy/modules/services/likewise.if">
<summary>Likewise Active Directory support for UNIX.</summary>
<template name="likewise_domain_template" lineno="13">
<summary>
The template to define a likewise domain.
</summary>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used.
</summary>
</param>
</template>
<interface name="likewise_stream_connect_lsassd" lineno="71">
<summary>
Connect to lsassd with a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="likewise_admin" lineno="97">
<summary>
All of the rules required to
administrate a likewise environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="lircd" filename="policy/modules/services/lircd.if">
<summary>Linux infrared remote control daemon.</summary>
<interface name="lircd_domtrans" lineno="13">
<summary>
Execute a domain transition to run lircd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lircd_stream_connect" lineno="33">
<summary>
Connect to lircd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lircd_read_config" lineno="52">
<summary>
Read lircd etc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lircd_admin" lineno="78">
<summary>
All of the rules required to
administrate a lircd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="lldpad" filename="policy/modules/services/lldpad.if">
<summary>Intel LLDP Agent.</summary>
<interface name="lldpad_dgram_send" lineno="13">
<summary>
Send to lldpad with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lldpad_admin" lineno="39">
<summary>
All of the rules required to
administrate an lldpad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="lpd" filename="policy/modules/services/lpd.if">
<summary>Line printer daemon.</summary>
<interface name="lpd_role" lineno="18">
<summary>
Role access for lpd.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="lpd_domtrans_checkpc" lineno="58">
<summary>
Execute lpd in the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lpd_run_checkpc" lineno="85">
<summary>
Execute checkpc in the lpd
domain, and allow the specified
role the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_list_spool" lineno="104">
<summary>
List printer spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_spool" lineno="123">
<summary>
Read printer spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_manage_spool" lineno="143">
<summary>
Create, read, write, and delete
printer spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_relabel_spool" lineno="164">
<summary>
Relabel spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_config" lineno="184">
<summary>
Read printer configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_domtrans_lpr" lineno="203">
<summary>
Transition to a user lpr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lpd_run_lpr" lineno="229">
<summary>
Execute lpr in the lpr domain, and
allow the specified role the lpr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_exec_lpr" lineno="248">
<summary>
Execute lpr in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="use_lpd_server" dftval="false">
<desc>
<p>
Determine whether to support lpd server.
</p>
</desc>
</tunable>
</module>
<module name="lsm" filename="policy/modules/services/lsm.if">
<summary>Storage array management library.</summary>
<interface name="lsmd_admin" lineno="20">
<summary>
All of the rules required to administrate
an lsmd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mailman" filename="policy/modules/services/mailman.if">
<summary>Manage electronic mail discussion and e-newsletter lists.</summary>
<template name="mailman_domain_template" lineno="13">
<summary>
The template to define a mailman domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="mailman_domtrans" lineno="54">
<summary>
Execute mailman in the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_run" lineno="81">
<summary>
Execute the mailman program in the
mailman domain and allow the
specified role the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mailman_domtrans_cgi" lineno="101">
<summary>
Execute mailman CGI scripts in the
mailman CGI domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_connect_cgi" lineno="120">
<summary>
Talk to mailman_cgi_t via a Unix domain socket.
</summary>
<param name="domain">
<summary>
Domain talking to mailman
</summary>
</param>
</interface>
<interface name="mailman_manage_runtime" lineno="140">
<summary>
Manage mailman runtime files
</summary>
<param name="domain">
<summary>
Domain to manage the files
</summary>
</param>
</interface>
<interface name="mailman_read_runtime" lineno="159">
<summary>
Read mailman runtime files.
</summary>
<param name="domain">
<summary>
Domain to read the files
</summary>
</param>
</interface>
<interface name="mailman_exec" lineno="178">
<summary>
Execute mailman in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_signal_cgi" lineno="197">
<summary>
Send generic signals to mailman cgi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_search_data" lineno="215">
<summary>
Search mailman data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_files" lineno="234">
<summary>
Read mailman data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_data_files" lineno="257">
<summary>
Create, read, write, and delete
mailman data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_list_data" lineno="277">
<summary>
List mailman data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_symlinks" lineno="296">
<summary>
Read mailman data symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_log" lineno="314">
<summary>
Read mailman log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_append_log" lineno="333">
<summary>
Append mailman log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_log" lineno="353">
<summary>
Create, read, write, and delete
mailman log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_archive" lineno="373">
<summary>
Read mailman archive content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_domtrans_queue" lineno="396">
<summary>
Execute mailman_queue in the
mailman_queue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_manage_lockdir" lineno="415">
<summary>
Manage mailman lock dir
</summary>
<param name="domain">
<summary>
Domain allowed to manage it.
</summary>
</param>
</interface>
</module>
<module name="mailscanner" filename="policy/modules/services/mailscanner.if">
<summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
<interface name="mscan_manage_spool_content" lineno="14">
<summary>
Create, read, write, and delete
mscan spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mscan_admin" lineno="41">
<summary>
All of the rules required to
administrate an mscan environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="matrixd" filename="policy/modules/services/matrixd.if">
<summary>Matrixd</summary>
<tunable name="matrix_allow_federation" dftval="true">
<desc>
<p>
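Determine whether Matrixd is allowed to federate
(bind all UDP ports and connect to all TCP ports).
This tunable defaults to true; set it to false on deployments
that do not federate, so that the daemon is not granted this
broad network access.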
</p>
</desc>
</tunable>
<tunable name="matrix_postgresql_connect" dftval="false">
<desc>
<p>
Determine whether Matrixd can connect to the Postgres database.
</p>
</desc>
</tunable>
</module>
<module name="mediawiki" filename="policy/modules/services/mediawiki.if">
<summary>Open source wiki package written in PHP.</summary>
<tunable name="allow_httpd_mediawiki_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="memcached" filename="policy/modules/services/memcached.if">
<summary>High-performance memory object caching system.</summary>
<interface name="memcached_domtrans" lineno="13">
<summary>
Execute a domain transition to run memcached.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="memcached_manage_pid_files" lineno="33">
<summary>
Create, read, write, and delete
memcached pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_read_pid_files" lineno="48">
<summary>
Read memcached pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_manage_runtime_files" lineno="63">
<summary>
Create, read, write, and delete
memcached runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_stream_connect" lineno="83">
<summary>
Connect to memcached using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_tcp_connect" lineno="102">
<summary>
Connect to memcached over the network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_admin" lineno="129">
<summary>
All of the rules required to
administrate a memcached environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="memlockd" filename="policy/modules/services/memlockd.if">
<summary>Memory lock daemon that keeps important files in RAM.</summary>
</module>
<module name="milter" filename="policy/modules/services/milter.if">
<summary>Milter mail filters.</summary>
<template name="milter_template" lineno="13">
<summary>
The template to define a milter domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="milter_stream_connect_all" lineno="52">
<summary>
Connect to all milter domains using
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_getattr_all_sockets" lineno="71">
<summary>
Get attributes of all milter sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_manage_spamass_state" lineno="90">
<summary>
Create, read, write, and delete
spamassassin milter data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_var_lib_filetrans_spamass_state" lineno="111">
<summary>
Create spamass milter state dir.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_getattr_data_dir" lineno="129">
<summary>
Get the attributes of the spamassassin milter data dir.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="minidlna" filename="policy/modules/services/minidlna.if">
<summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
<interface name="minidlna_admin" lineno="20">
<summary>
All of the rules required to
administrate a minidlna environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="minidlna_initrc_domtrans" lineno="55">
<summary>
Execute minidlna init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="minidlna_read_generic_user_content" dftval="false">
<desc>
<p>
Determine whether minidlna can read generic user content.
</p>
</desc>
</tunable>
</module>
<module name="minissdpd" filename="policy/modules/services/minissdpd.if">
<summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
<interface name="minissdpd_read_config" lineno="13">
<summary>
Read minissdpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="minissdpd_admin" lineno="39">
<summary>
All of the rules required to
administrate a minissdpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="modemmanager" filename="policy/modules/services/modemmanager.if">
<summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
<interface name="modemmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run modemmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="modemmanager_dbus_chat" lineno="33">
<summary>
Send and receive messages from
modemmanager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mojomojo" filename="policy/modules/services/mojomojo.if">
<summary>MojoMojo Wiki.</summary>
<tunable name="allow_httpd_mojomojo_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="mon" filename="policy/modules/services/mon.if">
<summary>mon network monitoring daemon.</summary>
<interface name="mon_dontaudit_use_fds" lineno="13">
<summary>
Do not audit attempts to use a file descriptor inherited from mon_t.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="mon_dontaudit_search_var_lib" lineno="31">
<summary>
Do not audit attempts to search /var/lib/mon.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
</module>
<module name="mongodb" filename="policy/modules/services/mongodb.if">
<summary>Scalable, high-performance, open source NoSQL database.</summary>
<interface name="mongodb_admin" lineno="20">
<summary>
All of the rules required to
administrate a mongodb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="monit" filename="policy/modules/services/monit.if">
<summary>Monit - utility for monitoring services on a Unix system.</summary>
<interface name="monit_domtrans_cli" lineno="13">
<summary>
Execute a domain transition to run monit cli.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="monit_run_cli" lineno="39">
<summary>
Execute monit in the monit cli domain,
and allow the specified role
the monit cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="monit_reload" lineno="58">
<summary>
Reload the monit daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="monit_startstop_service" lineno="77">
<summary>
Start and stop the monit daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="monit_admin" lineno="102">
<summary>
All of the rules required to
administrate a monit environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="monit_startstop_services" dftval="false">
<desc>
<p>
Allow monit to start/stop services
</p>
</desc>
</tunable>
</module>
<module name="monop" filename="policy/modules/services/monop.if">
<summary>Monopoly daemon.</summary>
<interface name="monop_admin" lineno="20">
<summary>
All of the rules required to
administrate a monop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mpd" filename="policy/modules/services/mpd.if">
<summary>Music Player Daemon.</summary>
<interface name="mpd_domtrans" lineno="13">
<summary>
Execute a domain transition to run mpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mpd_initrc_domtrans" lineno="32">
<summary>
Execute mpd server in the mpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mpd_read_data_files" lineno="50">
<summary>
Read mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_data_files" lineno="70">
<summary>
Create, read, write, and delete
mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_user_data_content" lineno="90">
<summary>
Create, read, write, and delete
mpd user data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_relabel_user_data_content" lineno="111">
<summary>
Relabel mpd user data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_home_filetrans_user_data" lineno="143">
<summary>
Create objects in user home
directories with the mpd user data type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mpd_read_tmpfs_files" lineno="161">
<summary>
Read mpd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_tmpfs_files" lineno="181">
<summary>
Create, read, write, and delete
mpd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_search_lib" lineno="201">
<summary>
Search mpd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_read_lib_files" lineno="220">
<summary>
Read mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_files" lineno="240">
<summary>
Create, read, write, and delete
mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_var_lib_filetrans" lineno="275">
<summary>
Create specified objects in mpd
lib directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_dirs" lineno="295">
<summary>
Create, read, write, and delete
mpd lib dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_admin" lineno="321">
<summary>
All of the rules required to
administrate an mpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mpd_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether mpd can traverse
user home directories.
</p>
</desc>
</tunable>
<tunable name="mpd_use_cifs" dftval="false">
<desc>
<p>
Determine whether mpd can use
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="mpd_use_nfs" dftval="false">
<desc>
<p>
Determine whether mpd can use
nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="mta" filename="policy/modules/services/mta.if">
<summary>Common e-mail transfer agent policy.</summary>
<interface name="mta_stub" lineno="13">
<summary>
MTA stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="mta_base_mail_template" lineno="29">
<summary>
The template to define a mail domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="mta_base_role" lineno="77">
<summary>
Role access for mta.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="mta_user_role" lineno="131">
<summary>
User Role access for mta.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="mta_admin_role" lineno="163">
<summary>
Admin Role access for mta.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="mta_mailserver" lineno="199">
<summary>
Make the specified domain usable for a mail server.
</summary>
<param name="type">
<summary>
Type to be used as a mail server domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="mta_agent_executable" lineno="218">
<summary>
Make the specified type an MTA executable file.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_read_mail_home_files" lineno="238">
<summary>
Read mta mail home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_mail_home_files" lineno="258">
<summary>
Create, read, write, and delete
mta mail home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_home_filetrans_mail_home" lineno="289">
<summary>
Create specified objects in user home
directories with the generic mail
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_manage_mail_home_rw_content" lineno="308">
<summary>
Create, read, write, and delete
mta mail home rw content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_home_filetrans_mail_home_rw" lineno="343">
<summary>
Create specified objects in user home
directories with the generic mail
home rw type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_system_content" lineno="361">
<summary>
Make the specified type usable by a system MTA.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_sendmail_mailserver" lineno="394">
<summary>
Modified mailserver interface for
sendmail daemon use.
</summary>
<desc>
<p>
A modified MTA mail server interface for
the sendmail program.  Its design does
not fit well with policy, and using the
regular interface causes a type_transition
conflict if direct running of init scripts
is enabled.
</p>
<p>
This interface should most likely only be used
by the sendmail policy.
</p>
</desc>
<param name="domain">
<summary>
The type to be used for the mail server.
</summary>
</param>
</interface>
<interface name="mta_use_mailserver_fds" lineno="415">
<summary>
Inherit FDs from mailserver_domain domains
</summary>
<param name="type">
<summary>
Type for a list server or delivery agent that inherits fds
</summary>
</param>
</interface>
<interface name="mta_mailserver_sender" lineno="434">
<summary>
Make a type a mailserver type used
for sending mail.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_delivery" lineno="453">
<summary>
Make a type a mailserver type used
for delivering mail to local users.
</summary>
<param name="domain">
<summary>
Mail server domain type used for delivering mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_user_agent" lineno="473">
<summary>
Make a type a mailserver type used
for sending mail on behalf of local
users to the local mail spool.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending local mail.
</summary>
</param>
</interface>
<interface name="mta_send_mail" lineno="491">
<summary>
Send mail from the system.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mta_sendmail_domtrans" lineno="528">
<summary>
Execute send mail in a specified domain.
</summary>
<desc>
<p>
Execute send mail in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="mta_signal_system_mail" lineno="550">
<summary>
Send signals to system mail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_kill_system_mail" lineno="568">
<summary>
Send kill signals to system mail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_sendmail_exec" lineno="586">
<summary>
Execute sendmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_sendmail_entry_point" lineno="606">
<summary>
Make sendmail usable as an entry
point for the domain.
</summary>
<param name="domain">
<summary>
Domain to be entered.
</summary>
</param>
</interface>
<interface name="mta_read_config" lineno="625">
<summary>
Read mail server configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_write_config" lineno="647">
<summary>
Write mail server configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_read_aliases" lineno="666">
<summary>
Read mail address alias files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_map_aliases" lineno="685">
<summary>
Read mail address alias files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_aliases" lineno="704">
<summary>
Create, read, write, and delete
mail address alias content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_etc_filetrans_aliases" lineno="736">
<summary>
Create specified object in generic
etc directories with the mail address
alias type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_spec_filetrans_aliases" lineno="771">
<summary>
Create specified objects in specified
directories with a type transition to
the mail address alias type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Directory to transition on.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_rw_aliases" lineno="790">
<summary>
Read and write mail alias files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="811">
<summary>
Do not audit attempts to read
and write TCP sockets of mail
delivery domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_rw_delivery_fifos" lineno="829">
<summary>
Read and write fifo files inherited from delivery domains.
</summary>
<param name="domain">
<summary>
Domain to use fifo files
</summary>
</param>
</interface>
<interface name="mta_dontaudit_read_spool_symlinks" lineno="850">
<summary>
Do not audit attempts to read
mail spool symlinks.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_getattr_spool" lineno="868">
<summary>
Get attributes of mail spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_getattr_spool_files" lineno="890">
<summary>
Do not audit attempts to get
attributes of mail spool files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_spool_filetrans" lineno="928">
<summary>
Create specified objects in the
mail spool directory with a
private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_read_spool_files" lineno="947">
<summary>
Read mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_spool" lineno="967">
<summary>
Read and write mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_append_spool" lineno="988">
<summary>
Create, read, and write mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_delete_spool" lineno="1009">
<summary>
Delete mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_spool" lineno="1029">
<summary>
Create, read, write, and delete
mail spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_watch_spool" lineno="1051">
<summary>
Watch mail spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_queue_filetrans" lineno="1086">
<summary>
Create specified objects in the
mail queue spool directory with a
private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_search_queue" lineno="1105">
<summary>
Search mail queue directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_list_queue" lineno="1124">
<summary>
List mail queue directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_queue" lineno="1143">
<summary>
Read mail queue files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_rw_queue" lineno="1163">
<summary>
Do not audit attempts to read and
write mail queue content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_manage_queue" lineno="1183">
<summary>
Create, read, write, and delete
mail queue content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_sendmail_bin" lineno="1203">
<summary>
Read sendmail binary.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_user_mail_stream_sockets" lineno="1222">
<summary>
Read and write unix domain stream
sockets of all base mail domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_system_mail_role" lineno="1241">
<summary>
Allow system_mail_t to run in a role
</summary>
<param name="domain">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="munin" filename="policy/modules/services/munin.if">
<summary>Munin network-wide load graphing.</summary>
<template name="munin_plugin_template" lineno="13">
<summary>
The template to define a munin plugin domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="munin_stream_connect" lineno="55">
<summary>
Connect to munin over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_read_config" lineno="75">
<summary>
Read munin configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_append_log" lineno="97">
<summary>
Append munin log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_search_lib" lineno="117">
<summary>
Search munin library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_dontaudit_search_lib" lineno="137">
<summary>
Do not audit attempts to search
munin library directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="munin_admin" lineno="162">
<summary>
All of the rules required to
administrate a munin environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_munin_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="mysql" filename="policy/modules/services/mysql.if">
<summary>Open source database.</summary>
<interface name="mysql_domtrans" lineno="13">
<summary>
Execute MySQL in the mysql domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mysql_run_mysqld" lineno="38">
<summary>
Execute mysqld in the mysqld domain, and
allow the specified role the mysqld domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mysql_signal" lineno="57">
<summary>
Send generic signals to mysqld.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_tcp_connect" lineno="75">
<summary>
Connect to mysqld with a tcp socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_stream_connect" lineno="97">
<summary>
Connect to mysqld with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_read_config" lineno="117">
<summary>
Read mysqld configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_search_db" lineno="138">
<summary>
Search mysqld db directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_dirs" lineno="157">
<summary>
Read and write mysqld database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_dirs" lineno="177">
<summary>
Create, read, write, and delete
mysqld database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_append_db_files" lineno="196">
<summary>
Append mysqld database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_files" lineno="215">
<summary>
Read and write mysqld database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_files" lineno="235">
<summary>
Create, read, write, and delete
mysqld database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_var_lib_filetrans_db_dir" lineno="254">
<summary>
Create mysqld db dir.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_mysqld_home_files" lineno="273">
<summary>
Create, read, write, and delete
mysqld home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_relabel_mysqld_home_files" lineno="292">
<summary>
Relabel mysqld home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_home_filetrans_mysqld_home" lineno="322">
<summary>
Create objects in user home
directories with the mysqld home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mysql_write_log" lineno="340">
<summary>
Write mysqld log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_log_filetrans_log_dir" lineno="360">
<summary>
Create mysqld log dir.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_domtrans_mysql_safe" lineno="380">
<summary>
Execute mysqld safe in the
mysqld safe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mysql_read_pid_files" lineno="399">
<summary>
Read mysqld pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_search_pid_files" lineno="414">
<summary>
Search mysqld pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>

</interface>
<interface name="mysql_admin" lineno="435">
<summary>
All of the rules required to
administrate a mysqld environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mysql_connect_any" dftval="false">
<desc>
<p>
Determine whether mysqld can
connect to all TCP ports.
</p>
</desc>
</tunable>
</module>
<module name="nagios" filename="policy/modules/services/nagios.if">
<summary>Network monitoring server.</summary>
<template name="nagios_plugin_template" lineno="13">
<summary>
The template to define a nagios plugin domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="nagios_dontaudit_rw_pipes" lineno="52">
<summary>
Do not audit attempts to read or
write nagios unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_read_config" lineno="71">
<summary>
Read nagios configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_read_log" lineno="92">
<summary>
Read nagios log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_dontaudit_rw_log" lineno="112">
<summary>
Do not audit attempts to read or
write nagios log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nagios_search_spool" lineno="130">
<summary>
Search nagios spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_read_tmp_files" lineno="149">
<summary>
Read nagios temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_domtrans_nrpe" lineno="168">
<summary>
Execute nrpe with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nagios_admin" lineno="194">
<summary>
All of the rules required to
administrate a nagios environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_nagios_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="nessus" filename="policy/modules/services/nessus.if">
<summary>Network scanning daemon.</summary>
<interface name="nessus_admin" lineno="20">
<summary>
All of the rules required to
administrate a nessus environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="networkmanager" filename="policy/modules/services/networkmanager.if">
<summary>Manager for dynamically switching between networks.</summary>
<interface name="networkmanager_rw_udp_sockets" lineno="13">
<summary>
Read and write networkmanager udp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_packet_sockets" lineno="31">
<summary>
Read and write networkmanager packet sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_attach_tun_iface" lineno="49">
<summary>
Relabel networkmanager tun socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_routing_sockets" lineno="69">
<summary>
Read and write networkmanager netlink
routing sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_domtrans" lineno="87">
<summary>
Execute networkmanager with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="networkmanager_initrc_domtrans" lineno="107">
<summary>
Execute networkmanager scripts with
an automatic domain transition to initrc.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="networkmanager_dbus_chat" lineno="126">
<summary>
Send and receive messages from
networkmanager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_state" lineno="146">
<summary>
Read networkmanager process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_signal" lineno="166">
<summary>
Send generic signals to networkmanager.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_watch_etc_dirs" lineno="184">
<summary>
Watch networkmanager etc dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_etc_files" lineno="202">
<summary>
Read networkmanager etc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_manage_lib_files" lineno="223">
<summary>
Create, read, and write
networkmanager library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_lib_files" lineno="243">
<summary>
Read networkmanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_append_log_files" lineno="264">
<summary>
Append networkmanager log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_pid_files" lineno="284">
<summary>
Read networkmanager pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_runtime_files" lineno="299">
<summary>
Read networkmanager runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_watch_runtime_dirs" lineno="318">
<summary>
Watch networkmanager runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_stream_connect" lineno="337">
<summary>
Connect to networkmanager over
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_enabledisable" lineno="356">
<summary>
Allow specified domain to enable/disable NetworkManager units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_startstop" lineno="375">
<summary>
Allow specified domain to start/stop NetworkManager units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_status" lineno="394">
<summary>
Allow specified domain to get status of NetworkManager
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_admin" lineno="420">
<summary>
All of the rules required to
administrate a networkmanager environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nis" filename="policy/modules/services/nis.if">
<summary>Policy for NIS (YP) servers and clients.</summary>
<interface name="nis_use_ypbind_uncond" lineno="26">
<summary>
Use the ypbind service to access NIS services
unconditionally.
</summary>
<desc>
<p>
Use the ypbind service to access NIS services
unconditionally.
</p>
<p>
This interface was added because of apache and
spamassassin, to fix a nested conditionals problem.
When that support is added, this should be removed,
and the regular interface should be used.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_use_ypbind" lineno="87">
<summary>
Use the ypbind service to access NIS services.
</summary>
<desc>
<p>
Allow the specified domain to use the ypbind service
to access Network Information Service (NIS) services.
Information that can be retrieved from NIS includes
usernames, passwords, home directories, and groups.
If the network is configured to have a single sign-on
using NIS, it is likely that any program that does
authentication will need this access.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
<rolecap/>
</interface>
<interface name="nis_authenticate" lineno="104">
<summary>
Use nis to authenticate passwords.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_domtrans_ypbind" lineno="122">
<summary>
Execute ypbind in the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_exec_ypbind" lineno="141">
<summary>
Execute ypbind in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_run_ypbind" lineno="167">
<summary>
Execute ypbind in the ypbind domain, and
allow the specified role the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_signal_ypbind" lineno="186">
<summary>
Send generic signals to ypbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_list_var_yp" lineno="204">
<summary>
List nis data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypbind_pid" lineno="223">
<summary>
Read ypbind pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypbind_runtime_files" lineno="238">
<summary>
Read ypbind runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_delete_ypbind_pid" lineno="257">
<summary>
Delete ypbind pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypserv_config" lineno="271">
<summary>
Read ypserv configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_domtrans_ypxfr" lineno="290">
<summary>
Execute ypxfr in the ypxfr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans" lineno="311">
<summary>
Execute nis init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans_ypbind" lineno="330">
<summary>
Execute ypbind init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_admin" lineno="355">
<summary>
All of the rules required to
administrate an nis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nscd" filename="policy/modules/services/nscd.if">
<summary>Name service cache daemon.</summary>
<interface name="nscd_signal" lineno="13">
<summary>
Send generic signals to nscd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_kill" lineno="31">
<summary>
Send kill signals to nscd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_signull" lineno="49">
<summary>
Send null signals to nscd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_domtrans" lineno="67">
<summary>
Execute nscd in the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_exec" lineno="86">
<summary>
Execute nscd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_socket_use" lineno="106">
<summary>
Use nscd services by connecting using
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_shm_use" lineno="138">
<summary>
Use nscd services by mapping the
database from an inherited nscd
file descriptor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_use" lineno="167">
<summary>
Use nscd services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_search_pid" lineno="186">
<summary>
Do not audit attempts to search
nscd pid directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nscd_read_pid" lineno="201">
<summary>
Read nscd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_search_runtime" lineno="217">
<summary>
Do not audit attempts to search
nscd runtime directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nscd_read_runtime_files" lineno="235">
<summary>
Read nscd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_unconfined" lineno="254">
<summary>
Unconfined access to nscd services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_run" lineno="279">
<summary>
Execute nscd in the nscd domain, and
allow the specified role the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="nscd_initrc_domtrans" lineno="299">
<summary>
Execute the nscd server init
script in the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_admin" lineno="324">
<summary>
All of the rules required to
administrate an nscd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="nscd_use_shm" dftval="false">
<desc>
<p>
Determine whether confined applications
can use nscd shared memory.
</p>
</desc>
</tunable>
</module>
<module name="nsd" filename="policy/modules/services/nsd.if">
<summary>Authoritative only name server.</summary>
<interface name="nsd_admin" lineno="20">
<summary>
All of the rules required to
administrate an nsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nslcd" filename="policy/modules/services/nslcd.if">
<summary>Local LDAP name service daemon.</summary>
<interface name="nslcd_domtrans" lineno="13">
<summary>
Execute a domain transition to run nslcd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nslcd_initrc_domtrans" lineno="32">
<summary>
Execute nslcd server in the nslcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nslcd_read_pid_files" lineno="50">
<summary>
Read nslcd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_stream_connect" lineno="65">
<summary>
Connect to nslcd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_admin" lineno="91">
<summary>
All of the rules required to
administrate an nslcd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntop" filename="policy/modules/services/ntop.if">
<summary>A network traffic probe similar to the UNIX top command.</summary>
<interface name="ntop_admin" lineno="20">
<summary>
All of the rules required to
administrate an ntop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntp" filename="policy/modules/services/ntp.if">
<summary>Network time protocol daemon.</summary>
<interface name="ntp_stub" lineno="13">
<summary>
NTP stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_read_config" lineno="29">
<summary>
Read ntp.conf
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_domtrans" lineno="47">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_run" lineno="73">
<summary>
Execute ntp in the ntp domain, and
allow the specified role the ntp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ntp_dbus_chat" lineno="93">
<summary>
Send and receive messages from
ntpd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_domtrans_ntpdate" lineno="113">
<summary>
Execute ntpdate server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_initrc_domtrans" lineno="133">
<summary>
Execute ntpd init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_read_conf_files" lineno="151">
<summary>
Read ntp conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_read_drift_files" lineno="170">
<summary>
Read ntp drift files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_rw_shm" lineno="189">
<summary>
Read and write ntpd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_enabledisable" lineno="211">
<summary>
Allow specified domain to enable/disable ntpd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_startstop" lineno="232">
<summary>
Allow specified domain to start/stop ntpd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_status" lineno="253">
<summary>
Allow specified domain to get status of ntpd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_admin" lineno="281">
<summary>
All of the rules required to
administrate an ntp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="numad" filename="policy/modules/services/numad.if">
<summary>Non-Uniform Memory Alignment Daemon.</summary>
<interface name="numad_admin" lineno="20">
<summary>
All of the rules required to
administrate a numad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nut" filename="policy/modules/services/nut.if">
<summary>Network UPS Tools.</summary>
<interface name="nut_admin" lineno="20">
<summary>
All of the rules required to
administrate a nut environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_nutups_cgi_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="nx" filename="policy/modules/services/nx.if">
<summary>NX remote desktop.</summary>
<interface name="nx_spec_domtrans_server" lineno="13">
<summary>
Transition to nx server.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nx_read_home_files" lineno="32">
<summary>
Read nx home directory content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_search_var_lib" lineno="51">
<summary>
Search nx lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_var_lib_filetrans" lineno="86">
<summary>
Create specified objects in nx lib
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
</module>
<module name="oav" filename="policy/modules/services/oav.if">
<summary>Open AntiVirus scannerdaemon and signature update.</summary>
<interface name="oav_domtrans_update" lineno="13">
<summary>
Execute oav_update in the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oav_run_update" lineno="40">
<summary>
Execute oav_update in the oav_update
domain, and allow the specified role
the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="obex" filename="policy/modules/services/obex.if">
<summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
<template name="obex_role_template" lineno="24">
<summary>
The role template for obex.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="obex_domtrans" lineno="60">
<summary>
Execute obex in the obex domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="obex_dbus_chat" lineno="80">
<summary>
Send and receive messages from
obex over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="oddjob" filename="policy/modules/services/oddjob.if">
<summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
<interface name="oddjob_domtrans" lineno="13">
<summary>
Execute a domain transition to run oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_system_entry" lineno="38">
<summary>
Make the specified program domain
accessible from oddjob.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="oddjob_dbus_chat" lineno="57">
<summary>
Send and receive messages from
oddjob over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oddjob_domtrans_mkhomedir" lineno="78">
<summary>
Execute a domain transition to
run oddjob mkhomedir.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_run_mkhomedir" lineno="106">
<summary>
Execute oddjob mkhomedir in the
oddjob mkhomedir domain and allow
the specified role the oddjob
mkhomedir domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="oddjob_dontaudit_rw_fifo_files" lineno="126">
<summary>
Do not audit attempts to read and write
oddjob fifo files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="oddjob_sigchld" lineno="144">
<summary>
Send child terminated signals to oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="oident" filename="policy/modules/services/oident.if">
<summary>An ident daemon with IP masq/NAT support and the ability to specify responses.</summary>
<interface name="oident_read_user_content" lineno="13">
<summary>
Read oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_manage_user_content" lineno="33">
<summary>
Create, read, write, and delete
oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_relabel_user_content" lineno="52">
<summary>
Relabel oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_home_filetrans_oidentd_home" lineno="82">
<summary>
Create objects in user home
directories with the oidentd home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="oident_admin" lineno="107">
<summary>
All of the rules required to
administrate an oident environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openca" filename="policy/modules/services/openca.if">
<summary>Open Certificate Authority.</summary>
<interface name="openca_domtrans" lineno="14">
<summary>
Execute openca with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openca_signal" lineno="34">
<summary>
Send generic signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_sigstop" lineno="52">
<summary>
Send stop signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_kill" lineno="70">
<summary>
Send kill signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openct" filename="policy/modules/services/openct.if">
<summary>Service for handling smart card readers.</summary>
<interface name="openct_signull" lineno="13">
<summary>
Send null signals to openct.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_exec" lineno="31">
<summary>
Execute openct in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_domtrans" lineno="50">
<summary>
Execute a domain transition to run openct.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openct_read_pid_files" lineno="69">
<summary>
Read openct pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_read_runtime_files" lineno="84">
<summary>
Read openct runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_stream_connect" lineno="104">
<summary>
Connect to openct over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_admin" lineno="130">
<summary>
All of the rules required to
administrate an openct environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openhpi" filename="policy/modules/services/openhpi.if">
<summary>Open source implementation of the Service Availability Forum Hardware Platform Interface.</summary>
<interface name="openhpi_admin" lineno="20">
<summary>
All of the rules required to
administrate an openhpi environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openvpn" filename="policy/modules/services/openvpn.if">
<summary>Full-featured SSL VPN solution.</summary>
<interface name="openvpn_domtrans" lineno="14">
<summary>
Execute openvpn clients in the
openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvpn_run" lineno="41">
<summary>
Execute openvpn clients in the
openvpn domain, and allow the
specified role the openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_kill" lineno="60">
<summary>
Send kill signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signal" lineno="78">
<summary>
Send generic signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signull" lineno="96">
<summary>
Send null signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_read_config" lineno="115">
<summary>
Read openvpn configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_admin" lineno="143">
<summary>
All of the rules required to
administrate an openvpn environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="openvpn_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether openvpn can
read generic user home content files.
</p>
</desc>
</tunable>
<tunable name="openvpn_can_network_connect" dftval="false">
<desc>
<p>
Determine whether openvpn can
connect to the TCP network.
</p>
</desc>
</tunable>
</module>
<module name="openvswitch" filename="policy/modules/services/openvswitch.if">
<summary>Multilayer virtual switch.</summary>
<interface name="openvswitch_domtrans" lineno="13">
<summary>
Execute openvswitch in the openvswitch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvswitch_read_pid_files" lineno="32">
<summary>
Read openvswitch pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_read_runtime_files" lineno="47">
<summary>
Read openvswitch runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_admin" lineno="73">
<summary>
All of the rules required to
administrate an openvswitch environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pacemaker" filename="policy/modules/services/pacemaker.if">
<summary>A scalable high-availability cluster resource manager.</summary>
<interface name="pacemaker_admin" lineno="20">
<summary>
All of the rules required to
administrate a pacemaker environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="pacemaker_startstop_all_services" dftval="false">
<desc>
<p>
Determine whether pacemaker can
start/stop all services.
</p>
</desc>
</tunable>
</module>
<module name="pads" filename="policy/modules/services/pads.if">
<summary>Passive Asset Detection System.</summary>
<interface name="pads_admin" lineno="20">
<summary>
All of the rules required to
administrate a pads environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pcscd" filename="policy/modules/services/pcscd.if">
<summary>PCSC smart card service.</summary>
<interface name="pcscd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pcscd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcscd_read_pid_files" lineno="32">
<summary>
Read pcscd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_read_runtime_files" lineno="47">
<summary>
Read pcscd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_stream_connect" lineno="67">
<summary>
Connect to pcscd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_admin" lineno="96">
<summary>
All of the rules required to
administrate a pcscd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pegasus" filename="policy/modules/services/pegasus.if">
<summary>The Open Group Pegasus CIM/WBEM Server.</summary>
<interface name="pegasus_admin" lineno="20">
<summary>
All of the rules required to
administrate a pegasus environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="perdition" filename="policy/modules/services/perdition.if">
<summary>Perdition POP and IMAP proxy.</summary>
<interface name="perdition_admin" lineno="20">
<summary>
All of the rules required to
administrate a perdition environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pingd" filename="policy/modules/services/pingd.if">
<summary>Pingd of the Whatsup cluster node up/down detection utility.</summary>
<interface name="pingd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pingd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pingd_read_config" lineno="32">
<summary>
Read pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_manage_config" lineno="52">
<summary>
Create, read, write, and delete
pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_admin" lineno="78">
<summary>
All of the rules required to
administrate a pingd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pkcs" filename="policy/modules/services/pkcs.if">
<summary>Implementations of the Cryptoki specification.</summary>
<interface name="pkcs_admin_slotd" lineno="20">
<summary>
All of the rules required to
administrate a pkcs slotd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="plymouthd" filename="policy/modules/services/plymouthd.if">
<summary>Plymouth graphical boot.</summary>
<interface name="plymouthd_domtrans" lineno="13">
<summary>
Execute a domain transition to run plymouthd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_exec" lineno="32">
<summary>
Execute plymouthd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_stream_connect" lineno="52">
<summary>
Connect to plymouthd using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_exec_plymouth" lineno="71">
<summary>
Execute plymouth in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_domtrans_plymouth" lineno="90">
<summary>
Execute a domain transition to run plymouth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_search_spool" lineno="109">
<summary>
Search plymouthd spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_spool_files" lineno="128">
<summary>
Read plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_spool_files" lineno="148">
<summary>
Create, read, write, and delete
plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_search_lib" lineno="167">
<summary>
Search plymouthd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_lib_files" lineno="186">
<summary>
Read plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_rw_lib_files" lineno="205">
<summary>
Read and write plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_lib_files" lineno="225">
<summary>
Create, read, write, and delete
plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_pid_files" lineno="244">
<summary>
Read plymouthd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_delete_pid_files" lineno="259">
<summary>
Delete the plymouthd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_runtime_files" lineno="274">
<summary>
Read plymouthd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_delete_runtime_files" lineno="293">
<summary>
Delete the plymouthd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_admin" lineno="319">
<summary>
All of the rules required to
administrate a plymouthd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="policykit" filename="policy/modules/services/policykit.if">
<summary>Policy framework for controlling privileges for system-wide services.</summary>
<interface name="policykit_dbus_chat" lineno="14">
<summary>
Send and receive messages from
policykit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_dbus_chat_auth" lineno="35">
<summary>
Send and receive messages from
policykit auth over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_auth" lineno="55">
<summary>
Execute a domain transition to run polkit_auth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_auth" lineno="81">
<summary>
Execute a policy_auth in the policy
auth domain, and allow the specified
role the policy auth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="policykit_signal_auth" lineno="101">
<summary>
Send generic signals to
policykit auth.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_grant" lineno="119">
<summary>
Execute a domain transition to run polkit grant.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_grant" lineno="146">
<summary>
Execute a policy_grant in the policy
grant domain, and allow the specified
role the policy grant domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="policykit_read_reload" lineno="165">
<summary>
Read policykit reload files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_rw_reload" lineno="184">
<summary>
Read and write policykit reload files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_resolve" lineno="203">
<summary>
Execute a domain transition to run polkit resolve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_search_lib" lineno="222">
<summary>
Search policykit lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_read_lib" lineno="241">
<summary>
Read policykit lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="polipo" filename="policy/modules/services/polipo.if">
<summary>Lightweight forwarding and caching proxy server.</summary>
<template name="polipo_role" lineno="18">
<summary>
Role access for Polipo session.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="polipo_initrc_domtrans" lineno="64">
<summary>
Execute Polipo in the Polipo
system domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="polipo_log_filetrans_log" lineno="94">
<summary>
Create specified objects in generic
log directories with the polipo
log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="polipo_admin" lineno="119">
<summary>
All of the rules required to
administrate a polipo environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="polipo_system_use_cifs" dftval="false">
<desc>
<p>
Determine whether Polipo system
daemon can access CIFS file systems.
</p>
</desc>
</tunable>
<tunable name="polipo_system_use_nfs" dftval="false">
<desc>
<p>
Determine whether Polipo system
daemon can access NFS file systems.
</p>
</desc>
</tunable>
<tunable name="polipo_session_users" dftval="false">
<desc>
<p>
Determine whether calling user domains
can execute Polipo daemon in the
polipo_session_t domain.
</p>
</desc>
</tunable>
<tunable name="polipo_session_send_syslog_msg" dftval="false">
<desc>
<p>
Determine whether Polipo session daemon
can send syslog messages.
</p>
</desc>
</tunable>
</module>
<module name="portmap" filename="policy/modules/services/portmap.if">
<summary>RPC port mapping service.</summary>
<interface name="portmap_domtrans_helper" lineno="13">
<summary>
Execute portmap helper in the helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portmap_run_helper" lineno="40">
<summary>
Execute portmap helper in the helper
domain, and allow the specified role
the helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portmap_admin" lineno="66">
<summary>
All of the rules required to
administrate a portmap environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="portreserve" filename="policy/modules/services/portreserve.if">
<summary>Reserve well-known ports in the RPC port range.</summary>
<interface name="portreserve_domtrans" lineno="13">
<summary>
Execute a domain transition to run portreserve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portreserve_read_config" lineno="33">
<summary>
Read portreserve configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portreserve_manage_config" lineno="55">
<summary>
Create, read, write, and delete
portreserve configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portreserve_initrc_domtrans" lineno="77">
<summary>
Execute portreserve init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portreserve_admin" lineno="102">
<summary>
All of the rules required to
administrate a portreserve environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="portslave" filename="policy/modules/services/portslave.if">
<summary>Portslave terminal server software.</summary>
<interface name="portslave_domtrans" lineno="13">
<summary>
Execute portslave with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="postfix" filename="policy/modules/services/postfix.if">
<summary>Postfix email server.</summary>
<interface name="postfix_stub" lineno="13">
<summary>
Postfix stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="postfix_domain_template" lineno="29">
<summary>
The template to define a postfix domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<template name="postfix_server_domain_template" lineno="65">
<summary>
The template to define a postfix server domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<template name="postfix_user_domain_template" lineno="105">
<summary>
The template to define a postfix user domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="postfix_read_config" lineno="142">
<summary>
Read postfix configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_config_filetrans" lineno="179">
<summary>
Create specified object in postfix
etc directories with a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="199">
<summary>
Do not audit attempts to read and
write postfix local delivery
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_rw_local_pipes" lineno="217">
<summary>
Read and write postfix local pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_local_state" lineno="235">
<summary>
Read postfix local process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_inherited_master_pipes" lineno="256">
<summary>
Read and write inherited postfix master pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_master_state" lineno="275">
<summary>
Read postfix master process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_use_fds_master" lineno="296">
<summary>
Use postfix master file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_use_fds" lineno="316">
<summary>
Do not audit attempts to use
postfix master process
file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_map" lineno="334">
<summary>
Execute postfix_map in the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_run_map" lineno="361">
<summary>
Execute postfix map in the postfix
map domain, and allow the specified
role the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_domtrans_master" lineno="381">
<summary>
Execute the master postfix program
in the postfix_master domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_exec_master" lineno="401">
<summary>
Execute the master postfix program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_stream_connect_master" lineno="422">
<summary>
Connect to postfix master process
using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_domtrans_postdrop" lineno="441">
<summary>
Execute the master postdrop in the
postfix postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_postqueue" lineno="461">
<summary>
Execute the master postqueue in the
postfix postqueue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_exec_postqueue" lineno="481">
<summary>
Execute postfix postqueue in
the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_create_private_sockets" lineno="500">
<summary>
Create postfix private sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_private_sockets" lineno="519">
<summary>
Create, read, write, and delete
postfix private sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_smtp" lineno="538">
<summary>
Execute the smtp postfix program
in the postfix smtp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_getattr_all_spool_files" lineno="558">
<summary>
Get attributes of all postfix mail
spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_search_spool" lineno="577">
<summary>
Search postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_list_spool" lineno="596">
<summary>
List postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_spool_files" lineno="615">
<summary>
Read postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_spool_files" lineno="635">
<summary>
Create, read, write, and delete
postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_user_mail_handler" lineno="655">
<summary>
Execute postfix user mail programs
in their respective domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_admin" lineno="680">
<summary>
All of the rules required to
administrate a postfix environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="postfix_local_write_mail_spool" dftval="true">
<desc>
<p>
Determine whether postfix local
can manage mail spool content.
</p>
</desc>
</tunable>
<tunable name="postfix_read_generic_user_content" dftval="true">
<desc>
<p>
Grant the postfix domains read access to generic user content
</p>
</desc>
</tunable>
<tunable name="postfix_read_all_user_content" dftval="false">
<desc>
<p>
Grant the postfix domains read access to all user content
</p>
</desc>
</tunable>
<tunable name="postfix_manage_generic_user_content" dftval="false">
<desc>
<p>
Grant the postfix domains manage rights on generic user content
</p>
</desc>
</tunable>
<tunable name="postfix_manage_all_user_content" dftval="false">
<desc>
<p>
Grant the postfix domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
<module name="postfixpolicyd" filename="policy/modules/services/postfixpolicyd.if">
<summary>Postfix policy server.</summary>
<interface name="postfixpolicyd_admin" lineno="20">
<summary>
All of the rules required to administrate
a postfixpolicyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="postgresql" filename="policy/modules/services/postgresql.if">
<summary>PostgreSQL relational database</summary>
<interface name="postgresql_role" lineno="18">
<summary>
Role access for SE-PostgreSQL.
</summary>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</interface>
<interface name="postgresql_loadable_module" lineno="109">
<summary>
Marks as a SE-PostgreSQL loadable shared library module
</summary>
<param name="type">
<summary>
Type marked as a database object type.
</summary>
</param>
</interface>
<interface name="postgresql_database_object" lineno="127">
<summary>
Marks as a SE-PostgreSQL database object type
</summary>
<param name="type">
<summary>
Type marked as a database object type.
</summary>
</param>
</interface>
<interface name="postgresql_schema_object" lineno="145">
<summary>
Marks as a SE-PostgreSQL schema object type
</summary>
<param name="type">
<summary>
Type marked as a schema object type.
</summary>
</param>
</interface>
<interface name="postgresql_table_object" lineno="163">
<summary>
Marks as a SE-PostgreSQL table/column/tuple object type
</summary>
<param name="type">
<summary>
Type marked as a table/column/tuple object type.
</summary>
</param>
</interface>
<interface name="postgresql_system_table_object" lineno="181">
<summary>
Marks as a SE-PostgreSQL system table/column/tuple object type
</summary>
<param name="type">
<summary>
Type marked as a table/column/tuple object type.
</summary>
</param>
</interface>
<interface name="postgresql_sequence_object" lineno="200">
<summary>
Marks as a SE-PostgreSQL sequence type
</summary>
<param name="type">
<summary>
Type marked as a sequence type.
</summary>
</param>
</interface>
<interface name="postgresql_view_object" lineno="218">
<summary>
Marks as a SE-PostgreSQL view object type
</summary>
<param name="type">
<summary>
Type marked as a view object type.
</summary>
</param>
</interface>
<interface name="postgresql_procedure_object" lineno="236">
<summary>
Marks as a SE-PostgreSQL procedure object type
</summary>
<param name="type">
<summary>
Type marked as a procedure object type.
</summary>
</param>
</interface>
<interface name="postgresql_trusted_procedure_object" lineno="254">
<summary>
Marks as a SE-PostgreSQL trusted procedure object type
</summary>
<param name="type">
<summary>
Type marked as a trusted procedure object type.
</summary>
</param>
</interface>
<interface name="postgresql_language_object" lineno="274">
<summary>
Marks as a SE-PostgreSQL procedural language object type
</summary>
<param name="type">
<summary>
Type marked as a procedural language object type.
</summary>
</param>
</interface>
<interface name="postgresql_blob_object" lineno="292">
<summary>
Marks as a SE-PostgreSQL binary large object type
</summary>
<param name="type">
<summary>
Type marked as a database binary large object type.
</summary>
</param>
</interface>
<interface name="postgresql_search_db" lineno="310">
<summary>
Allow the specified domain to search postgresql's database directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_manage_db" lineno="327">
<summary>
Allow the specified domain to manage postgresql's database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_domtrans" lineno="347">
<summary>
Execute postgresql in the postgresql domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postgresql_signal" lineno="365">
<summary>
Allow domain to signal postgresql
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_read_config" lineno="383">
<summary>
Allow the specified domain to read postgresql's configuration (etc) files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postgresql_tcp_connect" lineno="404">
<summary>
Allow the specified domain to connect to postgresql with a tcp socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_stream_connect" lineno="425">
<summary>
Allow the specified domain to connect to postgresql with a unix socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postgresql_unpriv_client" lineno="447">
<summary>
Allow the specified domain unprivileged accesses to unifined database objects
managed by SE-PostgreSQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_unconfined" lineno="539">
<summary>
Allow the specified domain unconfined accesses to any database objects
managed by SE-PostgreSQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_admin" lineno="563">
<summary>
All of the rules required to administrate a postgresql environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the postgresql domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="sepgsql_enable_users_ddl" dftval="false">
<desc>
<p>
Allow unprivileged users to execute DDL statements.
</p>
</desc>
</tunable>
<tunable name="sepgsql_transmit_client_label" dftval="false">
<desc>
<p>
Allow transmitting the client label to a foreign database.
</p>
</desc>
</tunable>
<tunable name="sepgsql_unconfined_dbadm" dftval="false">
<desc>
<p>
Allow database admins to execute DML statements.
</p>
</desc>
</tunable>
</module>
<module name="postgrey" filename="policy/modules/services/postgrey.if">
<summary>Postfix grey-listing server.</summary>
<interface name="postgrey_stream_connect" lineno="14">
<summary>
Connect to postgrey using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgrey_search_spool" lineno="34">
<summary>
Search spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgrey_admin" lineno="60">
<summary>
All of the rules required to
administrate a postgrey environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ppp" filename="policy/modules/services/ppp.if">
<summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
<interface name="ppp_manage_home_files" lineno="14">
<summary>
Create, read, write, and delete
ppp home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_home_files" lineno="33">
<summary>
Read ppp user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_relabel_home_files" lineno="53">
<summary>
Relabel ppp home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_home_filetrans_ppp_home" lineno="83">
<summary>
Create objects in user home
directories with the ppp home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="ppp_use_fds" lineno="101">
<summary>
Inherit and use ppp file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_dontaudit_use_fds" lineno="120">
<summary>
Do not audit attempts to inherit
and use ppp file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ppp_sigchld" lineno="138">
<summary>
Send child terminated signals to ppp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_kill" lineno="158">
<summary>
Send kill signals to ppp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signal" lineno="176">
<summary>
Send generic signals to ppp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signull" lineno="194">
<summary>
Send null signals to ppp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_domtrans" lineno="212">
<summary>
Execute pppd in the pppd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ppp_run_cond" lineno="238">
<summary>
Conditionally execute pppd on
behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_run" lineno="267">
<summary>
Unconditionally execute ppp daemon
on behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_exec" lineno="286">
<summary>
Execute pppd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_config" lineno="305">
<summary>
Read ppp configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_rw_config" lineno="324">
<summary>
Read ppp writable configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_secrets" lineno="345">
<summary>
Read ppp secret files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_pid_files" lineno="366">
<summary>
Read ppp pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_manage_pid_files" lineno="382">
<summary>
Create, read, write, and delete
ppp pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_pid_filetrans" lineno="408">
<summary>
Create specified pppd pid objects
with a type transition.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="ppp_read_runtime_files" lineno="423">
<summary>
Read ppp runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_manage_runtime_files" lineno="443">
<summary>
Create, read, write, and delete
ppp runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_runtime_filetrans" lineno="473">
<summary>
Create specified pppd runtime objects
with a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="ppp_initrc_domtrans" lineno="492">
<summary>
Execute pppd init script in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ppp_admin" lineno="517">
<summary>
All of the rules required to
administrate a ppp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="pppd_can_insmod" dftval="false">
<desc>
<p>
Determine whether pppd can
load kernel modules.
</p>
</desc>
</tunable>
<tunable name="pppd_for_user" dftval="false">
<desc>
<p>
Determine whether common users can
run pppd with a domain transition.
</p>
</desc>
</tunable>
</module>
<module name="prelude" filename="policy/modules/services/prelude.if">
<summary>Prelude hybrid intrusion detection system.</summary>
<interface name="prelude_domtrans" lineno="13">
<summary>
Execute a domain transition to run prelude.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_domtrans_audisp" lineno="33">
<summary>
Execute a domain transition to
run prelude audisp.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_signal_audisp" lineno="52">
<summary>
Send generic signals to prelude audisp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_read_spool" lineno="70">
<summary>
Read prelude spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_manage_spool" lineno="90">
<summary>
Create, read, write, and delete
prelude manager spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_admin" lineno="117">
<summary>
All of the rules required to
administrate a prelude environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_prewikka_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="privoxy" filename="policy/modules/services/privoxy.if">
<summary>Privacy enhancing web proxy.</summary>
<interface name="privoxy_admin" lineno="20">
<summary>
All of the rules required to
administrate a privoxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="privoxy_connect_any" dftval="false">
<desc>
<p>
Determine whether privoxy can
connect to all tcp ports.
</p>
</desc>
</tunable>
</module>
<module name="procmail" filename="policy/modules/services/procmail.if">
<summary>Procmail mail delivery agent.</summary>
<interface name="procmail_domtrans" lineno="13">
<summary>
Execute procmail with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="procmail_exec" lineno="32">
<summary>
Execute procmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_manage_home_files" lineno="52">
<summary>
Create, read, write, and delete
procmail home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_read_home_files" lineno="71">
<summary>
Read procmail user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_relabel_home_files" lineno="91">
<summary>
Relabel procmail home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_home_filetrans_procmail_home" lineno="121">
<summary>
Create objects in user home
directories with the procmail home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="procmail_read_tmp_files" lineno="139">
<summary>
Read procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_rw_tmp_files" lineno="158">
<summary>
Read and write procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="psad" filename="policy/modules/services/psad.if">
<summary>Intrusion Detection and Log Analysis with iptables.</summary>
<interface name="psad_domtrans" lineno="13">
<summary>
Execute a domain transition to run psad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="psad_signal" lineno="32">
<summary>
Send generic signals to psad.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_signull" lineno="50">
<summary>
Send null signals to psad.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_config" lineno="68">
<summary>
Read psad configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_manage_config" lineno="90">
<summary>
Create, read, write, and delete
psad configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_pid_files" lineno="111">
<summary>
Read psad pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_pid_files" lineno="125">
<summary>
Read and write psad pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_log" lineno="140">
<summary>
Read psad log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_append_log" lineno="161">
<summary>
Append psad log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_rw_fifo_file" lineno="180">
<summary>
Read and write psad fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_tmp_files" lineno="199">
<summary>
Read and write psad temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_admin" lineno="225">
<summary>
All of the rules required to
administrate a psad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="publicfile" filename="policy/modules/services/publicfile.if">
<summary>publicfile supplies files to the public through HTTP and FTP.</summary>
</module>
<module name="pwauth" filename="policy/modules/services/pwauth.if">
<summary>External plugin for mod_authnz_external authenticator.</summary>
<interface name="pwauth_role" lineno="18">
<summary>
Role access for pwauth.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="pwauth_domtrans" lineno="39">
<summary>
Execute pwauth in the pwauth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pwauth_run" lineno="65">
<summary>
Execute pwauth in the pwauth
domain, and allow the specified
role the pwauth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="pxe" filename="policy/modules/services/pxe.if">
<summary>Server for the PXE network boot protocol.</summary>
<interface name="pxe_admin" lineno="20">
<summary>
All of the rules required to
administrate a pxe environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pyicqt" filename="policy/modules/services/pyicqt.if">
<summary>ICQ transport for XMPP server.</summary>
<interface name="pyicqt_admin" lineno="20">
<summary>
All of the rules required to
administrate a pyicqt environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pyzor" filename="policy/modules/services/pyzor.if">
<summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
<interface name="pyzor_role" lineno="18">
<summary>
Role access for pyzor.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="pyzor_signal" lineno="49">
<summary>
Send generic signals to pyzor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_domtrans" lineno="67">
<summary>
Execute pyzor with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pyzor_exec" lineno="86">
<summary>
Execute pyzor in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_admin" lineno="112">
<summary>
All of the rules required to
administrate a pyzor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="qmail" filename="policy/modules/services/qmail.if">
<summary>Qmail Mail Server.</summary>
<template name="qmail_child_domain_template" lineno="18">
<summary>
Template for qmail parent/sub-domain pairs.
</summary>
<param name="child_prefix">
<summary>
The prefix of the child domain.
</summary>
</param>
<param name="parent_domain">
<summary>
The name of the parent domain.
</summary>
</param>
</template>
<interface name="qmail_domtrans_inject" lineno="55">
<summary>
Transition to qmail_inject_t.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qmail_domtrans_queue" lineno="80">
<summary>
Transition to qmail_queue_t.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qmail_read_config" lineno="106">
<summary>
Read qmail configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qmail_smtpd_service_domain" lineno="137">
<summary>
Define the specified domain as a
qmail-smtp service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
</module>
<module name="qpid" filename="policy/modules/services/qpid.if">
<summary>Apache QPID AMQP messaging server.</summary>
<interface name="qpidd_domtrans" lineno="13">
<summary>
Execute a domain transition to run qpidd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qpidd_rw_semaphores" lineno="32">
<summary>
Read and write qpidd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_rw_shm" lineno="50">
<summary>
Read and write qpidd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_initrc_domtrans" lineno="69">
<summary>
Execute qpidd init script in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qpidd_read_pid_files" lineno="87">
<summary>
Read qpidd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_search_lib" lineno="101">
<summary>
Search qpidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_read_lib_files" lineno="120">
<summary>
Read qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_lib_files" lineno="140">
<summary>
Create, read, write, and delete
qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_admin" lineno="166">
<summary>
All of the rules required to
administrate a qpidd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="quantum" filename="policy/modules/services/quantum.if">
<summary>Virtual network service for Openstack.</summary>
<interface name="quantum_admin" lineno="20">
<summary>
All of the rules required to
administrate a quantum environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rabbitmq" filename="policy/modules/services/rabbitmq.if">
<summary>AMQP server written in Erlang.</summary>
<interface name="rabbitmq_domtrans" lineno="13">
<summary>
Execute rabbitmq in the rabbitmq domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rabbitmq_admin" lineno="41">
<summary>
All of the rules required to
administrate a rabbitmq environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="radius" filename="policy/modules/services/radius.if">
<summary>RADIUS authentication and accounting server.</summary>
<interface name="radius_admin" lineno="20">
<summary>
All of the rules required to
administrate a radius environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="radvd" filename="policy/modules/services/radvd.if">
<summary>IPv6 router advertisement daemon.</summary>
<interface name="radvd_admin" lineno="20">
<summary>
All of the rules required to
administrate a radvd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rasdaemon" filename="policy/modules/services/rasdaemon.if">
<summary></summary>
</module>
<module name="razor" filename="policy/modules/services/razor.if">
<summary>A distributed, collaborative, spam detection and filtering network.</summary>
<template name="razor_common_domain_template" lineno="13">
<summary>
The template to define a razor domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="razor_role" lineno="51">
<summary>
Role access for razor.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="razor_domtrans" lineno="82">
<summary>
Execute razor in the system razor domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="razor_manage_home_content" lineno="102">
<summary>
Create, read, write, and delete
razor home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="razor_read_lib_files" lineno="123">
<summary>
Read razor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rdisc" filename="policy/modules/services/rdisc.if">
<summary>Network router discovery daemon.</summary>
<interface name="rdisc_exec" lineno="13">
<summary>
Execute rdisc in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="realmd" filename="policy/modules/services/realmd.if">
<summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
<interface name="realmd_domtrans" lineno="13">
<summary>
Execute realmd in the realmd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="realmd_dbus_chat" lineno="33">
<summary>
Send and receive messages from
realmd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="redis" filename="policy/modules/services/redis.if">
<summary>Advanced key-value store.</summary>
<interface name="redis_admin" lineno="20">
<summary>
All of the rules required to
administrate a redis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="remotelogin" filename="policy/modules/services/remotelogin.if">
<summary>Rshd, rlogind, and telnetd.</summary>
<interface name="remotelogin_domtrans" lineno="13">
<summary>
Domain transition to the remote login domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="remotelogin_signal" lineno="32">
<summary>
Send generic signals to remote login.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="remotelogin_manage_tmp_content" lineno="51">
<summary>
Create, read, write, and delete
remote login temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="remotelogin_relabel_tmp_content" lineno="71">
<summary>
Relabel remote login temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="resmgr" filename="policy/modules/services/resmgr.if">
<summary>Resource management daemon.</summary>
<interface name="resmgr_stream_connect" lineno="14">
<summary>
Connect to resmgrd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="resmgr_admin" lineno="40">
<summary>
All of the rules required to
administrate a resmgr environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rgmanager" filename="policy/modules/services/rgmanager.if">
<summary>Resource Group Manager.</summary>
<interface name="rgmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run rgmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rgmanager_stream_connect" lineno="33">
<summary>
Connect to rgmanager with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmp_files" lineno="53">
<summary>
Create, read, write, and delete
rgmanager tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmpfs_files" lineno="73">
<summary>
Create, read, write, and delete
rgmanager tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_admin" lineno="99">
<summary>
All of the rules required to
administrate an rgmanager environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="rgmanager_can_network_connect" dftval="false">
<desc>
<p>
Determine whether rgmanager can
connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="rhcs" filename="policy/modules/services/rhcs.if">
<summary>Red Hat Cluster Suite.</summary>
<template name="rhcs_domain_template" lineno="13">
<summary>
The template to define a rhcs domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="rhcs_domtrans_dlm_controld" lineno="75">
<summary>
Execute a domain transition to
run dlm_controld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_getattr_fenced_exec_files" lineno="95">
<summary>
Get attributes of fenced
executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_dlm_controld" lineno="114">
<summary>
Connect to dlm_controld with a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_dlm_controld_semaphores" lineno="133">
<summary>
Read and write dlm_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_fenced" lineno="154">
<summary>
Execute a domain transition to run fenced.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_rw_fenced_semaphores" lineno="173">
<summary>
Read and write fenced semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_cluster" lineno="195">
<summary>
Connect to all cluster domains
with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_fenced" lineno="215">
<summary>
Connect to fenced with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_gfs_controld" lineno="235">
<summary>
Execute a domain transition
to run gfs_controld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_semaphores" lineno="254">
<summary>
Read and write gfs_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_shm" lineno="275">
<summary>
Read and write gfs_controld_t shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_gfs_controld" lineno="297">
<summary>
Connect to gfs_controld_t with
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_groupd" lineno="316">
<summary>
Execute a domain transition to run groupd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_groupd" lineno="336">
<summary>
Connect to groupd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_shm" lineno="356">
<summary>
Read and write all cluster domains
shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_semaphores" lineno="378">
<summary>
Read and write all cluster
domains semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_semaphores" lineno="396">
<summary>
Read and write groupd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_shm" lineno="417">
<summary>
Read and write groupd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_qdiskd" lineno="438">
<summary>
Execute a domain transition to run qdiskd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_admin" lineno="464">
<summary>
All of the rules required to
administrate an rhcs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="fenced_can_network_connect" dftval="false">
<desc>
<p>
Determine whether fenced can
connect to the TCP network.
</p>
</desc>
</tunable>
<tunable name="fenced_can_ssh" dftval="false">
<desc>
<p>
Determine whether fenced can use ssh.
</p>
</desc>
</tunable>
</module>
<module name="rhsmcertd" filename="policy/modules/services/rhsmcertd.if">
<summary>Subscription Management Certificate Daemon.</summary>
<interface name="rhsmcertd_domtrans" lineno="13">
<summary>
Execute rhsmcertd in the rhsmcertd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhsmcertd_initrc_domtrans" lineno="33">
<summary>
Execute rhsmcertd init scripts
in the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_log" lineno="52">
<summary>
Read rhsmcertd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rhsmcertd_append_log" lineno="71">
<summary>
Append rhsmcertd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_log" lineno="91">
<summary>
Create, read, write, and delete
rhsmcertd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_search_lib" lineno="112">
<summary>
Search rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_lib_files" lineno="131">
<summary>
Read rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_files" lineno="151">
<summary>
Create, read, write, and delete
rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_dirs" lineno="171">
<summary>
Create, read, write, and delete
rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_pid_files" lineno="190">
<summary>
Read rhsmcertd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_stream_connect" lineno="205">
<summary>
Connect to rhsmcertd with a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dbus_chat" lineno="225">
<summary>
Send and receive messages from
rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dontaudit_dbus_chat" lineno="247">
<summary>
Do not audit attempts to send
and receive messages from
rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhsmcertd_admin" lineno="274">
<summary>
All of the rules required to
administrate an rhsmcertd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ricci" filename="policy/modules/services/ricci.if">
<summary>Ricci cluster management agent.</summary>
<interface name="ricci_domtrans" lineno="13">
<summary>
Execute a domain transition to run ricci.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modcluster" lineno="33">
<summary>
Execute a domain transition to
run ricci modcluster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_use_modcluster_fds" lineno="53">
<summary>
Do not audit attempts to use
ricci modcluster file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_rw_modcluster_pipes" lineno="72">
<summary>
Do not audit attempts to read and write
ricci modcluster unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ricci_stream_connect_modclusterd" lineno="91">
<summary>
Connect to ricci_modclusterd with
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modlog" lineno="111">
<summary>
Execute a domain transition to
run ricci modlog.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modrpm" lineno="131">
<summary>
Execute a domain transition to
run ricci modrpm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modservice" lineno="151">
<summary>
Execute a domain transition to
run ricci modservice.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modstorage" lineno="171">
<summary>
Execute a domain transition to
run ricci modstorage.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_admin" lineno="197">
<summary>
All of the rules required to
administrate a ricci environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rlogin" filename="policy/modules/services/rlogin.if">
<summary>Remote login daemon.</summary>
<interface name="rlogin_domtrans" lineno="13">
<summary>
Execute rlogind in the rlogin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<template name="rlogin_read_home_content" lineno="32">
<summary>
Read rlogin user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="rlogin_manage_rlogind_home_files" lineno="54">
<summary>
Create, read, write, and delete
rlogind home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_relabel_rlogind_home_files" lineno="73">
<summary>
Relabel rlogind home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_home_filetrans_logind_home" lineno="103">
<summary>
Create objects in user home
directories with the rlogind home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="rlogin_manage_rlogind_tmp_content" lineno="122">
<summary>
Create, read, write, and delete
rlogind temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_relabel_rlogind_tmp_content" lineno="142">
<summary>
Relabel rlogind temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rngd" filename="policy/modules/services/rngd.if">
<summary>Check and feed random data from hardware device to kernel random device.</summary>
<interface name="rngd_admin" lineno="20">
<summary>
All of the rules required to
administrate an rng environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rpc" filename="policy/modules/services/rpc.if">
<summary>Remote Procedure Call Daemon.</summary>
<interface name="rpc_stub" lineno="13">
<summary>
RPC stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="rpc_domain_template" lineno="29">
<summary>
The template to define an rpc domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="rpc_dontaudit_getattr_exports" lineno="64">
<summary>
Do not audit attempts to get
attributes of export files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpc_read_exports" lineno="82">
<summary>
Read export files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_write_exports" lineno="100">
<summary>
Write export files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_nfsd" lineno="118">
<summary>
Execute nfsd in the nfsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_initrc_domtrans_nfsd" lineno="138">
<summary>
Execute nfsd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_rpcd" lineno="156">
<summary>
Execute rpcd in the rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_initrc_domtrans_rpcd" lineno="176">
<summary>
Execute rpcd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_read_nfs_content" lineno="195">
<summary>
Read nfs exported content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_manage_nfs_rw_content" lineno="217">
<summary>
Create, read, write, and delete
nfs exported read write content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_manage_nfs_ro_content" lineno="239">
<summary>
Create, read, write, and delete
nfs exported read only content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_tcp_rw_nfs_sockets" lineno="259">
<summary>
Read and write to nfsd tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_udp_rw_nfs_sockets" lineno="277">
<summary>
Read and write to nfsd udp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_search_nfs_state_data" lineno="295">
<summary>
Search nfs lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_read_nfs_state_data" lineno="314">
<summary>
Read nfs lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_manage_nfs_state_data" lineno="334">
<summary>
Create, read, write, and delete
nfs lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_admin" lineno="360">
<summary>
All of the rules required to
administrate an rpc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_gssd_read_tmp" dftval="false">
<desc>
<p>
Determine whether gssd can read
generic user temporary content.
</p>
</desc>
</tunable>
<tunable name="allow_gssd_write_tmp" dftval="false">
<desc>
<p>
Determine whether gssd can write
generic user temporary content.
</p>
</desc>
</tunable>
<tunable name="allow_nfsd_anon_write" dftval="false">
<desc>
<p>
Determine whether nfs can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="rpcbind" filename="policy/modules/services/rpcbind.if">
<summary>Universal Addresses to RPC Program Number Mapper.</summary>
<interface name="rpcbind_domtrans" lineno="13">
<summary>
Execute a domain transition to run rpcbind.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpcbind_stream_connect" lineno="33">
<summary>
Connect to rpcbind with a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_pid_files" lineno="52">
<summary>
Read rpcbind pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_search_lib" lineno="66">
<summary>
Search rpcbind lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_lib_files" lineno="85">
<summary>
Read rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_manage_lib_files" lineno="105">
<summary>
Create, read, write, and delete
rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_signull" lineno="124">
<summary>
Send null signals to rpcbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_admin" lineno="149">
<summary>
All of the rules required to
administrate an rpcbind environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rshd" filename="policy/modules/services/rshd.if">
<summary>Remote shell service.</summary>
<interface name="rshd_domtrans" lineno="13">
<summary>
Execute rshd in the rshd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="rsync" filename="policy/modules/services/rsync.if">
<summary>Fast incremental file transfer for synchronization.</summary>
<interface name="rsync_entry_type" lineno="14">
<summary>
Make rsync executable file an
entry point for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which rsync_exec_t is an entrypoint.
</summary>
</param>
</interface>
<interface name="rsync_entry_spec_domtrans" lineno="47">
<summary>
Execute rsync in a specified domain.
</summary>
<desc>
<p>
Execute rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_entry_domtrans" lineno="81">
<summary>
Execute rsync in a specified domain.
</summary>
<desc>
<p>
Execute rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_domtrans" lineno="100">
<summary>
Execute the rsync program in the rsync domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rsync_run" lineno="125">
<summary>
Execute rsync in the rsync domain, and
allow the specified role the rsync domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="rsync_exec" lineno="144">
<summary>
Execute rsync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_read_config" lineno="163">
<summary>
Read rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_write_config" lineno="182">
<summary>
Write rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_manage_config_files" lineno="202">
<summary>
Create, read, write, and delete
rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_etc_filetrans_config" lineno="232">
<summary>
Create specified objects in etc directories
with rsync etc type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="rsync_admin" lineno="257">
<summary>
All of the rules required to
administrate an rsync environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="rsync_use_cifs" dftval="false">
<desc>
<p>
Determine whether rsync can use
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="rsync_use_fusefs" dftval="false">
<desc>
<p>
Determine whether rsync can
use fuse file systems.
</p>
</desc>
</tunable>
<tunable name="rsync_use_nfs" dftval="false">
<desc>
<p>
Determine whether rsync can use
nfs file systems.
</p>
</desc>
</tunable>
<tunable name="rsync_client" dftval="false">
<desc>
<p>
Determine whether rsync can
run as a client.
</p>
</desc>
</tunable>
<tunable name="rsync_export_all_ro" dftval="false">
<desc>
<p>
Determine whether rsync can
export all content read only.
</p>
</desc>
</tunable>
<tunable name="allow_rsync_anon_write" dftval="false">
<desc>
<p>
Determine whether rsync can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="rtkit" filename="policy/modules/services/rtkit.if">
<summary>Realtime scheduling for user processes.</summary>
<interface name="rtkit_daemon_domtrans" lineno="13">
<summary>
Execute a domain transition to run rtkit_daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtkit_daemon_dbus_chat" lineno="33">
<summary>
Send and receive messages from
rtkit_daemon over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtkit_scheduled" lineno="53">
<summary>
Allow rtkit to control scheduling for your process.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtkit_admin" lineno="85">
<summary>
All of the rules required to
administrate an rtkit environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rwho" filename="policy/modules/services/rwho.if">
<summary>Who is logged in on other machines?</summary>
<interface name="rwho_domtrans" lineno="13">
<summary>
Execute a domain transition to run rwho.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rwho_search_log" lineno="32">
<summary>
Search rwho log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_log_files" lineno="51">
<summary>
Read rwho log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_search_spool" lineno="71">
<summary>
Search rwho spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_spool_files" lineno="90">
<summary>
Read rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_manage_spool_files" lineno="110">
<summary>
Create, read, write, and delete
rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_admin" lineno="136">
<summary>
All of the rules required to
administrate an rwho environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="samba" filename="policy/modules/services/samba.if">
<summary>SMB and CIFS client/server programs.</summary>
<interface name="samba_domtrans_nmbd" lineno="13">
<summary>
Execute nmbd in the nmbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_signal_nmbd" lineno="32">
<summary>
Send generic signals to nmbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_nmbd" lineno="50">
<summary>
Connect to nmbd with a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_initrc_domtrans" lineno="70">
<summary>
Execute samba init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_domtrans_net" lineno="88">
<summary>
Execute samba net in the samba net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_net" lineno="115">
<summary>
Execute samba net in the samba net
domain, and allow the specified
role the samba net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_domtrans_smbmount" lineno="134">
<summary>
Execute smbmount in the smbmount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_smbmount" lineno="161">
<summary>
Execute smbmount in the smbmount
domain, and allow the specified
role the smbmount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_config" lineno="181">
<summary>
Read samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_rw_config" lineno="201">
<summary>
Read and write samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_manage_config" lineno="222">
<summary>
Create, read, write, and delete
samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_log" lineno="243">
<summary>
Read samba log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_append_log" lineno="264">
<summary>
Append to samba log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_exec_log" lineno="284">
<summary>
Execute samba log files in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_secrets" lineno="303">
<summary>
Read samba secret files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_share_files" lineno="322">
<summary>
Read samba share files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_start" lineno="341">
<summary>
Start the samba daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stop" lineno="361">
<summary>
Stop the samba daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_status" lineno="381">
<summary>
Get the status of the samba daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_reload" lineno="401">
<summary>
Reload the samba daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_search_var" lineno="421">
<summary>
Search samba var directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_var_files" lineno="440">
<summary>
Read samba var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_write_var_files" lineno="460">
<summary>
Do not audit attempts to write
samba var files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_rw_var_files" lineno="478">
<summary>
Read and write samba var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_var_files" lineno="498">
<summary>
Create, read, write, and delete
samba var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbcontrol" lineno="517">
<summary>
Execute smbcontrol in the smbcontrol domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_smbcontrol" lineno="543">
<summary>
Execute smbcontrol in the smbcontrol
domain, and allow the specified
role the smbcontrol domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbd" lineno="562">
<summary>
Execute smbd in the smbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_signal_smbd" lineno="581">
<summary>
Send generic signals to smbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_use_fds" lineno="599">
<summary>
Do not audit attempts to inherit
and use smbd file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_write_smbmount_tcp_sockets" lineno="617">
<summary>
Write smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_rw_smbmount_tcp_sockets" lineno="635">
<summary>
Read and write smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_winbind_helper" lineno="654">
<summary>
Execute winbind helper in the
winbind helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_getattr_winbind_exec" lineno="673">
<summary>
Get attributes of winbind executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_run_winbind_helper" lineno="699">
<summary>
Execute winbind helper in the winbind
helper domain, and allow the specified
role the winbind helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_winbind_pid" lineno="718">
<summary>
Read winbind pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_winbind_runtime_files" lineno="733">
<summary>
Read winbind runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_winbind" lineno="753">
<summary>
Connect to winbind with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_admin" lineno="779">
<summary>
All of the rules required to
administrate a samba environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="samba_read_shadow" dftval="false">
<desc>
<p>
Determine whether smbd_t can
read shadow files. Shadow files hold
local password hashes, so enable this
only when it is required.
</p>
</desc>
</tunable>
<tunable name="allow_smbd_anon_write" dftval="false">
<desc>
<p>
Determine whether samba can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="samba_create_home_dirs" dftval="false">
<desc>
<p>
Determine whether samba can
create home directories via pam.
</p>
</desc>
</tunable>
<tunable name="samba_domain_controller" dftval="false">
<desc>
<p>
Determine whether samba can act as the
domain controller, add users, groups
and change passwords.
</p>
</desc>
</tunable>
<tunable name="samba_portmapper" dftval="false">
<desc>
<p>
Determine whether samba can
act as a portmapper.
</p>
</desc>
</tunable>
<tunable name="samba_enable_home_dirs" dftval="false">
<desc>
<p>
Determine whether samba can share
users' home directories.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_ro" dftval="false">
<desc>
<p>
Determine whether samba can share
any content read only.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_rw" dftval="false">
<desc>
<p>
Determine whether samba can share any
content readable and writable. With this
enabled, write access is no longer limited
to content labeled for sharing.
</p>
</desc>
</tunable>
<tunable name="samba_run_unconfined" dftval="false">
<desc>
<p>
Determine whether samba can
run unconfined scripts.
</p>
</desc>
</tunable>
<tunable name="samba_share_nfs" dftval="false">
<desc>
<p>
Determine whether samba can
use nfs file systems.
</p>
</desc>
</tunable>
<tunable name="samba_share_fusefs" dftval="false">
<desc>
<p>
Determine whether samba can
use fuse file systems.
</p>
</desc>
</tunable>
</module>
<module name="sanlock" filename="policy/modules/services/sanlock.if">
<summary>Shared storage lock manager.</summary>
<interface name="sanlock_domtrans" lineno="13">
<summary>
Execute a domain transition to run sanlock.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_initrc_domtrans" lineno="33">
<summary>
Execute sanlock init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sanlock_manage_pid_files" lineno="52">
<summary>
Create, read, write, and delete
sanlock pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_stream_connect" lineno="67">
<summary>
Connect to sanlock with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_admin" lineno="93">
<summary>
All of the rules required to
administrate a sanlock environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="sanlock_use_nfs" dftval="false">
<desc>
<p>
Determine whether sanlock can use
nfs file systems.
</p>
</desc>
</tunable>
<tunable name="sanlock_use_samba" dftval="false">
<desc>
<p>
Determine whether sanlock can use
cifs file systems.
</p>
</desc>
</tunable>
</module>
<module name="sasl" filename="policy/modules/services/sasl.if">
<summary>SASL authentication server.</summary>
<interface name="sasl_connect" lineno="13">
<summary>
Connect to SASL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sasl_admin" lineno="39">
<summary>
All of the rules required to
administrate a SASL environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_saslauthd_read_shadow" dftval="false">
<desc>
<p>
Determine whether sasl can
read shadow files.
</p>
</desc>
</tunable>
</module>
<module name="sendmail" filename="policy/modules/services/sendmail.if">
<summary>Internetwork email routing facility.</summary>
<interface name="sendmail_stub" lineno="13">
<summary>
Sendmail stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_rw_pipes" lineno="29">
<summary>
Read and write sendmail unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_domtrans" lineno="47">
<summary>
Execute a domain transition to run sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sendmail_run" lineno="78">
<summary>
Execute the sendmail program in the
sendmail domain, and allow the
specified role the sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_signal" lineno="97">
<summary>
Send generic signals to sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_rw_tcp_sockets" lineno="115">
<summary>
Read and write sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_tcp_sockets" lineno="134">
<summary>
Do not audit attempts to read and write
sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_rw_unix_stream_sockets" lineno="153">
<summary>
Read and write sendmail unix
domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_unix_stream_sockets" lineno="172">
<summary>
Do not audit attempts to read and write
sendmail unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_read_log" lineno="191">
<summary>
Read sendmail log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_manage_log" lineno="212">
<summary>
Create, read, write, and delete
sendmail log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_log_filetrans_sendmail_log" lineno="242">
<summary>
Create specified objects in generic
log directories with the sendmail log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="sendmail_manage_tmp_files" lineno="261">
<summary>
Create, read, write, and delete
sendmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_domtrans_unconfined" lineno="280">
<summary>
Execute sendmail in the unconfined sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sendmail_run_unconfined" lineno="311">
<summary>
Execute sendmail in the unconfined
sendmail domain, and allow the
specified role the unconfined
sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_admin" lineno="337">
<summary>
All of the rules required to
administrate a sendmail environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sensord" filename="policy/modules/services/sensord.if">
<summary>Sensor information logging daemon.</summary>
<interface name="sensord_admin" lineno="20">
<summary>
All of the rules required to
administrate a sensord environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="setroubleshoot" filename="policy/modules/services/setroubleshoot.if">
<summary>SELinux troubleshooting service.</summary>
<interface name="setroubleshoot_stream_connect" lineno="14">
<summary>
Connect to setroubleshootd with a
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_stream_connect" lineno="36">
<summary>
Do not audit attempts to connect to
setroubleshootd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_signull" lineno="55">
<summary>
Send null signals to setroubleshoot.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat" lineno="74">
<summary>
Send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_dbus_chat" lineno="95">
<summary>
Do not audit attempts to send and receive
messages from setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat_fixit" lineno="116">
<summary>
Send and receive messages from
setroubleshoot fixit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_admin" lineno="143">
<summary>
All of the rules required to
administrate a setroubleshoot environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="shibboleth" filename="policy/modules/services/shibboleth.if">
<summary>Shibboleth authentication daemon</summary>
<interface name="shibboleth_read_config" lineno="14">
<summary>
Allow your application domain to access
config files from shibboleth
</summary>
<param name="domain">
<summary>
The domain which should be enabled.
</summary>
</param>
</interface>
<interface name="shibboleth_stream_connect" lineno="32">
<summary>
Allow the specified domain to connect to shibboleth with a unix socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="slpd" filename="policy/modules/services/slpd.if">
<summary>OpenSLP server daemon to dynamically register services.</summary>
<interface name="slpd_admin" lineno="20">
<summary>
All of the rules required to
administrate an slpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="slrnpull" filename="policy/modules/services/slrnpull.if">
<summary>Service for downloading news feeds for the slrn newsreader.</summary>
<interface name="slrnpull_search_spool" lineno="13">
<summary>
Search slrnpull spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="slrnpull_manage_spool" lineno="33">
<summary>
Create, read, write, and delete
slrnpull spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="smartmon" filename="policy/modules/services/smartmon.if">
<summary>Smart disk monitoring daemon.</summary>
<interface name="smartmon_read_tmp_files" lineno="13">
<summary>
Read smartmon temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smartmon_admin" lineno="39">
<summary>
All of the rules required to
administrate a smartmon environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fsdaemon_read_lib" lineno="71">
<summary>
Read fsdaemon /var/lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="smartmon_3ware" dftval="false">
<desc>
<p>
Determine whether smartmon can support
devices on 3ware controllers.
</p>
</desc>
</tunable>
</module>
<module name="smokeping" filename="policy/modules/services/smokeping.if">
<summary>Smokeping network latency measurement.</summary>
<interface name="smokeping_domtrans" lineno="13">
<summary>
Execute a domain transition to run smokeping.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smokeping_initrc_domtrans" lineno="33">
<summary>
Execute smokeping init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smokeping_read_pid_files" lineno="51">
<summary>
Read smokeping pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_pid_files" lineno="66">
<summary>
Create, read, write, and delete
smokeping pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_getattr_lib_files" lineno="80">
<summary>
Get attributes of smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_read_lib_files" lineno="99">
<summary>
Read smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_lib_files" lineno="119">
<summary>
Create, read, write, and delete
smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_admin" lineno="145">
<summary>
All of the rules required to
administrate a smokeping environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_smokeping_cgi_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="smstools" filename="policy/modules/services/smstools.if">
<summary>Tools to send and receive short messages through GSM modems or mobile phones.</summary>
<interface name="smstools_admin" lineno="20">
<summary>
All of the rules required to
administrate an smstools environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snmp" filename="policy/modules/services/snmp.if">
<summary>Simple network management protocol services.</summary>
<interface name="snmp_stream_connect" lineno="14">
<summary>
Connect to snmpd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_tcp_connect" lineno="33">
<summary>
Connect to snmp over the TCP network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_dirs" lineno="54">
<summary>
Create, read, write, and delete
snmp lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_files" lineno="74">
<summary>
Create, read, write, and delete
snmp lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_read_snmp_var_lib_files" lineno="94">
<summary>
Read snmpd lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_read_snmp_var_lib_files" lineno="115">
<summary>
Do not audit attempts to read
snmpd lib content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_write_snmp_var_lib_files" lineno="136">
<summary>
Do not audit attempts to write
snmpd lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_admin" lineno="161">
<summary>
All of the rules required to
administrate an snmp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snort" filename="policy/modules/services/snort.if">
<summary>Snort network intrusion detection system.</summary>
<interface name="snort_domtrans" lineno="13">
<summary>
Execute a domain transition to run snort.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="snort_admin" lineno="39">
<summary>
All of the rules required to
administrate a snort environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="soundserver" filename="policy/modules/services/soundserver.if">
<summary>sound server for network audio server programs, nasd, yiff, etc</summary>
<interface name="soundserver_admin" lineno="20">
<summary>
All of the rules required to
administrate a soundd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="spamassassin" filename="policy/modules/services/spamassassin.if">
<summary>Filter used for removing unsolicited email.</summary>
<interface name="spamassassin_role" lineno="18">
<summary>
Role access for spamassassin.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="spamassassin_run_update" lineno="57">
<summary>
Execute sa-update in the spamd-update domain,
and allow the specified role
the spamd-update domain. Also allow transitive
access to the private gpg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_exec" lineno="77">
<summary>
Execute the standalone spamassassin
program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_signal_spamd" lineno="96">
<summary>
Send generic signals to spamd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_reload" lineno="115">
<summary>
Reload the spamassassin service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="spamassassin_status" lineno="135">
<summary>
Get the status of the spamassassin service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="spamassassin_exec_spamd" lineno="154">
<summary>
Execute spamd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_client" lineno="173">
<summary>
Execute spamc in the spamc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="spamassassin_exec_client" lineno="192">
<summary>
Execute spamc in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_kill_client" lineno="211">
<summary>
Send kill signals to spamc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_local_client" lineno="230">
<summary>
Execute spamassassin standalone client
in the user spamassassin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_spamd_home_content" lineno="250">
<summary>
Create, read, write, and delete
spamd home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_relabel_spamd_home_content" lineno="271">
<summary>
Relabel spamd home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_home_filetrans_spamd_home" lineno="303">
<summary>
Create objects in user home
directories with the spamd home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="spamassassin_read_lib_files" lineno="321">
<summary>
Read spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_lib_files" lineno="341">
<summary>
Create, read, write, and delete
spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_spamd_pid_files" lineno="360">
<summary>
Read spamd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_spamd_runtime_files" lineno="375">
<summary>
Read spamd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_spamd_tmp_files" lineno="394">
<summary>
Read temporary spamd files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="413">
<summary>
Do not audit attempts to get
attributes of temporary spamd sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="spamassassin_stream_connect_spamd" lineno="432">
<summary>
Connect to spamd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_admin" lineno="458">
<summary>
All of the rules required to
administrate a spamassassin environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="spamassassin_can_network" dftval="false">
<desc>
<p>
Determine whether spamassassin
clients can use the network.
</p>
</desc>
</tunable>
<tunable name="spamd_enable_home_dirs" dftval="false">
<desc>
<p>
Determine whether spamd can manage
generic user home content.
</p>
</desc>
</tunable>
<tunable name="rspamd_spamd" dftval="false">
<desc>
<p>
Determine whether extra rules should
be enabled to support rspamd.
</p>
</desc>
</tunable>
</module>
<module name="squid" filename="policy/modules/services/squid.if">
<summary>Squid caching http proxy server.</summary>
<interface name="squid_domtrans" lineno="13">
<summary>
Execute squid in the squid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="squid_exec" lineno="32">
<summary>
Execute squid in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_signal" lineno="51">
<summary>
Send generic signals to squid.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_rw_stream_sockets" lineno="70">
<summary>
Read and write squid unix
domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_dontaudit_search_cache" lineno="90">
<summary>
Do not audit attempts to search
squid cache directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_read_config" lineno="109">
<summary>
Read squid configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_read_log" lineno="129">
<summary>
Read squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_append_log" lineno="148">
<summary>
Append squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_manage_logs" lineno="169">
<summary>
Create, read, write, and delete
squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_dontaudit_read_tmpfs_files" lineno="189">
<summary>
Do not audit attempts to stat tmpfs files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_admin" lineno="214">
<summary>
All of the rules required to
administrate a squid environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="squid_connect_any" dftval="false">
<desc>
<p>
Determine whether squid can
connect to all TCP ports.
</p>
</desc>
</tunable>
<tunable name="squid_use_tproxy" dftval="false">
<desc>
<p>
Determine whether squid can run
as a transparent proxy.
</p>
</desc>
</tunable>
<tunable name="squid_use_pinger" dftval="true">
<desc>
<p>
Determine whether squid can use the
pinger daemon (needs raw net access)
</p>
</desc>
</tunable>
<tunable name="allow_httpd_squid_script_anon_write" dftval="false">
<desc>
<p>
Determine whether the script domain can
modify public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="ssh" filename="policy/modules/services/ssh.if">
<summary>Secure shell client and server policy.</summary>
<template name="ssh_basic_client_template" lineno="34">
<summary>
Basic SSH client template.
</summary>
<desc>
<p>
This template creates derived domains which are used
for ssh client sessions.  A derived
type is also created to protect the user ssh keys.
</p>
<p>
This template was added for NX.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_domain">
<summary>
The type of the domain.
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
</template>
<template name="ssh_server_template" lineno="168">
<summary>
The template to define a ssh server.
</summary>
<desc>
<p>
This template creates a domain to be used for
creating an ssh server.  This is typically done
to have multiple ssh servers of different sensitivities,
such as for an internal network-facing ssh server, and
an external network-facing ssh server.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the server domain (e.g., sshd
is the prefix for sshd_t).
</summary>
</param>
</template>
<template name="ssh_role_template" lineno="298">
<summary>
Role access for ssh
</summary>
<param name="role_prefix">
<summary>
The prefix of the role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</template>
<interface name="ssh_sigchld" lineno="457">
<summary>
Send a SIGCHLD signal to the ssh server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_signal" lineno="475">
<summary>
Send a generic signal to the ssh server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_signull" lineno="493">
<summary>
Send a null signal to sshd processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_read_pipes" lineno="511">
<summary>
Read a ssh server unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_pipes" lineno="528">
<summary>
Read and write a ssh server unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_stream_sockets" lineno="546">
<summary>
Read and write ssh server unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_tcp_sockets" lineno="564">
<summary>
Read and write ssh server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="583">
<summary>
Do not audit attempts to read and write
ssh server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ssh_exec_sshd" lineno="601">
<summary>
Execute the ssh daemon in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_domtrans" lineno="620">
<summary>
Execute the ssh daemon in the sshd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ssh_exec" lineno="638">
<summary>
Execute the ssh client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_setattr_key_files" lineno="657">
<summary>
Set the attributes of sshd key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_agent_exec" lineno="676">
<summary>
Execute the ssh agent client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_read_user_home_files" lineno="695">
<summary>
Read ssh home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_domtrans_keygen" lineno="716">
<summary>
Execute the ssh key generator in the ssh keygen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_read_server_keys" lineno="734">
<summary>
Do not audit attempts to read ssh server keys.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ssh_manage_home_files" lineno="752">
<summary>
Manage ssh home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_delete_tmp" lineno="771">
<summary>
Delete from the ssh temp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_agent_tmp" lineno="790">
<summary>
Do not audit attempts to access ssh agent tmp dirs.
</summary>
<param name="domain">
<summary>
Domain not to audit.
</summary>
</param>
</interface>
<tunable name="allow_ssh_keysign" dftval="false">
<desc>
<p>
Allow host key based authentication.
</p>
</desc>
</tunable>
<tunable name="ssh_sysadm_login" dftval="false">
<desc>
<p>
Allow ssh logins as sysadm_r:sysadm_t
</p>
</desc>
</tunable>
<tunable name="ssh_use_gpg_agent" dftval="false">
<desc>
<p>
Allow ssh to use gpg-agent
</p>
</desc>
</tunable>
</module>
<module name="sssd" filename="policy/modules/services/sssd.if">
<summary>System Security Services Daemon.</summary>
<interface name="sssd_getattr_exec" lineno="13">
<summary>
Get attributes of sssd executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_domtrans" lineno="31">
<summary>
Execute a domain transition to run sssd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_initrc_domtrans" lineno="51">
<summary>
Execute sssd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_read_config" lineno="69">
<summary>
Read sssd configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_write_config" lineno="89">
<summary>
Write sssd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_config" lineno="109">
<summary>
Create, read, write, and delete
sssd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_public_files" lineno="128">
<summary>
Read sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_public_files" lineno="149">
<summary>
Create, read, write, and delete
sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_pid_files" lineno="168">
<summary>
Read sssd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_pids" lineno="184">
<summary>
Create, read, write, and delete
sssd pid content.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_runtime_files" lineno="198">
<summary>
Read sssd runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_search_lib" lineno="217">
<summary>
Search sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_search_lib" lineno="237">
<summary>
Do not audit attempts to search
sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_read_lib_files" lineno="255">
<summary>
Read sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_lib_files" lineno="276">
<summary>
Create, read, write, and delete
sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dbus_chat" lineno="297">
<summary>
Send and receive messages from
sssd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_stream_connect" lineno="318">
<summary>
Connect to sssd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_admin" lineno="344">
<summary>
All of the rules required to
administrate an sssd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="stubby" filename="policy/modules/services/stubby.if">
<summary>DNS Privacy stub resolver.</summary>
</module>
<module name="stunnel" filename="policy/modules/services/stunnel.if">
<summary>SSL Tunneling Proxy.</summary>
<interface name="stunnel_service_domain" lineno="18">
<summary>
Define the specified domain as a stunnel inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the stunnel inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="stunnel_read_config" lineno="37">
<summary>
Read stunnel configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="svnserve" filename="policy/modules/services/svnserve.if">
<summary>Server for the svn repository access method.</summary>
<interface name="svnserve_admin" lineno="20">
<summary>
All of the rules required to
administrate an svnserve environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sympa" filename="policy/modules/services/sympa.if">
<summary></summary>
<interface name="sympa_append_var_files" lineno="13">
<summary>
Allow appending to sympa_var_t (for error log)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sympa_read_var_files" lineno="31">
<summary>
Allow reading sympa_var_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sympa_manage_var_files" lineno="50">
<summary>
Allow managing sympa_var_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sympa_domtrans" lineno="69">
<summary>
Transition to sympa_t when executing sympa_exec_t
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sympa_use_fd" lineno="87">
<summary>
Use file handles inherited from sympa
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sympa_dontaudit_tcp_rw" lineno="105">
<summary>
Do not audit attempts to access inherited sympa tcp sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="sympa_read_conf" lineno="123">
<summary>
Allow reading sympa config files
</summary>
<param name="domain">
<summary>
Domain to allow
</summary>
</param>
</interface>
<interface name="sympa_manage_runtime_files" lineno="142">
<summary>
Allow rw sympa runtime dirs and manage sympa runtime files
</summary>
<param name="domain">
<summary>
Domain to allow
</summary>
</param>
</interface>
<interface name="sympa_manage_runtime_sock_files" lineno="161">
<summary>
Allow rw sympa runtime dirs and manage sympa runtime sock files
</summary>
<param name="domain">
<summary>
Domain to allow
</summary>
</param>
</interface>
</module>
<module name="sysstat" filename="policy/modules/services/sysstat.if">
<summary>Reports on various system states.</summary>
<interface name="sysstat_manage_log" lineno="15">
<summary>
Create, read, write, and delete
sysstat log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysstat_admin" lineno="41">
<summary>
All of the rules required to
administrate an sysstat environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="systemtap" filename="policy/modules/services/systemtap.if">
<summary>Instrumentation system for Linux.</summary>
<interface name="stapserver_admin" lineno="20">
<summary>
All of the rules required to
administrate an stapserver environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tcpd" filename="policy/modules/services/tcpd.if">
<summary>TCP daemon.</summary>
<interface name="tcpd_domtrans" lineno="13">
<summary>
Execute tcpd in the tcpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcpd_wrapped_domain" lineno="38">
<summary>
Create a domain for services that
utilize tcp wrappers.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
</module>
<module name="tcsd" filename="policy/modules/services/tcsd.if">
<summary>TSS Core Services daemon.</summary>
<interface name="tcsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run tcsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcsd_initrc_domtrans" lineno="33">
<summary>
Execute tcsd init scripts in the
initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcsd_search_lib" lineno="51">
<summary>
Search tcsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_manage_lib_dirs" lineno="71">
<summary>
Create, read, write, and delete
tcsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_read_lib_files" lineno="90">
<summary>
Read tcsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_manage_lib_files" lineno="110">
<summary>
Create, read, write, and delete
tcsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_admin" lineno="136">
<summary>
All of the rules required to
administrate an tcsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="telnet" filename="policy/modules/services/telnet.if">
<summary>Telnet daemon.</summary>
<interface name="telnet_use_ptys" lineno="13">
<summary>
Read and write telnetd pty devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tftp" filename="policy/modules/services/tftp.if">
<summary>Trivial file transfer protocol daemon.</summary>
<interface name="tftp_read_content" lineno="13">
<summary>
Read tftp content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_manage_rw_content" lineno="35">
<summary>
Create, read, write, and delete
tftp rw content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_read_config_files" lineno="56">
<summary>
Read tftpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_manage_config_files" lineno="76">
<summary>
Create, read, write, and delete
tftpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_etc_filetrans_config" lineno="106">
<summary>
Create objects in etc directories
with tftp conf type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="tftp_filetrans_tftpdir" lineno="140">
<summary>
Create objects in tftpdir directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="tftp_admin" lineno="166">
<summary>
All of the rules required to
administrate an tftp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tftp_anon_write" dftval="false">
<desc>
<p>
Determine whether tftp can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="tftp_enable_homedir" dftval="false">
<desc>
<p>
Determine whether tftp can manage
generic user home content.
</p>
</desc>
</tunable>
</module>
<module name="tgtd" filename="policy/modules/services/tgtd.if">
<summary>Linux Target Framework Daemon.</summary>
<interface name="tgtd_rw_semaphores" lineno="13">
<summary>
Read and write tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_manage_semaphores" lineno="32">
<summary>
Create, read, write, and delete
tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_stream_connect" lineno="51">
<summary>
Connect to tgtd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_admin" lineno="77">
<summary>
All of the rules required to
administrate an tgtd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="timidity" filename="policy/modules/services/timidity.if">
<summary>MIDI to WAV converter and player configured as a service.</summary>
</module>
<module name="tor" filename="policy/modules/services/tor.if">
<summary>The onion router.</summary>
<interface name="tor_domtrans" lineno="13">
<summary>
Execute a domain transition to run tor.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tor_admin" lineno="39">
<summary>
All of the rules required to
administrate an tor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tor_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether tor can bind
tcp sockets to all unreserved ports.
</p>
</desc>
</tunable>
</module>
<module name="tpm2" filename="policy/modules/services/tpm2.if">
<summary>Trusted Platform Module 2.0</summary>
<interface name="tpm2_exec" lineno="14">
<summary>
Execute tpm2_* processes
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_domtrans" lineno="33">
<summary>
Execute tpm2_* processes in the tpm2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tpm2_run" lineno="58">
<summary>
Execute tpm2_* processes in the tpm2
domain and allow the specified role
the tpm2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_use_fds" lineno="78">
<summary>
Use tpm2 file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_dontaudit_use_fds" lineno="97">
<summary>
Do not audit attempts to inherit file
descriptors from tpm2.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="tpm2_dbus_chat_abrmd" lineno="116">
<summary>
Send and receive messages from
tpm2-abrmd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_read_pipes" lineno="144">
<summary>
Allow tpm2 to read unnamed pipes from other processes.
</summary>
<desc>
<p>
Allow the tpm2 domain to open and read pipes from another
domain.  This is seen when piping input to one
of the tpm2_* processes.  For example:
sha512sum my_file | tpm2_hmac -k 0x81001000 -g sha256 /dev/stdin
</p>
</desc>
<param name="domain">
<summary>
Domain of pipe to be read by tpm2_t.
</summary>
</param>
</interface>
<interface name="tpm2_enabledisable_abrmd" lineno="162">
<summary>
Allow specified domain to enable/disable tpm2-abrmd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_startstop_abrmd" lineno="181">
<summary>
Allow specified domain to start/stop tpm2-abrmd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_status_abrmd" lineno="200">
<summary>
Allow specified domain to get status of tpm2-abrmd unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tpm2_rw_abrmd_pipes" lineno="219">
<summary>
access tpm2-abrmd fifos
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
</module>
<module name="transproxy" filename="policy/modules/services/transproxy.if">
<summary>Portable Transparent Proxy Solution.</summary>
<interface name="transproxy_admin" lineno="20">
<summary>
All of the rules required to
administrate an transproxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tuned" filename="policy/modules/services/tuned.if">
<summary>Dynamic adaptive system tuning daemon.</summary>
<interface name="tuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run tuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tuned_exec" lineno="32">
<summary>
Execute tuned in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_read_pid_files" lineno="51">
<summary>
Read tuned pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_manage_pid_files" lineno="66">
<summary>
Create, read, write, and delete
tuned pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_initrc_domtrans" lineno="81">
<summary>
Execute tuned init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tuned_admin" lineno="106">
<summary>
All of the rules required to
administrate an tuned environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ucspitcp" filename="policy/modules/services/ucspitcp.if">
<summary>UNIX Client-Server Program Interface for TCP.</summary>
<interface name="ucspitcp_service_domain" lineno="18">
<summary>
Define a specified domain as a ucspitcp service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
</module>
<module name="ulogd" filename="policy/modules/services/ulogd.if">
<summary>Iptables/netfilter userspace logging daemon.</summary>
<interface name="ulogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ulogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ulogd_read_config" lineno="33">
<summary>
Read ulogd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_read_log" lineno="53">
<summary>
Read ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_search_log" lineno="73">
<summary>
Search ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ulogd_append_log" lineno="93">
<summary>
Append to ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_admin" lineno="120">
<summary>
All of the rules required to
administrate an ulogd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uptime" filename="policy/modules/services/uptime.if">
<summary>Daemon to record and keep track of system up times.</summary>
<interface name="uptime_admin" lineno="20">
<summary>
All of the rules required to
administrate an uptime environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="usbmuxd" filename="policy/modules/services/usbmuxd.if">
<summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.</summary>
<interface name="usbmuxd_domtrans" lineno="13">
<summary>
Execute a domain transition to run usbmuxd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmuxd_stream_connect" lineno="33">
<summary>
Connect to usbmuxd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="uucp" filename="policy/modules/services/uucp.if">
<summary>Unix to Unix Copy.</summary>
<interface name="uucp_domtrans" lineno="13">
<summary>
Execute uucico in the uucpd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uucp_append_log" lineno="32">
<summary>
Append uucp log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_manage_spool" lineno="53">
<summary>
Create, read, write, and delete
uucp spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_domtrans_uux" lineno="74">
<summary>
Execute uux in the uux_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uucp_admin" lineno="100">
<summary>
All of the rules required to
administrate an uucp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uuidd" filename="policy/modules/services/uuidd.if">
<summary>UUID generation daemon.</summary>
<interface name="uuidd_domtrans" lineno="13">
<summary>
Execute uuidd in the uuidd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uuidd_initrc_domtrans" lineno="33">
<summary>
Execute uuidd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uuidd_search_lib" lineno="51">
<summary>
Search uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_lib_files" lineno="70">
<summary>
Read uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_files" lineno="90">
<summary>
Create, read, write, and delete
uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_dirs" lineno="110">
<summary>
Create, read, write, and delete
uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_pid_files" lineno="129">
<summary>
Read uuidd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_stream_connect_manager" lineno="144">
<summary>
Connect to uuidd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_admin" lineno="170">
<summary>
All of the rules required to
administrate an uuidd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uwimap" filename="policy/modules/services/uwimap.if">
<summary>University of Washington IMAP toolkit POP3 and IMAP mail server.</summary>
<interface name="uwimap_domtrans" lineno="13">
<summary>
Execute imapd in the imapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="varnishd" filename="policy/modules/services/varnishd.if">
<summary>Varnishd http accelerator daemon.</summary>
<interface name="varnishd_domtrans" lineno="13">
<summary>
Execute varnishd in the varnishd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="varnishd_exec" lineno="32">
<summary>
Execute varnishd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_config" lineno="51">
<summary>
Read varnishd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_lib_files" lineno="70">
<summary>
Read varnish lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_log" lineno="89">
<summary>
Read varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_append_log" lineno="108">
<summary>
Append varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_manage_log" lineno="128">
<summary>
Create, read, write, and delete
varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_admin_varnishlog" lineno="154">
<summary>
All of the rules required to
administrate an varnishlog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="varnishd_admin" lineno="189">
<summary>
All of the rules required to
administrate an varnishd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="varnishd_connect_any" dftval="false">
<desc>
<p>
Determine whether varnishd can
use the full TCP network.
</p>
</desc>
</tunable>
</module>
<module name="vdagent" filename="policy/modules/services/vdagent.if">
<summary>Spice agent for Linux.</summary>
<interface name="vdagent_domtrans" lineno="13">
<summary>
Execute a domain transition to run vdagent.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_getattr_exec_files" lineno="32">
<summary>
Get attributes of vdagent executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_getattr_log" lineno="50">
<summary>
Get attributes of vdagent log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_read_pid_files" lineno="69">
<summary>
Read vdagent pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_stream_connect" lineno="84">
<summary>
Connect to vdagent with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_admin" lineno="110">
<summary>
All of the rules required to
administrate a vdagent environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="vhostmd" filename="policy/modules/services/vhostmd.if">
<summary>Virtual host metrics daemon.</summary>
<interface name="vhostmd_domtrans" lineno="13">
<summary>
Execute a domain transition to run vhostmd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vhostmd_initrc_domtrans" lineno="33">
<summary>
Execute vhostmd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vhostmd_read_tmpfs_files" lineno="51">
<summary>
Read vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_read_tmpfs_files" lineno="71">
<summary>
Do not audit attempts to read
vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="vhostmd_rw_tmpfs_files" lineno="89">
<summary>
Read and write vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_tmpfs_files" lineno="109">
<summary>
Create, read, write, and delete
vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_read_pid_files" lineno="128">
<summary>
Read vhostmd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_pid_files" lineno="143">
<summary>
Create, read, write, and delete
vhostmd pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_stream_connect" lineno="158">
<summary>
Connect to vhostmd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_rw_stream_connect" lineno="178">
<summary>
Do not audit attempts to read and
write vhostmd unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="vhostmd_admin" lineno="203">
<summary>
All of the rules required to
administrate a vhostmd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="virt" filename="policy/modules/services/virt.if">
<summary>Libvirt virtualization API.</summary>
<template name="virt_domain_template" lineno="13">
<summary>
The template to define a virt domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<template name="virt_lxc_domain_template" lineno="97">
<summary>
The template to define a virt lxc domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="virt_image" lineno="121">
<summary>
Make the specified type a virt image type.
</summary>
<param name="type">
<summary>
Type to be used as a virtual image.
</summary>
</param>
</interface>
<interface name="virt_domtrans" lineno="141">
<summary>
Execute a domain transition to run virtd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_domtrans_qmf" lineno="160">
<summary>
Execute a domain transition to run virt qmf.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_domtrans_bridgehelper" lineno="180">
<summary>
Execute a domain transition to
run virt bridgehelper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_domtrans_leaseshelper" lineno="200">
<summary>
Execute a domain transition to
run virt leaseshelper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_run_bridgehelper" lineno="226">
<summary>
Execute bridgehelper in the bridgehelper
domain, and allow the specified role
the bridgehelper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="virt_run_virt_domain" lineno="252">
<summary>
Execute virt domains in their
domain, and allow the specified
role that virt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="virt_signal_all_virt_domains" lineno="276">
<summary>
Send generic signals to all virt domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_kill_all_virt_domains" lineno="294">
<summary>
Send kill signals to all virt domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_run_svirt_lxc_domain" lineno="319">
<summary>
Execute svirt lxc domains in their
domain, and allow the specified
role that svirt lxc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="virt_getattr_virtd_exec_files" lineno="343">
<summary>
Get attributes of virtd executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stream_connect" lineno="362">
<summary>
Connect to virt with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_attach_tun_iface" lineno="381">
<summary>
Attach to virt tun devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_config" lineno="400">
<summary>
Read virt configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_config" lineno="423">
<summary>
Create, read, write, and delete
virt configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_content" lineno="445">
<summary>
Read virt content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_virt_content" lineno="481">
<summary>
Create, read, write, and delete
virt content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_relabel_virt_content" lineno="517">
<summary>
Relabel virt content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_home_filetrans_virt_content" lineno="552">
<summary>
Create specified objects in user home
directories with the virt content type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="virt_manage_svirt_home_content" lineno="571">
<summary>
Create, read, write, and delete
svirt home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_relabel_svirt_home_content" lineno="606">
<summary>
Relabel svirt home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_home_filetrans_svirt_home" lineno="640">
<summary>
Create specified objects in user home
directories with the svirt home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="virt_home_filetrans" lineno="675">
<summary>
Create specified objects in generic
virt home directories with private
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="virt_manage_home_files" lineno="695">
<summary>
Create, read, write, and delete
virt home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_generic_virt_home_content" lineno="715">
<summary>
Create, read, write, and delete
virt home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_relabel_generic_virt_home_content" lineno="750">
<summary>
Relabel virt home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_home_filetrans_virt_home" lineno="785">
<summary>
Create specified objects in user home
directories with the generic virt
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="virt_read_pid_files" lineno="803">
<summary>
Read virt pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_pid_files" lineno="819">
<summary>
Create, read, write, and delete
virt pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_runtime_files" lineno="833">
<summary>
Read virt runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_runtime_filetrans" lineno="868">
<summary>
Create an object in the libvirt runtime directory, with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
<infoflow type="write" weight="10"/>
</interface>
<interface name="virt_search_lib" lineno="886">
<summary>
Search virt lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_lib_files" lineno="905">
<summary>
Read virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_lib_files" lineno="926">
<summary>
Create, read, write, and delete
virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_pid_filetrans" lineno="962">
<summary>
Create objects in virt pid
directories with a private type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
<infoflow type="write" weight="10"/>
</interface>
<interface name="virt_read_log" lineno="978">
<summary>
Read virt log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_append_log" lineno="997">
<summary>
Append virt log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_log" lineno="1017">
<summary>
Create, read, write, and delete
virt log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_search_images" lineno="1038">
<summary>
Search virt image directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_images" lineno="1057">
<summary>
Read virt image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rw_all_image_chr_files" lineno="1093">
<summary>
Read and write all virt image
character files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_virt_cache" lineno="1114">
<summary>
Create, read, write, and delete
virt cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_images" lineno="1136">
<summary>
Create, read, write, and delete
virt image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_admin" lineno="1178">
<summary>
All of the rules required to
administrate a virt environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="virt_use_comm" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use serial/parallel communication ports.
</p>
</desc>
</tunable>
<tunable name="virt_use_execmem" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use executable memory and can make
their stack executable.
</p>
</desc>
</tunable>
<tunable name="virt_use_fusefs" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use fuse file systems.
</p>
</desc>
</tunable>
<tunable name="virt_use_nfs" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use nfs file systems.
</p>
</desc>
</tunable>
<tunable name="virt_use_samba" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use cifs file systems.
</p>
</desc>
</tunable>
<tunable name="virt_use_sysfs" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can manage device configuration.
</p>
</desc>
</tunable>
<tunable name="virt_use_usb" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use usb devices.
</p>
</desc>
</tunable>
<tunable name="virt_use_xserver" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can interact with xserver.
</p>
</desc>
</tunable>
<tunable name="virt_use_vfio" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use vfio for pci device pass through (vt-d).
</p>
</desc>
</tunable>
<tunable name="virt_use_evdev" dftval="false">
<desc>
<p>
Determine whether confined virtual guests
can use input devices via evdev pass through.
</p>
</desc>
</tunable>
</module>
<module name="vnstatd" filename="policy/modules/services/vnstatd.if">
<summary>Console network traffic monitor.</summary>
<interface name="vnstatd_domtrans_vnstat" lineno="13">
<summary>
Execute a domain transition to run vnstat.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vnstatd_run_vnstat" lineno="39">
<summary>
Execute vnstat in the vnstat domain,
and allow the specified role
the vnstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_admin" lineno="65">
<summary>
All of the rules required to
administrate a vnstatd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="watchdog" filename="policy/modules/services/watchdog.if">
<summary>Software watchdog.</summary>
<interface name="watchdog_admin" lineno="20">
<summary>
All of the rules required to
administrate a watchdog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="wdmd" filename="policy/modules/services/wdmd.if">
<summary>Watchdog multiplexing daemon.</summary>
<interface name="wdmd_stream_connect" lineno="14">
<summary>
Connect to wdmd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_admin" lineno="40">
<summary>
All of the rules required to
administrate a wdmd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="wireguard" filename="policy/modules/services/wireguard.if">
<summary>WireGuard VPN.</summary>
<interface name="wireguard_domtrans" lineno="13">
<summary>
Execute WireGuard in the wireguard domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="wireguard_run" lineno="39">
<summary>
Execute WireGuard in the wireguard domain, and
allow the specified role the wireguard domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="wireguard_admin" lineno="66">
<summary>
All of the rules required to
administrate a WireGuard
environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="xfs" filename="policy/modules/services/xfs.if">
<summary>X Windows Font Server.</summary>
<interface name="xfs_read_sockets" lineno="13">
<summary>
Read xfs temporary sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_stream_connect" lineno="33">
<summary>
Connect to xfs with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_exec" lineno="52">
<summary>
Execute xfs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_create_tmp_dirs" lineno="71">
<summary>
Create xfs temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_admin" lineno="97">
<summary>
All of the rules required to
administrate an xfs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="xserver" filename="policy/modules/services/xserver.if">
<summary>X Windows Server</summary>
<interface name="xserver_restricted_role" lineno="19">
<summary>
Rules required for using the X Windows server
and environment, for restricted users.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_role" lineno="141">
<summary>
Rules required for using the X Windows server
and environment.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_ro_session" lineno="212">
<summary>
Create sessions on the X server, with read-only
access to the X server shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</interface>
<interface name="xserver_rw_session" lineno="254">
<summary>
Create sessions on the X server, with read and write
access to the X server shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</interface>
<interface name="xserver_non_drawing_client" lineno="274">
<summary>
Create non-drawing client sessions on an X server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="xserver_common_x_domain_template" lineno="313">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Provides the minimal set required by a basic
X client application.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Client domain allowed access.
</summary>
</param>
</template>
<template name="xserver_object_types_template" lineno="372">
<summary>
Template for creating the set of types used
in an X windows domain.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="xserver_user_x_domain_template" lineno="414">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Provides the minimal set required by a basic
X client application.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Client domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</template>
<interface name="xserver_use_user_fonts" lineno="481">
<summary>
Read user fonts, user font configuration,
and manage the user font cache.
</summary>
<desc>
<p>
Read user fonts, user font configuration,
and manage the user font cache.
</p>
<p>
This is a templated interface, and should only
be called from a per-userdomain template.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_domtrans_xauth" lineno="513">
<summary>
Transition to the Xauthority domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="536">
<summary>
Create an Xauthority file in the user home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="xserver_user_home_dir_filetrans_user_iceauth" lineno="560">
<summary>
Create an ICEauthority file in
the user home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="xserver_user_home_dir_filetrans_user_xsession_log" lineno="579">
<summary>
Create a .xsession-errors log
file in the user home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_user_xauth" lineno="597">
<summary>
Read all users .Xauthority.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_user_dmrc" lineno="616">
<summary>
Read all users .dmrc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_user_iceauth" lineno="635">
<summary>
Read all users .ICEauthority.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_setattr_console_pipes" lineno="654">
<summary>
Set the attributes of the X windows console named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_console" lineno="672">
<summary>
Read and write the X windows console named pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_create_console_pipes" lineno="690">
<summary>
Create the X windows console named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_relabel_console_pipes" lineno="708">
<summary>
Relabel the X windows console named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_use_xdm_fds" lineno="726">
<summary>
Use file descriptors for xdm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_use_xdm_fds" lineno="745">
<summary>
Do not audit attempts to inherit
XDM file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_sigchld_xdm" lineno="763">
<summary>
Allow domain to send sigchld to xdm_t.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_xdm_pipes" lineno="781">
<summary>
Read and write XDM unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="800">
<summary>
Do not audit attempts to read and write
XDM unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_dbus_chat_xdm" lineno="820">
<summary>
Send and receive messages from
xdm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_state" lineno="840">
<summary>
Read xdm process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_setsched_xdm" lineno="862">
<summary>
Set the priority of the X Display
Manager (XDM).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_stream_connect_xdm" lineno="881">
<summary>
Connect to XDM over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_rw_config" lineno="900">
<summary>
Read xdm-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_setattr_xdm_tmp_dirs" lineno="919">
<summary>
Set the attributes of XDM temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_create_xdm_tmp_sockets" lineno="938">
<summary>
Create a named socket in an XDM
temporary directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_delete_xdm_tmp_sockets" lineno="959">
<summary>
Delete a named socket in an XDM
temporary directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_pid" lineno="978">
<summary>
Read XDM pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_runtime_files" lineno="993">
<summary>
Read XDM runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_lib_files" lineno="1012">
<summary>
Read XDM var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_xsession_entry_type" lineno="1030">
<summary>
Make an X session script an entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which the X session script is an entrypoint.
</summary>
</param>
</interface>
<interface name="xserver_xsession_spec_domtrans" lineno="1067">
<summary>
Execute an X session in the target domain.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<desc>
<p>
Execute an Xsession in the target domain.  This
is an explicit transition, requiring the
caller to use setexeccon().
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the shell process.
</summary>
</param>
</interface>
<interface name="xserver_write_inherited_xsession_log" lineno="1086">
<summary>
Write to inherited xsession log
files such as .xsession-errors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_xsession_log" lineno="1106">
<summary>
Read and write xsession log
files such as .xsession-errors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_manage_xsession_log" lineno="1125">
<summary>
Manage xsession log files such
as .xsession-errors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_write_inherited_log" lineno="1144">
<summary>
Write to inherited X server log
files like /var/log/lightdm/lightdm.log
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_getattr_log" lineno="1162">
<summary>
Get the attributes of X server logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_write_log" lineno="1182">
<summary>
Do not audit attempts to write the X server
log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_delete_log" lineno="1200">
<summary>
Delete X server log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xkb_libs" lineno="1221">
<summary>
Read X keyboard extension libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_create_xdm_tmp_dirs" lineno="1243">
<summary>
Create xdm temporary directories.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_tmp_files" lineno="1261">
<summary>
Read xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1280">
<summary>
Do not audit attempts to read xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_rw_xdm_tmp_files" lineno="1299">
<summary>
Read and write xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_manage_xdm_tmp_files" lineno="1318">
<summary>
Create, read, write, and delete xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1337">
<summary>
Do not audit attempts to get the attributes of
xdm temporary named sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_list_xdm_tmp" lineno="1355">
<summary>
List xdm_tmp_t directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_domtrans" lineno="1373">
<summary>
Execute the X server in the X server domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xserver_signal" lineno="1392">
<summary>
Signal X servers
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_kill" lineno="1410">
<summary>
Kill X servers
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_state" lineno="1428">
<summary>
Allow reading xserver_t files to get cgroup and sessionid
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_shm" lineno="1448">
<summary>
Read and write X server Sys V Shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1467">
<summary>
Do not audit attempts to read and write to
X server sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1486">
<summary>
Do not audit attempts to read and write X server
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_stream_connect" lineno="1505">
<summary>
Connect to the X server over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_tmp_files" lineno="1524">
<summary>
Read X server temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dbus_chat" lineno="1543">
<summary>
Send and receive messages from xserver_t over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_manage_core_devices" lineno="1564">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Gives the domain permission to read the
virtual core keyboard and virtual core pointer devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_unconfined" lineno="1587">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Gives the domain complete control over the
display.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_xdm_keys" lineno="1607">
<summary>
Read and write keys for xdm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_link_xdm_keys" lineno="1625">
<summary>
Link keys for xdm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_mesa_shader_cache" lineno="1643">
<summary>
Read and write the mesa shader cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_manage_mesa_shader_cache" lineno="1664">
<summary>
Manage the mesa shader cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="allow_write_xshm" dftval="false">
<desc>
<p>
Allows clients to write to the X server shared
memory segments.
</p>
</desc>
</tunable>
<tunable name="xdm_sysadm_login" dftval="false">
<desc>
<p>
Allow xdm logins as sysadm
</p>
</desc>
</tunable>
<tunable name="xserver_gnome_xdm" dftval="false">
<desc>
<p>
Use gnome-shell in gdm mode as the
X Display Manager (XDM)
</p>
</desc>
</tunable>
<tunable name="xserver_object_manager" dftval="false">
<desc>
<p>
Support X userspace object manager
</p>
</desc>
</tunable>
<tunable name="xserver_allow_dri" dftval="false">
<desc>
<p>
Allow DRI access
</p>
</desc>
</tunable>
</module>
<module name="zabbix" filename="policy/modules/services/zabbix.if">
<summary>Distributed infrastructure monitoring.</summary>
<interface name="zabbix_domtrans" lineno="13">
<summary>
Execute a domain transition to run zabbix.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zabbix_tcp_connect" lineno="32">
<summary>
Connect to zabbix on the TCP network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_log" lineno="53">
<summary>
Read zabbix log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zabbix_append_log" lineno="72">
<summary>
Append zabbix log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_pid_files" lineno="91">
<summary>
Read zabbix pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_agent_tcp_connect" lineno="105">
<summary>
Connect to zabbix agent on the TCP network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_admin" lineno="132">
<summary>
All of the rules required to
administrate a zabbix environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="zabbix_can_network" dftval="false">
<desc>
<p>
Determine whether zabbix can
connect to all TCP ports
</p>
</desc>
</tunable>
</module>
<module name="zarafa" filename="policy/modules/services/zarafa.if">
<summary>Zarafa collaboration platform.</summary>
<template name="zarafa_domain_template" lineno="13">
<summary>
The template to define a zarafa domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="zarafa_search_config" lineno="60">
<summary>
search zarafa configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_deliver" lineno="79">
<summary>
Execute a domain transition to run zarafa deliver.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_server" lineno="98">
<summary>
Execute a domain transition to run zarafa server.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_stream_connect_server" lineno="118">
<summary>
Connect to zarafa server with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_admin" lineno="144">
<summary>
All of the rules required to
administrate a zarafa environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="zebra" filename="policy/modules/services/zebra.if">
<summary>Zebra border gateway protocol network routing service.</summary>
<interface name="zebra_read_config" lineno="14">
<summary>
Read zebra configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zebra_stream_connect" lineno="36">
<summary>
Connect to zebra with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zebra_admin" lineno="62">
<summary>
All of the rules required to
administrate a zebra environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_zebra_write_config" dftval="false">
<desc>
<p>
Determine whether zebra daemon can
manage its configuration files.
</p>
</desc>
</tunable>
</module>
<module name="zosremote" filename="policy/modules/services/zosremote.if">
<summary>z/OS Remote-services Audit dispatcher plugin.</summary>
<interface name="zosremote_domtrans" lineno="13">
<summary>
Execute a domain transition to run audispd-zos-remote.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zosremote_run" lineno="39">
<summary>
Execute zos remote in the zos remote
domain, and allow the specified role
the zos remote domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>