File: //usr/share/selinux/devel/include/system.xml
<summary>
	Policy modules for system functions from init to multi-user login.
</summary>
<module name="application" filename="policy/modules/system/application.if">
<summary>Policy for user executable applications.</summary>
<interface name="application_type" lineno="13">
<summary>
Make the specified type usable as an application domain.
</summary>
<param name="type">
<summary>
Type to be used as a domain type.
</summary>
</param>
</interface>
<interface name="application_executable_file" lineno="36">
<summary>
Make the specified type usable for files
that are executables, such as binary programs.
This does not include shared libraries.
</summary>
<param name="type">
<summary>
Type to be used for files.
</summary>
</param>
</interface>
<interface name="application_exec" lineno="56">
<summary>
Execute application executables in the caller domain.
</summary>
<param name="type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="application_exec_all" lineno="75">
<summary>
Execute all executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="application_domain" lineno="110">
<summary>
Create a domain for applications.
</summary>
<desc>
<p>
Create a domain for applications.  Typically these are
programs that are run interactively.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
</desc>
<param name="domain">
<summary>
Type to be used as an application domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="application_signull" lineno="126">
<summary>
Send null signals to all application domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="application_dontaudit_signull" lineno="145">
<summary>
Do not audit attempts to send null signals
to all application domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="application_signal" lineno="163">
<summary>
Send general signals to all application domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="application_dontaudit_signal" lineno="182">
<summary>
Do not audit attempts to send general signals
to all application domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="application_dontaudit_sigkill" lineno="201">
<summary>
Do not audit attempts to send kill signals
to all application domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="authlogin" filename="policy/modules/system/authlogin.if">
<summary>Common policy for authentication and user login.</summary>
<interface name="auth_role" lineno="18">
<summary>
Role access for password authentication.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_use_pam" lineno="43">
<summary>
Use PAM for authentication.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_use_pam_systemd" lineno="92">
<summary>
Use the pam module systemd during authentication.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_use_pam_motd_dynamic" lineno="110">
<summary>
Use the pam module motd with dynamic support during authentication.
This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
and was added to Debian (https://sources.debian.org/src/pam/1.3.1-5/debian/patches-applied/update-motd/)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_login_pgm_domain" lineno="134">
<summary>
Make the specified domain used for a login program.
</summary>
<param name="domain">
<summary>
Domain type used for a login program domain.
</summary>
</param>
</interface>
<interface name="auth_login_entry_type" lineno="221">
<summary>
Use the login program as an entry point program.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_domtrans_login_program" lineno="244">
<summary>
Execute a login_program in the target domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the login_program process.
</summary>
</param>
</interface>
<interface name="auth_ranged_domtrans_login_program" lineno="274">
<summary>
Execute a login_program in the target domain,
with a range transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the login_program process.
</summary>
</param>
<param name="range">
<summary>
Range of the login program.
</summary>
</param>
</interface>
<interface name="auth_search_cache" lineno="300">
<summary>
Search authentication cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_cache" lineno="318">
<summary>
Read authentication cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_rw_cache" lineno="336">
<summary>
Read/Write authentication cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_cache" lineno="354">
<summary>
Manage authentication cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_var_filetrans_cache" lineno="373">
<summary>
Automatic transition from cache_t to cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_domtrans_chk_passwd" lineno="391">
<summary>
Run unix_chkpwd to check a password.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_domtrans_chkpwd" lineno="439">
<summary>
Run unix_chkpwd to check a password.
Stripped-down version to be called within a boolean conditional.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_run_chk_passwd" lineno="465">
<summary>
Execute chkpwd programs in the chkpwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the chkpwd domain.
</summary>
</param>
</interface>
<interface name="auth_domtrans_upd_passwd" lineno="484">
<summary>
Execute a domain transition to run unix_update.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_run_upd_passwd" lineno="509">
<summary>
Execute updpwd programs in the updpwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the updpwd domain.
</summary>
</param>
</interface>
<interface name="auth_getattr_shadow" lineno="528">
<summary>
Get the attributes of the shadow passwords file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_dontaudit_getattr_shadow" lineno="548">
<summary>
Do not audit attempts to get the attributes
of the shadow passwords file.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_read_shadow" lineno="570">
<summary>
Read the shadow passwords file (/etc/shadow)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_map_shadow" lineno="585">
<summary>
Map the shadow passwords file (/etc/shadow)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_can_read_shadow_passwords" lineno="611">
<summary>
Pass shadow assertion for reading.
</summary>
<desc>
<p>
Pass shadow assertion for reading.
This should only be used with
auth_tunable_read_shadow(), and
only exists because typeattribute
does not work in conditionals.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_tunable_read_shadow" lineno="637">
<summary>
Read the shadow password file.
</summary>
<desc>
<p>
Read the shadow password file.  This
should only be used in a conditional;
it does not pass the reading shadow
assertion.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_dontaudit_read_shadow" lineno="657">
<summary>
Do not audit attempts to read the shadow
password file (/etc/shadow).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_rw_shadow" lineno="675">
<summary>
Read and write the shadow password file (/etc/shadow).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_shadow" lineno="697">
<summary>
Create, read, write, and delete the shadow
password file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_etc_filetrans_shadow" lineno="722">
<summary>
Automatic transition from etc to shadow.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="auth_relabelto_shadow" lineno="741">
<summary>
Relabel to the shadow
password file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_relabel_shadow" lineno="763">
<summary>
Relabel from and to the shadow
password file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_append_faillog" lineno="784">
<summary>
Append to the login failure log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_create_faillog_files" lineno="803">
<summary>
Create fail log lock (in /run/faillock).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_rw_faillog" lineno="821">
<summary>
Read and write the login failure log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_faillog" lineno="840">
<summary>
Manage the login failure logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_setattr_faillog_files" lineno="859">
<summary>
Set the attributes of the login failure logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_lastlog" lineno="878">
<summary>
Read the last logins log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="auth_append_lastlog" lineno="897">
<summary>
Append only to the last logins log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_relabel_lastlog" lineno="916">
<summary>
Relabel the last logins log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_rw_lastlog" lineno="935">
<summary>
Read and write to the last logins log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_lastlog" lineno="954">
<summary>
Manage the last logins log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_domtrans_pam" lineno="973">
<summary>
Execute pam programs in the pam domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_signal_pam" lineno="991">
<summary>
Send generic signals to pam processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_run_pam" lineno="1014">
<summary>
Execute pam programs in the PAM domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the PAM domain.
</summary>
</param>
</interface>
<interface name="auth_exec_pam" lineno="1033">
<summary>
Execute the pam program.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_var_auth" lineno="1052">
<summary>
Read var auth files. Used by various other applications
and pam applets etc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_rw_var_auth" lineno="1072">
<summary>
Read and write var auth files. Used by various other applications
and pam applets etc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_var_auth" lineno="1092">
<summary>
Manage var auth files. Used by various other applications
and pam applets etc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_pam_pid" lineno="1113">
<summary>
Read PAM PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_dontaudit_read_pam_pid" lineno="1128">
<summary>
Do not audit attempts to read PAM PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_pid_filetrans_pam_var_run" lineno="1156">
<summary>
Create specified objects in
pid directories with the pam var
run file type using a
file type transition.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="auth_delete_pam_pid" lineno="1171">
<summary>
Delete pam PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_pam_pid" lineno="1186">
<summary>
Manage pam PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_pam_runtime_dirs" lineno="1202">
<summary>
Manage pam runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_runtime_filetrans_pam_runtime" lineno="1233">
<summary>
Create specified objects in
pid directories with the pam runtime
file type using a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="auth_read_pam_runtime_files" lineno="1251">
<summary>
Read PAM runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1271">
<summary>
Do not audit attempts to read PAM runtime files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_delete_pam_runtime_files" lineno="1289">
<summary>
Delete pam runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_pam_runtime_files" lineno="1308">
<summary>
Create, read, write, and delete pam runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_domtrans_pam_console" lineno="1327">
<summary>
Execute pam_console with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_search_pam_console_data" lineno="1346">
<summary>
Search the contents of the
pam_console data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_list_pam_console_data" lineno="1366">
<summary>
List the contents of the pam_console
data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_create_pam_console_data_dirs" lineno="1385">
<summary>
Create pam var console pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_relabel_pam_console_data_dirs" lineno="1404">
<summary>
Relabel pam_console data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_pam_console_data" lineno="1422">
<summary>
Read pam_console data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_pam_console_data" lineno="1443">
<summary>
Create, read, write, and delete
pam_console data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_delete_pam_console_data" lineno="1463">
<summary>
Delete pam_console data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_pid_filetrans_pam_var_console" lineno="1496">
<summary>
Create specified objects in
pid directories with the pam var
console pid file type using a
file type transition.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="auth_runtime_filetrans_pam_var_console" lineno="1524">
<summary>
Create specified objects in generic
runtime directories with the pam var
console runtime file type using a
file type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="auth_domtrans_utempter" lineno="1542">
<summary>
Execute utempter programs in the utempter domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="auth_run_utempter" lineno="1565">
<summary>
Execute utempter programs in the utempter domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the utempter domain.
</summary>
</param>
</interface>
<interface name="auth_dontaudit_exec_utempter" lineno="1584">
<summary>
Do not audit attempts to execute utempter executable.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_setattr_login_records" lineno="1602">
<summary>
Set the attributes of login record files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_read_login_records" lineno="1622">
<summary>
Read login records files (/var/log/wtmp).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="auth_dontaudit_read_login_records" lineno="1643">
<summary>
Do not audit attempts to read login records
files (/var/log/wtmp).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="auth_dontaudit_write_login_records" lineno="1662">
<summary>
Do not audit attempts to write to
login records files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="auth_append_login_records" lineno="1680">
<summary>
Append to login records (wtmp).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_write_login_records" lineno="1699">
<summary>
Write to login records (wtmp).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_rw_login_records" lineno="1717">
<summary>
Read and write login records.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_log_filetrans_login_records" lineno="1737">
<summary>
Create login records in the log directory
using a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_manage_login_records" lineno="1756">
<summary>
Create, read, write, and delete login
records files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_relabel_login_records" lineno="1775">
<summary>
Relabel login record files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="auth_use_nsswitch" lineno="1803">
<summary>
Use nsswitch to look up user, password, group, or
host information.
</summary>
<desc>
<p>
Allow the specified domain to look up user, password,
group, or host information using the name service.
The most common use of this interface is for services
that do host name resolution (usually DNS resolution).
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
</interface>
<interface name="auth_unconfined" lineno="1831">
<summary>
Unconfined access to the authlogin module.
</summary>
<desc>
<p>
Unconfined access to the authlogin module.
</p>
<p>
Currently, this only allows assertions for
the shadow passwords file (/etc/shadow) to
be passed.  No access is granted yet.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="authlogin_nsswitch_use_ldap" dftval="false">
<desc>
<p>
Allow users to resolve user passwd entries directly from ldap rather than using an sssd server.
</p>
</desc>
</tunable>
</module>
<module name="clock" filename="policy/modules/system/clock.if">
<summary>Policy for reading and setting the hardware clock.</summary>
<interface name="clock_domtrans" lineno="13">
<summary>
Execute hwclock in the clock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clock_run" lineno="38">
<summary>
Execute hwclock in the clock domain, and
allow the specified role the hwclock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="clock_exec" lineno="57">
<summary>
Execute hwclock in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clock_read_adjtime" lineno="75">
<summary>
Read clock drift adjustments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clock_dontaudit_write_adjtime" lineno="94">
<summary>
Do not audit attempts to write clock drift adjustments.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="clock_rw_adjtime" lineno="112">
<summary>
Read and write clock drift adjustments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="daemontools" filename="policy/modules/system/daemontools.if">
<summary>Collection of tools for managing UNIX services.</summary>
<interface name="daemontools_ipc_domain" lineno="14">
<summary>
An ipc channel between the
supervised domain and svc_start_t.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_service_domain" lineno="41">
<summary>
Create a domain which can be
started by daemontools.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entrypoint">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="daemontools_domtrans_start" lineno="64">
<summary>
Execute svc start in the svc
start domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemonstools_run_start" lineno="91">
<summary>
Execute svc start in the svc
start domain, and allow the
specified role the svc start domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="daemontools_domtrans_run" lineno="110">
<summary>
Execute svc run in the svc run domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemontools_sigchld_run" lineno="130">
<summary>
Send child terminated signals
to svc run.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_domtrans_multilog" lineno="149">
<summary>
Execute svc multilog in the svc
multilog domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemontools_search_svc_dir" lineno="168">
<summary>
Search svc svc directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_read_svc" lineno="188">
<summary>
Read svc svc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="daemontools_manage_svc" lineno="210">
<summary>
Create, read, write and delete
svc svc content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fstools" filename="policy/modules/system/fstools.if">
<summary>Tools for filesystem management, such as mkfs and fsck.</summary>
<interface name="fstools_domtrans" lineno="13">
<summary>
Execute fs tools in the fstools domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fstools_run" lineno="39">
<summary>
Execute fs tools in the fstools domain, and
allow the specified role the fs tools domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fstools_exec" lineno="58">
<summary>
Execute fsadm in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_signal" lineno="76">
<summary>
Send signal to fsadm process
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_use_fds" lineno="94">
<summary>
Inherit fstools file descriptors.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="fstools_read_pipes" lineno="112">
<summary>
Read fstools unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_relabelto_entry_files" lineno="131">
<summary>
Relabel a file to the type used by the
filesystem tools programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_manage_entry_files" lineno="150">
<summary>
Create, read, write, and delete a file used by the
filesystem tools programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_write_log" lineno="168">
<summary>
Write to fsadm_log_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_manage_runtime_files" lineno="187">
<summary>
Create, read, write, and delete filesystem tools
runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_getattr_swap_files" lineno="205">
<summary>
Get the attributes of swap files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_dontaudit_getattr_swap_files" lineno="223">
<summary>
Do not audit attempts to get the attributes of swap files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fstools_relabelto_swap_files" lineno="241">
<summary>
Relabel to swapfile.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fstools_manage_swap_files" lineno="259">
<summary>
Manage swapfile.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="getty" filename="policy/modules/system/getty.if">
<summary>Manages physical or virtual terminals.</summary>
<interface name="getty_domtrans" lineno="13">
<summary>
Execute gettys in the getty domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="getty_use_fds" lineno="32">
<summary>
Inherit and use getty file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="getty_read_log" lineno="51">
<summary>
Allow process to read getty log file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="getty_read_config" lineno="71">
<summary>
Allow process to read getty config file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="getty_rw_config" lineno="91">
<summary>
Allow process to edit getty config file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hostname" filename="policy/modules/system/hostname.if">
<summary>Policy for changing the system host name.</summary>
<interface name="hostname_domtrans" lineno="13">
<summary>
Execute hostname in the hostname domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hostname_run" lineno="38">
<summary>
Execute hostname in the hostname domain, and
allow the specified role the hostname domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="hostname_exec" lineno="58">
<summary>
Execute hostname in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="init" filename="policy/modules/system/init.if">
<summary>System initialization programs (init and init scripts).</summary>
<interface name="init_mountpoint" lineno="17">
<summary>
Make the specified type usable as a mountpoint.
</summary>
<desc>
Make the specified type usable as a mountpoint.
This is normally used for systemd BindPaths options.
</desc>
<param name="file_type">
<summary>
Type to be used as a mountpoint.
</summary>
</param>
</interface>
<interface name="init_path_unit_location_file" lineno="35">
<summary>
Create a file type monitored by a systemd path unit.
</summary>
<param name="script_file">
<summary>
Type to be used for a path unit monitored location.
</summary>
</param>
</interface>
<interface name="init_script_file" lineno="73">
<summary>
Create a file type used for init scripts.
</summary>
<desc>
<p>
Create a file type used for init scripts.  It can not be
used in conjunction with init_script_domain(). These
script files are typically stored in the /etc/init.d directory.
</p>
<p>
Typically this is used to constrain what services an
admin can start/stop.  For example, a policy writer may want
to constrain a web administrator to only being able to
restart the web server, not other services.  This special type
will help address that goal.
</p>
<p>
This also makes the type usable for files; thus an
explicit call to files_type() is redundant.
</p>
</desc>
<param name="script_file">
<summary>
Type to be used for a script file.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="init_unit_file" lineno="97">
<summary>
Make the specified type usable for
systemd unit files.
</summary>
<param name="type">
<summary>
Type to be used for systemd unit files.
</summary>
</param>
</interface>
<interface name="init_script_domain" lineno="128">
<summary>
Create a domain used for init scripts.
</summary>
<desc>
<p>
Create a domain used for init scripts.
Can not be used in conjunction with
init_script_file().
</p>
</desc>
<param name="domain">
<summary>
Type to be used as an init script domain.
</summary>
</param>
<param name="script_file">
<summary>
Type of the script file used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="init_domain" lineno="170">
<summary>
Create a domain which can be started by init.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="init_ranged_domain" lineno="217">
<summary>
Create a domain which can be started by init,
with a range transition.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
</interface>
<interface name="init_spec_daemon_domain" lineno="258">
<summary>
Setup a domain which can be manually transitioned to from init.
</summary>
<desc>
<p>
Create a domain used for systemd services where the SELinuxContext
option is specified in the .service file.  This allows for the
manual transition from systemd into the new domain.  This is used
when automatic transitions won't work.  Used for the case where the
same binary is used for multiple target domains.
</p>
</desc>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program being executed when starting this domain.
</summary>
</param>
</interface>
<interface name="init_daemon_domain" lineno="331">
<summary>
Create a domain for long running processes
(daemons/services) which are started by init scripts.
</summary>
<desc>
<p>
Create a domain for long running processes (daemons/services)
which are started by init scripts. Short running processes
should use the init_system_domain() interface instead.
Typically all long running processes started by an init
script (usually in /etc/init.d) will need to use this
interface.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
<p>
If the process must also run in a specific MLS/MCS level,
the init_ranged_daemon_domain() should be used instead.
</p>
</desc>
<param name="domain">
<summary>
Type to be used as a daemon domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="init_ranged_daemon_domain" lineno="419">
<summary>
Create a domain for long running processes
(daemons/services) which are started by init scripts,
running at a specified MLS/MCS range.
</summary>
<desc>
<p>
Create a domain for long running processes (daemons/services)
which are started by init scripts, running at a specified
MLS/MCS range. Short running processes
should use the init_ranged_system_domain() interface instead.
Typically all long running processes started by an init
script (usually in /etc/init.d) will need to use this
interface if they need to run in a specific MLS/MCS range.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
<p>
If the policy build option TYPE is standard (MLS and MCS disabled),
this interface has the same behavior as init_daemon_domain().
</p>
</desc>
<param name="domain">
<summary>
Type to be used as a daemon domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="range">
<summary>
MLS/MCS range for the domain.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="init_abstract_socket_activation" lineno="450">
<summary>
Abstract socket service activation (systemd).
</summary>
<param name="domain">
<summary>
The domain to be started by systemd socket activation.
</summary>
</param>
</interface>
<interface name="init_named_socket_activation" lineno="475">
<summary>
Named socket service activation (systemd).
</summary>
<param name="domain">
<summary>
The domain to be started by systemd socket activation.
</summary>
</param>
<param name="sock_file">
<summary>
The domain socket file type.
</summary>
</param>
</interface>
<interface name="init_system_domain" lineno="526">
<summary>
Create a domain for short running processes
which are started by init scripts.
</summary>
<desc>
<p>
Create a domain for short running processes
which are started by init scripts. These are generally applications that
are used to initialize the system during boot.
Long running processes, such as daemons/services
should use the init_daemon_domain() interface instead.
Typically all short running processes started by an init
script (usually in /etc/init.d) will need to use this
interface.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
<p>
If the process must also run in a specific MLS/MCS level,
the init_ranged_system_domain() should be used instead.
</p>
</desc>
<param name="domain">
<summary>
Type to be used as a system domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="init_ranged_system_domain" lineno="588">
<summary>
Create a domain for short running processes
which are started by init scripts.
</summary>
<desc>
<p>
Create a domain for short running processes
which are started by init scripts.
These are generally applications that
are used to initialize the system during boot.
Long running processes
should use the init_ranged_daemon_domain() interface instead.
Typically all short running processes started by an init
script (usually in /etc/init.d) will need to use this
interface if they need to run in a specific MLS/MCS range.
</p>
<p>
The types will be made usable as a domain and file, making
calls to domain_type() and files_type() redundant.
</p>
<p>
If the policy build option TYPE is standard (MLS and MCS disabled),
this interface has the same behavior as init_system_domain().
</p>
</desc>
<param name="domain">
<summary>
Type to be used as a system domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="init_dyntrans" lineno="619">
<summary>
Allow domain dyntransition to init_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_daemon_pid_file" lineno="648">
<summary>
Mark the file type as a daemon pid file, allowing initrc_t
to create it  (Deprecated)
</summary>
<param name="filetype">
<summary>
Type to mark as a daemon pid file
</summary>
</param>
<param name="class">
<summary>
Class on which the type is applied
</summary>
</param>
<param name="filename">
<summary>
Filename of the file that the init script creates
</summary>
</param>
</interface>
<interface name="init_daemon_runtime_file" lineno="675">
<summary>
Mark the file type as a daemon runtime file, allowing initrc_t
to create it
</summary>
<param name="filetype">
<summary>
Type to mark as a daemon runtime file
</summary>
</param>
<param name="class">
<summary>
Class on which the type is applied
</summary>
</param>
<param name="filename">
<summary>
Filename of the file that the init script creates
</summary>
</param>
</interface>
<interface name="init_daemon_lock_file" lineno="708">
<summary>
Mark the file type as a daemon lock file, allowing initrc_t
to create it
</summary>
<param name="filetype">
<summary>
Type to mark as a daemon lock file
</summary>
</param>
<param name="class">
<summary>
Class on which the type is applied
</summary>
</param>
<param name="filename">
<summary>
Filename of the file that the init script creates
</summary>
</param>
</interface>
<interface name="init_domtrans" lineno="730">
<summary>
Execute init (/sbin/init) with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_pgm_spec_user_daemon_domain" lineno="754">
<summary>
Execute init (/sbin/init) with a domain transition
to the provided domain.
</summary>
<desc>
Execute init (/sbin/init) with a domain transition
to the provided domain.  This is used by systemd
to execute the systemd user session.
</desc>
<param name="domain">
<summary>
The type to be used as a systemd --user domain.
</summary>
</param>
</interface>
<interface name="init_exec" lineno="782">
<summary>
Execute the init program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_pgm_entrypoint" lineno="803">
<summary>
Allow the init program to be an entrypoint
for the specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_exec_rc" lineno="832">
<summary>
Execute the rc application in the caller domain.
</summary>
<desc>
<p>
This is only applicable to Gentoo or distributions that use the OpenRC
init system.
</p>
<p>
The OpenRC /sbin/rc binary is used for both init scripts as well as
management applications and tools. When used for management purposes,
calling /sbin/rc should never cause a transition to initrc_t.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getpgid" lineno="851">
<summary>
Get the process group of init.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_signal" lineno="869">
<summary>
Send init a generic signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_signull" lineno="887">
<summary>
Send init a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_sigchld" lineno="905">
<summary>
Send init a SIGCHLD signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_stream_connect" lineno="923">
<summary>
Connect to init with a unix socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_unix_stream_socket_connectto" lineno="944">
<summary>
Connect to init with a unix socket.
Without any additional permissions.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_use_fds" lineno="1002">
<summary>
Inherit and use file descriptors from init.
</summary>
<desc>
<p>
Allow the specified domain to inherit file
descriptors from the init program (process ID 1).
Typically the only file descriptors to be
inherited from init are for the console.
This does not allow the domain any access to
the objects to which the file descriptors refer.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>init_dontaudit_use_fds()</li>
<li>term_dontaudit_use_console()</li>
<li>term_use_console()</li>
</ul>
<p>
Example usage:
</p>
<p>
init_use_fds(mydomain_t)
term_use_console(mydomain_t)
</p>
<p>
Normally, processes that can inherit these file
descriptors (usually services) write messages to the
system log instead of writing to the console.
Therefore, in many cases, this access should
be dontaudited instead.
</p>
<p>
Example dontaudit usage:
</p>
<p>
init_dontaudit_use_fds(mydomain_t)
term_dontaudit_use_console(mydomain_t)
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="read" weight="1"/>
</interface>
<interface name="init_dontaudit_use_fds" lineno="1021">
<summary>
Do not audit attempts to inherit file
descriptors from init.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_dgram_send" lineno="1040">
<summary>
Send messages to init unix datagram sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_rw_inherited_stream_socket" lineno="1060">
<summary>
Read and write to inherited init unix streams.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rw_stream_sockets" lineno="1079">
<summary>
Allow the specified domain to read/write to
init with unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_start_system" lineno="1097">
<summary>
start service (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_stop_system" lineno="1115">
<summary>
stop service (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_get_system_status" lineno="1133">
<summary>
Get all service status (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_enable" lineno="1151">
<summary>
Enable all systemd services (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_disable" lineno="1169">
<summary>
Disable all services (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_reload" lineno="1187">
<summary>
Reload all services (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_reboot_system" lineno="1205">
<summary>
Reboot the system (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_shutdown_system" lineno="1223">
<summary>
Shutdown (halt) the system (systemd).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_service_status" lineno="1241">
<summary>
Allow specified domain to get init status
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="init_service_start" lineno="1260">
<summary>
Allow specified domain to get init start
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="init_dbus_chat" lineno="1280">
<summary>
Send and receive messages from
systemd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_var_lib_links" lineno="1300">
<summary>
read/follow symlinks under /var/lib/systemd/
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_list_var_lib_dirs" lineno="1319">
<summary>
List /var/lib/systemd/ dir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_relabel_var_lib_dirs" lineno="1337">
<summary>
Relabel dirs in /var/lib/systemd/.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_var_lib_files" lineno="1355">
<summary>
Manage files in /var/lib/systemd/.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_var_lib_filetrans" lineno="1390">
<summary>
Create files in /var/lib/systemd
with an automatic type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="type">
<summary>
The type of object to be created
</summary>
</param>
<param name="object_class">
<summary>
The object class.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="init_search_pids" lineno="1409">
<summary>
Allow searching the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_list_pids" lineno="1424">
<summary>
Allow listing of the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_pid_symlinks" lineno="1439">
<summary>
Create symbolic links in the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_create_pid_files" lineno="1454">
<summary>
Create files in the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_write_pid_files" lineno="1469">
<summary>
Write files in the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_pid_dirs" lineno="1485">
<summary>
Create, read, write, and delete
directories in the /run/systemd directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_pid_filetrans" lineno="1515">
<summary>
Create files in an init PID directory.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
The type of the object to be created
</summary>
</param>
<param name="object_class">
<summary>
The object class.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="init_search_runtime" lineno="1530">
<summary>
Search init runtime directories, e.g. /run/systemd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_list_runtime" lineno="1548">
<summary>
List init runtime directories, e.g. /run/systemd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_runtime_dirs" lineno="1568">
<summary>
Create, read, write, and delete
directories in the /run/systemd directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_runtime_filetrans" lineno="1601">
<summary>
Create files in an init runtime directory with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
The type of the object to be created
</summary>
</param>
<param name="object_class">
<summary>
The object class.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="init_write_runtime_files" lineno="1620">
<summary>
Write init runtime files, e.g. in /run/systemd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_create_runtime_files" lineno="1638">
<summary>
Create init runtime files, e.g. in /run/systemd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_runtime_symlinks" lineno="1656">
<summary>
Create init runtime symbolic links, e.g. in /run/systemd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getattr_initctl" lineno="1674">
<summary>
Get the attributes of initctl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_getattr_initctl" lineno="1695">
<summary>
Do not audit attempts to get the
attributes of initctl.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_write_initctl" lineno="1713">
<summary>
Write to initctl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_telinit" lineno="1734">
<summary>
Use telinit (Read and write initctl).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_rw_initctl" lineno="1767">
<summary>
Read and write initctl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_rw_initctl" lineno="1788">
<summary>
Do not audit attempts to read and
write initctl.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_script_file_entry_type" lineno="1807">
<summary>
Make init scripts an entry point for
the specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_spec_domtrans_script" lineno="1825">
<summary>
Execute init scripts with a specified domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_domtrans_script" lineno="1860">
<summary>
Execute init scripts with an automatic domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_domtrans_labeled_script" lineno="1887">
<summary>
Execute labelled init scripts with an automatic domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_script_file_domtrans" lineno="1933">
<summary>
Execute an init script in a specified domain.
</summary>
<desc>
<p>
Execute an init script in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="init_kill_scripts" lineno="1952">
<summary>
Send a kill signal to init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_script_service" lineno="1970">
<summary>
Allow manage service for initrc_exec_t scripts
</summary>
<param name="domain">
<summary>
Target domain
</summary>
</param>
</interface>
<interface name="init_labeled_script_domtrans" lineno="1995">
<summary>
Transition to the init script domain
on a specified labeled init script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="init_script_file">
<summary>
Labeled init script file.
</summary>
</param>
</interface>
<interface name="init_all_labeled_script_domtrans" lineno="2017">
<summary>
Transition to the init script domain
for all labeled init script types
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="init_get_script_status" lineno="2035">
<summary>
Allow getting service status of initrc_exec_t scripts
</summary>
<param name="domain">
<summary>
Target domain
</summary>
</param>
</interface>
<interface name="init_startstop_service" lineno="2075">
<summary>
Allow the role to start and stop
labeled services.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be performing this action.
</summary>
</param>
<param name="domain">
<summary>
Type to be used as a daemon domain.
</summary>
</param>
<param name="init_script_file">
<summary>
Labeled init script file.
</summary>
</param>
<param name="unit" optional="true">
<summary>
Systemd unit file type.
</summary>
</param>
</interface>
<interface name="init_run_daemon" lineno="2131">
<summary>
Start and stop daemon programs directly.
</summary>
<desc>
<p>
Start and stop daemon programs directly
in the traditional "/etc/init.d/daemon start"
style, and do not require run_init.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be performing this action.
</summary>
</param>
</interface>
<interface name="init_startstop_all_script_services" lineno="2153">
<summary>
Start and stop init_script_file_type services
</summary>
<param name="domain">
<summary>
domain that can start and stop the services
</summary>
</param>
</interface>
<interface name="init_read_state" lineno="2172">
<summary>
Read the process state (/proc/pid) of init.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_read_state" lineno="2192">
<summary>
Do not audit attempts to read the process state (/proc/pid) of init.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_ptrace" lineno="2213">
<summary>
Ptrace init
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_getattr" lineno="2232">
<summary>
get init process stats
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="init_write_script_pipes" lineno="2250">
<summary>
Write an init script unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getattr_script_files" lineno="2268">
<summary>
Get the attribute of init script entrypoint files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_script_files" lineno="2287">
<summary>
Read init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_exec_script_files" lineno="2306">
<summary>
Execute init scripts in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getattr_all_script_files" lineno="2325">
<summary>
Get the attribute of all init script entrypoint files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_all_script_files" lineno="2344">
<summary>
Read all init script files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_read_all_script_files" lineno="2363">
<summary>
Do not audit attempts to read all init script files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_exec_all_script_files" lineno="2381">
<summary>
Execute all init scripts in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_script_state" lineno="2400">
<summary>
Read the process state (/proc/pid) of the init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_use_script_fds" lineno="2419">
<summary>
Inherit and use init script file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_use_script_fds" lineno="2438">
<summary>
Do not audit attempts to inherit
init script file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_search_script_keys" lineno="2456">
<summary>
Search init script keys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getpgid_script" lineno="2474">
<summary>
Get the process group ID of init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_sigchld_script" lineno="2492">
<summary>
Send SIGCHLD signals to init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_signal_script" lineno="2510">
<summary>
Send generic signals to init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_signull_script" lineno="2528">
<summary>
Send null signals to init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rw_script_pipes" lineno="2546">
<summary>
Read and write init script unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_stream_connect_script" lineno="2565">
<summary>
Allow the specified domain to connect to
init scripts with a unix socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rw_script_stream_sockets" lineno="2584">
<summary>
Allow the specified domain to read and write
init script unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_stream_connect_script" lineno="2603">
<summary>
Do not audit the specified domain connecting to
init scripts with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_dbus_send_script" lineno="2620">
<summary>
Send messages to init scripts over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dbus_chat_script" lineno="2640">
<summary>
Send and receive messages from
init scripts over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_use_script_ptys" lineno="2669">
<summary>
Read and write the init script pty.
</summary>
<desc>
<p>
Read and write the init script pty.  This
pty is generally opened by the open_init_pty
portion of the run_init program so that the
daemon does not require direct access to
the administrator terminal.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_use_inherited_script_ptys" lineno="2688">
<summary>
Read and write inherited init script ptys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_use_script_ptys" lineno="2710">
<summary>
Do not audit attempts to read and
write the init script pty.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_getattr_script_status_files" lineno="2729">
<summary>
Get the attributes of init script
status files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_read_script_status_files" lineno="2748">
<summary>
Do not audit attempts to read init script
status files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_search_run" lineno="2767">
<summary>
Search the /run/systemd directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_script_tmp_files" lineno="2786">
<summary>
Read init script temporary data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rw_inherited_script_tmp_files" lineno="2805">
<summary>
Read and write init script inherited temporary data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rw_script_tmp_files" lineno="2823">
<summary>
Read and write init script temporary data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_script_tmp_filetrans" lineno="2858">
<summary>
Create files in an init script
temporary data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
The type of the object to be created
</summary>
</param>
<param name="object_class">
<summary>
The object class.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="init_getattr_utmp" lineno="2877">
<summary>
Get the attributes of init script process id files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_utmp" lineno="2895">
<summary>
Read utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_write_utmp" lineno="2914">
<summary>
Do not audit attempts to write utmp.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_write_utmp" lineno="2932">
<summary>
Write to utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_lock_utmp" lineno="2952">
<summary>
Do not audit attempts to lock
init script pid files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_rw_utmp" lineno="2970">
<summary>
Read and write utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_dontaudit_rw_utmp" lineno="2989">
<summary>
Do not audit attempts to read and write utmp.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="init_manage_utmp" lineno="3007">
<summary>
Create, read, write, and delete utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_relabel_utmp" lineno="3026">
<summary>
Relabel utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_watch_utmp" lineno="3044">
<summary>
Watch utmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_runtime_filetrans_utmp" lineno="3063">
<summary>
Create files in /var/run with the
utmp file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_create_runtime_dirs" lineno="3081">
<summary>
Create a directory in the /run/systemd directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_runtime_files" lineno="3100">
<summary>
Read init_runtime_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_rename_runtime_files" lineno="3118">
<summary>
Rename init_runtime_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_setattr_runtime_files" lineno="3136">
<summary>
Setattr init_runtime_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_delete_runtime_files" lineno="3154">
<summary>
Delete init_runtime_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_write_runtime_socket" lineno="3173">
<summary>
Allow the specified domain to write to
init sock file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_runtime_pipes" lineno="3191">
<summary>
Read init unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_runtime_symlinks" lineno="3209">
<summary>
read systemd unit symlinks (usually under /run/systemd/units/)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_tcp_recvfrom_all_daemons" lineno="3227">
<summary>
Allow the specified domain to connect to daemon with a tcp socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_udp_recvfrom_all_daemons" lineno="3245">
<summary>
Allow the specified domain to connect to daemon with a udp socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_search_units" lineno="3262">
<summary>
Search systemd unit dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_list_unit_dirs" lineno="3287">
<summary>
List systemd unit dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_restart_units" lineno="3307">
<summary>
restart systemd units, for /run/systemd/transient/*
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_generic_units_files" lineno="3325">
<summary>
Read systemd unit files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_read_generic_units_symlinks" lineno="3343">
<summary>
Read systemd unit links
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_get_generic_units_status" lineno="3361">
<summary>
Get status of generic systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_start_generic_units" lineno="3380">
<summary>
Start generic systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_stop_generic_units" lineno="3399">
<summary>
Stop generic systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_reload_generic_units" lineno="3418">
<summary>
Reload generic systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_get_all_units_status" lineno="3437">
<summary>
Get status of all systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_all_units" lineno="3456">
<summary>
All perms on all systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_start_all_units" lineno="3476">
<summary>
Start all systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_stop_all_units" lineno="3495">
<summary>
Stop all systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_reload_all_units" lineno="3514">
<summary>
Reload all systemd units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_getattr_all_units" lineno="3533">
<summary>
getattr all systemd unit files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_manage_all_unit_files" lineno="3551">
<summary>
Manage systemd unit dirs and the files in them
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_linkable_keyring" lineno="3572">
<summary>
Associate the specified domain to be a domain whose
keyring init should be allowed to link.
</summary>
<param name="domain">
<summary>
Domain whose keyring init should be allowed to link.
</summary>
</param>
</interface>
<interface name="init_getattr_all_unit_files" lineno="3590">
<summary>
stat systemd unit files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="init_admin" lineno="3608">
<summary>
Allow unconfined access to send instructions to init
</summary>
<param name="domain">
<summary>
Target domain
</summary>
</param>
</interface>
<interface name="init_getrlimit" lineno="3640">
<summary>
Allow getting init_t rlimit
</summary>
<param name="domain">
<summary>
Source domain
</summary>
</param>
</interface>
<interface name="init_search_keys" lineno="3658">
<summary>
Allow searching init_t keys
</summary>
<param name="domain">
<summary>
Source domain
</summary>
</param>
</interface>
<tunable name="init_upstart" dftval="false">
<desc>
<p>
Enable support for upstart as the init program.
</p>
</desc>
</tunable>
<tunable name="init_daemons_use_tty" dftval="false">
<desc>
<p>
Allow all daemons the ability to read/write terminals
</p>
</desc>
</tunable>
<tunable name="init_mounton_non_security" dftval="false">
<desc>
<p>
Enable systemd to mount on all non-security files.
</p>
</desc>
</tunable>
</module>
<module name="ipsec" filename="policy/modules/system/ipsec.if">
<summary>TCP/IP encryption</summary>
<interface name="ipsec_domtrans" lineno="13">
<summary>
Execute ipsec in the ipsec domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipsec_stream_connect" lineno="31">
<summary>
Connect to IPSEC using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_domtrans_mgmt" lineno="50">
<summary>
Execute ipsec in the ipsec mgmt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipsec_stream_connect_racoon" lineno="68">
<summary>
Connect to racoon using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_getattr_key_sockets" lineno="87">
<summary>
Get the attributes of an IPSEC key socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_exec_mgmt" lineno="105">
<summary>
Execute the IPSEC management program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_signal_mgmt" lineno="124">
<summary>
Send ipsec mgmt a general signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_signull_mgmt" lineno="143">
<summary>
Send ipsec mgmt a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_kill_mgmt" lineno="162">
<summary>
Send ipsec mgmt a kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_mgmt_dbus_chat" lineno="181">
<summary>
Send and receive messages from
ipsec-mgmt over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_read_config" lineno="202">
<summary>
Read the IPSEC configuration
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ipsec_match_default_spd" lineno="221">
<summary>
Match the default SPD entry.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_setcontext_default_spd" lineno="241">
<summary>
Set the context of a SPD entry to
the default context.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_write_pid" lineno="259">
<summary>
write the ipsec_runtime_t files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_manage_pid" lineno="275">
<summary>
Create, read, write, and delete the IPSEC pid files.
(Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_write_runtime_files" lineno="290">
<summary>
Write ipsec runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_manage_runtime_files" lineno="309">
<summary>
Create, read, write, and delete the IPSEC runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipsec_domtrans_racoon" lineno="328">
<summary>
Execute racoon in the racoon domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipsec_run_racoon" lineno="352">
<summary>
Execute racoon and allow the specified role the domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ipsec_domtrans_setkey" lineno="371">
<summary>
Execute setkey in the setkey domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipsec_run_setkey" lineno="395">
<summary>
Execute setkey and allow the specified role the domains.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ipsec_admin" lineno="421">
<summary>
All of the rules required to
administrate an ipsec environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="racoon_read_shadow" dftval="false">
<desc>
<p>
Allow racoon to read shadow
</p>
</desc>
</tunable>
</module>
<module name="iptables" filename="policy/modules/system/iptables.if">
<summary>Administration tool for IP packet filtering and NAT.</summary>
<interface name="iptables_domtrans" lineno="13">
<summary>
Execute iptables in the iptables domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iptables_run" lineno="43">
<summary>
Execute iptables in the iptables domain, and
allow the specified role the iptables domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="iptables_exec" lineno="62">
<summary>
Execute iptables in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_initrc_domtrans" lineno="82">
<summary>
Execute iptables init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iptables_setattr_config" lineno="100">
<summary>
Set the attributes of iptables config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_read_config" lineno="119">
<summary>
Read iptables config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_etc_filetrans_config" lineno="140">
<summary>
Create files in /etc with the type used for
the iptables config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_manage_config" lineno="158">
<summary>
Manage iptables config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_dontaudit_read_pids" lineno="177">
<summary>
dontaudit reading iptables_runtime_t  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="iptables_dontaudit_read_runtime_files" lineno="192">
<summary>
Do not audit reading iptables runtime files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="iptables_startstop" lineno="210">
<summary>
Allow specified domain to start and stop iptables service
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_status" lineno="229">
<summary>
Allow specified domain to get status of iptables service
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iptables_admin" lineno="256">
<summary>
All of the rules required to
administrate an iptables
environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="iscsi" filename="policy/modules/system/iscsi.if">
<summary>Establish connections to iSCSI devices.</summary>
<interface name="iscsid_domtrans" lineno="13">
<summary>
Execute a domain transition to run iscsid.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iscsi_manage_semaphores" lineno="33">
<summary>
Create, read, write, and delete
iscsid semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_stream_connect" lineno="52">
<summary>
Connect to iscsid using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_read_lib_files" lineno="71">
<summary>
Read iscsid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_admin" lineno="98">
<summary>
All of the rules required to
administrate an iscsi environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="libraries" filename="policy/modules/system/libraries.if">
<summary>Policy for system libraries.</summary>
<interface name="libs_domtrans_ldconfig" lineno="13">
<summary>
Execute ldconfig in the ldconfig domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="libs_run_ldconfig" lineno="38">
<summary>
Execute ldconfig in the ldconfig domain, and
allow the specified role the ldconfig domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ldconfig domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="libs_exec_ldconfig" lineno="58">
<summary>
Execute ldconfig in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="libs_use_ld_so" lineno="78">
<summary>
Use the dynamic link/loader for automatic loading
of shared libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_legacy_use_ld_so" lineno="103">
<summary>
Use the dynamic link/loader for automatic loading
of shared libraries with legacy support.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_exec_ld_so" lineno="123">
<summary>
Execute the dynamic link/loader in the caller's domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_manage_ld_so" lineno="145">
<summary>
Create, read, write, and delete the
dynamic link/loader.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_relabel_ld_so" lineno="165">
<summary>
Relabel to and from the type used for
the dynamic link/loader.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_rw_ld_so_cache" lineno="184">
<summary>
Modify the dynamic link/loader's cached listing
of shared libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_search_lib" lineno="203">
<summary>
Search library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_dontaudit_write_lib_dirs" lineno="228">
<summary>
Do not audit attempts to write to library directories.
</summary>
<desc>
<p>
Do not audit attempts to write to library directories.
Typically this is used to quiet attempts to recompile
python byte code.
</p>
</desc>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="libs_manage_lib_dirs" lineno="246">
<summary>
Create, read, write, and delete library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_dontaudit_setattr_lib_files" lineno="264">
<summary>
dontaudit attempts to setattr on library files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="libs_read_lib_files" lineno="283">
<summary>
Read files in the library directories, such
as static libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_exec_lib_files" lineno="304">
<summary>
Execute library scripts in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_manage_lib_files" lineno="327">
<summary>
Create, read, write, and delete generic
files in library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_relabelto_lib_files" lineno="345">
<summary>
Relabel files to the type used in library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_relabel_lib_files" lineno="365">
<summary>
Relabel to and from the type used
for generic lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_delete_lib_symlinks" lineno="384">
<summary>
Delete generic symlinks in library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_manage_shared_libs" lineno="403">
<summary>
Create, read, write, and delete shared libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_use_shared_libs" lineno="421">
<summary>
Load and execute functions from shared libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_legacy_use_shared_libs" lineno="444">
<summary>
Load and execute functions from shared libraries,
with legacy support.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_relabel_shared_libs" lineno="465">
<summary>
Relabel to and from the type used for
shared libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="libs_watch_shared_libs_dir" lineno="483">
<summary>
watch lib dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="locallogin" filename="policy/modules/system/locallogin.if">
<summary>Policy for local logins.</summary>
<interface name="locallogin_domtrans" lineno="13">
<summary>
Execute local logins in the local login domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="locallogin_read_state" lineno="35">
<summary>
Allow calling domain to read locallogin state.
</summary>
<param name="domain">
<summary>
Domain allowed permission.
</summary>
</param>
</interface>
<interface name="locallogin_use_fds" lineno="56">
<summary>
Allow processes to inherit local login file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="locallogin_dontaudit_use_fds" lineno="74">
<summary>
Do not audit attempts to inherit local login file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="locallogin_signull" lineno="92">
<summary>
Send a null signal to local login processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="locallogin_search_keys" lineno="110">
<summary>
Search for key.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="locallogin_link_keys" lineno="128">
<summary>
Allow link to the local_login key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="locallogin_domtrans_sulogin" lineno="146">
<summary>
Execute single-user logins in the single-user login domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="logging" filename="policy/modules/system/logging.if">
<summary>Policy for the kernel message logger and system logging daemon.</summary>
<interface name="logging_log_file" lineno="41">
<summary>
Make the specified type usable for log files
in a filesystem.
</summary>
<desc>
<p>
Make the specified type usable for log files in a filesystem.
This will also make the type usable for files, making
calls to files_type() redundant.  Failure to use this interface
for a log file type may result in problems with log
rotation, log analysis, and log monitoring programs.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>logging_log_filetrans()</li>
</ul>
<p>
Example usage with a domain that can create
and append to a private log file stored in the
general directories (e.g., /var/log):
</p>
<p>
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
</p>
</desc>
<param name="type">
<summary>
Type to be used for files.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="logging_send_audit_msgs" lineno="62">
<summary>
Send audit messages.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_dontaudit_send_audit_msgs" lineno="77">
<summary>
Do not audit attempts to send audit messages.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logging_set_loginuid" lineno="92">
<summary>
Set login uid
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_set_tty_audit" lineno="107">
<summary>
Set tty auditing
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_set_audit_parameters" lineno="121">
<summary>
Set up audit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_read_audit_log" lineno="137">
<summary>
Read the audit log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_domtrans_auditctl" lineno="159">
<summary>
Execute auditctl in the auditctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logging_run_auditctl" lineno="184">
<summary>
Execute auditctl in the auditctl domain, and
allow the specified role the auditctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_domtrans_auditd" lineno="203">
<summary>
Execute auditd in the auditd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logging_run_auditd" lineno="227">
<summary>
Execute auditd in the auditd domain, and
allow the specified role the auditd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="logging_domtrans_dispatcher" lineno="246">
<summary>
Execute a domain transition to run the audit dispatcher.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logging_signal_dispatcher" lineno="264">
<summary>
Signal the audit dispatcher.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_dispatcher_domain" lineno="288">
<summary>
Create a domain for processes
which can be started by the system audit dispatcher
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="logging_stream_connect_dispatcher" lineno="316">
<summary>
Connect to the audit dispatcher over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_manage_audit_config" lineno="336">
<summary>
Manage the auditd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_manage_audit_log" lineno="358">
<summary>
Manage the audit log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_domtrans_klog" lineno="380">
<summary>
Execute klogd in the klog domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logging_check_exec_syslog" lineno="399">
<summary>
Check if syslogd is executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_domtrans_syslog" lineno="418">
<summary>
Execute syslogd in the syslog domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logging_startstop_syslog" lineno="440">
<summary>
Allow specified domain to start/stop syslog units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_status_syslog" lineno="459">
<summary>
Allow specified domain to check status of syslog unit
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_setattr_syslogd_tmp_files" lineno="479">
<summary>
Set the attributes of syslog temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_audit_socket_activation" lineno="498">
<summary>
Allow the domain to create the audit socket
for syslogd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_relabel_syslogd_tmp_files" lineno="517">
<summary>
Relabel to and from syslog temporary file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_setattr_syslogd_tmp_dirs" lineno="536">
<summary>
Set the attributes of syslog temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_relabel_syslogd_tmp_dirs" lineno="555">
<summary>
Relabel to and from syslog temporary directory type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_log_filetrans" lineno="616">
<summary>
Create an object in the log directory, with a private type.
</summary>
<desc>
<p>
Allow the specified domain to create an object
in the general system log directories (e.g., /var/log)
with a private type.  Typically this is used for creating
private log files in /var/log with the private type instead
of the general system log type. To accomplish this goal,
either the program must be SELinux-aware, or use this interface.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>logging_log_file()</li>
</ul>
<p>
Example usage with a domain that can create
and append to a private log file stored in the
general directories (e.g., /var/log):
</p>
<p>
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
<infoflow type="write" weight="10"/>
</interface>
<interface name="logging_send_syslog_msg" lineno="658">
<summary>
Send system log messages.
</summary>
<desc>
<p>
Allow the specified domain to connect to the
system log service (syslog), to send messages to be added to
the system logs. Typically this is used by services
that do not have their own log file in /var/log.
</p>
<p>
This does not allow messages to be sent to
the auditing system.
</p>
<p>
Programs which use the libc function syslog() will
require this access.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>logging_send_audit_msgs()</li>
</ul>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_use_syslogd_fd" lineno="700">
<summary>
Allow domain to use a file descriptor
from syslogd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_relabelto_devlog_sock_files" lineno="719">
<summary>
Allow domain to relabelto devlog sock_files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_create_devlog" lineno="737">
<summary>
Connect to the syslog control unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_read_audit_config" lineno="758">
<summary>
Read the auditd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_dontaudit_search_audit_config" lineno="781">
<summary>
dontaudit search of auditd configuration files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_read_syslog_config" lineno="800">
<summary>
Read syslog configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_watch_runtime_dirs" lineno="818">
<summary>
Watch syslog runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_manage_pid_sockets" lineno="836">
<summary>
Create, read, write, and delete syslog PID sockets.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_manage_runtime_sockets" lineno="851">
<summary>
Create, read, write, and delete syslog runtime sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_search_logs" lineno="872">
<summary>
Allows the domain to open a file in the
log directory, but does not allow the listing
of the contents of the log directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_dontaudit_search_logs" lineno="892">
<summary>
Do not audit attempts to search the var log directory.
</summary>
<param name="domain">
<summary>
Domain not to audit.
</summary>
</param>
</interface>
<interface name="logging_list_logs" lineno="910">
<summary>
List the contents of the generic log directory (/var/log).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_rw_generic_log_dirs" lineno="930">
<summary>
Read and write the generic log directory (/var/log).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_search_all_logs" lineno="951">
<summary>
Search through all log dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_setattr_all_log_dirs" lineno="970">
<summary>
Set attributes on all log dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_dontaudit_getattr_all_logs" lineno="989">
<summary>
Do not audit attempts to get the attributes
of any log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logging_getattr_all_logs" lineno="1007">
<summary>
Read the attributes of any log file
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_append_all_logs" lineno="1025">
<summary>
Append to all log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_append_all_inherited_logs" lineno="1046">
<summary>
Append to all inherited log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_read_all_logs" lineno="1065">
<summary>
Read all log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_exec_all_logs" lineno="1087">
<summary>
Execute all log files in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_rw_all_logs" lineno="1107">
<summary>
Read and write all log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_manage_all_logs" lineno="1127">
<summary>
Create, read, write, and delete all log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_manage_generic_log_dirs" lineno="1148">
<summary>
Create, read, write, and delete generic log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_relabel_generic_log_dirs" lineno="1168">
<summary>
Relabel from and to generic log directory type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_read_generic_logs" lineno="1188">
<summary>
Read generic log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_mmap_generic_logs" lineno="1209">
<summary>
Map generic log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_write_generic_logs" lineno="1227">
<summary>
Write generic log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_dontaudit_write_generic_logs" lineno="1248">
<summary>
Do not audit attempts to write generic log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logging_rw_generic_logs" lineno="1266">
<summary>
Read and write generic log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_manage_generic_logs" lineno="1289">
<summary>
Create, read, write, and delete
generic log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_watch_generic_logs_dir" lineno="1308">
<summary>
Watch generic log dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logging_admin_audit" lineno="1333">
<summary>
All of the rules required to administrate
the audit environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
User role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_admin_syslog" lineno="1377">
<summary>
All of the rules required to administrate
the syslog environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
User role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_admin" lineno="1433">
<summary>
All of the rules required to administrate
the logging environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
User role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logging_mmap_journal" lineno="1448">
<summary>
Map files in /run/log/journal/ directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lvm" filename="policy/modules/system/lvm.if">
<summary>Policy for logical volume management programs.</summary>
<interface name="lvm_domtrans" lineno="13">
<summary>
Execute lvm programs in the lvm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lvm_exec" lineno="32">
<summary>
Execute lvm programs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lvm_run" lineno="57">
<summary>
Execute lvm programs in the lvm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the LVM domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lvm_signull" lineno="77">
<summary>
Send lvm a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lvm_read_config" lineno="96">
<summary>
Read LVM configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lvm_map_config" lineno="127">
<summary>
Map lvm config files.
</summary>
<desc>
<p>
Allow the specified domain to map lvm config files.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>lvm_read_config()</li>
</ul>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lvm_manage_config" lineno="146">
<summary>
Manage LVM configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lvm_create_lock_dirs" lineno="167">
<summary>
Create lvm_lock_t directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lvm_rw_inherited_pid_pipes" lineno="186">
<summary>
Read and write a lvm unnamed pipe.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lvm_domtrans_clvmd" lineno="200">
<summary>
Execute a domain transition to run clvmd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lvm_admin" lineno="225">
<summary>
All of the rules required to
administrate an lvm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="lvm_manage_metadata" lineno="262">
<summary>
Manage LVM metadata
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="miscfiles" filename="policy/modules/system/miscfiles.if">
<summary>Miscellaneous files.</summary>
<interface name="miscfiles_cert_type" lineno="38">
<summary>
Make the specified type usable as a cert file.
</summary>
<desc>
<p>
Make the specified type usable for cert files.
This will also make the type usable for files, making
calls to files_type() redundant.  Failure to use this interface
for a cert file may result in problems with
cert management tools.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>files_type()</li>
</ul>
<p>
Example:
</p>
<p>
type mycertfile_t;
miscfiles_cert_type(mycertfile_t)
allow mydomain_t mycertfile_t:file read_file_perms;
files_search_etc(mydomain_t)
</p>
</desc>
<param name="type">
<summary>
Type to be used for files.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="miscfiles_tls_privkey_type" lineno="83">
<summary>
Make the specified type usable
as a SSL/TLS private key file.
</summary>
<desc>
<p>
Make the specified type usable for SSL/TLS private key files.
This will also make the type usable for files, making
calls to files_type() redundant.  Failure to use this interface
for a private key file may result in problems with
SSL/TLS private key management tools.
</p>
<p>
Related interfaces:
</p>
<ul>
<li>files_type()</li>
</ul>
<p>
Example:
</p>
<p>
type mytlsprivkeyfile_t;
miscfiles_tls_privkey_type(mytlsprivkeyfile_t)
allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
files_search_etc(mydomain_t)
</p>
</desc>
<param name="type">
<summary>
Type to be used for files.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="miscfiles_read_all_certs" lineno="103">
<summary>
Read all SSL/TLS certificates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_read_generic_certs" lineno="124">
<summary>
Read generic SSL/TLS certificates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_dontaudit_read_generic_certs" lineno="145">
<summary>
Do not audit attempts to read generic SSL/TLS certificates.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_manage_generic_cert_dirs" lineno="165">
<summary>
Manage generic SSL/TLS certificate directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_generic_cert_files" lineno="184">
<summary>
Manage generic SSL/TLS certificates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_read_generic_tls_privkey" lineno="205">
<summary>
Read generic SSL/TLS private
keys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_manage_generic_tls_privkey_dirs" lineno="226">
<summary>
Manage generic SSL/TLS private
key directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_generic_tls_privkey_files" lineno="246">
<summary>
Manage generic SSL/TLS private
keys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_manage_generic_tls_privkey_symlinks" lineno="267">
<summary>
Manage generic SSL/TLS private
key symlinks.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_read_fonts" lineno="286">
<summary>
Read fonts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_setattr_fonts_dirs" lineno="317">
<summary>
Set the attributes on a fonts directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_dontaudit_setattr_fonts_dirs" lineno="337">
<summary>
Do not audit attempts to set the attributes
on a fonts directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_dontaudit_write_fonts" lineno="356">
<summary>
Do not audit attempts to write fonts.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_manage_fonts" lineno="376">
<summary>
Create, read, write, and delete fonts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_watch_fonts_dirs" lineno="401">
<summary>
Watch fonts directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_setattr_fonts_cache_dirs" lineno="419">
<summary>
Set the attributes on a fonts cache directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_dontaudit_setattr_fonts_cache_dirs" lineno="438">
<summary>
Do not audit attempts to set the attributes
on a fonts cache directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_fonts_cache" lineno="457">
<summary>
Create, read, write, and delete fonts cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_read_hwdata" lineno="479">
<summary>
Read hardware identification data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_setattr_localization" lineno="499">
<summary>
Allow process to setattr localization info
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_read_localization" lineno="531">
<summary>
Allow process to read localization information.
</summary>
<desc>
<p>
Allow the specified domain to read the localization files.
This is typically for time zone configuration files, such as
/etc/localtime and files in /usr/share/zoneinfo.
Typically, any domain which needs to know the GMT/UTC
offset of the current timezone will need access
to these files. Generally, it should be safe for any
domain to read these files.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="miscfiles_rw_localization" lineno="554">
<summary>
Allow process to write localization info
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_relabel_localization" lineno="574">
<summary>
Allow process to relabel localization info
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_legacy_read_localization" lineno="593">
<summary>
Allow process to read legacy time localization info
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_watch_localization" lineno="612">
<summary>
Watch time localization info
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_search_man_pages" lineno="631">
<summary>
Search man pages.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_dontaudit_search_man_pages" lineno="650">
<summary>
Do not audit attempts to search man pages.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="miscfiles_read_man_pages" lineno="669">
<summary>
Read man pages
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_delete_man_pages" lineno="691">
<summary>
Delete man pages
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_man_pages" lineno="713">
<summary>
Create, read, write, and delete man pages
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_read_man_cache" lineno="734">
<summary>
Read man cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_map_man_cache" lineno="755">
<summary>
Map man cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_man_cache" lineno="774">
<summary>
Create, read, write, and delete
man cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_relabel_man_cache" lineno="795">
<summary>
Relabel from and to man cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_read_public_files" lineno="816">
<summary>
Read public files used for file
transfer services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_manage_public_files" lineno="838">
<summary>
Create, read, write, and delete public files
and directories used for file transfer services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="miscfiles_watch_public_dirs" lineno="858">
<summary>
Watch public files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_read_tetex_data" lineno="876">
<summary>
Read TeX data
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_exec_tetex_data" lineno="900">
<summary>
Execute TeX data programs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_domain_entry_test_files" lineno="924">
<summary>
Let test files be an entry point for
a specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_read_test_files" lineno="942">
<summary>
Read test files and directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_exec_test_files" lineno="961">
<summary>
Execute test files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_etc_filetrans_localization" lineno="981">
<summary>
Create files in etc directories
with localization file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="miscfiles_manage_localization" lineno="1001">
<summary>
Create, read, write, and delete localization
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="modutils" filename="policy/modules/system/modutils.if">
<summary>Policy for kernel module utilities</summary>
<interface name="modutils_getattr_module_deps" lineno="13">
<summary>
Getattr the dependencies of kernel modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_read_module_deps" lineno="32">
<summary>
Read the dependencies of kernel modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_read_module_objects" lineno="51">
<summary>
Read the kernel modules.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_read_module_config" lineno="68">
<summary>
Read the configuration options used when
loading modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="modutils_rename_module_config" lineno="94">
<summary>
Rename a file with the configuration options used when
loading modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_delete_module_config" lineno="113">
<summary>
Unlink a file with the configuration options used when
loading modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_manage_module_config" lineno="132">
<summary>
Manage files with the configuration options used when
loading modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modutils_domtrans" lineno="152">
<summary>
Execute any modutil,
like insmod, kmod, depmod or updates-modules,
in the kmod domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="modutils_run" lineno="181">
<summary>
Execute any modutil,
like insmod, kmod, depmod or updates-modules,
in the kmod domain, and allow the specified role
the kmod domain, and use the caller's terminal.
Has a sigchld backchannel.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="modutils_exec" lineno="202">
<summary>
Execute any modutil,
like insmod, kmod, depmod or updates-modules,
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mount" filename="policy/modules/system/mount.if">
<summary>Policy for mount.</summary>
<interface name="mount_domtrans" lineno="13">
<summary>
Execute mount in the mount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mount_run" lineno="40">
<summary>
Execute mount in the mount domain, and
allow the specified role the mount domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mount_exec" lineno="59">
<summary>
Execute mount in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_signal" lineno="82">
<summary>
Send a generic signal to mount.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_use_fds" lineno="100">
<summary>
Use file descriptors for mount.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="mount_domtrans_unconfined" lineno="118">
<summary>
Execute mount in the unconfined mount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mount_run_unconfined" lineno="144">
<summary>
Execute mount in the unconfined mount domain, and
allow the specified role the unconfined mount domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mount_read_loopback_files" lineno="163">
<summary>
Read loopback filesystem image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_rw_loopback_files" lineno="181">
<summary>
Read and write loopback filesystem image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_list_runtime" lineno="199">
<summary>
List mount runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_watch_runtime_dirs" lineno="217">
<summary>
Watch mount runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_watch_runtime_files" lineno="235">
<summary>
Watch mount runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_watch_reads_runtime_files" lineno="253">
<summary>
Watch reads on mount runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_watch_runtime_files_reads" lineno="271">
<summary>
Watch mount runtime files reads.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_getattr_runtime_files" lineno="289">
<summary>
Getattr on mount_runtime_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_read_runtime_files" lineno="307">
<summary>
Read mount runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mount_rw_runtime_files" lineno="325">
<summary>
Read and write mount runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="allow_mount_anyfile" dftval="false">
<desc>
<p>
Allow the mount command to mount any directory or file.
</p>
</desc>
</tunable>
</module>
<module name="netlabel" filename="policy/modules/system/netlabel.if">
<summary>NetLabel/CIPSO labeled networking management</summary>
<interface name="netlabel_domtrans_mgmt" lineno="13">
<summary>
Execute netlabel_mgmt in the netlabel_mgmt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="netlabel_run_mgmt" lineno="39">
<summary>
Execute netlabel_mgmt in the netlabel_mgmt domain, and
allow the specified role the netlabel_mgmt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="raid" filename="policy/modules/system/raid.if">
<summary>RAID array management tools.</summary>
<interface name="raid_domtrans_mdadm" lineno="14">
<summary>
Execute software raid tools in
the mdadm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="raid_run_mdadm" lineno="40">
<summary>
Execute mdadm in the mdadm
domain, and allow the specified
role the mdadm domain.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="raid_read_mdadm_pid" lineno="59">
<summary>
Read mdadm pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_manage_mdadm_pid" lineno="75">
<summary>
Create, read, write, and delete
mdadm pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_read_mdadm_runtime_files" lineno="90">
<summary>
Read mdadm runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_manage_mdadm_runtime_files" lineno="111">
<summary>
Create, read, write, and delete
mdadm runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_admin_mdadm" lineno="137">
<summary>
All of the rules required to
administrate an mdadm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="selinuxutil" filename="policy/modules/system/selinuxutil.if">
<summary>Policy for SELinux policy and userland applications.</summary>
<interface name="seutil_domtrans_checkpolicy" lineno="13">
<summary>
Execute checkpolicy in the checkpolicy domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_checkpolicy" lineno="41">
<summary>
Execute checkpolicy in the checkpolicy domain, and
allow the specified role the checkpolicy domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_exec_checkpolicy" lineno="61">
<summary>
Execute checkpolicy in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_domtrans_loadpolicy" lineno="81">
<summary>
Execute load_policy in the load_policy domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_loadpolicy" lineno="108">
<summary>
Execute load_policy in the load_policy domain, and
allow the specified role the load_policy domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_exec_loadpolicy" lineno="127">
<summary>
Execute load_policy in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_read_loadpolicy" lineno="146">
<summary>
Read the load_policy program file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_domtrans_newrole" lineno="165">
<summary>
Execute newrole in the newrole domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_newrole" lineno="193">
<summary>
Execute newrole in the newrole domain, and
allow the specified role the newrole domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_exec_newrole" lineno="212">
<summary>
Execute newrole in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_dontaudit_signal_newrole" lineno="233">
<summary>
Do not audit attempts by the caller to send
a signal to newrole.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="seutil_sigchld_newrole" lineno="261">
<summary>
Send a SIGCHLD signal to newrole.
</summary>
<desc>
<p>
Allow the specified domain to send a SIGCHLD
signal to newrole.  This signal is automatically
sent from a process that is terminating to
its parent.  This may be needed by domains
that are executed from newrole.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="write" weight="1"/>
</interface>
<interface name="seutil_use_newrole_fds" lineno="279">
<summary>
Inherit and use newrole file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_dontaudit_use_newrole_fds" lineno="298">
<summary>
Do not audit attempts to inherit and use
newrole file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="seutil_domtrans_runinit" lineno="316">
<summary>
Execute run_init in the run_init domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_labeled_init_script_domtrans_runinit" lineno="347">
<summary>
Execute file in the run_init domain.
</summary>
<desc>
<p>
Execute file in the run_init domain.
This is used for the Gentoo integrated run_init.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="domain">
<summary>
Type of entry file.
</summary>
</param>
</interface>
<interface name="seutil_init_script_domtrans_runinit" lineno="376">
<summary>
Execute init scripts in the run_init domain.
</summary>
<desc>
<p>
Execute init scripts in the run_init domain.
This is used for the Gentoo integrated run_init.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_runinit" lineno="406">
<summary>
Execute run_init in the run_init domain, and
allow the specified role the run_init domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_init_script_run_runinit" lineno="442">
<summary>
Execute init scripts in the run_init domain, and
allow the specified role the run_init domain,
and use the caller's terminal.
</summary>
<desc>
<p>
Execute init scripts in the run_init domain, and
allow the specified role the run_init domain,
and use the caller's terminal.
</p>
<p>
This is used for the Gentoo integrated run_init.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="seutil_labeled_init_script_run_runinit" lineno="483">
<summary>
Execute specified file in the run_init domain, and
allow the specified role the run_init domain,
and use the caller's terminal.
</summary>
<desc>
<p>
Execute specified file in the run_init domain, and
allow the specified role the run_init domain,
and use the caller's terminal.
</p>
<p>
This is used for the Gentoo integrated run_init.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Type of init script.
</summary>
</param>
</interface>
<interface name="seutil_use_runinit_fds" lineno="502">
<summary>
Inherit and use run_init file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_domtrans_setfiles" lineno="520">
<summary>
Execute setfiles in the setfiles domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_setfiles" lineno="548">
<summary>
Execute setfiles in the setfiles domain, and
allow the specified role the setfiles domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_exec_setfiles" lineno="567">
<summary>
Execute setfiles in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_dontaudit_search_config" lineno="588">
<summary>
Do not audit attempts to search the SELinux
configuration directory (/etc/selinux).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="seutil_dontaudit_read_config" lineno="607">
<summary>
Do not audit attempts to read the SELinux
userland configuration (/etc/selinux).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="seutil_read_config" lineno="627">
<summary>
Read the general SELinux configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_rw_config" lineno="649">
<summary>
Read and write the general SELinux configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_manage_config" lineno="671">
<summary>
Create, read, write, and delete
the general selinux configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_manage_config_dirs" lineno="693">
<summary>
Create, read, write, and delete
the general selinux configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_search_default_contexts" lineno="712">
<summary>
Search the policy directory with default_context files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_read_default_contexts" lineno="732">
<summary>
Read the default_contexts files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_manage_default_contexts" lineno="752">
<summary>
Create, read, write, and delete the default_contexts files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_read_file_contexts" lineno="773">
<summary>
Read the file_contexts files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_dontaudit_read_file_contexts" lineno="795">
<summary>
Do not audit attempts to read the file_contexts files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_rw_file_contexts" lineno="815">
<summary>
Read and write the file_contexts files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_manage_file_contexts" lineno="837">
<summary>
Create, read, write, and delete the file_contexts files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_read_bin_policy" lineno="858">
<summary>
Read the SELinux binary policy.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_create_bin_policy" lineno="879">
<summary>
Create the SELinux binary policy.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_relabelto_bin_policy" lineno="902">
<summary>
Allow the caller to relabel a file to the binary policy type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_manage_bin_policy" lineno="923">
<summary>
Create, read, write, and delete the SELinux
binary policy.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_read_src_policy" lineno="945">
<summary>
Read SELinux policy source files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_manage_src_policy" lineno="967">
<summary>
Create, read, write, and delete SELinux
policy source files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_domtrans_semanage" lineno="988">
<summary>
Execute a domain transition to run semanage.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="seutil_run_semanage" lineno="1016">
<summary>
Execute semanage in the semanage domain, and
allow the specified role the semanage domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="seutil_read_module_store" lineno="1035">
<summary>
Read the semanage module store.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_manage_module_store" lineno="1060">
<summary>
Full management of the semanage
module store.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_get_semanage_read_lock" lineno="1084">
<summary>
Get read lock on module store
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_get_semanage_trans_lock" lineno="1103">
<summary>
Get trans lock on module store
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_libselinux_linked" lineno="1131">
<summary>
SELinux-enabled program access for
libselinux-linked programs.
</summary>
<desc>
<p>
SELinux-enabled programs are typically
linked to the libselinux library.  This
interface will allow access required for
the libselinux constructor to function.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="seutil_dontaudit_libselinux_linked" lineno="1161">
<summary>
Do not audit SELinux-enabled program access for
libselinux-linked programs.
</summary>
<desc>
<p>
SELinux-enabled programs are typically
linked to the libselinux library.  This
interface will dontaudit access required for
the libselinux constructor to function.
</p>
<p>
Generally this should not be used on anything
but simple SELinux-enabled programs that do not
rely on data initialized by the libselinux
constructor.
</p>
</desc>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="setrans" filename="policy/modules/system/setrans.if">
<summary>SELinux MLS/MCS label translation service.</summary>
<interface name="setrans_initrc_domtrans" lineno="14">
<summary>
Execute setrans server in the setrans domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="setrans_translate_context" lineno="32">
<summary>
Allow a domain to translate contexts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setrans_admin" lineno="58">
<summary>
All of the rules required to
administrate a setrans environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="sysnetwork" filename="policy/modules/system/sysnetwork.if">
<summary>Policy for network configuration: ifconfig and dhcp client.</summary>
<interface name="sysnet_domtrans_dhcpc" lineno="13">
<summary>
Execute dhcp client in dhcpc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sysnet_run_dhcpc" lineno="39">
<summary>
Execute DHCP clients in the dhcpc domain, and
allow the specified role the dhcpc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_dontaudit_rw_dhcpc_udp_sockets" lineno="59">
<summary>
Do not audit attempts to read and
write dhcpc udp socket descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sysnet_dontaudit_use_dhcpc_fds" lineno="78">
<summary>
Do not audit attempts to use
the dhcp file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sysnet_dontaudit_rw_dhcpc_unix_stream_sockets" lineno="97">
<summary>
Do not audit attempts to read/write to the
dhcp unix stream socket descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sysnet_sigchld_dhcpc" lineno="115">
<summary>
Send a SIGCHLD signal to the dhcp client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_kill_dhcpc" lineno="134">
<summary>
Send a kill signal to the dhcp client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_sigstop_dhcpc" lineno="152">
<summary>
Send a SIGSTOP signal to the dhcp client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_signull_dhcpc" lineno="170">
<summary>
Send a null signal to the dhcp client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_signal_dhcpc" lineno="189">
<summary>
Send a generic signal to the dhcp client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_dbus_chat_dhcpc" lineno="208">
<summary>
Send and receive messages from
dhcpc over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_rw_dhcp_config" lineno="228">
<summary>
Read and write dhcp configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_search_dhcpc_state" lineno="248">
<summary>
Search the DHCP client state
directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_read_dhcpc_state" lineno="267">
<summary>
Read dhcp client state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_delete_dhcpc_state" lineno="285">
<summary>
Delete the dhcp client state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_setattr_config" lineno="303">
<summary>
Set the attributes of network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_read_config" lineno="343">
<summary>
Read network config files.
</summary>
<desc>
<p>
Allow the specified domain to read the
general network configuration files.  A
common example of this is the
/etc/resolv.conf file, which has domain
name system (DNS) server IP addresses.
Typically, most networking processes will
require the access provided by this interface.
</p>
<p>
Higher-level interfaces which involve
networking will generally call this interface,
for example:
</p>
<ul>
<li>sysnet_dns_name_resolve()</li>
<li>sysnet_use_ldap()</li>
<li>sysnet_use_portmap()</li>
</ul>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_mmap_config_files" lineno="385">
<summary>
Map network config files.
</summary>
<desc>
<p>
Allow the specified domain to mmap the
general network configuration files.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_mmap_read_config" lineno="410">
<summary>
Map network config files.
</summary>
<desc>
<p>
Allow the specified domain to mmap the
general network configuration files.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_dontaudit_read_config" lineno="429">
<summary>
Do not audit attempts to read network config files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sysnet_write_config" lineno="447">
<summary>
Write network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_create_config" lineno="466">
<summary>
Create network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_relabel_config" lineno="485">
<summary>
Relabel network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_etc_filetrans_config" lineno="510">
<summary>
Create files in /etc with the type used for
the network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="sysnet_manage_config" lineno="528">
<summary>
Create, read, write, and delete network config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_watch_config_dir" lineno="560">
<summary>
Watch a network config dir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_read_dhcpc_pid" lineno="578">
<summary>
Read the dhcp client pid file.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_delete_dhcpc_pid" lineno="593">
<summary>
Delete the dhcp client pid file.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_read_dhcpc_runtime_files" lineno="608">
<summary>
Read dhcp client runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_delete_dhcpc_runtime_files" lineno="627">
<summary>
Delete the dhcp client runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_domtrans_ifconfig" lineno="645">
<summary>
Execute ifconfig in the ifconfig domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sysnet_run_ifconfig" lineno="672">
<summary>
Execute ifconfig in the ifconfig domain, and
allow the specified role the ifconfig domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_exec_ifconfig" lineno="692">
<summary>
Execute ifconfig in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_signal_ifconfig" lineno="712">
<summary>
Send a generic signal to ifconfig.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_signull_ifconfig" lineno="731">
<summary>
Send null signals to ifconfig.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_read_dhcp_config" lineno="749">
<summary>
Read the DHCP configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_search_dhcp_state" lineno="769">
<summary>
Search the DHCP state data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_dhcp_state_filetrans" lineno="813">
<summary>
Create DHCP state data.
</summary>
<desc>
<p>
Create DHCP state data.
</p>
<p>
This is added for DHCP server, as
the server and client put their state
files in the same directory.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
The type of the object to be created
</summary>
</param>
<param name="object_class">
<summary>
The object class.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="sysnet_dns_name_resolve" lineno="833">
<summary>
Perform a DNS name resolution.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysnet_use_ldap" lineno="883">
<summary>
Connect and use an LDAP server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sysnet_use_portmap" lineno="910">
<summary>
Connect and use remote port mappers.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="dhcpc_manage_samba" dftval="false">
<desc>
<p>
Determine whether DHCP client
can manage samba
</p>
</desc>
</tunable>
</module>
<module name="systemd" filename="policy/modules/system/systemd.if">
<summary>Systemd components (not PID 1)</summary>
<template name="systemd_role_template" lineno="23">
<summary>
Template for systemd --user per-role domains.
</summary>
<param name="prefix">
<summary>
Prefix for generated types
</summary>
</param>
<param name="role">
<summary>
The user role.
</summary>
</param>
<param name="userdomain">
<summary>
The user domain for the role.
</summary>
</param>
</template>
<template name="systemd_user_daemon_domain" lineno="209">
<summary>
Allow the specified domain to be started as a daemon by the
specified systemd user instance.
</summary>
<param name="prefix">
<summary>
Prefix for the user domain.
</summary>
</param>
<param name="entry_point">
<summary>
Entry point file type for the domain.
</summary>
</param>
<param name="domain">
<summary>
Domain to allow the systemd user domain to run.
</summary>
</param>
</template>
<interface name="systemd_user_activated_sock_file" lineno="231">
<summary>
Associate the specified file type to be a type whose sock files
can be managed by systemd user instances for socket activation.
</summary>
<param name="file_type">
<summary>
File type to be associated.
</summary>
</param>
</interface>
<interface name="systemd_user_unix_stream_activated_socket" lineno="256">
<summary>
Associate the specified domain to be a domain whose unix stream
sockets and sock files can be managed by systemd user instances
for socket activation.
</summary>
<param name="domain">
<summary>
Domain to be associated.
</summary>
</param>
<param name="sock_file_type">
<summary>
File type of the domain's sock files to be associated.
</summary>
</param>
</interface>
<interface name="systemd_manage_conf_home_content" lineno="276">
<summary>
Allow the specified domain to manage systemd config home
content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabel_conf_home_content" lineno="297">
<summary>
Allow the specified domain to relabel systemd config home
content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_data_home_content" lineno="318">
<summary>
Allow the specified domain to manage systemd data home
content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabel_data_home_content" lineno="339">
<summary>
Allow the specified domain to relabel systemd data home
content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_user_runtime_lnk_files" lineno="359">
<summary>
Allow the specified domain to read systemd user runtime lnk files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_user_unit_files" lineno="378">
<summary>
Allow the specified domain to read system-wide systemd
user unit files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_user_runtime_units" lineno="398">
<summary>
Allow the specified domain to read systemd user runtime unit files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_search_user_runtime_unit_dirs" lineno="418">
<summary>
Allow the specified domain to search systemd user runtime unit
directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_list_user_runtime_unit_dirs" lineno="437">
<summary>
Allow the specified domain to list the contents of systemd
user runtime unit directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_status_user_runtime_units" lineno="455">
<summary>
Allow the specified domain to get the status of systemd user runtime units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_start_user_runtime_units" lineno="474">
<summary>
Allow the specified domain to start systemd user runtime units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_stop_user_runtime_units" lineno="493">
<summary>
Allow the specified domain to stop systemd user runtime units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_reload_user_runtime_units" lineno="512">
<summary>
Allow the specified domain to reload systemd user runtime units.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_log_parse_environment" lineno="532">
<summary>
Make the specified type usable as a
log parse environment type.
</summary>
<param name="domain">
<summary>
Type to be used as a log parse environment type.
</summary>
</param>
</interface>
<interface name="systemd_use_nss" lineno="552">
<summary>
Allow domain to use systemd's Name Service Switch (NSS) module.
This module provides UNIX user and group name resolution for dynamic users
and groups allocated through the DynamicUser= option in systemd unit files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_PrivateDevices" lineno="579">
<summary>
Allow domain to be used as a systemd service with a unit
that uses PrivateDevices=yes in section [Service].
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_read_hwdb" lineno="596">
<summary>
Allow domain to read udev hwdb file
</summary>
<param name="domain">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_map_hwdb" lineno="614">
<summary>
Allow domain to map udev hwdb file
</summary>
<param name="domain">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_read_logind_pids" lineno="632">
<summary>
Read systemd_login PID files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_logind_pid_pipes" lineno="647">
<summary>
Manage systemd_login PID pipes.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_write_logind_pid_pipes" lineno="662">
<summary>
Write systemd_login named pipe.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_logind_runtime_files" lineno="677">
<summary>
Read systemd-logind runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_logind_runtime_pipes" lineno="697">
<summary>
Manage systemd-logind runtime pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_write_logind_runtime_pipes" lineno="716">
<summary>
Write systemd-logind runtime named pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_watch_logind_runtime_dirs" lineno="736">
<summary>
Watch systemd-logind runtime dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_use_logind_fds" lineno="755">
<summary>
Use inherited systemd
logind file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_logind_sessions_files" lineno="773">
<summary>
Read logind sessions files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="794">
<summary>
Write inherited logind sessions pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_watch_logind_sessions_dirs" lineno="814">
<summary>
Watch logind sessions dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="832">
<summary>
Write inherited logind inhibit pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_dbus_chat_logind" lineno="853">
<summary>
Send and receive messages from
systemd logind over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_status_logind" lineno="873">
<summary>
Get the system status information from systemd_login
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_signull_logind" lineno="892">
<summary>
Send systemd_login a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_userdb_runtime_dirs" lineno="910">
<summary>
Manage systemd userdb runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_userdb_runtime_sock_files" lineno="928">
<summary>
Manage socket files under /run/systemd/userdb .
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_stream_connect_userdb" lineno="946">
<summary>
Connect to /run/systemd/userdb/io.systemd.DynamicUser .
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_machines" lineno="967">
<summary>
Allow reading /run/systemd/machines
</summary>
<param name="domain">
<summary>
Domain that can access the machines files
</summary>
</param>
</interface>
<interface name="systemd_connect_machined" lineno="986">
<summary>
Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
</summary>
<param name="domain">
<summary>
Domain that can access the socket
</summary>
</param>
</interface>
<interface name="systemd_watch_machines_dirs" lineno="1004">
<summary>
Allow watching /run/systemd/machines
</summary>
<param name="domain">
<summary>
Domain that can watch the machines files
</summary>
</param>
</interface>
<interface name="systemd_dbus_chat_hostnamed" lineno="1023">
<summary>
Send and receive messages from
systemd hostnamed over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_use_passwd_agent_fds" lineno="1043">
<summary>
allow systemd_passwd_agent to inherit fds
</summary>
<param name="domain">
<summary>
Domain that owns the fds
</summary>
</param>
</interface>
<interface name="systemd_run_passwd_agent" lineno="1066">
<summary>
allow systemd_passwd_agent to be run by admin
</summary>
<param name="domain">
<summary>
Domain that runs it
</summary>
</param>
<param name="role">
<summary>
role that it runs in
</summary>
</param>
</interface>
<interface name="systemd_use_passwd_agent" lineno="1087">
<summary>
Allow a systemd_passwd_agent_t process to interact with a daemon
that needs a password from the sysadmin.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1111">
<summary>
Transition to systemd_passwd_runtime_t when creating dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1132">
<summary>
Transition to systemd_userdb_runtime_t when
creating the userdb directory inside an init runtime
directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1150">
<summary>
Allow the domain to create systemd-passwd symlink
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_watch_passwd_runtime_dirs" lineno="1168">
<summary>
watch systemd_passwd_runtime_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_all_units" lineno="1186">
<summary>
manage systemd unit dirs and the files in them  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_list_journal_dirs" lineno="1201">
<summary>
Allow domain to list the contents of systemd_journal_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_journal_files" lineno="1219">
<summary>
Allow domain to read systemd_journal_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_journal_files" lineno="1238">
<summary>
Allow domain to create/manage systemd_journal_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabelto_journal_dirs" lineno="1258">
<summary>
Relabel to systemd-journald directory type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabelto_journal_files" lineno="1277">
<summary>
Relabel to systemd-journald file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_networkd_units" lineno="1297">
<summary>
Allow domain to read systemd_networkd_t unit files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_manage_networkd_units" lineno="1317">
<summary>
Allow domain to create/manage systemd_networkd_t unit files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_enabledisable_networkd" lineno="1337">
<summary>
Allow specified domain to enable and disable systemd-networkd units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_startstop_networkd" lineno="1356">
<summary>
Allow specified domain to start and stop systemd-networkd units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_status_networkd" lineno="1375">
<summary>
Allow specified domain to get status of systemd-networkd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="1394">
<summary>
Relabel systemd_networkd tun socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="1412">
<summary>
Read/Write from systemd_networkd netlink route socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_list_networkd_runtime" lineno="1430">
<summary>
Allow domain to list dirs under /run/systemd/netif
</summary>
<param name="domain">
<summary>
domain permitted the access
</summary>
</param>
</interface>
<interface name="systemd_watch_networkd_runtime_dirs" lineno="1449">
<summary>
Watch directories under /run/systemd/netif
</summary>
<param name="domain">
<summary>
Domain permitted the access
</summary>
</param>
</interface>
<interface name="systemd_read_networkd_runtime" lineno="1468">
<summary>
Allow domain to read files generated by systemd_networkd
</summary>
<param name="domain">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_read_logind_state" lineno="1487">
<summary>
Allow systemd_logind_t to read process state for cgroup file
</summary>
<param name="domain">
<summary>
Domain systemd_logind_t may access.
</summary>
</param>
</interface>
<interface name="systemd_start_power_units" lineno="1506">
<summary>
Allow specified domain to start power units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_status_power_units" lineno="1525">
<summary>
Get the system status information about power units
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_stream_connect_socket_proxyd" lineno="1544">
<summary>
Allows connections to the systemd-socket-proxyd's socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_tmpfiles_conf_file" lineno="1563">
<summary>
Make the specified type usable for
systemd tmpfiles config files.
</summary>
<param name="type">
<summary>
Type to be used for systemd tmpfiles config files.
</summary>
</param>
</interface>
<interface name="systemd_tmpfiles_creator" lineno="1584">
<summary>
Allow the specified domain to create
the tmpfiles config directory with
the correct context.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_tmpfiles_conf_filetrans" lineno="1620">
<summary>
Create an object in the systemd tmpfiles config
directory, with a private type
using a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="systemd_list_tmpfiles_conf" lineno="1639">
<summary>
Allow domain to list systemd tmpfiles config directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1657">
<summary>
Allow domain to relabel to systemd tmpfiles config directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1675">
<summary>
Allow domain to relabel to systemd tmpfiles config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_tmpfilesd_managed" lineno="1698">
<summary>
Allow systemd_tmpfiles_t to manage filesystem objects
</summary>
<param name="type">
<summary>
type of object to manage
</summary>
</param>
<param name="class">
<summary>
object class to manage
</summary>
</param>
</interface>
<interface name="systemd_dbus_chat_resolved" lineno="1718">
<summary>
Send and receive messages from
systemd resolved over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_read_resolved_runtime" lineno="1738">
<summary>
Allow domain to read resolv.conf file generated by systemd_resolved
</summary>
<param name="domain">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_getattr_updated_runtime" lineno="1756">
<summary>
Allow domain to getattr on .updated file (generated by systemd-update-done)
</summary>
<param name="domain">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="systemd_search_all_user_keys" lineno="1774">
<summary>
Search keys for all the systemd --user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_create_all_user_keys" lineno="1792">
<summary>
Create keys for all the systemd --user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_write_all_user_keys" lineno="1810">
<summary>
Write keys for all the systemd --user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_domtrans_sysusers" lineno="1829">
<summary>
Execute systemd-sysusers in the
systemd sysusers domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_run_sysusers" lineno="1854">
<summary>
Run systemd-sysusers with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="systemd_use_inherited_machined_ptys" lineno="1874">
<summary>
receive and use a systemd_machined_devpts_t file handle
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="systemd_run_nspawn" lineno="1898">
<summary>
run systemd-nspawn in systemd_nspawn_t domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="systemd_dgram_nspawn" lineno="1917">
<summary>
send datagrams to systemd_nspawn_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="systemd_search_user_runtime" lineno="1935">
<summary>
search systemd_user_runtime_t dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="systemd_tmpfiles_manage_all" dftval="false">
<desc>
<p>
Enable support for systemd-tmpfiles to manage all non-security files.
</p>
</desc>
</tunable>
<tunable name="systemd_nspawn_labeled_namespace" dftval="false">
<desc>
<p>
Allow systemd-nspawn to create a labelled namespace with the same types
as parent environment
</p>
</desc>
</tunable>
<tunable name="systemd_logind_get_bootloader" dftval="false">
<desc>
<p>
Allow systemd-logind to interact with the bootloader (read which one is
installed on fixed disks, enumerate entries for dbus property
BootLoaderEntries, etc.)
</p>
</desc>
</tunable>
<tunable name="systemd_socket_proxyd_bind_any" dftval="false">
<desc>
<p>
Allow systemd-socket-proxyd to bind any port instead of one labelled
with systemd_socket_proxyd_port_t.
</p>
</desc>
</tunable>
<tunable name="systemd_socket_proxyd_connect_any" dftval="false">
<desc>
<p>
Allow systemd-socket-proxyd to connect to any port instead of
labelled ones.
</p>
</desc>
</tunable>
<tunable name="systemd_tmpfilesd_factory" dftval="false">
<desc>
<p>
Allow systemd-tmpfilesd to populate missing configuration files from factory
template directory.
</p>
</desc>
</tunable>
</module>
<module name="udev" filename="policy/modules/system/udev.if">
<summary>Policy for udev.</summary>
<interface name="udev_signal" lineno="13">
<summary>
Send generic signals to udev.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_domtrans" lineno="31">
<summary>
Execute udev in the udev domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="udev_run_domain" lineno="62">
<summary>
Allow udev to execute the specified program in
the specified domain.
</summary>
<desc>
<p>
This is an interface to support the UDEV 'RUN'
command.  This will allow the command run by
udev to be run in a domain other than udev_t.
</p>
</desc>
<param name="domain">
<summary>
Domain to execute in.
</summary>
</param>
<param name="entry_file">
<summary>
Domain entry point file.
</summary>
</param>
</interface>
<interface name="udev_exec" lineno="80">
<summary>
Execute udev in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_helper_domtrans" lineno="98">
<summary>
Execute a udev helper in the udev domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="udev_read_state" lineno="116">
<summary>
Allow process to read udev process state.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_create_kobject_uevent_sockets" lineno="137">
<summary>
Allow domain to create uevent sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_dontaudit_use_fds" lineno="156">
<summary>
Do not audit attempts to inherit a
udev file descriptor.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="udev_dontaudit_rw_dgram_sockets" lineno="175">
<summary>
Do not audit attempts to read or write
to a udev unix datagram socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="udev_manage_rules_files" lineno="193">
<summary>
Manage udev rules files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_read_rules_files" lineno="215">
<summary>
read udev rules files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_dontaudit_search_db" lineno="235">
<summary>
Do not audit search of udev database directories.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="udev_read_db" lineno="255">
<summary>
Read the udev device table.  (Deprecated)
</summary>
<desc>
<p>
Allow the specified domain to read the udev device table.  (Deprecated)
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="read" weight="10"/>
</interface>
<interface name="udev_rw_db" lineno="269">
<summary>
Allow process to modify list of devices.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_relabelto_db" lineno="283">
<summary>
Allow process to relabelto udev database  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_relabelto_db_sockets" lineno="297">
<summary>
Allow process to relabelto sockets in /run/udev  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_search_pids" lineno="311">
<summary>
Search through udev pid content  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_list_pids" lineno="326">
<summary>
list udev pid content  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_manage_pid_dirs" lineno="342">
<summary>
Create, read, write, and delete
udev pid directories  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_read_pid_files" lineno="357">
<summary>
Read udev pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_dontaudit_rw_pid_files" lineno="372">
<summary>
dontaudit attempts to read/write udev pidfiles  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="udev_manage_pid_files" lineno="388">
<summary>
Create, read, write, and delete
udev pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_generic_pid_filetrans_run_dirs" lineno="408">
<summary>
Create directories in the run location with udev_runtime_t type  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
Name of the directory that is created
</summary>
</param>
</interface>
<interface name="udev_search_runtime" lineno="422">
<summary>
Search through udev runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_list_runtime" lineno="441">
<summary>
List udev runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_manage_runtime_dirs" lineno="461">
<summary>
Create, read, write, and delete
udev runtime directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_read_runtime_files" lineno="480">
<summary>
Read udev runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_dontaudit_rw_runtime_files" lineno="499">
<summary>
dontaudit attempts to read/write udev runtime files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="udev_manage_runtime_files" lineno="518">
<summary>
Create, read, write, and delete
udev runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_domtrans_udevadm" lineno="537">
<summary>
Execute udev admin in the udevadm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="udevadm_domtrans" lineno="555">
<summary>
Execute udev admin in the udevadm domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="udevadm_run" lineno="577">
<summary>
Execute udevadm in the udevadm domain, and
allow the specified role the udevadm domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="udev_run_udevadm" lineno="599">
<summary>
Execute udevadm in the udevadm domain, and
allow the specified role the udevadm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="udevadm_exec" lineno="618">
<summary>
Execute udevadm in the caller domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="udev_exec_udevadm" lineno="633">
<summary>
Execute udevadm in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="unconfined" filename="policy/modules/system/unconfined.if">
<summary>The unconfined domain.</summary>
<interface name="unconfined_stub" lineno="13">
<summary>
Unconfined stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_domain_noaudit" lineno="29">
<summary>
Make the specified domain unconfined.
</summary>
<param name="domain">
<summary>
Domain to make unconfined.
</summary>
</param>
</interface>
<interface name="unconfined_domain" lineno="153">
<summary>
Make the specified domain unconfined and
audit executable heap usage.
</summary>
<desc>
<p>
Make the specified domain unconfined and
audit executable heap usage.  With the exception
of memory protections, a domain using this interface
has the same level of access it would have if
SELinux were not being used.
</p>
<p>
Only completely trusted domains should use this interface.
</p>
<p>
Does not allow return communications from confined
domains via message based mechanisms such as dbus or
SysV message queues.
</p>
</desc>
<param name="domain">
<summary>
Domain to make unconfined.
</summary>
</param>
</interface>
<interface name="unconfined_domtrans" lineno="171">
<summary>
Transition to the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="unconfined_run" lineno="194">
<summary>
Execute specified programs in the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the unconfined domain.
</summary>
</param>
</interface>
<interface name="unconfined_shell_domtrans" lineno="213">
<summary>
Transition to the unconfined domain by executing a shell.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="unconfined_domtrans_to" lineno="251">
<summary>
Allow unconfined to execute the specified program in
the specified domain.
</summary>
<desc>
<p>
Allow unconfined to execute the specified program in
the specified domain.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="domain">
<summary>
Domain to execute in.
</summary>
</param>
<param name="entry_file">
<summary>
Domain entry point file.
</summary>
</param>
</interface>
<interface name="unconfined_run_to" lineno="288">
<summary>
Allow unconfined to execute the specified program in
the specified domain.  Allow the specified domain the
unconfined role and use of unconfined user terminals.
</summary>
<desc>
<p>
Allow unconfined to execute the specified program in
the specified domain.  Allow the specified domain the
unconfined role and use of unconfined user terminals.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="domain">
<summary>
Domain to execute in.
</summary>
</param>
<param name="entry_file">
<summary>
Domain entry point file.
</summary>
</param>
</interface>
<interface name="unconfined_use_fds" lineno="309">
<summary>
Inherit file descriptors from the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_sigchld" lineno="327">
<summary>
Send a SIGCHLD signal to the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_signull" lineno="345">
<summary>
Send a null signal (signull) to the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_signal" lineno="363">
<summary>
Send generic signals to the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_read_pipes" lineno="381">
<summary>
Read unconfined domain unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dontaudit_read_pipes" lineno="399">
<summary>
Do not audit attempts to read unconfined domain unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="unconfined_rw_pipes" lineno="417">
<summary>
Read and write unconfined domain unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dontaudit_rw_pipes" lineno="436">
<summary>
Do not audit attempts to read and write
unconfined domain unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="unconfined_stream_connect" lineno="455">
<summary>
Connect to the unconfined domain using
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="474">
<summary>
Do not audit attempts to read and write
unconfined domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="503">
<summary>
Do not audit attempts to read or write
unconfined domain tcp sockets.
</summary>
<desc>
<p>
Do not audit attempts to read or write
unconfined domain tcp sockets.
</p>
<p>
This interface was added due to a broken
symptom in ldconfig.
</p>
</desc>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="unconfined_search_keys" lineno="521">
<summary>
Search keys for the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_create_keys" lineno="539">
<summary>
Create keys for the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_write_keys" lineno="557">
<summary>
Write keys for the unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dbus_send" lineno="575">
<summary>
Send messages to the unconfined domain over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dbus_chat" lineno="595">
<summary>
Send and receive messages from
unconfined_t over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="unconfined_dbus_connect" lineno="616">
<summary>
Connect to the unconfined DBUS
for service (acquire_svc).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="userdomain" filename="policy/modules/system/userdomain.if">
<summary>Policy for user domains</summary>
<template name="userdom_base_user_template" lineno="24">
<summary>
The template containing the most basic rules common to all users.
</summary>
<desc>
<p>
The template containing the most basic rules common to all users.
</p>
<p>
This template creates a user domain, types, and
rules for the user's tty and pty.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolebase/>
</template>
<template name="userdom_user_content_access_template" lineno="183">
<summary>
Template for handling user content through standard tunables
</summary>
<desc>
<p>
This template generates the tunable blocks for accessing
end user content, either the generic one (user_home_t)
or the complete one (based on user_home_content_type).
</p>
<p>
It calls the *_read_generic_user_content,
*_read_all_user_content, *_manage_generic_user_content, and
*_manage_all_user_content booleans.
</p>
</desc>
<param name="prefix">
<summary>
The application domain prefix to use, meant for the boolean
calls
</summary>
</param>
<param name="domain">
<summary>
The application domain which is granted the necessary privileges
</summary>
</param>
<rolebase/>
</template>
<interface name="userdom_ro_home_role" lineno="274">
<summary>
Allow a home directory for which the
role has read-only access.
</summary>
<desc>
<p>
Allow a home directory for which the
role has read-only access.
</p>
<p>
This does not allow execute access.
</p>
</desc>
<param name="role" unused="true">
<summary>
The user role
</summary>
</param>
<param name="userdomain">
<summary>
The user domain
</summary>
</param>
<rolebase/>
</interface>
<interface name="userdom_manage_home_role" lineno="351">
<summary>
Allow a home directory for which the
role has full access.
</summary>
<desc>
<p>
Allow a home directory for which the
role has full access.
</p>
<p>
This does not allow execute access.
</p>
</desc>
<param name="role" unused="true">
<summary>
The user role
</summary>
</param>
<param name="userdomain">
<summary>
The user domain
</summary>
</param>
<rolebase/>
</interface>
<interface name="userdom_manage_tmp_role" lineno="429">
<summary>
Manage user temporary files
</summary>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolebase/>
</interface>
<interface name="userdom_exec_user_tmp_files" lineno="456">
<summary>
Execute user temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolebase/>
</interface>
<interface name="userdom_manage_tmpfs_role" lineno="492">
<summary>
Role access for the user tmpfs type
to which the user has full access.
</summary>
<desc>
<p>
Role access for the user tmpfs type
to which the user has full access.
</p>
<p>
This does not allow execute access.
</p>
</desc>
<param name="role" unused="true">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<template name="userdom_basic_networking_template" lineno="518">
<summary>
The template allowing the user basic
network permissions
</summary>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolebase/>
</template>
<template name="userdom_change_password_template" lineno="558">
<summary>
The template for allowing the user to change passwords.
</summary>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolebase/>
</template>
<template name="userdom_common_user_template" lineno="588">
<summary>
The template containing rules common to unprivileged
users and administrative users.
</summary>
<desc>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, tmp, and tmpfs files.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="userdom_login_user_template" lineno="906">
<summary>
The template for creating a login user.
</summary>
<desc>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, home directories,
tmp, and tmpfs files.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="userdom_restricted_user_template" lineno="1030">
<summary>
The template for creating an unprivileged login user.
</summary>
<desc>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, home directories,
tmp, and tmpfs files.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="userdom_restricted_xwindows_user_template" lineno="1071">
<summary>
The template for creating an unprivileged xwindows login user.
</summary>
<desc>
<p>
The template for creating an unprivileged xwindows login user.
</p>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, home directories,
tmp, and tmpfs files.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="userdom_unpriv_user_template" lineno="1154">
<summary>
The template for creating an unprivileged user roughly
equivalent to a regular linux user.
</summary>
<desc>
<p>
The template for creating an unprivileged user roughly
equivalent to a regular linux user.
</p>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, home directories,
tmp, and tmpfs files.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="userdom_admin_user_template" lineno="1278">
<summary>
The template for creating an administrative user.
</summary>
<desc>
<p>
This template creates a user domain, types, and
rules for the user's tty, pty, home directories,
tmp, and tmpfs files.
</p>
<p>
The privileges given to administrative users are:
<ul>
<li>Raw disk access</li>
<li>Set all sysctls</li>
<li>All kernel ring buffer controls</li>
<li>Create, read, write, and delete all files but shadow</li>
<li>Manage source and binary format SELinux policy</li>
<li>Run insmod</li>
</ul>
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., sysadm
is the prefix for sysadm_t).
</summary>
</param>
</template>
<template name="userdom_security_admin_template" lineno="1439">
<summary>
Allow user to run as a secadm
</summary>
<desc>
<p>
Create objects in a user home directory
with an automatic type transition to
a specified private type.
</p>
<p>
This is a templated interface, and should only
be called from a per-userdomain template.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role  of the object to create.
</summary>
</param>
</template>
<template name="userdom_xdg_user_template" lineno="1532">
<summary>
Allow user to interact with xdg content types
</summary>
<desc>
<p>
Create rules to allow a user to manage xdg
content in a user home directory with an
automatic type transition to those types.
</p>
<p>
This is a templated interface, and should only
be called from a per-userdomain template.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="userdom_user_application_type" lineno="1583">
<summary>
Make the specified type usable as
a user application domain type.
</summary>
<param name="type">
<summary>
Type to be used as a user application domain.
</summary>
</param>
</interface>
<interface name="userdom_user_application_domain" lineno="1604">
<summary>
Make the specified type usable as
a user application domain.
</summary>
<param name="type">
<summary>
Type to be used as a user application domain.
</summary>
</param>
<param name="type">
<summary>
Type to be used as the domain entry point.
</summary>
</param>
</interface>
<interface name="userdom_user_home_content" lineno="1621">
<summary>
Make the specified type usable in a
user home directory.
</summary>
<param name="type">
<summary>
Type to be used as a file in the
user home directory.
</summary>
</param>
</interface>
<interface name="userdom_user_tmp_file" lineno="1647">
<summary>
Make the specified type usable as a
user temporary file.
</summary>
<param name="type">
<summary>
Type to be used as a file in the
temporary directories.
</summary>
</param>
</interface>
<interface name="userdom_user_tmpfs_file" lineno="1664">
<summary>
Make the specified type usable as a
user tmpfs file.
</summary>
<param name="type">
<summary>
Type to be used as a file in
tmpfs directories.
</summary>
</param>
</interface>
<interface name="userdom_attach_admin_tun_iface" lineno="1679">
<summary>
Allow domain to attach to TUN devices created by administrative users.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_setattr_user_ptys" lineno="1698">
<summary>
Set the attributes of a user pty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_create_user_pty" lineno="1716">
<summary>
Create a user pty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_getattr_user_home_dirs" lineno="1734">
<summary>
Get the attributes of user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1753">
<summary>
Do not audit attempts to get the attributes of user home directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_search_user_home_dirs" lineno="1771">
<summary>
Search user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1798">
<summary>
Do not audit attempts to search user home directories.
</summary>
<desc>
<p>
Do not audit attempts to search user home directories.
This will suppress SELinux denial messages when the specified
domain is denied the permission to search these directories.
</p>
</desc>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="userdom_list_user_home_dirs" lineno="1816">
<summary>
List user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1835">
<summary>
Do not audit attempts to list user home subdirectories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_create_user_home_dirs" lineno="1853">
<summary>
Create user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_dirs" lineno="1871">
<summary>
Manage user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_relabelto_user_home_dirs" lineno="1889">
<summary>
Relabel to user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_home_filetrans_user_home_dir" lineno="1913">
<summary>
Create directories in the home dir root with
the user home directory type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_home_domtrans" lineno="1950">
<summary>
Do a domain transition to the specified
domain when executing a program in the
user home directory.
</summary>
<desc>
<p>
Do a domain transition to the specified
domain when executing a program in the
user home directory.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_search_user_home_content" lineno="1970">
<summary>
Do not audit attempts to search user home content directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_list_all_user_home_content" lineno="1988">
<summary>
List all users home content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_list_user_home_content" lineno="2007">
<summary>
List contents of users home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_content_dirs" lineno="2026">
<summary>
Create, read, write, and delete directories
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_home_content_dirs" lineno="2045">
<summary>
Delete all user home content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_home_content_dirs" lineno="2065">
<summary>
Delete directories in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2083">
<summary>
Set attributes of all user home content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2103">
<summary>
Do not audit attempts to set the
attributes of user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_map_user_home_content_files" lineno="2121">
<summary>
Map user home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_mmap_user_home_content_files" lineno="2139">
<summary>
Mmap user home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_read_user_home_content_files" lineno="2158">
<summary>
Read user home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2177">
<summary>
Do not audit attempts to read user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_read_all_user_home_content" lineno="2196">
<summary>
Read all user home content, including application-specific resources.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="userdom_manage_all_user_home_content" lineno="2218">
<summary>
Manage all user home content, including application-specific resources.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2240">
<summary>
Do not audit attempts to append user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_append_inherited_user_home_content_files" lineno="2258">
<summary>
Allow append on inherited user home files.
</summary>
<param name="domain">
<summary>
Domain to allow.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2276">
<summary>
Do not audit attempts to write user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_home_content_files" lineno="2294">
<summary>
Delete all user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_home_content_files" lineno="2314">
<summary>
Delete files in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2332">
<summary>
Do not audit attempts to relabel user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_read_user_home_content_symlinks" lineno="2350">
<summary>
Read user home subdirectory symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_exec_user_home_content_files" lineno="2370">
<summary>
Execute user home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2397">
<summary>
Do not audit attempts to execute user home files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_content_files" lineno="2416">
<summary>
Create, read, write, and delete files
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2437">
<summary>
Do not audit attempts to create, read, write, and delete directories
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_content_symlinks" lineno="2456">
<summary>
Create, read, write, and delete symbolic links
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2476">
<summary>
Delete all user home content symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_home_content_symlinks" lineno="2496">
<summary>
Delete symbolic links in a user home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_content_pipes" lineno="2515">
<summary>
Create, read, write, and delete named pipes
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_home_content_sockets" lineno="2536">
<summary>
Create, read, write, and delete named sockets
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_user_home_dir_filetrans" lineno="2573">
<summary>
Create objects in a user home directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_home_content_filetrans" lineno="2610">
<summary>
Create objects in a directory located
in a user home directory with an
automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2641">
<summary>
Automatically use the user_cert_t label for selected resources
created in a user's home directory
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="class">
<summary>
Resource type(s) for which the label should be used
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the resource that is being created
</summary>
</param>
</interface>
<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2671">
<summary>
Create objects in a user home directory
with an automatic type transition to
the user home file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_read_user_certs" lineno="2691">
<summary>
Read user SSL certificates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="userdom_dontaudit_manage_user_certs" lineno="2714">
<summary>
Do not audit attempts to manage
the user SSL certificates.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="userdom_manage_user_certs" lineno="2734">
<summary>
Manage user SSL certificates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_write_user_tmp_sockets" lineno="2755">
<summary>
Write to user temporary named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_list_user_tmp" lineno="2775">
<summary>
List user temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_list_user_tmp" lineno="2797">
<summary>
Do not audit attempts to list user
temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmp_dirs" lineno="2815">
<summary>
Delete users temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="2834">
<summary>
Do not audit attempts to manage users
temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_read_user_tmp_files" lineno="2852">
<summary>
Read user temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_map_user_tmp_files" lineno="2873">
<summary>
Map user temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_read_user_tmp_files" lineno="2892">
<summary>
Do not audit attempts to read users
temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_append_user_tmp_files" lineno="2911">
<summary>
Do not audit attempts to append users
temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_rw_user_tmp_files" lineno="2929">
<summary>
Read and write user temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmp_files" lineno="2950">
<summary>
Delete users temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="2969">
<summary>
Do not audit attempts to manage users
temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_read_user_tmp_symlinks" lineno="2987">
<summary>
Read user temporary symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmp_symlinks" lineno="3008">
<summary>
Delete users temporary symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmp_dirs" lineno="3027">
<summary>
Create, read, write, and delete user
temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmp_named_pipes" lineno="3047">
<summary>
Delete users temporary named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmp_files" lineno="3066">
<summary>
Create, read, write, and delete user
temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmp_named_sockets" lineno="3086">
<summary>
Delete users temporary named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmp_symlinks" lineno="3105">
<summary>
Create, read, write, and delete user
temporary symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmp_pipes" lineno="3126">
<summary>
Create, read, write, and delete user
temporary named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmp_sockets" lineno="3147">
<summary>
Create, read, write, and delete user
temporary named sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_user_tmp_filetrans" lineno="3184">
<summary>
Create objects in a user temporary directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_tmp_filetrans_user_tmp" lineno="3216">
<summary>
Create objects in the temporary directory
with an automatic type transition to
the user temporary type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_map_user_tmpfs_files" lineno="3234">
<summary>
Map user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_read_user_tmpfs_files" lineno="3252">
<summary>
Read user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3272">
<summary>
Do not audit attempts to read user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3291">
<summary>
Relabel to and from user tmpfs directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_relabel_user_tmpfs_files" lineno="3310">
<summary>
Relabel to and from user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_user_runtime_content" lineno="3332">
<summary>
Make the specified type usable in
the directory /run/user/%{USERID}/.
</summary>
<param name="type">
<summary>
Type to be used as a file in the
user_runtime_content_dir_t.
</summary>
</param>
</interface>
<interface name="userdom_search_user_runtime" lineno="3352">
<summary>
Search users runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_search_user_runtime_root" lineno="3371">
<summary>
Search user runtime root directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_runtime_root_dirs" lineno="3391">
<summary>
Create, read, write, and delete user
runtime root dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3410">
<summary>
Relabel to and from user runtime root dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_runtime_dirs" lineno="3429">
<summary>
Create, read, write, and delete user
runtime dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_mounton_user_runtime_dirs" lineno="3449">
<summary>
Mount a filesystem on user runtime dir
directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_relabelto_user_runtime_dirs" lineno="3467">
<summary>
Relabel to user runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3485">
<summary>
Relabel from user runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_runtime_files" lineno="3503">
<summary>
delete user runtime files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_write_user_runtime_sockets" lineno="3522">
<summary>
write user runtime sockets
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_search_all_user_runtime" lineno="3540">
<summary>
Search users runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_list_all_user_runtime" lineno="3559">
<summary>
List user runtime directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_dirs" lineno="3578">
<summary>
delete user runtime directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3596">
<summary>
write user runtime socket files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_files" lineno="3615">
<summary>
delete user runtime files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3634">
<summary>
delete user runtime symlink files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3653">
<summary>
delete user runtime fifo files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3672">
<summary>
delete user runtime socket files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3691">
<summary>
delete user runtime blk files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3709">
<summary>
delete user runtime chr files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_pid_filetrans_user_runtime_root" lineno="3739">
<summary>
Create objects in the pid directory
with an automatic type transition to
the user runtime root type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3766">
<summary>
Create objects in the runtime directory
with an automatic type transition to
the user runtime root type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_runtime_filetrans" lineno="3802">
<summary>
Create objects in a user runtime
directory with an automatic type
transition to a specified private
type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3833">
<summary>
Create objects in the user runtime directory
with an automatic type transition to
the user temporary type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="3863">
<summary>
Create objects in the user runtime root
directory with an automatic type transition
to the user runtime dir type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_user_run_filetrans_user_runtime" lineno="3894">
<summary>
Create objects in the user runtime root
directory with an automatic type transition
to the user runtime dir type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="userdom_rw_user_tmpfs_files" lineno="3912">
<summary>
Read and write user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_delete_user_tmpfs_files" lineno="3933">
<summary>
Delete user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_user_tmpfs_files" lineno="3952">
<summary>
Create, read, write, and delete user tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_execmod_user_tmpfs_files" lineno="3972">
<summary>
execute and execmod user tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_getattr_user_ttys" lineno="3990">
<summary>
Get the attributes of a user domain tty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4008">
<summary>
Do not audit attempts to get the attributes of a user domain tty.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_setattr_user_ttys" lineno="4026">
<summary>
Set the attributes of a user domain tty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4044">
<summary>
Do not audit attempts to set the attributes of a user domain tty.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_use_user_ttys" lineno="4062">
<summary>
Read and write a user domain tty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_use_user_ptys" lineno="4080">
<summary>
Read and write a user domain pty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_use_inherited_user_terminals" lineno="4115">
<summary>
Read and write inherited user TTYs and PTYs.
</summary>
<desc>
<p>
Allow the specified domain to read and write user
TTYs and PTYs. This will allow the domain to
interact with the user via the terminal. Typically
all interactive applications will require this
access.
</p>
<p>
However, this also allows the applications to spy
on user sessions or inject information into the
user session.  Thus, this access should likely
not be allowed for non-interactive domains.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
</interface>
<interface name="userdom_use_user_terminals" lineno="4156">
<summary>
Read, write and open user TTYs and PTYs.
</summary>
<desc>
<p>
Allow the specified domain to read and write user
TTYs and PTYs. This will allow the domain to
interact with the user via the terminal. Typically
all interactive applications will require this
access.
</p>
<p>
This interface also allows the domain to open these
user terminals. That should not be necessary in general;
userdom_use_inherited_user_terminals() should
be sufficient.
</p>
<p>
However, this also allows the applications to spy
on user sessions or inject information into the
user session.  Thus, this access should likely
not be allowed for non-interactive domains.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
</interface>
<interface name="userdom_dontaudit_use_user_terminals" lineno="4172">
<summary>
Do not audit attempts to read and write
a user domain tty and pty.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_spec_domtrans_all_users" lineno="4193">
<summary>
Execute a shell in all user domains.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4216">
<summary>
Execute an Xserver session in all user domains.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_spec_domtrans_unpriv_users" lineno="4239">
<summary>
Execute a shell in all unprivileged user domains.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4262">
<summary>
Execute an Xserver session in all unprivileged user domains.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_rw_unpriv_user_semaphores" lineno="4283">
<summary>
Read and write unprivileged user SysV semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_unpriv_user_semaphores" lineno="4301">
<summary>
Manage unprivileged user SysV semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4320">
<summary>
Read and write unprivileged user SysV shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4339">
<summary>
Manage unprivileged user SysV shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4359">
<summary>
Execute bin_t in the unprivileged user domains. This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4382">
<summary>
Execute all entrypoint files in unprivileged user
domains. This is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="userdom_search_user_home_content" lineno="4403">
<summary>
Search users home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_watch_user_home_dirs" lineno="4422">
<summary>
Watch user home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_signull_unpriv_users" lineno="4440">
<summary>
Send signull to unprivileged user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_signal_unpriv_users" lineno="4458">
<summary>
Send general signals to unprivileged user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_use_unpriv_users_fds" lineno="4476">
<summary>
Inherit the file descriptors from unprivileged user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4504">
<summary>
Do not audit attempts to inherit the file descriptors
from unprivileged user domains.
</summary>
<desc>
<p>
Do not audit attempts to inherit the file descriptors
from unprivileged user domains. This will suppress
SELinux denial messages when the specified domain is denied
the permission to inherit these file descriptors.
</p>
</desc>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<infoflow type="none"/>
</interface>
<interface name="userdom_dontaudit_use_user_ptys" lineno="4522">
<summary>
Do not audit attempts to use user ptys.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_relabelto_user_ptys" lineno="4540">
<summary>
Relabel files to unprivileged user pty types.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4559">
<summary>
Do not audit attempts to relabel files from
user pty types.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_write_user_tmp_files" lineno="4577">
<summary>
Write all users files in /tmp
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4596">
<summary>
Do not audit attempts to write users
temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_unlink_user_tmp_devices" lineno="4615">
<summary>
Delete user_tmp_t device nodes (probably should not have been
created in the first place)
</summary>
<param name="domain">
<summary>
Domain to allow deleting
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_use_user_ttys" lineno="4633">
<summary>
Do not audit attempts to use user ttys.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_read_all_users_state" lineno="4651">
<summary>
Read the process state of all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_getattr_all_users" lineno="4671">
<summary>
Get the attributes of all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_use_all_users_fds" lineno="4689">
<summary>
Inherit the file descriptors from all user domains
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_use_all_users_fds" lineno="4708">
<summary>
Do not audit attempts to inherit the file
descriptors from any user domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userdom_signal_all_users" lineno="4726">
<summary>
Send general signals to all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_sigchld_all_users" lineno="4744">
<summary>
Send a SIGCHLD signal to all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_read_all_users_keys" lineno="4762">
<summary>
Read keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_write_all_users_keys" lineno="4780">
<summary>
Write keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_rw_all_users_keys" lineno="4798">
<summary>
Read and write keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_create_all_users_keys" lineno="4816">
<summary>
Create keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_manage_all_users_keys" lineno="4834">
<summary>
Manage keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dbus_send_all_users" lineno="4852">
<summary>
Send a dbus message to all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="4872">
<summary>
Do not audit attempts to read and write
user domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<tunable name="allow_user_mysql_connect" dftval="false">
<desc>
<p>
Allow users to connect to mysql
</p>
</desc>
</tunable>
<tunable name="allow_user_postgresql_connect" dftval="false">
<desc>
<p>
Allow users to connect to PostgreSQL
</p>
</desc>
</tunable>
<tunable name="user_direct_mouse" dftval="false">
<desc>
<p>
Allow regular users direct mouse access
</p>
</desc>
</tunable>
<tunable name="user_dmesg" dftval="false">
<desc>
<p>
Allow users to read system messages.
</p>
</desc>
</tunable>
<tunable name="user_rw_noexattrfile" dftval="false">
<desc>
<p>
Allow user to r/w files on filesystems
that do not have extended attributes (FAT, CDROM, FLOPPY)
</p>
</desc>
</tunable>
<tunable name="user_exec_noexattrfile" dftval="false">
<desc>
<p>
Allow user to execute files on filesystems
that do not have extended attributes (FAT, CDROM, FLOPPY)
</p>
</desc>
</tunable>
<tunable name="user_write_removable" dftval="false">
<desc>
<p>
Allow user to write files on removable
devices (e.g. external USB memory
devices or floppies)
</p>
</desc>
</tunable>
<tunable name="user_ttyfile_stat" dftval="false">
<desc>
<p>
Allow the w command to display all logged-in users.
</p>
</desc>
</tunable>
</module>
<module name="xdg" filename="policy/modules/system/xdg.if">
<summary>
Freedesktop standard locations (formerly known as X Desktop Group)
</summary>
<interface name="xdg_cache_content" lineno="16">
<summary>
Mark the selected type as an xdg_cache_type
</summary>
<param name="type">
<summary>
Type to give the xdg_cache_type attribute to
</summary>
</param>
</interface>
<interface name="xdg_config_content" lineno="36">
<summary>
Mark the selected type as an xdg_config_type
</summary>
<param name="type">
<summary>
Type to give the xdg_config_type attribute to
</summary>
</param>
</interface>
<interface name="xdg_data_content" lineno="56">
<summary>
Mark the selected type as an xdg_data_type
</summary>
<param name="type">
<summary>
Type to give the xdg_data_type attribute to
</summary>
</param>
</interface>
<interface name="xdg_search_cache_dirs" lineno="76">
<summary>
Search through the xdg cache home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_cache_dirs" lineno="96">
<summary>
Watch the xdg cache home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_all_cache_dirs" lineno="114">
<summary>
Watch all the xdg cache home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_cache_files" lineno="132">
<summary>
Read the xdg cache home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_all_cache_files" lineno="155">
<summary>
Read all xdg_cache_type files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_cache_filetrans" lineno="195">
<summary>
Create objects in an xdg_cache directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the file or directory created
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_cache" lineno="228">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_cache_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_create_cache_dirs" lineno="246">
<summary>
Create xdg cache home directories
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_manage_cache" lineno="264">
<summary>
Manage the xdg cache home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_manage_all_cache" lineno="289">
<summary>
Manage all the xdg cache home files regardless of their specific type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_cache" lineno="314">
<summary>
Allow relabeling the xdg cache home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_all_cache" lineno="338">
<summary>
Allow relabeling the xdg cache home files, regardless of their specific type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_search_config_dirs" lineno="362">
<summary>
Search through the xdg config home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_config_dirs" lineno="382">
<summary>
Watch the xdg config home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_config_files" lineno="400">
<summary>
Watch the xdg config home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_all_config_dirs" lineno="418">
<summary>
Watch all the xdg config home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_config_files" lineno="436">
<summary>
Read the xdg config home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_all_config_files" lineno="459">
<summary>
Read all xdg_config_type files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_config_filetrans" lineno="499">
<summary>
Create objects in an xdg_config directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the file or directory created
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_config" lineno="532">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_config_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_create_config_dirs" lineno="550">
<summary>
Create xdg config home directories
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_manage_config" lineno="568">
<summary>
Manage the xdg config home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_manage_all_config" lineno="593">
<summary>
Manage all the xdg config home files regardless of their specific type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_config" lineno="618">
<summary>
Allow relabeling the xdg config home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_all_config" lineno="642">
<summary>
Allow relabeling the xdg config home files, regardless of their specific type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_data_dirs" lineno="666">
<summary>
Watch the xdg data home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_data_files" lineno="684">
<summary>
Watch the xdg data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_all_data_dirs" lineno="702">
<summary>
Watch all the xdg data home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_all_data_files" lineno="720">
<summary>
Watch all the xdg data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_data_files" lineno="738">
<summary>
Read the xdg data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_all_data_files" lineno="761">
<summary>
Read all xdg_data_type files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_data_filetrans" lineno="801">
<summary>
Create objects in an xdg_data directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Optional name of the file or directory created
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_data" lineno="834">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_data_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_create_data_dirs" lineno="852">
<summary>
Create xdg data home directories
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_manage_data" lineno="870">
<summary>
Manage the xdg data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_manage_all_data" lineno="895">
<summary>
Manage all the xdg data home files, regardless of their specific type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_data" lineno="920">
<summary>
Allow relabeling the xdg data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_exec_data" lineno="944">
<summary>
Allow the domain to execute xdg_data_t files, as needed by some application configuration in KDE
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_relabel_all_data" lineno="962">
<summary>
Allow relabeling the xdg data home files, regardless of their type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_documents_dirs" lineno="986">
<summary>
Watch the xdg documents home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_documents" lineno="1015">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_documents_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_manage_documents" lineno="1033">
<summary>
Manage documents content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_relabel_documents" lineno="1054">
<summary>
Allow relabeling the documents resources
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_downloads_dirs" lineno="1076">
<summary>
Watch the xdg downloads home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_downloads" lineno="1094">
<summary>
Read downloaded content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_create_downloads" lineno="1117">
<summary>
Create downloaded content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_write_downloads" lineno="1140">
<summary>
Write downloaded content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_downloads" lineno="1174">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_downloads_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_manage_downloads" lineno="1192">
<summary>
Manage downloaded content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_relabel_downloads" lineno="1213">
<summary>
Allow relabeling the downloads resources
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_pictures_dirs" lineno="1235">
<summary>
Watch the xdg pictures home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_pictures" lineno="1253">
<summary>
Read user pictures content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_pictures" lineno="1287">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_pictures_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_manage_pictures" lineno="1305">
<summary>
Manage pictures content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_relabel_pictures" lineno="1326">
<summary>
Allow relabeling the pictures resources
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_music_dirs" lineno="1348">
<summary>
Watch the xdg music home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_music" lineno="1366">
<summary>
Read user music content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_music" lineno="1400">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_music_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_manage_music" lineno="1418">
<summary>
Manage music content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_relabel_music" lineno="1439">
<summary>
Allow relabeling the music resources
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_watch_videos_dirs" lineno="1461">
<summary>
Watch the xdg videos home directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xdg_read_videos" lineno="1479">
<summary>
Read user video content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_generic_user_home_dir_filetrans_videos" lineno="1513">
<summary>
Create objects in the user home dir with an automatic type transition to
the xdg_videos_t type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="filename" optional="true">
<summary>
Name of the directory created
</summary>
</param>
</interface>
<interface name="xdg_manage_videos" lineno="1531">
<summary>
Manage video content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="xdg_relabel_videos" lineno="1552">
<summary>
Allow relabeling the videos resources
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="xen" filename="policy/modules/system/xen.if">
<summary>Xen hypervisor.</summary>
<interface name="xen_domtrans" lineno="13">
<summary>
Execute a domain transition to run xend.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xen_exec" lineno="32">
<summary>
Execute xend in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_use_fds" lineno="51">
<summary>
Inherit and use xen file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_dontaudit_use_fds" lineno="70">
<summary>
Do not audit attempts to inherit
xen file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xen_manage_image_dirs" lineno="89">
<summary>
Create, read, write, and delete
xend image directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_read_image_files" lineno="108">
<summary>
Read xend image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_rw_image_files" lineno="128">
<summary>
Read and write xend image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_append_log" lineno="148">
<summary>
Append xend log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_manage_log" lineno="169">
<summary>
Create, read, write, and delete
xend log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_read_xenstored_pid_files" lineno="189">
<summary>
Read xenstored pid files.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_read_xenstored_runtime_files" lineno="204">
<summary>
Read xenstored runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_dontaudit_rw_unix_stream_sockets" lineno="224">
<summary>
Do not audit attempts to read and write
Xen unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xen_stream_connect_xenstore" lineno="243">
<summary>
Connect to xenstored with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_stream_connect" lineno="263">
<summary>
Connect to xend with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_pid_filetrans" lineno="295">
<summary>
Create objects in a xend_runtime_t directory with a type transition to the specified private type.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="xen_runtime_filetrans" lineno="320">
<summary>
Create objects in a xend_runtime_t directory with a type transition to the specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="xen_domtrans_xm" lineno="338">
<summary>
Execute a domain transition to run xm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xen_stream_connect_xm" lineno="358">
<summary>
Connect to xm with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="xend_run_blktap" dftval="false">
<desc>
<p>
Determine whether xend can
run blktapctrl and tapdisk.
</p>
</desc>
</tunable>
<tunable name="xen_use_fusefs" dftval="false">
<desc>
<p>
Determine whether xen can
use fusefs file systems.
</p>
</desc>
</tunable>
<tunable name="xen_use_nfs" dftval="false">
<desc>
<p>
Determine whether xen can
use nfs file systems.
</p>
</desc>
</tunable>
<tunable name="xen_use_samba" dftval="false">
<desc>
<p>
Determine whether xen can
use samba file systems.
</p>
</desc>
</tunable>
</module>