Blob Blame History Raw
<html>
<head>
<title>
 Security Enhanced Linux Reference Policy
 </title>
<style type="text/css" media="all">@import "style.css";</style>
</head>
<body>
<div id="Header">Security Enhanced Linux Reference Policy</div>
<div id='Menu'>
	
		<a href="admin.html">+&nbsp;
		admin</a></br/>
		<div id='subitem'>
		
		</div>
	
		<a href="apps.html">+&nbsp;
		apps</a></br/>
		<div id='subitem'>
		
		</div>
	
		<a href="kernel.html">+&nbsp;
		kernel</a></br/>
		<div id='subitem'>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_bootloader.html'>
			bootloader</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_corenetwork.html'>
			corenetwork</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_devices.html'>
			devices</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_filesystem.html'>
			filesystem</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_kernel.html'>
			kernel</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_selinux.html'>
			selinux</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_storage.html'>
			storage</a><br/>
		
			&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_terminal.html'>
			terminal</a><br/>
		
		</div>
	
		<a href="services.html">+&nbsp;
		services</a></br/>
		<div id='subitem'>
		
		</div>
	
		<a href="system.html">+&nbsp;
		system</a></br/>
		<div id='subitem'>
		
		</div>
	
	<br/><p/>
	<a href="global_booleans.html">*&nbsp;Global&nbsp;Booleans&nbsp;</a>
	<br/><p/>
	<a href="global_tunables.html">*&nbsp;Global&nbsp;Tunables&nbsp;</a>
	<p/><br/><p/>
	<a href="index.html">*&nbsp;Layer Index</a>
	<br/><p/>
	<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
	<br/><p/>
	<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
</div>

<div id="Content">
<a name="top":></a>
<h1>Layer: kernel</h1><p/>
<h2>Module: selinux</h2><p/>

<h3>Description:</h3>

<p><p>
Policy for kernel security interface, in particular, selinuxfs.
</p></p>


<p>This module is required to be included in all policies.</p>


<a name="interfaces"></a>
<h3>Interfaces: </h3>

<a name="link_selinux_compute_access_vector"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_compute_access_vector</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allows caller to compute an access vector.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type allowed to compute an access vector.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_compute_create_context"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_compute_create_context</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Calculate the default type for object creation.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain allowed access.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_compute_member"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_compute_member</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allows caller to compute polyinstatntiated
directory members.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain allowed access.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_compute_relabel_context"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_compute_relabel_context</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Calculate the context for relabeling objects.
</p>


<h5>Description</h5>
<p>
</p><p>
Calculate the context for relabeling objects.
This is determined by using the type_change
rules in the policy, and is generally used
for determining the context for relabeling
a terminal when a user logs in.
</p><p>
</p>

<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain allowed access.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_compute_user_contexts"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_compute_user_contexts</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allows caller to compute possible contexts for a user.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type allowed to compute user contexts.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_dontaudit_getattr_dir"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_dontaudit_getattr_dir</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Do not audit attempts to get the
attributes of the selinuxfs directory.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain to not audit.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_dontaudit_search_fs"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_dontaudit_search_fs</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Do not audit attempts to search selinuxfs.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain to not audit.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_get_enforce_mode"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_get_enforce_mode</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allows the caller to get the mode of policy enforcement
(enforcing or permissive mode).
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type to allow to get the enforcing mode.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_get_fs_mount"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_get_fs_mount</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Gets the caller the mountpoint of the selinuxfs filesystem.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type requesting the selinuxfs mountpoint.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_load_policy"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_load_policy</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allow caller to load the policy into the kernel.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type that will load the policy.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_set_boolean"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_set_boolean</b>(
	
		
		
		
		domain
		
	
		
			,
		
		
		
			[
		
		booltype
		
			]
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allow caller to set the state of Booleans to
enable or disable conditional portions of the policy.
</p>


<h5>Description</h5>
<p>
</p><p>
Allow caller to set the state of Booleans to
enable or disable conditional portions of the policy.
</p><p>
</p><p>
Since this is a security event, this action is
always audited.
</p><p>
</p>

<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type allowed to set the Boolean.

</td><td>
No
</td></tr>

<tr><td>
booltype
</td><td>

The type of Booleans the caller is allowed to set.

</td><td>
yes
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_set_enforce_mode"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_set_enforce_mode</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allow caller to set the mode of policy enforcement
(enforcing or permissive mode).
</p>


<h5>Description</h5>
<p>
</p><p>
Allow caller to set the mode of policy enforcement
(enforcing or permissive mode).
</p><p>
</p><p>
Since this is a security event, this action is
always audited.
</p><p>
</p>

<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type to allow to set the enforcement mode.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_set_parameters"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_set_parameters</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allow caller to set SELinux access vector cache parameters.
</p>


<h5>Description</h5>
<p>
</p><p>
Allow caller to set SELinux access vector cache parameters.
The allows the domain to set performance related parameters
of the AVC, such as cache threshold.
</p><p>
</p><p>
Since this is a security event, this action is
always audited.
</p><p>
</p>

<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type to allow to set security parameters.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_unconfined"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_unconfined</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Unconfined access to the SELinux kernel security server.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

Domain allowed access.

</td><td>
No
</td></tr>

</table>
</div>
</div>

<a name="link_selinux_validate_context"></a>
<div id="interface">


<div id="codeblock">

<b>selinux_validate_context</b>(
	
		
		
		
		domain
		
	
	)<br>
</div>
<div id="description">

<h5>Summary</h5>
<p>
Allows caller to validate security contexts.
</p>


<h5>Parameters</h5>
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>

<tr><td>
domain
</td><td>

The process type permitted to validate contexts.

</td><td>
No
</td></tr>

</table>
</div>
</div>


<a href=#top>Return</a>




</div>
</body>
</html>