From c2ecf024d44f826c63bb2c7d1e40a637d98b4b61 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 26 2005 15:28:46 +0000 Subject: update for release --- diff --git a/www/api-docs/admin.html b/www/api-docs/admin.html index c748048..ab00294 100644 --- a/www/api-docs/admin.html +++ b/www/api-docs/admin.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -83,6 +104,11 @@ + + acct +

Berkeley process accounting

+ + consoletype

@@ -95,6 +121,14 @@ Determine of the console connected to the controlling terminal.

Policy for dmesg.

+ + firstboot +

+Final system configuration run during the first boot +after installation of Red Hat/Fedora systems. +

+ + logrotate

Rotate and archive system logs

@@ -105,11 +139,36 @@ Determine of the console connected to the controlling terminal.

Network analysis utilities

+ + quota +

File system quota management

+ + rpm

Policy for the RPM package manager.

+ + su +

Run shells with substitute user and group

+ + + + sudo +

Execute a command with a substitute user

+ + + + tmpreaper +

Manage temporary directory sizes and file ages

+ + + + updfstab +

Red Hat utility to change /etc/fstab.

+ + usermanage

Policy for managing user accounts.

diff --git a/www/api-docs/admin_acct.html b/www/api-docs/admin_acct.html new file mode 100644 index 0000000..f74113d --- /dev/null +++ b/www/api-docs/admin_acct.html @@ -0,0 +1,282 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: acct

+ +

Description:

+ +

Berkeley process accounting

+ + + + +

Interfaces:

+ + +
+ + +
+ +acct_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Transition to the accounting management domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +acct_exec( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute accounting management tools in the caller domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +acct_exec_data( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute accounting management data in the caller domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +acct_manage_data( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete process accounting data. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +Return + + + +
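Review bot: The acct_exec_data summary, "Execute accounting management data in the caller domain.", does not say what in the accounting data is executable or why a caller would need to run it in its own domain. Please expand the summary so a policy writer can tell it apart from acct_exec. Separately, acct_domtrans describes its parameter as "Domain allowed access." while the other three interfaces in this file use "The type of the process performing this action."; pick one wording for the module.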
+ + diff --git a/www/api-docs/admin_consoletype.html b/www/api-docs/admin_consoletype.html index 0729c95..ef60f2d 100644 --- a/www/api-docs/admin_consoletype.html +++ b/www/api-docs/admin_consoletype.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -103,12 +124,12 @@ Determine of the console connected to the controlling terminal.
- -
Description
+
Summary

Execute consoletype in the consoletype domain.

+
Parameters
@@ -145,12 +166,12 @@ No
- -
Description
+
Summary

Execute consoletype in the caller domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/admin_dmesg.html b/www/api-docs/admin_dmesg.html index 962fc64..c8eb76b 100644 --- a/www/api-docs/admin_dmesg.html +++ b/www/api-docs/admin_dmesg.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
diff --git a/www/api-docs/admin_firstboot.html b/www/api-docs/admin_firstboot.html new file mode 100644 index 0000000..6e5b668 --- /dev/null +++ b/www/api-docs/admin_firstboot.html @@ -0,0 +1,322 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: firstboot

+ +

Description:

+ +

+Final system configuration run during the first boot +after installation of Red Hat/Fedora systems. +

+ + + + +

Interfaces:

+ + +
+ + +
+ +firstboot_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute firstboot in the firstboot domain. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +firstboot_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ +
Summary
+

+Execute firstboot in the firstboot domain, and +allow the specified role the firstboot domain. +

+ + +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to be allowed the firstboot domain. + + +No +
+terminal + + +The type of the terminal allow the firstboot domain to use. + + +No +
+
+
+ + +
+ + +
+ +firstboot_use_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit and use a file descriptor from firstboot. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +firstboot_write_pipe( + + + + + domain + + + )
+
+
+ +
Summary
+

+Write to a firstboot unnamed pipe. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +Return + + + + + + diff --git a/www/api-docs/admin_logrotate.html b/www/api-docs/admin_logrotate.html index 5e60ef8..b0f9b85 100644 --- a/www/api-docs/admin_logrotate.html +++ b/www/api-docs/admin_logrotate.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
diff --git a/www/api-docs/admin_netutils.html b/www/api-docs/admin_netutils.html index e119d99..28de26b 100644 --- a/www/api-docs/admin_netutils.html +++ b/www/api-docs/admin_netutils.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
diff --git a/www/api-docs/admin_quota.html b/www/api-docs/admin_quota.html new file mode 100644 index 0000000..db3a1a2 --- /dev/null +++ b/www/api-docs/admin_quota.html @@ -0,0 +1,320 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: quota

+ +

Description:

+ +

File system quota management

+ + + + +

Interfaces:

+ + +
+ + +
+ +quota_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute quota management tools in the quota domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +quota_dontaudit_getattr_db( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to get the attributes +of filesystem quota data files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to not audit. + + +No +
+
+
+ + +
+ + +
+ +quota_manage_flags( + + + + + ? + + + )
+
+
+ +
Summary
+

+Summary is missing! +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+? + + +Parameter descriptions are missing! + + +No +
+
+
+ + +
+ + +
+ +quota_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ +
Summary
+

+Execute quota management tools in the quota domain, and +allow the specified role the quota domain. +

+ + +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to be allowed the quota domain. + + +No +
+terminal + + +The type of the terminal allow the quota domain to use. + + +No +
+
+
+ + +Return + + + +
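Review bot: quota_manage_flags is published here with no documentation: the parameter is "?", the summary is "Summary is missing!" and the parameter description is "Parameter descriptions are missing!". The other three quota interfaces in this new file are documented, so this one should get a summary and a named domain parameter before the release docs go out. A "manage" interface grants create, read, write and delete access elsewhere in these pages, and callers need to see exactly what it covers.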
+ + diff --git a/www/api-docs/admin_rpm.html b/www/api-docs/admin_rpm.html index fe82ab7..8320490 100644 --- a/www/api-docs/admin_rpm.html +++ b/www/api-docs/admin_rpm.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
diff --git a/www/api-docs/admin_su.html b/www/api-docs/admin_su.html new file mode 100644 index 0000000..3666cdf --- /dev/null +++ b/www/api-docs/admin_su.html @@ -0,0 +1,171 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: su

+ +

Description:

+ +

Run shells with substitute user and group

+ + + + + +

Templates:

+ + +
+ + +
+ +su_per_userdomain_template( + + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+The per user domain template for the su module. +

+ + +
Description
+

+

+This template creates a derived domain which is allowed +to change the linux user id, to run shells as a different +user. +

+

+This template is invoked automatically for each user, and +generally does not need to be invoked directly +by policy writers. +

+

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +Return + + +
+ + diff --git a/www/api-docs/admin_sudo.html b/www/api-docs/admin_sudo.html new file mode 100644 index 0000000..b0eff4b --- /dev/null +++ b/www/api-docs/admin_sudo.html @@ -0,0 +1,171 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: sudo

+ +

Description:

+ +

Execute a command with a substitute user

+ + + + + +

Templates:

+ + +
+ + +
+ +sudo_per_userdomain_template( + + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+The per user domain template for the sudo module. +

+ + +
Description
+

+

+This template creates a derived domain which is allowed +to change the linux user id, to run commands as a different +user. +

+

+This template is invoked automatically for each user, and +generally does not need to be invoked directly +by policy writers. +

+

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +Return + + +
+ + diff --git a/www/api-docs/admin_tmpreaper.html b/www/api-docs/admin_tmpreaper.html new file mode 100644 index 0000000..5009cd5 --- /dev/null +++ b/www/api-docs/admin_tmpreaper.html @@ -0,0 +1,156 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: tmpreaper

+ +

Description:

+ +

Manage temporary directory sizes and file ages

+ + + + +

Interfaces:

+ + +
+ + +
+ +tmpreaper_exec( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute tmpreaper in the caller domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +Return + + + +
+ + diff --git a/www/api-docs/admin_updfstab.html b/www/api-docs/admin_updfstab.html new file mode 100644 index 0000000..fb5556e --- /dev/null +++ b/www/api-docs/admin_updfstab.html @@ -0,0 +1,156 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: admin

+

Module: updfstab

+ +

Description:

+ +

Red Hat utility to change /etc/fstab.

+ + + + +

Interfaces:

+ + +
+ + +
+ +updfstab_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute updfstab in the updfstab domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +Return + + + +
+ + diff --git a/www/api-docs/admin_usermanage.html b/www/api-docs/admin_usermanage.html index 05426c0..8f12442 100644 --- a/www/api-docs/admin_usermanage.html +++ b/www/api-docs/admin_usermanage.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -101,12 +122,12 @@
- -
Description
+
Summary

Execute chfn in the chfn domain.

+
Parameters
@@ -143,12 +164,12 @@ No
- -
Description
+
Summary

Execute groupadd in the groupadd domain.

+
Parameters
Parameter:Description:Optional:
@@ -185,12 +206,12 @@ No
- -
Description
+
Summary

Execute passwd in the passwd domain.

+
Parameters
Parameter:Description:Optional:
@@ -227,12 +248,12 @@ No
- -
Description
+
Summary

Execute useradd in the useradd domain.

+
Parameters
Parameter:Description:Optional:
@@ -327,13 +348,13 @@ No
- -
Description
+
Summary

Execute chfn in the chfn domain, and allow the specified role the chfn domain.

+
Parameters
Parameter:Description:Optional:
@@ -406,13 +427,13 @@ No
- -
Description
+
Summary

Execute groupadd in the groupadd domain, and allow the specified role the groupadd domain.

+
Parameters
Parameter:Description:Optional:
@@ -485,13 +506,13 @@ No
- -
Description
+
Summary

Execute passwd in the passwd domain, and allow the specified role the passwd domain.

+
Parameters
Parameter:Description:Optional:
@@ -564,13 +585,13 @@ No
- -
Description
+
Summary

Execute useradd in the useradd domain, and allow the specified role the useradd domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/apps.html b/www/api-docs/apps.html index 65fbd00..df5f733 100644 --- a/www/api-docs/apps.html +++ b/www/api-docs/apps.html @@ -22,6 +22,9 @@    -  gpg
+    -  + loadkeys
+ +  @@ -73,6 +76,11 @@ gpg + + + diff --git a/www/api-docs/apps_gpg.html b/www/api-docs/apps_gpg.html index bd1790a..8ae7d90 100644 --- a/www/api-docs/apps_gpg.html +++ b/www/api-docs/apps_gpg.html @@ -22,6 +22,9 @@    -  gpg
+    -  + loadkeys
+ +  diff --git a/www/api-docs/apps_loadkeys.html b/www/api-docs/apps_loadkeys.html new file mode 100644 index 0000000..37de9b0 --- /dev/null +++ b/www/api-docs/apps_loadkeys.html @@ -0,0 +1,243 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: apps

+

Module: loadkeys

+ +

Description:

+ +

Load keyboard mappings.

+ + + + +

Interfaces:

+ + +
+ + +
+ +loadkeys_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute the loadkeys program in the loadkeys domain. +

+ + +
Parameters
+
Parameter:Description:Optional:

Policy for GNU Privacy Guard and related programs.

+ + loadkeys

Load keyboard mappings.

+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +loadkeys_exec( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute the loadkeys program in the caller domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +loadkeys_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ +
Summary
+

+Execute the loadkeys program in the loadkeys domain. +

+ + +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to allow the loadkeys domain. + + +No +
+terminal + + +The type of the terminal allow the loadkeys domain to use. + + +No +
+
+
+ + +Return + + + +
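Review bot: The loadkeys_run summary is word for word the loadkeys_domtrans summary, "Execute the loadkeys program in the loadkeys domain.", although loadkeys_run also takes role and terminal. The firstboot_run and quota_run pages in this same patch add "and allow the specified role the ... domain"; the loadkeys_run summary should say the same so the role grant is visible to whoever calls it.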
+ + diff --git a/www/api-docs/global_booleans.html b/www/api-docs/global_booleans.html index 3e94726..40075d2 100644 --- a/www/api-docs/global_booleans.html +++ b/www/api-docs/global_booleans.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -40,6 +61,9 @@    -  gpg
+    -  + loadkeys
+
+  @@ -76,33 +100,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  diff --git a/www/api-docs/global_tunables.html b/www/api-docs/global_tunables.html index 6767b30..c60ff47 100644 --- a/www/api-docs/global_tunables.html +++ b/www/api-docs/global_tunables.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -40,6 +61,9 @@    -  gpg
+    -  + loadkeys
+
+  @@ -76,33 +100,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -258,6 +309,19 @@ Allow system to run with kerberos
+
allow_user_mysql_connect
+
+
Default value
+

false

+ +
Description
+

+Allow users to connect to mysql +

+ +
+ +
allow_ypbind
Default value
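Review bot: The description added for allow_user_mysql_connect, "Allow users to connect to mysql", does not say which users or what kind of connection the tunable opens up. Since flipping this from its default of false widens access, please state the scope in the description (for example whether it covers the local socket, the network port, or both) so an administrator can judge it from the docs alone.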
@@ -299,6 +363,20 @@ to support fcron.
+
named_write_master_zones
+
+
Default value
+

false

+ +
Description
+

+Allow BIND to write the master zone files. +Generally this is used for dynamic DNS. +

+ +
+ +
read_default_t
Default value
diff --git a/www/api-docs/index.html b/www/api-docs/index.html index e4290fe..07cb0df 100644 --- a/www/api-docs/index.html +++ b/www/api-docs/index.html @@ -13,21 +13,42 @@ admin

+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -40,6 +61,9 @@    -  gpg
+    -  + loadkeys
+
+  @@ -76,33 +100,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -215,6 +266,11 @@ + + acct +

Berkeley process accounting

+ + consoletype

@@ -227,6 +283,14 @@ Determine of the console connected to the controlling terminal.

Policy for dmesg.

+ + firstboot +

+Final system configuration run during the first boot +after installation of Red Hat/Fedora systems. +

+ + logrotate

Rotate and archive system logs

@@ -237,11 +301,36 @@ Determine of the console connected to the controlling terminal.

Network analysis utilities

+ + quota +

File system quota management

+ + rpm

Policy for the RPM package manager.

+ + su +

Run shells with substitute user and group

+ + + + sudo +

Execute a command with a substitute user

+ + + + tmpreaper +

Manage temporary directory sizes and file ages

+ + + + updfstab +

Red Hat utility to change /etc/fstab.

+ + usermanage

Policy for managing user accounts.

@@ -354,6 +443,11 @@ Policy for kernel security interface, in particular, selinuxfs. gpg

Policy for GNU Privacy Guard and related programs.

+ + + loadkeys +

Load keyboard mappings.

+ @@ -556,11 +650,26 @@ connection and disconnection of devices at runtime. + + bind +

Berkeley internet name domain DNS server.

+ + cron

Periodic execution of scheduled commands.

+ + gpm +

General Purpose Mouse driver

+ + + + howl +

Port of Apple Rendezvous multicast DNS

+ + inetd

Internet services daemon.

@@ -571,11 +680,21 @@ connection and disconnection of devices at runtime.

MIT Kerberos admin and KDC

+ + ldap +

OpenLDAP directory server

+ + mta

Policy common to all email tranfer agents.

+ + mysql +

Policy for MySQL

+ + nis

Policy for NIS (YP) servers and clients

@@ -586,11 +705,26 @@ connection and disconnection of devices at runtime.

Name service cache daemon

+ + privoxy +

Privacy enhancing web proxy.

+ + remotelogin

Policy for rshd, rlogind, and telnetd.

+ + rshd +

Remote shell service.

+ + + + rsync +

Fast incremental file transfer for synchronization

+ + sendmail

Policy for sendmail.

@@ -600,6 +734,11 @@ connection and disconnection of devices at runtime. ssh

Secure shell client and server policy.

+ + + tcpd +

Policy for TCP daemon.

+ diff --git a/www/api-docs/interfaces.html b/www/api-docs/interfaces.html index 6a44170..4f8d87c 100644 --- a/www/api-docs/interfaces.html +++ b/www/api-docs/interfaces.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -40,6 +61,9 @@    -  gpg
+    -  + loadkeys
+
+  @@ -76,33 +100,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -206,6 +257,136 @@
+Module: +acct

+Layer: +admin

+

+ +acct_domtrans( + + + + + domain + + + )
+
+ +
+

+Transition to the accounting management domain. +

+
+ +
+ +
+Module: +acct

+Layer: +admin

+

+ +acct_exec( + + + + + domain + + + )
+
+ +
+

+Execute accounting management tools in the caller domain. +

+
+ +
+ +
+Module: +acct

+Layer: +admin

+

+ +acct_exec_data( + + + + + domain + + + )
+
+ +
+

+Execute accounting management data in the caller domain. +

+
+ +
+ +
+Module: +acct

+Layer: +admin

+

+ +acct_manage_data( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete process accounting data. +

+
+ +
+ +
+Module: +authlogin

+Layer: +system

+

+ +auth_create_login_records( + + + + + ? + + + )
+
+ +
+

+Summary is missing! +

+
+ +
+ + +
+

+Delete pam PID files. +

+
+
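Review bot: auth_create_login_records is added to the interface index with a "?" parameter and "Summary is missing!", while the four acct entries added just above it are fully documented. Please document this authlogin interface at its source before regenerating, since the index is where policy writers look up what an interface grants on login records.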
@@ -243,6 +430,12 @@ system

)

+
+

+Run unix_chkpwd to check a password. +

+
+
@@ -271,6 +464,12 @@ system

)

+
+

+Execute a login_program in the target domain. +

+
+
@@ -291,6 +490,12 @@ system

)

+
+

+Execute pam programs in the pam domain. +

+
+
@@ -337,6 +542,12 @@ system

)

+
+

+Execute utempter programs in the utempter domain. +

+
+
@@ -384,6 +595,13 @@ system

)

+
+

+Do not audit attempts to read the shadow +password file (/etc/shadow). +

+
+
@@ -430,6 +648,12 @@ system

)

+
+

+Execute the pam program. +

+
+
@@ -502,6 +726,12 @@ system

)

+
+

+Use the login program as an entry point program. +

+
+
@@ -534,6 +764,13 @@ system

)

+
+

+Manage all files on the filesystem, except +the shadow passwords and listed exceptions. +

+
+
@@ -710,6 +947,12 @@ system

)

+
+

+Read the shadow passwords file (/etc/shadow) +

+
+
@@ -742,6 +985,13 @@ system

)

+
+

+Relabel all files on the filesystem, except +the shadow passwords and listed exceptions. +

+
+
@@ -804,6 +1054,12 @@ system

)

+
+

+Execute pam programs in the PAM domain. +

+
+
@@ -840,6 +1096,12 @@ system

)

+
+

+Execute utempter programs in the utempter domain. +

+
+
@@ -938,6 +1200,12 @@ system

)

+
+

+Read and write the shadow password file (/etc/shadow). +

+
+
@@ -967,6 +1235,154 @@ Unconfined access to the authlogin module.
+Module: +bind

+Layer: +services

+

+ +bind_domtrans_ndc( + + + + + domain + + + )
+
+ +
+

+Execute ndc in the ndc domain. +

+
+ +
+ +
+Module: +bind

+Layer: +services

+

+ +bind_read_config( + + + + + domain + + + )
+
+ +
+

+Read BIND named configuration files. +

+
+ +
+ +
+Module: +bind

+Layer: +services

+

+ +bind_run_ndc( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute ndc in the ndc domain, and +allow the specified role the ndc domain. +

+
+ +
+ +
+Module: +bind

+Layer: +services

+

+ +bind_setattr_pid_dir( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to set the attributes +of the BIND pid directory. +

+
+ +
+ +
+Module: +bind

+Layer: +services

+

+ +bind_write_config( + + + + + domain + + + )
+
+ +
+

+Write BIND named configuration files. +

+
+ +
+ +
Module: bootloader
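Review bot: The name and summary of bind_setattr_pid_dir disagree: the summary reads "Do not audit attempts to set the attributes of the BIND pid directory.", but the name has no dontaudit component, unlike quota_dontaudit_getattr_db and files_dontaudit_search_home elsewhere in this patch. Either the interface should be renamed to carry dontaudit, or the summary should describe an allow rule. As it stands, a caller cannot tell whether it grants setattr or only silences the denial.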

Layer: @@ -1526,6 +1942,12 @@ system

)

+
+

+Execute hwclock in the clock domain. +

+
+
@@ -1546,6 +1968,12 @@ system

)

+
+

+ Execute hwclock in the caller domain. +

+
+
@@ -1582,6 +2010,13 @@ system

)

+
+

+Execute hwclock in the clock domain, and +allow the specified role the hwclock domain. +

+
+
@@ -1602,6 +2037,12 @@ system

)

+
+

+ Allow executing domain to modify clock drift +

+
+
@@ -1622,6 +2063,12 @@ admin

)

+
+

+Execute consoletype in the consoletype domain. +

+
+
@@ -1642,6 +2089,12 @@ admin

)

+
+

+Execute consoletype in the caller domain. +

+
+
@@ -2285,6 +2738,14 @@ system

)

+
+

+Execute a shell in the target domain. This +is an explicit transition, requiring the +caller to use setexeccon(). +

+
+
@@ -18140,13 +18601,13 @@ Execute dmesg in the caller domain.
-Module: +Module: domain

Layer: system

-domain_base_domain_type( +domain_base_type( @@ -18264,6 +18725,13 @@ system

)

+
+

+Do not audit attempts to get the attributes +of all domains unix datagram sockets. +

+
+
@@ -18284,6 +18752,13 @@ system

)

+
+

+Do not audit attempts to get the attributes +of all domains unnamed pipes. +

+
+
@@ -18331,6 +18806,13 @@ system

)

+
+

+Do not audit attempts to read the process state +directories of all domains. +

+
+
@@ -18519,6 +19001,33 @@ Summary is missing!
+Module: +domain

+Layer: +system

+

+ +domain_getattr_all_entry_files( + + + + + domain + + + )
+
+ +
+

+Get the attributes of entry point +files for all domains. +

+
+ +
+ +
Module: domain

Layer: @@ -18589,6 +19098,12 @@ system

)

+
+

+Send a kill signal to all domains. +

+
+
@@ -18609,6 +19124,13 @@ system

)

+
+

+Makes caller an exception to the constraint preventing +changing the user identity in object contexts. +

+
+
@@ -18681,6 +19203,13 @@ system

)

+
+

+Makes caller an exception to the constraint preventing +changing of role. +

+
+
@@ -18727,6 +19256,12 @@ system

)

+
+

+Send a child terminated signal to all domains. +

+
+
@@ -18774,6 +19309,12 @@ system

)

+
+

+Send general signals to all domains. +

+
+
@@ -18794,6 +19335,12 @@ system

)

+
+

+Send a null signal to all domains. +

+
+
@@ -18814,6 +19361,12 @@ system

)

+
+

+Send a stop signal to all domains. +

+
+
@@ -18834,6 +19387,13 @@ system

)

+
+

+Makes caller an exception to the constraint preventing +changing of user identity. +

+
+
@@ -19255,32 +19815,6 @@ Summary is missing!
-Module: -files

-Layer: -system

-

- -files_delete_all_tmp_files( - - - - - ? - - - )
-
- -
-

-Summary is missing! -

-
- -
- -
Module: files

Layer: @@ -19575,6 +20109,34 @@ Do not audit attempts to ioctl daemon runtime data files.

+Module: +files

+Layer: +system

+

+ +files_dontaudit_read_etc_runtime_files( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to read files +in /etc that are dynamically +created on boot, such as mtab. +

+
+ +
+ +
Module: files

Layer: @@ -19679,6 +20241,32 @@ Summary is missing!

+Module: +files

+Layer: +system

+

+ +files_dontaudit_search_home( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to search home directories root. +

+
+ +
+ +
Module: files
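Review bot: The summary added for files_dontaudit_search_home, "Do not audit attempts to search home directories root.", is hard to parse. Suggest wording along the lines of "the root of the home directories" so it is clear the interface covers the top-level directory and not each user's home. The same phrase is introduced later in the patch where "Search home directories." becomes "Search home directories root."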

Layer: @@ -19900,7 +20488,7 @@ system

- ? + domain )
@@ -19908,7 +20496,7 @@ system

-Summary is missing! +Get the attributes of all files.

@@ -20019,6 +20607,32 @@ Summary is missing!
+Module: +files

+Layer: +system

+

+ +files_getattr_usr_files( + + + + + domain + + + )
+
+ +
+

+Get the attributes of files in /usr. +

+
+ +
+ +
Module: files

Layer: @@ -20056,6 +20670,32 @@ system

+ domain + + + )
+

+ +
+

+List the contents of all directories. +

+
+ + + +
+Module: +files

+Layer: +system

+

+ +files_list_all_dirs( + + + + ? @@ -20280,6 +20920,32 @@ Summary is missing!
+Module: +files

+Layer: +system

+

+ +files_list_var_lib( + + + + + domain + + + )
+
+ +
+

+List the contents of the /var/lib directory. +

+
+ +
+ +
Module: files

Layer: @@ -20408,7 +21074,7 @@ system

- ? + domain )
@@ -20416,7 +21082,9 @@ system

-Summary is missing! +Create, read, write, and delete files in +/etc that are dynamically created on boot, +such as mtab.

@@ -20689,6 +21357,58 @@ Create, read, write, and delete directories in /mnt.
+Module: +files

+Layer: +system

+

+ +files_manage_mnt_files( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete files in /mnt. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_manage_mnt_symlinks( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete symbolic links in /mnt. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_manage_var_dirs( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete directories +in the /var directory. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_manage_var_files( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete files in the /var directory. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_manage_var_symlinks( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete symbolic +links in the /var directory. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_purge_tmp( + + + + + ? + + + )
+
+ +
+

+Summary is missing! +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_read_all_files( + + + + + domain + + + )
+
+ +
+

+Read all files. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_read_all_symlinks( + + + + + domain + + + )
+
+ +
+

+Read all symbolic links. +

+
+ +
+ +
Module: files
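Review bot: files_purge_tmp is added with a "?" parameter and "Summary is missing!", the same undocumented state files_delete_all_tmp_files was in where this patch removes it. Every other files interface added in this region has a named domain parameter and a summary. Please give files_purge_tmp one too, stating which tmp objects it lets the caller delete.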

Layer: @@ -21039,7 +21917,7 @@ system

- ? + domain )
@@ -21047,7 +21925,8 @@ system

-Summary is missing! +Read files in /etc that are dynamically +created on boot, such as mtab.

@@ -21159,6 +22038,32 @@ Summary is missing!
+Module: +files

+Layer: +system

+

+ +files_read_usr_symlinks( + + + + + domain + + + )
+
+ +
+

+Read symbolic links in /usr. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ +files_relabelto_usr_files( + + + + + domain + + + )
+
+ +
+

+Relabel a file to the type used in /usr. +

+
+ +
+ +
Module: files

Layer: @@ -21583,7 +22514,7 @@ system

-Search home directories. +Search home directories root.

@@ -21713,7 +22644,7 @@ system

-Search the tmp directory (/tmp) +Search the tmp directory (/tmp).

@@ -21798,6 +22729,32 @@ Search the /var/lib directory.
+Module: +files

+Layer: +system

+

+ +files_setattr_all_tmp_dirs( + + + + + domain + + + )
+
+ +
+

+Set the attributes of all tmp directories. +

+
+ +
+ +
+Module: +firstboot

+Layer: +admin

+

+ +firstboot_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute firstboot in the firstboot domain. +

+
+ +
+ +
+Module: +firstboot

+Layer: +admin

+

+ +firstboot_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute firstboot in the firstboot domain, and +allow the specified role the firstboot domain. +

+
+ +
+ +
+Module: +firstboot

+Layer: +admin

+

+ +firstboot_use_fd( + + + + + domain + + + )
+
+ +
+

+Inherit and use a file descriptor from firstboot. +

+
+ +
+ +
+Module: +firstboot

+Layer: +admin

+

+ +firstboot_write_pipe( + + + + + domain + + + )
+
+ +
+

+Write to a firstboot unnamed pipe. +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ +fs_get_xattr_fs_quota( + + + + + domain + + + )
+
+ +
+

+Get the filesystem quotas of a filesystem +with extended attributes. +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ +fs_search_cifs( + + + + + domain + + + )
+
+ +
+

+Search directories on a CIFS or SMB filesystem. +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ +fs_search_nfs( + + + + + domain + + + )
+
+ +
+

+Search directories on a NFS filesystem. +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ +fs_set_xattr_fs_quota( + + + + + domain + + + )
+
+ +
+

+Set the filesystem quotas of a filesystem +with extended attributes. +

+
+ +
+ + -
- -
-Module: -fstools

-Layer: -system

-

- -fstools_exec( - - - - - domain - - - )
+
+

+Execute fs tools in the fstools domain. +

-Module: +Module: fstools

Layer: system

-fstools_run( - - - - - domain - - - - , - - - - role - - - - , - - - - terminal - - - )
-
- -
- -
-Module: -getty

-Layer: -system

-

- -getty_domtrans( - - - - - domain - - - )
-
- -
- -
-Module: -getty

-Layer: -system

-

- -getty_modify_config( - - - - - domain - - - )
-
- -
- -
-Module: -getty

-Layer: -system

-

- -getty_read_config( +fstools_exec( @@ -24810,36 +25904,22 @@ system

)

-
- -
-Module: -getty

-Layer: -system

-

- -getty_read_log( - - - - - domain - - - )
+
+

+Execute fsadm in the caller domain. +

-Module: -hostname

+Module: +fstools

Layer: system

-hostname_domtrans( +fstools_manage_entry_files( @@ -24852,20 +25932,21 @@ system

-Execute hostname in the hostname domain. +Create, read, write, and delete a file used by the +filesystem tools programs.

-Module: -hostname

+Module: +fstools

Layer: system

-hostname_exec( +fstools_relabelto_entry_files( @@ -24878,20 +25959,302 @@ system

- Execute hostname in the caller domain. -

+Relabel a file to the type used by the +filesystem tools programs. +

-Module: -hostname

+Module: +fstools

Layer: system

-hostname_run( +fstools_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute fs tools in the fstools domain, and +allow the specified role the fs tools domain. +

+
+ +
+ +
+Module: +getty

+Layer: +system

+

+ +getty_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute gettys in the getty domain. +

+
+ +
+ +
+Module: +getty

+Layer: +system

+

+ +getty_modify_config( + + + + + domain + + + )
+
+ +
+

+Allow process to edit getty config file. +

+
+ +
+ +
+Module: +getty

+Layer: +system

+

+ +getty_read_config( + + + + + domain + + + )
+
+ +
+

+Allow process to read getty config file. +

+
+ +
+ +
+Module: +getty

+Layer: +system

+

+ +getty_read_log( + + + + + domain + + + )
+
+ +
+

+Allow process to read getty log file. +

+
+ +
+ +
+Module: +gpm

+Layer: +services

+

+ +gpm_dontaudit_getattr_gpmctl( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to get the +attributes of the GPM control channel +named socket. +

+
+ +
+ +
+Module: +gpm

+Layer: +services

+

+ +gpm_getattr_gpmctl( + + + + + domain + + + )
+
+ +
+

+Get the attributes of the GPM +control channel named socket. +

+
+ +
+ +
+Module: +gpm

+Layer: +services

+

+ +gpm_setattr_gpmctl( + + + + + domain + + + )
+
+ +
+

+Set the attributes of the GPM +control channel named socket. +

+
+ +
+ +
+Module: +hostname

+Layer: +system

+

+ +hostname_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute hostname in the hostname domain. +

+
+ +
+ +
+Module: +hostname

+Layer: +system

+

+ +hostname_exec( + + + + + domain + + + )
+
+ +
+

+ Execute hostname in the caller domain. +

+
+ +
+ +
+Module: +hostname

+Layer: +system

+

+ +hostname_run( @@ -25170,6 +26533,32 @@ Define the specified domain as a inetd service.
+Module: +inetd

+Layer: +services

+

+ +inetd_domtrans_child( + + + + + domain + + + )
+
+ +
+

+Run inetd child process in the inet child domain +

+
+ +
+ +
-Module: +Module: inetd

Layer: services

-inetd_tcp_connectto( +inetd_tcp_connect( @@ -25298,6 +26687,32 @@ Define the specified domain as a UDP inetd service.
+Module: +inetd

+Layer: +services

+

+ +inetd_use_fd( + + + + + domain + + + )
+
+ +
+

+Inherit and use file descriptors from inetd. +

+
+ +
+ +
+Module: +init

+Layer: +system

+

+ +init_list_script_pids( + + + + + domain + + + )
+
+ +
+

+List the contents of an init script +process id directory. +

+
+ +
+ +
+Module: +init

+Layer: +system

+

+ +init_read_script( + + + + + domain + + + )
+
+ +
+

+Read init scripts. +

+
+ +
+ +
+Module: +init

+Layer: +system

+

+ +init_read_script_file( + + + + + domain + + + )
+
+ +
+

+Read init scripts. +

+
+ +
+ + +
+

+Start and stop daemon programs directly. +

+
+
@@ -26047,7 +27547,7 @@ system

- ? + domain )
@@ -26055,7 +27555,7 @@ system

-Summary is missing! +Read and write the init script pty.

@@ -26088,13 +27588,13 @@ Summary is missing!
-Module: +Module: ipsec

Layer: system

-ipsec_connectto_unix_stream_socket( +ipsec_domtrans( @@ -26107,20 +27607,20 @@ system

-Connect to an IPSEC unix domain stream socket. +Execute ipsec in the ipsec domain.

-Module: +Module: ipsec

Layer: system

-ipsec_domtrans( +ipsec_exec_mgmt( @@ -26133,20 +27633,20 @@ system

-Execute ipsec in the ipsec domain. +Execute the IPSEC management program in the caller domain.

-Module: +Module: ipsec

Layer: system

-ipsec_exec_mgmt( +ipsec_getattr_key_socket( @@ -26159,20 +27659,20 @@ system

-Execute the IPSEC management program in the caller domain. +Get the attributes of an IPSEC key socket.

-Module: +Module: ipsec

Layer: system

-ipsec_getattr_key_socket( +ipsec_manage_pid( @@ -26185,20 +27685,20 @@ system

-Get the attributes of an IPSEC key socket. +Create, read, write, and delete the IPSEC pid files.

-Module: +Module: ipsec

Layer: system

-ipsec_manage_pid( +ipsec_read_config( @@ -26211,20 +27711,20 @@ system

-Create, read, write, and delete the IPSEC pid files. +Read the IPSEC configuration

-Module: +Module: ipsec

Layer: system

-ipsec_read_config( +ipsec_stream_connect( @@ -26237,7 +27737,7 @@ system

-Read the IPSEC configuration +Connect to IPSEC using a unix domain stream socket.

@@ -26261,6 +27761,12 @@ system

)

+
+

+Execute iptables in the iptables domain. +

+
+
@@ -26281,6 +27787,12 @@ system

)

+
+

+Execute iptables in the caller domain. +

+
+
@@ -26317,16 +27829,23 @@ system

)

+
+

+Execute iptables in the iptables domain, and +allow the specified role the iptables domain. +

+
+
-Module: +Module: kerberos

Layer: services

-kerberos_read_conf( +kerberos_read_config( @@ -26346,6 +27865,32 @@ Read the kerberos configuration file (/etc/krb5.conf).
+Module: +kerberos

+Layer: +services

+

+ +kerberos_rw_config( + + + + + domain + + + )
+
+ +
+

+Read and write the kerberos configuration file (/etc/krb5.conf). +

+
+ +
+ +
+Module: +kernel

+Layer: +kernel

+

+ +kernel_dontaudit_write_kernel_sysctl( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to write generic kernel sysctls. +

+
+ +
+ +
+Module: +ldap

+Layer: +services

+

+ +ldap_list_db_dir( + + + + + domain + + + )
+
+ +
+

+Read the contents of the OpenLDAP +database directories. +

+
+ +
+ +
+Module: +ldap

+Layer: +services

+

+ +ldap_read_config( + + + + + domain + + + )
+
+ +
+

+Read the OpenLDAP configuration files. +

+
+ +
+ +
+Module: +libraries

+Layer: +system

+

+ +libs_relabelto_lib_files( + + + + + domain + + + )
+
+ +
+

+Relabel files to the type used in library directories. +

+
+ +
+ +
+Module: +loadkeys

+Layer: +apps

+

+ +loadkeys_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute the loadkeys program in the loadkeys domain. +

+
+ +
+ +
+Module: +loadkeys

+Layer: +apps

+

+ +loadkeys_exec( + + + + + domain + + + )
+
+ +
+

+Execute the loadkeys program in the caller domain. +

+
+ +
+ +
+Module: +loadkeys

+Layer: +apps

+

+ +loadkeys_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute the loadkeys program in the loadkeys domain. +

+
+ +
+ + +
+

+Allows the domain to open a file in the +log directory, but does not allow the listing +of the contents of the log directory. +

+
+
@@ -28989,6 +30741,12 @@ system

)

+
+

+Execute lvm programs in the lvm domain. +

+
+
@@ -29009,6 +30767,12 @@ system

)

+
+

+Read LVM configuration files. +

+
+
@@ -29045,6 +30809,12 @@ system

)

+
+

+Execute lvm programs in the lvm domain. +

+
+
@@ -29248,6 +31018,12 @@ system

)

+
+

+Execute depmod in the depmod domain. +

+
+
@@ -29268,6 +31044,12 @@ system

)

+
+

+Execute insmod in the insmod domain. +

+
+
@@ -29288,6 +31070,12 @@ system

)

+
+

+Execute depmod in the depmod domain. +

+
+
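Review bot: "Execute depmod in the depmod domain." is added here a second time; the hunk at @@ -29248 already gave a neighbouring interface the identical summary, and the hunk in between documents insmod. Check this text against the interface it is attached to. If this entry is the update_modules transition, whose run form is documented further down as "Execute update_modules in the update_modules domain.", the summary should name that domain instead.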
@@ -29386,6 +31174,12 @@ system

)

+
+

+Read the dependencies of kernel modules. +

+
+
@@ -29406,6 +31200,13 @@ system

)

+
+

+Read the configuration options used when +loading modules. +

+
+
@@ -29442,6 +31243,12 @@ system

)

+
+

+Execute depmod in the depmod domain. +

+
+
@@ -29478,6 +31285,15 @@ system

)

+
+

+Execute insmod in the insmod domain, and +allow the specified role the insmod domain, +and use the caller's terminal. Has a sigchld +backchannel. +

+
+
@@ -29514,6 +31330,12 @@ system

)

+
+

+Execute update_modules in the update_modules domain. +

+
+
@@ -29534,6 +31356,12 @@ system

)

+
+

+Execute mount in the mount domain. +

+
+
@@ -29570,6 +31398,14 @@ system

)

+
+

+Execute mount in the mount domain, and +allow the specified role the mount domain, +and use the caller's terminal. +

+
+
@@ -29590,6 +31426,13 @@ system

)

+
+

+Allow the mount domain to send nfs requests for mounting +network drives +

+
+
@@ -29610,6 +31453,12 @@ system

)

+
+

+Use file descriptors for mount. +

+
+
@@ -29787,6 +31636,12 @@ services

)

+
+

+Read mail address aliases. +

+
+
@@ -29903,13 +31758,13 @@ sendmail daemon use.
-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_domtrans( +mysql_manage_db_dir( @@ -29922,20 +31777,20 @@ admin

-Execute network utilities in the netutils domain. +Create, read, write, and delete MySQL database directories.

-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_domtrans_ping( +mysql_read_config( @@ -29948,20 +31803,20 @@ admin

-Execute ping in the ping domain. +Read MySQL configuration files.

-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_domtrans_traceroute( +mysql_rw_db_dir( @@ -29974,20 +31829,20 @@ admin

-Execute traceroute in the traceroute domain. +Read and write to the MySQL database directory.

-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_exec( +mysql_search_db_dir( @@ -30000,20 +31855,21 @@ admin

-Execute network utilities in the caller domain. +Search the directories that contain MySQL +database storage.

-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_exec_ping( +mysql_signal( @@ -30026,20 +31882,20 @@ admin

-Execute ping in the caller domain. +Send a generic signal to MySQL.

-Module: -netutils

-Layer: -admin

+Module: +mysql

+Layer: +services

-netutils_exec_traceroute( +mysql_stream_connect( @@ -30052,20 +31908,46 @@ admin

-Execute traceroute in the caller domain. +Connect to MySQL using a unix domain stream socket.

-Module: +Module: +mysql

+Layer: +services

+

+ +mysql_write_log( + + + + + domain + + + )
+
+ +
+

+Write to the MySQL log. +

+
+ +
+ +
+Module: netutils

Layer: admin

-netutils_run( +netutils_domtrans( @@ -30073,20 +31955,56 @@ admin

domain - - , + )
+

+ +
+

+Execute network utilities in the netutils domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_domtrans_ping( + - role + domain - - , + )
+
+ +
+

+Execute ping in the ping domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_domtrans_traceroute( + - terminal + domain )
@@ -30094,21 +32012,20 @@ admin

-Execute network utilities in the netutils domain, and -allow the specified role the netutils domain. +Execute traceroute in the traceroute domain.

-Module: +Module: netutils

Layer: admin

-netutils_run_ping( +netutils_exec( @@ -30116,20 +32033,56 @@ admin

domain - - , + )
+

+ +
+

+Execute network utilities in the caller domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_exec_ping( + - role + domain - - , + )
+
+ +
+

+Execute ping in the caller domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_exec_traceroute( + - terminal + domain )
@@ -30137,21 +32090,106 @@ admin

-Execute ping in the ping domain, and -allow the specified role the ping domain. +Execute traceroute in the caller domain.

-Module: +Module: netutils

Layer: admin

-netutils_run_traceroute( +netutils_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute network utilities in the netutils domain, and +allow the specified role the netutils domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_run_ping( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute ping in the ping domain, and +allow the specified role the ping domain. +

+
+ +
+ +
+Module: +netutils

+Layer: +admin

+

+ +netutils_run_traceroute( @@ -30565,223 +32603,393 @@ system

-Execute cardmgr in the cardctl domain, and -allow the specified role the cardmgr domain. -

-
- -
- -
-Module: -raid

-Layer: -system

-

- -raid_domtrans_mdadm( - - - - - domain - - - )
-
- -
-

-Execute software raid tools in the mdadm domain. -

-
- -
- -
-Module: -raid

-Layer: -system

-

- -raid_manage_mdadm_pid( - - - - - domain - - - )
-
- -
-

-Create, read, write, and delete the mdadm pid files. -

-
- -
- -
-Module: -remotelogin

-Layer: -services

-

- -remotelogin_domtrans( - - - - - domain - - - )
-
- -
- -
-Module: -rpm

-Layer: -admin

-

- -rpm_domtrans( - - - - - domain - - - )
-
- -
-

-Execute rpm programs in the rpm domain. -

-
- -
- -
-Module: -rpm

-Layer: -admin

-

- -rpm_manage_db( - - - - - domain - - - )
-
- -
-

-Create, read, write, and delete the RPM package database. -

-
- -
- -
-Module: -rpm

-Layer: -admin

-

- -rpm_manage_log( - - - - - domain - - - )
-
- -
-

-Create, read, write, and delete the RPM log. -

-
- -
- -
-Module: -rpm

-Layer: -admin

-

- -rpm_read_db( - - - - - domain - - - )
-
- -
-

-Read the RPM package database. -

-
- -
- -
-Module: -rpm

-Layer: -admin

-

- -rpm_read_pipe( - - - - - domain - - - )
-
- -
-

-Read from an unnamed RPM pipe. +Execute cardmgr in the cardctl domain, and +allow the specified role the cardmgr domain. +

+
+ +
+ +
+Module: +quota

+Layer: +admin

+

+ +quota_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute quota management tools in the quota domain. +

+
+ +
+ +
+Module: +quota

+Layer: +admin

+

+ +quota_dontaudit_getattr_db( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to get the attributes +of filesystem quota data files. +

+
+ +
+ +
+Module: +quota

+Layer: +admin

+

+ +quota_manage_flags( + + + + + ? + + + )
+
+ +
+

+Summary is missing! +

+
+ +
+ +
+Module: +quota

+Layer: +admin

+

+ +quota_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute quota management tools in the quota domain, and +allow the specified role the quota domain. +

+
+ +
+ +
+Module: +raid

+Layer: +system

+

+ +raid_domtrans_mdadm( + + + + + domain + + + )
+
+ +
+

+Execute software raid tools in the mdadm domain. +

+
+ +
+ +
+Module: +raid

+Layer: +system

+

+ +raid_manage_mdadm_pid( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete the mdadm pid files. +

+
+ +
+ +
+Module: +remotelogin

+Layer: +services

+

+ +remotelogin_domtrans( + + + + + domain + + + )
+
+ +
+

+Domain transition to the remote login domain. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute rpm programs in the rpm domain. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_manage_db( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete the RPM package database. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_manage_log( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete the RPM log. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_read_db( + + + + + domain + + + )
+
+ +
+

+Read the RPM package database. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_read_pipe( + + + + + domain + + + )
+
+ +
+

+Read from an unnamed RPM pipe. +

+
+ +
+ +
+Module: +rpm

+Layer: +admin

+

+ +rpm_run( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+

+Execute RPM programs in the RPM domain.

-Module: +Module: rpm

Layer: admin

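Review bot: quota_manage_flags enters the index in this hunk with "?" as its parameter and "Summary is missing!" as its summary, while other hunks in this patch replace exactly that placeholder with real text. For a release update, give the interface a summary and a named parameter like its neighbours quota_domtrans and quota_run, so a policy writer can tell what access it grants before calling it.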
-rpm_run( +rpm_rw_pipe( @@ -30789,41 +32997,25 @@ admin

domain - - , - - - - role - - - - , - - - - terminal - - )

-Execute RPM programs in the RPM domain. +Read and write an unnamed RPM pipe.

-Module: +Module: rpm

Layer: admin

-rpm_rw_pipe( +rpm_use_fd( @@ -30836,20 +33028,20 @@ admin

-Read and write an unnamed RPM pipe. +Inherit and use file descriptors from RPM.

-Module: +Module: rpm

Layer: admin

-rpm_use_fd( +rpm_use_script_fd( @@ -30862,20 +33054,20 @@ admin

-Inherit and use file descriptors from RPM. +Inherit and use file descriptors from RPM scripts.

-Module: -rpm

-Layer: -admin

+Module: +rshd

+Layer: +services

-rpm_use_script_fd( +rshd_domtrans( @@ -30888,7 +33080,7 @@ admin

-Inherit and use file descriptors from RPM scripts. +Domain transition to rshd.

@@ -30940,7 +33132,7 @@ kernel

- +Calculate the default type for object creation.

@@ -30966,7 +33158,7 @@ kernel

- +Calculate the context for relabeling objects.

@@ -31189,7 +33381,7 @@ kernel

-Allow caller to set selinux security parameters. +Allow caller to set SELinux access vector cache parameters.

@@ -31215,7 +33407,7 @@ kernel

-Unconfined access to the SELinux security server. +Unconfined access to the SELinux kernel security server.

@@ -31265,6 +33457,12 @@ services

)

+
+

+Domain transition to sendmail. +

+
+
@@ -31311,6 +33509,12 @@ system

)

+
+

+Execute checkpolicy in the checkpolicy domain. +

+
+
@@ -31331,6 +33535,12 @@ system

)

+
+

+Execute load_policy in the load_policy domain. +

+
+
@@ -31351,6 +33561,12 @@ system

)

+
+

+Execute newrole in the load_policy domain. +

+
+
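Review bot: The summary added here, "Execute newrole in the load_policy domain.", names the wrong domain and looks copied from the load_policy entry in the previous hunk. The run-form summary added later in this patch reads "Execute newrole in the newrole domain, and allow the specified role the newrole domain", so this line should say "Execute newrole in the newrole domain." A wrong domain name in a transition summary is worth fixing before release, since readers pick interfaces from this index.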
@@ -31371,6 +33587,12 @@ system

)

+
+

+Execute restorecon in the restorecon domain. +

+
+
@@ -31391,6 +33613,12 @@ system

)

+
+

+Execute run_init in the run_init domain. +

+
+
@@ -31411,6 +33639,12 @@ system

)

+
+

+Execute setfiles in the setfiles domain. +

+
+
@@ -31458,6 +33692,13 @@ system

)

+
+

+Do not audit the caller attempts to send +a signal to newrole. +

+
+
@@ -31816,6 +34057,12 @@ system

)

+
+

+Allow the caller to relabel a file to the binary policy type. +

+
+
@@ -31852,6 +34099,15 @@ system

)

+
+

+Execute checkpolicy in the checkpolicy domain, and +allow the specified role the checkpolicy domain, +and use the caller's terminal. +Has a SIGCHLD signal backchannel. +

+
+
@@ -31888,6 +34144,15 @@ system

)

+
+

+Execute load_policy in the load_policy domain, and +allow the specified role the load_policy domain, +and use the caller's terminal. +Has a SIGCHLD signal backchannel. +

+
+
@@ -31924,6 +34189,14 @@ system

)

+
+

+Execute newrole in the newrole domain, and +allow the specified role the newrole domain, +and use the caller's terminal. +

+
+
@@ -31960,6 +34233,14 @@ system

)

+
+

+Execute restorecon in the restorecon domain, and +allow the specified role the restorecon domain, +and use the caller's terminal. +

+
+
@@ -31996,6 +34277,14 @@ system

)

+
+

+Execute run_init in the run_init domain, and +allow the specified role the run_init domain, +and use the caller's terminal. +

+
+
@@ -32032,6 +34321,14 @@ system

)

+
+

+Execute setfiles in the setfiles domain, and +allow the specified role the setfiles domain, +and use the caller's terminal. +

+
+
@@ -32987,6 +35284,33 @@ a tape device.
+Module: +sysnetwork

+Layer: +system

+

+ +sysnet_create_config( + + + + + domain + + + )
+
+ +
+

+Create files in /etc with the type used for +the network config files. +

+
+ +
+ +
Module: sysnetwork

Layer: @@ -33004,6 +35328,12 @@ system

)

+
+

+Execute dhcp client in dhcpc domain. +

+
+
@@ -33024,6 +35354,12 @@ system

)

+
+

+Execute ifconfig in the ifconfig domain. +

+
+
@@ -33190,6 +35526,14 @@ system

)

+
+

+Execute ifconfig in the ifconfig domain, and +allow the specified role the ifconfig domain, +and use the caller's terminal. +

+
+
@@ -33348,6 +35692,12 @@ kernel

)

+
+

+Create a pty in the /dev/pts directory. +

+
+
@@ -33368,6 +35718,14 @@ kernel

)

+
+

+Do not audit attempts to get the +attributes of any user pty +device nodes. +

+
+
@@ -33388,6 +35746,14 @@ kernel

)

+
+

+Do not audit attempts to get the +attributes of any user tty +device nodes. +

+
+
@@ -33408,6 +35774,13 @@ kernel

)

+
+

+Do not audit attempts to get the attributes +of all unallocated tty device nodes. +

+
+
@@ -33428,6 +35801,40 @@ kernel

)

+
+

+Do not audit attempts to read the +/dev/pts directory. +

+
+ + + +
+Module: +terminal

+Layer: +kernel

+

+ +term_dontaudit_manage_pty_dir( + + + + + domain + + + )
+
+ +
+

+Do not audit attempts to create, read, +write, or delete the /dev/pts directory. +

+
+
@@ -33448,6 +35855,13 @@ kernel

)

+
+

+Do not audit attempts to read any +user ptys. +

+
+
@@ -33468,6 +35882,13 @@ kernel

)

+
+

+Do not audit attempts to read or write +any user ttys. +

+
+
@@ -33488,6 +35909,13 @@ kernel

)

+
+

+Do not audit attemtps to read from +or write to the console. +

+
+
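Review bot: "attemtps" in the added summary is a typo for "attempts"; the other dontaudit summaries in this file spell it correctly. The same misspelling appears in the unchanged kernel_terminal.html context line for this interface, so the correction belongs in the text both pages are built from.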
@@ -33508,6 +35936,14 @@ kernel

)

+
+

+Dot not audit attempts to read and +write the generic pty type. This is +generally only used in the targeted policy. +

+
+
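Review bot: The added summary opens with "Dot not audit attempts", which should read "Do not audit attempts" like the other dontaudit entries. The identical wording shows up as a context line in kernel_terminal.html, so fix it in the interface documentation rather than in this page alone.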
@@ -33528,6 +35964,13 @@ kernel

)

+
+

+Do not audit attempts to read and +write the pty multiplexor (/dev/ptmx). +

+
+
@@ -33548,6 +35991,13 @@ kernel

)

+
+

+Do not audit attempts to read or +write unallocated ttys. +

+
+
@@ -33568,6 +36018,13 @@ kernel

)

+
+

+Get the attributes of all user +pty device nodes. +

+
+
@@ -33588,6 +36045,13 @@ kernel

)

+
+

+Get the attributes of all user tty +device nodes. +

+
+
@@ -33608,6 +36072,13 @@ kernel

)

+
+

+Get the attributes of all unallocated +tty device nodes. +

+
+
@@ -33628,6 +36099,13 @@ kernel

)

+
+

+Read the /dev/pts directory to +list all ptys. +

+
+
@@ -33648,6 +36126,13 @@ kernel

)

+
+

+Transform specified type into a pty type +used by login programs, such as sshd. +

+
+
@@ -33668,6 +36153,12 @@ kernel

)

+
+

+Transform specified type into a pty type. +

+
+
@@ -33688,6 +36179,13 @@ kernel

)

+
+

+Relabel from and to all user +user pty device nodes. +

+
+
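Review bot: The added summary repeats a word across its line break and reads "all user user pty device nodes". It should be "Relabel from and to all user pty device nodes." The next hunk adds the tty counterpart with the same doubled "user".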
@@ -33708,6 +36206,13 @@ kernel

)

+
+

+Relabel from and to all user +user tty device nodes. +

+
+
@@ -33728,6 +36233,13 @@ kernel

)

+
+

+Relabel from and to the unallocated +tty type. +

+
+
@@ -33774,6 +36286,13 @@ kernel

)

+
+

+Relabel from all user tty types to +the unallocated tty type. +

+
+
@@ -33821,6 +36340,13 @@ kernel

)

+
+

+Set the attributes of all user tty +device nodes. +

+
+
@@ -33841,6 +36367,13 @@ kernel

)

+
+

+Set the attributes of the console +device node. +

+
+
@@ -33861,6 +36394,13 @@ kernel

)

+
+

+Set the attributes of all unallocated +tty device nodes. +

+
+
@@ -33881,6 +36421,12 @@ kernel

)

+
+

+Transform specified type into a tty type. +

+
+
@@ -33901,6 +36447,13 @@ kernel

)

+
+

+Read and write the console, all +ttys and all ptys. +

+
+
@@ -33921,6 +36474,12 @@ kernel

)

+
+

+Read and write all user ptys. +

+
+
@@ -33941,6 +36500,12 @@ kernel

)

+
+

+Read and write all user to all user ttys. +

+
+
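Review bot: "Read and write all user to all user ttys." does not parse. The pty counterpart added in the previous hunk reads "Read and write all user ptys.", so this one should presumably be "Read and write all user ttys."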
@@ -33961,6 +36526,12 @@ kernel

)

+
+

+Read from and write to the console. +

+
+
@@ -33981,6 +36552,13 @@ kernel

)

+
+

+Read and write the controlling +terminal (/dev/tty). +

+
+
@@ -34001,6 +36579,14 @@ kernel

)

+
+

+Read and write the generic pty +type. This is generally only used in +the targeted policy. +

+
+
@@ -34021,6 +36607,12 @@ kernel

)

+
+

+Read and write unallocated ttys. +

+
+
@@ -34049,6 +36641,14 @@ kernel

)

+
+

+Transform specified type into an user +pty type. This allows it to be relabeled via +type change by login programs such as ssh. +

+
+
@@ -34069,6 +36669,12 @@ kernel

)

+
+

+Write to all user ttys. +

+
+
@@ -34089,6 +36695,12 @@ kernel

)

+
+

+Write to the console. +

+
+
@@ -34109,6 +36721,38 @@ kernel

)

+
+

+Write to unallocated ttys. +

+
+ + + +
+Module: +tmpreaper

+Layer: +admin

+

+ +tmpreaper_exec( + + + + + domain + + + )
+
+ +
+

+Execute tmpreaper in the caller domain. +

+
+
@@ -34329,6 +36973,12 @@ system

)

+
+

+Execute specified programs in the unconfined domain. +

+
+
@@ -34436,6 +37086,98 @@ Inherit file descriptors from the unconfined domain.
+Module: +updfstab

+Layer: +admin

+

+ +updfstab_domtrans( + + + + + domain + + + )
+
+ +
+

+Execute updfstab in the updfstab domain. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_create_user_home( + + + + + domain + + + + , + + + + [ + + object_class + + ] + + + )
+
+ +
+

+Create objects in generic user home directories +with automatic file type transition. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_create_user_home_dir( + + + + + domain + + + )
+
+ +
+

+Create generic user home directories +with automatic file type transition. +

+
+ +
+ +
Module: userdomain

Layer: @@ -34622,6 +37364,169 @@ user ttys.

+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_dir( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete +generic user home directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_dirs( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete +subdirectories of generic user +home directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_files( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete files +in generic user home directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_pipes( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete named +pipes in generic user home directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_sockets( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete named +sockets in generic user home directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_symlinks( + + + + + domain + + + )
+
+ +
+

+Create, read, write, and delete symbolic +links in generic user home directories. +

+
+ +
+ +
Module: userdomain

Layer: @@ -35163,6 +38068,12 @@ admin

)

+
+

+Execute chfn in the chfn domain. +

+
+
@@ -35183,6 +38094,12 @@ admin

)

+
+

+Execute groupadd in the groupadd domain. +

+
+
@@ -35203,6 +38120,12 @@ admin

)

+
+

+Execute passwd in the passwd domain. +

+
+
@@ -35223,6 +38146,12 @@ admin

)

+
+

+Execute useradd in the useradd domain. +

+
+
@@ -35285,6 +38214,13 @@ admin

)

+
+

+Execute chfn in the chfn domain, and +allow the specified role the chfn domain. +

+
+
@@ -35321,6 +38257,13 @@ admin

)

+
+

+Execute groupadd in the groupadd domain, and +allow the specified role the groupadd domain. +

+
+
@@ -35357,6 +38300,13 @@ admin

)

+
+

+Execute passwd in the passwd domain, and +allow the specified role the passwd domain. +

+
+
@@ -35393,6 +38343,13 @@ admin

)

+
+

+Execute useradd in the useradd domain, and +allow the specified role the useradd domain. +

+
+ diff --git a/www/api-docs/kernel_devices.html b/www/api-docs/kernel_devices.html index 9a03722..77945a0 100644 --- a/www/api-docs/kernel_devices.html +++ b/www/api-docs/kernel_devices.html @@ -106,6 +106,8 @@ Additionally, this module controls access to three things:

+

This module is required to be included in all policies.

+

Interfaces:

diff --git a/www/api-docs/kernel_filesystem.html b/www/api-docs/kernel_filesystem.html index 8486a7a..14435a5 100644 --- a/www/api-docs/kernel_filesystem.html +++ b/www/api-docs/kernel_filesystem.html @@ -736,6 +736,49 @@ No + +
+ + +
+ +fs_get_xattr_fs_quota( + + + + + domain + + + )
+
+
+ +
Summary
+

+Get the filesystem quotas of a filesystem +with extended attributes. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the domain mounting the filesystem. + + +No +
+
+
+
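Review bot: The domain parameter of fs_get_xattr_fs_quota is described as "The type of the domain mounting the filesystem.", which does not match the summary (getting filesystem quotas) and reads as carried over from a mount interface. Describe the caller by what the interface grants, for example "Domain allowed access." as the kernel_selinux.html hunks in this patch do. The fs_set_xattr_fs_quota entry added further down in this file carries the same description.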
@@ -3660,6 +3703,90 @@ No
+ +
+ + +
+ +fs_search_cifs( + + + + + domain + + + )
+
+
+ +
Summary
+

+Search directories on a CIFS or SMB filesystem. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the domain reading the files. + + +No +
+
+
+ + +
+ + +
+ +fs_search_nfs( + + + + + domain + + + )
+
+
+ +
Summary
+

+Search directories on a NFS filesystem. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the domain reading the files. + + +No +
+
+
+
@@ -3744,6 +3871,49 @@ No
+ +
+ + +
+ +fs_set_xattr_fs_quota( + + + + + domain + + + )
+
+
+ +
Summary
+

+Set the filesystem quotas of a filesystem +with extended attributes. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the domain mounting the filesystem. + + +No +
+
+
+
diff --git a/www/api-docs/kernel_kernel.html b/www/api-docs/kernel_kernel.html index 2c9989b..e831885 100644 --- a/www/api-docs/kernel_kernel.html +++ b/www/api-docs/kernel_kernel.html @@ -518,6 +518,48 @@ No
+ +
+ + +
+ +kernel_dontaudit_write_kernel_sysctl( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to write generic kernel sysctls. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to not audit. + + +No +
+
+
+
diff --git a/www/api-docs/kernel_selinux.html b/www/api-docs/kernel_selinux.html index be0e510..73b0e1e 100644 --- a/www/api-docs/kernel_selinux.html +++ b/www/api-docs/kernel_selinux.html @@ -155,7 +155,7 @@ No
Summary

- +Calculate the default type for object creation.

@@ -167,7 +167,7 @@ No domain - +Domain allowed access. No @@ -197,10 +197,21 @@ No
Summary

- +Calculate the context for relabeling objects.

+
Description
+

+

+Calculate the context for relabeling objects. +This is determined by using the type_change +rules in the policy, and is generally used +for determining the context for relabeling +a terminal when a user logs in. +

+

+
Parameters
@@ -209,7 +220,7 @@ No domain
Parameter:Description:Optional:
-The process type to +Domain allowed access. No @@ -467,6 +478,18 @@ enable or disable conditional portions of the policy.

+
Description
+

+

+Allow caller to set the state of Booleans to +enable or disable conditional portions of the policy. +

+

+Since this is a security event, this action is +always audited. +

+

+
Parameters
@@ -520,6 +543,18 @@ Allow caller to set the mode of policy enforcement

+
Description
+

+

+Allow caller to set the mode of policy enforcement +(enforcing or permissive mode). +

+

+Since this is a security event, this action is +always audited. +

+

+
Parameters
Parameter:Description:Optional:
@@ -558,10 +593,23 @@ No
Summary

-Allow caller to set selinux security parameters. +Allow caller to set SELinux access vector cache parameters.

+
Description
+

+

+Allow caller to set SELinux access vector cache parameters. +The allows the domain to set performance related parameters +of the AVC, such as cache threshold. +

+

+Since this is a security event, this action is +always audited. +

+

+
Parameters
Parameter:Description:Optional:
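Review bot: In the new Description paragraph, "The allows the domain to set performance related parameters" should read "This allows the domain to set performance related parameters". The first sentence of the Description also repeats the Summary word for word, so the paragraph could start directly with what the AVC parameters are and keep the "always audited" statement as its second part.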
@@ -600,7 +648,7 @@ No
Summary

-Unconfined access to the SELinux security server. +Unconfined access to the SELinux kernel security server.

diff --git a/www/api-docs/kernel_terminal.html b/www/api-docs/kernel_terminal.html index 1d7ed1c..4fd469c 100644 --- a/www/api-docs/kernel_terminal.html +++ b/www/api-docs/kernel_terminal.html @@ -85,6 +85,8 @@

Policy for terminals.

+

This module is required to be included in all policies.

+

Interfaces:

@@ -115,12 +117,12 @@
- -
Description
+
Summary

Create a pty in the /dev/pts directory.

+
Parameters
Parameter:Description:Optional:
@@ -167,14 +169,14 @@ No
- -
Description
+
Summary

Do not audit attempts to get the attributes of any user pty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -211,14 +213,14 @@ No
- -
Description
+
Summary

Do not audit attempts to get the attributes of any user tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -255,13 +257,13 @@ No
- -
Description
+
Summary

Do not audit attempts to get the attributes of all unallocated tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -298,13 +300,56 @@ No
- -
Description
+
Summary

Do not audit attempts to read the -/dev/pts directory to. +/dev/pts directory. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process to not audit. + + +No +
+ + + + +
+ + +
+ +term_dontaudit_manage_pty_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to create, read, +write, or delete the /dev/pts directory.

+
Parameters
@@ -341,13 +386,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read any user ptys.

+
Parameters
Parameter:Description:Optional:
@@ -384,13 +429,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read or write any user ttys.

+
Parameters
Parameter:Description:Optional:
@@ -427,13 +472,13 @@ No
- -
Description
+
Summary

Do not audit attemtps to read from or write to the console.

+
Parameters
Parameter:Description:Optional:
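Review bot: The context line "Do not audit attemtps to read from or write to the console." still carries the typo "attemtps". This hunk already touches the entry to retitle Description as Summary, so correct it to "attempts" in the same change. If this HTML is generated, the fix belongs in the interface's source comment so that it does not reappear on the next build.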
@@ -470,14 +515,14 @@ No
- -
Description
+
Summary

Dot not audit attempts to read and write the generic pty type. This is generally only used in the targeted policy.

+
Parameters
Parameter:Description:Optional:
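Review bot: The Summary text kept as context here begins "Dot not audit attempts to read and write the generic pty type."; "Dot" should be "Do". The entry is being retitled in this hunk anyway, so the wording fix can go in with it.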
@@ -514,13 +559,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read and write the pty multiplexor (/dev/ptmx).

+
Parameters
Parameter:Description:Optional:
@@ -557,13 +602,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read or write unallocated ttys.

+
Parameters
Parameter:Description:Optional:
@@ -600,13 +645,13 @@ No
- -
Description
+
Summary

Get the attributes of all user pty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -643,13 +688,13 @@ No
- -
Description
+
Summary

Get the attributes of all user tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -686,13 +731,13 @@ No
- -
Description
+
Summary

Get the attributes of all unallocated tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -729,13 +774,13 @@ No
- -
Description
+
Summary

Read the /dev/pts directory to list all ptys.

+
Parameters
Parameter:Description:Optional:
@@ -772,13 +817,13 @@ No
- -
Description
+
Summary

Transform specified type into a pty type used by login programs, such as sshd.

+
Parameters
Parameter:Description:Optional:
@@ -815,12 +860,12 @@ No
- -
Description
+
Summary

Transform specified type into a pty type.

+
Parameters
Parameter:Description:Optional:
@@ -857,13 +902,13 @@ No
- -
Description
+
Summary

Relabel from and to all user user pty device nodes.

+
Parameters
Parameter:Description:Optional:
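Review bot: The Summary carried through this hunk reads "Relabel from and to all user user pty device nodes." with "user" doubled. Drop the duplicate word while the entry is being retitled.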
@@ -900,13 +945,13 @@ No
- -
Description
+
Summary

Relabel from and to all user user tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -943,13 +988,13 @@ No
- -
Description
+
Summary

Relabel from and to the unallocated tty type.

+
Parameters
Parameter:Description:Optional:
@@ -1028,13 +1073,13 @@ No
- -
Description
+
Summary

Relabel from all user tty types to the unallocated tty type.

+
Parameters
Parameter:Description:Optional:
@@ -1114,13 +1159,13 @@ No
- -
Description
+
Summary

Set the attributes of all user tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1157,13 +1202,13 @@ No
- -
Description
+
Summary

Set the attributes of the console device node.

+
Parameters
Parameter:Description:Optional:
@@ -1200,13 +1245,13 @@ No
- -
Description
+
Summary

Set the attributes of all unallocated tty device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1243,12 +1288,12 @@ No
- -
Description
+
Summary

Transform specified type into a tty type.

+
Parameters
Parameter:Description:Optional:
@@ -1285,13 +1330,13 @@ No
- -
Description
+
Summary

Read and write the console, all ttys and all ptys.

+
Parameters
Parameter:Description:Optional:
@@ -1328,12 +1373,12 @@ No
- -
Description
+
Summary

Read and write all user ptys.

+
Parameters
Parameter:Description:Optional:
@@ -1370,12 +1415,12 @@ No
- -
Description
+
Summary

Read and write all user to all user ttys.

+
Parameters
Parameter:Description:Optional:
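Review bot: The Summary kept here, "Read and write all user to all user ttys.", is garbled. The neighbouring pty entry reads "Read and write all user ptys.", so "Read and write all user ttys." looks like the intended wording. Fix it alongside the Description to Summary retitle.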
@@ -1412,12 +1457,12 @@ No
- -
Description
+
Summary

Read from and write to the console.

+
Parameters
Parameter:Description:Optional:
@@ -1454,13 +1499,13 @@ No
- -
Description
+
Summary

Read and write the controlling terminal (/dev/tty).

+
Parameters
Parameter:Description:Optional:
@@ -1497,14 +1542,14 @@ No
- -
Description
+
Summary

Read and write the generic pty type. This is generally only used in the targeted policy.

+
Parameters
Parameter:Description:Optional:
@@ -1541,12 +1586,12 @@ No
- -
Description
+
Summary

Read and write unallocated ttys.

+
Parameters
Parameter:Description:Optional:
@@ -1591,14 +1636,14 @@ No
- -
Description
+
Summary

Transform specified type into an user pty type. This allows it to be relabeled via type change by login programs such as ssh.

+
Parameters
Parameter:Description:Optional:
@@ -1646,12 +1691,12 @@ No
- -
Description
+
Summary

Write to all user ttys.

+
Parameters
Parameter:Description:Optional:
@@ -1688,12 +1733,12 @@ No
- -
Description
+
Summary

Write to the console.

+
Parameters
Parameter:Description:Optional:
@@ -1730,12 +1775,12 @@ No
- -
Description
+
Summary

Write to unallocated ttys.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/services.html b/www/api-docs/services.html index cdb02aa..b87ed07 100644 --- a/www/api-docs/services.html +++ b/www/api-docs/services.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -102,11 +129,26 @@ + + + + + + + + + @@ -117,11 +159,21 @@ + + + + + + @@ -132,11 +184,26 @@ + + + + + + + + + @@ -146,6 +213,11 @@ ssh + + + diff --git a/www/api-docs/services_bind.html b/www/api-docs/services_bind.html new file mode 100644 index 0000000..53c345d --- /dev/null +++ b/www/api-docs/services_bind.html @@ -0,0 +1,377 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: bind

+ +

Description:

+ +

Berkeley internet name domain DNS server.

+ + + + +

Interfaces:

+ + +
+ + +
+ +bind_domtrans_ndc( + + + + + domain + + + )
+
+
+ +
Summary
+

+Execute ndc in the ndc domain. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + bind

Berkeley internet name domain DNS server.

cron

Periodic execution of scheduled commands.

+ + gpm

General Purpose Mouse driver

+ + howl

Port of Apple Rendezvous multicast DNS

inetd

Internet services daemon.

MIT Kerberos admin and KDC

+ + ldap

OpenLDAP directory server

mta

Policy common to all email tranfer agents.

+ + mysql

Policy for MySQL

nis

Policy for NIS (YP) servers and clients

Name service cache daemon

+ + privoxy

Privacy enhancing web proxy.

remotelogin

Policy for rshd, rlogind, and telnetd.

+ + rshd

Remote shell service.

+ + rsync

Fast incremental file transfer for synchronization

sendmail

Policy for sendmail.

Secure shell client and server policy.

+ + tcpd

Policy for TCP daemon.

+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +bind_read_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read BIND named configuration files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +bind_run_ndc( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ +
Summary
+

+Execute ndc in the ndc domain, and +allow the specified role the ndc domain. +

+ + +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to be allowed the bind domain. + + +No +
+terminal + + +The type of the terminal allow the bind domain to use. + + +No +
+
+
+ + +
+ + +
+ +bind_setattr_pid_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to set the attributes +of the BIND pid directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +bind_write_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Write BIND named configuration files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
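Review bot: bind_setattr_pid_dir is documented inconsistently. Its Summary says "Do not audit attempts to set the attributes of the BIND pid directory", but the interface name has no dontaudit prefix and its parameter reads "Domain allowed access." An allow and a dontaudit have opposite consequences for a caller (one grants setattr, the other only silences the denial), so either rename the interface along the lines of gpm_dontaudit_getattr_gpmctl, added in this same commit, or correct the Summary and parameter text. In bind_run_ndc, the role and terminal parameters refer to "the bind domain" while the Summary says the role is allowed the ndc domain; those two descriptions should say ndc.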
+ + +Return + + + + + + diff --git a/www/api-docs/services_cron.html b/www/api-docs/services_cron.html index 1005627..e0e66a0 100644 --- a/www/api-docs/services_cron.html +++ b/www/api-docs/services_cron.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  diff --git a/www/api-docs/services_gpm.html b/www/api-docs/services_gpm.html new file mode 100644 index 0000000..f4d94b8 --- /dev/null +++ b/www/api-docs/services_gpm.html @@ -0,0 +1,259 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: gpm

+ +

Description:

+ +

General Purpose Mouse driver

+ + + + +

Interfaces:

+ + +
+ + +
+ +gpm_dontaudit_getattr_gpmctl( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to get the +attributes of the GPM control channel +named socket. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +gpm_getattr_gpmctl( + + + + + domain + + + )
+
+
+ +
Summary
+

+Get the attributes of the GPM +control channel named socket. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +gpm_setattr_gpmctl( + + + + + domain + + + )
+
+
+ +
Summary
+

+Set the attributes of the GPM +control channel named socket. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +Return + + + +
+ + diff --git a/www/api-docs/services_howl.html b/www/api-docs/services_howl.html new file mode 100644 index 0000000..bc827ce --- /dev/null +++ b/www/api-docs/services_howl.html @@ -0,0 +1,123 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: howl

+ +

Description:

+ +

Port of Apple Rendezvous multicast DNS

+ + + + + +
+ + diff --git a/www/api-docs/services_inetd.html b/www/api-docs/services_inetd.html index 4fe1bca..dc5d765 100644 --- a/www/api-docs/services_inetd.html +++ b/www/api-docs/services_inetd.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -161,6 +188,48 @@ No + +
+ + +
+ +inetd_domtrans_child( + + + + + domain + + + )
+
+
+ +
Summary
+

+Run inetd child process in the inet child domain +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -221,13 +290,13 @@ No
- +
-inetd_tcp_connectto( +inetd_tcp_connect( @@ -383,6 +452,48 @@ No
+ +
+ + +
+ +inetd_use_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit and use file descriptors from inetd. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ Return diff --git a/www/api-docs/services_kerberos.html b/www/api-docs/services_kerberos.html index feee704..0bc7c12 100644 --- a/www/api-docs/services_kerberos.html +++ b/www/api-docs/services_kerberos.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -112,13 +139,13 @@ Clients:

Interfaces:

- +
-kerberos_read_conf( +kerberos_read_config( @@ -154,6 +181,48 @@ No
+ +
+ + +
+ +kerberos_rw_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write the kerberos configuration file (/etc/krb5.conf). +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
diff --git a/www/api-docs/services_ldap.html b/www/api-docs/services_ldap.html new file mode 100644 index 0000000..e33a18e --- /dev/null +++ b/www/api-docs/services_ldap.html @@ -0,0 +1,214 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: ldap

+ +

Description:

+ +

OpenLDAP directory server

+ + + + +

Interfaces:

+ + +
+ + +
+ +ldap_list_db_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read the contents of the OpenLDAP +database directories. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +ldap_read_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read the OpenLDAP configuration files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +Return + + + +
+ + diff --git a/www/api-docs/services_mta.html b/www/api-docs/services_mta.html index 4da53ac..8ba217a 100644 --- a/www/api-docs/services_mta.html +++ b/www/api-docs/services_mta.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -366,12 +393,12 @@ No
- -
Description
+
Summary

Read mail address aliases.

+
Parameters
diff --git a/www/api-docs/services_mysql.html b/www/api-docs/services_mysql.html new file mode 100644 index 0000000..8cc11fb --- /dev/null +++ b/www/api-docs/services_mysql.html @@ -0,0 +1,424 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: mysql

+ +

Description:

+ +

Policy for MySQL

+ + + + +

Interfaces:

+ + +
+ + +
+ +mysql_manage_db_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete MySQL database directories. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+ + + +
+ + +
+ +mysql_read_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read MySQL configuration files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +mysql_rw_db_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write to the MySQL database directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +mysql_search_db_dir( + + + + + domain + + + )
+
+
+ +
Summary
+

+Search the directories that contain MySQL +database storage. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +mysql_signal( + + + + + domain + + + )
+
+
+ +
Summary
+

+Send a generic signal to MySQL. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +mysql_stream_connect( + + + + + domain + + + )
+
+
+ +
Summary
+

+Connect to MySQL using a unix domain stream socket. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +mysql_write_log( + + + + + domain + + + )
+
+
+ +
Summary
+

+Write to the MySQL log. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +Return + + + + + + diff --git a/www/api-docs/services_nis.html b/www/api-docs/services_nis.html index b58cbca..945476b 100644 --- a/www/api-docs/services_nis.html +++ b/www/api-docs/services_nis.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  diff --git a/www/api-docs/services_nscd.html b/www/api-docs/services_nscd.html index 6a24dba..443f019 100644 --- a/www/api-docs/services_nscd.html +++ b/www/api-docs/services_nscd.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  diff --git a/www/api-docs/services_privoxy.html b/www/api-docs/services_privoxy.html new file mode 100644 index 0000000..672dbc9 --- /dev/null +++ b/www/api-docs/services_privoxy.html @@ -0,0 +1,123 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: privoxy

+ +

Description:

+ +

Privacy enhancing web proxy.

+ + + + + +
+ + diff --git a/www/api-docs/services_remotelogin.html b/www/api-docs/services_remotelogin.html index 794830e..c20291d 100644 --- a/www/api-docs/services_remotelogin.html +++ b/www/api-docs/services_remotelogin.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -110,12 +137,12 @@
- -
Description
+
Summary

Domain transition to the remote login domain.

+
Parameters
diff --git a/www/api-docs/services_rshd.html b/www/api-docs/services_rshd.html new file mode 100644 index 0000000..2d3e2b0 --- /dev/null +++ b/www/api-docs/services_rshd.html @@ -0,0 +1,171 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: rshd

+ +

Description:

+ +

Remote shell service.

+ + + + +

Interfaces:

+ + +
+ + +
+ +rshd_domtrans( + + + + + domain + + + )
+
+
+ +
Summary
+

+Domain transition to rshd. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+ + + +Return + + + + + + diff --git a/www/api-docs/services_rsync.html b/www/api-docs/services_rsync.html new file mode 100644 index 0000000..6494964 --- /dev/null +++ b/www/api-docs/services_rsync.html @@ -0,0 +1,123 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: rsync

+ +

Description:

+ +

Fast incremental file transfer for synchronization

+ + + + + +
+ + diff --git a/www/api-docs/services_sendmail.html b/www/api-docs/services_sendmail.html index 9612b2f..1dc8347 100644 --- a/www/api-docs/services_sendmail.html +++ b/www/api-docs/services_sendmail.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -110,12 +137,12 @@
- -
Description
+
Summary

Domain transition to sendmail.

+
Parameters
diff --git a/www/api-docs/services_ssh.html b/www/api-docs/services_ssh.html index 4064836..c7c7515 100644 --- a/www/api-docs/services_ssh.html +++ b/www/api-docs/services_ssh.html @@ -31,33 +31,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  diff --git a/www/api-docs/services_tcpd.html b/www/api-docs/services_tcpd.html new file mode 100644 index 0000000..9a42120 --- /dev/null +++ b/www/api-docs/services_tcpd.html @@ -0,0 +1,123 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: services

+

Module: tcpd

+ +

Description:

+ +

Policy for TCP daemon.

+ + + + + +
+ + diff --git a/www/api-docs/system_authlogin.html b/www/api-docs/system_authlogin.html index f0d265d..0b3dd82 100644 --- a/www/api-docs/system_authlogin.html +++ b/www/api-docs/system_authlogin.html @@ -146,6 +146,48 @@

Interfaces:

+ +
+ + +
+ +auth_create_login_records( + + + + + ? + + + )
+
+
+ +
Summary
+

+Summary is missing! +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+? + + +Parameter descriptions are missing! + + +No +
+
+ +
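Review bot: auth_create_login_records is published with placeholder documentation: the parameter is "?", the Summary is "Summary is missing!" and the parameter description is "Parameter descriptions are missing!". For an authlogin interface that creates login records, callers need to know what access it grants and to which argument. Add the summary and parameter text before the release docs are regenerated.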
@@ -164,12 +206,12 @@
- -
Description
+
Summary

Delete pam PID files.

+
Parameters
@@ -206,12 +248,12 @@ No
- -
Description
+
Summary

Run unix_chkpwd to check a password.

+
Parameters
Parameter:Description:Optional:
@@ -256,12 +298,12 @@ No
- -
Description
+
Summary

Execute a login_program in the target domain.

+
Parameters
Parameter:Description:Optional:
@@ -308,12 +350,12 @@ No
- -
Description
+
Summary

Execute pam programs in the pam domain.

+
Parameters
Parameter:Description:Optional:
@@ -392,12 +434,12 @@ No
- -
Description
+
Summary

Execute utempter programs in the utempter domain.

+
Parameters
Parameter:Description:Optional:
@@ -477,13 +519,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read the shadow password file (/etc/shadow).

+
Parameters
Parameter:Description:Optional:
@@ -562,12 +604,12 @@ No
- -
Description
+
Summary

Execute the pam program.

+
Parameters
Parameter:Description:Optional:
@@ -688,12 +730,12 @@ No
- -
Description
+
Summary

Use the login program as an entry point program.

+
Parameters
Parameter:Description:Optional:
@@ -742,13 +784,13 @@ No
- -
Description
+
Summary

Manage all files on the filesystem, except the shadow passwords and listed exceptions.

+
Parameters
Parameter:Description:Optional:
@@ -1048,12 +1090,12 @@ No
- -
Description
+
Summary

Read the shadow passwords file (/etc/shadow)

+
Parameters
Parameter:Description:Optional:
@@ -1102,13 +1144,13 @@ No
- -
Description
+
Summary

Relabel all files on the filesystem, except the shadow passwords and listed exceptions.

+
Parameters
Parameter:Description:Optional:
@@ -1214,12 +1256,12 @@ No
- -
Description
+
Summary

Execute pam programs in the PAM domain.

+
Parameters
Parameter:Description:Optional:
@@ -1292,12 +1334,12 @@ No
- -
Description
+
Summary

Execute utempter programs in the utempter domain.

+
Parameters
Parameter:Description:Optional:
@@ -1480,12 +1522,12 @@ No
- -
Description
+
Summary

Read and write the shadow password file (/etc/shadow).

+
Parameters
Parameter:Description:Optional:
@@ -1565,6 +1607,80 @@ No

Templates:

+ +
+ + +
+ +auth_domtrans_user_chk_passwd( + + + + + userdomain_prefix + + + + , + + + + domain + + + )
+
+
+ +
Summary
+

+Run unix_chkpwd to check a password +for a user domain. +

+ + +
Description
+

+

+Run unix_chkpwd to check a password +for a user domain. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+
Parameter:Description:Optional:
+ + + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+domain + + +The type of the process performing this action. + + +No +
+
+ +
diff --git a/www/api-docs/system_clock.html b/www/api-docs/system_clock.html index a58833e..45a5b99 100644 --- a/www/api-docs/system_clock.html +++ b/www/api-docs/system_clock.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute hwclock in the clock domain.

+
Parameters
@@ -203,12 +203,12 @@ No
- -
Description
+
Summary

Execute hwclock in the caller domain.

+
Parameters
Parameter:Description:Optional:
@@ -261,13 +261,13 @@ No
- -
Description
+
Summary

Execute hwclock in the clock domain, and allow the specified role the hwclock domain.

+
Parameters
Parameter:Description:Optional:
@@ -324,12 +324,12 @@ No
- -
Description
+
Summary

Allow executing domain to modify clock drift

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_corecommands.html b/www/api-docs/system_corecommands.html index 9a61b14..0aa14c1 100644 --- a/www/api-docs/system_corecommands.html +++ b/www/api-docs/system_corecommands.html @@ -1207,6 +1207,13 @@ No
+
Summary
+

+Execute a shell in the target domain. This +is an explicit transition, requiring the +caller to use setexeccon(). +

+
Description

diff --git a/www/api-docs/system_domain.html b/www/api-docs/system_domain.html index 18e7ff2..25380ee 100644 --- a/www/api-docs/system_domain.html +++ b/www/api-docs/system_domain.html @@ -148,13 +148,13 @@

Interfaces:

- +
-domain_base_domain_type( +domain_base_type( @@ -349,13 +349,13 @@ No
- -
Description
+
Summary

Do not audit attempts to get the attributes of all domains unix datagram sockets.

+
Parameters
Parameter:Description:Optional:
@@ -392,13 +392,13 @@ No
- -
Description
+
Summary

Do not audit attempts to get the attributes of all domains unnamed pipes.

+
Parameters
Parameter:Description:Optional:
@@ -478,13 +478,13 @@ No
- -
Description
+
Summary

Do not audit attempts to read the process state directories of all domains.

+
Parameters
Parameter:Description:Optional:
@@ -800,6 +800,49 @@ No + +
+ + +
+ +domain_getattr_all_entry_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Get the attributes of entry point +files for all domains. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+ +
@@ -915,12 +958,12 @@ No
- -
Description
+
Summary

Send a kill signal to all domains.

+
Parameters
@@ -957,13 +1000,13 @@ No
- -
Description
+
Summary

Makes caller an exception to the constraint preventing changing the user identity in object contexts.

+
Parameters
Parameter:Description:Optional:
@@ -1084,13 +1127,13 @@ No
- -
Description
+
Summary

Makes caller an exception to the constraint preventing changing of role.

+
Parameters
Parameter:Description:Optional:
@@ -1169,12 +1212,12 @@ No
- -
Description
+
Summary

Send a child terminated signal to all domains.

+
Parameters
Parameter:Description:Optional:
@@ -1254,12 +1297,12 @@ No
- -
Description
+
Summary

Send general signals to all domains.

+
Parameters
Parameter:Description:Optional:
@@ -1296,12 +1339,12 @@ No
- -
Description
+
Summary

Send a null signal to all domains.

+
Parameters
Parameter:Description:Optional:
@@ -1338,12 +1381,12 @@ No
- -
Description
+
Summary

Send a stop signal to all domains.

+
Parameters
Parameter:Description:Optional:
@@ -1380,13 +1423,13 @@ No
- -
Description
+
Summary

Makes caller an exception to the constraint preventing changing of user identity.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_files.html b/www/api-docs/system_files.html index b54badf..7273fb6 100644 --- a/www/api-docs/system_files.html +++ b/www/api-docs/system_files.html @@ -684,48 +684,6 @@ No - -
- - -
- -files_delete_all_tmp_files( - - - - - ? - - - )
-
-
- -
Summary
-

-Summary is missing! -

- - -
Parameters
-
Parameter:Description:Optional:
- - - - -
Parameter:Description:Optional:
-? - - -Parameter descriptions are missing! - - -No -
-
- -
@@ -1196,6 +1154,50 @@ No
+ +
+ + +
+ +files_dontaudit_read_etc_runtime_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to read files +in /etc that are dynamically +created on boot, such as mtab. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to not audit. + + +No +
+
+
+
@@ -1364,6 +1366,48 @@ No
+ +
+ + +
+ +files_dontaudit_search_home( + + + + + domain + + + )
+
+
+ +
Summary
+

+Do not audit attempts to search home directories root. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to not audit. + + +No +
+
+
+
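Review bot: The Summary for files_dontaudit_search_home, "Do not audit attempts to search home directories root.", is ambiguous: "home directories root" can be read as root's home directory rather than the directory that contains user home directories. Reword it, for example "Do not audit attempts to search the root of the home directories.", and use the same phrasing in the files_search_home Summary that this commit changes to "Search home directories root."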
@@ -1713,7 +1757,7 @@ No - ? + domain )
@@ -1722,7 +1766,7 @@ No
Summary

-Summary is missing! +Get the attributes of all files.

@@ -1731,10 +1775,10 @@ Summary is missing!
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +Domain allowed access. No @@ -1912,6 +1956,48 @@ No + +
+ + +
+ +files_getattr_usr_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Get the attributes of files in /usr. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -1965,6 +2051,48 @@ No + domain + + + )
+
+
+ +
Summary
+

+List the contents of all directories. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+ + + +
+ + +
+ +files_list_all_dirs( + + + + ? @@ -2333,6 +2461,48 @@ No
+ +
+ + +
+ +files_list_var_lib( + + + + + domain + + + )
+
+
+ +
Summary
+

+List the contents of the /var/lib directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -2536,7 +2706,7 @@ No - ? + domain )
@@ -2545,7 +2715,9 @@ No
Summary

-Summary is missing! +Create, read, write, and delete files in +/etc that are dynamically created on boot, +such as mtab.

@@ -2554,10 +2726,10 @@ Summary is missing!
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +Domain allowed access. No @@ -2993,18 +3165,18 @@ No - +
-files_manage_urandom_seed( +files_manage_mnt_files( - ? + domain )
@@ -3013,7 +3185,91 @@ No
Summary

-Summary is missing! +Create, read, write, and delete files in /mnt. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +files_manage_mnt_symlinks( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete symbolic links in /mnt. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +files_manage_urandom_seed( + + + + + ? + + + )
+
+
+ +
Summary
+

+Summary is missing!

@@ -3035,6 +3291,134 @@ No
+ +
+ + +
+ +files_manage_var_dirs( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete directories +in the /var directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +files_manage_var_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete files in the /var directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +files_manage_var_symlinks( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete symbolic +links in the /var directory. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -3288,6 +3672,90 @@ No
+ +
+ + +
+ +files_purge_tmp( + + + + + ? + + + )
+
+
+ +
Summary
+

+Summary is missing! +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+? + + +Parameter descriptions are missing! + + +No +
+
+
+ + +
+ + +
+ +files_read_all_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read all files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
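Review bot: files_purge_tmp is added with "Summary is missing!" and a "?" parameter, while files_read_all_files, added right after it in this hunk, is fully documented. A purge of tmp content is the kind of access a policy writer needs spelled out before granting it. Document which object classes and types it deletes and what the domain argument is, in the same form as the neighbouring entries.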
@@ -3330,6 +3798,48 @@ No
+ +
+ + +
+ +files_read_all_symlinks( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read all symbolic links. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -3551,7 +4061,7 @@ No - ? + domain )
@@ -3560,7 +4070,8 @@ No
Summary

-Summary is missing! +Read files in /etc that are dynamically +created on boot, such as mtab.

@@ -3569,10 +4080,10 @@ Summary is missing!
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +Domain allowed access. No @@ -3751,6 +4262,48 @@ No + +
+ + +
+ +files_read_usr_symlinks( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read symbolic links in /usr. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -4153,6 +4706,48 @@ No
+ +
+ + +
+ +files_relabelto_usr_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Relabel a file to the type used in /usr. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+
@@ -4427,7 +5022,7 @@ No
Summary

-Search home directories. +Search home directories root.

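Review bot: The new summary "Search home directories root." does not parse, and it is less clear than the line it replaces. If the intent is the top-level directory that holds the home directories, say so directly, for example "Search the root directory of home directories."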
@@ -4637,7 +5232,7 @@ No
Summary

-Search the tmp directory (/tmp) +Search the tmp directory (/tmp).

@@ -4785,6 +5380,48 @@ No
+ +
+ + +
+ +files_setattr_all_tmp_dirs( + + + + + domain + + + )
+
+
+ +
Summary
+

+Set the attributes of all tmp directories. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+
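Review bot: The parameter description for files_setattr_all_tmp_dirs is "The type of the process performing this action.", while the other files_* interfaces added in this file's diff describe the same domain parameter as "Domain allowed access." Pick one wording for the domain parameter so the generated tables read consistently.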
diff --git a/www/api-docs/system_fstools.html b/www/api-docs/system_fstools.html index 4e57788..b38385f 100644 --- a/www/api-docs/system_fstools.html +++ b/www/api-docs/system_fstools.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute fs tools in the fstools domain.

+
Parameters
@@ -203,11 +203,54 @@ No
+
Summary
+

+Execute fsadm in the caller domain. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+ + + +
+ -
Description
+
+ +fstools_manage_entry_files( + + + + + domain + + + )
+
+
+ +
Summary

- Execute fsadm in the caller domain. -

+Create, read, write, and delete a file used by the +filesystem tools programs. +

+
Parameters
@@ -217,8 +260,51 @@ No domain + +
- The type of the process performing this action. - +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +fstools_relabelto_entry_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Relabel a file to the type used by the +filesystem tools programs. +

+ + +
Parameters
+ + + + @@ -261,13 +347,13 @@ No
- -
Description
+
Summary

Execute fs tools in the fstools domain, and allow the specified role the fs tools domain.

+
Parameters
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + No
diff --git a/www/api-docs/system_getty.html b/www/api-docs/system_getty.html index a26aa51..a426f19 100644 --- a/www/api-docs/system_getty.html +++ b/www/api-docs/system_getty.html @@ -161,11 +161,11 @@
- -
Description
+
Summary

- Execute gettys in the getty domain. -

+Execute gettys in the getty domain. +

+
Parameters
Parameter:Description:Optional:
@@ -175,8 +175,8 @@ domain @@ -203,11 +203,11 @@ No
- -
Description
+
Summary

- Allow process to edit getty config file. -

+Allow process to edit getty config file. +

+
Parameters
- The type of the process performing this action. - +The type of the process performing this action. + No
@@ -217,8 +217,8 @@ No domain @@ -245,11 +245,11 @@ No
- -
Description
+
Summary

- Allow process to read getty config file. -

+Allow process to read getty config file. +

+
Parameters
- The type of the process performing this action. - +The type of the process performing this action. + No
@@ -259,8 +259,8 @@ No domain @@ -287,11 +287,11 @@ No
- -
Description
+
Summary

- Allow process to read getty log file. -

+Allow process to read getty log file. +

+
Parameters
- The type of the process performing this action. - +The type of the process performing this action. + No
@@ -301,8 +301,8 @@ No domain diff --git a/www/api-docs/system_init.html b/www/api-docs/system_init.html index 943e4df..6c999a5 100644 --- a/www/api-docs/system_init.html +++ b/www/api-docs/system_init.html @@ -810,6 +810,133 @@ No + +
+ + +
+ +init_list_script_pids( + + + + + domain + + + )
+
+
+ +
Summary
+

+List the contents of an init script +process id directory. +

+ + +
Parameters
+
- The type of the process performing this action. - +The type of the process performing this action. + No
+ + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +init_read_script( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read init scripts. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +
+ + +
+ +init_read_script_file( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read init scripts. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+
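Review bot: init_read_script and init_read_script_file are added with the identical summary "Read init scripts." and differ only in the parameter description ("Domain allowed access." against "The type of the process performing this action."). A reader cannot tell which one to call. Either state the difference in the summaries or, if one is a leftover of a rename, drop it before the release.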
@@ -928,10 +1055,19 @@ No
+
Summary
+

+Start and stop daemon programs directly. +

+
Description

-Start and stop daemon programs directly. +

+Start and stop daemon programs directly +in the traditional "/etc/init.d/daemon start" +style, and do not require run_init. +

Parameters
@@ -1380,7 +1516,7 @@ No - ? + domain )
@@ -1389,19 +1525,30 @@ No
Summary

-Summary is missing! +Read and write the init script pty.

+
Description
+

+

+Read and write the init script pty. This +pty is generally opened by the open_init_pty +portion of the run_init program so that the +daemon does not require direct access to +the administrator terminal. +

+

+
Parameters
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +The type of the process performing this action. No diff --git a/www/api-docs/system_ipsec.html b/www/api-docs/system_ipsec.html index 141bb74..cd7a440 100644 --- a/www/api-docs/system_ipsec.html +++ b/www/api-docs/system_ipsec.html @@ -143,13 +143,13 @@

Interfaces:

- +
-ipsec_connectto_unix_stream_socket( +ipsec_domtrans( @@ -163,7 +163,7 @@
Summary

-Connect to an IPSEC unix domain stream socket. +Execute ipsec in the ipsec domain.

@@ -185,13 +185,13 @@ No
- +
-ipsec_domtrans( +ipsec_exec_mgmt( @@ -205,7 +205,7 @@ No
Summary

-Execute ipsec in the ipsec domain. +Execute the IPSEC management program in the caller domain.

@@ -227,13 +227,13 @@ No
- +
-ipsec_exec_mgmt( +ipsec_getattr_key_socket( @@ -247,7 +247,7 @@ No
Summary

-Execute the IPSEC management program in the caller domain. +Get the attributes of an IPSEC key socket.

@@ -269,13 +269,13 @@ No
- +
-ipsec_getattr_key_socket( +ipsec_manage_pid( @@ -289,7 +289,7 @@ No
Summary

-Get the attributes of an IPSEC key socket. +Create, read, write, and delete the IPSEC pid files.

@@ -311,13 +311,13 @@ No
- +
-ipsec_manage_pid( +ipsec_read_config( @@ -331,7 +331,7 @@ No
Summary

-Create, read, write, and delete the IPSEC pid files. +Read the IPSEC configuration

@@ -353,13 +353,13 @@ No
- +
-ipsec_read_config( +ipsec_stream_connect( @@ -373,7 +373,7 @@ No
Summary

-Read the IPSEC configuration +Connect to IPSEC using a unix domain stream socket.

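Review bot: The summary added here, "Connect to IPSEC using a unix domain stream socket.", belongs to ipsec_stream_connect, which takes the place of ipsec_connectto_unix_stream_socket removed at the top of this file's diff. The old name disappears from the documentation with no pointer to the new one, so anyone still calling it gets no hint. Mention the rename in the commit message or changelog. Separately, "Read the IPSEC configuration" two hunks up is missing its full stop.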
diff --git a/www/api-docs/system_iptables.html b/www/api-docs/system_iptables.html index 64e13a7..7d64643 100644 --- a/www/api-docs/system_iptables.html +++ b/www/api-docs/system_iptables.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute iptables in the iptables domain.

+
Parameters
@@ -203,12 +203,12 @@ No
- -
Description
+
Summary

Execute iptables in the caller domain.

+
Parameters
Parameter:Description:Optional:
@@ -261,13 +261,13 @@ No
- -
Description
+
Summary

Execute iptables in the iptables domain, and allow the specified role the iptables domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_libraries.html b/www/api-docs/system_libraries.html index b584b79..75d8029 100644 --- a/www/api-docs/system_libraries.html +++ b/www/api-docs/system_libraries.html @@ -398,6 +398,48 @@ No + +
+ + +
+ +libs_relabelto_lib_files( + + + + + domain + + + )
+
+
+ +
Summary
+

+Relabel files to the type used in library directories. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+
diff --git a/www/api-docs/system_logging.html b/www/api-docs/system_logging.html index 041aa38..fbc9875 100644 --- a/www/api-docs/system_logging.html +++ b/www/api-docs/system_logging.html @@ -623,14 +623,14 @@ No
- -
Description
+
Summary

Allows the domain to open a file in the log directory, but does not allow the listing of the contents of the log directory.

+
Parameters
diff --git a/www/api-docs/system_lvm.html b/www/api-docs/system_lvm.html index 6adcd81..421dac9 100644 --- a/www/api-docs/system_lvm.html +++ b/www/api-docs/system_lvm.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute lvm programs in the lvm domain.

+
Parameters
Parameter:Description:Optional:
@@ -203,12 +203,12 @@ No
- -
Description
+
Summary

Read LVM configuration files.

+
Parameters
Parameter:Description:Optional:
@@ -261,12 +261,12 @@ No
- -
Description
+
Summary

Execute lvm programs in the lvm domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_modutils.html b/www/api-docs/system_modutils.html index 4fc6849..5d61c09 100644 --- a/www/api-docs/system_modutils.html +++ b/www/api-docs/system_modutils.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute depmod in the depmod domain.

+
Parameters
Parameter:Description:Optional:
@@ -203,12 +203,12 @@ No
- -
Description
+
Summary

Execute insmod in the insmod domain.

+
Parameters
Parameter:Description:Optional:
@@ -245,12 +245,12 @@ No
- -
Description
+
Summary

Execute depmod in the depmod domain.

+
Parameters
Parameter:Description:Optional:
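Review bot: The unchanged summary in this hunk, "Execute depmod in the depmod domain.", is the same text as the summary at line 161 of this file, with the insmod entry at line 203 in between. If this third entry documents a different program, the summary looks copied from the first one and should be corrected in the interface source while the Description to Summary heading is being changed anyway.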
@@ -413,12 +413,12 @@ No
- -
Description
+
Summary

Read the dependencies of kernel modules.

+
Parameters
Parameter:Description:Optional:
@@ -455,13 +455,13 @@ No
- -
Description
+
Summary

Read the configuration options used when loading modules.

+
Parameters
Parameter:Description:Optional:
@@ -514,12 +514,12 @@ No
- -
Description
+
Summary

Execute depmod in the depmod domain.

+
Parameters
Parameter:Description:Optional:
@@ -592,8 +592,7 @@ No
- -
Description
+
Summary

Execute insmod in the insmod domain, and allow the specified role the insmod domain, @@ -601,6 +600,7 @@ and use the caller's terminal. Has a sigchld backchannel.

+
Parameters
Parameter:Description:Optional:
@@ -673,12 +673,12 @@ No
- -
Description
+
Summary

Execute update_modules in the update_modules domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_mount.html b/www/api-docs/system_mount.html index 9f37162..e9cafd9 100644 --- a/www/api-docs/system_mount.html +++ b/www/api-docs/system_mount.html @@ -161,12 +161,12 @@
- -
Description
+
Summary

Execute mount in the mount domain.

+
Parameters
Parameter:Description:Optional:
@@ -219,14 +219,14 @@ No
- -
Description
+
Summary

Execute mount in the mount domain, and allow the specified role the mount domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
@@ -283,12 +283,12 @@ No
- -
Description
+
Summary

- Allow the mount domain to send nfs requests for mounting - network drives -

+Allow the mount domain to send nfs requests for mounting +network drives +

+
Parameters
Parameter:Description:Optional:
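Review bot: The re-indented summary "Allow the mount domain to send nfs requests for mounting network drives" still lacks a terminating full stop, unlike the other summaries touched in this file. It also reads as a grant to the mount domain, whereas the parameter is the calling domain. Reword it so it is clear which side receives the access.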
@@ -298,8 +298,8 @@ No domain @@ -326,11 +326,11 @@ No
- -
Description
+
Summary

- Use file descriptors for mount. -

+Use file descriptors for mount. +

+
Parameters
- The type of the process performing this action. - +The type of the process performing this action. + No
@@ -340,8 +340,8 @@ No domain diff --git a/www/api-docs/system_selinuxutil.html b/www/api-docs/system_selinuxutil.html index 96f9534..74bff53 100644 --- a/www/api-docs/system_selinuxutil.html +++ b/www/api-docs/system_selinuxutil.html @@ -203,12 +203,12 @@ No
- -
Description
+
Summary

Execute checkpolicy in the checkpolicy domain.

+
Parameters
- The type of the process performing this action. - +The type of the process performing this action. + No
@@ -245,12 +245,12 @@ No
- -
Description
+
Summary

Execute load_policy in the load_policy domain.

+
Parameters
Parameter:Description:Optional:
@@ -287,12 +287,12 @@ No
- -
Description
+
Summary

Execute newrole in the load_policy domain.

+
Parameters
Parameter:Description:Optional:
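Review bot: The unchanged summary in this hunk reads "Execute newrole in the load_policy domain.", which contradicts the later entry in this file, "Execute newrole in the newrole domain, and allow the specified role the newrole domain". It looks copied from the load_policy entry just above. A wrong target domain in the documentation for a domain transition is worth fixing in the interface source as part of this release update, not just relabelling the heading from Description to Summary.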
@@ -329,12 +329,12 @@ No
- -
Description
+
Summary

Execute restorecon in the restorecon domain.

+
Parameters
Parameter:Description:Optional:
@@ -371,12 +371,12 @@ No
- -
Description
+
Summary

Execute run_init in the run_init domain.

+
Parameters
Parameter:Description:Optional:
@@ -413,12 +413,12 @@ No
- -
Description
+
Summary

Execute setfiles in the setfiles domain.

+
Parameters
Parameter:Description:Optional:
@@ -498,13 +498,13 @@ No
- -
Description
+
Summary

Do not audit the caller attempts to send a signal to newrole.

+
Parameters
Parameter:Description:Optional:
@@ -1087,12 +1087,12 @@ No
- -
Description
+
Summary

Allow the caller to relabel a file to the binary policy type.

+
Parameters
Parameter:Description:Optional:
@@ -1145,8 +1145,7 @@ No
- -
Description
+
Summary

Execute checkpolicy in the checkpolicy domain, and allow the specified role the checkpolicy domain, @@ -1154,6 +1153,7 @@ and use the caller's terminal. Has a SIGCHLD signal backchannel.

+
Parameters
Parameter:Description:Optional:
@@ -1226,8 +1226,7 @@ No
- -
Description
+
Summary

Execute load_policy in the load_policy domain, and allow the specified role the load_policy domain, @@ -1235,6 +1234,7 @@ and use the caller's terminal. Has a SIGCHLD signal backchannel.

+
Parameters
Parameter:Description:Optional:
@@ -1307,14 +1307,14 @@ No
- -
Description
+
Summary

Execute newrole in the newrole domain, and allow the specified role the newrole domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
@@ -1387,14 +1387,14 @@ No
- -
Description
+
Summary

Execute restorecon in the restorecon domain, and allow the specified role the restorecon domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
@@ -1467,14 +1467,14 @@ No
- -
Description
+
Summary

Execute run_init in the run_init domain, and allow the specified role the run_init domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
@@ -1547,14 +1547,14 @@ No
- -
Description
+
Summary

Execute setfiles in the setfiles domain, and allow the specified role the setfiles domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_sysnetwork.html b/www/api-docs/system_sysnetwork.html index d2522d7..4159358 100644 --- a/www/api-docs/system_sysnetwork.html +++ b/www/api-docs/system_sysnetwork.html @@ -143,6 +143,49 @@

Interfaces:

+ +
+ + +
+ +sysnet_create_config( + + + + + domain + + + )
+
+
+ +
Summary
+

+Create files in /etc with the type used for +the network config files. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+ +
@@ -161,11 +204,11 @@
- -
Description
+
Summary

- Execute dhcp client in dhcpc domain. -

+Execute dhcp client in dhcpc domain. +

+
Parameters
@@ -175,8 +218,8 @@ domain @@ -203,12 +246,12 @@ No
- -
Description
+
Summary

Execute ifconfig in the ifconfig domain.

+
Parameters
- The type of the process performing this action. - + The type of the process performing this action. + No
@@ -471,14 +514,14 @@ No
- -
Description
+
Summary

Execute ifconfig in the ifconfig domain, and allow the specified role the ifconfig domain, and use the caller's terminal.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_unconfined.html b/www/api-docs/system_unconfined.html index 78263a3..629b3e2 100644 --- a/www/api-docs/system_unconfined.html +++ b/www/api-docs/system_unconfined.html @@ -319,12 +319,12 @@ No
- -
Description
+
Summary

Execute specified programs in the unconfined domain.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/system_userdomain.html b/www/api-docs/system_userdomain.html index 8644d40..726460b 100644 --- a/www/api-docs/system_userdomain.html +++ b/www/api-docs/system_userdomain.html @@ -146,13 +146,13 @@

Interfaces:

- +
-userdom_dontaudit_search_all_users_home( +userdom_create_user_home( @@ -160,13 +160,26 @@ domain + + , + + + + [ + + object_class + + ] + + )
Summary

-Do not audit attempts to search all users home directories. +Create objects in generic user home directories +with automatic file type transition.

@@ -178,23 +191,34 @@ Do not audit attempts to search all users home directories. domain
+ +
Parameter:Description:Optional:
-Domain to not audit. +Domain allowed access. No
+object_class + + +The class of the object to be created. +If not specified, file is used. + + +yes +
- +
-userdom_dontaudit_search_staff_home_dir( +userdom_create_user_home_dir( @@ -208,8 +232,8 @@ No
Summary

-Do not audit attempts to search the staff -users home directory. +Create generic user home directories +with automatic file type transition.

@@ -221,7 +245,7 @@ users home directory. domain
-Domain to not audit. +Domain allowed access. No @@ -231,13 +255,13 @@ No - +
-userdom_dontaudit_search_sysadm_home_dir( +userdom_dontaudit_search_all_users_home( @@ -251,8 +275,7 @@ No
Summary

-Do not audit attempts to search the sysadm -users home directory. +Do not audit attempts to search all users home directories.

@@ -274,13 +297,13 @@ No
- +
-userdom_dontaudit_use_sysadm_terms( +userdom_dontaudit_search_staff_home_dir( @@ -294,7 +317,8 @@ No
Summary

-Do not audit attempts to use sysadm ttys and ptys. +Do not audit attempts to search the staff +users home directory.

@@ -316,13 +340,13 @@ No
- +
-userdom_dontaudit_use_sysadm_tty( +userdom_dontaudit_search_sysadm_home_dir( @@ -336,7 +360,8 @@ No
Summary

-Do not audit attempts to use sysadm ttys. +Do not audit attempts to search the sysadm +users home directory.

@@ -358,13 +383,13 @@ No
- +
-userdom_dontaudit_use_unpriv_user_fd( +userdom_dontaudit_use_sysadm_terms( @@ -378,8 +403,7 @@ No
Summary

-Do not audit attempts to inherit the -file descriptors from all user domains. +Do not audit attempts to use sysadm ttys and ptys.

@@ -391,7 +415,7 @@ file descriptors from all user domains. domain
-The type of the process performing this action. +Domain to not audit. No @@ -401,13 +425,13 @@ No - +
-userdom_dontaudit_use_unpriv_user_tty( +userdom_dontaudit_use_sysadm_tty( @@ -421,8 +445,7 @@ No
Summary

-Do not audit attempts to use unprivileged -user ttys. +Do not audit attempts to use sysadm ttys.

@@ -434,7 +457,7 @@ user ttys. domain
-The type of the process performing this action. +Domain to not audit. No @@ -444,13 +467,13 @@ No - +
-userdom_read_all_user_files( +userdom_dontaudit_use_unpriv_user_fd( @@ -464,7 +487,8 @@ No
Summary

-Read all files in all users home directories. +Do not audit attempts to inherit the +file descriptors from all user domains.

@@ -486,13 +510,13 @@ No
- +
-userdom_read_staff_home_files( +userdom_dontaudit_use_unpriv_user_tty( @@ -506,7 +530,8 @@ No
Summary

-Read files in the staff users home directory. +Do not audit attempts to use unprivileged +user ttys.

@@ -528,13 +553,13 @@ No
- +
-userdom_read_sysadm_home_files( +userdom_manage_user_home_dir( @@ -548,7 +573,8 @@ No
Summary

-Read files in the sysadm users home directory. +Create, read, write, and delete +generic user home directories.

@@ -560,7 +586,7 @@ Read files in the sysadm users home directory. domain
-The type of the process performing this action. +Domain allowed access. No @@ -570,13 +596,13 @@ No - +
-userdom_rw_sysadm_pipe( +userdom_manage_user_home_dirs( @@ -590,7 +616,9 @@ No
Summary

-Read and write sysadm user unnamed pipes. +Create, read, write, and delete +subdirectories of generic user +home directories.

@@ -602,7 +630,7 @@ Read and write sysadm user unnamed pipes. domain
-The type of the process performing this action. +Domain allowed access. No @@ -612,13 +640,13 @@ No - +
-userdom_search_all_users_home( +userdom_manage_user_home_files( @@ -632,7 +660,8 @@ No
Summary

-Search all users home directories. +Create, read, write, and delete files +in generic user home directories.

@@ -644,7 +673,7 @@ Search all users home directories. domain
-The type of the process performing this action. +Domain allowed access. No @@ -654,13 +683,13 @@ No - +
-userdom_search_staff_home_dir( +userdom_manage_user_home_pipes( @@ -674,7 +703,8 @@ No
Summary

-Search the staff users home directory. +Create, read, write, and delete named +pipes in generic user home directories.

@@ -686,7 +716,7 @@ Search the staff users home directory. domain
-Domain to not audit. +Domain allowed access. No @@ -696,13 +726,13 @@ No - +
-userdom_search_sysadm_home_dir( +userdom_manage_user_home_sockets( @@ -716,7 +746,8 @@ No
Summary

-Search the sysadm users home directory. +Create, read, write, and delete named +sockets in generic user home directories.

@@ -728,7 +759,7 @@ Search the sysadm users home directory. domain
-Domain to not audit. +Domain allowed access. No @@ -738,13 +769,13 @@ No - +
-userdom_shell_domtrans_sysadm( +userdom_manage_user_home_symlinks( @@ -758,7 +789,8 @@ No
Summary

-Execute a shell in the sysadm domain. +Create, read, write, and delete symbolic +links in generic user home directories.

@@ -770,7 +802,7 @@ Execute a shell in the sysadm domain. domain
-The type of the process performing this action. +Domain allowed access. No @@ -780,13 +812,13 @@ No - +
-userdom_signal_all_users( +userdom_read_all_user_files( @@ -800,7 +832,7 @@ No
Summary

-Send general signals to all user domains. +Read all files in all users home directories.

@@ -822,13 +854,13 @@ No
- +
-userdom_signal_unpriv_users( +userdom_read_staff_home_files( @@ -842,7 +874,7 @@ No
Summary

-Send general signals to unprivileged user domains. +Read files in the staff users home directory.

@@ -864,13 +896,13 @@ No
- +
-userdom_spec_domtrans_all_users( +userdom_read_sysadm_home_files( @@ -884,9 +916,7 @@ No
Summary

-Execute a shell in all user domains. This -is an explicit transition, requiring the -caller to use setexeccon(). +Read files in the sysadm users home directory.

@@ -908,13 +938,13 @@ No
- +
-userdom_spec_domtrans_unpriv_users( +userdom_rw_sysadm_pipe( @@ -928,9 +958,7 @@ No
Summary

-Execute a shell in all unprivileged user domains. This -is an explicit transition, requiring the -caller to use setexeccon(). +Read and write sysadm user unnamed pipes.

@@ -952,13 +980,13 @@ No
- +
-userdom_unconfined( +userdom_search_all_users_home( @@ -972,7 +1000,7 @@ No
Summary

-Unconfined access to user domains. +Search all users home directories.

@@ -984,7 +1012,7 @@ Unconfined access to user domains. domain
-Domain allowed access. +The type of the process performing this action. No @@ -994,13 +1022,13 @@ No - +
-userdom_use_all_user_fd( +userdom_search_staff_home_dir( @@ -1014,7 +1042,7 @@ No
Summary

-Inherit the file descriptors from all user domains +Search the staff users home directory.

@@ -1026,7 +1054,7 @@ Inherit the file descriptors from all user domains domain
-The type of the process performing this action. +Domain to not audit. No @@ -1036,13 +1064,13 @@ No - +
-userdom_use_sysadm_fd( +userdom_search_sysadm_home_dir( @@ -1056,7 +1084,7 @@ No
Summary

-Inherit and use sysadm file descriptors +Search the sysadm users home directory.

@@ -1068,7 +1096,7 @@ Inherit and use sysadm file descriptors domain
-The type of the process performing this action. +Domain to not audit. No @@ -1078,13 +1106,13 @@ No - +
-userdom_use_sysadm_pty( +userdom_shell_domtrans_sysadm( @@ -1098,7 +1126,7 @@ No
Summary

-Read and write sysadm ptys. +Execute a shell in the sysadm domain.

@@ -1120,13 +1148,13 @@ No
- +
-userdom_use_sysadm_terms( +userdom_signal_all_users( @@ -1140,7 +1168,7 @@ No
Summary

-Read and write sysadm ttys and ptys. +Send general signals to all user domains.

@@ -1162,13 +1190,13 @@ No
- +
-userdom_use_sysadm_tty( +userdom_signal_unpriv_users( @@ -1182,7 +1210,7 @@ No
Summary

-Read and write sysadm ttys. +Send general signals to unprivileged user domains.

@@ -1204,13 +1232,13 @@ No
- +
-userdom_use_unpriv_users_fd( +userdom_spec_domtrans_all_users( @@ -1224,7 +1252,9 @@ No
Summary

-Inherit the file descriptors from unprivileged user domains. +Execute a shell in all user domains. This +is an explicit transition, requiring the +caller to use setexeccon().

@@ -1246,13 +1276,13 @@ No
- +
-userdom_write_unpriv_user_tmp( +userdom_spec_domtrans_unpriv_users( @@ -1266,7 +1296,9 @@ No
Summary

-Write all unprivileged users files in /tmp +Execute a shell in all unprivileged user domains. This +is an explicit transition, requiring the +caller to use setexeccon().

@@ -1288,25 +1320,18 @@ No
- -Return - - - -

Templates:

- - -
+ +
-admin_user_template( +userdom_unconfined( - userdomain_prefix + domain )
@@ -1315,43 +1340,19 @@ No
Summary

-The template for creating an administrative user. +Unconfined access to user domains.

-
Description
-

-

-This template creates a user domain, types, and -rules for the user's tty, pty, home directories, -tmp, and tmpfs files. -

-

-The privileges given to administrative users are: -

    -

  • Raw disk access

  • -

  • Set all sysctls

  • -

  • All kernel ring buffer controls

  • -

  • Set SELinux enforcement mode (enforcing/permissive)

  • -

  • Set SELinux booleans

  • -

  • Relabel all files but shadow

  • -

  • Create, read, write, and delete all files but shadow

  • -

  • Manage source and binary format SELinux policy

  • -

  • Run insmod

  • -

-

-

-
Parameters
+ + + + + loadable policy modules. Makefile support completed. @@ -166,10 +166,8 @@ are added to reference policy, it can be updated to be in line with current versions of the NSA example policy. For those who wish to contribute, here is a listing of modules which need to be converted:
    -
  • acct
  • arpwatch
  • automount
  • -
  • bind
  • bluetooth
  • cdrecord
  • comsat
  • @@ -178,16 +176,12 @@ is a listing of modules which need to be converted:
  • dovecot
  • fetchmail
  • fingerd
  • -
  • firstboot
  • ftpd
  • games
  • -
  • gpm
  • -
  • howl
  • inn
  • irqbalance
  • ktalkd
  • kudzu
  • -
  • loadkeys
  • lockdev
  • mrtg
  • ntpd
  • @@ -196,7 +190,6 @@ is a listing of modules which need to be converted:
  • postgresql
  • prelink
  • procmail
  • -
  • quota
  • radius
  • radvd
  • rlogin
  • @@ -211,12 +204,9 @@ is a listing of modules which need to be converted:
  • squid
  • stunnel
  • sysstat
  • -
  • tcpd
  • telnet
  • tftp
  • -
  • tmpreaper
  • uml
  • -
  • updfstab
  • userhelper
  • vpnc
  • zebra
  • @@ -225,7 +215,7 @@ is a listing of modules which need to be converted:

    A very minimal RedHat Enterprise Linux 4 system with the following RPMs has can be successfully booted in enforcing mode, and users can log in locally, -with Reference Policy: +with a strict Reference Policy:

    • libgcc-3.4.3-9.EL4
Parameter:Description:Optional:
-userdomain_prefix +domain -The prefix of the user domain (e.g., sysadm -is the prefix for sysadm_t). +Domain allowed access. No @@ -1361,18 +1362,18 @@ No - -
+ +
-base_user_template( +userdom_use_all_user_fd( - userdomain_prefix + domain )
@@ -1381,22 +1382,799 @@ No
Summary

-The template containing rules common to unprivileged -users and administrative users. +Inherit the file descriptors from all user domains

-
Description
-

-

-This template creates a user domain, types, and -rules for the user's tty, pty, home directories, +

Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_use_sysadm_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit and use sysadm file descriptors +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_use_sysadm_pty( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write sysadm ptys. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_use_sysadm_terms( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write sysadm ttys and ptys. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_use_sysadm_tty( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write sysadm ttys. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_use_unpriv_users_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit the file descriptors from unprivileged user domains. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +
+ + +
+ +userdom_write_unpriv_user_tmp( + + + + + domain + + + )
+
+
+ +
Summary
+

+Write all unprivileged users files in /tmp +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ + +Return + + + +

Templates:

+ + +
+ + +
+ +admin_user_template( + + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+The template for creating an administrative user. +

+ + +
Description
+

+

+This template creates a user domain, types, and +rules for the user's tty, pty, home directories, +tmp, and tmpfs files. +

+

+The privileges given to administrative users are: +

    +

  • Raw disk access

  • +

  • Set all sysctls

  • +

  • All kernel ring buffer controls

  • +

  • Set SELinux enforcement mode (enforcing/permissive)

  • +

  • Set SELinux booleans

  • +

  • Relabel all files but shadow

  • +

  • Create, read, write, and delete all files but shadow

  • +

  • Manage source and binary format SELinux policy

  • +

  • Run insmod

  • +

+

+

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., sysadm +is the prefix for sysadm_t). + + +No +
+
+
+ + +
+ + +
+ +base_user_template( + + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+The template containing rules common to unprivileged +users and administrative users. +

+ + +
Description
+

+

+This template creates a user domain, types, and +rules for the user's tty, pty, home directories, +tmp, and tmpfs files. +

+

+This generally should not be used, rather the +unpriv_user_template or admin_user_template should +be used. +

+

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +unpriv_user_template( + + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+The template for creating a unprivileged user. +

+ + +
Description
+

+

+This template creates a user domain, types, and +rules for the user's tty, pty, home directories, tmp, and tmpfs files.

+

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_exec_user_home_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Execute user home files. +

+ + +
Description
+

+

+Execute user home files. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_home_subdir_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete files +in a user home subdirectory. +

+ + +
Description
+

+

+Create, read, write, and delete files +in a user home subdirectory. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_home_subdir_symlinks( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete symbolic links +in a user home subdirectory. +

+ + +
Description
+

+

+Create, read, write, and delete symbolic links +in a user home subdirectory. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_tmp_dirs( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete user +temporary directories. +

+ + +
Description
+

+

+Create, read, write, and delete user +temporary directories. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_tmp_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete user +temporary files. +

+ + +
Description
+

+

+Create, read, write, and delete user +temporary files.

-This generally should not be used, rather the -unpriv_user_template or admin_user_template should -be used. +

+This is a templated interface, and should only +be called from a per-userdomain template.
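Review bot: In the unpriv_user_template block the Summary reads "The template for creating a unprivileged user."; it should be "an unprivileged user". The Description added for unpriv_user_template is also word for word the one given for base_user_template ("This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files."). The page therefore never says what the unprivileged template adds or withholds relative to the base one, although base_user_template tells readers to use unpriv_user_template or admin_user_template instead. Suggest one sentence in the unpriv_user_template Description stating that difference.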

@@ -1405,6 +2183,16 @@ be used.
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
userdomain_prefix @@ -1419,15 +2207,23 @@ No - +
-unpriv_user_template( +userdom_manage_user_tmp_pipes( + + + + + domain + + , + userdomain_prefix @@ -1439,16 +2235,240 @@ No
Summary

-The template for creating a unprivileged user. +Create, read, write, and delete user +temporary named pipes.

Description

-This template creates a user domain, types, and -rules for the user's tty, pty, home directories, -tmp, and tmpfs files. +Create, read, write, and delete user +temporary named pipes. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_tmp_sockets( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete user +temporary named sockets. +

+ + +
Description
+

+

+Create, read, write, and delete user +temporary named sockets. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_manage_user_tmp_symlinks( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Create, read, write, and delete user +temporary symbolic links. +

+ + +
Description
+

+

+Create, read, write, and delete user +temporary symbolic links. +

+

+This is a templated interface, and should only +be called from a per-userdomain template. +

+

+ +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+userdomain_prefix + + +The prefix of the user domain (e.g., user +is the prefix for user_t). + + +No +
+
+
+ + +
+ + +
+ +userdom_use_user_terminals( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+
+ +
Summary
+

+Read and write a user domain tty and pty. +

+ + +
Description
+

+

+Read and write a user domain tty and pty. +

+

+This is a templated interface, and should only +be called from a per-userdomain template.
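Review bot: For every interface documented in this hunk (userdom_manage_user_tmp_pipes, userdom_manage_user_tmp_sockets, userdom_manage_user_tmp_symlinks, userdom_use_user_terminals) the first Description paragraph repeats the Summary verbatim; "Read and write a user domain tty and pty." appears twice in a row, for example. The only information the Description adds is the note that the interface is templated and must be called from a per-userdomain template. Suggest dropping the duplicated paragraph, or using it to say which objects are covered, so that a policy writer can judge how much access the "manage" interfaces hand to the calling domain.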

@@ -1457,6 +2477,16 @@ tmp, and tmpfs files.
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
userdomain_prefix diff --git a/www/api-docs/templates.html b/www/api-docs/templates.html index 8188d2a..f339629 100644 --- a/www/api-docs/templates.html +++ b/www/api-docs/templates.html @@ -13,21 +13,42 @@ admin
+    -  + acct
+    -  consoletype
   -  dmesg
+    -  + firstboot
+    -  logrotate
   -  netutils
+    -  + quota
+    -  rpm
+    -  + su
+ +    -  + sudo
+ +    -  + tmpreaper
+ +    -  + updfstab
+    -  usermanage
@@ -40,6 +61,9 @@    -  gpg
+    -  + loadkeys
+
+  @@ -76,33 +100,60 @@ services
+    -  + bind
+    -  cron
+    -  + gpm
+ +    -  + howl
+    -  inetd
   -  kerberos
+    -  + ldap
+    -  mta
+    -  + mysql
+    -  nis
   -  nscd
+    -  + privoxy
+    -  remotelogin
+    -  + rshd
+ +    -  + rsync
+    -  sendmail
   -  ssh
+    -  + tcpd
+
+  @@ -232,6 +283,41 @@ The template for creating an administrative user.
+Module: +authlogin

+Layer: +system

+

+ +auth_domtrans_user_chk_passwd( + + + + + userdomain_prefix + + + + , + + + + domain + + + )
+
+ +
+

+Run unix_chkpwd to check a password +for a user domain. +

+
+ +
+ +
+Module: +su

+Layer: +admin

+

+ +su_per_userdomain_template( + + + + + userdomain_prefix + + + )
+
+ +
+

+The per user domain template for the su module. +

+
+ +
+ +
+Module: +sudo

+Layer: +admin

+

+ +sudo_per_userdomain_template( + + + + + userdomain_prefix + + + )
+
+ +
+

+The per user domain template for the sudo module. +

+
+ +
+ + +
+Module: +userdomain

+Layer: +system

+

+ +userdom_exec_user_home_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Execute user home files. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_subdir_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete files +in a user home subdirectory. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_home_subdir_symlinks( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete symbolic links +in a user home subdirectory. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_tmp_dirs( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete user +temporary directories. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_tmp_files( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete user +temporary files. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_tmp_pipes( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete user +temporary named pipes. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_tmp_sockets( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete user +temporary named sockets. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_manage_user_tmp_symlinks( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Create, read, write, and delete user +temporary symbolic links. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ +userdom_use_user_terminals( + + + + + domain + + + + , + + + + userdomain_prefix + + + )
+
+ +
+

+Read and write a user domain tty and pty. +

+
+ +
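Review bot: The argument order is not consistent across the templated interfaces listed in this hunk. auth_domtrans_user_chk_passwd is shown as (userdomain_prefix, domain), while every userdom_* entry below it is shown as (domain, userdomain_prefix). With two positional arguments of the same kind, a swapped call is easy to write and hard to spot in review. Suggest settling on one order for templated interfaces. If the auth interface cannot change in this release, the index entry should at least carry the parameter descriptions, since only the signature and summary are shown here.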
+ diff --git a/www/html/index.html b/www/html/index.html index 008dae5..3250d59 100644 --- a/www/html/index.html +++ b/www/html/index.html @@ -1,32 +1,87 @@

Project Overview

-The SELinux Reference Policy project (refpolicy) is creating a complete SELinux policy as an alternative to the existing strict and targeted policies available from http://selinux.sf.net. Once complete, this policy will be able to be used as the system policy for a variety of systems and used as the basis for creating other policies. Refpolicy is based on the current strict and targeted policies, but aims to accomplish many additional goals. +The SELinux Reference Policy project (refpolicy) is creating a complete SELinux +policy as an alternative to the existing strict and targeted policies available +from http://selinux.sf.net. Once complete, +this policy will be able to be used as the system policy for a variety of +systems and used as the basis for creating other policies. Refpolicy is based on +the current strict and targeted policies, but aims to accomplish many additional +goals.


-Refpolicy is under active development, with support and full time development staff from Tresys Technology. The first release is available from the download page. This release is far from complete and is not usable as a drop in replacement for the existing policies. It is for interested policy developers and community members to examine and comment upon. The status page has more details on what is included in the current release. This project is just getting started and we are looking for policy developers interested in contributing. +Refpolicy is under active development, with support and full time development +staff from Tresys Technology. The +first release is available from the download +page. This release is far from complete and is not usable as a drop in +replacement for the existing policies. It is for interested policy developers +and community members to examine and comment upon. The +status page has more details on what is +included in the current release. This project is just getting started and we are +looking for policy developers interested in contributing.


Project Goals

Security

-

Security is the reason for existence for SELinux policies and must, therefore, always be the first priority. The common view of security as a binary state (secure or not secure) is not a sufficient goal for developing an SELinux policy. In reality, different systems have different requirements and purposes and corresponding differences in the meaning of secure. What is a fundamental security flaw on one system might be the acceptable, or even the primary functionality, of another. The challenge for a system policies like the current strict and targeted policy or refpolicy is to support as many of these differring security goals as is practical. To accomplish this refpolicy will provide: +

Security is the reason for existence for SELinux policies and must, +therefore, always be the first priority. The common view of security as a binary +state (secure or not secure) is not a sufficient goal for developing an SELinux +policy. In reality, different systems have different requirements and purposes +and corresponding differences in the meaning of secure. What is a fundamental +security flaw on one system might be the acceptable, or even the primary +functionality, of another. The challenge for a system policies like the current +strict and targeted policy or refpolicy is to support as many of these differring +security goals as is practical. To accomplish this refpolicy will provide:

    -
  • Security Goals: clearly stated security goals will for each component of the policy. This will allow policy developers to determine if a given component meets their security needs.
  • -
  • Flexible Base Policy: a base policy that protects the basic operating system and serves as a foundation to the rest of the policy. This base policy should be able to support a variety of application policies with differing security goals.
  • -
  • Application Policy Variations: application policy variations that make different security tradeoffs. For example, two Apache policies might be created. One that is for serving read-only, static content that is severely restricted and another that is appropriate for dynamic content.
  • -
  • Configuration Tools: configuration tools that allow the policy developer to make important security decisions including defining roles, configuring networking, and trading legacy compatibility for increased security.
  • -
  • Multi-Level Security: MLS will be supported out-of-the-box without requiring destructive changes to the policy. It will be possible to compile and MLS and non-MLS policy from the same policy files by switching a configuration option.
  • +
  • Security Goals: clearly stated security goals will for each + component of the policy. This will allow policy developers to + determine if a given component meets their security needs. +
  • +
  • Flexible Base Policy: a base policy that protects the basic + operating system and serves as a foundation to the rest of the + policy. This base policy should be able to support a variety of + application policies with differing security goals. +
  • +
  • Application Policy Variations: application policy variations + that make different security tradeoffs. For example, two Apache + policies might be created. One that is for serving read-only, + static content that is severely restricted and another that is + appropriate for dynamic content. +
  • +
  • Configuration Tools: configuration tools that allow the + policy developer to make important security decisions including + defining roles, configuring networking, and trading legacy + compatibility for increased security. +
  • +
  • Multi-Level Security: MLS will be supported out-of-the-box + without requiring destructive changes to the policy. It will be + possible to compile and MLS and non-MLS policy from the same + policy files by switching a configuration option. +

Usability and Documentation

-The difficulty and complexity of creating SELinux policies has become the number one barrier to the adoption of SELinux. It also potentially reduces the security of the policies: a policy that is too complex to easily understand is difficult to make secure. Refpolicy aims to make aggressive improvements in this area, making policies easier to develop, understand, and analyze. This will be addressed through improved structuring and organization, the addition of modularity and abstraction, and documentation. See getting started and documentation for more information. +The difficulty and complexity of creating SELinux policies has become the number +one barrier to the adoption of SELinux. It also potentially reduces the security +of the policies: a policy that is too complex to easily understand is difficult +to make secure. Refpolicy aims to make aggressive improvements in this area, +making policies easier to develop, understand, and analyze. This will be +addressed through improved structuring and organization, the addition of +modularity and abstraction, and documentation. See +getting started and +documentation for more information.

Flexibility and Configuration

-Refpolicy aims to support a variety of policy configurations and formats, including standard source policies, MLS policies, and -loadable policy modules all from the same source tree. This is done through the addition of infrastructure for automatically handling the differences between source and loadable module based policies and the additional MLS fields to all policy statements that include contexts. +Refpolicy aims to support a variety of policy configurations and formats, +including standard source policies, MLS policies, and +loadable policy modules +all from the same source tree. This is done through the addition of +infrastructure for automatically handling the differences between source and +loadable module based policies and the additional MLS fields to all policy +statements that include contexts.
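Review bot: The Security section is re-wrapped in this hunk, but the wording errors of the removed lines are carried unchanged into the added ones. "clearly stated security goals will for each component" is missing its verb, "The challenge for a system policies" mixes singular and plural, and "compile and MLS and non-MLS policy" should read "compile an MLS and a non-MLS policy"; "differring" is also misspelled. Every line of these paragraphs is already touched by the re-wrap, so the fixes can go in the same change without widening the diff.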

diff --git a/www/html/status.html b/www/html/status.html index d847325..e82f7e2 100644 --- a/www/html/status.html +++ b/www/html/status.html @@ -1,5 +1,5 @@

Status

-Current Version: 20050802 +Current Version: 20050826

See download for download information. Details of this release are part of the changelog. This release @@ -34,7 +34,7 @@

Loadable Policy Modules Major improvements Infrastructure is in place to support both source policy and - loadable policy modules. Makefile support planned.
Documentation Infrastructure