diff --git a/www/api-docs/admin_consoletype.html b/www/api-docs/admin_consoletype.html index 37a4b2d..8e96522 100644 --- a/www/api-docs/admin_consoletype.html +++ b/www/api-docs/admin_consoletype.html @@ -72,9 +72,10 @@

Description:

-

+

Determine of the console connected to the controlling terminal. -

+

+ diff --git a/www/api-docs/admin_dmesg.html b/www/api-docs/admin_dmesg.html index 0d4fb90..45c45d7 100644 --- a/www/api-docs/admin_dmesg.html +++ b/www/api-docs/admin_dmesg.html @@ -72,7 +72,8 @@

Description:

-

Policy for dmesg.

+

Policy for dmesg.

+ diff --git a/www/api-docs/admin_logrotate.html b/www/api-docs/admin_logrotate.html index d05e732..4554745 100644 --- a/www/api-docs/admin_logrotate.html +++ b/www/api-docs/admin_logrotate.html @@ -72,7 +72,8 @@

Description:

-

Rotate and archive system logs

+

Rotate and archive system logs

+ diff --git a/www/api-docs/admin_netutils.html b/www/api-docs/admin_netutils.html index 7beb0fd..5c42b38 100644 --- a/www/api-docs/admin_netutils.html +++ b/www/api-docs/admin_netutils.html @@ -72,7 +72,8 @@

Description:

-

Network analysis utilities

+

Network analysis utilities

+ diff --git a/www/api-docs/admin_rpm.html b/www/api-docs/admin_rpm.html index ed15c7c..285109b 100644 --- a/www/api-docs/admin_rpm.html +++ b/www/api-docs/admin_rpm.html @@ -72,7 +72,8 @@

Description:

-

Policy for the RPM package manager.

+

Policy for the RPM package manager.

+ diff --git a/www/api-docs/admin_usermanage.html b/www/api-docs/admin_usermanage.html index 6453b11..a2b5a9a 100644 --- a/www/api-docs/admin_usermanage.html +++ b/www/api-docs/admin_usermanage.html @@ -72,7 +72,8 @@

Description:

-

Policy for managing user accounts.

+

Policy for managing user accounts.

+ diff --git a/www/api-docs/apps_gpg.html b/www/api-docs/apps_gpg.html index c354b75..47cd6fc 100644 --- a/www/api-docs/apps_gpg.html +++ b/www/api-docs/apps_gpg.html @@ -55,7 +55,8 @@

Description:

-

Policy for GNU Privacy Guard and related programs.

+

Policy for GNU Privacy Guard and related programs.

+ diff --git a/www/api-docs/index.html b/www/api-docs/index.html index 60256bc..76f05aa 100644 --- a/www/api-docs/index.html +++ b/www/api-docs/index.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -275,8 +278,7 @@ Device nodes and interfaces for many basic system devices. kernel

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. +Policy for kernel threads, proc filesystem,and unlabeled processes and objects.

@@ -467,6 +469,11 @@ connection and disconnection of devices at runtime.

Policy for udev.

+ + unconfined +

The unconfined domain.

+ + userdomain

Policy for user domains

diff --git a/www/api-docs/interfaces.html b/www/api-docs/interfaces.html index aee2de3..38cd537 100644 --- a/www/api-docs/interfaces.html +++ b/www/api-docs/interfaces.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -11105,6 +11108,32 @@ Layer: kernel

+corenet_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to network objects. +

+
+ + + +
+Module: +corenetwork

+Layer: +kernel

+

+ corenet_use_tun_tap_device( @@ -13744,6 +13773,32 @@ Layer: kernel

+dev_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to devices. +

+
+ +
+ +
+Module: +devices

+Layer: +kernel

+

+ dev_write_framebuffer( @@ -14582,6 +14637,32 @@ Layer: system

+domain_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to domains. +

+
+ +
+ +
+Module: +domain

+Layer: +system

+

+ domain_use_wide_inherit_fd( @@ -14686,6 +14767,40 @@ Layer: system

+files_create_home_dirs( + + + + + domain + + + + , + + + + home_type + + + )
+
+ +
+

+Create home directories +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ files_create_lock( @@ -16613,6 +16728,32 @@ Layer: system

+files_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to files. +

+
+ +
+ +
+Module: +files

+Layer: +system

+

+ files_unmount_all_file_type_fs( @@ -18204,6 +18345,32 @@ Layer: kernel

+fs_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to filesystems +

+
+ +
+ +
+Module: +filesystem

+Layer: +kernel

+

+ fs_unmount_all_fs( @@ -19007,7 +19174,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19015,7 +19190,8 @@ system

-Summary is missing! +Create a domain for long running processes +(daemons) which can be started by init scripts.

@@ -19033,7 +19209,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19041,7 +19225,7 @@ system

-Summary is missing! +Create a domain which can be started by init.

@@ -19444,6 +19628,42 @@ Layer: system

+init_run_daemon( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+ +
+ +
+Module: +init

+Layer: +system

+

+ init_rw_script_pid( @@ -19553,7 +19773,15 @@ system

- ? + domain + + + + , + + + + entry_point )
@@ -19561,7 +19789,8 @@ system

-Summary is missing! +Create a domain for short running processes +which can be started by init scripts.

@@ -20876,6 +21105,32 @@ Layer: kernel

+kernel_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to the kernel. +

+
+ +
+ +
+Module: +kernel

+Layer: +kernel

+

+ kernel_use_fd( @@ -22553,7 +22808,15 @@ services

- ? + domain + + + + , + + + + entry_point )
@@ -22561,7 +22824,8 @@ services

-Summary is missing! +Modified mailserver interface for +sendmail daemon use.

@@ -23341,7 +23605,7 @@ Layer: kernel

-selinux_validate_context( +selinux_unconfined( @@ -23355,10 +23619,30 @@ kernel

-Module: -sendmail

-Layer: -services

+Module: +selinux

+Layer: +kernel

+

+ +selinux_validate_context( + + + + + domain + + + )
+
+ +
+ +
+Module: +sendmail

+Layer: +services

sendmail_domtrans( @@ -24260,6 +24544,12 @@ kernel

)

+
+

+Create block devices in /dev with the fixed disk type. +

+
+
@@ -24280,6 +24570,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to get +the attributes of fixed disk device nodes. +

+
+
@@ -24300,6 +24597,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to get +the attributes of removable devices device nodes. +

+
+
@@ -24320,6 +24624,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to set +the attributes of fixed disk device nodes. +

+
+
@@ -24340,6 +24651,13 @@ kernel

)

+
+

+Do not audit attempts made by the caller to set +the attributes of removable devices device nodes. +

+
+
@@ -24360,6 +24678,13 @@ kernel

)

+
+

+Allow the caller to get the attributes of fixed disk +device nodes. +

+
+
@@ -24380,6 +24705,13 @@ kernel

)

+
+

+Allow the caller to get the attributes of removable +devices device nodes. +

+
+
@@ -24400,6 +24732,13 @@ kernel

)

+
+

+Allow the caller to get the attributes of +the generic SCSI interface device nodes. +

+
+
@@ -24420,6 +24759,13 @@ kernel

)

+
+

+Get attributes of the device nodes +for the SCSI generic inerface. +

+
+
@@ -24440,6 +24786,13 @@ kernel

)

+
+

+Allow the caller to get the attributes +of device nodes of tape devices. +

+
+
@@ -24486,6 +24839,15 @@ kernel

)

+
+

+Allow the caller to directly read from a fixed disk. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24506,6 +24868,15 @@ kernel

)

+
+

+Allow the caller to directly read from a logical volume. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24526,6 +24897,16 @@ kernel

)

+
+

+Allow the caller to directly read from +a removable device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24546,6 +24927,15 @@ kernel

)

+
+

+Allow the caller to directly write to a fixed disk. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24566,6 +24956,15 @@ kernel

)

+
+

+Allow the caller to directly read from a logical volume. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24586,6 +24985,16 @@ kernel

)

+
+

+Allow the caller to directly write to +a removable device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24606,6 +25015,16 @@ kernel

)

+
+

+Allow the caller to directly read, in a +generic fashion, from any SCSI device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24626,6 +25045,13 @@ kernel

)

+
+

+Allow the caller to directly read +a tape device. +

+
+
@@ -24672,6 +25098,13 @@ kernel

)

+
+

+Set attributes of the device nodes +for the SCSI generic inerface. +

+
+
@@ -24692,6 +25125,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of fixed disk +device nodes. +

+
+
@@ -24712,6 +25152,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of removable +devices device nodes. +

+
+
@@ -24732,6 +25179,13 @@ kernel

)

+
+

+Allow the caller to set the attributes of +the generic SCSI interface device nodes. +

+
+
@@ -24752,6 +25206,13 @@ kernel

)

+
+

+Allow the caller to set the attributes +of device nodes of tape devices. +

+
+
@@ -24787,6 +25248,32 @@ Layer: kernel

+storage_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to storage devices. +

+
+ +
+ +
+Module: +storage

+Layer: +kernel

+

+ storage_write_scsi_generic( @@ -24798,6 +25285,16 @@ kernel

)

+
+

+Allow the caller to directly write, in a +generic fashion, from any SCSI device. +This is extremly dangerous as it can bypass the +SELinux protections for filesystem objects, and +should only be used by trusted domains. +

+
+
@@ -24818,6 +25315,13 @@ kernel

)

+
+

+Allow the caller to directly read +a tape device. +

+
+
@@ -25887,6 +26391,136 @@ system

+Module: +unconfined

+Layer: +system

+

+ +unconfined_domtrans_shell( + + + + + domain + + + )
+
+ +
+

+Transition to the unconfined domain by executing a shell. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_role( + + + + + domain + + + )
+
+ +
+

+Add the unconfined domain to the specified role. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_rw_pipe( + + + + + domain + + + )
+
+ +
+

+Read and write unconfined domain unnamed pipes. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_sigchld( + + + + + domain + + + )
+
+ +
+

+Send a SIGCHLD signal to the unconfined domain. +

+
+ +
+ +
+Module: +unconfined

+Layer: +system

+

+ +unconfined_use_fd( + + + + + domain + + + )
+
+ +
+

+Inherit file descriptors from the unconfined domain. +

+
+ +
+ +
Module: userdomain

Layer: @@ -26237,6 +26871,32 @@ Layer: system

+userdom_unconfined( + + + + + domain + + + )
+
+ +
+

+Unconfined access to user domains. +

+
+ +
+ +
+Module: +userdomain

+Layer: +system

+

+ userdom_use_all_user_fd( diff --git a/www/api-docs/kernel.html b/www/api-docs/kernel.html index 2a28af8..bac7cf2 100644 --- a/www/api-docs/kernel.html +++ b/www/api-docs/kernel.html @@ -109,8 +109,7 @@ Device nodes and interfaces for many basic system devices. kernel

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. +Policy for kernel threads, proc filesystem,and unlabeled processes and objects.

diff --git a/www/api-docs/kernel_bootloader.html b/www/api-docs/kernel_bootloader.html index f85589c..1eb1921 100644 --- a/www/api-docs/kernel_bootloader.html +++ b/www/api-docs/kernel_bootloader.html @@ -78,7 +78,8 @@

Description:

-

Policy for the kernel modules, kernel image, and bootloader.

+

Policy for the kernel modules, kernel image, and bootloader.

+ diff --git a/www/api-docs/kernel_corenetwork.html b/www/api-docs/kernel_corenetwork.html index aac2e08..94444ca 100644 --- a/www/api-docs/kernel_corenetwork.html +++ b/www/api-docs/kernel_corenetwork.html @@ -78,7 +78,10 @@

Description:

-

Policy controlling access to network objects

+

Policy controlling access to network objects

+ + +

This module is required to be included in all policies.

@@ -18293,6 +18296,47 @@ No
+corenet_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to network objects. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +The domain allowed access. + + +No +
+
+
+ +
+ + +
+ corenet_use_tun_tap_device( diff --git a/www/api-docs/kernel_devices.html b/www/api-docs/kernel_devices.html index c899619..120e3ba 100644 --- a/www/api-docs/kernel_devices.html +++ b/www/api-docs/kernel_devices.html @@ -78,7 +78,7 @@

Description:

-

+

This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are @@ -94,7 +94,8 @@ are used to label device nodes should use the dev_node macro. Additionally, this module controls access to three things:

  • the device directories containing device nodes
  • device nodes as a group
  • individual access to specific device nodes covered by this module.

-

+

+ @@ -4051,6 +4052,47 @@ No
+dev_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to devices. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ dev_write_framebuffer( diff --git a/www/api-docs/kernel_filesystem.html b/www/api-docs/kernel_filesystem.html index f9f1667..a443856 100644 --- a/www/api-docs/kernel_filesystem.html +++ b/www/api-docs/kernel_filesystem.html @@ -78,7 +78,10 @@

Description:

-

Policy for filesystems.

+

Policy for filesystems.

+ + +

This module is required to be included in all policies.

@@ -3290,6 +3293,47 @@ No
+fs_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to filesystems +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ fs_unmount_all_fs( diff --git a/www/api-docs/kernel_kernel.html b/www/api-docs/kernel_kernel.html index cb23abc..f2594a2 100644 --- a/www/api-docs/kernel_kernel.html +++ b/www/api-docs/kernel_kernel.html @@ -78,10 +78,12 @@

Description:

-

-Policy for kernel threads, proc filesystem, -and unlabeled processes and objects. -

+

+Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +

+ + +

This module is required to be included in all policies.

@@ -2153,6 +2155,47 @@ No
+kernel_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to the kernel. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ kernel_use_fd( diff --git a/www/api-docs/kernel_selinux.html b/www/api-docs/kernel_selinux.html index 4d7cd7a..b691441 100644 --- a/www/api-docs/kernel_selinux.html +++ b/www/api-docs/kernel_selinux.html @@ -78,9 +78,12 @@

Description:

-

+

Policy for kernel security interface, in particular, selinuxfs. -

+

+ + +

This module is required to be included in all policies.

@@ -526,6 +529,47 @@ No
+selinux_unconfined( + + + + + domain + + + )
+
+
+ + +
Description
+

+Unconfined access to the SELinux security server. +

+ +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ selinux_validate_context( diff --git a/www/api-docs/kernel_storage.html b/www/api-docs/kernel_storage.html index 1ec3c66..61332b5 100644 --- a/www/api-docs/kernel_storage.html +++ b/www/api-docs/kernel_storage.html @@ -78,7 +78,8 @@

Description:

-

Policy controlling access to storage devices

+

Policy controlling access to storage devices

+ @@ -101,12 +102,12 @@
- -
Description
+
Summary

Create block devices in /dev with the fixed disk type.

+
Parameters
@@ -142,13 +143,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to get the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -184,13 +185,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to get the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -226,13 +227,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to set the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -268,13 +269,13 @@ No
- -
Description
+
Summary

Do not audit attempts made by the caller to set the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -310,13 +311,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -352,13 +353,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -394,13 +395,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of the generic SCSI interface device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -436,13 +437,13 @@ No
- -
Description
+
Summary

Get attributes of the device nodes for the SCSI generic inerface.

+
Parameters
Parameter:Description:Optional:
@@ -478,13 +479,13 @@ No
- -
Description
+
Summary

Allow the caller to get the attributes of device nodes of tape devices.

+
Parameters
Parameter:Description:Optional:
@@ -561,8 +562,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a fixed disk. This is extremly dangerous as it can bypass the @@ -570,6 +570,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -605,8 +606,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a logical volume. This is extremly dangerous as it can bypass the @@ -614,6 +614,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -649,8 +650,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a removable device. @@ -659,6 +659,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -694,8 +695,7 @@ No
- -
Description
+
Summary

Allow the caller to directly write to a fixed disk. This is extremly dangerous as it can bypass the @@ -703,6 +703,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -738,8 +739,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read from a logical volume. This is extremly dangerous as it can bypass the @@ -747,6 +747,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -782,8 +783,7 @@ No
- -
Description
+
Summary

Allow the caller to directly write to a removable device. @@ -792,6 +792,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -827,8 +828,7 @@ No
- -
Description
+
Summary

Allow the caller to directly read, in a generic fashion, from any SCSI device. @@ -837,6 +837,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
Parameter:Description:Optional:
@@ -872,13 +873,13 @@ No
- -
Description
+
Summary

Allow the caller to directly read a tape device.

+
Parameters
Parameter:Description:Optional:
@@ -955,13 +956,13 @@ No
- -
Description
+
Summary

Set attributes of the device nodes for the SCSI generic inerface.

+
Parameters
Parameter:Description:Optional:
@@ -997,13 +998,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of fixed disk device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1039,13 +1040,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of removable devices device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1081,13 +1082,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of the generic SCSI interface device nodes.

+
Parameters
Parameter:Description:Optional:
@@ -1123,13 +1124,13 @@ No
- -
Description
+
Summary

Allow the caller to set the attributes of device nodes of tape devices.

+
Parameters
Parameter:Description:Optional:
@@ -1194,7 +1195,7 @@ No
-storage_write_scsi_generic( +storage_unconfined( @@ -1206,8 +1207,48 @@ No
+
Summary
+

+Unconfined access to storage devices. +

+ + +
Parameters
+
Parameter:Description:Optional:
+ -
Description
+ + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +storage_write_scsi_generic( + + + + + domain + + + )
+
+
+ +
Summary

Allow the caller to directly write, in a generic fashion, from any SCSI device. @@ -1216,6 +1257,7 @@ SELinux protections for filesystem objects, and should only be used by trusted domains.

+
Parameters
@@ -1251,13 +1293,13 @@ No
- -
Description
+
Summary

Allow the caller to directly read a tape device.

+
Parameters
Parameter:Description:Optional:
diff --git a/www/api-docs/kernel_terminal.html b/www/api-docs/kernel_terminal.html index 4547c70..86b7485 100644 --- a/www/api-docs/kernel_terminal.html +++ b/www/api-docs/kernel_terminal.html @@ -78,7 +78,8 @@

Description:

-

Policy for terminals.

+

Policy for terminals.

+ diff --git a/www/api-docs/services_cron.html b/www/api-docs/services_cron.html index a940957..7b6981b 100644 --- a/www/api-docs/services_cron.html +++ b/www/api-docs/services_cron.html @@ -81,7 +81,8 @@

Description:

-

Periodic execution of scheduled commands.

+

Periodic execution of scheduled commands.

+ diff --git a/www/api-docs/services_inetd.html b/www/api-docs/services_inetd.html index 74c94b2..1e0009c 100644 --- a/www/api-docs/services_inetd.html +++ b/www/api-docs/services_inetd.html @@ -78,7 +78,8 @@

Description:

-

Internet services daemon.

+

Internet services daemon.

+ diff --git a/www/api-docs/services_kerberos.html b/www/api-docs/services_kerberos.html index d25efc4..f6f5724 100644 --- a/www/api-docs/services_kerberos.html +++ b/www/api-docs/services_kerberos.html @@ -78,7 +78,7 @@

Description:

-

+

This policy supports:

@@ -88,7 +88,8 @@ Servers:

Clients:

  • kinit
  • kdestroy
  • klist
  • ksu (incomplete)

-

+

+ diff --git a/www/api-docs/services_mta.html b/www/api-docs/services_mta.html index 949e72d..036a1fc 100644 --- a/www/api-docs/services_mta.html +++ b/www/api-docs/services_mta.html @@ -81,7 +81,8 @@

Description:

-

Policy common to all email tranfer agents.

+

Policy common to all email tranfer agents.

+ @@ -466,7 +467,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -475,19 +484,46 @@ No
Summary

-Summary is missing! +Modified mailserver interface for +sendmail daemon use.

+
Description
+

+

+A modified MTA mail server interface for +the sendmail program. It's design does +not fit well with policy, and using the +regular interface causes a type_transition +conflict if direct running of init scripts +is enabled. +

+

+This interface should most likely only be used +by the sendmail policy. +

+

+
Parameters
Parameter:Description:Optional:
+ + + + + diff --git a/www/api-docs/system_authlogin.html b/www/api-docs/system_authlogin.html index bcd8a82..89a2f0c 100644 --- a/www/api-docs/system_authlogin.html +++ b/www/api-docs/system_authlogin.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,8 @@

Description:

-

Common policy for authentication and user login.

+

Common policy for authentication and user login.

+ diff --git a/www/api-docs/system_clock.html b/www/api-docs/system_clock.html index 3301e7c..fba0684 100644 --- a/www/api-docs/system_clock.html +++ b/www/api-docs/system_clock.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for reading and setting the hardware clock.

+

Policy for reading and setting the hardware clock.

+ diff --git a/www/api-docs/system_corecommands.html b/www/api-docs/system_corecommands.html index 7d065e9..cb66c7f 100644 --- a/www/api-docs/system_corecommands.html +++ b/www/api-docs/system_corecommands.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,10 +123,11 @@

Description:

-

+

Core policy for shells, and generic programs in /bin, /sbin, /usr/bin, and /usr/sbin. -

+

+ diff --git a/www/api-docs/system_domain.html b/www/api-docs/system_domain.html index f02e5b7..7ab8532 100644 --- a/www/api-docs/system_domain.html +++ b/www/api-docs/system_domain.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,10 @@

Description:

-

Core policy for domains.

+

Core policy for domains.

+ + +

This module is required to be included in all policies.

@@ -1127,6 +1133,47 @@ No
+domain_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to domains. +

+ + +
Parameters
+
Parameter:Description:Optional:
-? +domain -Parameter descriptions are missing! +The type to be used for the mail server. + + +No +
+entry_point + + +The type to be used for the domain entry point program. No diff --git a/www/api-docs/services_nis.html b/www/api-docs/services_nis.html index 5997c42..9670fc7 100644 --- a/www/api-docs/services_nis.html +++ b/www/api-docs/services_nis.html @@ -78,7 +78,8 @@

Description:

-

Policy for NIS (YP) servers and clients

+

Policy for NIS (YP) servers and clients

+ diff --git a/www/api-docs/services_remotelogin.html b/www/api-docs/services_remotelogin.html index 8bd22ed..70a0b7b 100644 --- a/www/api-docs/services_remotelogin.html +++ b/www/api-docs/services_remotelogin.html @@ -78,7 +78,8 @@

Description:

-

Policy for rshd, rlogind, and telnetd.

+

Policy for rshd, rlogind, and telnetd.

+ diff --git a/www/api-docs/services_sendmail.html b/www/api-docs/services_sendmail.html index a8561ad..1dd53f4 100644 --- a/www/api-docs/services_sendmail.html +++ b/www/api-docs/services_sendmail.html @@ -78,7 +78,8 @@

Description:

-

Policy for sendmail.

+

Policy for sendmail.

+ diff --git a/www/api-docs/services_ssh.html b/www/api-docs/services_ssh.html index 2eadd26..46a0a11 100644 --- a/www/api-docs/services_ssh.html +++ b/www/api-docs/services_ssh.html @@ -81,7 +81,8 @@

Description:

-

Secure shell client and server policy.

+

Secure shell client and server policy.

+ diff --git a/www/api-docs/system.html b/www/api-docs/system.html index 3002695..267d377 100644 --- a/www/api-docs/system.html +++ b/www/api-docs/system.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -245,6 +248,11 @@ connection and disconnection of devices at runtime.

Policy for udev.
+ + unconfined

The unconfined domain.

userdomain

Policy for user domains
+ + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+
+
+ +
+ + +
+ domain_use_wide_inherit_fd( diff --git a/www/api-docs/system_files.html b/www/api-docs/system_files.html index cdfd1f7..b2b23a6 100644 --- a/www/api-docs/system_files.html +++ b/www/api-docs/system_files.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,14 +123,17 @@

Description:

-

+

This module contains basic filesystem types and interfaces. This includes:

  • The concept of different file types including basic files, mount points, tmp files, etc.
  • Access to groups of files and all files.
  • Types and interfaces for the basic filesystem layout (/, /etc, /tmp, /usr, etc.).

-

+

+ + +

This module is required to be included in all policies.

@@ -220,6 +226,65 @@ No
+files_create_home_dirs( + + + + + domain + + + + , + + + + home_type + + + )
+
+
+ +
Summary
+

+Create home directories +

+ + +
Parameters
+ + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+home_type + + +The type of the home directory + + +No +
+
+
+ +
+ + +
+ files_create_lock( @@ -3361,6 +3426,47 @@ No
+files_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to files. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ files_unmount_all_file_type_fs( diff --git a/www/api-docs/system_fstools.html b/www/api-docs/system_fstools.html index 6475699..bf68ba9 100644 --- a/www/api-docs/system_fstools.html +++ b/www/api-docs/system_fstools.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Tools for filesystem management, such as mkfs and fsck.

+

Tools for filesystem management, such as mkfs and fsck.

+ diff --git a/www/api-docs/system_getty.html b/www/api-docs/system_getty.html index eb97234..810af4d 100644 --- a/www/api-docs/system_getty.html +++ b/www/api-docs/system_getty.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for getty.

+

Policy for getty.

+ diff --git a/www/api-docs/system_hostname.html b/www/api-docs/system_hostname.html index a45d686..93e46aa 100644 --- a/www/api-docs/system_hostname.html +++ b/www/api-docs/system_hostname.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for changing the system host name.

+

Policy for changing the system host name.

+ diff --git a/www/api-docs/system_hotplug.html b/www/api-docs/system_hotplug.html index c517d4b..519b4a9 100644 --- a/www/api-docs/system_hotplug.html +++ b/www/api-docs/system_hotplug.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,10 +123,11 @@

Description:

-

+

Policy for hotplug system, for supporting the connection and disconnection of devices at runtime. -

+

+ diff --git a/www/api-docs/system_init.html b/www/api-docs/system_init.html index 6c086fc..265a959 100644 --- a/www/api-docs/system_init.html +++ b/www/api-docs/system_init.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

System initialization programs (init and init scripts).

+

System initialization programs (init and init scripts).

+ @@ -136,7 +140,15 @@ - ? + domain + + + + , + + + + entry_point )
@@ -145,7 +157,8 @@
Summary

-Summary is missing! +Create a domain for long running processes +(daemons) which can be started by init scripts.

@@ -154,10 +167,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No @@ -177,7 +200,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -186,7 +217,7 @@ No
Summary

-Summary is missing! +Create a domain which can be started by init.

@@ -195,10 +226,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No @@ -828,6 +869,83 @@ No
+init_run_daemon( + + + + + domain + + + + , + + + + role + + + + , + + + + terminal + + + )
+
+
+ + +
Description
+

+Start and stop daemon programs directly. +

+ +
Parameters
+ + + + + + + + + +
Parameter:Description:Optional:
+domain + + +The type of the process performing this action. + + +No +
+role + + +The role to be performing this action. + + +No +
+terminal + + +The type of the terminal of the user. + + +No +
+
+
+ +
+ + +
+ init_rw_script_pid( @@ -997,7 +1115,15 @@ No - ? + domain + + + + , + + + + entry_point )
@@ -1006,7 +1132,8 @@ No
Summary

-Summary is missing! +Create a domain for short running processes +which can be started by init scripts.

@@ -1015,10 +1142,20 @@ Summary is missing! Parameter:Description:Optional: -? +domain -Parameter descriptions are missing! +Type to be used as a domain. + + +No + + + +entry_point + + +Type of the program to be used as an entry point to this domain. No diff --git a/www/api-docs/system_iptables.html b/www/api-docs/system_iptables.html index d0cff12..c57dd88 100644 --- a/www/api-docs/system_iptables.html +++ b/www/api-docs/system_iptables.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for iptables.

+

Policy for iptables.

+ diff --git a/www/api-docs/system_libraries.html b/www/api-docs/system_libraries.html index 73686d5..ff2c5b3 100644 --- a/www/api-docs/system_libraries.html +++ b/www/api-docs/system_libraries.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for system libraries.

+

Policy for system libraries.

+ diff --git a/www/api-docs/system_locallogin.html b/www/api-docs/system_locallogin.html index 248f982..34495f7 100644 --- a/www/api-docs/system_locallogin.html +++ b/www/api-docs/system_locallogin.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for local logins.

+

Policy for local logins.

+ diff --git a/www/api-docs/system_logging.html b/www/api-docs/system_logging.html index 4554b10..bc1079e 100644 --- a/www/api-docs/system_logging.html +++ b/www/api-docs/system_logging.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for the kernel message logger and system logging daemon.

+

Policy for the kernel message logger and system logging daemon.

+ diff --git a/www/api-docs/system_lvm.html b/www/api-docs/system_lvm.html index 0da71a8..ce57f08 100644 --- a/www/api-docs/system_lvm.html +++ b/www/api-docs/system_lvm.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for logical volume management programs.

+

Policy for logical volume management programs.

+ diff --git a/www/api-docs/system_miscfiles.html b/www/api-docs/system_miscfiles.html index be5525b..1bf647e 100644 --- a/www/api-docs/system_miscfiles.html +++ b/www/api-docs/system_miscfiles.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Miscelaneous files.

+

Miscelaneous files.

+ diff --git a/www/api-docs/system_modutils.html b/www/api-docs/system_modutils.html index 3684975..fdbb731 100644 --- a/www/api-docs/system_modutils.html +++ b/www/api-docs/system_modutils.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for kernel module utilities

+

Policy for kernel module utilities

+ diff --git a/www/api-docs/system_mount.html b/www/api-docs/system_mount.html index 7f61be8..48b6164 100644 --- a/www/api-docs/system_mount.html +++ b/www/api-docs/system_mount.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for mount.

+

Policy for mount.

+ diff --git a/www/api-docs/system_selinuxutil.html b/www/api-docs/system_selinuxutil.html index ad54f25..6ed7287 100644 --- a/www/api-docs/system_selinuxutil.html +++ b/www/api-docs/system_selinuxutil.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for SELinux policy and userland applications.

+

Policy for SELinux policy and userland applications.

+ diff --git a/www/api-docs/system_sysnetwork.html b/www/api-docs/system_sysnetwork.html index 7fcfd26..3dca320 100644 --- a/www/api-docs/system_sysnetwork.html +++ b/www/api-docs/system_sysnetwork.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for network configuration: ifconfig and dhcp client.

+

Policy for network configuration: ifconfig and dhcp client.

+ diff --git a/www/api-docs/system_udev.html b/www/api-docs/system_udev.html index d25f12e..d6d9caa 100644 --- a/www/api-docs/system_udev.html +++ b/www/api-docs/system_udev.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -120,7 +123,8 @@

Description:

-

Policy for udev.

+

Policy for udev.

+ diff --git a/www/api-docs/system_unconfined.html b/www/api-docs/system_unconfined.html new file mode 100644 index 0000000..a57bce1 --- /dev/null +++ b/www/api-docs/system_unconfined.html @@ -0,0 +1,395 @@ + + + + Security Enhanced Linux Reference Policy + + + + + + + +
+ +

Layer: system

+

Module: unconfined

+ + +Interfaces +Templates + + +

Description:

+ +

The unconfined domain.

+ + + + +

Interfaces:

+ +
+ + +
+ +unconfined_domtrans_shell( + + + + + domain + + + )
+
+
+ +
Summary
+

+Transition to the unconfined domain by executing a shell. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_role( + + + + + domain + + + )
+
+
+ +
Summary
+

+Add the unconfined domain to the specified role. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_rw_pipe( + + + + + domain + + + )
+
+
+ +
Summary
+

+Read and write unconfined domain unnamed pipes. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_sigchld( + + + + + domain + + + )
+
+
+ +
Summary
+

+Send a SIGCHLD signal to the unconfined domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ +unconfined_use_fd( + + + + + domain + + + )
+
+
+ +
Summary
+

+Inherit file descriptors from the unconfined domain. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ + +Return + + + +

Templates:

+ +
+ + +
+ +unconfined_domain_template( + + + + + domain + + + )
+
+
+ +
Summary
+

+A template to make the specified domain unconfined. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain to make unconfined. + + +No +
+
+
+ + +Return + + +
+ + diff --git a/www/api-docs/system_userdomain.html b/www/api-docs/system_userdomain.html index e428af7..0d4c3b9 100644 --- a/www/api-docs/system_userdomain.html +++ b/www/api-docs/system_userdomain.html @@ -100,6 +100,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -123,7 +126,8 @@

Description:

-

Policy for user domains

+

Policy for user domains

+ @@ -673,6 +677,47 @@ No
+userdom_unconfined( + + + + + domain + + + )
+
+
+ +
Summary
+

+Unconfined access to user domains. +

+ + +
Parameters
+ + + + + +
Parameter:Description:Optional:
+domain + + +Domain allowed access. + + +No +
+
+
+ +
+ + +
+ userdom_use_all_user_fd( diff --git a/www/api-docs/templates.html b/www/api-docs/templates.html index 38289ba..258b89c 100644 --- a/www/api-docs/templates.html +++ b/www/api-docs/templates.html @@ -169,6 +169,9 @@    -  udev
+    -  + unconfined
+    -  userdomain
@@ -472,6 +475,32 @@ The template to define a ssh server.
+Module: +unconfined

+Layer: +system

+

+ +unconfined_domain_template( + + + + + domain + + + )
+
+ +
+

+A template to make the specified domain unconfined. +

+
+ +
+ +
Module: userdomain

Layer: