+
@@ -258,6 +309,19 @@ Allow system to run with kerberos
+
allow_user_mysql_connect
+
+
Default value
+
false
+
+
Description
+
+Allow users to connect to mysql
+
+
+
+
+
allow_ypbind
Default value
@@ -299,6 +363,20 @@ to support fcron.
+
named_write_master_zones
+
+
Default value
+
false
+
+
Description
+
+Allow BIND to write the master zone files.
+Generally this is used for dynamic DNS.
+
+
+
+
+
read_default_t
Default value
diff --git a/www/api-docs/index.html b/www/api-docs/index.html
index e4290fe..07cb0df 100644
--- a/www/api-docs/index.html
+++ b/www/api-docs/index.html
@@ -13,21 +13,42 @@
admin
+
@@ -76,33 +100,60 @@
services
+
@@ -215,6 +266,11 @@
+
+ acct |
+ Berkeley process accounting |
+
+
consoletype |
@@ -227,6 +283,14 @@ Determine of the console connected to the controlling terminal.
| Policy for dmesg. |
+
+ firstboot |
+
+Final system configuration run during the first boot
+after installation of Red Hat/Fedora systems.
+ |
+
+
logrotate |
Rotate and archive system logs |
@@ -237,11 +301,36 @@ Determine of the console connected to the controlling terminal.
Network analysis utilities |
+
+ quota |
+ File system quota management |
+
+
rpm |
Policy for the RPM package manager. |
+
+ su |
+ Run shells with substitute user and group |
+
+
+
+ sudo |
+ Execute a command with a substitute user |
+
+
+
+ tmpreaper |
+ Manage temporary directory sizes and file ages |
+
+
+
+ updfstab |
+ Red Hat utility to change /etc/fstab. |
+
+
usermanage |
Policy for managing user accounts. |
@@ -354,6 +443,11 @@ Policy for kernel security interface, in particular, selinuxfs.
gpg
Policy for GNU Privacy Guard and related programs. |
+
+
+ loadkeys |
+ Load keyboard mappings. |
+
@@ -556,11 +650,26 @@ connection and disconnection of devices at runtime.
+
+ bind |
+ Berkeley internet name domain DNS server. |
+
+
cron |
Periodic execution of scheduled commands. |
+
+ gpm |
+ General Purpose Mouse driver |
+
+
+
+ howl |
+ Port of Apple Rendezvous multicast DNS |
+
+
inetd |
Internet services daemon. |
@@ -571,11 +680,21 @@ connection and disconnection of devices at runtime.
MIT Kerberos admin and KDC |
+
+ ldap |
+ OpenLDAP directory server |
+
+
mta |
Policy common to all email tranfer agents. |
+
+ mysql |
+ Policy for MySQL |
+
+
nis |
Policy for NIS (YP) servers and clients |
@@ -586,11 +705,26 @@ connection and disconnection of devices at runtime.
Name service cache daemon |
+
+ privoxy |
+ Privacy enhancing web proxy. |
+
+
remotelogin |
Policy for rshd, rlogind, and telnetd. |
+
+ rshd |
+ Remote shell service. |
+
+
+
+ rsync |
+ Fast incremental file transfer for synchronization |
+
+
sendmail |
Policy for sendmail. |
@@ -600,6 +734,11 @@ connection and disconnection of devices at runtime.
ssh
Secure shell client and server policy. |
+
+
+ tcpd |
+ Policy for TCP daemon. |
+
diff --git a/www/api-docs/interfaces.html b/www/api-docs/interfaces.html
index 6a44170..4f8d87c 100644
--- a/www/api-docs/interfaces.html
+++ b/www/api-docs/interfaces.html
@@ -13,21 +13,42 @@
admin
+
@@ -76,33 +100,60 @@
services
+
@@ -206,6 +257,136 @@
+Module:
+acct
+Layer:
+admin
+
+
+acct_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Transition to the accounting management domain.
+
+
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute accounting management tools in the caller domain.
+
+
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_exec_data(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute accounting management data in the caller domain.
+
+
+
+
+
+
+Module:
+acct
+Layer:
+admin
+
+
+acct_manage_data(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete process accounting data.
+
+
+
+
+
+
+Module:
+authlogin
+Layer:
+system
+
+
+auth_create_login_records(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
+
+
+
+
+Delete pam PID files.
+
+
+
@@ -243,6 +430,12 @@ system
)
+
+
+Run unix_chkpwd to check a password.
+
+
+
@@ -271,6 +464,12 @@ system
)
+
+
+Execute a login_program in the target domain.
+
+
+
@@ -291,6 +490,12 @@ system
)
+
+
+Execute pam programs in the pam domain.
+
+
+
@@ -337,6 +542,12 @@ system
)
+
+
+Execute utempter programs in the utempter domain.
+
+
+
@@ -384,6 +595,13 @@ system
)
+
+
+Do not audit attempts to read the shadow
+password file (/etc/shadow).
+
+
+
@@ -430,6 +648,12 @@ system
)
+
+
+Execute the pam program.
+
+
+
@@ -502,6 +726,12 @@ system
)
+
+
+Use the login program as an entry point program.
+
+
+
@@ -534,6 +764,13 @@ system
)
+
+
+Manage all files on the filesystem, except
+the shadow passwords and listed exceptions.
+
+
+
@@ -710,6 +947,12 @@ system
)
+
+
+Read the shadow passwords file (/etc/shadow)
+
+
+
@@ -742,6 +985,13 @@ system
)
+
+
+Relabel all files on the filesystem, except
+the shadow passwords and listed exceptions.
+
+
+
@@ -804,6 +1054,12 @@ system
)
+
+
+Execute pam programs in the PAM domain.
+
+
+
@@ -840,6 +1096,12 @@ system
)
+
+
+Execute utempter programs in the utempter domain.
+
+
+
@@ -938,6 +1200,12 @@ system
)
+
+
+Read and write the shadow password file (/etc/shadow).
+
+
+
@@ -967,6 +1235,154 @@ Unconfined access to the authlogin module.
+Module:
+bind
+Layer:
+services
+
+
+bind_domtrans_ndc(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute ndc in the ndc domain.
+
+
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read BIND named configuration files.
+
+
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_run_ndc(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute ndc in the ndc domain, and
+allow the specified role the ndc domain.
+
+
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_setattr_pid_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to set the attributes
+of the BIND pid directory.
+
+
+
+
+
+
+Module:
+bind
+Layer:
+services
+
+
+bind_write_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write BIND named configuration files.
+
+
+
+
+
+
+
+
+Execute hwclock in the clock domain.
+
+
+
@@ -1546,6 +1968,12 @@ system
)
+
+
+ Execute hwclock in the caller domain.
+
+
+
@@ -1582,6 +2010,13 @@ system
)
+
+
+Execute hwclock in the clock domain, and
+allow the specified role the hwclock domain.
+
+
+
@@ -1602,6 +2037,12 @@ system
)
+
+
+ Allow executing domain to modify clock drift
+
+
+
@@ -1622,6 +2063,12 @@ admin
)
+
+
+Execute consoletype in the consoletype domain.
+
+
+
@@ -1642,6 +2089,12 @@ admin
)
+
+
+Execute consoletype in the caller domain.
+
+
+
@@ -2285,6 +2738,14 @@ system
)
+
+
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+
+
+
@@ -18140,13 +18601,13 @@ Execute dmesg in the caller domain.
-Module:
+Module:
domain
Layer:
system
-
domain_base_domain_type(
+
domain_base_type(
@@ -18264,6 +18725,13 @@ system
)
+
+
+Do not audit attempts to get the attributes
+of all domains unix datagram sockets.
+
+
+
@@ -18284,6 +18752,13 @@ system
)
+
+
+Do not audit attempts to get the attributes
+of all domains unnamed pipes.
+
+
+
@@ -18331,6 +18806,13 @@ system
)
+
+
+Do not audit attempts to read the process state
+directories of all domains.
+
+
+
@@ -18519,6 +19001,33 @@ Summary is missing!
+Module:
+domain
+Layer:
+system
+
+
+domain_getattr_all_entry_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of entry point
+files for all domains.
+
+
+
+
+
+
+
+
+Send a kill signal to all domains.
+
+
+
@@ -18609,6 +19124,13 @@ system
)
+
+
+Makes caller an exception to the constraint preventing
+changing the user identity in object contexts.
+
+
+
@@ -18681,6 +19203,13 @@ system
)
+
+
+Makes caller an exception to the constraint preventing
+changing of role.
+
+
+
@@ -18727,6 +19256,12 @@ system
)
+
+
+Send a child terminated signal to all domains.
+
+
+
@@ -18774,6 +19309,12 @@ system
)
+
+
+Send general signals to all domains.
+
+
+
@@ -18794,6 +19335,12 @@ system
)
+
+
+Send a null signal to all domains.
+
+
+
@@ -18814,6 +19361,12 @@ system
)
+
+
+Send a stop signal to all domains.
+
+
+
@@ -18834,6 +19387,13 @@ system
)
+
+
+Makes caller an exception to the constraint preventing
+changing of user identity.
+
+
+
@@ -19255,32 +19815,6 @@ Summary is missing!
-Module:
-files
-Layer:
-system
-
-
-files_delete_all_tmp_files(
-
-
-
-
- ?
-
-
- )
-
-
-
-
-Summary is missing!
-
-
-
-
-
-
+Module:
+files
+Layer:
+system
+
+
+files_dontaudit_read_etc_runtime_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to read files
+in /etc that are dynamically
+created on boot, such as mtab.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_dontaudit_search_home(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to search home directories root.
+
+
+
+
+
+
Module:
files
Layer:
@@ -19900,7 +20488,7 @@ system
- ?
+ domain
)
@@ -19908,7 +20496,7 @@ system
-Summary is missing!
+Get the attributes of all files.
@@ -20019,6 +20607,32 @@ Summary is missing!
+Module:
+files
+Layer:
+system
+
+
+files_getattr_usr_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of files in /usr.
+
+
+
+
+
+
+
+
+
+List the contents of all directories.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_list_all_dirs(
+
+
+
+
?
@@ -20280,6 +20920,32 @@ Summary is missing!
+Module:
+files
+Layer:
+system
+
+
+files_list_var_lib(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+List the contents of the /var/lib directory.
+
+
+
+
+
+
Module:
files
Layer:
@@ -20408,7 +21074,7 @@ system
- ?
+ domain
)
@@ -20416,7 +21082,9 @@ system
-Summary is missing!
+Create, read, write, and delete files in
+/etc that are dynamically created on boot,
+such as mtab.
@@ -20689,6 +21357,58 @@ Create, read, write, and delete directories in /mnt.
+Module:
+files
+Layer:
+system
+
+
+files_manage_mnt_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files in /mnt.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_mnt_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic links in /mnt.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete directories
+in the /var directory.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files in the /var directory.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_manage_var_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic
+links in the /var directory.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_purge_tmp(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_read_all_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_read_all_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read all symbolic links.
+
+
+
+
+
+
Module:
files
Layer:
@@ -21039,7 +21917,7 @@ system
- ?
+ domain
)
@@ -21047,7 +21925,8 @@ system
-Summary is missing!
+Read files in /etc that are dynamically
+created on boot, such as mtab.
@@ -21159,6 +22038,32 @@ Summary is missing!
+Module:
+files
+Layer:
+system
+
+
+files_read_usr_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read symbolic links in /usr.
+
+
+
+
+
+
+Module:
+files
+Layer:
+system
+
+
+files_relabelto_usr_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Relabel a file to the type used in /usr.
+
+
+
+
+
+
Module:
files
Layer:
@@ -21583,7 +22514,7 @@ system
-Search home directories.
+Search home directories root.
@@ -21713,7 +22644,7 @@ system
-Search the tmp directory (/tmp)
+Search the tmp directory (/tmp).
@@ -21798,6 +22729,32 @@ Search the /var/lib directory.
+Module:
+files
+Layer:
+system
+
+
+files_setattr_all_tmp_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the attributes of all tmp directories.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute firstboot in the firstboot domain.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute firstboot in the firstboot domain, and
+allow the specified role the firstboot domain.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_use_fd(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Inherit and use a file descriptor from firstboot.
+
+
+
+
+
+
+Module:
+firstboot
+Layer:
+admin
+
+
+firstboot_write_pipe(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write to a firstboot unnamed pipe.
+
+
+
+
+
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_get_xattr_fs_quota(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the filesystem quotas of a filesystem
+with extended attributes.
+
+
+
+
+
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_search_cifs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Search directories on a CIFS or SMB filesystem.
+
+
+
+
+
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_search_nfs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Search directories on a NFS filesystem.
+
+
+
+
+
+
+Module:
+filesystem
+Layer:
+kernel
+
+
+fs_set_xattr_fs_quota(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the filesystem quotas of a filesystem
+with extended attributes.
+
+
+
+
+
+
-
-
-
-Module:
-fstools
-Layer:
-system
-
-
-
fstools_exec(
-
-
-
-
- domain
-
-
- )
+
+
+Execute fs tools in the fstools domain.
+
-Module:
+Module:
fstools
Layer:
system
-fstools_run(
-
-
-
-
- domain
-
-
-
- ,
-
-
-
- role
-
-
-
- ,
-
-
-
- terminal
-
-
- )
-
-
-
-
-
-Module:
-getty
-Layer:
-system
-
-
-getty_domtrans(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-
-Module:
-getty
-Layer:
-system
-
-
-getty_modify_config(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-
-Module:
-getty
-Layer:
-system
-
-
-
getty_read_config(
+
fstools_exec(
@@ -24810,36 +25904,22 @@ system
)
-
-
-
-Module:
-getty
-Layer:
-system
-
-
-
getty_read_log(
-
-
-
-
- domain
-
-
- )
+
+
+Execute fsadm in the caller domain.
+
-Module:
-hostname
+Module:
+fstools
Layer:
system
-
hostname_domtrans(
+
fstools_manage_entry_files(
@@ -24852,20 +25932,21 @@ system
-Execute hostname in the hostname domain.
+Create, read, write, and delete a file used by the
+filesystem tools programs.
-Module:
-hostname
+Module:
+fstools
Layer:
system
-
hostname_exec(
+
fstools_relabelto_entry_files(
@@ -24878,20 +25959,302 @@ system
- Execute hostname in the caller domain.
-
+Relabel a file to the type used by the
+filesystem tools programs.
+
-Module:
-hostname
+Module:
+fstools
Layer:
system
-hostname_run(
+fstools_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute fs tools in the fstools domain, and
+allow the specified role the fs tools domain.
+
+
+
+
+
+
+Module:
+getty
+Layer:
+system
+
+
+getty_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute gettys in the getty domain.
+
+
+
+
+
+
+Module:
+getty
+Layer:
+system
+
+
+getty_modify_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Allow process to edit getty config file.
+
+
+
+
+
+
+Module:
+getty
+Layer:
+system
+
+
+getty_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Allow process to read getty config file.
+
+
+
+
+
+
+Module:
+getty
+Layer:
+system
+
+
+getty_read_log(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Allow process to read getty log file.
+
+
+
+
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_dontaudit_getattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to get the
+attributes of the GPM control channel
+named socket.
+
+
+
+
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_getattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Get the attributes of the GPM
+control channel named socket.
+
+
+
+
+
+
+Module:
+gpm
+Layer:
+services
+
+
+gpm_setattr_gpmctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Set the attributes of the GPM
+control channel named socket.
+
+
+
+
+
+
+Module:
+hostname
+Layer:
+system
+
+
+hostname_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute hostname in the hostname domain.
+
+
+
+
+
+
+Module:
+hostname
+Layer:
+system
+
+
+hostname_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+ Execute hostname in the caller domain.
+
+
+
+
+
+
+Module:
+hostname
+Layer:
+system
+
+
+hostname_run(
@@ -25170,6 +26533,32 @@ Define the specified domain as a inetd service.
+Module:
+inetd
+Layer:
+services
+
+
+inetd_domtrans_child(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Run inetd child process in the inet child domain
+
+
+
+
+
+
-Module:
+Module:
inetd
Layer:
services
-inetd_tcp_connectto(
+inetd_tcp_connect(
@@ -25298,6 +26687,32 @@ Define the specified domain as a UDP inetd service.
+Module:
+inetd
+Layer:
+services
+
+
+inetd_use_fd(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Inherit and use file descriptors from inetd.
+
+
+
+
+
+
+Module:
+init
+Layer:
+system
+
+
+init_list_script_pids(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+List the contents of an init script
+process id directory.
+
+
+
+
+
+
+Module:
+init
+Layer:
+system
+
+
+init_read_script(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read init scripts.
+
+
+
+
+
+
+Module:
+init
+Layer:
+system
+
+
+init_read_script_file(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read init scripts.
+
+
+
+
+
+
+
+
+Start and stop daemon programs directly.
+
+
+
@@ -26047,7 +27547,7 @@ system
- ?
+ domain
)
@@ -26055,7 +27555,7 @@ system
-Summary is missing!
+Read and write the init script pty.
@@ -26088,13 +27588,13 @@ Summary is missing!
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_connectto_unix_stream_socket(
+
ipsec_domtrans(
@@ -26107,20 +27607,20 @@ system
-Connect to an IPSEC unix domain stream socket.
+Execute ipsec in the ipsec domain.
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_domtrans(
+
ipsec_exec_mgmt(
@@ -26133,20 +27633,20 @@ system
-Execute ipsec in the ipsec domain.
+Execute the IPSEC management program in the caller domain.
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_exec_mgmt(
+
ipsec_getattr_key_socket(
@@ -26159,20 +27659,20 @@ system
-Execute the IPSEC management program in the caller domain.
+Get the attributes of an IPSEC key socket.
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_getattr_key_socket(
+
ipsec_manage_pid(
@@ -26185,20 +27685,20 @@ system
-Get the attributes of an IPSEC key socket.
+Create, read, write, and delete the IPSEC pid files.
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_manage_pid(
+
ipsec_read_config(
@@ -26211,20 +27711,20 @@ system
-Create, read, write, and delete the IPSEC pid files.
+Read the IPSEC configuration
-Module:
+Module:
ipsec
Layer:
system
-
ipsec_read_config(
+
ipsec_stream_connect(
@@ -26237,7 +27737,7 @@ system
-Read the IPSEC configuration
+Connect to IPSEC using a unix domain stream socket.
@@ -26261,6 +27761,12 @@ system
)
+
+
+Execute iptables in the iptables domain.
+
+
+
@@ -26281,6 +27787,12 @@ system
)
+
+
+Execute iptables in the caller domain.
+
+
+
@@ -26317,16 +27829,23 @@ system
)
+
+
+Execute iptables in the iptables domain, and
+allow the specified role the iptables domain.
+
+
+
-Module:
+Module:
kerberos
Layer:
services
-kerberos_read_conf(
+kerberos_read_config(
@@ -26346,6 +27865,32 @@ Read the kerberos configuration file (/etc/krb5.conf).
+Module:
+kerberos
+Layer:
+services
+
+
+kerberos_rw_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read and write the kerberos configuration file (/etc/krb5.conf).
+
+
+
+
+
+
+Module:
+kernel
+Layer:
+kernel
+
+
+kernel_dontaudit_write_kernel_sysctl(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to write generic kernel sysctls.
+
+
+
+
+
+
+Module:
+ldap
+Layer:
+services
+
+
+ldap_list_db_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read the contents of the OpenLDAP
+database directories.
+
+
+
+
+
+
+Module:
+ldap
+Layer:
+services
+
+
+ldap_read_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read the OpenLDAP configuration files.
+
+
+
+
+
+
+Module:
+libraries
+Layer:
+system
+
+
+libs_relabelto_lib_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Relabel files to the type used in library directories.
+
+
+
+
+
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the loadkeys domain.
+
+
+
+
+
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the caller domain.
+
+
+
+
+
+
+Module:
+loadkeys
+Layer:
+apps
+
+
+loadkeys_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute the loadkeys program in the loadkeys domain.
+
+
+
+
+
+
+
+
+Allows the domain to open a file in the
+log directory, but does not allow the listing
+of the contents of the log directory.
+
+
+
@@ -28989,6 +30741,12 @@ system
)
+
+
+Execute lvm programs in the lvm domain.
+
+
+
@@ -29009,6 +30767,12 @@ system
)
+
+
+Read LVM configuration files.
+
+
+
@@ -29045,6 +30809,12 @@ system
)
+
+
+Execute lvm programs in the lvm domain.
+
+
+
@@ -29248,6 +31018,12 @@ system
)
+
+
+Execute depmod in the depmod domain.
+
+
+
@@ -29268,6 +31044,12 @@ system
)
+
+
+Execute insmod in the insmod domain.
+
+
+
@@ -29288,6 +31070,12 @@ system
)
+
+
+Execute depmod in the depmod domain.
+
+
+
@@ -29386,6 +31174,12 @@ system
)
+
+
+Read the dependencies of kernel modules.
+
+
+
@@ -29406,6 +31200,13 @@ system
)
+
+
+Read the configuration options used when
+loading modules.
+
+
+
@@ -29442,6 +31243,12 @@ system
)
+
+
+Execute depmod in the depmod domain.
+
+
+
@@ -29478,6 +31285,15 @@ system
)
+
+
+Execute insmod in the insmod domain, and
+allow the specified role the insmod domain,
+and use the caller's terminal. Has a sigchld
+backchannel.
+
+
+
@@ -29514,6 +31330,12 @@ system
)
+
+
+Execute update_modules in the update_modules domain.
+
+
+
@@ -29534,6 +31356,12 @@ system
)
+
+
+Execute mount in the mount domain.
+
+
+
@@ -29570,6 +31398,14 @@ system
)
+
+
+Execute mount in the mount domain, and
+allow the specified role the mount domain,
+and use the caller's terminal.
+
+
+
@@ -29590,6 +31426,13 @@ system
)
+
+
+Allow the mount domain to send nfs requests for mounting
+network drives
+
+
+
@@ -29610,6 +31453,12 @@ system
)
+
+
+Use file descriptors for mount.
+
+
+
@@ -29787,6 +31636,12 @@ services
)
+
+
+Read mail address aliases.
+
+
+
@@ -29903,13 +31758,13 @@ sendmail daemon use.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_domtrans(
+
mysql_manage_db_dir(
@@ -29922,20 +31777,20 @@ admin
-Execute network utilities in the netutils domain.
+Create, read, write, and delete MySQL database directories.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_domtrans_ping(
+
mysql_read_config(
@@ -29948,20 +31803,20 @@ admin
-Execute ping in the ping domain.
+Read MySQL configuration files.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_domtrans_traceroute(
+
mysql_rw_db_dir(
@@ -29974,20 +31829,20 @@ admin
-Execute traceroute in the traceroute domain.
+Read and write to the MySQL database directory.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_exec(
+
mysql_search_db_dir(
@@ -30000,20 +31855,21 @@ admin
-Execute network utilities in the caller domain.
+Search the directories that contain MySQL
+database storage.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_exec_ping(
+
mysql_signal(
@@ -30026,20 +31882,20 @@ admin
-Execute ping in the caller domain.
+Send a generic signal to MySQL.
-Module:
-netutils
-Layer:
-admin
+Module:
+mysql
+Layer:
+services
-
netutils_exec_traceroute(
+
mysql_stream_connect(
@@ -30052,20 +31908,46 @@ admin
-Execute traceroute in the caller domain.
+Connect to MySQL using a unix domain stream socket.
-Module:
+Module:
+mysql
+Layer:
+services
+
+
+mysql_write_log(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Write to the MySQL log.
+
+
+
+
+
+
+Module:
netutils
Layer:
admin
-
netutils_run(
+
netutils_domtrans(
@@ -30073,20 +31955,56 @@ admin
domain
-
- ,
+ )
+
+
+
+
+Execute network utilities in the netutils domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+netutils_domtrans_ping(
+
- role
+ domain
-
- ,
+ )
+
+
+
+
+Execute ping in the ping domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+
netutils_domtrans_traceroute(
+
- terminal
+ domain
)
@@ -30094,21 +32012,20 @@ admin
-Execute network utilities in the netutils domain, and
-allow the specified role the netutils domain.
+Execute traceroute in the traceroute domain.
-Module:
+Module:
netutils
Layer:
admin
-
netutils_run_ping(
+
netutils_exec(
@@ -30116,20 +32033,56 @@ admin
domain
-
- ,
+ )
+
+
+
+
+Execute network utilities in the caller domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+netutils_exec_ping(
+
- role
+ domain
-
- ,
+ )
+
+
+
+
+Execute ping in the caller domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+
netutils_exec_traceroute(
+
- terminal
+ domain
)
@@ -30137,21 +32090,106 @@ admin
-Execute ping in the ping domain, and
-allow the specified role the ping domain.
+Execute traceroute in the caller domain.
-Module:
+Module:
netutils
Layer:
admin
-netutils_run_traceroute(
+netutils_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute network utilities in the netutils domain, and
+allow the specified role the netutils domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+netutils_run_ping(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute ping in the ping domain, and
+allow the specified role the ping domain.
+
+
+
+
+
+
+Module:
+netutils
+Layer:
+admin
+
+
+
netutils_run_traceroute(
@@ -30565,223 +32603,393 @@ system
-Execute cardmgr in the cardctl domain, and
-allow the specified role the cardmgr domain.
-
-
-
-
-
-
-Module:
-raid
-Layer:
-system
-
-
-raid_domtrans_mdadm(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Execute software raid tools in the mdadm domain.
-
-
-
-
-
-
-Module:
-raid
-Layer:
-system
-
-
-raid_manage_mdadm_pid(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Create, read, write, and delete the mdadm pid files.
-
-
-
-
-
-
-
-
-Module:
-rpm
-Layer:
-admin
-
-
-rpm_domtrans(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Execute rpm programs in the rpm domain.
-
-
-
-
-
-
-Module:
-rpm
-Layer:
-admin
-
-
-rpm_manage_db(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Create, read, write, and delete the RPM package database.
-
-
-
-
-
-
-Module:
-rpm
-Layer:
-admin
-
-
-rpm_manage_log(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Create, read, write, and delete the RPM log.
-
-
-
-
-
-
-Module:
-rpm
-Layer:
-admin
-
-
-rpm_read_db(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Read the RPM package database.
-
-
-
-
-
-
-Module:
-rpm
-Layer:
-admin
-
-
-rpm_read_pipe(
-
-
-
-
- domain
-
-
- )
-
-
-
-
-Read from an unnamed RPM pipe.
+Execute cardmgr in the cardctl domain, and
+allow the specified role the cardmgr domain.
+
+
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute quota management tools in the quota domain.
+
+
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_dontaudit_getattr_db(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to get the attributes
+of filesystem quota data files.
+
+
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_manage_flags(
+
+
+
+
+ ?
+
+
+ )
+
+
+
+
+Summary is missing!
+
+
+
+
+
+
+Module:
+quota
+Layer:
+admin
+
+
+quota_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute quota management tools in the quota domain, and
+allow the specified role the quota domain.
+
+
+
+
+
+
+Module:
+raid
+Layer:
+system
+
+
+raid_domtrans_mdadm(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute software raid tools in the mdadm domain.
+
+
+
+
+
+
+Module:
+raid
+Layer:
+system
+
+
+raid_manage_mdadm_pid(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete the mdadm pid files.
+
+
+
+
+
+
+Module:
+remotelogin
+Layer:
+services
+
+
+remotelogin_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Domain transition to the remote login domain.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute rpm programs in the rpm domain.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_manage_db(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete the RPM package database.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_manage_log(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete the RPM log.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_read_db(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read the RPM package database.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_read_pipe(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Read from an unnamed RPM pipe.
+
+
+
+
+
+
+Module:
+rpm
+Layer:
+admin
+
+
+rpm_run(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ role
+
+
+
+ ,
+
+
+
+ terminal
+
+
+ )
+
+
+
+
+Execute RPM programs in the RPM domain.
-Module:
+Module:
rpm
Layer:
admin
-
rpm_run(
+
rpm_rw_pipe(
@@ -30789,41 +32997,25 @@ admin
domain
-
- ,
-
-
-
- role
-
-
-
- ,
-
-
-
- terminal
-
-
)
-Execute RPM programs in the RPM domain.
+Read and write an unnamed RPM pipe.
-Module:
+Module:
rpm
Layer:
admin
-
rpm_rw_pipe(
+
rpm_use_fd(
@@ -30836,20 +33028,20 @@ admin
-Read and write an unnamed RPM pipe.
+Inherit and use file descriptors from RPM.
-Module:
+Module:
rpm
Layer:
admin
-
rpm_use_fd(
+
rpm_use_script_fd(
@@ -30862,20 +33054,20 @@ admin
-Inherit and use file descriptors from RPM.
+Inherit and use file descriptors from RPM scripts.
-Module:
-rpm
-Layer:
-admin
+Module:
+rshd
+Layer:
+services
-
rpm_use_script_fd(
+
rshd_domtrans(
@@ -30888,7 +33080,7 @@ admin
-Inherit and use file descriptors from RPM scripts.
+Domain transition to rshd.
@@ -30940,7 +33132,7 @@ kernel
-
+Calculate the default type for object creation.
@@ -30966,7 +33158,7 @@ kernel
-
+Calculate the context for relabeling objects.
@@ -31189,7 +33381,7 @@ kernel
-Allow caller to set selinux security parameters.
+Allow caller to set SELinux access vector cache parameters.
@@ -31215,7 +33407,7 @@ kernel
-Unconfined access to the SELinux security server.
+Unconfined access to the SELinux kernel security server.
@@ -31265,6 +33457,12 @@ services
)
+
+
+Domain transition to sendmail.
+
+
+
@@ -31311,6 +33509,12 @@ system
)
+
+
+Execute checkpolicy in the checkpolicy domain.
+
+
+
@@ -31331,6 +33535,12 @@ system
)
+
+
+Execute load_policy in the load_policy domain.
+
+
+
@@ -31351,6 +33561,12 @@ system
)
+
+
+Execute newrole in the load_policy domain.
+
+
+
@@ -31371,6 +33587,12 @@ system
)
+
+
+Execute restorecon in the restorecon domain.
+
+
+
@@ -31391,6 +33613,12 @@ system
)
+
+
+Execute run_init in the run_init domain.
+
+
+
@@ -31411,6 +33639,12 @@ system
)
+
+
+Execute setfiles in the setfiles domain.
+
+
+
@@ -31458,6 +33692,13 @@ system
)
+
+
+Do not audit the caller attempts to send
+a signal to newrole.
+
+
+
@@ -31816,6 +34057,12 @@ system
)
+
+
+Allow the caller to relabel a file to the binary policy type.
+
+
+
@@ -31852,6 +34099,15 @@ system
)
+
+
+Execute checkpolicy in the checkpolicy domain, and
+allow the specified role the checkpolicy domain,
+and use the caller's terminal.
+Has a SIGCHLD signal backchannel.
+
+
+
@@ -31888,6 +34144,15 @@ system
)
+
+
+Execute load_policy in the load_policy domain, and
+allow the specified role the load_policy domain,
+and use the caller's terminal.
+Has a SIGCHLD signal backchannel.
+
+
+
@@ -31924,6 +34189,14 @@ system
)
+
+
+Execute newrole in the newrole domain, and
+allow the specified role the newrole domain,
+and use the caller's terminal.
+
+
+
@@ -31960,6 +34233,14 @@ system
)
+
+
+Execute restorecon in the restorecon domain, and
+allow the specified role the restorecon domain,
+and use the caller's terminal.
+
+
+
@@ -31996,6 +34277,14 @@ system
)
+
+
+Execute run_init in the run_init domain, and
+allow the specified role the run_init domain,
+and use the caller's terminal.
+
+
+
@@ -32032,6 +34321,14 @@ system
)
+
+
+Execute setfiles in the setfiles domain, and
+allow the specified role the setfiles domain,
+and use the caller's terminal.
+
+
+
@@ -32987,6 +35284,33 @@ a tape device.
+Module:
+sysnetwork
+Layer:
+system
+
+
+sysnet_create_config(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create files in /etc with the type used for
+the network config files.
+
+
+
+
+
+
+
+
+Execute dhcp client in dhcpc domain.
+
+
+
@@ -33024,6 +35354,12 @@ system
)
+
+
+Execute ifconfig in the ifconfig domain.
+
+
+
@@ -33190,6 +35526,14 @@ system
)
+
+
+Execute ifconfig in the ifconfig domain, and
+allow the specified role the ifconfig domain,
+and use the caller's terminal.
+
+
+
@@ -33348,6 +35692,12 @@ kernel
)
+
+
+Create a pty in the /dev/pts directory.
+
+
+
@@ -33368,6 +35718,14 @@ kernel
)
+
+
+Do not audit attempts to get the
+attributes of any user pty
+device nodes.
+
+
+
@@ -33388,6 +35746,14 @@ kernel
)
+
+
+Do not audit attempts to get the
+attributes of any user tty
+device nodes.
+
+
+
@@ -33408,6 +35774,13 @@ kernel
)
+
+
+Do not audit attempts to get the attributes
+of all unallocated tty device nodes.
+
+
+
@@ -33428,6 +35801,40 @@ kernel
)
+
+
+Do not audit attempts to read the
+/dev/pts directory.
+
+
+
+
+
+
+Module:
+terminal
+Layer:
+kernel
+
+
+term_dontaudit_manage_pty_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Do not audit attempts to create, read,
+write, or delete the /dev/pts directory.
+
+
+
@@ -33448,6 +35855,13 @@ kernel
)
+
+
+Do not audit attempts to read any
+user ptys.
+
+
+
@@ -33468,6 +35882,13 @@ kernel
)
+
+
+Do not audit attempts to read or write
+any user ttys.
+
+
+
@@ -33488,6 +35909,13 @@ kernel
)
+
+
+Do not audit attemtps to read from
+or write to the console.
+
+
+
@@ -33508,6 +35936,14 @@ kernel
)
+
+
+Dot not audit attempts to read and
+write the generic pty type. This is
+generally only used in the targeted policy.
+
+
+
@@ -33528,6 +35964,13 @@ kernel
)
+
+
+Do not audit attempts to read and
+write the pty multiplexor (/dev/ptmx).
+
+
+
@@ -33548,6 +35991,13 @@ kernel
)
+
+
+Do not audit attempts to read or
+write unallocated ttys.
+
+
+
@@ -33568,6 +36018,13 @@ kernel
)
+
+
+Get the attributes of all user
+pty device nodes.
+
+
+
@@ -33588,6 +36045,13 @@ kernel
)
+
+
+Get the attributes of all user tty
+device nodes.
+
+
+
@@ -33608,6 +36072,13 @@ kernel
)
+
+
+Get the attributes of all unallocated
+tty device nodes.
+
+
+
@@ -33628,6 +36099,13 @@ kernel
)
+
+
+Read the /dev/pts directory to
+list all ptys.
+
+
+
@@ -33648,6 +36126,13 @@ kernel
)
+
+
+Transform specified type into a pty type
+used by login programs, such as sshd.
+
+
+
@@ -33668,6 +36153,12 @@ kernel
)
+
+
+Transform specified type into a pty type.
+
+
+
@@ -33688,6 +36179,13 @@ kernel
)
+
+
+Relabel from and to all user
+user pty device nodes.
+
+
+
@@ -33708,6 +36206,13 @@ kernel
)
+
+
+Relabel from and to all user
+user tty device nodes.
+
+
+
@@ -33728,6 +36233,13 @@ kernel
)
+
+
+Relabel from and to the unallocated
+tty type.
+
+
+
@@ -33774,6 +36286,13 @@ kernel
)
+
+
+Relabel from all user tty types to
+the unallocated tty type.
+
+
+
@@ -33821,6 +36340,13 @@ kernel
)
+
+
+Set the attributes of all user tty
+device nodes.
+
+
+
@@ -33841,6 +36367,13 @@ kernel
)
+
+
+Set the attributes of the console
+device node.
+
+
+
@@ -33861,6 +36394,13 @@ kernel
)
+
+
+Set the attributes of all unallocated
+tty device nodes.
+
+
+
@@ -33881,6 +36421,12 @@ kernel
)
+
+
+Transform specified type into a tty type.
+
+
+
@@ -33901,6 +36447,13 @@ kernel
)
+
+
+Read and write the console, all
+ttys and all ptys.
+
+
+
@@ -33921,6 +36474,12 @@ kernel
)
+
+
+Read and write all user ptys.
+
+
+
@@ -33941,6 +36500,12 @@ kernel
)
+
+
+Read and write all user to all user ttys.
+
+
+
@@ -33961,6 +36526,12 @@ kernel
)
+
+
+Read from and write to the console.
+
+
+
@@ -33981,6 +36552,13 @@ kernel
)
+
+
+Read and write the controlling
+terminal (/dev/tty).
+
+
+
@@ -34001,6 +36579,14 @@ kernel
)
+
+
+Read and write the generic pty
+type. This is generally only used in
+the targeted policy.
+
+
+
@@ -34021,6 +36607,12 @@ kernel
)
+
+
+Read and write unallocated ttys.
+
+
+
@@ -34049,6 +36641,14 @@ kernel
)
+
+
+Transform specified type into an user
+pty type. This allows it to be relabeled via
+type change by login programs such as ssh.
+
+
+
@@ -34069,6 +36669,12 @@ kernel
)
+
+
+Write to all user ttys.
+
+
+
@@ -34089,6 +36695,12 @@ kernel
)
+
+
+Write to the console.
+
+
+
@@ -34109,6 +36721,38 @@ kernel
)
+
+
+Write to unallocated ttys.
+
+
+
+
+
+
+Module:
+tmpreaper
+Layer:
+admin
+
+
+tmpreaper_exec(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute tmpreaper in the caller domain.
+
+
+
@@ -34329,6 +36973,12 @@ system
)
+
+
+Execute specified programs in the unconfined domain.
+
+
+
@@ -34436,6 +37086,98 @@ Inherit file descriptors from the unconfined domain.
+Module:
+updfstab
+Layer:
+admin
+
+
+updfstab_domtrans(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Execute updfstab in the updfstab domain.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_create_user_home(
+
+
+
+
+ domain
+
+
+
+ ,
+
+
+
+ [
+
+ object_class
+
+ ]
+
+
+ )
+
+
+
+
+Create objects in generic user home directories
+with automatic file type transition.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_create_user_home_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create generic user home directories
+with automatic file type transition.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_dir(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete
+generic user home directories.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_dirs(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete
+subdirectories of generic user
+home directories.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_files(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete files
+in generic user home directories.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_pipes(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete named
+pipes in generic user home directories.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_sockets(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete named
+sockets in generic user home directories.
+
+
+
+
+
+
+Module:
+userdomain
+Layer:
+system
+
+
+userdom_manage_user_home_symlinks(
+
+
+
+
+ domain
+
+
+ )
+
+
+
+
+Create, read, write, and delete symbolic
+links in generic user home directories.
+
+
+
+
+
+
+
+
+Execute chfn in the chfn domain.
+
+
+
@@ -35183,6 +38094,12 @@ admin
)
+
+
+Execute groupadd in the groupadd domain.
+
+
+
@@ -35203,6 +38120,12 @@ admin
)
+
+
+Execute passwd in the passwd domain.
+
+
+
@@ -35223,6 +38146,12 @@ admin
)
+
+
+Execute useradd in the useradd domain.
+
+
+
@@ -35285,6 +38214,13 @@ admin
)
+
+
+Execute chfn in the chfn domain, and
+allow the specified role the chfn domain.
+
+
+
@@ -35321,6 +38257,13 @@ admin
)
+
+
+Execute groupadd in the groupadd domain, and
+allow the specified role the groupadd domain.
+
+
+
@@ -35357,6 +38300,13 @@ admin
)
+
+
+Execute passwd in the passwd domain, and
+allow the specified role the passwd domain.
+
+
+
@@ -35393,6 +38343,13 @@ admin
)
+
+
+Execute useradd in the useradd domain, and
+allow the specified role the useradd domain.
+
+
+
diff --git a/www/api-docs/kernel_devices.html b/www/api-docs/kernel_devices.html
index 9a03722..77945a0 100644
--- a/www/api-docs/kernel_devices.html
+++ b/www/api-docs/kernel_devices.html
@@ -106,6 +106,8 @@ Additionally, this module controls access to three things:
+This module is required to be included in all policies.
+
diff --git a/www/api-docs/kernel_kernel.html b/www/api-docs/kernel_kernel.html
index 2c9989b..e831885 100644
--- a/www/api-docs/kernel_kernel.html
+++ b/www/api-docs/kernel_kernel.html
@@ -518,6 +518,48 @@ No
+