authorJason Zaman <perfinion@gentoo.org>2021-11-11 17:49:54 -0800
committerJason Zaman <perfinion@gentoo.org>2021-11-11 17:53:00 -0800
commit5a4ed49eb12296e154d860f3c724c487a182e682 (patch)
tree4d4d5b474597f9af84e12d76dac0c1c831bf217a
parentmodutils.fc: Added Gentoo specific modules_conf_t paths. (diff)
Update generated policy and doc files
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--doc/policy.xml5422
-rw-r--r--policy/booleans.conf106
-rw-r--r--policy/modules.conf168
3 files changed, 2512 insertions, 3184 deletions
diff --git a/doc/policy.xml b/doc/policy.xml
index 3c0809a4..12758be9 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -659,88 +659,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="bcfg2" filename="policy/modules/admin/bcfg2.if">
-<summary>configuration management suite.</summary>
-<interface name="bcfg2_domtrans" lineno="13">
-<summary>
-Execute bcfg2 in the bcfg2 domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_initrc_domtrans" lineno="32">
-<summary>
-Execute bcfg2 server in the bcfg2 domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_search_lib" lineno="50">
-<summary>
-Search bcfg2 lib directories.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_read_lib_files" lineno="69">
-<summary>
-Read bcfg2 lib files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_manage_lib_files" lineno="89">
-<summary>
-Create, read, write, and delete
-bcfg2 lib files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_manage_lib_dirs" lineno="109">
-<summary>
-Create, read, write, and delete
-bcfg2 lib directories.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="bcfg2_admin" lineno="135">
-<summary>
-All of the rules required to
-administrate an bcfg2 environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="blueman" filename="policy/modules/admin/blueman.if">
<summary>Tool to manage Bluetooth devices.</summary>
<interface name="blueman_domtrans" lineno="13">
@@ -1064,37 +982,6 @@ Domain allowed access.
<rolecap/>
</interface>
</module>
-<module name="ddcprobe" filename="policy/modules/admin/ddcprobe.if">
-<summary>ddcprobe retrieves monitor and graphics card information.</summary>
-<interface name="ddcprobe_domtrans" lineno="13">
-<summary>
-Execute ddcprobe in the ddcprobe domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ddcprobe_run" lineno="40">
-<summary>
-Execute ddcprobe in the ddcprobe
-domain, and allow the specified
-role the ddcprobe domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="dmesg" filename="policy/modules/admin/dmesg.if">
<summary>Policy for dmesg.</summary>
<interface name="dmesg_domtrans" lineno="13">
@@ -1650,7 +1537,7 @@ Role allowed access.
</module>
<module name="kismet" filename="policy/modules/admin/kismet.if">
<summary>IEEE 802.11 wireless LAN sniffer.</summary>
-<template name="kismet_role" lineno="18">
+<interface name="kismet_role" lineno="18">
<summary>
Role access for kismet.
</summary>
@@ -1664,7 +1551,7 @@ Role allowed access.
User domain for the role.
</summary>
</param>
-</template>
+</interface>
<interface name="kismet_domtrans" lineno="51">
<summary>
Execute a domain transition to run kismet.
@@ -1896,6 +1783,14 @@ Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="logrotate_manage_audit_log" dftval="false">
+<desc>
+<p>
+Determine whether logrotate can manage
+audit log files
+</p>
+</desc>
+</tunable>
</module>
<module name="logwatch" filename="policy/modules/admin/logwatch.if">
<summary>System log analyzer and reporter.</summary>
@@ -2189,7 +2084,33 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_domtrans_traceroute" lineno="225">
+<interface name="netutils_domtrans_ss" lineno="225">
+<summary>
+Execute a domain transition to run ss.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="netutils_run_ss" lineno="250">
+<summary>
+Execute ss in the ss domain, and
+allow the specified role the ss domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="netutils_domtrans_traceroute" lineno="269">
<summary>
Execute traceroute in the traceroute domain.
</summary>
@@ -2199,7 +2120,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="netutils_run_traceroute" lineno="251">
+<interface name="netutils_run_traceroute" lineno="295">
<summary>
Execute traceroute in the traceroute domain, and
allow the specified role the traceroute domain.
@@ -2216,7 +2137,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="netutils_run_traceroute_cond" lineno="277">
+<interface name="netutils_run_traceroute_cond" lineno="321">
<summary>
Conditionally execute traceroute in the traceroute domain, and
allow the specified role the traceroute domain.
@@ -2233,7 +2154,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="netutils_exec_traceroute" lineno="300">
+<interface name="netutils_exec_traceroute" lineno="344">
<summary>
Execute traceroute in the caller domain.
</summary>
@@ -3791,7 +3712,7 @@ The user domain associated with the role.
</summary>
</param>
</template>
-<interface name="sudo_sigchld" lineno="190">
+<interface name="sudo_sigchld" lineno="195">
<summary>
Send a SIGCHLD signal to the sudo domain.
</summary>
@@ -4551,7 +4472,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="chromium_tmp_filetrans" lineno="96">
+<interface name="chromium_tmp_filetrans" lineno="101">
<summary>
Automatically use the specified type for resources created in chromium's
temporary locations
@@ -4561,6 +4482,11 @@ temporary locations
Domain that creates the resource(s)
</summary>
</param>
+<param name="private_type">
+<summary>
+Private file type.
+</summary>
+</param>
<param name="class">
<summary>
Type of the resource created
@@ -4572,7 +4498,7 @@ The name of the resource being created
</summary>
</param>
</interface>
-<interface name="chromium_domtrans" lineno="115">
+<interface name="chromium_domtrans" lineno="120">
<summary>
Execute a domain transition to the chromium domain (chromium_t)
</summary>
@@ -4582,7 +4508,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="chromium_run" lineno="141">
+<interface name="chromium_run" lineno="146">
<summary>
Execute chromium in the chromium domain and allow the specified role to access the chromium domain
</summary>
@@ -5312,25 +5238,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_dbus_chat_gconfd" lineno="646">
+<interface name="gnome_dbus_chat_gconfd" lineno="640">
<summary>
Send and receive messages from
gnome configuration daemon over
dbus.
</summary>
-<param name="role_prefix">
-<summary>
-The prefix of the user domain (e.g., user
-is the prefix for user_t).
-</summary>
-</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_dbus_chat_gkeyringd" lineno="673">
+<template name="gnome_dbus_chat_gkeyringd" lineno="667">
<summary>
Send and receive messages from
gnome keyring daemon over dbus.
@@ -5346,8 +5266,8 @@ is the prefix for user_t).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="gnome_dbus_chat_all_gkeyringd" lineno="694">
+</template>
+<interface name="gnome_dbus_chat_all_gkeyringd" lineno="688">
<summary>
Send and receive messages from all
gnome keyring daemon over dbus.
@@ -5358,7 +5278,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_spec_domtrans_all_gkeyringd" lineno="714">
+<interface name="gnome_spec_domtrans_all_gkeyringd" lineno="708">
<summary>
Run all gkeyringd in gkeyringd domain.
</summary>
@@ -5368,7 +5288,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="gnome_stream_connect_gkeyringd" lineno="741">
+<template name="gnome_stream_connect_gkeyringd" lineno="735">
<summary>
Connect to gnome keyring daemon
with a unix stream socket.
@@ -5384,8 +5304,8 @@ is the prefix for user_t).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="gnome_stream_connect_all_gkeyringd" lineno="762">
+</template>
+<interface name="gnome_stream_connect_all_gkeyringd" lineno="756">
<summary>
Connect to all gnome keyring daemon
with a unix stream socket.
@@ -5396,7 +5316,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_manage_gstreamer_orcexec" lineno="784">
+<interface name="gnome_manage_gstreamer_orcexec" lineno="778">
<summary>
Manage gstreamer ORC optimized
code.
@@ -5407,7 +5327,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_mmap_gstreamer_orcexec" lineno="803">
+<interface name="gnome_mmap_gstreamer_orcexec" lineno="797">
<summary>
Mmap gstreamer ORC optimized
code.
@@ -5542,7 +5462,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gpg_agent_tmp_filetrans" lineno="250">
+<interface name="gpg_agent_tmp_filetrans" lineno="266">
<summary>
filetrans in gpg_agent_tmp_t dirs
</summary>
@@ -5551,8 +5471,24 @@ filetrans in gpg_agent_tmp_t dirs
Domain allowed access.
</summary>
</param>
+<param name="file_type">
+<summary>
+Type to which the created node will be transitioned.
+</summary>
+</param>
+<param name="class">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="gpg_runtime_filetrans" lineno="269">
+<interface name="gpg_runtime_filetrans" lineno="301">
<summary>
filetrans in gpg_runtime_t dirs
</summary>
@@ -5561,8 +5497,24 @@ filetrans in gpg_runtime_t dirs
Domain allowed access.
</summary>
</param>
+<param name="file_type">
+<summary>
+Type to which the created node will be transitioned.
+</summary>
+</param>
+<param name="class">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="gpg_secret_filetrans" lineno="288">
+<interface name="gpg_secret_filetrans" lineno="336">
<summary>
filetrans in gpg_secret_t dirs
</summary>
@@ -5571,8 +5523,24 @@ filetrans in gpg_secret_t dirs
Domain allowed access.
</summary>
</param>
+<param name="file_type">
+<summary>
+Type to which the created node will be transitioned.
+</summary>
+</param>
+<param name="class">
+<summary>
+Object class(es) (single or set including {}) for which this
+the transition will occur.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="gpg_pinentry_dbus_chat" lineno="309">
+<interface name="gpg_pinentry_dbus_chat" lineno="357">
<summary>
Send messages to and from gpg
pinentry over DBUS.
@@ -5583,7 +5551,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gpg_list_user_secrets" lineno="329">
+<interface name="gpg_list_user_secrets" lineno="377">
<summary>
List gpg user secrets.
</summary>
@@ -6104,24 +6072,6 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="lockdev" filename="policy/modules/apps/lockdev.if">
-<summary>Library for locking devices.</summary>
-<interface name="lockdev_role" lineno="18">
-<summary>
-Role access for lockdev.
-</summary>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<param name="domain">
-<summary>
-User domain for the role.
-</summary>
-</param>
-</interface>
-</module>
<module name="man2html" filename="policy/modules/apps/man2html.if">
<summary>A Unix manpage-to-HTML converter.</summary>
<tunable name="allow_httpd_man2html_script_anon_write" dftval="false">
@@ -7143,7 +7093,7 @@ Domain prefix to be used.
</summary>
</param>
</template>
-<template name="qemu_role" lineno="112">
+<interface name="qemu_role" lineno="112">
<summary>
Role access for qemu.
</summary>
@@ -7157,7 +7107,7 @@ Role allowed access.
User domain for the role.
</summary>
</param>
-</template>
+</interface>
<interface name="qemu_domtrans" lineno="133">
<summary>
Execute a domain transition to run qemu.
@@ -7438,6 +7388,16 @@ The type of the user domain.
</summary>
</param>
</template>
+<interface name="screen_execute_sock_file" lineno="103">
+<summary>
+Execute the screen runtime sock file.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
</module>
<module name="seunshare" filename="policy/modules/apps/seunshare.if">
<summary>Filesystem namespacing/polyinstantiation application.</summary>
@@ -8240,7 +8200,7 @@ The type of the user domain.
</summary>
</param>
</template>
-<interface name="wm_exec" lineno="116">
+<interface name="wm_exec" lineno="117">
<summary>
Execute wm in the caller domain.
</summary>
@@ -8250,7 +8210,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="wm_dbus_chat" lineno="142">
+<template name="wm_dbus_chat" lineno="143">
<summary>
Send and receive messages from
specified wm over dbus.
@@ -8266,8 +8226,8 @@ is the prefix for user_t).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="wm_dontaudit_exec_tmp_files" lineno="163">
+</template>
+<interface name="wm_dontaudit_exec_tmp_files" lineno="164">
<summary>
Do not audit attempts to execute
files in temporary directories.
@@ -8278,7 +8238,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="wm_dontaudit_exec_tmpfs_files" lineno="182">
+<interface name="wm_dontaudit_exec_tmpfs_files" lineno="183">
<summary>
Do not audit attempts to execute
files in temporary filesystems.
@@ -8289,7 +8249,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="wm_application_domain" lineno="225">
+<interface name="wm_application_domain" lineno="226">
<summary>
Create a domain for applications
that are launched by the window
@@ -8324,7 +8284,7 @@ Type to be used as the source window manager domain.
</param>
<infoflow type="none"/>
</interface>
-<interface name="wm_write_pipes" lineno="250">
+<template name="wm_write_pipes" lineno="251">
<summary>
Write wm unnamed pipes.
</summary>
@@ -8339,7 +8299,7 @@ is the prefix for user_t).
Domain allowed access.
</summary>
</param>
-</interface>
+</template>
</module>
<module name="xscreensaver" filename="policy/modules/apps/xscreensaver.if">
<summary>Modular screen saver and locker for X11.</summary>
@@ -9185,6 +9145,13 @@ Allow phpfpm to use LDAP services
</p>
</desc>
</tunable>
+<tunable name="phpfpm_send_syslog_msg" dftval="false">
+<desc>
+<p>
+Allow phpfpm to send syslog messages
+</p>
+</desc>
+</tunable>
</module>
<module name="resolvconf" filename="policy/modules/contrib/resolvconf.if">
<summary>OpenResolv network configuration management</summary>
@@ -73381,7 +73348,7 @@ will be transitioned to the type provided.
Domain allowed access.
</summary>
</param>
-<param name="file">
+<param name="file_type">
<summary>
Type to which the created node will be transitioned.
</summary>
@@ -74718,7 +74685,18 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_delete_null" lineno="3404">
+<interface name="dev_dontaudit_setattr_null_dev" lineno="3405">
+<summary>
+Do not audit attempts to set the attributes of
+the null device nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_delete_null" lineno="3423">
<summary>
Delete the null device (/dev/null).
</summary>
@@ -74728,7 +74706,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_null" lineno="3422">
+<interface name="dev_rw_null" lineno="3441">
<summary>
Read and write to the null device (/dev/null).
</summary>
@@ -74738,7 +74716,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_create_null_dev" lineno="3440">
+<interface name="dev_create_null_dev" lineno="3459">
<summary>
Create the null device (/dev/null).
</summary>
@@ -74748,7 +74726,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_manage_null_service" lineno="3459">
+<interface name="dev_manage_null_service" lineno="3478">
<summary>
Manage services with script type null_device_t for when
/lib/systemd/system/something.service is a link to /dev/null
@@ -74759,7 +74737,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3479">
+<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3498">
<summary>
Do not audit attempts to get the attributes
of the BIOS non-volatile RAM device.
@@ -74770,7 +74748,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_rw_nvram" lineno="3497">
+<interface name="dev_rw_nvram" lineno="3516">
<summary>
Read and write BIOS non-volatile RAM.
</summary>
@@ -74780,7 +74758,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_printer_dev" lineno="3515">
+<interface name="dev_getattr_printer_dev" lineno="3534">
<summary>
Get the attributes of the printer device nodes.
</summary>
@@ -74790,7 +74768,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_printer_dev" lineno="3533">
+<interface name="dev_setattr_printer_dev" lineno="3552">
<summary>
Set the attributes of the printer device nodes.
</summary>
@@ -74800,7 +74778,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_append_printer" lineno="3552">
+<interface name="dev_append_printer" lineno="3571">
<summary>
Append the printer device.
</summary>
@@ -74810,7 +74788,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_printer" lineno="3570">
+<interface name="dev_rw_printer" lineno="3589">
<summary>
Read and write the printer device.
</summary>
@@ -74820,7 +74798,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_pmqos_dev" lineno="3588">
+<interface name="dev_getattr_pmqos_dev" lineno="3607">
<summary>
Get the attributes of PM QoS devices
</summary>
@@ -74830,7 +74808,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_pmqos" lineno="3606">
+<interface name="dev_read_pmqos" lineno="3625">
<summary>
Read the PM QoS devices.
</summary>
@@ -74840,7 +74818,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_pmqos" lineno="3624">
+<interface name="dev_rw_pmqos" lineno="3643">
<summary>
Read and write the the PM QoS devices.
</summary>
@@ -74850,7 +74828,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_qemu_dev" lineno="3643">
+<interface name="dev_getattr_qemu_dev" lineno="3662">
<summary>
Get the attributes of the QEMU
microcode and id interfaces.
@@ -74861,7 +74839,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_qemu_dev" lineno="3662">
+<interface name="dev_setattr_qemu_dev" lineno="3681">
<summary>
Set the attributes of the QEMU
microcode and id interfaces.
@@ -74872,7 +74850,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_qemu" lineno="3680">
+<interface name="dev_read_qemu" lineno="3699">
<summary>
Read the QEMU device
</summary>
@@ -74882,7 +74860,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_qemu" lineno="3698">
+<interface name="dev_rw_qemu" lineno="3717">
<summary>
Read and write the the QEMU device.
</summary>
@@ -74892,7 +74870,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_rand" lineno="3732">
+<interface name="dev_read_rand" lineno="3751">
<summary>
Read from random number generator
devices (e.g., /dev/random).
@@ -74918,7 +74896,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="dev_dontaudit_read_rand" lineno="3751">
+<interface name="dev_dontaudit_read_rand" lineno="3770">
<summary>
Do not audit attempts to read from random
number generator devices (e.g., /dev/random)
@@ -74929,7 +74907,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_append_rand" lineno="3770">
+<interface name="dev_dontaudit_append_rand" lineno="3789">
<summary>
Do not audit attempts to append to random
number generator devices (e.g., /dev/random)
@@ -74940,7 +74918,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_write_rand" lineno="3790">
+<interface name="dev_write_rand" lineno="3809">
<summary>
Write to the random device (e.g., /dev/random). This adds
entropy used to generate the random data read from the
@@ -74952,7 +74930,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_create_rand_dev" lineno="3808">
+<interface name="dev_create_rand_dev" lineno="3827">
<summary>
Create the random device (/dev/random).
</summary>
@@ -74962,7 +74940,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_realtime_clock" lineno="3826">
+<interface name="dev_read_realtime_clock" lineno="3845">
<summary>
Read the realtime clock (/dev/rtc).
</summary>
@@ -74972,7 +74950,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_realtime_clock" lineno="3844">
+<interface name="dev_write_realtime_clock" lineno="3863">
<summary>
Set the realtime clock (/dev/rtc).
</summary>
@@ -74982,7 +74960,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_realtime_clock" lineno="3864">
+<interface name="dev_rw_realtime_clock" lineno="3883">
<summary>
Read and set the realtime clock (/dev/rtc).
</summary>
@@ -74992,7 +74970,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_scanner_dev" lineno="3879">
+<interface name="dev_getattr_scanner_dev" lineno="3898">
<summary>
Get the attributes of the scanner device.
</summary>
@@ -75002,7 +74980,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3898">
+<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3917">
<summary>
Do not audit attempts to get the attributes of
the scanner device.
@@ -75013,7 +74991,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_setattr_scanner_dev" lineno="3916">
+<interface name="dev_setattr_scanner_dev" lineno="3935">
<summary>
Set the attributes of the scanner device.
</summary>
@@ -75023,7 +75001,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3935">
+<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3954">
<summary>
Do not audit attempts to set the attributes of
the scanner device.
@@ -75034,7 +75012,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_rw_scanner" lineno="3953">
+<interface name="dev_rw_scanner" lineno="3972">
<summary>
Read and write the scanner device.
</summary>
@@ -75044,7 +75022,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_sound_dev" lineno="3971">
+<interface name="dev_getattr_sound_dev" lineno="3990">
<summary>
Get the attributes of the sound devices.
</summary>
@@ -75054,7 +75032,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_sound_dev" lineno="3989">
+<interface name="dev_setattr_sound_dev" lineno="4008">
<summary>
Set the attributes of the sound devices.
</summary>
@@ -75064,7 +75042,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_sound" lineno="4007">
+<interface name="dev_read_sound" lineno="4026">
<summary>
Read the sound devices.
</summary>
@@ -75074,7 +75052,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_sound" lineno="4026">
+<interface name="dev_write_sound" lineno="4045">
<summary>
Write the sound devices.
</summary>
@@ -75084,7 +75062,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_sound_mixer" lineno="4045">
+<interface name="dev_read_sound_mixer" lineno="4064">
<summary>
Read the sound mixer devices.
</summary>
@@ -75094,7 +75072,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_sound_mixer" lineno="4064">
+<interface name="dev_write_sound_mixer" lineno="4083">
<summary>
Write the sound mixer devices.
</summary>
@@ -75104,7 +75082,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_power_mgmt_dev" lineno="4083">
+<interface name="dev_getattr_power_mgmt_dev" lineno="4102">
<summary>
Get the attributes of the the power management device.
</summary>
@@ -75114,7 +75092,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_power_mgmt_dev" lineno="4101">
+<interface name="dev_setattr_power_mgmt_dev" lineno="4120">
<summary>
Set the attributes of the the power management device.
</summary>
@@ -75124,7 +75102,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_power_management" lineno="4119">
+<interface name="dev_rw_power_management" lineno="4138">
<summary>
Read and write the the power management device.
</summary>
@@ -75134,7 +75112,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_smartcard_dev" lineno="4137">
+<interface name="dev_getattr_smartcard_dev" lineno="4156">
<summary>
Getattr on smartcard devices
</summary>
@@ -75144,7 +75122,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4156">
+<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4175">
<summary>
dontaudit getattr on smartcard devices
</summary>
@@ -75154,7 +75132,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_rw_smartcard" lineno="4175">
+<interface name="dev_rw_smartcard" lineno="4194">
<summary>
Read and write smartcard devices.
</summary>
@@ -75164,7 +75142,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_manage_smartcard" lineno="4193">
+<interface name="dev_manage_smartcard" lineno="4212">
<summary>
Create, read, write, and delete smartcard devices.
</summary>
@@ -75174,7 +75152,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_sysdig" lineno="4211">
+<interface name="dev_rw_sysdig" lineno="4230">
<summary>
Read, write and map the sysdig device.
</summary>
@@ -75184,7 +75162,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_mounton_sysfs" lineno="4230">
+<interface name="dev_mounton_sysfs" lineno="4249">
<summary>
Mount a filesystem on sysfs.
</summary>
@@ -75194,7 +75172,7 @@ Domain allow access.
</summary>
</param>
</interface>
-<interface name="dev_associate_sysfs" lineno="4248">
+<interface name="dev_associate_sysfs" lineno="4267">
<summary>
Associate a file to a sysfs filesystem.
</summary>
@@ -75204,7 +75182,7 @@ The type of the file to be associated to sysfs.
</summary>
</param>
</interface>
-<interface name="dev_getattr_sysfs_dirs" lineno="4266">
+<interface name="dev_getattr_sysfs_dirs" lineno="4285">
<summary>
Get the attributes of sysfs directories.
</summary>
@@ -75214,7 +75192,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_sysfs" lineno="4284">
+<interface name="dev_getattr_sysfs" lineno="4303">
<summary>
Get the attributes of sysfs filesystem
</summary>
@@ -75224,7 +75202,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_mount_sysfs" lineno="4302">
+<interface name="dev_mount_sysfs" lineno="4321">
<summary>
mount a sysfs filesystem
</summary>
@@ -75234,7 +75212,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_sysfs" lineno="4320">
+<interface name="dev_dontaudit_getattr_sysfs" lineno="4339">
<summary>
Do not audit getting the attributes of sysfs filesystem
</summary>
@@ -75244,7 +75222,7 @@ Domain to dontaudit access from
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_read_sysfs" lineno="4338">
+<interface name="dev_dontaudit_read_sysfs" lineno="4357">
<summary>
Dont audit attempts to read hardware state information
</summary>
@@ -75254,7 +75232,7 @@ Domain for which the attempts do not need to be audited
</summary>
</param>
</interface>
-<interface name="dev_mounton_sysfs_dirs" lineno="4358">
+<interface name="dev_mounton_sysfs_dirs" lineno="4377">
<summary>
mounton sysfs directories.
</summary>
@@ -75264,7 +75242,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_search_sysfs" lineno="4376">
+<interface name="dev_search_sysfs" lineno="4395">
<summary>
Search the sysfs directories.
</summary>
@@ -75274,7 +75252,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_search_sysfs" lineno="4394">
+<interface name="dev_dontaudit_search_sysfs" lineno="4413">
<summary>
Do not audit attempts to search sysfs.
</summary>
@@ -75284,7 +75262,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_list_sysfs" lineno="4412">
+<interface name="dev_list_sysfs" lineno="4431">
<summary>
List the contents of the sysfs directories.
</summary>
@@ -75294,7 +75272,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_sysfs_dirs" lineno="4431">
+<interface name="dev_write_sysfs_dirs" lineno="4450">
<summary>
Write in a sysfs directories.
</summary>
@@ -75304,7 +75282,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4449">
+<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4468">
<summary>
Do not audit attempts to write in a sysfs directory.
</summary>
@@ -75314,7 +75292,17 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_manage_sysfs_dirs" lineno="4468">
+<interface name="dev_dontaudit_write_sysfs_files" lineno="4486">
+<summary>
+Do not audit attempts to write to a sysfs file.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="dev_manage_sysfs_dirs" lineno="4505">
<summary>
Create, read, write, and delete sysfs
directories.
@@ -75325,7 +75313,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_sysfs" lineno="4495">
+<interface name="dev_read_sysfs" lineno="4532">
<summary>
Read hardware state information.
</summary>
@@ -75344,7 +75332,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="dev_write_sysfs" lineno="4523">
+<interface name="dev_write_sysfs" lineno="4560">
<summary>
Write to hardware state information.
</summary>
@@ -75361,7 +75349,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="dev_rw_sysfs" lineno="4542">
+<interface name="dev_rw_sysfs" lineno="4579">
<summary>
Allow caller to modify hardware state information.
</summary>
@@ -75371,7 +75359,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_create_sysfs_files" lineno="4563">
+<interface name="dev_create_sysfs_files" lineno="4600">
<summary>
Add a sysfs file
</summary>
@@ -75381,7 +75369,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_relabel_sysfs_dirs" lineno="4581">
+<interface name="dev_relabel_sysfs_dirs" lineno="4618">
<summary>
Relabel hardware state directories.
</summary>
@@ -75391,7 +75379,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_relabel_all_sysfs" lineno="4599">
+<interface name="dev_relabel_all_sysfs" lineno="4636">
<summary>
Relabel from/to all sysfs types.
</summary>
@@ -75401,7 +75389,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_all_sysfs" lineno="4619">
+<interface name="dev_setattr_all_sysfs" lineno="4656">
<summary>
Set the attributes of sysfs files, directories and symlinks.
</summary>
@@ -75411,7 +75399,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_tpm" lineno="4639">
+<interface name="dev_rw_tpm" lineno="4676">
<summary>
Read and write the TPM device.
</summary>
@@ -75421,7 +75409,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_urand" lineno="4680">
+<interface name="dev_read_urand" lineno="4717">
<summary>
Read from pseudo random number generator devices (e.g., /dev/urandom).
</summary>
@@ -75454,7 +75442,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="dev_dontaudit_read_urand" lineno="4699">
+<interface name="dev_dontaudit_read_urand" lineno="4736">
<summary>
Do not audit attempts to read from pseudo
random devices (e.g., /dev/urandom)
@@ -75465,7 +75453,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_write_urand" lineno="4718">
+<interface name="dev_write_urand" lineno="4755">
<summary>
Write to the pseudo random device (e.g., /dev/urandom). This
sets the random number generator seed.
@@ -75476,7 +75464,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_create_urand_dev" lineno="4736">
+<interface name="dev_create_urand_dev" lineno="4773">
<summary>
Create the urandom device (/dev/urandom).
</summary>
@@ -75486,7 +75474,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_generic_usb_dev" lineno="4754">
+<interface name="dev_getattr_generic_usb_dev" lineno="4791">
<summary>
Getattr generic the USB devices.
</summary>
@@ -75496,7 +75484,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_generic_usb_dev" lineno="4772">
+<interface name="dev_setattr_generic_usb_dev" lineno="4809">
<summary>
Setattr generic the USB devices.
</summary>
@@ -75506,7 +75494,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_generic_usb_dev" lineno="4790">
+<interface name="dev_read_generic_usb_dev" lineno="4827">
<summary>
Read generic the USB devices.
</summary>
@@ -75516,7 +75504,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_generic_usb_dev" lineno="4808">
+<interface name="dev_rw_generic_usb_dev" lineno="4845">
<summary>
Read and write generic the USB devices.
</summary>
@@ -75526,7 +75514,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_relabel_generic_usb_dev" lineno="4826">
+<interface name="dev_relabel_generic_usb_dev" lineno="4863">
<summary>
Relabel generic the USB devices.
</summary>
@@ -75536,7 +75524,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_usbmon_dev" lineno="4844">
+<interface name="dev_read_usbmon_dev" lineno="4881">
<summary>
Read USB monitor devices.
</summary>
@@ -75546,7 +75534,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_usbmon_dev" lineno="4862">
+<interface name="dev_write_usbmon_dev" lineno="4899">
<summary>
Write USB monitor devices.
</summary>
@@ -75556,7 +75544,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_mount_usbfs" lineno="4880">
+<interface name="dev_mount_usbfs" lineno="4917">
<summary>
Mount a usbfs filesystem.
</summary>
@@ -75566,7 +75554,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_associate_usbfs" lineno="4898">
+<interface name="dev_associate_usbfs" lineno="4935">
<summary>
Associate a file to a usbfs filesystem.
</summary>
@@ -75576,7 +75564,7 @@ The type of the file to be associated to usbfs.
</summary>
</param>
</interface>
-<interface name="dev_getattr_usbfs_dirs" lineno="4916">
+<interface name="dev_getattr_usbfs_dirs" lineno="4953">
<summary>
Get the attributes of a directory in the usb filesystem.
</summary>
@@ -75586,7 +75574,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="4935">
+<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="4972">
<summary>
Do not audit attempts to get the attributes
of a directory in the usb filesystem.
@@ -75597,7 +75585,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_search_usbfs" lineno="4953">
+<interface name="dev_search_usbfs" lineno="4990">
<summary>
Search the directory containing USB hardware information.
</summary>
@@ -75607,7 +75595,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_list_usbfs" lineno="4971">
+<interface name="dev_list_usbfs" lineno="5008">
<summary>
Allow caller to get a list of usb hardware.
</summary>
@@ -75617,7 +75605,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_usbfs_files" lineno="4992">
+<interface name="dev_setattr_usbfs_files" lineno="5029">
<summary>
Set the attributes of usbfs filesystem.
</summary>
@@ -75627,7 +75615,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_usbfs" lineno="5012">
+<interface name="dev_read_usbfs" lineno="5049">
<summary>
Read USB hardware information using
the usbfs filesystem interface.
@@ -75638,7 +75626,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_usbfs" lineno="5032">
+<interface name="dev_rw_usbfs" lineno="5069">
<summary>
Allow caller to modify usb hardware configuration files.
</summary>
@@ -75648,7 +75636,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_getattr_video_dev" lineno="5052">
+<interface name="dev_getattr_video_dev" lineno="5089">
<summary>
Get the attributes of video4linux devices.
</summary>
@@ -75658,7 +75646,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_userio_dev" lineno="5070">
+<interface name="dev_rw_userio_dev" lineno="5107">
<summary>
Read and write userio device.
</summary>
@@ -75668,7 +75656,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_getattr_video_dev" lineno="5089">
+<interface name="dev_dontaudit_getattr_video_dev" lineno="5126">
<summary>
Do not audit attempts to get the attributes
of video4linux device nodes.
@@ -75679,7 +75667,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_setattr_video_dev" lineno="5107">
+<interface name="dev_setattr_video_dev" lineno="5144">
<summary>
Set the attributes of video4linux device nodes.
</summary>
@@ -75689,7 +75677,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_setattr_video_dev" lineno="5126">
+<interface name="dev_dontaudit_setattr_video_dev" lineno="5163">
<summary>
Do not audit attempts to set the attributes
of video4linux device nodes.
@@ -75700,7 +75688,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dev_read_video_dev" lineno="5144">
+<interface name="dev_read_video_dev" lineno="5181">
<summary>
Read the video4linux devices.
</summary>
@@ -75710,7 +75698,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_video_dev" lineno="5162">
+<interface name="dev_write_video_dev" lineno="5199">
<summary>
Write the video4linux devices.
</summary>
@@ -75720,7 +75708,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_vfio_dev" lineno="5180">
+<interface name="dev_rw_vfio_dev" lineno="5217">
<summary>
Read and write vfio devices.
</summary>
@@ -75730,7 +75718,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_relabelfrom_vfio_dev" lineno="5198">
+<interface name="dev_relabelfrom_vfio_dev" lineno="5235">
<summary>
Relabel vfio devices.
</summary>
@@ -75740,7 +75728,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_vhost" lineno="5216">
+<interface name="dev_rw_vhost" lineno="5253">
<summary>
Allow read/write the vhost devices
</summary>
@@ -75750,7 +75738,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_vmware" lineno="5234">
+<interface name="dev_rw_vmware" lineno="5271">
<summary>
Read and write VMWare devices.
</summary>
@@ -75760,7 +75748,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rwx_vmware" lineno="5252">
+<interface name="dev_rwx_vmware" lineno="5289">
<summary>
Read, write, and mmap VMWare devices.
</summary>
@@ -75770,7 +75758,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_watchdog" lineno="5271">
+<interface name="dev_read_watchdog" lineno="5308">
<summary>
Read from watchdog devices.
</summary>
@@ -75780,7 +75768,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_write_watchdog" lineno="5289">
+<interface name="dev_write_watchdog" lineno="5326">
<summary>
Write to watchdog devices.
</summary>
@@ -75790,7 +75778,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_wireless" lineno="5307">
+<interface name="dev_read_wireless" lineno="5344">
<summary>
Read the wireless device.
</summary>
@@ -75800,7 +75788,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_wireless" lineno="5325">
+<interface name="dev_rw_wireless" lineno="5362">
<summary>
Read and write the the wireless device.
</summary>
@@ -75810,7 +75798,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_manage_wireless" lineno="5343">
+<interface name="dev_manage_wireless" lineno="5380">
<summary>
manage the wireless device.
</summary>
@@ -75820,7 +75808,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_xen" lineno="5361">
+<interface name="dev_rw_xen" lineno="5398">
<summary>
Read and write Xen devices.
</summary>
@@ -75830,7 +75818,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_manage_xen" lineno="5380">
+<interface name="dev_manage_xen" lineno="5417">
<summary>
Create, read, write, and delete Xen devices.
</summary>
@@ -75840,7 +75828,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_filetrans_xen" lineno="5404">
+<interface name="dev_filetrans_xen" lineno="5441">
<summary>
Automatic type transition to the type
for xen device nodes when created in /dev.
@@ -75856,7 +75844,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="dev_getattr_xserver_misc_dev" lineno="5422">
+<interface name="dev_getattr_xserver_misc_dev" lineno="5459">
<summary>
Get the attributes of X server miscellaneous devices.
</summary>
@@ -75866,7 +75854,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_setattr_xserver_misc_dev" lineno="5440">
+<interface name="dev_setattr_xserver_misc_dev" lineno="5477">
<summary>
Set the attributes of X server miscellaneous devices.
</summary>
@@ -75876,7 +75864,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_xserver_misc" lineno="5458">
+<interface name="dev_rw_xserver_misc" lineno="5495">
<summary>
Read and write X server miscellaneous devices.
</summary>
@@ -75886,7 +75874,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_map_xserver_misc" lineno="5476">
+<interface name="dev_map_xserver_misc" lineno="5513">
<summary>
Map X server miscellaneous devices.
</summary>
@@ -75896,7 +75884,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rw_zero" lineno="5494">
+<interface name="dev_rw_zero" lineno="5531">
<summary>
Read and write to the zero device (/dev/zero).
</summary>
@@ -75906,7 +75894,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_rwx_zero" lineno="5512">
+<interface name="dev_rwx_zero" lineno="5549">
<summary>
Read, write, and execute the zero device (/dev/zero).
</summary>
@@ -75916,7 +75904,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_execmod_zero" lineno="5531">
+<interface name="dev_execmod_zero" lineno="5568">
<summary>
Execmod the zero device (/dev/zero).
</summary>
@@ -75926,7 +75914,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_create_zero_dev" lineno="5550">
+<interface name="dev_create_zero_dev" lineno="5587">
<summary>
Create the zero device (/dev/zero).
</summary>
@@ -75936,7 +75924,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_read_cpu_online" lineno="5573">
+<interface name="dev_read_cpu_online" lineno="5610">
<summary>
Read cpu online hardware state information
</summary>
@@ -75951,7 +75939,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_unconfined" lineno="5593">
+<interface name="dev_unconfined" lineno="5630">
<summary>
Unconfined access to devices.
</summary>
@@ -75961,7 +75949,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_relabel_cpu_online" lineno="5613">
+<interface name="dev_relabel_cpu_online" lineno="5650">
<summary>
Relabel cpu online hardware state information.
</summary>
@@ -75971,7 +75959,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dev_dontaudit_read_usbmon_dev" lineno="5632">
+<interface name="dev_dontaudit_read_usbmon_dev" lineno="5669">
<summary>
Dont audit attempts to read usbmon devices
</summary>
@@ -77923,7 +77911,18 @@ Domain allowed access.
</param>
</interface>
-<interface name="files_read_config_files" lineno="1624">
+<interface name="files_dontaudit_relabel_config_dirs" lineno="1625">
+<summary>
+Do not audit attempts to relabel configuration directories
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+
+</interface>
+<interface name="files_read_config_files" lineno="1643">
<summary>
Read config files in /etc.
</summary>
@@ -77933,7 +77932,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_config_files" lineno="1645">
+<interface name="files_manage_config_files" lineno="1664">
<summary>
Manage all configuration files on filesystem
</summary>
@@ -77944,7 +77943,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="files_relabel_config_files" lineno="1664">
+<interface name="files_relabel_config_files" lineno="1683">
<summary>
Relabel configuration files
</summary>
@@ -77955,7 +77954,18 @@ Domain allowed access.
</param>
</interface>
-<interface name="files_mounton_all_mountpoints" lineno="1682">
+<interface name="files_dontaudit_relabel_config_files" lineno="1702">
+<summary>
+Do not audit attempts to relabel configuration files
+</summary>
+<param name="domain">
+<summary>
+Domain not to audit.
+</summary>
+</param>
+
+</interface>
+<interface name="files_mounton_all_mountpoints" lineno="1720">
<summary>
Mount a filesystem on all mount points.
</summary>
@@ -77965,7 +77975,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_getattr_all_mountpoints" lineno="1703">
+<interface name="files_getattr_all_mountpoints" lineno="1741">
<summary>
Get the attributes of all mount points.
</summary>
@@ -77975,7 +77985,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_all_mountpoints" lineno="1721">
+<interface name="files_setattr_all_mountpoints" lineno="1759">
<summary>
Set the attributes of all mount points.
</summary>
@@ -77985,7 +77995,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1739">
+<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1777">
<summary>
Do not audit attempts to set the attributes on all mount points.
</summary>
@@ -77995,7 +78005,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_search_all_mountpoints" lineno="1757">
+<interface name="files_search_all_mountpoints" lineno="1795">
<summary>
Search all mount points.
</summary>
@@ -78005,7 +78015,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_all_mountpoints" lineno="1775">
+<interface name="files_dontaudit_search_all_mountpoints" lineno="1813">
<summary>
Do not audit searching of all mount points.
</summary>
@@ -78015,7 +78025,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_all_mountpoints" lineno="1793">
+<interface name="files_list_all_mountpoints" lineno="1831">
<summary>
List all mount points.
</summary>
@@ -78025,7 +78035,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_all_mountpoints" lineno="1811">
+<interface name="files_dontaudit_list_all_mountpoints" lineno="1849">
<summary>
Do not audit listing of all mount points.
</summary>
@@ -78035,7 +78045,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_all_mountpoints" lineno="1829">
+<interface name="files_dontaudit_write_all_mountpoints" lineno="1867">
<summary>
Do not audit attempts to write to mount points.
</summary>
@@ -78045,7 +78055,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_root" lineno="1847">
+<interface name="files_list_root" lineno="1885">
<summary>
List the contents of the root directory.
</summary>
@@ -78055,7 +78065,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_root_symlinks" lineno="1867">
+<interface name="files_delete_root_symlinks" lineno="1905">
<summary>
Delete symbolic links in the
root directory.
@@ -78066,7 +78076,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_root_dirs" lineno="1885">
+<interface name="files_dontaudit_write_root_dirs" lineno="1923">
<summary>
Do not audit attempts to write to / dirs.
</summary>
@@ -78076,7 +78086,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_rw_root_dir" lineno="1904">
+<interface name="files_dontaudit_rw_root_dir" lineno="1942">
<summary>
Do not audit attempts to write
files in the root directory.
@@ -78087,7 +78097,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_watch_root_dirs" lineno="1922">
+<interface name="files_watch_root_dirs" lineno="1960">
<summary>
Watch the root directory.
</summary>
@@ -78097,7 +78107,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_root_filetrans" lineno="1956">
+<interface name="files_root_filetrans" lineno="1994">
<summary>
Create an object in the root directory, with a private
type using a type transition.
@@ -78123,7 +78133,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_read_root_files" lineno="1975">
+<interface name="files_dontaudit_read_root_files" lineno="2013">
<summary>
Do not audit attempts to read files in
the root directory.
@@ -78134,7 +78144,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_rw_root_files" lineno="1994">
+<interface name="files_dontaudit_rw_root_files" lineno="2032">
<summary>
Do not audit attempts to read or write
files in the root directory.
@@ -78145,7 +78155,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_rw_root_chr_files" lineno="2013">
+<interface name="files_dontaudit_rw_root_chr_files" lineno="2051">
<summary>
Do not audit attempts to read or write
character device nodes in the root directory.
@@ -78156,7 +78166,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_delete_root_chr_files" lineno="2032">
+<interface name="files_delete_root_chr_files" lineno="2070">
<summary>
Delete character device nodes in
the root directory.
@@ -78167,7 +78177,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_root_files" lineno="2050">
+<interface name="files_delete_root_files" lineno="2088">
<summary>
Delete files in the root directory.
</summary>
@@ -78177,7 +78187,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_exec_root_files" lineno="2068">
+<interface name="files_exec_root_files" lineno="2106">
<summary>
Execute files in the root directory.
</summary>
@@ -78187,7 +78197,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_root_dir_entry" lineno="2086">
+<interface name="files_delete_root_dir_entry" lineno="2124">
<summary>
Remove entries from the root directory.
</summary>
@@ -78197,7 +78207,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_root_dir" lineno="2104">
+<interface name="files_manage_root_dir" lineno="2142">
<summary>
Manage the root directory.
</summary>
@@ -78207,7 +78217,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_getattr_rootfs" lineno="2123">
+<interface name="files_getattr_rootfs" lineno="2161">
<summary>
Get the attributes of a rootfs
file system.
@@ -78218,7 +78228,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_associate_rootfs" lineno="2141">
+<interface name="files_associate_rootfs" lineno="2179">
<summary>
Associate to root file system.
</summary>
@@ -78228,7 +78238,7 @@ Type of the file to associate.
</summary>
</param>
</interface>
-<interface name="files_relabel_rootfs" lineno="2159">
+<interface name="files_relabel_rootfs" lineno="2197">
<summary>
Relabel to and from rootfs file system.
</summary>
@@ -78238,7 +78248,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_unmount_rootfs" lineno="2177">
+<interface name="files_unmount_rootfs" lineno="2215">
<summary>
Unmount a rootfs filesystem.
</summary>
@@ -78248,7 +78258,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_root" lineno="2195">
+<interface name="files_mounton_root" lineno="2233">
<summary>
Mount on the root directory (/)
</summary>
@@ -78258,7 +78268,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_getattr_boot_dirs" lineno="2213">
+<interface name="files_getattr_boot_dirs" lineno="2251">
<summary>
Get attributes of the /boot directory.
</summary>
@@ -78268,7 +78278,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_boot_dirs" lineno="2232">
+<interface name="files_dontaudit_getattr_boot_dirs" lineno="2270">
<summary>
Do not audit attempts to get attributes
of the /boot directory.
@@ -78279,7 +78289,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_search_boot" lineno="2250">
+<interface name="files_search_boot" lineno="2288">
<summary>
Search the /boot directory.
</summary>
@@ -78289,7 +78299,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_boot" lineno="2268">
+<interface name="files_dontaudit_search_boot" lineno="2306">
<summary>
Do not audit attempts to search the /boot directory.
</summary>
@@ -78299,7 +78309,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_boot" lineno="2286">
+<interface name="files_list_boot" lineno="2324">
<summary>
List the /boot directory.
</summary>
@@ -78309,7 +78319,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_boot" lineno="2304">
+<interface name="files_dontaudit_list_boot" lineno="2342">
<summary>
Do not audit attempts to list the /boot directory.
</summary>
@@ -78319,7 +78329,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_boot_dirs" lineno="2322">
+<interface name="files_create_boot_dirs" lineno="2360">
<summary>
Create directories in /boot
</summary>
@@ -78329,7 +78339,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_boot_dirs" lineno="2341">
+<interface name="files_manage_boot_dirs" lineno="2379">
<summary>
Create, read, write, and delete
directories in /boot.
@@ -78340,7 +78350,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_boot_filetrans" lineno="2375">
+<interface name="files_boot_filetrans" lineno="2413">
<summary>
Create a private type object in boot
with an automatic type transition
@@ -78366,7 +78376,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_read_boot_files" lineno="2394">
+<interface name="files_read_boot_files" lineno="2432">
<summary>
read files in the /boot directory.
</summary>
@@ -78377,7 +78387,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_boot_files" lineno="2414">
+<interface name="files_manage_boot_files" lineno="2452">
<summary>
Create, read, write, and delete files
in the /boot directory.
@@ -78389,7 +78399,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_relabelfrom_boot_files" lineno="2432">
+<interface name="files_relabelfrom_boot_files" lineno="2470">
<summary>
Relabel from files in the /boot directory.
</summary>
@@ -78399,7 +78409,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_boot_symlinks" lineno="2450">
+<interface name="files_read_boot_symlinks" lineno="2488">
<summary>
Read symbolic links in the /boot directory.
</summary>
@@ -78409,7 +78419,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_boot_symlinks" lineno="2469">
+<interface name="files_rw_boot_symlinks" lineno="2507">
<summary>
Read and write symbolic links
in the /boot directory.
@@ -78420,7 +78430,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_boot_symlinks" lineno="2489">
+<interface name="files_manage_boot_symlinks" lineno="2527">
<summary>
Create, read, write, and delete symbolic links
in the /boot directory.
@@ -78431,7 +78441,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_kernel_img" lineno="2507">
+<interface name="files_read_kernel_img" lineno="2545">
<summary>
Read kernel files in the /boot directory.
</summary>
@@ -78441,7 +78451,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_kernel_img" lineno="2528">
+<interface name="files_create_kernel_img" lineno="2566">
<summary>
Install a kernel into the /boot directory.
</summary>
@@ -78452,7 +78462,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_delete_kernel" lineno="2548">
+<interface name="files_delete_kernel" lineno="2586">
<summary>
Delete a kernel from /boot.
</summary>
@@ -78463,7 +78473,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_getattr_default_dirs" lineno="2566">
+<interface name="files_getattr_default_dirs" lineno="2604">
<summary>
Getattr of directories with the default file type.
</summary>
@@ -78473,7 +78483,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_default_dirs" lineno="2585">
+<interface name="files_dontaudit_getattr_default_dirs" lineno="2623">
<summary>
Do not audit attempts to get the attributes of
directories with the default file type.
@@ -78484,7 +78494,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_search_default" lineno="2603">
+<interface name="files_search_default" lineno="2641">
<summary>
Search the contents of directories with the default file type.
</summary>
@@ -78494,7 +78504,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_default" lineno="2621">
+<interface name="files_list_default" lineno="2659">
<summary>
List contents of directories with the default file type.
</summary>
@@ -78504,7 +78514,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_default" lineno="2640">
+<interface name="files_dontaudit_list_default" lineno="2678">
<summary>
Do not audit attempts to list contents of
directories with the default file type.
@@ -78515,7 +78525,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_default_dirs" lineno="2659">
+<interface name="files_manage_default_dirs" lineno="2697">
<summary>
Create, read, write, and delete directories with
the default file type.
@@ -78526,7 +78536,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_default" lineno="2677">
+<interface name="files_mounton_default" lineno="2715">
<summary>
Mount a filesystem on a directory with the default file type.
</summary>
@@ -78536,7 +78546,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_default_files" lineno="2696">
+<interface name="files_dontaudit_getattr_default_files" lineno="2734">
<summary>
Do not audit attempts to get the attributes of
files with the default file type.
@@ -78547,7 +78557,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_read_default_files" lineno="2714">
+<interface name="files_read_default_files" lineno="2752">
<summary>
Read files with the default file type.
</summary>
@@ -78557,7 +78567,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_read_default_files" lineno="2733">
+<interface name="files_dontaudit_read_default_files" lineno="2771">
<summary>
Do not audit attempts to read files
with the default file type.
@@ -78568,7 +78578,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_default_files" lineno="2752">
+<interface name="files_manage_default_files" lineno="2790">
<summary>
Create, read, write, and delete files with
the default file type.
@@ -78579,7 +78589,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_default_symlinks" lineno="2770">
+<interface name="files_read_default_symlinks" lineno="2808">
<summary>
Read symbolic links with the default file type.
</summary>
@@ -78589,7 +78599,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_default_sockets" lineno="2788">
+<interface name="files_read_default_sockets" lineno="2826">
<summary>
Read sockets with the default file type.
</summary>
@@ -78599,7 +78609,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_default_pipes" lineno="2806">
+<interface name="files_read_default_pipes" lineno="2844">
<summary>
Read named pipes with the default file type.
</summary>
@@ -78609,7 +78619,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_etc" lineno="2824">
+<interface name="files_search_etc" lineno="2862">
<summary>
Search the contents of /etc directories.
</summary>
@@ -78619,7 +78629,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_etc_dirs" lineno="2842">
+<interface name="files_setattr_etc_dirs" lineno="2880">
<summary>
Set the attributes of the /etc directories.
</summary>
@@ -78629,7 +78639,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_etc" lineno="2860">
+<interface name="files_list_etc" lineno="2898">
<summary>
List the contents of /etc directories.
</summary>
@@ -78639,7 +78649,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_etc_dirs" lineno="2878">
+<interface name="files_dontaudit_write_etc_dirs" lineno="2916">
<summary>
Do not audit attempts to write to /etc dirs.
</summary>
@@ -78649,7 +78659,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_rw_etc_dirs" lineno="2896">
+<interface name="files_rw_etc_dirs" lineno="2934">
<summary>
Add and remove entries from /etc directories.
</summary>
@@ -78659,7 +78669,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_etc_dirs" lineno="2915">
+<interface name="files_manage_etc_dirs" lineno="2953">
<summary>
Manage generic directories in /etc
</summary>
@@ -78670,7 +78680,7 @@ Domain allowed access
</param>
</interface>
-<interface name="files_relabelto_etc_dirs" lineno="2933">
+<interface name="files_relabelto_etc_dirs" lineno="2971">
<summary>
Relabel directories to etc_t.
</summary>
@@ -78680,7 +78690,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_etc_dirs" lineno="2952">
+<interface name="files_mounton_etc_dirs" lineno="2990">
<summary>
Mount a filesystem on the
etc directories.
@@ -78691,7 +78701,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_watch_etc_dirs" lineno="2970">
+<interface name="files_watch_etc_dirs" lineno="3008">
<summary>
Watch /etc directories
</summary>
@@ -78701,7 +78711,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_etc_files" lineno="3022">
+<interface name="files_read_etc_files" lineno="3060">
<summary>
Read generic files in /etc.
</summary>
@@ -78745,7 +78755,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="files_map_etc_files" lineno="3054">
+<interface name="files_map_etc_files" lineno="3092">
<summary>
Map generic files in /etc.
</summary>
@@ -78767,7 +78777,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="files_dontaudit_write_etc_files" lineno="3072">
+<interface name="files_dontaudit_write_etc_files" lineno="3110">
<summary>
Do not audit attempts to write generic files in /etc.
</summary>
@@ -78777,7 +78787,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_etc_files" lineno="3091">
+<interface name="files_rw_etc_files" lineno="3129">
<summary>
Read and write generic files in /etc.
</summary>
@@ -78788,7 +78798,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_etc_files" lineno="3113">
+<interface name="files_manage_etc_files" lineno="3151">
<summary>
Create, read, write, and delete generic
files in /etc.
@@ -78800,7 +78810,19 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_delete_etc_files" lineno="3132">
+<interface name="files_dontaudit_manage_etc_files" lineno="3172">
+<summary>
+Do not audit attempts to create, read, write,
+and delete generic files in /etc.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="files_delete_etc_files" lineno="3190">
<summary>
Delete system configuration files in /etc.
</summary>
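Review bot: The added `files_dontaudit_manage_etc_files` entry carries `<rolecap/>`, which looks copied from `files_manage_etc_files` directly above it. None of the other dontaudit entries whose closing lines are visible in this part of the diff has that tag. A dontaudit interface only suppresses denial logging and grants nothing, so marking it as a role capability is probably unintended. Because this file is generated, the fix is to drop the tag from the interface's source comment and regenerate the XML.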
@@ -78810,7 +78832,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_exec_etc_files" lineno="3150">
+<interface name="files_exec_etc_files" lineno="3208">
<summary>
Execute generic files in /etc.
</summary>
@@ -78820,7 +78842,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_get_etc_unit_status" lineno="3170">
+<interface name="files_get_etc_unit_status" lineno="3228">
<summary>
Get etc_t service status.
</summary>
@@ -78830,7 +78852,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_start_etc_service" lineno="3188">
+<interface name="files_start_etc_service" lineno="3247">
<summary>
start etc_t service
</summary>
@@ -78840,7 +78862,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_stop_etc_service" lineno="3206">
+<interface name="files_stop_etc_service" lineno="3266">
<summary>
stop etc_t service
</summary>
@@ -78850,7 +78872,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_etc_files" lineno="3224">
+<interface name="files_relabel_etc_files" lineno="3285">
<summary>
Relabel from and to generic files in /etc.
</summary>
@@ -78860,7 +78882,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_etc_symlinks" lineno="3243">
+<interface name="files_read_etc_symlinks" lineno="3304">
<summary>
Read symbolic links in /etc.
</summary>
@@ -78870,7 +78892,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_watch_etc_symlinks" lineno="3261">
+<interface name="files_watch_etc_symlinks" lineno="3322">
<summary>
Watch /etc symlinks
</summary>
@@ -78880,7 +78902,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_etc_symlinks" lineno="3279">
+<interface name="files_manage_etc_symlinks" lineno="3340">
<summary>
Create, read, write, and delete symbolic links in /etc.
</summary>
@@ -78890,7 +78912,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_etc_filetrans" lineno="3313">
+<interface name="files_etc_filetrans" lineno="3374">
<summary>
Create objects in /etc with a private
type using a type_transition.
@@ -78916,7 +78938,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_create_boot_flag" lineno="3343">
+<interface name="files_create_boot_flag" lineno="3404">
<summary>
Create a boot flag.
</summary>
@@ -78938,7 +78960,7 @@ The name of the object being created.
</param>
<rolecap/>
</interface>
-<interface name="files_delete_boot_flag" lineno="3369">
+<interface name="files_delete_boot_flag" lineno="3430">
<summary>
Delete a boot flag.
</summary>
@@ -78955,7 +78977,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_getattr_etc_runtime_dirs" lineno="3388">
+<interface name="files_getattr_etc_runtime_dirs" lineno="3449">
<summary>
Get the attributes of the
etc_runtime directories.
@@ -78966,7 +78988,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_etc_runtime_dirs" lineno="3407">
+<interface name="files_mounton_etc_runtime_dirs" lineno="3468">
<summary>
Mount a filesystem on the
etc_runtime directories.
@@ -78977,7 +78999,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabelto_etc_runtime_dirs" lineno="3425">
+<interface name="files_relabelto_etc_runtime_dirs" lineno="3486">
<summary>
Relabel to etc_runtime_t dirs.
</summary>
@@ -78987,7 +79009,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3443">
+<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3504">
<summary>
Do not audit attempts to set the attributes of the etc_runtime files
</summary>
@@ -78997,7 +79019,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_read_etc_runtime_files" lineno="3481">
+<interface name="files_read_etc_runtime_files" lineno="3542">
<summary>
Read files in /etc that are dynamically
created on boot, such as mtab.
@@ -79027,7 +79049,7 @@ Domain allowed access.
<infoflow type="read" weight="10" />
<rolecap/>
</interface>
-<interface name="files_dontaudit_read_etc_runtime_files" lineno="3503">
+<interface name="files_dontaudit_read_etc_runtime_files" lineno="3564">
<summary>
Do not audit attempts to read files
in /etc that are dynamically
@@ -79039,7 +79061,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_read_etc_files" lineno="3522">
+<interface name="files_dontaudit_read_etc_files" lineno="3583">
<summary>
Do not audit attempts to read files
in /etc
@@ -79050,7 +79072,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_etc_runtime_files" lineno="3541">
+<interface name="files_dontaudit_write_etc_runtime_files" lineno="3602">
<summary>
Do not audit attempts to write
etc runtime files.
@@ -79061,7 +79083,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_rw_etc_runtime_files" lineno="3561">
+<interface name="files_rw_etc_runtime_files" lineno="3622">
<summary>
Read and write files in /etc that are dynamically
created on boot, such as mtab.
@@ -79073,7 +79095,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_etc_runtime_files" lineno="3583">
+<interface name="files_manage_etc_runtime_files" lineno="3644">
<summary>
Create, read, write, and delete files in
/etc that are dynamically created on boot,
@@ -79086,7 +79108,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_relabelto_etc_runtime_files" lineno="3601">
+<interface name="files_relabelto_etc_runtime_files" lineno="3662">
<summary>
Relabel to etc_runtime_t files.
</summary>
@@ -79096,7 +79118,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_etc_filetrans_etc_runtime" lineno="3630">
+<interface name="files_etc_filetrans_etc_runtime" lineno="3691">
<summary>
Create, etc runtime objects with an automatic
type transition.
@@ -79117,7 +79139,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_getattr_home_dir" lineno="3649">
+<interface name="files_getattr_home_dir" lineno="3710">
<summary>
Get the attributes of the home directories root
(/home).
@@ -79128,7 +79150,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_home_dir" lineno="3670">
+<interface name="files_dontaudit_getattr_home_dir" lineno="3731">
<summary>
Do not audit attempts to get the
attributes of the home directories root
@@ -79140,7 +79162,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_search_home" lineno="3689">
+<interface name="files_search_home" lineno="3750">
<summary>
Search home directories root (/home).
</summary>
@@ -79150,7 +79172,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_home" lineno="3709">
+<interface name="files_dontaudit_search_home" lineno="3770">
<summary>
Do not audit attempts to search
home directories root (/home).
@@ -79161,7 +79183,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_home" lineno="3729">
+<interface name="files_dontaudit_list_home" lineno="3790">
<summary>
Do not audit attempts to list
home directories root (/home).
@@ -79172,7 +79194,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_home" lineno="3748">
+<interface name="files_list_home" lineno="3809">
<summary>
Get listing of home directories.
</summary>
@@ -79182,7 +79204,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabelto_home" lineno="3767">
+<interface name="files_relabelto_home" lineno="3828">
<summary>
Relabel to user home root (/home).
</summary>
@@ -79192,7 +79214,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabelfrom_home" lineno="3785">
+<interface name="files_relabelfrom_home" lineno="3846">
<summary>
Relabel from user home root (/home).
</summary>
@@ -79202,7 +79224,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_home_filetrans" lineno="3818">
+<interface name="files_home_filetrans" lineno="3879">
<summary>
Create objects in /home.
</summary>
@@ -79227,7 +79249,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_getattr_lost_found_dirs" lineno="3836">
+<interface name="files_getattr_lost_found_dirs" lineno="3897">
<summary>
Get the attributes of lost+found directories.
</summary>
@@ -79237,7 +79259,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="3855">
+<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="3916">
<summary>
Do not audit attempts to get the attributes of
lost+found directories.
@@ -79248,7 +79270,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_lost_found" lineno="3873">
+<interface name="files_list_lost_found" lineno="3934">
<summary>
List the contents of lost+found directories.
</summary>
@@ -79258,7 +79280,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_lost_found" lineno="3893">
+<interface name="files_manage_lost_found" lineno="3954">
<summary>
Create, read, write, and delete objects in
lost+found directories.
@@ -79270,7 +79292,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_search_mnt" lineno="3915">
+<interface name="files_search_mnt" lineno="3976">
<summary>
Search the contents of /mnt.
</summary>
@@ -79280,7 +79302,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_mnt" lineno="3933">
+<interface name="files_dontaudit_search_mnt" lineno="3994">
<summary>
Do not audit attempts to search /mnt.
</summary>
@@ -79290,7 +79312,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_mnt" lineno="3951">
+<interface name="files_list_mnt" lineno="4012">
<summary>
List the contents of /mnt.
</summary>
@@ -79300,7 +79322,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_mnt" lineno="3969">
+<interface name="files_dontaudit_list_mnt" lineno="4030">
<summary>
Do not audit attempts to list the contents of /mnt.
</summary>
@@ -79310,7 +79332,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_mnt" lineno="3987">
+<interface name="files_mounton_mnt" lineno="4048">
<summary>
Mount a filesystem on /mnt.
</summary>
@@ -79320,7 +79342,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_mnt_dirs" lineno="4006">
+<interface name="files_manage_mnt_dirs" lineno="4067">
<summary>
Create, read, write, and delete directories in /mnt.
</summary>
@@ -79331,7 +79353,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_mnt_files" lineno="4024">
+<interface name="files_manage_mnt_files" lineno="4085">
<summary>
Create, read, write, and delete files in /mnt.
</summary>
@@ -79341,7 +79363,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_mnt_files" lineno="4042">
+<interface name="files_read_mnt_files" lineno="4103">
<summary>
read files in /mnt.
</summary>
@@ -79351,7 +79373,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_mnt_symlinks" lineno="4060">
+<interface name="files_read_mnt_symlinks" lineno="4121">
<summary>
Read symbolic links in /mnt.
</summary>
@@ -79361,7 +79383,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_mnt_symlinks" lineno="4078">
+<interface name="files_manage_mnt_symlinks" lineno="4139">
<summary>
Create, read, write, and delete symbolic links in /mnt.
</summary>
@@ -79371,7 +79393,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_kernel_modules" lineno="4096">
+<interface name="files_search_kernel_modules" lineno="4157">
<summary>
Search the contents of the kernel module directories.
</summary>
@@ -79381,7 +79403,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_kernel_modules" lineno="4115">
+<interface name="files_list_kernel_modules" lineno="4176">
<summary>
List the contents of the kernel module directories.
</summary>
@@ -79391,7 +79413,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_getattr_kernel_modules" lineno="4134">
+<interface name="files_getattr_kernel_modules" lineno="4195">
<summary>
Get the attributes of kernel module files.
</summary>
@@ -79401,7 +79423,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_kernel_modules" lineno="4152">
+<interface name="files_read_kernel_modules" lineno="4213">
<summary>
Read kernel module files.
</summary>
@@ -79411,7 +79433,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mmap_read_kernel_modules" lineno="4172">
+<interface name="files_mmap_read_kernel_modules" lineno="4233">
<summary>
Read and mmap kernel module files.
</summary>
@@ -79421,7 +79443,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_write_kernel_modules" lineno="4193">
+<interface name="files_write_kernel_modules" lineno="4254">
<summary>
Write kernel module files.
</summary>
@@ -79431,7 +79453,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_kernel_modules" lineno="4212">
+<interface name="files_delete_kernel_modules" lineno="4273">
<summary>
Delete kernel module files.
</summary>
@@ -79441,7 +79463,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_kernel_modules" lineno="4232">
+<interface name="files_manage_kernel_modules" lineno="4293">
<summary>
Create, read, write, and delete
kernel module files.
@@ -79453,7 +79475,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_relabel_kernel_modules" lineno="4252">
+<interface name="files_relabel_kernel_modules" lineno="4313">
<summary>
Relabel from and to kernel module files.
</summary>
@@ -79463,7 +79485,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_kernel_modules_filetrans" lineno="4287">
+<interface name="files_kernel_modules_filetrans" lineno="4348">
<summary>
Create objects in the kernel module directories
with a private type via an automatic type transition.
@@ -79489,7 +79511,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_load_kernel_modules" lineno="4305">
+<interface name="files_load_kernel_modules" lineno="4366">
<summary>
Load kernel module files.
</summary>
@@ -79499,7 +79521,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_world_readable" lineno="4325">
+<interface name="files_dontaudit_load_kernel_modules" lineno="4385">
+<summary>
+Load kernel module files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_list_world_readable" lineno="4405">
<summary>
List world-readable directories.
</summary>
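Review bot: The added `files_dontaudit_load_kernel_modules` entry repeats the text of `files_load_kernel_modules` verbatim (`Load kernel module files.` and `Domain allowed access.`), so the documentation describes a dontaudit interface as one that grants module loading. The other dontaudit entries in this file use `Do not audit attempts to ...` and `Domain to not audit.`. The summary here should read `Do not audit attempts to load kernel module files.` and the parameter `Domain to not audit.`. This matters to a policy author, because calling the interface hides module-load denials from the audit log rather than allowing anything. Since the XML is generated, the wording has to be corrected in the interface's source comment and the file regenerated.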
@@ -79510,7 +79542,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_read_world_readable_files" lineno="4344">
+<interface name="files_read_world_readable_files" lineno="4424">
<summary>
Read world-readable files.
</summary>
@@ -79521,7 +79553,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_read_world_readable_symlinks" lineno="4363">
+<interface name="files_read_world_readable_symlinks" lineno="4443">
<summary>
Read world-readable symbolic links.
</summary>
@@ -79532,7 +79564,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_read_world_readable_pipes" lineno="4381">
+<interface name="files_read_world_readable_pipes" lineno="4461">
<summary>
Read world-readable named pipes.
</summary>
@@ -79542,7 +79574,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_world_readable_sockets" lineno="4399">
+<interface name="files_read_world_readable_sockets" lineno="4479">
<summary>
Read world-readable sockets.
</summary>
@@ -79552,7 +79584,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_associate_tmp" lineno="4419">
+<interface name="files_associate_tmp" lineno="4499">
<summary>
Allow the specified type to associate
to a filesystem with the type of the
@@ -79564,7 +79596,7 @@ Type of the file to associate.
</summary>
</param>
</interface>
-<interface name="files_getattr_tmp_dirs" lineno="4437">
+<interface name="files_getattr_tmp_dirs" lineno="4517">
<summary>
Get the attributes of the tmp directory (/tmp).
</summary>
@@ -79574,7 +79606,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4456">
+<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4536">
<summary>
Do not audit attempts to get the
attributes of the tmp directory (/tmp).
@@ -79585,7 +79617,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_tmp" lineno="4474">
+<interface name="files_search_tmp" lineno="4554">
<summary>
Search the tmp directory (/tmp).
</summary>
@@ -79595,7 +79627,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_tmp" lineno="4492">
+<interface name="files_dontaudit_search_tmp" lineno="4572">
<summary>
Do not audit attempts to search the tmp directory (/tmp).
</summary>
@@ -79605,7 +79637,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_tmp" lineno="4510">
+<interface name="files_list_tmp" lineno="4590">
<summary>
Read the tmp directory (/tmp).
</summary>
@@ -79615,7 +79647,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_tmp" lineno="4528">
+<interface name="files_dontaudit_list_tmp" lineno="4608">
<summary>
Do not audit listing of the tmp directory (/tmp).
</summary>
@@ -79625,7 +79657,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="files_delete_tmp_dir_entry" lineno="4546">
+<interface name="files_delete_tmp_dir_entry" lineno="4626">
<summary>
Remove entries from the tmp directory.
</summary>
@@ -79635,7 +79667,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_generic_tmp_files" lineno="4564">
+<interface name="files_read_generic_tmp_files" lineno="4644">
<summary>
Read files in the tmp directory (/tmp).
</summary>
@@ -79645,7 +79677,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_generic_tmp_dirs" lineno="4582">
+<interface name="files_manage_generic_tmp_dirs" lineno="4662">
<summary>
Manage temporary directories in /tmp.
</summary>
@@ -79655,7 +79687,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_generic_tmp_files" lineno="4600">
+<interface name="files_relabel_generic_tmp_dirs" lineno="4680">
+<summary>
+Relabel temporary directories in /tmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="files_manage_generic_tmp_files" lineno="4698">
<summary>
Manage temporary files and directories in /tmp.
</summary>
@@ -79665,7 +79707,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_generic_tmp_symlinks" lineno="4618">
+<interface name="files_read_generic_tmp_symlinks" lineno="4716">
<summary>
Read symbolic links in the tmp directory (/tmp).
</summary>
@@ -79675,7 +79717,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_generic_tmp_sockets" lineno="4636">
+<interface name="files_rw_generic_tmp_sockets" lineno="4734">
<summary>
Read and write generic named sockets in the tmp directory (/tmp).
</summary>
@@ -79685,7 +79727,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_tmp" lineno="4654">
+<interface name="files_mounton_tmp" lineno="4752">
<summary>
Mount filesystems in the tmp directory (/tmp)
</summary>
@@ -79695,7 +79737,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_all_tmp_dirs" lineno="4672">
+<interface name="files_setattr_all_tmp_dirs" lineno="4770">
<summary>
Set the attributes of all tmp directories.
</summary>
@@ -79705,7 +79747,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_all_tmp" lineno="4690">
+<interface name="files_list_all_tmp" lineno="4788">
<summary>
List all tmp directories.
</summary>
@@ -79715,7 +79757,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_tmp_dirs" lineno="4710">
+<interface name="files_relabel_all_tmp_dirs" lineno="4808">
<summary>
Relabel to and from all temporary
directory types.
@@ -79727,7 +79769,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_dontaudit_getattr_all_tmp_files" lineno="4731">
+<interface name="files_dontaudit_getattr_all_tmp_files" lineno="4829">
<summary>
Do not audit attempts to get the attributes
of all tmp files.
@@ -79738,7 +79780,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="files_getattr_all_tmp_files" lineno="4750">
+<interface name="files_getattr_all_tmp_files" lineno="4848">
<summary>
Allow attempts to get the attributes
of all tmp files.
@@ -79749,7 +79791,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_tmp_files" lineno="4770">
+<interface name="files_relabel_all_tmp_files" lineno="4868">
<summary>
Relabel to and from all temporary
file types.
@@ -79761,7 +79803,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="4791">
+<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="4889">
<summary>
Do not audit attempts to get the attributes
of all tmp sock_file.
@@ -79772,7 +79814,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="files_read_all_tmp_files" lineno="4809">
+<interface name="files_read_all_tmp_files" lineno="4907">
<summary>
Read all tmp files.
</summary>
@@ -79782,7 +79824,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_tmp_filetrans" lineno="4843">
+<interface name="files_tmp_filetrans" lineno="4941">
<summary>
Create an object in the tmp directories, with a private
type using a type transition.
@@ -79808,7 +79850,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_purge_tmp" lineno="4861">
+<interface name="files_purge_tmp" lineno="4959">
<summary>
Delete the contents of /tmp.
</summary>
@@ -79818,7 +79860,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_usr_dirs" lineno="4884">
+<interface name="files_setattr_usr_dirs" lineno="4982">
<summary>
Set the attributes of the /usr directory.
</summary>
@@ -79828,7 +79870,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_usr" lineno="4902">
+<interface name="files_search_usr" lineno="5000">
<summary>
Search the content of /usr.
</summary>
@@ -79838,7 +79880,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_usr" lineno="4921">
+<interface name="files_list_usr" lineno="5019">
<summary>
List the contents of generic
directories in /usr.
@@ -79849,7 +79891,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_usr_dirs" lineno="4939">
+<interface name="files_dontaudit_write_usr_dirs" lineno="5037">
<summary>
Do not audit write of /usr dirs
</summary>
@@ -79859,7 +79901,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_rw_usr_dirs" lineno="4957">
+<interface name="files_rw_usr_dirs" lineno="5055">
<summary>
Add and remove entries from /usr directories.
</summary>
@@ -79869,7 +79911,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_rw_usr_dirs" lineno="4976">
+<interface name="files_dontaudit_rw_usr_dirs" lineno="5074">
<summary>
Do not audit attempts to add and remove
entries from /usr directories.
@@ -79880,7 +79922,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_delete_usr_dirs" lineno="4994">
+<interface name="files_delete_usr_dirs" lineno="5092">
<summary>
Delete generic directories in /usr in the caller domain.
</summary>
@@ -79890,7 +79932,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_watch_usr_dirs" lineno="5012">
+<interface name="files_watch_usr_dirs" lineno="5110">
<summary>
Watch generic directories in /usr.
</summary>
@@ -79900,7 +79942,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_usr_files" lineno="5030">
+<interface name="files_delete_usr_files" lineno="5128">
<summary>
Delete generic files in /usr in the caller domain.
</summary>
@@ -79910,7 +79952,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_getattr_usr_files" lineno="5048">
+<interface name="files_getattr_usr_files" lineno="5146">
<summary>
Get the attributes of files in /usr.
</summary>
@@ -79920,7 +79962,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_map_usr_files" lineno="5067">
+<interface name="files_map_usr_files" lineno="5165">
<summary>
Map generic files in /usr.
</summary>
@@ -79931,7 +79973,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="files_read_usr_files" lineno="5103">
+<interface name="files_read_usr_files" lineno="5201">
<summary>
Read generic files in /usr.
</summary>
@@ -79959,7 +80001,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="files_exec_usr_files" lineno="5123">
+<interface name="files_exec_usr_files" lineno="5221">
<summary>
Execute generic programs in /usr in the caller domain.
</summary>
@@ -79969,7 +80011,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_usr_files" lineno="5143">
+<interface name="files_dontaudit_write_usr_files" lineno="5241">
<summary>
dontaudit write of /usr files
</summary>
@@ -79979,7 +80021,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_usr_files" lineno="5161">
+<interface name="files_manage_usr_files" lineno="5259">
<summary>
Create, read, write, and delete files in the /usr directory.
</summary>
@@ -79989,7 +80031,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabelto_usr_files" lineno="5179">
+<interface name="files_relabelto_usr_files" lineno="5277">
<summary>
Relabel a file to the type used in /usr.
</summary>
@@ -79999,7 +80041,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabelfrom_usr_files" lineno="5197">
+<interface name="files_relabelfrom_usr_files" lineno="5295">
<summary>
Relabel a file from the type used in /usr.
</summary>
@@ -80009,7 +80051,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_usr_symlinks" lineno="5215">
+<interface name="files_read_usr_symlinks" lineno="5313">
<summary>
Read symbolic links in /usr.
</summary>
@@ -80019,7 +80061,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_usr_filetrans" lineno="5248">
+<interface name="files_usr_filetrans" lineno="5346">
<summary>
Create objects in the /usr directory
</summary>
@@ -80044,7 +80086,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_search_src" lineno="5266">
+<interface name="files_search_src" lineno="5364">
<summary>
Search directories in /usr/src.
</summary>
@@ -80054,7 +80096,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_src" lineno="5284">
+<interface name="files_dontaudit_search_src" lineno="5382">
<summary>
Do not audit attempts to search /usr/src.
</summary>
@@ -80064,7 +80106,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_getattr_usr_src_files" lineno="5302">
+<interface name="files_getattr_usr_src_files" lineno="5400">
<summary>
Get the attributes of files in /usr/src.
</summary>
@@ -80074,7 +80116,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_usr_src_files" lineno="5323">
+<interface name="files_read_usr_src_files" lineno="5421">
<summary>
Read files in /usr/src.
</summary>
@@ -80084,7 +80126,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_exec_usr_src_files" lineno="5344">
+<interface name="files_exec_usr_src_files" lineno="5442">
<summary>
Execute programs in /usr/src in the caller domain.
</summary>
@@ -80094,7 +80136,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_kernel_symbol_table" lineno="5364">
+<interface name="files_create_kernel_symbol_table" lineno="5462">
<summary>
Install a system.map into the /boot directory.
</summary>
@@ -80104,7 +80146,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_kernel_symbol_table" lineno="5383">
+<interface name="files_read_kernel_symbol_table" lineno="5481">
<summary>
Read system.map in the /boot directory.
</summary>
@@ -80114,7 +80156,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_kernel_symbol_table" lineno="5402">
+<interface name="files_delete_kernel_symbol_table" lineno="5500">
<summary>
Delete a system.map in the /boot directory.
</summary>
@@ -80124,7 +80166,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_var" lineno="5421">
+<interface name="files_search_var" lineno="5519">
<summary>
Search the contents of /var.
</summary>
@@ -80134,7 +80176,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_var_dirs" lineno="5439">
+<interface name="files_dontaudit_write_var_dirs" lineno="5537">
<summary>
Do not audit attempts to write to /var.
</summary>
@@ -80144,7 +80186,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_write_var_dirs" lineno="5457">
+<interface name="files_write_var_dirs" lineno="5555">
<summary>
Allow attempts to write to /var.dirs
</summary>
@@ -80154,7 +80196,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_var" lineno="5476">
+<interface name="files_dontaudit_search_var" lineno="5574">
<summary>
Do not audit attempts to search
the contents of /var.
@@ -80165,7 +80207,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_var" lineno="5494">
+<interface name="files_list_var" lineno="5592">
<summary>
List the contents of /var.
</summary>
@@ -80175,7 +80217,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_list_var" lineno="5513">
+<interface name="files_dontaudit_list_var" lineno="5611">
<summary>
Do not audit attempts to list
the contents of /var.
@@ -80186,7 +80228,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_var_dirs" lineno="5532">
+<interface name="files_manage_var_dirs" lineno="5630">
<summary>
Create, read, write, and delete directories
in the /var directory.
@@ -80197,7 +80239,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_var_dirs" lineno="5550">
+<interface name="files_relabel_var_dirs" lineno="5648">
<summary>
relabelto/from var directories
</summary>
@@ -80207,7 +80249,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_var_files" lineno="5568">
+<interface name="files_read_var_files" lineno="5666">
<summary>
Read files in the /var directory.
</summary>
@@ -80217,7 +80259,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_append_var_files" lineno="5586">
+<interface name="files_append_var_files" lineno="5684">
<summary>
Append files in the /var directory.
</summary>
@@ -80227,7 +80269,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_var_files" lineno="5604">
+<interface name="files_rw_var_files" lineno="5702">
<summary>
Read and write files in the /var directory.
</summary>
@@ -80237,7 +80279,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_rw_var_files" lineno="5623">
+<interface name="files_dontaudit_rw_var_files" lineno="5721">
<summary>
Do not audit attempts to read and write
files in the /var directory.
@@ -80248,7 +80290,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_var_files" lineno="5641">
+<interface name="files_manage_var_files" lineno="5739">
<summary>
Create, read, write, and delete files in the /var directory.
</summary>
@@ -80258,7 +80300,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_var_symlinks" lineno="5659">
+<interface name="files_read_var_symlinks" lineno="5757">
<summary>
Read symbolic links in the /var directory.
</summary>
@@ -80268,7 +80310,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_var_symlinks" lineno="5678">
+<interface name="files_manage_var_symlinks" lineno="5776">
<summary>
Create, read, write, and delete symbolic
links in the /var directory.
@@ -80279,7 +80321,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_var_filetrans" lineno="5711">
+<interface name="files_var_filetrans" lineno="5809">
<summary>
Create objects in the /var directory
</summary>
@@ -80304,7 +80346,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_getattr_var_lib_dirs" lineno="5729">
+<interface name="files_getattr_var_lib_dirs" lineno="5827">
<summary>
Get the attributes of the /var/lib directory.
</summary>
@@ -80314,7 +80356,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_var_lib" lineno="5761">
+<interface name="files_search_var_lib" lineno="5859">
<summary>
Search the /var/lib directory.
</summary>
@@ -80338,7 +80380,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="5"/>
</interface>
-<interface name="files_dontaudit_search_var_lib" lineno="5781">
+<interface name="files_dontaudit_search_var_lib" lineno="5879">
<summary>
Do not audit attempts to search the
contents of /var/lib.
@@ -80350,7 +80392,7 @@ Domain to not audit.
</param>
<infoflow type="read" weight="5"/>
</interface>
-<interface name="files_list_var_lib" lineno="5799">
+<interface name="files_list_var_lib" lineno="5897">
<summary>
List the contents of the /var/lib directory.
</summary>
@@ -80360,7 +80402,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_var_lib_dirs" lineno="5817">
+<interface name="files_rw_var_lib_dirs" lineno="5915">
<summary>
Read-write /var/lib directories
</summary>
@@ -80370,7 +80412,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_var_lib_dirs" lineno="5835">
+<interface name="files_manage_var_lib_dirs" lineno="5933">
<summary>
manage var_lib_t dirs
</summary>
@@ -80380,7 +80422,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_var_lib_dirs" lineno="5854">
+<interface name="files_relabel_var_lib_dirs" lineno="5952">
<summary>
relabel var_lib_t dirs
</summary>
@@ -80390,7 +80432,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_var_lib_filetrans" lineno="5888">
+<interface name="files_var_lib_filetrans" lineno="5986">
<summary>
Create objects in the /var/lib directory
</summary>
@@ -80415,7 +80457,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_read_var_lib_files" lineno="5907">
+<interface name="files_read_var_lib_files" lineno="6005">
<summary>
Read generic files in /var/lib.
</summary>
@@ -80425,7 +80467,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_var_lib_symlinks" lineno="5926">
+<interface name="files_read_var_lib_symlinks" lineno="6024">
<summary>
Read generic symbolic links in /var/lib
</summary>
@@ -80435,7 +80477,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_urandom_seed" lineno="5948">
+<interface name="files_manage_urandom_seed" lineno="6046">
<summary>
Create, read, write, and delete the
pseudorandom number generator seed.
@@ -80446,7 +80488,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_mounttab" lineno="5968">
+<interface name="files_manage_mounttab" lineno="6066">
<summary>
Allow domain to manage mount tables
necessary for rpcd, nfsd, etc.
@@ -80457,7 +80499,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_lock_dirs" lineno="5987">
+<interface name="files_setattr_lock_dirs" lineno="6085">
<summary>
Set the attributes of the generic lock directories.
</summary>
@@ -80467,7 +80509,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_locks" lineno="6005">
+<interface name="files_search_locks" lineno="6103">
<summary>
Search the locks directory (/var/lock).
</summary>
@@ -80477,7 +80519,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_locks" lineno="6025">
+<interface name="files_dontaudit_search_locks" lineno="6123">
<summary>
Do not audit attempts to search the
locks directory (/var/lock).
@@ -80488,7 +80530,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_locks" lineno="6044">
+<interface name="files_list_locks" lineno="6142">
<summary>
List generic lock directories.
</summary>
@@ -80498,7 +80540,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_check_write_lock_dirs" lineno="6063">
+<interface name="files_check_write_lock_dirs" lineno="6161">
<summary>
Test write access on lock directories.
</summary>
@@ -80508,7 +80550,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_add_entry_lock_dirs" lineno="6082">
+<interface name="files_add_entry_lock_dirs" lineno="6180">
<summary>
Add entries in the /var/lock directories.
</summary>
@@ -80518,7 +80560,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_lock_dirs" lineno="6102">
+<interface name="files_rw_lock_dirs" lineno="6200">
<summary>
Add and remove entries in the /var/lock
directories.
@@ -80529,7 +80571,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_lock_dirs" lineno="6121">
+<interface name="files_create_lock_dirs" lineno="6219">
<summary>
Create lock directories
</summary>
@@ -80539,7 +80581,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="files_relabel_all_lock_dirs" lineno="6142">
+<interface name="files_relabel_all_lock_dirs" lineno="6240">
<summary>
Relabel to and from all lock directory types.
</summary>
@@ -80550,7 +80592,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_getattr_generic_locks" lineno="6163">
+<interface name="files_getattr_generic_locks" lineno="6261">
<summary>
Get the attributes of generic lock files.
</summary>
@@ -80560,7 +80602,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_generic_locks" lineno="6184">
+<interface name="files_delete_generic_locks" lineno="6282">
<summary>
Delete generic lock files.
</summary>
@@ -80570,7 +80612,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_generic_locks" lineno="6205">
+<interface name="files_manage_generic_locks" lineno="6303">
<summary>
Create, read, write, and delete generic
lock files.
@@ -80581,7 +80623,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_locks" lineno="6227">
+<interface name="files_delete_all_locks" lineno="6325">
<summary>
Delete all lock files.
</summary>
@@ -80592,7 +80634,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_read_all_locks" lineno="6248">
+<interface name="files_read_all_locks" lineno="6346">
<summary>
Read all lock files.
</summary>
@@ -80602,7 +80644,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_all_locks" lineno="6271">
+<interface name="files_manage_all_locks" lineno="6369">
<summary>
manage all lock files.
</summary>
@@ -80612,7 +80654,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_locks" lineno="6294">
+<interface name="files_relabel_all_locks" lineno="6392">
<summary>
Relabel from/to all lock files.
</summary>
@@ -80622,7 +80664,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_lock_filetrans" lineno="6333">
+<interface name="files_lock_filetrans" lineno="6431">
<summary>
Create an object in the locks directory, with a private
type using a type transition.
@@ -80648,7 +80690,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_pid_dirs" lineno="6354">
+<interface name="files_dontaudit_getattr_pid_dirs" lineno="6452">
<summary>
Do not audit attempts to get the attributes
of the /var/run directory. (Deprecated)
@@ -80659,7 +80701,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_mounton_pid_dirs" lineno="6369">
+<interface name="files_mounton_pid_dirs" lineno="6467">
<summary>
mounton a /var/run directory. (Deprecated)
</summary>
@@ -80669,7 +80711,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_pid_dirs" lineno="6384">
+<interface name="files_setattr_pid_dirs" lineno="6482">
<summary>
Set the attributes of the /var/run directory. (Deprecated)
</summary>
@@ -80679,7 +80721,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_pids" lineno="6400">
+<interface name="files_search_pids" lineno="6498">
<summary>
Search the contents of runtime process
ID directories (/var/run). (Deprecated)
@@ -80690,7 +80732,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_pids" lineno="6416">
+<interface name="files_dontaudit_search_pids" lineno="6514">
<summary>
Do not audit attempts to search
the /var/run directory. (Deprecated)
@@ -80701,7 +80743,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_pids" lineno="6432">
+<interface name="files_list_pids" lineno="6530">
<summary>
List the contents of the runtime process
ID directories (/var/run). (Deprecated)
@@ -80712,7 +80754,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_check_write_pid_dirs" lineno="6447">
+<interface name="files_check_write_pid_dirs" lineno="6545">
<summary>
Check write access on /var/run directories. (Deprecated)
</summary>
@@ -80722,7 +80764,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_pid_dirs" lineno="6462">
+<interface name="files_create_pid_dirs" lineno="6560">
<summary>
Create a /var/run directory. (Deprecated)
</summary>
@@ -80732,7 +80774,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6478">
+<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6576">
<summary>
Do not audit attempts to get the attributes
of the /var/run directory.
@@ -80743,7 +80785,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_mounton_runtime_dirs" lineno="6497">
+<interface name="files_mounton_runtime_dirs" lineno="6595">
<summary>
mounton a /var/run directory.
</summary>
@@ -80753,7 +80795,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_setattr_runtime_dirs" lineno="6515">
+<interface name="files_setattr_runtime_dirs" lineno="6613">
<summary>
Set the attributes of the /var/run directory.
</summary>
@@ -80763,7 +80805,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_runtime" lineno="6535">
+<interface name="files_search_runtime" lineno="6633">
<summary>
Search the contents of runtime process
ID directories (/var/run).
@@ -80774,7 +80816,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_runtime" lineno="6555">
+<interface name="files_dontaudit_search_runtime" lineno="6653">
<summary>
Do not audit attempts to search
the /var/run directory.
@@ -80785,7 +80827,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_runtime" lineno="6575">
+<interface name="files_list_runtime" lineno="6673">
<summary>
List the contents of the runtime process
ID directories (/var/run).
@@ -80796,7 +80838,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_check_write_runtime_dirs" lineno="6594">
+<interface name="files_check_write_runtime_dirs" lineno="6692">
<summary>
Check write access on /var/run directories.
</summary>
@@ -80806,7 +80848,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_runtime_dirs" lineno="6612">
+<interface name="files_create_runtime_dirs" lineno="6710">
<summary>
Create a /var/run directory.
</summary>
@@ -80816,7 +80858,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_watch_runtime_dirs" lineno="6630">
+<interface name="files_watch_runtime_dirs" lineno="6728">
<summary>
Watch /var/run directories.
</summary>
@@ -80826,7 +80868,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_generic_pids" lineno="6648">
+<interface name="files_read_generic_pids" lineno="6746">
<summary>
Read generic process ID files. (Deprecated)
</summary>
@@ -80836,7 +80878,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_write_generic_pid_pipes" lineno="6663">
+<interface name="files_write_generic_pid_pipes" lineno="6761">
<summary>
Write named generic process ID pipes. (Deprecated)
</summary>
@@ -80846,7 +80888,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_pid_filetrans" lineno="6720">
+<interface name="files_pid_filetrans" lineno="6818">
<summary>
Create an object in the process ID directory, with a private type. (Deprecated)
</summary>
@@ -80898,7 +80940,7 @@ The name of the object being created.
</param>
<infoflow type="write" weight="10"/>
</interface>
-<interface name="files_pid_filetrans_lock_dir" lineno="6740">
+<interface name="files_pid_filetrans_lock_dir" lineno="6838">
<summary>
Create a generic lock directory within the run directories. (Deprecated)
</summary>
@@ -80913,7 +80955,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_rw_generic_pids" lineno="6755">
+<interface name="files_rw_generic_pids" lineno="6853">
<summary>
Read and write generic process ID files. (Deprecated)
</summary>
@@ -80923,7 +80965,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_all_pids" lineno="6771">
+<interface name="files_dontaudit_getattr_all_pids" lineno="6869">
<summary>
Do not audit attempts to get the attributes of
daemon runtime data files. (Deprecated)
@@ -80934,7 +80976,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_all_pids" lineno="6786">
+<interface name="files_dontaudit_write_all_pids" lineno="6884">
<summary>
Do not audit attempts to write to daemon runtime data files. (Deprecated)
</summary>
@@ -80944,7 +80986,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_ioctl_all_pids" lineno="6801">
+<interface name="files_dontaudit_ioctl_all_pids" lineno="6899">
<summary>
Do not audit attempts to ioctl daemon runtime data files. (Deprecated)
</summary>
@@ -80954,7 +80996,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_manage_all_pid_dirs" lineno="6817">
+<interface name="files_manage_all_pid_dirs" lineno="6915">
<summary>
manage all pidfile directories
in the /var/run directory. (Deprecated)
@@ -80965,7 +81007,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_all_pids" lineno="6833">
+<interface name="files_read_all_pids" lineno="6931">
<summary>
Read all process ID files. (Deprecated)
</summary>
@@ -80976,7 +81018,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_exec_generic_pid_files" lineno="6848">
+<interface name="files_exec_generic_pid_files" lineno="6946">
<summary>
Execute generic programs in /var/run in the caller domain. (Deprecated)
</summary>
@@ -80986,7 +81028,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_pid_files" lineno="6863">
+<interface name="files_relabel_all_pid_files" lineno="6961">
<summary>
Relabel all pid files. (Deprecated)
</summary>
@@ -80996,7 +81038,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_pids" lineno="6879">
+<interface name="files_delete_all_pids" lineno="6977">
<summary>
Delete all process IDs. (Deprecated)
</summary>
@@ -81007,7 +81049,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_create_all_pid_sockets" lineno="6898">
+<interface name="files_create_all_pid_sockets" lineno="6996">
<summary>
Create all pid sockets. (Deprecated)
</summary>
@@ -81017,7 +81059,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_all_pid_pipes" lineno="6913">
+<interface name="files_create_all_pid_pipes" lineno="7011">
<summary>
Create all pid named pipes. (Deprecated)
</summary>
@@ -81027,7 +81069,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_runtime_files" lineno="6928">
+<interface name="files_read_runtime_files" lineno="7026">
<summary>
Read generic runtime files.
</summary>
@@ -81037,7 +81079,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_exec_runtime" lineno="6948">
+<interface name="files_exec_runtime" lineno="7046">
<summary>
Execute generic programs in /var/run in the caller domain.
</summary>
@@ -81047,7 +81089,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_rw_runtime_files" lineno="6966">
+<interface name="files_rw_runtime_files" lineno="7064">
<summary>
Read and write generic runtime files.
</summary>
@@ -81057,7 +81099,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_runtime_symlinks" lineno="6986">
+<interface name="files_delete_runtime_symlinks" lineno="7084">
<summary>
Delete generic runtime symlinks.
</summary>
@@ -81067,7 +81109,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_write_runtime_pipes" lineno="7004">
+<interface name="files_write_runtime_pipes" lineno="7102">
<summary>
Write named generic runtime pipes.
</summary>
@@ -81077,7 +81119,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_runtime_dirs" lineno="7024">
+<interface name="files_delete_all_runtime_dirs" lineno="7122">
<summary>
Delete all runtime dirs.
</summary>
@@ -81088,7 +81130,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_all_runtime_dirs" lineno="7042">
+<interface name="files_manage_all_runtime_dirs" lineno="7140">
<summary>
Create, read, write, and delete all runtime directories.
</summary>
@@ -81098,7 +81140,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_runtime_dirs" lineno="7060">
+<interface name="files_relabel_all_runtime_dirs" lineno="7158">
<summary>
Relabel all runtime directories.
</summary>
@@ -81108,7 +81150,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7079">
+<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7177">
<summary>
Do not audit attempts to get the attributes of
all runtime data files.
@@ -81119,7 +81161,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_read_all_runtime_files" lineno="7100">
+<interface name="files_read_all_runtime_files" lineno="7198">
<summary>
Read all runtime files.
</summary>
@@ -81130,7 +81172,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7121">
+<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7219">
<summary>
Do not audit attempts to ioctl all runtime files.
</summary>
@@ -81140,7 +81182,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_write_all_runtime_files" lineno="7141">
+<interface name="files_dontaudit_write_all_runtime_files" lineno="7239">
<summary>
Do not audit attempts to write to all runtime files.
</summary>
@@ -81150,7 +81192,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_delete_all_runtime_files" lineno="7162">
+<interface name="files_delete_all_runtime_files" lineno="7260">
<summary>
Delete all runtime files.
</summary>
@@ -81161,7 +81203,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_all_runtime_files" lineno="7181">
+<interface name="files_manage_all_runtime_files" lineno="7279">
<summary>
Create, read, write and delete all
var_run (pid) files
@@ -81172,7 +81214,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_runtime_files" lineno="7199">
+<interface name="files_relabel_all_runtime_files" lineno="7297">
<summary>
Relabel all runtime files.
</summary>
@@ -81182,7 +81224,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_runtime_symlinks" lineno="7218">
+<interface name="files_delete_all_runtime_symlinks" lineno="7316">
<summary>
Delete all runtime symlinks.
</summary>
@@ -81193,7 +81235,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_all_runtime_symlinks" lineno="7237">
+<interface name="files_manage_all_runtime_symlinks" lineno="7335">
<summary>
Create, read, write and delete all
var_run (pid) symbolic links.
@@ -81204,7 +81246,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_runtime_symlinks" lineno="7255">
+<interface name="files_relabel_all_runtime_symlinks" lineno="7353">
<summary>
Relabel all runtime symbolic links.
</summary>
@@ -81214,7 +81256,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_all_runtime_pipes" lineno="7273">
+<interface name="files_create_all_runtime_pipes" lineno="7371">
<summary>
Create all runtime named pipes
</summary>
@@ -81224,7 +81266,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_runtime_pipes" lineno="7292">
+<interface name="files_delete_all_runtime_pipes" lineno="7390">
<summary>
Delete all runtime named pipes
</summary>
@@ -81234,7 +81276,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_create_all_runtime_sockets" lineno="7311">
+<interface name="files_create_all_runtime_sockets" lineno="7409">
<summary>
Create all runtime sockets.
</summary>
@@ -81244,7 +81286,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_runtime_sockets" lineno="7329">
+<interface name="files_delete_all_runtime_sockets" lineno="7427">
<summary>
Delete all runtime sockets.
</summary>
@@ -81254,7 +81296,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_runtime_sockets" lineno="7347">
+<interface name="files_relabel_all_runtime_sockets" lineno="7445">
<summary>
Relabel all runtime named sockets.
</summary>
@@ -81264,7 +81306,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_runtime_filetrans" lineno="7407">
+<interface name="files_runtime_filetrans" lineno="7505">
<summary>
Create an object in the /run directory, with a private type.
</summary>
@@ -81316,7 +81358,7 @@ The name of the object being created.
</param>
<infoflow type="write" weight="10"/>
</interface>
-<interface name="files_runtime_filetrans_lock_dir" lineno="7432">
+<interface name="files_runtime_filetrans_lock_dir" lineno="7530">
<summary>
Create a generic lock directory within the run directories.
</summary>
@@ -81331,7 +81373,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_create_all_spool_sockets" lineno="7450">
+<interface name="files_create_all_spool_sockets" lineno="7548">
<summary>
Create all spool sockets
</summary>
@@ -81341,7 +81383,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_spool_sockets" lineno="7468">
+<interface name="files_delete_all_spool_sockets" lineno="7566">
<summary>
Delete all spool sockets
</summary>
@@ -81351,7 +81393,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_delete_all_pid_dirs" lineno="7486">
+<interface name="files_delete_all_pid_dirs" lineno="7584">
<summary>
Delete all process ID directories. (Deprecated)
</summary>
@@ -81361,7 +81403,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_all_pids" lineno="7502">
+<interface name="files_manage_all_pids" lineno="7600">
<summary>
Create, read, write and delete all
var_run (pid) content (Deprecated)
@@ -81372,7 +81414,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_pid_dirs" lineno="7519">
+<interface name="files_relabel_all_pid_dirs" lineno="7617">
<summary>
Relabel to/from all var_run (pid) directories (Deprecated)
</summary>
@@ -81382,7 +81424,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_pid_sock_files" lineno="7534">
+<interface name="files_relabel_all_pid_sock_files" lineno="7632">
<summary>
Relabel to/from all var_run (pid) socket files (Deprecated)
</summary>
@@ -81392,7 +81434,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_relabel_all_pids" lineno="7549">
+<interface name="files_relabel_all_pids" lineno="7647">
<summary>
Relabel to/from all var_run (pid) files and directories (Deprecated)
</summary>
@@ -81402,7 +81444,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_mounton_all_poly_members" lineno="7567">
+<interface name="files_mounton_all_poly_members" lineno="7665">
<summary>
Mount filesystems on all polyinstantiation
member directories.
@@ -81413,7 +81455,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_search_spool" lineno="7586">
+<interface name="files_search_spool" lineno="7684">
<summary>
Search the contents of generic spool
directories (/var/spool).
@@ -81424,7 +81466,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_dontaudit_search_spool" lineno="7605">
+<interface name="files_dontaudit_search_spool" lineno="7703">
<summary>
Do not audit attempts to search generic
spool directories.
@@ -81435,7 +81477,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="files_list_spool" lineno="7624">
+<interface name="files_list_spool" lineno="7722">
<summary>
List the contents of generic spool
(/var/spool) directories.
@@ -81446,7 +81488,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_generic_spool_dirs" lineno="7643">
+<interface name="files_manage_generic_spool_dirs" lineno="7741">
<summary>
Create, read, write, and delete generic
spool directories (/var/spool).
@@ -81457,7 +81499,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_read_generic_spool" lineno="7662">
+<interface name="files_read_generic_spool" lineno="7760">
<summary>
Read generic spool files.
</summary>
@@ -81467,7 +81509,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_generic_spool" lineno="7682">
+<interface name="files_manage_generic_spool" lineno="7780">
<summary>
Create, read, write, and delete generic
spool files.
@@ -81478,7 +81520,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_spool_filetrans" lineno="7718">
+<interface name="files_spool_filetrans" lineno="7816">
<summary>
Create objects in the spool directory
with a private type with a type transition.
@@ -81488,7 +81530,7 @@ with a private type with a type transition.
Domain allowed access.
</summary>
</param>
-<param name="file">
+<param name="file_type">
<summary>
Type to which the created node will be transitioned.
</summary>
@@ -81505,7 +81547,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="files_polyinstantiate_all" lineno="7738">
+<interface name="files_polyinstantiate_all" lineno="7836">
<summary>
Allow access to manage all polyinstantiated
directories on the system.
@@ -81516,7 +81558,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_unconfined" lineno="7792">
+<interface name="files_unconfined" lineno="7890">
<summary>
Unconfined access to files.
</summary>
@@ -81526,7 +81568,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_manage_etc_runtime_lnk_files" lineno="7814">
+<interface name="files_manage_etc_runtime_lnk_files" lineno="7912">
<summary>
Create, read, write, and delete symbolic links in
/etc that are dynamically created on boot.
@@ -81538,7 +81580,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_dontaudit_read_etc_runtime" lineno="7832">
+<interface name="files_dontaudit_read_etc_runtime" lineno="7930">
<summary>
Do not audit attempts to read etc_runtime resources
</summary>
@@ -81548,7 +81590,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="files_list_src" lineno="7850">
+<interface name="files_list_src" lineno="7948">
<summary>
List usr/src files
</summary>
@@ -81558,7 +81600,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="files_read_src_files" lineno="7868">
+<interface name="files_read_src_files" lineno="7966">
<summary>
Read usr/src files
</summary>
@@ -81568,7 +81610,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="files_manage_src_files" lineno="7886">
+<interface name="files_manage_src_files" lineno="7984">
<summary>
Manage /usr/src files
</summary>
@@ -81578,7 +81620,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="files_lib_filetrans_kernel_modules" lineno="7917">
+<interface name="files_lib_filetrans_kernel_modules" lineno="8015">
<summary>
Create a resource in the generic lib location
with an automatic type transition towards the kernel modules
@@ -81600,7 +81642,7 @@ Optional name of the resource
</summary>
</param>
</interface>
-<interface name="files_read_etc_runtime" lineno="7935">
+<interface name="files_read_etc_runtime" lineno="8033">
<summary>
Read etc runtime resources
</summary>
@@ -81610,7 +81652,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="files_relabel_all_non_security_file_types" lineno="7957">
+<interface name="files_relabel_all_non_security_file_types" lineno="8055">
<summary>
Allow relabel from and to non-security types
</summary>
@@ -81621,7 +81663,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_manage_all_non_security_file_types" lineno="7987">
+<interface name="files_manage_all_non_security_file_types" lineno="8085">
<summary>
Manage non-security-sensitive resource types
</summary>
@@ -81632,7 +81674,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="files_relabel_all_pidfiles" lineno="8009">
+<interface name="files_relabel_all_pidfiles" lineno="8107">
<summary>
Allow relabeling from and to any pidfile associated type
</summary>
@@ -81670,7 +81712,18 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_image_file" lineno="57">
+<interface name="fs_pseudo_type" lineno="57">
+<summary>
+Transform specified type into a filesystem
+type which is a pseudo filesystem.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_image_file" lineno="78">
<summary>
Transform specified type into a filesystem
image file type.
@@ -81681,7 +81734,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_associate" lineno="80">
+<interface name="fs_associate" lineno="101">
<summary>
Associate the specified file type to persistent
filesystems with extended attributes. This
@@ -81694,7 +81747,7 @@ The type of the to be associated.
</summary>
</param>
</interface>
-<interface name="fs_associate_noxattr" lineno="102">
+<interface name="fs_associate_noxattr" lineno="123">
<summary>
Associate the specified file type to
filesystems which lack extended attributes
@@ -81708,7 +81761,7 @@ The type of the to be associated.
</summary>
</param>
</interface>
-<interface name="fs_exec_noxattr" lineno="122">
+<interface name="fs_exec_noxattr" lineno="143">
<summary>
Execute files on a filesystem that does
not support extended attributes.
@@ -81720,7 +81773,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_xattr_type" lineno="142">
+<interface name="fs_xattr_type" lineno="163">
<summary>
Transform specified type into a filesystem
type which has extended attribute
@@ -81732,7 +81785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_xattr_fs" lineno="180">
+<interface name="fs_getattr_all_xattr_fs" lineno="201">
<summary>
Get the attributes of all the
filesystems which have extended
@@ -81760,7 +81813,7 @@ Domain allowed access.
<infoflow type="read" weight="5"/>
<rolecap/>
</interface>
-<interface name="fs_mount_xattr_fs" lineno="200">
+<interface name="fs_mount_xattr_fs" lineno="221">
<summary>
Mount a persistent filesystem which
has extended attributes, such as
@@ -81772,7 +81825,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_xattr_fs" lineno="221">
+<interface name="fs_remount_xattr_fs" lineno="242">
<summary>
Remount a persistent filesystem which
has extended attributes, such as
@@ -81785,7 +81838,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_xattr_fs" lineno="241">
+<interface name="fs_unmount_xattr_fs" lineno="262">
<summary>
Unmount a persistent filesystem which
has extended attributes, such as
@@ -81797,7 +81850,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_xattr_fs" lineno="277">
+<interface name="fs_getattr_xattr_fs" lineno="298">
<summary>
Get the attributes of persistent
filesystems which have extended
@@ -81825,7 +81878,7 @@ Domain allowed access.
<infoflow type="read" weight="5"/>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_getattr_xattr_fs" lineno="298">
+<interface name="fs_dontaudit_getattr_xattr_fs" lineno="319">
<summary>
Do not audit attempts to
get the attributes of a persistent
@@ -81838,7 +81891,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_xattr_fs" lineno="318">
+<interface name="fs_relabelfrom_xattr_fs" lineno="339">
<summary>
Allow changing of the label of a
filesystem with extended attributes
@@ -81850,7 +81903,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_get_xattr_fs_quotas" lineno="338">
+<interface name="fs_get_xattr_fs_quotas" lineno="359">
<summary>
Get the filesystem quotas of a filesystem
with extended attributes.
@@ -81862,7 +81915,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_set_xattr_fs_quotas" lineno="358">
+<interface name="fs_set_xattr_fs_quotas" lineno="379">
<summary>
Set the filesystem quotas of a filesystem
with extended attributes.
@@ -81874,7 +81927,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_read_anon_inodefs_files" lineno="376">
+<interface name="fs_read_anon_inodefs_files" lineno="397">
<summary>
Read files on anon_inodefs file systems.
</summary>
@@ -81884,7 +81937,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_anon_inodefs_files" lineno="396">
+<interface name="fs_rw_anon_inodefs_files" lineno="417">
<summary>
Read and write files on anon_inodefs
file systems.
@@ -81895,7 +81948,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_rw_anon_inodefs_files" lineno="416">
+<interface name="fs_dontaudit_rw_anon_inodefs_files" lineno="437">
<summary>
Do not audit attempts to read or write files on
anon_inodefs file systems.
@@ -81906,7 +81959,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mount_autofs" lineno="435">
+<interface name="fs_mount_autofs" lineno="456">
<summary>
Mount an automount pseudo filesystem.
</summary>
@@ -81916,7 +81969,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_autofs" lineno="454">
+<interface name="fs_remount_autofs" lineno="475">
<summary>
Remount an automount pseudo filesystem
This allows some mount options to be changed.
@@ -81927,7 +81980,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_autofs" lineno="472">
+<interface name="fs_unmount_autofs" lineno="493">
<summary>
Unmount an automount pseudo filesystem.
</summary>
@@ -81937,7 +81990,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_autofs" lineno="491">
+<interface name="fs_getattr_autofs" lineno="512">
<summary>
Get the attributes of an automount
pseudo filesystem.
@@ -81948,7 +82001,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_auto_mountpoints" lineno="518">
+<interface name="fs_search_auto_mountpoints" lineno="539">
<summary>
Search automount filesystem to use automatically
mounted filesystems.
@@ -81967,7 +82020,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="5"/>
</interface>
-<interface name="fs_list_auto_mountpoints" lineno="538">
+<interface name="fs_list_auto_mountpoints" lineno="559">
<summary>
Read directories of automatically
mounted filesystems.
@@ -81979,7 +82032,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_list_auto_mountpoints" lineno="557">
+<interface name="fs_dontaudit_list_auto_mountpoints" lineno="578">
<summary>
Do not audit attempts to list directories of automatically
mounted filesystems.
@@ -81990,7 +82043,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_autofs_symlinks" lineno="576">
+<interface name="fs_manage_autofs_symlinks" lineno="597">
<summary>
Create, read, write, and delete symbolic links
on an autofs filesystem.
@@ -82001,7 +82054,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_binfmt_misc_dirs" lineno="595">
+<interface name="fs_getattr_binfmt_misc_dirs" lineno="616">
<summary>
Get the attributes of directories on
binfmt_misc filesystems.
@@ -82012,7 +82065,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_register_binary_executable_type" lineno="631">
+<interface name="fs_register_binary_executable_type" lineno="652">
<summary>
Register an interpreter for new binary
file types, using the kernel binfmt_misc
@@ -82039,7 +82092,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_mount_cgroup" lineno="651">
+<interface name="fs_mount_cgroup" lineno="672">
<summary>
Mount cgroup filesystems.
</summary>
@@ -82049,7 +82102,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_cgroup" lineno="669">
+<interface name="fs_remount_cgroup" lineno="690">
<summary>
Remount cgroup filesystems.
</summary>
@@ -82059,7 +82112,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_cgroup" lineno="687">
+<interface name="fs_unmount_cgroup" lineno="708">
<summary>
Unmount cgroup filesystems.
</summary>
@@ -82069,7 +82122,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_cgroup" lineno="705">
+<interface name="fs_getattr_cgroup" lineno="726">
<summary>
Get attributes of cgroup filesystems.
</summary>
@@ -82079,7 +82132,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_cgroup_dirs" lineno="723">
+<interface name="fs_search_cgroup_dirs" lineno="744">
<summary>
Search cgroup directories.
</summary>
@@ -82089,7 +82142,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_cgroup_dirs" lineno="743">
+<interface name="fs_list_cgroup_dirs" lineno="764">
<summary>
list cgroup directories.
</summary>
@@ -82099,7 +82152,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_delete_cgroup_dirs" lineno="762">
+<interface name="fs_delete_cgroup_dirs" lineno="783">
<summary>
Delete cgroup directories.
</summary>
@@ -82109,7 +82162,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_cgroup_dirs" lineno="781">
+<interface name="fs_manage_cgroup_dirs" lineno="802">
<summary>
Manage cgroup directories.
</summary>
@@ -82119,7 +82172,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_cgroup_dirs" lineno="801">
+<interface name="fs_relabel_cgroup_dirs" lineno="822">
<summary>
Relabel cgroup directories.
</summary>
@@ -82129,7 +82182,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_cgroup_files" lineno="819">
+<interface name="fs_getattr_cgroup_files" lineno="840">
<summary>
Get attributes of cgroup files.
</summary>
@@ -82139,7 +82192,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_cgroup_files" lineno="839">
+<interface name="fs_read_cgroup_files" lineno="860">
<summary>
Read cgroup files.
</summary>
@@ -82149,7 +82202,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_watch_cgroup_files" lineno="860">
+<interface name="fs_watch_cgroup_files" lineno="881">
<summary>
Watch cgroup files.
</summary>
@@ -82159,7 +82212,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_create_cgroup_links" lineno="879">
+<interface name="fs_create_cgroup_links" lineno="900">
<summary>
Create cgroup lnk_files.
</summary>
@@ -82169,7 +82222,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_write_cgroup_files" lineno="899">
+<interface name="fs_write_cgroup_files" lineno="920">
<summary>
Write cgroup files.
</summary>
@@ -82179,7 +82232,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_cgroup_files" lineno="918">
+<interface name="fs_rw_cgroup_files" lineno="939">
<summary>
Read and write cgroup files.
</summary>
@@ -82189,7 +82242,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_rw_cgroup_files" lineno="940">
+<interface name="fs_dontaudit_rw_cgroup_files" lineno="961">
<summary>
Do not audit attempts to open,
get attributes, read and write
@@ -82201,7 +82254,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_cgroup_files" lineno="958">
+<interface name="fs_manage_cgroup_files" lineno="979">
<summary>
Manage cgroup files.
</summary>
@@ -82211,7 +82264,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_cgroup_symlinks" lineno="978">
+<interface name="fs_relabel_cgroup_symlinks" lineno="999">
<summary>
Relabel cgroup symbolic links.
</summary>
@@ -82221,7 +82274,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mounton_cgroup" lineno="996">
+<interface name="fs_mounton_cgroup" lineno="1017">
<summary>
Mount on cgroup directories.
</summary>
@@ -82231,7 +82284,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_cgroup_filetrans" lineno="1030">
+<interface name="fs_cgroup_filetrans" lineno="1051">
<summary>
Create an object in a cgroup tmpfs filesystem, with a private
type using a type transition.
@@ -82257,7 +82310,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_cifs_dirs" lineno="1051">
+<interface name="fs_dontaudit_list_cifs_dirs" lineno="1072">
<summary>
Do not audit attempts to read
dirs on a CIFS or SMB filesystem.
@@ -82268,7 +82321,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mount_cifs" lineno="1069">
+<interface name="fs_mount_cifs" lineno="1090">
<summary>
Mount a CIFS or SMB network filesystem.
</summary>
@@ -82278,7 +82331,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_cifs" lineno="1088">
+<interface name="fs_remount_cifs" lineno="1109">
<summary>
Remount a CIFS or SMB network filesystem.
This allows some mount options to be changed.
@@ -82289,7 +82342,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_cifs" lineno="1106">
+<interface name="fs_unmount_cifs" lineno="1127">
<summary>
Unmount a CIFS or SMB network filesystem.
</summary>
@@ -82299,7 +82352,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_cifs" lineno="1126">
+<interface name="fs_getattr_cifs" lineno="1147">
<summary>
Get the attributes of a CIFS or
SMB network filesystem.
@@ -82311,7 +82364,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_search_cifs" lineno="1144">
+<interface name="fs_search_cifs" lineno="1165">
<summary>
Search directories on a CIFS or SMB filesystem.
</summary>
@@ -82321,7 +82374,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_cifs" lineno="1163">
+<interface name="fs_list_cifs" lineno="1184">
<summary>
List the contents of directories on a
CIFS or SMB filesystem.
@@ -82332,7 +82385,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_cifs" lineno="1182">
+<interface name="fs_dontaudit_list_cifs" lineno="1203">
<summary>
Do not audit attempts to list the contents
of directories on a CIFS or SMB filesystem.
@@ -82343,7 +82396,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mounton_cifs" lineno="1200">
+<interface name="fs_mounton_cifs" lineno="1221">
<summary>
Mounton a CIFS filesystem.
</summary>
@@ -82353,7 +82406,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_cifs_files" lineno="1219">
+<interface name="fs_read_cifs_files" lineno="1240">
<summary>
Read files on a CIFS or SMB filesystem.
</summary>
@@ -82364,7 +82417,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_read_all_inherited_image_files" lineno="1239">
+<interface name="fs_read_all_inherited_image_files" lineno="1260">
<summary>
Read all inherited filesystem image files.
</summary>
@@ -82375,7 +82428,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_read_all_image_files" lineno="1258">
+<interface name="fs_read_all_image_files" lineno="1279">
<summary>
Read all filesystem image files.
</summary>
@@ -82386,7 +82439,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_mmap_read_all_image_files" lineno="1277">
+<interface name="fs_mmap_read_all_image_files" lineno="1298">
<summary>
Mmap-read all filesystem image files.
</summary>
@@ -82397,7 +82450,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_rw_all_image_files" lineno="1296">
+<interface name="fs_rw_all_image_files" lineno="1317">
<summary>
Read and write all filesystem image files.
</summary>
@@ -82408,7 +82461,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_mmap_rw_all_image_files" lineno="1315">
+<interface name="fs_mmap_rw_all_image_files" lineno="1336">
<summary>
Mmap-Read-write all filesystem image files.
</summary>
@@ -82419,7 +82472,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_write_all_image_files" lineno="1334">
+<interface name="fs_dontaudit_write_all_image_files" lineno="1355">
<summary>
Do not audit attempts to write all filesystem image files.
</summary>
@@ -82430,7 +82483,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_getattr_noxattr_fs" lineno="1354">
+<interface name="fs_getattr_noxattr_fs" lineno="1375">
<summary>
Get the attributes of filesystems that
do not have extended attribute support.
@@ -82442,7 +82495,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_list_noxattr_fs" lineno="1372">
+<interface name="fs_list_noxattr_fs" lineno="1393">
<summary>
Read all noxattrfs directories.
</summary>
@@ -82452,7 +82505,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_noxattr_fs" lineno="1391">
+<interface name="fs_dontaudit_list_noxattr_fs" lineno="1412">
<summary>
Do not audit attempts to list all
noxattrfs directories.
@@ -82463,7 +82516,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_noxattr_fs_dirs" lineno="1409">
+<interface name="fs_manage_noxattr_fs_dirs" lineno="1430">
<summary>
Create, read, write, and delete all noxattrfs directories.
</summary>
@@ -82473,7 +82526,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_noxattr_fs_files" lineno="1427">
+<interface name="fs_read_noxattr_fs_files" lineno="1448">
<summary>
Read all noxattrfs files.
</summary>
@@ -82483,7 +82536,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1447">
+<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1468">
<summary>
Do not audit attempts to read all
noxattrfs files.
@@ -82494,7 +82547,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1465">
+<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1486">
<summary>
Dont audit attempts to write to noxattrfs files.
</summary>
@@ -82504,7 +82557,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_noxattr_fs_files" lineno="1483">
+<interface name="fs_manage_noxattr_fs_files" lineno="1504">
<summary>
Create, read, write, and delete all noxattrfs files.
</summary>
@@ -82514,7 +82567,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_noxattr_fs_symlinks" lineno="1502">
+<interface name="fs_read_noxattr_fs_symlinks" lineno="1523">
<summary>
Read all noxattrfs symbolic links.
</summary>
@@ -82524,7 +82577,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_noxattr_fs_symlinks" lineno="1521">
+<interface name="fs_manage_noxattr_fs_symlinks" lineno="1542">
<summary>
Manage all noxattrfs symbolic links.
</summary>
@@ -82534,7 +82587,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_noxattr_fs" lineno="1541">
+<interface name="fs_relabelfrom_noxattr_fs" lineno="1562">
<summary>
Relabel all objects from filesystems that
do not support extended attributes.
@@ -82545,7 +82598,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_cifs_files" lineno="1567">
+<interface name="fs_dontaudit_read_cifs_files" lineno="1588">
<summary>
Do not audit attempts to read
files on a CIFS or SMB filesystem.
@@ -82556,7 +82609,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_append_cifs_files" lineno="1587">
+<interface name="fs_append_cifs_files" lineno="1608">
<summary>
Append files
on a CIFS filesystem.
@@ -82568,7 +82621,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_append_cifs_files" lineno="1607">
+<interface name="fs_dontaudit_append_cifs_files" lineno="1628">
<summary>
dontaudit Append files
on a CIFS filesystem.
@@ -82580,7 +82633,7 @@ Domain to not audit.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_rw_cifs_files" lineno="1626">
+<interface name="fs_dontaudit_rw_cifs_files" lineno="1647">
<summary>
Do not audit attempts to read or
write files on a CIFS or SMB filesystem.
@@ -82591,7 +82644,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_read_cifs_symlinks" lineno="1644">
+<interface name="fs_read_cifs_symlinks" lineno="1665">
<summary>
Read symbolic links on a CIFS or SMB filesystem.
</summary>
@@ -82601,7 +82654,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_cifs_named_pipes" lineno="1664">
+<interface name="fs_read_cifs_named_pipes" lineno="1685">
<summary>
Read named pipes
on a CIFS or SMB network filesystem.
@@ -82612,7 +82665,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_cifs_named_sockets" lineno="1683">
+<interface name="fs_read_cifs_named_sockets" lineno="1704">
<summary>
Read named sockets
on a CIFS or SMB network filesystem.
@@ -82623,7 +82676,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_exec_cifs_files" lineno="1704">
+<interface name="fs_exec_cifs_files" lineno="1725">
<summary>
Execute files on a CIFS or SMB
network filesystem, in the caller
@@ -82636,7 +82689,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_manage_cifs_dirs" lineno="1725">
+<interface name="fs_manage_cifs_dirs" lineno="1746">
<summary>
Create, read, write, and delete directories
on a CIFS or SMB network filesystem.
@@ -82648,7 +82701,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1745">
+<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1766">
<summary>
Do not audit attempts to create, read,
write, and delete directories
@@ -82660,7 +82713,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_cifs_files" lineno="1765">
+<interface name="fs_manage_cifs_files" lineno="1786">
<summary>
Create, read, write, and delete files
on a CIFS or SMB network filesystem.
@@ -82672,7 +82725,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_cifs_files" lineno="1785">
+<interface name="fs_dontaudit_manage_cifs_files" lineno="1806">
<summary>
Do not audit attempts to create, read,
write, and delete files
@@ -82684,7 +82737,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_cifs_symlinks" lineno="1804">
+<interface name="fs_manage_cifs_symlinks" lineno="1825">
<summary>
Create, read, write, and delete symbolic links
on a CIFS or SMB network filesystem.
@@ -82695,7 +82748,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_cifs_named_pipes" lineno="1823">
+<interface name="fs_manage_cifs_named_pipes" lineno="1844">
<summary>
Create, read, write, and delete named pipes
on a CIFS or SMB network filesystem.
@@ -82706,7 +82759,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_cifs_named_sockets" lineno="1842">
+<interface name="fs_manage_cifs_named_sockets" lineno="1863">
<summary>
Create, read, write, and delete named sockets
on a CIFS or SMB network filesystem.
@@ -82717,7 +82770,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_cifs_domtrans" lineno="1885">
+<interface name="fs_cifs_domtrans" lineno="1906">
<summary>
Execute a file on a CIFS or SMB filesystem
in the specified domain.
@@ -82752,7 +82805,7 @@ The type of the new process.
</summary>
</param>
</interface>
-<interface name="fs_manage_configfs_dirs" lineno="1905">
+<interface name="fs_manage_configfs_dirs" lineno="1926">
<summary>
Create, read, write, and delete dirs
on a configfs filesystem.
@@ -82763,7 +82816,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_configfs_files" lineno="1924">
+<interface name="fs_manage_configfs_files" lineno="1945">
<summary>
Create, read, write, and delete files
on a configfs filesystem.
@@ -82774,7 +82827,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_dos_fs" lineno="1943">
+<interface name="fs_mount_dos_fs" lineno="1964">
<summary>
Mount a DOS filesystem, such as
FAT32 or NTFS.
@@ -82785,7 +82838,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_dos_fs" lineno="1963">
+<interface name="fs_remount_dos_fs" lineno="1984">
<summary>
Remount a DOS filesystem, such as
FAT32 or NTFS. This allows
@@ -82797,7 +82850,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_dos_fs" lineno="1982">
+<interface name="fs_unmount_dos_fs" lineno="2003">
<summary>
Unmount a DOS filesystem, such as
FAT32 or NTFS.
@@ -82808,7 +82861,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_dos_fs" lineno="2002">
+<interface name="fs_getattr_dos_fs" lineno="2023">
<summary>
Get the attributes of a DOS
filesystem, such as FAT32 or NTFS.
@@ -82820,7 +82873,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_relabelfrom_dos_fs" lineno="2021">
+<interface name="fs_relabelfrom_dos_fs" lineno="2042">
<summary>
Allow changing of the label of a
DOS filesystem using the context= mount option.
@@ -82831,7 +82884,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_dos_dirs" lineno="2039">
+<interface name="fs_getattr_dos_dirs" lineno="2060">
<summary>
Get attributes of directories on a dosfs filesystem.
</summary>
@@ -82841,7 +82894,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_dos" lineno="2057">
+<interface name="fs_search_dos" lineno="2078">
<summary>
Search dosfs filesystem.
</summary>
@@ -82851,7 +82904,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_dos" lineno="2075">
+<interface name="fs_list_dos" lineno="2096">
<summary>
List dirs DOS filesystem.
</summary>
@@ -82861,7 +82914,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_dos_dirs" lineno="2094">
+<interface name="fs_manage_dos_dirs" lineno="2115">
<summary>
Create, read, write, and delete dirs
on a DOS filesystem.
@@ -82872,7 +82925,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_dos_files" lineno="2112">
+<interface name="fs_read_dos_files" lineno="2133">
<summary>
Read files on a DOS filesystem.
</summary>
@@ -82882,7 +82935,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mmap_read_dos_files" lineno="2130">
+<interface name="fs_mmap_read_dos_files" lineno="2151">
<summary>
Read and map files on a DOS filesystem.
</summary>
@@ -82892,7 +82945,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_dos_files" lineno="2150">
+<interface name="fs_manage_dos_files" lineno="2171">
<summary>
Create, read, write, and delete files
on a DOS filesystem.
@@ -82903,7 +82956,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_efivars" lineno="2168">
+<interface name="fs_getattr_efivarfs" lineno="2189">
+<summary>
+Get the attributes of efivarfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_list_efivars" lineno="2207">
<summary>
List dirs in efivarfs filesystem.
</summary>
@@ -82913,7 +82976,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_efivarfs_files" lineno="2188">
+<interface name="fs_read_efivarfs_files" lineno="2227">
<summary>
Read files in efivarfs
- contains Linux Kernel configuration options for UEFI systems
@@ -82925,7 +82988,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_manage_efivarfs_files" lineno="2208">
+<interface name="fs_manage_efivarfs_files" lineno="2247">
<summary>
Create, read, write, and delete files
on a efivarfs filesystem.
@@ -82937,7 +83000,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_fusefs" lineno="2226">
+<interface name="fs_getattr_fusefs" lineno="2265">
<summary>
stat a FUSE filesystem
</summary>
@@ -82947,7 +83010,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_fusefs" lineno="2244">
+<interface name="fs_mount_fusefs" lineno="2283">
<summary>
Mount a FUSE filesystem.
</summary>
@@ -82957,7 +83020,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_fusefs" lineno="2262">
+<interface name="fs_unmount_fusefs" lineno="2301">
<summary>
Unmount a FUSE filesystem.
</summary>
@@ -82967,7 +83030,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mounton_fusefs" lineno="2280">
+<interface name="fs_mounton_fusefs" lineno="2319">
<summary>
Mounton a FUSEFS filesystem.
</summary>
@@ -82977,7 +83040,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_fusefs" lineno="2300">
+<interface name="fs_search_fusefs" lineno="2339">
<summary>
Search directories
on a FUSEFS filesystem.
@@ -82989,7 +83052,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_list_fusefs" lineno="2319">
+<interface name="fs_dontaudit_list_fusefs" lineno="2358">
<summary>
Do not audit attempts to list the contents
of directories on a FUSEFS filesystem.
@@ -83000,7 +83063,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_fusefs_dirs" lineno="2339">
+<interface name="fs_manage_fusefs_dirs" lineno="2378">
<summary>
Create, read, write, and delete directories
on a FUSEFS filesystem.
@@ -83012,7 +83075,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2359">
+<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2398">
<summary>
Do not audit attempts to create, read,
write, and delete directories
@@ -83024,7 +83087,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_read_fusefs_files" lineno="2378">
+<interface name="fs_read_fusefs_files" lineno="2417">
<summary>
Read, a FUSEFS filesystem.
</summary>
@@ -83035,7 +83098,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_exec_fusefs_files" lineno="2397">
+<interface name="fs_exec_fusefs_files" lineno="2436">
<summary>
Execute files on a FUSEFS filesystem.
</summary>
@@ -83046,7 +83109,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_manage_fusefs_files" lineno="2417">
+<interface name="fs_manage_fusefs_files" lineno="2456">
<summary>
Create, read, write, and delete files
on a FUSEFS filesystem.
@@ -83058,7 +83121,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_fusefs_files" lineno="2437">
+<interface name="fs_dontaudit_manage_fusefs_files" lineno="2476">
<summary>
Do not audit attempts to create,
read, write, and delete files
@@ -83070,7 +83133,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_read_fusefs_symlinks" lineno="2455">
+<interface name="fs_read_fusefs_symlinks" lineno="2494">
<summary>
Read symbolic links on a FUSEFS filesystem.
</summary>
@@ -83080,7 +83143,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_hugetlbfs" lineno="2475">
+<interface name="fs_getattr_hugetlbfs" lineno="2514">
<summary>
Get the attributes of an hugetlbfs
filesystem.
@@ -83091,7 +83154,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_hugetlbfs" lineno="2493">
+<interface name="fs_list_hugetlbfs" lineno="2532">
<summary>
List hugetlbfs.
</summary>
@@ -83101,7 +83164,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_hugetlbfs_dirs" lineno="2511">
+<interface name="fs_manage_hugetlbfs_dirs" lineno="2550">
<summary>
Manage hugetlbfs dirs.
</summary>
@@ -83111,7 +83174,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_inherited_hugetlbfs_files" lineno="2529">
+<interface name="fs_rw_inherited_hugetlbfs_files" lineno="2568">
<summary>
Read and write inherited hugetlbfs files.
</summary>
@@ -83121,7 +83184,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_hugetlbfs_files" lineno="2547">
+<interface name="fs_rw_hugetlbfs_files" lineno="2586">
<summary>
Read and write hugetlbfs files.
</summary>
@@ -83131,7 +83194,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mmap_rw_hugetlbfs_files" lineno="2565">
+<interface name="fs_mmap_rw_hugetlbfs_files" lineno="2604">
<summary>
Read, map and write hugetlbfs files.
</summary>
@@ -83141,7 +83204,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_associate_hugetlbfs" lineno="2584">
+<interface name="fs_associate_hugetlbfs" lineno="2623">
<summary>
Allow the type to associate to hugetlbfs filesystems.
</summary>
@@ -83151,7 +83214,7 @@ The type of the object to be associated.
</summary>
</param>
</interface>
-<interface name="fs_search_inotifyfs" lineno="2602">
+<interface name="fs_search_inotifyfs" lineno="2641">
<summary>
Search inotifyfs filesystem.
</summary>
@@ -83161,7 +83224,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_inotifyfs" lineno="2620">
+<interface name="fs_list_inotifyfs" lineno="2659">
<summary>
List inotifyfs filesystem.
</summary>
@@ -83171,7 +83234,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_inotifyfs" lineno="2638">
+<interface name="fs_dontaudit_list_inotifyfs" lineno="2677">
<summary>
Dontaudit List inotifyfs filesystem.
</summary>
@@ -83181,7 +83244,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_hugetlbfs_filetrans" lineno="2672">
+<interface name="fs_hugetlbfs_filetrans" lineno="2711">
<summary>
Create an object in a hugetlbfs filesystem, with a private
type using a type transition.
@@ -83207,7 +83270,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="fs_mount_iso9660_fs" lineno="2692">
+<interface name="fs_mount_iso9660_fs" lineno="2731">
<summary>
Mount an iso9660 filesystem, which
is usually used on CDs.
@@ -83218,7 +83281,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_iso9660_fs" lineno="2712">
+<interface name="fs_remount_iso9660_fs" lineno="2751">
<summary>
Remount an iso9660 filesystem, which
is usually used on CDs. This allows
@@ -83230,7 +83293,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_iso9660_fs" lineno="2731">
+<interface name="fs_relabelfrom_iso9660_fs" lineno="2770">
<summary>
Allow changing of the label of a
filesystem with iso9660 type
@@ -83241,7 +83304,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_iso9660_fs" lineno="2750">
+<interface name="fs_unmount_iso9660_fs" lineno="2789">
<summary>
Unmount an iso9660 filesystem, which
is usually used on CDs.
@@ -83252,7 +83315,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_iso9660_fs" lineno="2770">
+<interface name="fs_getattr_iso9660_fs" lineno="2809">
<summary>
Get the attributes of an iso9660
filesystem, which is usually used on CDs.
@@ -83264,7 +83327,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_getattr_iso9660_files" lineno="2789">
+<interface name="fs_getattr_iso9660_files" lineno="2828">
<summary>
Get the attributes of files on an iso9660
filesystem, which is usually used on CDs.
@@ -83275,7 +83338,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_iso9660_files" lineno="2809">
+<interface name="fs_read_iso9660_files" lineno="2848">
<summary>
Read files on an iso9660 filesystem, which
is usually used on CDs.
@@ -83286,7 +83349,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_nfs" lineno="2829">
+<interface name="fs_mount_nfs" lineno="2868">
<summary>
Mount a NFS filesystem.
</summary>
@@ -83296,7 +83359,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_nfs" lineno="2848">
+<interface name="fs_remount_nfs" lineno="2887">
<summary>
Remount a NFS filesystem. This allows
some mount options to be changed.
@@ -83307,7 +83370,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_nfs" lineno="2866">
+<interface name="fs_unmount_nfs" lineno="2905">
<summary>
Unmount a NFS filesystem.
</summary>
@@ -83317,7 +83380,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_nfs" lineno="2885">
+<interface name="fs_getattr_nfs" lineno="2924">
<summary>
Get the attributes of a NFS filesystem.
</summary>
@@ -83328,7 +83391,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_search_nfs" lineno="2903">
+<interface name="fs_search_nfs" lineno="2942">
<summary>
Search directories on a NFS filesystem.
</summary>
@@ -83338,7 +83401,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_nfs" lineno="2921">
+<interface name="fs_list_nfs" lineno="2960">
<summary>
List NFS filesystem.
</summary>
@@ -83348,7 +83411,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_nfs" lineno="2940">
+<interface name="fs_dontaudit_list_nfs" lineno="2979">
<summary>
Do not audit attempts to list the contents
of directories on a NFS filesystem.
@@ -83359,7 +83422,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mounton_nfs" lineno="2958">
+<interface name="fs_mounton_nfs" lineno="2997">
<summary>
Mounton a NFS filesystem.
</summary>
@@ -83369,7 +83432,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_nfs_files" lineno="2977">
+<interface name="fs_read_nfs_files" lineno="3016">
<summary>
Read files on a NFS filesystem.
</summary>
@@ -83380,7 +83443,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_read_nfs_files" lineno="2997">
+<interface name="fs_dontaudit_read_nfs_files" lineno="3036">
<summary>
Do not audit attempts to read
files on a NFS filesystem.
@@ -83391,7 +83454,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_write_nfs_files" lineno="3015">
+<interface name="fs_write_nfs_files" lineno="3054">
<summary>
Read files on a NFS filesystem.
</summary>
@@ -83401,7 +83464,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_exec_nfs_files" lineno="3035">
+<interface name="fs_exec_nfs_files" lineno="3074">
<summary>
Execute files on a NFS filesystem.
</summary>
@@ -83412,7 +83475,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_append_nfs_files" lineno="3056">
+<interface name="fs_append_nfs_files" lineno="3095">
<summary>
Append files
on a NFS filesystem.
@@ -83424,7 +83487,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_append_nfs_files" lineno="3076">
+<interface name="fs_dontaudit_append_nfs_files" lineno="3115">
<summary>
dontaudit Append files
on a NFS filesystem.
@@ -83436,7 +83499,7 @@ Domain to not audit.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_rw_nfs_files" lineno="3095">
+<interface name="fs_dontaudit_rw_nfs_files" lineno="3134">
<summary>
Do not audit attempts to read or
write files on a NFS filesystem.
@@ -83447,7 +83510,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_read_nfs_symlinks" lineno="3113">
+<interface name="fs_read_nfs_symlinks" lineno="3152">
<summary>
Read symbolic links on a NFS filesystem.
</summary>
@@ -83457,7 +83520,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3132">
+<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3171">
<summary>
Dontaudit read symbolic links on a NFS filesystem.
</summary>
@@ -83467,7 +83530,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_read_nfs_named_sockets" lineno="3150">
+<interface name="fs_read_nfs_named_sockets" lineno="3189">
<summary>
Read named sockets on a NFS filesystem.
</summary>
@@ -83477,7 +83540,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_nfs_named_pipes" lineno="3169">
+<interface name="fs_read_nfs_named_pipes" lineno="3208">
<summary>
Read named pipes on a NFS network filesystem.
</summary>
@@ -83488,7 +83551,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_getattr_rpc_dirs" lineno="3188">
+<interface name="fs_getattr_rpc_dirs" lineno="3227">
<summary>
Get the attributes of directories of RPC
file system pipes.
@@ -83499,7 +83562,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_rpc" lineno="3207">
+<interface name="fs_search_rpc" lineno="3246">
<summary>
Search directories of RPC file system pipes.
</summary>
@@ -83509,7 +83572,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_removable" lineno="3225">
+<interface name="fs_search_removable" lineno="3264">
<summary>
Search removable storage directories.
</summary>
@@ -83519,7 +83582,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_removable" lineno="3243">
+<interface name="fs_dontaudit_list_removable" lineno="3282">
<summary>
Do not audit attempts to list removable storage directories.
</summary>
@@ -83529,7 +83592,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="fs_read_removable_files" lineno="3261">
+<interface name="fs_read_removable_files" lineno="3300">
<summary>
Read removable storage files.
</summary>
@@ -83539,7 +83602,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_removable_files" lineno="3279">
+<interface name="fs_dontaudit_read_removable_files" lineno="3318">
<summary>
Do not audit attempts to read removable storage files.
</summary>
@@ -83549,7 +83612,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_write_removable_files" lineno="3297">
+<interface name="fs_dontaudit_write_removable_files" lineno="3336">
<summary>
Do not audit attempts to write removable storage files.
</summary>
@@ -83559,7 +83622,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="fs_read_removable_symlinks" lineno="3315">
+<interface name="fs_read_removable_symlinks" lineno="3354">
<summary>
Read removable storage symbolic links.
</summary>
@@ -83569,7 +83632,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_removable_blk_files" lineno="3333">
+<interface name="fs_read_removable_blk_files" lineno="3372">
<summary>
Read block nodes on removable filesystems.
</summary>
@@ -83579,7 +83642,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_removable_blk_files" lineno="3352">
+<interface name="fs_rw_removable_blk_files" lineno="3391">
<summary>
Read and write block nodes on removable filesystems.
</summary>
@@ -83589,7 +83652,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_rpc" lineno="3371">
+<interface name="fs_list_rpc" lineno="3410">
<summary>
Read directories of RPC file system pipes.
</summary>
@@ -83599,7 +83662,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_rpc_files" lineno="3389">
+<interface name="fs_read_rpc_files" lineno="3428">
<summary>
Read files of RPC file system pipes.
</summary>
@@ -83609,7 +83672,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_rpc_symlinks" lineno="3407">
+<interface name="fs_read_rpc_symlinks" lineno="3446">
<summary>
Read symbolic links of RPC file system pipes.
</summary>
@@ -83619,7 +83682,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_rpc_sockets" lineno="3425">
+<interface name="fs_read_rpc_sockets" lineno="3464">
<summary>
Read sockets of RPC file system pipes.
</summary>
@@ -83629,7 +83692,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_rpc_sockets" lineno="3443">
+<interface name="fs_rw_rpc_sockets" lineno="3482">
<summary>
Read and write sockets of RPC file system pipes.
</summary>
@@ -83639,7 +83702,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_nfs_dirs" lineno="3463">
+<interface name="fs_manage_nfs_dirs" lineno="3502">
<summary>
Create, read, write, and delete directories
on a NFS filesystem.
@@ -83651,7 +83714,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_nfs_dirs" lineno="3483">
+<interface name="fs_dontaudit_manage_nfs_dirs" lineno="3522">
<summary>
Do not audit attempts to create, read,
write, and delete directories
@@ -83663,7 +83726,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_nfs_files" lineno="3503">
+<interface name="fs_manage_nfs_files" lineno="3542">
<summary>
Create, read, write, and delete files
on a NFS filesystem.
@@ -83675,7 +83738,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_nfs_files" lineno="3523">
+<interface name="fs_dontaudit_manage_nfs_files" lineno="3562">
<summary>
Do not audit attempts to create,
read, write, and delete files
@@ -83687,7 +83750,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_nfs_symlinks" lineno="3543">
+<interface name="fs_manage_nfs_symlinks" lineno="3582">
<summary>
Create, read, write, and delete symbolic links
on a NFS network filesystem.
@@ -83699,7 +83762,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_manage_nfs_named_pipes" lineno="3562">
+<interface name="fs_manage_nfs_named_pipes" lineno="3601">
<summary>
Create, read, write, and delete named pipes
on a NFS filesystem.
@@ -83710,7 +83773,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_nfs_named_sockets" lineno="3581">
+<interface name="fs_manage_nfs_named_sockets" lineno="3620">
<summary>
Create, read, write, and delete named sockets
on a NFS filesystem.
@@ -83721,7 +83784,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_nfs_domtrans" lineno="3624">
+<interface name="fs_nfs_domtrans" lineno="3663">
<summary>
Execute a file on a NFS filesystem
in the specified domain.
@@ -83756,7 +83819,7 @@ The type of the new process.
</summary>
</param>
</interface>
-<interface name="fs_mount_nfsd_fs" lineno="3643">
+<interface name="fs_mount_nfsd_fs" lineno="3682">
<summary>
Mount a NFS server pseudo filesystem.
</summary>
@@ -83766,7 +83829,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_nfsd_fs" lineno="3662">
+<interface name="fs_remount_nfsd_fs" lineno="3701">
<summary>
Mount a NFS server pseudo filesystem.
This allows some mount options to be changed.
@@ -83777,7 +83840,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_nfsd_fs" lineno="3680">
+<interface name="fs_unmount_nfsd_fs" lineno="3719">
<summary>
Unmount a NFS server pseudo filesystem.
</summary>
@@ -83787,7 +83850,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_nfsd_fs" lineno="3699">
+<interface name="fs_getattr_nfsd_fs" lineno="3738">
<summary>
Get the attributes of a NFS server
pseudo filesystem.
@@ -83798,7 +83861,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_nfsd_fs" lineno="3717">
+<interface name="fs_search_nfsd_fs" lineno="3756">
<summary>
Search NFS server directories.
</summary>
@@ -83808,7 +83871,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_nfsd_fs" lineno="3735">
+<interface name="fs_list_nfsd_fs" lineno="3774">
<summary>
List NFS server directories.
</summary>
@@ -83818,7 +83881,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_nfsd_files" lineno="3753">
+<interface name="fs_watch_nfsd_dirs" lineno="3792">
+<summary>
+Watch NFS server directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_getattr_nfsd_files" lineno="3810">
<summary>
Getattr files on an nfsd filesystem
</summary>
@@ -83828,7 +83901,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_nfsd_fs" lineno="3771">
+<interface name="fs_rw_nfsd_fs" lineno="3828">
<summary>
Read and write NFS server files.
</summary>
@@ -83838,7 +83911,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_nsfs_files" lineno="3789">
+<interface name="fs_read_nsfs_files" lineno="3846">
<summary>
Read nsfs inodes (e.g. /proc/pid/ns/uts)
</summary>
@@ -83848,7 +83921,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_nsfs" lineno="3807">
+<interface name="fs_unmount_nsfs" lineno="3864">
<summary>
Unmount an nsfs filesystem.
</summary>
@@ -83858,7 +83931,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_pstorefs" lineno="3825">
+<interface name="fs_getattr_pstorefs" lineno="3882">
<summary>
Get the attributes of a pstore filesystem.
</summary>
@@ -83868,7 +83941,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_pstore_dirs" lineno="3844">
+<interface name="fs_getattr_pstore_dirs" lineno="3901">
<summary>
Get the attributes of directories
of a pstore filesystem.
@@ -83879,7 +83952,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_pstore_dirs" lineno="3863">
+<interface name="fs_create_pstore_dirs" lineno="3920">
+<summary>
+Create pstore directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabel_pstore_dirs" lineno="3939">
<summary>
Relabel to/from pstore_t directories.
</summary>
@@ -83889,7 +83972,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_pstore_dirs" lineno="3882">
+<interface name="fs_list_pstore_dirs" lineno="3958">
<summary>
List the directories
of a pstore filesystem.
@@ -83900,7 +83983,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_pstore_files" lineno="3901">
+<interface name="fs_read_pstore_files" lineno="3977">
<summary>
Read pstore_t files
</summary>
@@ -83910,7 +83993,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_delete_pstore_files" lineno="3920">
+<interface name="fs_delete_pstore_files" lineno="3996">
<summary>
Delete the files
of a pstore filesystem.
@@ -83921,7 +84004,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_associate_ramfs" lineno="3939">
+<interface name="fs_associate_ramfs" lineno="4015">
<summary>
Allow the type to associate to ramfs filesystems.
</summary>
@@ -83931,7 +84014,7 @@ The type of the object to be associated.
</summary>
</param>
</interface>
-<interface name="fs_mount_ramfs" lineno="3957">
+<interface name="fs_mount_ramfs" lineno="4033">
<summary>
Mount a RAM filesystem.
</summary>
@@ -83941,7 +84024,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_ramfs" lineno="3976">
+<interface name="fs_remount_ramfs" lineno="4052">
<summary>
Remount a RAM filesystem. This allows
some mount options to be changed.
@@ -83952,7 +84035,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_ramfs" lineno="3994">
+<interface name="fs_unmount_ramfs" lineno="4070">
<summary>
Unmount a RAM filesystem.
</summary>
@@ -83962,7 +84045,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_ramfs" lineno="4012">
+<interface name="fs_getattr_ramfs" lineno="4088">
<summary>
Get the attributes of a RAM filesystem.
</summary>
@@ -83972,7 +84055,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_ramfs" lineno="4030">
+<interface name="fs_search_ramfs" lineno="4106">
<summary>
Search directories on a ramfs
</summary>
@@ -83982,7 +84065,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_search_ramfs" lineno="4048">
+<interface name="fs_dontaudit_search_ramfs" lineno="4124">
<summary>
Dontaudit Search directories on a ramfs
</summary>
@@ -83992,7 +84075,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_ramfs_dirs" lineno="4067">
+<interface name="fs_manage_ramfs_dirs" lineno="4143">
<summary>
Create, read, write, and delete
directories on a ramfs.
@@ -84003,7 +84086,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_ramfs_files" lineno="4085">
+<interface name="fs_dontaudit_read_ramfs_files" lineno="4161">
<summary>
Dontaudit read on a ramfs files.
</summary>
@@ -84013,7 +84096,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4103">
+<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4179">
<summary>
Dontaudit read on a ramfs fifo_files.
</summary>
@@ -84023,7 +84106,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_ramfs_files" lineno="4122">
+<interface name="fs_manage_ramfs_files" lineno="4198">
<summary>
Create, read, write, and delete
files on a ramfs filesystem.
@@ -84034,7 +84117,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_write_ramfs_pipes" lineno="4140">
+<interface name="fs_write_ramfs_pipes" lineno="4216">
<summary>
Write to named pipe on a ramfs filesystem.
</summary>
@@ -84044,7 +84127,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_write_ramfs_pipes" lineno="4159">
+<interface name="fs_dontaudit_write_ramfs_pipes" lineno="4235">
<summary>
Do not audit attempts to write to named
pipes on a ramfs filesystem.
@@ -84055,7 +84138,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_rw_ramfs_pipes" lineno="4177">
+<interface name="fs_rw_ramfs_pipes" lineno="4253">
<summary>
Read and write a named pipe on a ramfs filesystem.
</summary>
@@ -84065,7 +84148,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_ramfs_pipes" lineno="4196">
+<interface name="fs_manage_ramfs_pipes" lineno="4272">
<summary>
Create, read, write, and delete
named pipes on a ramfs filesystem.
@@ -84076,7 +84159,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_write_ramfs_sockets" lineno="4214">
+<interface name="fs_write_ramfs_sockets" lineno="4290">
<summary>
Write to named socket on a ramfs filesystem.
</summary>
@@ -84086,7 +84169,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_ramfs_sockets" lineno="4233">
+<interface name="fs_manage_ramfs_sockets" lineno="4309">
<summary>
Create, read, write, and delete
named sockets on a ramfs filesystem.
@@ -84097,7 +84180,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_romfs" lineno="4251">
+<interface name="fs_mount_romfs" lineno="4327">
<summary>
Mount a ROM filesystem.
</summary>
@@ -84107,7 +84190,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_romfs" lineno="4270">
+<interface name="fs_remount_romfs" lineno="4346">
<summary>
Remount a ROM filesystem. This allows
some mount options to be changed.
@@ -84118,7 +84201,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_romfs" lineno="4288">
+<interface name="fs_unmount_romfs" lineno="4364">
<summary>
Unmount a ROM filesystem.
</summary>
@@ -84128,7 +84211,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_romfs" lineno="4307">
+<interface name="fs_getattr_romfs" lineno="4383">
<summary>
Get the attributes of a ROM
filesystem.
@@ -84139,7 +84222,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_rpc_pipefs" lineno="4325">
+<interface name="fs_mount_rpc_pipefs" lineno="4401">
<summary>
Mount a RPC pipe filesystem.
</summary>
@@ -84149,7 +84232,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_rpc_pipefs" lineno="4344">
+<interface name="fs_remount_rpc_pipefs" lineno="4420">
<summary>
Remount a RPC pipe filesystem. This
allows some mount option to be changed.
@@ -84160,7 +84243,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_rpc_pipefs" lineno="4362">
+<interface name="fs_unmount_rpc_pipefs" lineno="4438">
<summary>
Unmount a RPC pipe filesystem.
</summary>
@@ -84170,7 +84253,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_rpc_pipefs" lineno="4381">
+<interface name="fs_getattr_rpc_pipefs" lineno="4457">
<summary>
Get the attributes of a RPC pipe
filesystem.
@@ -84181,7 +84264,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_rpc_named_pipes" lineno="4399">
+<interface name="fs_rw_rpc_named_pipes" lineno="4475">
<summary>
Read and write RPC pipe filesystem named pipes.
</summary>
@@ -84191,7 +84274,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_tmpfs" lineno="4417">
+<interface name="fs_mount_tmpfs" lineno="4493">
<summary>
Mount a tmpfs filesystem.
</summary>
@@ -84201,7 +84284,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_tmpfs" lineno="4435">
+<interface name="fs_remount_tmpfs" lineno="4511">
<summary>
Remount a tmpfs filesystem.
</summary>
@@ -84211,7 +84294,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_tmpfs" lineno="4453">
+<interface name="fs_unmount_tmpfs" lineno="4529">
<summary>
Unmount a tmpfs filesystem.
</summary>
@@ -84221,7 +84304,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_tmpfs" lineno="4471">
+<interface name="fs_dontaudit_getattr_tmpfs" lineno="4547">
<summary>
Do not audit getting the attributes of a tmpfs filesystem
</summary>
@@ -84231,7 +84314,7 @@ Domain to not audit
</summary>
</param>
</interface>
-<interface name="fs_getattr_tmpfs" lineno="4491">
+<interface name="fs_getattr_tmpfs" lineno="4567">
<summary>
Get the attributes of a tmpfs
filesystem.
@@ -84243,7 +84326,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_associate_tmpfs" lineno="4509">
+<interface name="fs_associate_tmpfs" lineno="4585">
<summary>
Allow the type to associate to tmpfs filesystems.
</summary>
@@ -84253,7 +84336,7 @@ The type of the object to be associated.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_tmpfs" lineno="4527">
+<interface name="fs_relabelfrom_tmpfs" lineno="4603">
<summary>
Relabel from tmpfs filesystem.
</summary>
@@ -84263,7 +84346,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_tmpfs_dirs" lineno="4545">
+<interface name="fs_getattr_tmpfs_dirs" lineno="4621">
<summary>
Get the attributes of tmpfs directories.
</summary>
@@ -84273,7 +84356,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="4564">
+<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="4640">
<summary>
Do not audit attempts to get the attributes
of tmpfs directories.
@@ -84284,7 +84367,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mounton_tmpfs" lineno="4582">
+<interface name="fs_mounton_tmpfs" lineno="4658">
<summary>
Mount on tmpfs directories.
</summary>
@@ -84294,7 +84377,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mounton_tmpfs_files" lineno="4600">
+<interface name="fs_mounton_tmpfs_files" lineno="4676">
<summary>
Mount on tmpfs files.
</summary>
@@ -84304,7 +84387,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_setattr_tmpfs_dirs" lineno="4618">
+<interface name="fs_setattr_tmpfs_dirs" lineno="4694">
<summary>
Set the attributes of tmpfs directories.
</summary>
@@ -84314,7 +84397,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_tmpfs" lineno="4636">
+<interface name="fs_search_tmpfs" lineno="4712">
<summary>
Search tmpfs directories.
</summary>
@@ -84324,7 +84407,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_tmpfs" lineno="4654">
+<interface name="fs_list_tmpfs" lineno="4730">
<summary>
List the contents of generic tmpfs directories.
</summary>
@@ -84334,7 +84417,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_list_tmpfs" lineno="4673">
+<interface name="fs_dontaudit_list_tmpfs" lineno="4749">
<summary>
Do not audit attempts to list the
contents of generic tmpfs directories.
@@ -84345,7 +84428,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_dirs" lineno="4692">
+<interface name="fs_manage_tmpfs_dirs" lineno="4768">
<summary>
Create, read, write, and delete
tmpfs directories
@@ -84356,7 +84439,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="4711">
+<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="4787">
<summary>
Do not audit attempts to write
tmpfs directories
@@ -84367,7 +84450,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_tmpfs_dirs" lineno="4729">
+<interface name="fs_relabelfrom_tmpfs_dirs" lineno="4805">
<summary>
Relabel from tmpfs_t dir
</summary>
@@ -84377,7 +84460,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_tmpfs_dirs" lineno="4747">
+<interface name="fs_relabel_tmpfs_dirs" lineno="4823">
<summary>
Relabel directory on tmpfs filesystems.
</summary>
@@ -84387,7 +84470,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_tmpfs_filetrans" lineno="4780">
+<interface name="fs_tmpfs_filetrans" lineno="4856">
<summary>
Create an object in a tmpfs filesystem, with a private
type using a type transition.
@@ -84413,7 +84496,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="4800">
+<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="4876">
<summary>
Do not audit attempts to getattr
generic tmpfs files.
@@ -84424,7 +84507,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_rw_tmpfs_files" lineno="4819">
+<interface name="fs_dontaudit_rw_tmpfs_files" lineno="4895">
<summary>
Do not audit attempts to read or write
generic tmpfs files.
@@ -84435,7 +84518,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_delete_tmpfs_symlinks" lineno="4837">
+<interface name="fs_delete_tmpfs_symlinks" lineno="4913">
<summary>
Delete tmpfs symbolic links.
</summary>
@@ -84445,7 +84528,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_auto_mountpoints" lineno="4856">
+<interface name="fs_manage_auto_mountpoints" lineno="4932">
<summary>
Create, read, write, and delete
auto moutpoints.
@@ -84456,7 +84539,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_tmpfs_files" lineno="4874">
+<interface name="fs_read_tmpfs_files" lineno="4950">
<summary>
Read generic tmpfs files.
</summary>
@@ -84466,7 +84549,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_tmpfs_files" lineno="4892">
+<interface name="fs_rw_tmpfs_files" lineno="4968">
<summary>
Read and write generic tmpfs files.
</summary>
@@ -84476,7 +84559,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_tmpfs_files" lineno="4910">
+<interface name="fs_relabel_tmpfs_files" lineno="4986">
<summary>
Relabel files on tmpfs filesystems.
</summary>
@@ -84486,7 +84569,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_read_tmpfs_symlinks" lineno="4928">
+<interface name="fs_read_tmpfs_symlinks" lineno="5004">
<summary>
Read tmpfs link files.
</summary>
@@ -84496,7 +84579,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_tmpfs_sockets" lineno="4946">
+<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5022">
<summary>
Relabelfrom socket files on tmpfs filesystems.
</summary>
@@ -84506,7 +84589,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="4964">
+<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5040">
<summary>
Relabelfrom tmpfs link files.
</summary>
@@ -84516,7 +84599,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_tmpfs_chr_files" lineno="4982">
+<interface name="fs_rw_tmpfs_chr_files" lineno="5058">
<summary>
Read and write character nodes on tmpfs filesystems.
</summary>
@@ -84526,7 +84609,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5001">
+<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5077">
<summary>
dontaudit Read and write character nodes on tmpfs filesystems.
</summary>
@@ -84536,7 +84619,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_relabel_tmpfs_chr_file" lineno="5020">
+<interface name="fs_relabel_tmpfs_chr_files" lineno="5096">
<summary>
Relabel character nodes on tmpfs filesystems.
</summary>
@@ -84546,7 +84629,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_rw_tmpfs_blk_files" lineno="5039">
+<interface name="fs_relabel_tmpfs_chr_file" lineno="5115">
+<summary>
+Relabel character nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_rw_tmpfs_blk_files" lineno="5130">
<summary>
Read and write block nodes on tmpfs filesystems.
</summary>
@@ -84556,7 +84649,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_relabel_tmpfs_blk_file" lineno="5058">
+<interface name="fs_relabel_tmpfs_blk_files" lineno="5149">
+<summary>
+Relabel block nodes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_relabel_tmpfs_blk_file" lineno="5168">
<summary>
Relabel block nodes on tmpfs filesystems.
</summary>
@@ -84566,7 +84669,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_files" lineno="5078">
+<interface name="fs_relabel_tmpfs_fifo_files" lineno="5183">
+<summary>
+Relabel named pipes on tmpfs filesystems.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="fs_manage_tmpfs_files" lineno="5203">
<summary>
Read and write, create and delete generic
files on tmpfs filesystems.
@@ -84577,7 +84690,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_symlinks" lineno="5097">
+<interface name="fs_manage_tmpfs_symlinks" lineno="5222">
<summary>
Read and write, create and delete symbolic
links on tmpfs filesystems.
@@ -84588,7 +84701,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_sockets" lineno="5116">
+<interface name="fs_manage_tmpfs_sockets" lineno="5241">
<summary>
Read and write, create and delete socket
files on tmpfs filesystems.
@@ -84599,7 +84712,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_chr_files" lineno="5135">
+<interface name="fs_manage_tmpfs_chr_files" lineno="5260">
<summary>
Read and write, create and delete character
nodes on tmpfs filesystems.
@@ -84610,7 +84723,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_tmpfs_blk_files" lineno="5154">
+<interface name="fs_manage_tmpfs_blk_files" lineno="5279">
<summary>
Read and write, create and delete block nodes
on tmpfs filesystems.
@@ -84621,7 +84734,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_tracefs" lineno="5172">
+<interface name="fs_getattr_tracefs" lineno="5297">
<summary>
Get the attributes of a trace filesystem.
</summary>
@@ -84631,7 +84744,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_tracefs_dirs" lineno="5190">
+<interface name="fs_getattr_tracefs_dirs" lineno="5315">
<summary>
Get attributes of dirs on tracefs filesystem.
</summary>
@@ -84641,7 +84754,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_tracefs" lineno="5208">
+<interface name="fs_search_tracefs" lineno="5333">
<summary>
search directories on a tracefs filesystem
</summary>
@@ -84651,7 +84764,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_tracefs_files" lineno="5227">
+<interface name="fs_getattr_tracefs_files" lineno="5352">
<summary>
Get the attributes of files
on a trace filesystem.
@@ -84662,7 +84775,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_mount_xenfs" lineno="5245">
+<interface name="fs_mount_xenfs" lineno="5370">
<summary>
Mount a XENFS filesystem.
</summary>
@@ -84672,7 +84785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_xenfs" lineno="5263">
+<interface name="fs_search_xenfs" lineno="5388">
<summary>
Search the XENFS filesystem.
</summary>
@@ -84682,7 +84795,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_manage_xenfs_dirs" lineno="5283">
+<interface name="fs_manage_xenfs_dirs" lineno="5408">
<summary>
Create, read, write, and delete directories
on a XENFS filesystem.
@@ -84694,7 +84807,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="5303">
+<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="5428">
<summary>
Do not audit attempts to create, read,
write, and delete directories
@@ -84706,7 +84819,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_manage_xenfs_files" lineno="5323">
+<interface name="fs_manage_xenfs_files" lineno="5448">
<summary>
Create, read, write, and delete files
on a XENFS filesystem.
@@ -84718,7 +84831,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_mmap_xenfs_files" lineno="5341">
+<interface name="fs_mmap_xenfs_files" lineno="5466">
<summary>
Map files a XENFS filesystem.
</summary>
@@ -84728,7 +84841,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_manage_xenfs_files" lineno="5361">
+<interface name="fs_dontaudit_manage_xenfs_files" lineno="5486">
<summary>
Do not audit attempts to create,
read, write, and delete files
@@ -84740,7 +84853,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_mount_all_fs" lineno="5379">
+<interface name="fs_mount_all_fs" lineno="5504">
<summary>
Mount all filesystems.
</summary>
@@ -84750,7 +84863,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_remount_all_fs" lineno="5398">
+<interface name="fs_remount_all_fs" lineno="5523">
<summary>
Remount all filesystems. This
allows some mount options to be changed.
@@ -84761,7 +84874,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unmount_all_fs" lineno="5416">
+<interface name="fs_unmount_all_fs" lineno="5541">
<summary>
Unmount all filesystems.
</summary>
@@ -84771,7 +84884,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_fs" lineno="5448">
+<interface name="fs_getattr_all_fs" lineno="5573">
<summary>
Get the attributes of all filesystems.
</summary>
@@ -84795,7 +84908,7 @@ Domain allowed access.
<infoflow type="read" weight="5"/>
<rolecap/>
</interface>
-<interface name="fs_dontaudit_getattr_all_fs" lineno="5468">
+<interface name="fs_dontaudit_getattr_all_fs" lineno="5593">
<summary>
Do not audit attempts to get the attributes
all filesystems.
@@ -84806,7 +84919,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_get_all_fs_quotas" lineno="5487">
+<interface name="fs_get_all_fs_quotas" lineno="5612">
<summary>
Get the quotas of all filesystems.
</summary>
@@ -84817,7 +84930,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_set_all_quotas" lineno="5506">
+<interface name="fs_set_all_quotas" lineno="5631">
<summary>
Set the quotas of all filesystems.
</summary>
@@ -84828,7 +84941,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="fs_relabelfrom_all_fs" lineno="5524">
+<interface name="fs_relabelfrom_all_fs" lineno="5649">
<summary>
Relabelfrom all filesystems.
</summary>
@@ -84838,7 +84951,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_dirs" lineno="5543">
+<interface name="fs_getattr_all_dirs" lineno="5668">
<summary>
Get the attributes of all directories
with a filesystem type.
@@ -84849,7 +84962,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_search_all" lineno="5561">
+<interface name="fs_search_all" lineno="5686">
<summary>
Search all directories with a filesystem type.
</summary>
@@ -84859,7 +84972,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_list_all" lineno="5579">
+<interface name="fs_list_all" lineno="5704">
<summary>
List all directories with a filesystem type.
</summary>
@@ -84869,7 +84982,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_files" lineno="5598">
+<interface name="fs_getattr_all_files" lineno="5723">
<summary>
Get the attributes of all files with
a filesystem type.
@@ -84880,7 +84993,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_all_files" lineno="5617">
+<interface name="fs_dontaudit_getattr_all_files" lineno="5742">
<summary>
Do not audit attempts to get the attributes
of all files with a filesystem type.
@@ -84891,7 +85004,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_symlinks" lineno="5636">
+<interface name="fs_getattr_all_symlinks" lineno="5761">
<summary>
Get the attributes of all symbolic links with
a filesystem type.
@@ -84902,7 +85015,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_all_symlinks" lineno="5655">
+<interface name="fs_dontaudit_getattr_all_symlinks" lineno="5780">
<summary>
Do not audit attempts to get the attributes
of all symbolic links with a filesystem type.
@@ -84913,7 +85026,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_pipes" lineno="5674">
+<interface name="fs_getattr_all_pipes" lineno="5799">
<summary>
Get the attributes of all named pipes with
a filesystem type.
@@ -84924,7 +85037,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_all_pipes" lineno="5693">
+<interface name="fs_dontaudit_getattr_all_pipes" lineno="5818">
<summary>
Do not audit attempts to get the attributes
of all named pipes with a filesystem type.
@@ -84935,7 +85048,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_sockets" lineno="5712">
+<interface name="fs_getattr_all_sockets" lineno="5837">
<summary>
Get the attributes of all named sockets with
a filesystem type.
@@ -84946,7 +85059,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_dontaudit_getattr_all_sockets" lineno="5731">
+<interface name="fs_dontaudit_getattr_all_sockets" lineno="5856">
<summary>
Do not audit attempts to get the attributes
of all named sockets with a filesystem type.
@@ -84957,7 +85070,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_blk_files" lineno="5750">
+<interface name="fs_getattr_all_blk_files" lineno="5875">
<summary>
Get the attributes of all block device nodes with
a filesystem type.
@@ -84968,7 +85081,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_getattr_all_chr_files" lineno="5769">
+<interface name="fs_getattr_all_chr_files" lineno="5894">
<summary>
Get the attributes of all character device nodes with
a filesystem type.
@@ -84979,7 +85092,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fs_unconfined" lineno="5787">
+<interface name="fs_unconfined" lineno="5912">
<summary>
Unconfined access to filesystems
</summary>
@@ -85202,7 +85315,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_load_module" lineno="378">
+<interface name="kernel_rw_netlink_audit_sockets" lineno="378">
+<summary>
+Send messages to kernel netlink audit sockets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="kernel_load_module" lineno="396">
<summary>
Allows caller to load kernel modules
</summary>
@@ -85212,7 +85335,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_search_key" lineno="396">
+<interface name="kernel_search_key" lineno="414">
<summary>
Allow search the kernel key ring.
</summary>
@@ -85222,7 +85345,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_search_key" lineno="414">
+<interface name="kernel_dontaudit_search_key" lineno="432">
<summary>
dontaudit search the kernel key ring.
</summary>
@@ -85232,7 +85355,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_link_key" lineno="432">
+<interface name="kernel_link_key" lineno="450">
<summary>
Allow link to the kernel key ring.
</summary>
@@ -85242,7 +85365,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_link_key" lineno="450">
+<interface name="kernel_dontaudit_link_key" lineno="468">
<summary>
dontaudit link to the kernel key ring.
</summary>
@@ -85252,7 +85375,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_view_key" lineno="468">
+<interface name="kernel_view_key" lineno="486">
<summary>
Allow view the kernel key ring.
</summary>
@@ -85262,7 +85385,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_view_key" lineno="486">
+<interface name="kernel_dontaudit_view_key" lineno="504">
<summary>
dontaudit view the kernel key ring.
</summary>
@@ -85272,7 +85395,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_write_key" lineno="504">
+<interface name="kernel_write_key" lineno="522">
<summary>
allow write access to the kernel key ring.
</summary>
@@ -85282,7 +85405,7 @@ Domain to allow.
</summary>
</param>
</interface>
-<interface name="kernel_read_ring_buffer" lineno="523">
+<interface name="kernel_read_ring_buffer" lineno="541">
<summary>
Allows caller to read the ring buffer.
</summary>
@@ -85293,7 +85416,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_read_ring_buffer" lineno="542">
+<interface name="kernel_dontaudit_read_ring_buffer" lineno="560">
<summary>
Do not audit attempts to read the ring buffer.
</summary>
@@ -85303,7 +85426,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_change_ring_buffer_level" lineno="561">
+<interface name="kernel_change_ring_buffer_level" lineno="579">
<summary>
Change the level of kernel messages logged to the console.
</summary>
@@ -85314,7 +85437,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_clear_ring_buffer" lineno="581">
+<interface name="kernel_clear_ring_buffer" lineno="599">
<summary>
Allows the caller to clear the ring buffer.
</summary>
@@ -85325,7 +85448,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_request_load_module" lineno="613">
+<interface name="kernel_request_load_module" lineno="631">
<summary>
Allows caller to request the kernel to load a module
</summary>
@@ -85348,7 +85471,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_request_load_module" lineno="631">
+<interface name="kernel_dontaudit_request_load_module" lineno="649">
<summary>
Do not audit requests to the kernel to load a module.
</summary>
@@ -85358,7 +85481,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_get_sysvipc_info" lineno="649">
+<interface name="kernel_get_sysvipc_info" lineno="667">
<summary>
Get information on all System V IPC objects.
</summary>
@@ -85368,7 +85491,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_debugfs" lineno="667">
+<interface name="kernel_getattr_debugfs" lineno="685">
<summary>
Get the attributes of a kernel debugging filesystem.
</summary>
@@ -85378,7 +85501,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_mount_debugfs" lineno="685">
+<interface name="kernel_mount_debugfs" lineno="703">
<summary>
Mount a kernel debugging filesystem.
</summary>
@@ -85388,7 +85511,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_unmount_debugfs" lineno="703">
+<interface name="kernel_unmount_debugfs" lineno="721">
<summary>
Unmount a kernel debugging filesystem.
</summary>
@@ -85398,7 +85521,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_remount_debugfs" lineno="721">
+<interface name="kernel_remount_debugfs" lineno="739">
<summary>
Remount a kernel debugging filesystem.
</summary>
@@ -85408,7 +85531,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_search_debugfs" lineno="739">
+<interface name="kernel_search_debugfs" lineno="757">
<summary>
Search the contents of a kernel debugging filesystem.
</summary>
@@ -85418,7 +85541,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_search_debugfs" lineno="757">
+<interface name="kernel_dontaudit_search_debugfs" lineno="775">
<summary>
Do not audit attempts to search the kernel debugging filesystem.
</summary>
@@ -85428,7 +85551,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_read_debugfs" lineno="775">
+<interface name="kernel_read_debugfs" lineno="793">
<summary>
Read information from the debugging filesystem.
</summary>
@@ -85438,7 +85561,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_write_debugfs_dirs" lineno="795">
+<interface name="kernel_dontaudit_write_debugfs_dirs" lineno="813">
<summary>
Do not audit attempts to write kernel debugging filesystem dirs.
</summary>
@@ -85448,7 +85571,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_manage_debugfs" lineno="813">
+<interface name="kernel_manage_debugfs" lineno="831">
<summary>
Manage information from the debugging filesystem.
</summary>
@@ -85458,7 +85581,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_mount_kvmfs" lineno="833">
+<interface name="kernel_mount_kvmfs" lineno="851">
<summary>
Mount a kernel VM filesystem.
</summary>
@@ -85468,7 +85591,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_mount_proc" lineno="851">
+<interface name="kernel_mount_proc" lineno="869">
<summary>
mount the proc filesystem.
</summary>
@@ -85478,7 +85601,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_remount_proc" lineno="869">
+<interface name="kernel_remount_proc" lineno="887">
<summary>
remount the proc filesystem.
</summary>
@@ -85488,7 +85611,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_unmount_proc" lineno="887">
+<interface name="kernel_unmount_proc" lineno="905">
<summary>
Unmount the proc filesystem.
</summary>
@@ -85498,7 +85621,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_proc" lineno="905">
+<interface name="kernel_getattr_proc" lineno="923">
<summary>
Get the attributes of the proc filesystem.
</summary>
@@ -85508,7 +85631,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_proc" lineno="923">
+<interface name="kernel_dontaudit_getattr_proc" lineno="941">
<summary>
Do not audit attempts to get the attributes of the proc filesystem.
</summary>
@@ -85518,7 +85641,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_mounton_proc" lineno="942">
+<interface name="kernel_mounton_proc" lineno="960">
<summary>
Mount on proc directories.
</summary>
@@ -85529,7 +85652,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="961">
+<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="979">
<summary>
Do not audit attempts to set the
attributes of directories in /proc.
@@ -85540,7 +85663,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_search_proc" lineno="979">
+<interface name="kernel_search_proc" lineno="997">
<summary>
Search directories in /proc.
</summary>
@@ -85550,7 +85673,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_list_proc" lineno="997">
+<interface name="kernel_list_proc" lineno="1015">
<summary>
List the contents of directories in /proc.
</summary>
@@ -85560,7 +85683,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_list_proc" lineno="1016">
+<interface name="kernel_dontaudit_list_proc" lineno="1034">
<summary>
Do not audit attempts to list the
contents of directories in /proc.
@@ -85571,7 +85694,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_write_proc_dirs" lineno="1035">
+<interface name="kernel_dontaudit_write_proc_dirs" lineno="1053">
<summary>
Do not audit attempts to write the
directories in /proc.
@@ -85582,7 +85705,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_mounton_proc_dirs" lineno="1053">
+<interface name="kernel_mounton_proc_dirs" lineno="1071">
<summary>
Mount the directories in /proc.
</summary>
@@ -85592,7 +85715,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_proc_files" lineno="1071">
+<interface name="kernel_getattr_proc_files" lineno="1089">
<summary>
Get the attributes of files in /proc.
</summary>
@@ -85602,7 +85725,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_proc_symlinks" lineno="1098">
+<interface name="kernel_read_proc_symlinks" lineno="1116">
<summary>
Read generic symbolic links in /proc.
</summary>
@@ -85621,7 +85744,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="kernel_read_system_state" lineno="1137">
+<interface name="kernel_read_system_state" lineno="1155">
<summary>
Allows caller to read system state information in /proc.
</summary>
@@ -85652,7 +85775,7 @@ Domain allowed access.
<infoflow type="read" weight="10"/>
<rolecap/>
</interface>
-<interface name="kernel_write_proc_files" lineno="1163">
+<interface name="kernel_write_proc_files" lineno="1181">
<summary>
Write to generic proc entries.
</summary>
@@ -85663,7 +85786,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_read_system_state" lineno="1182">
+<interface name="kernel_dontaudit_read_system_state" lineno="1200">
<summary>
Do not audit attempts by caller to
read system state information in proc.
@@ -85674,7 +85797,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1201">
+<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1219">
<summary>
Do not audit attempts by caller to
read symbolic links in proc.
@@ -85685,7 +85808,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_rw_afs_state" lineno="1220">
+<interface name="kernel_rw_afs_state" lineno="1238">
<summary>
Allow caller to read and write state information for AFS.
</summary>
@@ -85696,7 +85819,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_software_raid_state" lineno="1240">
+<interface name="kernel_read_software_raid_state" lineno="1258">
<summary>
Allow caller to read the state information for software raid.
</summary>
@@ -85707,7 +85830,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_software_raid_state" lineno="1260">
+<interface name="kernel_rw_software_raid_state" lineno="1278">
<summary>
Allow caller to read and set the state information for software raid.
</summary>
@@ -85717,7 +85840,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_core_if" lineno="1280">
+<interface name="kernel_getattr_core_if" lineno="1298">
<summary>
Allows caller to get attributes of core kernel interface.
</summary>
@@ -85727,7 +85850,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_core_if" lineno="1301">
+<interface name="kernel_dontaudit_getattr_core_if" lineno="1319">
<summary>
Do not audit attempts to get the attributes of
core kernel interfaces.
@@ -85738,7 +85861,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_read_core_if" lineno="1319">
+<interface name="kernel_read_core_if" lineno="1337">
<summary>
Allows caller to read the core kernel interface.
</summary>
@@ -85748,7 +85871,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_messages" lineno="1343">
+<interface name="kernel_read_messages" lineno="1361">
<summary>
Allow caller to read kernel messages
using the /proc/kmsg interface.
@@ -85759,7 +85882,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_message_if" lineno="1365">
+<interface name="kernel_getattr_message_if" lineno="1383">
<summary>
Allow caller to get the attributes of kernel message
interface (/proc/kmsg).
@@ -85770,7 +85893,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_message_if" lineno="1384">
+<interface name="kernel_dontaudit_getattr_message_if" lineno="1402">
<summary>
Do not audit attempts by caller to get the attributes of kernel
message interfaces.
@@ -85781,7 +85904,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_mounton_message_if" lineno="1403">
+<interface name="kernel_mounton_message_if" lineno="1421">
<summary>
Mount on kernel message interfaces files.
</summary>
@@ -85792,7 +85915,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_search_network_state" lineno="1424">
+<interface name="kernel_dontaudit_search_network_state" lineno="1442">
<summary>
Do not audit attempts to search the network
state directory.
@@ -85804,7 +85927,7 @@ Domain to not audit.
</param>
</interface>
-<interface name="kernel_search_network_state" lineno="1443">
+<interface name="kernel_search_network_state" lineno="1461">
<summary>
Allow searching of network state directory.
</summary>
@@ -85815,7 +85938,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_read_network_state" lineno="1473">
+<interface name="kernel_read_network_state" lineno="1491">
<summary>
Read the network state information.
</summary>
@@ -85837,7 +85960,7 @@ Domain allowed access.
<infoflow type="read" weight="10"/>
<rolecap/>
</interface>
-<interface name="kernel_read_network_state_symlinks" lineno="1494">
+<interface name="kernel_read_network_state_symlinks" lineno="1512">
<summary>
Allow caller to read the network state symbolic links.
</summary>
@@ -85847,7 +85970,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_search_xen_state" lineno="1515">
+<interface name="kernel_search_xen_state" lineno="1533">
<summary>
Allow searching of xen state directory.
</summary>
@@ -85858,7 +85981,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_dontaudit_search_xen_state" lineno="1535">
+<interface name="kernel_dontaudit_search_xen_state" lineno="1553">
<summary>
Do not audit attempts to search the xen
state directory.
@@ -85870,7 +85993,7 @@ Domain to not audit.
</param>
</interface>
-<interface name="kernel_read_xen_state" lineno="1554">
+<interface name="kernel_read_xen_state" lineno="1572">
<summary>
Allow caller to read the xen state information.
</summary>
@@ -85881,7 +86004,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_read_xen_state_symlinks" lineno="1576">
+<interface name="kernel_read_xen_state_symlinks" lineno="1594">
<summary>
Allow caller to read the xen state symbolic links.
</summary>
@@ -85892,7 +86015,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_write_xen_state" lineno="1597">
+<interface name="kernel_write_xen_state" lineno="1615">
<summary>
Allow caller to write xen state information.
</summary>
@@ -85903,7 +86026,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_list_all_proc" lineno="1615">
+<interface name="kernel_list_all_proc" lineno="1633">
<summary>
Allow attempts to list all proc directories.
</summary>
@@ -85913,7 +86036,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_list_all_proc" lineno="1634">
+<interface name="kernel_dontaudit_list_all_proc" lineno="1652">
<summary>
Do not audit attempts to list all proc directories.
</summary>
@@ -85923,7 +86046,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_search_sysctl" lineno="1655">
+<interface name="kernel_dontaudit_search_sysctl" lineno="1673">
<summary>
Do not audit attempts by caller to search
the base directory of sysctls.
@@ -85935,7 +86058,7 @@ Domain to not audit.
</param>
</interface>
-<interface name="kernel_mounton_sysctl_dirs" lineno="1674">
+<interface name="kernel_mounton_sysctl_dirs" lineno="1692">
<summary>
Mount on sysctl_t dirs.
</summary>
@@ -85946,7 +86069,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_sysctl" lineno="1694">
+<interface name="kernel_read_sysctl" lineno="1712">
<summary>
Allow access to read sysctl directories.
</summary>
@@ -85957,7 +86080,7 @@ Domain allowed access.
</param>
</interface>
-<interface name="kernel_mounton_sysctl_files" lineno="1714">
+<interface name="kernel_mounton_sysctl_files" lineno="1732">
<summary>
Mount on sysctl files.
</summary>
@@ -85968,7 +86091,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_device_sysctls" lineno="1734">
+<interface name="kernel_read_device_sysctls" lineno="1752">
<summary>
Allow caller to read the device sysctls.
</summary>
@@ -85979,7 +86102,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_device_sysctls" lineno="1755">
+<interface name="kernel_rw_device_sysctls" lineno="1773">
<summary>
Read and write device sysctls.
</summary>
@@ -85990,7 +86113,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_search_vm_sysctl" lineno="1775">
+<interface name="kernel_search_vm_sysctl" lineno="1793">
<summary>
Allow caller to search virtual memory sysctls.
</summary>
@@ -86000,7 +86123,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_vm_sysctls" lineno="1794">
+<interface name="kernel_read_vm_sysctls" lineno="1812">
<summary>
Allow caller to read virtual memory sysctls.
</summary>
@@ -86011,7 +86134,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_vm_sysctls" lineno="1815">
+<interface name="kernel_rw_vm_sysctls" lineno="1833">
<summary>
Read and write virtual memory sysctls.
</summary>
@@ -86022,7 +86145,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_search_network_sysctl" lineno="1837">
+<interface name="kernel_search_network_sysctl" lineno="1855">
<summary>
Search network sysctl directories.
</summary>
@@ -86032,7 +86155,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_search_network_sysctl" lineno="1855">
+<interface name="kernel_dontaudit_search_network_sysctl" lineno="1873">
<summary>
Do not audit attempts by caller to search network sysctl directories.
</summary>
@@ -86042,7 +86165,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_read_net_sysctls" lineno="1874">
+<interface name="kernel_read_net_sysctls" lineno="1892">
<summary>
Allow caller to read network sysctls.
</summary>
@@ -86053,7 +86176,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_net_sysctls" lineno="1895">
+<interface name="kernel_rw_net_sysctls" lineno="1913">
<summary>
Allow caller to modiry contents of sysctl network files.
</summary>
@@ -86064,7 +86187,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_unix_sysctls" lineno="1917">
+<interface name="kernel_read_unix_sysctls" lineno="1935">
<summary>
Allow caller to read unix domain
socket sysctls.
@@ -86076,7 +86199,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_unix_sysctls" lineno="1939">
+<interface name="kernel_rw_unix_sysctls" lineno="1957">
<summary>
Read and write unix domain
socket sysctls.
@@ -86088,7 +86211,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_hotplug_sysctls" lineno="1960">
+<interface name="kernel_read_hotplug_sysctls" lineno="1978">
<summary>
Read the hotplug sysctl.
</summary>
@@ -86099,7 +86222,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_hotplug_sysctls" lineno="1981">
+<interface name="kernel_rw_hotplug_sysctls" lineno="1999">
<summary>
Read and write the hotplug sysctl.
</summary>
@@ -86110,7 +86233,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_modprobe_sysctls" lineno="2002">
+<interface name="kernel_read_modprobe_sysctls" lineno="2020">
<summary>
Read the modprobe sysctl.
</summary>
@@ -86121,7 +86244,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_modprobe_sysctls" lineno="2023">
+<interface name="kernel_rw_modprobe_sysctls" lineno="2041">
<summary>
Read and write the modprobe sysctl.
</summary>
@@ -86132,7 +86255,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2043">
+<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2061">
<summary>
Do not audit attempts to search generic kernel sysctls.
</summary>
@@ -86142,7 +86265,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2061">
+<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2079">
<summary>
Do not audit attempted reading of kernel sysctls
</summary>
@@ -86152,7 +86275,7 @@ Domain to not audit accesses from
</summary>
</param>
</interface>
-<interface name="kernel_read_crypto_sysctls" lineno="2079">
+<interface name="kernel_read_crypto_sysctls" lineno="2097">
<summary>
Read generic crypto sysctls.
</summary>
@@ -86162,7 +86285,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_kernel_sysctls" lineno="2120">
+<interface name="kernel_read_kernel_sysctls" lineno="2138">
<summary>
Read general kernel sysctls.
</summary>
@@ -86194,7 +86317,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2140">
+<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2158">
<summary>
Do not audit attempts to write generic kernel sysctls.
</summary>
@@ -86204,7 +86327,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_rw_kernel_sysctl" lineno="2159">
+<interface name="kernel_rw_kernel_sysctl" lineno="2177">
<summary>
Read and write generic kernel sysctls.
</summary>
@@ -86215,7 +86338,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_mounton_kernel_sysctl_files" lineno="2180">
+<interface name="kernel_mounton_kernel_sysctl_files" lineno="2198">
<summary>
Mount on kernel sysctl files.
</summary>
@@ -86226,7 +86349,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2200">
+<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2218">
<summary>
Read kernel ns lastpid sysctls.
</summary>
@@ -86237,7 +86360,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2220">
+<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2238">
<summary>
Do not audit attempts to write kernel ns lastpid sysctls.
</summary>
@@ -86247,7 +86370,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2239">
+<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2257">
<summary>
Read and write kernel ns lastpid sysctls.
</summary>
@@ -86258,7 +86381,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_search_fs_sysctls" lineno="2260">
+<interface name="kernel_search_fs_sysctls" lineno="2278">
<summary>
Search filesystem sysctl directories.
</summary>
@@ -86269,7 +86392,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_fs_sysctls" lineno="2279">
+<interface name="kernel_read_fs_sysctls" lineno="2297">
<summary>
Read filesystem sysctls.
</summary>
@@ -86280,7 +86403,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_fs_sysctls" lineno="2300">
+<interface name="kernel_rw_fs_sysctls" lineno="2318">
<summary>
Read and write filesystem sysctls.
</summary>
@@ -86291,7 +86414,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_irq_sysctls" lineno="2321">
+<interface name="kernel_read_irq_sysctls" lineno="2339">
<summary>
Read IRQ sysctls.
</summary>
@@ -86302,7 +86425,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_irq_sysctls" lineno="2342">
+<interface name="kernel_rw_irq_sysctls" lineno="2360">
<summary>
Read and write IRQ sysctls.
</summary>
@@ -86313,7 +86436,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_read_rpc_sysctls" lineno="2363">
+<interface name="kernel_read_rpc_sysctls" lineno="2381">
<summary>
Read RPC sysctls.
</summary>
@@ -86324,7 +86447,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_rpc_sysctls" lineno="2384">
+<interface name="kernel_rw_rpc_sysctls" lineno="2402">
<summary>
Read and write RPC sysctls.
</summary>
@@ -86335,7 +86458,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_dontaudit_list_all_sysctls" lineno="2404">
+<interface name="kernel_dontaudit_list_all_sysctls" lineno="2422">
<summary>
Do not audit attempts to list all sysctl directories.
</summary>
@@ -86345,7 +86468,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_read_all_sysctls" lineno="2424">
+<interface name="kernel_read_all_sysctls" lineno="2442">
<summary>
Allow caller to read all sysctls.
</summary>
@@ -86356,7 +86479,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_all_sysctls" lineno="2447">
+<interface name="kernel_rw_all_sysctls" lineno="2465">
<summary>
Read and write all sysctls.
</summary>
@@ -86367,7 +86490,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_associate_proc" lineno="2472">
+<interface name="kernel_associate_proc" lineno="2490">
<summary>
Associate a file to proc_t (/proc)
</summary>
@@ -86378,7 +86501,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_kill_unlabeled" lineno="2489">
+<interface name="kernel_kill_unlabeled" lineno="2507">
<summary>
Send a kill signal to unlabeled processes.
</summary>
@@ -86388,7 +86511,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_mount_unlabeled" lineno="2507">
+<interface name="kernel_mount_unlabeled" lineno="2525">
<summary>
Mount a kernel unlabeled filesystem.
</summary>
@@ -86398,7 +86521,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_unmount_unlabeled" lineno="2525">
+<interface name="kernel_unmount_unlabeled" lineno="2543">
<summary>
Unmount a kernel unlabeled filesystem.
</summary>
@@ -86408,7 +86531,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_signal_unlabeled" lineno="2543">
+<interface name="kernel_signal_unlabeled" lineno="2561">
<summary>
Send general signals to unlabeled processes.
</summary>
@@ -86418,7 +86541,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_signull_unlabeled" lineno="2561">
+<interface name="kernel_signull_unlabeled" lineno="2579">
<summary>
Send a null signal to unlabeled processes.
</summary>
@@ -86428,7 +86551,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_sigstop_unlabeled" lineno="2579">
+<interface name="kernel_sigstop_unlabeled" lineno="2597">
<summary>
Send a stop signal to unlabeled processes.
</summary>
@@ -86438,7 +86561,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_sigchld_unlabeled" lineno="2597">
+<interface name="kernel_sigchld_unlabeled" lineno="2615">
<summary>
Send a child terminated signal to unlabeled processes.
</summary>
@@ -86448,7 +86571,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_getattr_unlabeled_dirs" lineno="2615">
+<interface name="kernel_getattr_unlabeled_dirs" lineno="2633">
<summary>
Get the attributes of unlabeled directories.
</summary>
@@ -86458,7 +86581,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_search_unlabeled" lineno="2633">
+<interface name="kernel_dontaudit_search_unlabeled" lineno="2651">
<summary>
Do not audit attempts to search unlabeled directories.
</summary>
@@ -86468,7 +86591,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_list_unlabeled" lineno="2651">
+<interface name="kernel_list_unlabeled" lineno="2669">
<summary>
List unlabeled directories.
</summary>
@@ -86478,7 +86601,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_unlabeled_state" lineno="2669">
+<interface name="kernel_read_unlabeled_state" lineno="2687">
<summary>
Read the process state (/proc/pid) of all unlabeled_t.
</summary>
@@ -86488,7 +86611,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_list_unlabeled" lineno="2689">
+<interface name="kernel_dontaudit_list_unlabeled" lineno="2707">
<summary>
Do not audit attempts to list unlabeled directories.
</summary>
@@ -86498,7 +86621,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_rw_unlabeled_dirs" lineno="2707">
+<interface name="kernel_rw_unlabeled_dirs" lineno="2725">
<summary>
Read and write unlabeled directories.
</summary>
@@ -86508,7 +86631,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_dirs" lineno="2725">
+<interface name="kernel_delete_unlabeled_dirs" lineno="2743">
<summary>
Delete unlabeled directories.
</summary>
@@ -86518,7 +86641,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_manage_unlabeled_dirs" lineno="2743">
+<interface name="kernel_manage_unlabeled_dirs" lineno="2761">
<summary>
Create, read, write, and delete unlabeled directories.
</summary>
@@ -86528,7 +86651,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_mounton_unlabeled_dirs" lineno="2761">
+<interface name="kernel_mounton_unlabeled_dirs" lineno="2779">
<summary>
Mount a filesystem on an unlabeled directory.
</summary>
@@ -86538,7 +86661,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_unlabeled_files" lineno="2779">
+<interface name="kernel_read_unlabeled_files" lineno="2797">
<summary>
Read unlabeled files.
</summary>
@@ -86548,7 +86671,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_rw_unlabeled_files" lineno="2797">
+<interface name="kernel_rw_unlabeled_files" lineno="2815">
<summary>
Read and write unlabeled files.
</summary>
@@ -86558,7 +86681,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_files" lineno="2815">
+<interface name="kernel_delete_unlabeled_files" lineno="2833">
<summary>
Delete unlabeled files.
</summary>
@@ -86568,7 +86691,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_manage_unlabeled_files" lineno="2833">
+<interface name="kernel_manage_unlabeled_files" lineno="2851">
<summary>
Create, read, write, and delete unlabeled files.
</summary>
@@ -86578,7 +86701,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2852">
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2870">
<summary>
Do not audit attempts by caller to get the
attributes of an unlabeled file.
@@ -86589,7 +86712,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2871">
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2889">
<summary>
Do not audit attempts by caller to
read an unlabeled file.
@@ -86600,7 +86723,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_symlinks" lineno="2889">
+<interface name="kernel_delete_unlabeled_symlinks" lineno="2907">
<summary>
Delete unlabeled symbolic links.
</summary>
@@ -86610,7 +86733,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_manage_unlabeled_symlinks" lineno="2907">
+<interface name="kernel_manage_unlabeled_symlinks" lineno="2925">
<summary>
Create, read, write, and delete unlabeled symbolic links.
</summary>
@@ -86620,7 +86743,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2926">
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2944">
<summary>
Do not audit attempts by caller to get the
attributes of unlabeled symbolic links.
@@ -86631,7 +86754,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2945">
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2963">
<summary>
Do not audit attempts by caller to get the
attributes of unlabeled named pipes.
@@ -86642,7 +86765,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2964">
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2982">
<summary>
Do not audit attempts by caller to get the
attributes of unlabeled named sockets.
@@ -86653,7 +86776,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2983">
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3001">
<summary>
Do not audit attempts by caller to get attributes for
unlabeled block devices.
@@ -86664,7 +86787,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_rw_unlabeled_blk_files" lineno="3001">
+<interface name="kernel_rw_unlabeled_blk_files" lineno="3019">
<summary>
Read and write unlabeled block device nodes.
</summary>
@@ -86674,7 +86797,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_blk_files" lineno="3019">
+<interface name="kernel_delete_unlabeled_blk_files" lineno="3037">
<summary>
Delete unlabeled block device nodes.
</summary>
@@ -86684,7 +86807,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_manage_unlabeled_blk_files" lineno="3037">
+<interface name="kernel_manage_unlabeled_blk_files" lineno="3055">
<summary>
Create, read, write, and delete unlabeled block device nodes.
</summary>
@@ -86694,7 +86817,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3056">
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3074">
<summary>
Do not audit attempts by caller to get attributes for
unlabeled character devices.
@@ -86705,7 +86828,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3075">
+<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3093">
<summary>
Do not audit attempts to
write unlabeled character devices.
@@ -86716,7 +86839,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_chr_files" lineno="3093">
+<interface name="kernel_delete_unlabeled_chr_files" lineno="3111">
<summary>
Delete unlabeled character device nodes.
</summary>
@@ -86726,7 +86849,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_manage_unlabeled_chr_files" lineno="3112">
+<interface name="kernel_manage_unlabeled_chr_files" lineno="3130">
<summary>
Create, read, write, and delete unlabeled character device nodes.
</summary>
@@ -86736,7 +86859,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3130">
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3148">
<summary>
Allow caller to relabel unlabeled directories.
</summary>
@@ -86746,7 +86869,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_files" lineno="3148">
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="3166">
<summary>
Allow caller to relabel unlabeled files.
</summary>
@@ -86756,7 +86879,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3167">
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3185">
<summary>
Allow caller to relabel unlabeled symbolic links.
</summary>
@@ -86766,7 +86889,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3186">
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3204">
<summary>
Allow caller to relabel unlabeled named pipes.
</summary>
@@ -86776,7 +86899,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_pipes" lineno="3205">
+<interface name="kernel_delete_unlabeled_pipes" lineno="3223">
<summary>
Delete unlabeled named pipes
</summary>
@@ -86786,7 +86909,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3223">
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3241">
<summary>
Allow caller to relabel unlabeled named sockets.
</summary>
@@ -86796,7 +86919,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_delete_unlabeled_sockets" lineno="3242">
+<interface name="kernel_delete_unlabeled_sockets" lineno="3260">
<summary>
Delete unlabeled named sockets.
</summary>
@@ -86806,7 +86929,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3260">
+<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3278">
<summary>
Allow caller to relabel from unlabeled block devices.
</summary>
@@ -86816,7 +86939,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3278">
+<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3296">
<summary>
Allow caller to relabel from unlabeled character devices.
</summary>
@@ -86826,7 +86949,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_sendrecv_unlabeled_association" lineno="3311">
+<interface name="kernel_sendrecv_unlabeled_association" lineno="3329">
<summary>
Send and receive messages from an
unlabeled IPSEC association.
@@ -86851,7 +86974,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3344">
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3362">
<summary>
Do not audit attempts to send and receive messages
from an unlabeled IPSEC association.
@@ -86876,7 +86999,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3371">
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3389">
<summary>
Receive TCP packets from an unlabeled connection.
</summary>
@@ -86895,7 +87018,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3400">
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3418">
<summary>
Do not audit attempts to receive TCP packets from an unlabeled
connection.
@@ -86916,7 +87039,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_udp_recvfrom_unlabeled" lineno="3427">
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="3445">
<summary>
Receive UDP packets from an unlabeled connection.
</summary>
@@ -86935,7 +87058,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3456">
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3474">
<summary>
Do not audit attempts to receive UDP packets from an unlabeled
connection.
@@ -86956,7 +87079,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_raw_recvfrom_unlabeled" lineno="3483">
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="3501">
<summary>
Receive Raw IP packets from an unlabeled connection.
</summary>
@@ -86975,7 +87098,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3512">
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3530">
<summary>
Do not audit attempts to receive Raw IP packets from an unlabeled
connection.
@@ -86996,7 +87119,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_sendrecv_unlabeled_packets" lineno="3542">
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="3560">
<summary>
Send and receive unlabeled packets.
</summary>
@@ -87018,7 +87141,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_recvfrom_unlabeled_peer" lineno="3570">
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="3588">
<summary>
Receive packets from an unlabeled peer.
</summary>
@@ -87038,7 +87161,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3598">
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3616">
<summary>
Do not audit attempts to receive packets from an unlabeled peer.
</summary>
@@ -87058,7 +87181,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kernel_relabelfrom_unlabeled_database" lineno="3616">
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="3634">
<summary>
Relabel from unlabeled database objects.
</summary>
@@ -87068,7 +87191,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_unconfined" lineno="3653">
+<interface name="kernel_unconfined" lineno="3671">
<summary>
Unconfined access to kernel module resources.
</summary>
@@ -87078,7 +87201,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_read_vm_overcommit_sysctl" lineno="3673">
+<interface name="kernel_read_vm_overcommit_sysctl" lineno="3691">
<summary>
Read virtual memory overcommit sysctl.
</summary>
@@ -87089,7 +87212,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3693">
+<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3711">
<summary>
Read and write virtual memory overcommit sysctl.
</summary>
@@ -87100,7 +87223,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3712">
+<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3730">
<summary>
Access unlabeled infiniband pkeys.
</summary>
@@ -87110,7 +87233,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3730">
+<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3748">
<summary>
Manage subnet on unlabeled Infiniband endports.
</summary>
@@ -88041,7 +88164,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_set_all_booleans" lineno="427">
+<interface name="selinux_set_all_booleans" lineno="434">
<summary>
Allow caller to set the state of all Booleans to
enable or disable conditional portions of the policy.
@@ -88063,7 +88186,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_get_all_booleans" lineno="459">
+<interface name="selinux_get_all_booleans" lineno="476">
<summary>
Allow caller to get the state of all Booleans to
view conditional portions of the policy.
@@ -88075,7 +88198,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_set_parameters" lineno="493">
+<interface name="selinux_set_parameters" lineno="510">
<summary>
Allow caller to set SELinux access vector cache parameters.
</summary>
@@ -88097,7 +88220,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_validate_context" lineno="512">
+<interface name="selinux_validate_context" lineno="529">
<summary>
Allows caller to validate security contexts.
</summary>
@@ -88108,7 +88231,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_dontaudit_validate_context" lineno="534">
+<interface name="selinux_dontaudit_validate_context" lineno="551">
<summary>
Do not audit attempts to validate security contexts.
</summary>
@@ -88119,7 +88242,7 @@ Domain to not audit.
</param>
<rolecap/>
</interface>
-<interface name="selinux_compute_access_vector" lineno="555">
+<interface name="selinux_compute_access_vector" lineno="572">
<summary>
Allows caller to compute an access vector.
</summary>
@@ -88130,7 +88253,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_compute_create_context" lineno="578">
+<interface name="selinux_compute_create_context" lineno="595">
<summary>
Calculate the default type for object creation.
</summary>
@@ -88141,7 +88264,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_compute_member" lineno="600">
+<interface name="selinux_compute_member" lineno="617">
<summary>
Allows caller to compute polyinstatntiated
directory members.
@@ -88152,7 +88275,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="selinux_compute_relabel_context" lineno="630">
+<interface name="selinux_compute_relabel_context" lineno="647">
<summary>
Calculate the context for relabeling objects.
</summary>
@@ -88171,7 +88294,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="selinux_compute_user_contexts" lineno="651">
+<interface name="selinux_compute_user_contexts" lineno="668">
<summary>
Allows caller to compute possible contexts for a user.
</summary>
@@ -88181,7 +88304,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="selinux_use_status_page" lineno="673">
+<interface name="selinux_use_status_page" lineno="690">
<summary>
Allows the caller to use the SELinux status page.
</summary>
@@ -88192,7 +88315,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="selinux_map_security_files" lineno="694">
+<interface name="selinux_map_security_files" lineno="711">
<summary>
Allows caller to map secuirty_t files. (Deprecated)
</summary>
@@ -88202,7 +88325,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="selinux_unconfined" lineno="715">
+<interface name="selinux_unconfined" lineno="732">
<summary>
Unconfined access to the SELinux kernel security server.
</summary>
@@ -88215,9 +88338,15 @@ Domain allowed access.
<bool name="secure_mode_policyload" dftval="false">
<desc>
<p>
-Boolean to determine whether the system permits loading policy, setting
-enforcing mode, and changing boolean values. Set this to true and you
-have to reboot to set it back.
+Boolean to determine whether the system permits loading policy, and setting
+enforcing mode. Set this to true and you have to reboot to set it back.
+</p>
+</desc>
+</bool>
+<bool name="secure_mode_setbool" dftval="false">
+<desc>
+<p>
+Boolean to determine whether the system permits setting Booelan values.
</p>
</desc>
</bool>
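Review bot: The added `secure_mode_setbool` description misspells "Boolean" as "Booelan" and, unlike the `secure_mode_policyload` text just above it, does not say whether enabling it can be undone without a reboot. The same hunk drops "and changing boolean values" from the `secure_mode_policyload` description, so a system that relied on that one boolean to freeze boolean state presumably now needs both set; the description should say so, to be confirmed against the policy source. Because doc/policy.xml is generated, the wording has to be corrected in the boolean's source declaration and the file regenerated, for example `Boolean to determine whether the system permits setting Boolean values.` followed by one sentence on how the setting is reverted.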
@@ -89997,21 +90126,6 @@ Domain allowed access.
</summary>
</param>
</interface>
-<tunable name="allow_ptrace" dftval="false">
-<desc>
-<p>
-Allow sysadm to debug or ptrace all processes.
-</p>
-</desc>
-</tunable>
-<tunable name="sysadm_allow_rw_inherited_fifo" dftval="false">
-<desc>
-<p>
-Allow sysadm to read/write to fifo files inherited from
-a domain allowed to change role.
-</p>
-</desc>
-</tunable>
</module>
<module name="unprivuser" filename="policy/modules/roles/unprivuser.if">
<summary>Generic unprivileged user role</summary>
@@ -90611,56 +90725,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="aiccu" filename="policy/modules/services/aiccu.if">
-<summary>Automatic IPv6 Connectivity Client Utility.</summary>
-<interface name="aiccu_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run aiccu.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="aiccu_initrc_domtrans" lineno="32">
-<summary>
-Execute aiccu server in the aiccu domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="aiccu_read_pid_files" lineno="50">
-<summary>
-Read aiccu PID files. (Deprecated)
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="aiccu_admin" lineno="71">
-<summary>
-All of the rules required to
-administrate an aiccu environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="aisexec" filename="policy/modules/services/aisexec.if">
<summary>Aisexec Cluster Engine.</summary>
<interface name="aisexec_domtrans" lineno="13">
@@ -92776,7 +92840,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bluetooth_domtrans" lineno="83">
+<interface name="bluetooth_domtrans" lineno="84">
<summary>
Execute bluetooth in the bluetooth domain.
</summary>
@@ -92786,7 +92850,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bluetooth_read_config" lineno="102">
+<interface name="bluetooth_read_config" lineno="103">
<summary>
Read bluetooth configuration files.
</summary>
@@ -92796,7 +92860,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bluetooth_dbus_chat" lineno="121">
+<interface name="bluetooth_dbus_chat" lineno="122">
<summary>
Send and receive messages from
bluetooth over dbus.
@@ -92807,7 +92871,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bluetooth_dontaudit_read_helper_state" lineno="142">
+<interface name="bluetooth_dontaudit_read_helper_state" lineno="143">
<summary>
Do not audit attempts to read
bluetooth process state files.
@@ -92818,7 +92882,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="bluetooth_admin" lineno="168">
+<interface name="bluetooth_admin" lineno="169">
<summary>
All of the rules required to
administrate an bluetooth environment.
@@ -92935,47 +92999,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="callweaver" filename="policy/modules/services/callweaver.if">
-<summary>PBX software.</summary>
-<interface name="callweaver_exec" lineno="13">
-<summary>
-Execute callweaver in the caller domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="callweaver_stream_connect" lineno="33">
-<summary>
-Connect to callweaver over a
-unix stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="callweaver_admin" lineno="59">
-<summary>
-All of the rules required to
-administrate an callweaver environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="canna" filename="policy/modules/services/canna.if">
<summary>Kana-kanji conversion server.</summary>
<interface name="canna_stream_connect" lineno="14">
@@ -93007,67 +93030,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="ccs" filename="policy/modules/services/ccs.if">
-<summary>Cluster Configuration System.</summary>
-<interface name="ccs_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run ccs.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ccs_stream_connect" lineno="32">
-<summary>
-Connect to ccs over an unix stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="ccs_read_config" lineno="51">
-<summary>
-Read cluster configuration files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="ccs_manage_config" lineno="71">
-<summary>
-Create, read, write, and delete
-cluster configuration files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="ccs_admin" lineno="98">
-<summary>
-All of the rules required to
-administrate an ccs environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="certbot" filename="policy/modules/services/certbot.if">
<summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
<interface name="certbot_domtrans" lineno="14">
@@ -93098,6 +93060,17 @@ Role allowed access.
</summary>
</param>
</interface>
+<interface name="certbot_read_lib" lineno="59">
+<summary>
+Read TLS certificates and keys
+generated by certbot.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
<tunable name="certbot_acmesh" dftval="false">
<desc>
<p>
@@ -93582,26 +93555,14 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-</module>
-<module name="cipe" filename="policy/modules/services/cipe.if">
-<summary>Encrypted tunnel daemon.</summary>
-<interface name="cipe_admin" lineno="20">
-<summary>
-All of the rules required to
-administrate an cipe environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
+<tunable name="chronyd_hwtimestamp" dftval="false">
+<desc>
+<p>
+Determine whether chronyd can access NIC hardware
+timestamping features
+</p>
+</desc>
+</tunable>
</module>
<module name="clamav" filename="policy/modules/services/clamav.if">
<summary>ClamAV Virus Scanner.</summary>
@@ -93879,133 +93840,6 @@ Determine whether can clamd use JIT compiler.
</desc>
</tunable>
</module>
-<module name="clockspeed" filename="policy/modules/services/clockspeed.if">
-<summary>Clock speed measurement and manipulation.</summary>
-<interface name="clockspeed_domtrans_cli" lineno="14">
-<summary>
-Execute clockspeed utilities in
-the clockspeed_cli domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="clockspeed_run_cli" lineno="41">
-<summary>
-Execute clockspeed utilities in the
-clockspeed cli domain, and allow the
-specified role the clockspeed cli domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
-<module name="clogd" filename="policy/modules/services/clogd.if">
-<summary>Clustered Mirror Log Server.</summary>
-<interface name="clogd_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run clogd.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="clogd_rw_semaphores" lineno="32">
-<summary>
-Read and write clogd semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="clogd_rw_shm" lineno="50">
-<summary>
-Read and write clogd shared memory.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-</module>
-<module name="cmirrord" filename="policy/modules/services/cmirrord.if">
-<summary>Cluster mirror log daemon.</summary>
-<interface name="cmirrord_domtrans" lineno="14">
-<summary>
-Execute a domain transition to
-run cmirrord.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="cmirrord_initrc_domtrans" lineno="34">
-<summary>
-Execute cmirrord server in the
-cmirrord domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="cmirrord_read_pid_files" lineno="52">
-<summary>
-Read cmirrord PID files. (Deprecated)
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="cmirrord_rw_shm" lineno="66">
-<summary>
-Read and write cmirrord shared memory.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="cmirrord_admin" lineno="96">
-<summary>
-All of the rules required to
-administrate an cmirrord environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="cobbler" filename="policy/modules/services/cobbler.if">
<summary>Cobbler installation server.</summary>
<interface name="cobblerd_domtrans" lineno="13">
@@ -95532,7 +95366,7 @@ User domain for the role
</summary>
</param>
</template>
-<interface name="dbus_system_bus_client" lineno="133">
+<interface name="dbus_system_bus_client" lineno="139">
<summary>
Template for creating connections to
the system bus.
@@ -95543,7 +95377,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_connect_all_session_bus" lineno="172">
+<interface name="dbus_connect_all_session_bus" lineno="178">
<summary>
Acquire service on all DBUS
session busses.
@@ -95554,7 +95388,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_connect_spec_session_bus" lineno="198">
+<template name="dbus_connect_spec_session_bus" lineno="204">
<summary>
Acquire service on specified
DBUS session bus.
@@ -95570,8 +95404,8 @@ is the prefix for user_r).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="dbus_all_session_bus_client" lineno="218">
+</template>
+<interface name="dbus_all_session_bus_client" lineno="224">
<summary>
Creating connections to all
DBUS session busses.
@@ -95582,7 +95416,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_spec_session_bus_client" lineno="250">
+<template name="dbus_spec_session_bus_client" lineno="256">
<summary>
Creating connections to specified
DBUS session bus.
@@ -95598,8 +95432,8 @@ is the prefix for user_r).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="dbus_send_all_session_bus" lineno="277">
+</template>
+<interface name="dbus_send_all_session_bus" lineno="283">
<summary>
Send messages to all DBUS
session busses.
@@ -95610,7 +95444,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_send_spec_session_bus" lineno="303">
+<template name="dbus_send_spec_session_bus" lineno="309">
<summary>
Send messages to specified
DBUS session busses.
@@ -95626,8 +95460,8 @@ is the prefix for user_r).
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="dbus_read_config" lineno="322">
+</template>
+<interface name="dbus_read_config" lineno="328">
<summary>
Read dbus configuration content.
</summary>
@@ -95637,7 +95471,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_read_lib_files" lineno="341">
+<interface name="dbus_read_lib_files" lineno="347">
<summary>
Read system dbus lib files.
</summary>
@@ -95647,7 +95481,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_relabel_lib_dirs" lineno="361">
+<interface name="dbus_relabel_lib_dirs" lineno="367">
<summary>
Relabel system dbus lib directory.
</summary>
@@ -95657,7 +95491,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_manage_lib_files" lineno="381">
+<interface name="dbus_manage_lib_files" lineno="387">
<summary>
Create, read, write, and delete
system dbus lib files.
@@ -95668,7 +95502,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_all_session_domain" lineno="407">
+<interface name="dbus_all_session_domain" lineno="413">
<summary>
Allow a application domain to be
started by the specified session bus.
@@ -95685,7 +95519,7 @@ entry point to this domain.
</summary>
</param>
</interface>
-<interface name="dbus_spec_session_domain" lineno="441">
+<template name="dbus_spec_session_domain" lineno="447">
<summary>
Allow a application domain to be
started by the specified session bus.
@@ -95707,8 +95541,8 @@ Type of the program to be used as an
entry point to this domain.
</summary>
</param>
-</interface>
-<interface name="dbus_connect_system_bus" lineno="462">
+</template>
+<interface name="dbus_connect_system_bus" lineno="468">
<summary>
Acquire service on the DBUS system bus.
</summary>
@@ -95718,7 +95552,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_send_system_bus" lineno="481">
+<interface name="dbus_send_system_bus" lineno="487">
<summary>
Send messages to the DBUS system bus.
</summary>
@@ -95728,7 +95562,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_system_bus_unconfined" lineno="500">
+<interface name="dbus_system_bus_unconfined" lineno="506">
<summary>
Unconfined access to DBUS system bus.
</summary>
@@ -95738,7 +95572,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_system_domain" lineno="525">
+<interface name="dbus_system_domain" lineno="531">
<summary>
Create a domain for processes which
can be started by the DBUS system bus.
@@ -95754,7 +95588,7 @@ Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
-<interface name="dbus_use_system_bus_fds" lineno="565">
+<interface name="dbus_use_system_bus_fds" lineno="571">
<summary>
Use and inherit DBUS system bus
file descriptors.
@@ -95765,7 +95599,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="584">
+<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="590">
<summary>
Do not audit attempts to read and
write DBUS system bus TCP sockets.
@@ -95776,7 +95610,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dbus_watch_system_bus_runtime_dirs" lineno="602">
+<interface name="dbus_watch_system_bus_runtime_dirs" lineno="608">
<summary>
Watch system bus runtime directories.
</summary>
@@ -95786,7 +95620,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_list_system_bus_runtime" lineno="620">
+<interface name="dbus_list_system_bus_runtime" lineno="626">
<summary>
List system bus runtime directories.
</summary>
@@ -95796,7 +95630,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="638">
+<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="644">
<summary>
Watch system bus runtime named sockets.
</summary>
@@ -95806,7 +95640,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="656">
+<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="662">
<summary>
Read system bus runtime named sockets.
</summary>
@@ -95816,7 +95650,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_unconfined" lineno="674">
+<interface name="dbus_unconfined" lineno="680">
<summary>
Unconfined access to DBUS.
</summary>
@@ -95826,7 +95660,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="704">
+<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="710">
<summary>
Create resources in /run or /var/run with the system_dbusd_runtime_t
label. This method is deprecated in favor of the init_daemon_run_dir
@@ -95848,7 +95682,7 @@ Optional file name used for the resource
</summary>
</param>
</interface>
-<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="718">
+<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="724">
<summary>
Create directories with the system_dbusd_runtime_t label
</summary>
@@ -95868,115 +95702,6 @@ over D-Bus. This is needed by openvpn3-linux.
</desc>
</tunable>
</module>
-<module name="dcc" filename="policy/modules/services/dcc.if">
-<summary>Distributed checksum clearinghouse spam filtering.</summary>
-<interface name="dcc_domtrans_cdcc" lineno="13">
-<summary>
-Execute cdcc in the cdcc domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="dcc_run_cdcc" lineno="40">
-<summary>
-Execute cdcc in the cdcc domain, and
-allow the specified role the
-cdcc domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<interface name="dcc_domtrans_client" lineno="60">
-<summary>
-Execute dcc client in the dcc
-client domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="dcc_signal_client" lineno="79">
-<summary>
-Send generic signals to dcc client.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="dcc_run_client" lineno="105">
-<summary>
-Execute dcc client in the dcc
-client domain, and allow the
-specified role the dcc client domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<interface name="dcc_domtrans_dbclean" lineno="124">
-<summary>
-Execute dbclean in the dcc dbclean domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="dcc_run_dbclean" lineno="151">
-<summary>
-Execute dbclean in the dcc dbclean
-domain, and allow the specified
-role the dcc dbclean domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<interface name="dcc_stream_connect_dccifd" lineno="171">
-<summary>
-Connect to dccifd over a unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-</module>
<module name="ddclient" filename="policy/modules/services/ddclient.if">
<summary>Update dynamic IP address at DynDNS.org.</summary>
<interface name="ddclient_domtrans" lineno="13">
@@ -96025,46 +95750,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="denyhosts" filename="policy/modules/services/denyhosts.if">
-<summary>SSH dictionary attack mitigation.</summary>
-<interface name="denyhosts_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run denyhosts.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="denyhosts_initrc_domtrans" lineno="33">
-<summary>
-Execute denyhost server in the
-denyhost domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="denyhosts_admin" lineno="57">
-<summary>
-All of the rules required to
-administrate an denyhosts environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-</interface>
-</module>
<module name="devicekit" filename="policy/modules/services/devicekit.if">
<summary>Devicekit modular hardware abstraction layer.</summary>
<interface name="devicekit_domtrans" lineno="13">
@@ -96818,57 +96503,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="dspam" filename="policy/modules/services/dspam.if">
-<summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
-<interface name="dspam_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run dspam.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="dspam_stream_connect" lineno="33">
-<summary>
-Connect to dspam using a unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="dspam_admin" lineno="60">
-<summary>
-All of the rules required to
-administrate an dspam environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<tunable name="allow_httpd_dspam_script_anon_write" dftval="false">
-<desc>
-<p>
-Determine whether the script domain can
-modify public files used for public file
-transfer services. Directories/Files must
-be labeled public_content_rw_t.
-</p>
-</desc>
-</tunable>
-</module>
<module name="entropyd" filename="policy/modules/services/entropyd.if">
<summary>Generate entropy from audio input.</summary>
<interface name="entropyd_admin" lineno="20">
@@ -97665,7 +97299,7 @@ Role allowed access.
</module>
<module name="git" filename="policy/modules/services/git.if">
<summary>GIT revision control system.</summary>
-<template name="git_role" lineno="18">
+<interface name="git_role" lineno="18">
<summary>
Role access for Git session.
</summary>
@@ -97679,8 +97313,29 @@ Role allowed access.
User domain for the role.
</summary>
</param>
+</interface>
+<template name="git_client_role_template" lineno="71">
+<summary>
+Role access for Git client.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
</template>
-<interface name="git_read_generic_sys_content_files" lineno="60">
+<interface name="git_read_generic_sys_content_files" lineno="127">
<summary>
Read generic system content files.
</summary>
@@ -97764,6 +97419,15 @@ can access nfs file systems.
</p>
</desc>
</tunable>
+<tunable name="git_client_manage_all_user_home_content" dftval="false">
+<desc>
+<p>
+Determine whether Git client domains
+can manage all user home content,
+including application-specific data.
+</p>
+</desc>
+</tunable>
<tunable name="allow_httpd_git_script_anon_write" dftval="false">
<desc>
<p>
@@ -98205,7 +97869,7 @@ Domain prefix to be used.
</summary>
</param>
</template>
-<interface name="hadoop_role" lineno="107">
+<interface name="hadoop_role" lineno="109">
<summary>
Role access for hadoop.
</summary>
@@ -98221,7 +97885,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="hadoop_domtrans" lineno="139">
+<interface name="hadoop_domtrans" lineno="141">
<summary>
Execute hadoop in the
hadoop domain.
@@ -98232,7 +97896,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom" lineno="158">
+<interface name="hadoop_recvfrom" lineno="160">
<summary>
Receive from hadoop peer.
</summary>
@@ -98242,7 +97906,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_domtrans_zookeeper_client" lineno="177">
+<interface name="hadoop_domtrans_zookeeper_client" lineno="179">
<summary>
Execute zookeeper client in the
zookeeper client domain.
@@ -98253,7 +97917,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_zookeeper_client" lineno="196">
+<interface name="hadoop_recvfrom_zookeeper_client" lineno="198">
<summary>
Receive from zookeeper peer.
</summary>
@@ -98263,7 +97927,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_domtrans_zookeeper_server" lineno="215">
+<interface name="hadoop_domtrans_zookeeper_server" lineno="217">
<summary>
Execute zookeeper server in the
zookeeper server domain.
@@ -98274,7 +97938,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_zookeeper_server" lineno="234">
+<interface name="hadoop_recvfrom_zookeeper_server" lineno="236">
<summary>
Receive from zookeeper server peer.
</summary>
@@ -98284,7 +97948,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="253">
+<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="255">
<summary>
Execute zookeeper server in the
zookeeper domain.
@@ -98295,7 +97959,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_datanode" lineno="271">
+<interface name="hadoop_recvfrom_datanode" lineno="273">
<summary>
Receive from datanode peer.
</summary>
@@ -98305,7 +97969,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_read_config" lineno="289">
+<interface name="hadoop_read_config" lineno="291">
<summary>
Read hadoop configuration files.
</summary>
@@ -98315,7 +97979,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_exec_config" lineno="308">
+<interface name="hadoop_exec_config" lineno="310">
<summary>
Execute hadoop configuration files.
</summary>
@@ -98325,7 +97989,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_jobtracker" lineno="327">
+<interface name="hadoop_recvfrom_jobtracker" lineno="329">
<summary>
Receive from jobtracker peer.
</summary>
@@ -98335,7 +97999,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_match_lan_spd" lineno="345">
+<interface name="hadoop_match_lan_spd" lineno="347">
<summary>
Match hadoop lan association.
</summary>
@@ -98345,7 +98009,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_namenode" lineno="363">
+<interface name="hadoop_recvfrom_namenode" lineno="365">
<summary>
Receive from namenode peer.
</summary>
@@ -98355,7 +98019,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_secondarynamenode" lineno="381">
+<interface name="hadoop_recvfrom_secondarynamenode" lineno="383">
<summary>
Receive from secondary namenode peer.
</summary>
@@ -98365,7 +98029,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_tasktracker" lineno="399">
+<interface name="hadoop_recvfrom_tasktracker" lineno="401">
<summary>
Receive from tasktracker peer.
</summary>
@@ -98375,7 +98039,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_admin" lineno="424">
+<interface name="hadoop_admin" lineno="426">
<summary>
All of the rules required to
administrate an hadoop environment.
@@ -98436,36 +98100,6 @@ Role allowed access.
<module name="hostapd" filename="policy/modules/services/hostapd.if">
<summary>IEEE 802.11 wireless LAN Host AP daemon.</summary>
</module>
-<module name="howl" filename="policy/modules/services/howl.if">
-<summary>Port of Apple Rendezvous multicast DNS.</summary>
-<interface name="howl_signal" lineno="13">
-<summary>
-Send generic signals to howl.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="howl_admin" lineno="38">
-<summary>
-All of the rules required to
-administrate an howl environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="hypervkvp" filename="policy/modules/services/hypervkvp.if">
<summary>HyperV key value pair (KVP).</summary>
<interface name="hypervkvp_admin" lineno="20">
@@ -98695,9 +98329,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="imaze" filename="policy/modules/services/imaze.if">
-<summary>iMaze game server.</summary>
-</module>
<module name="inetd" filename="policy/modules/services/inetd.if">
<summary>Internet services daemon.</summary>
<interface name="inetd_core_service_domain" lineno="27">
@@ -99088,9 +98719,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="jockey" filename="policy/modules/services/jockey.if">
-<summary>Jockey driver manager.</summary>
-</module>
<module name="kerberos" filename="policy/modules/services/kerberos.if">
<summary>MIT Kerberos admin and KDC.</summary>
<interface name="kerberos_exec_kadmind" lineno="13">
@@ -99515,9 +99143,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="ktalk" filename="policy/modules/services/ktalk.if">
-<summary>KDE Talk daemon.</summary>
-</module>
<module name="l2tp" filename="policy/modules/services/l2tp.if">
<summary>Layer 2 Tunneling Protocol.</summary>
<interface name="l2tpd_dgram_send" lineno="14">
@@ -100107,37 +99732,6 @@ Domain allowed to transition.
</param>
</interface>
</module>
-<module name="mailscanner" filename="policy/modules/services/mailscanner.if">
-<summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
-<interface name="mscan_manage_spool_content" lineno="14">
-<summary>
-Create, read, write, and delete
-mscan spool content.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="mscan_admin" lineno="41">
-<summary>
-All of the rules required to
-administrate an mscan environment
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="mediawiki" filename="policy/modules/services/mediawiki.if">
<summary>Open source wiki package written in PHP.</summary>
<tunable name="allow_httpd_mediawiki_script_anon_write" dftval="false">
@@ -101177,7 +100771,27 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="mta_dontaudit_read_spool_symlinks" lineno="803">
+<interface name="mta_list_spool" lineno="802">
+<summary>
+Allow listing the mail spool.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_read_spool_symlinks" lineno="820">
+<summary>
+Allow reading mail spool symlinks.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="mta_dontaudit_read_spool_symlinks" lineno="839">
<summary>
Do not audit attempts to read
mail spool symlinks.
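Review bot: The two interfaces added in this hunk, `mta_list_spool` and `mta_read_spool_symlinks`, describe their `domain` parameter as `Domain to not audit.`, although both summaries say they allow access (listing the mail spool, reading spool symlinks). The wording looks copied from the neighbouring `mta_dontaudit_read_spool_symlinks`. For an access-granting interface the parameter text should read `Domain allowed access.`, as it does for `mta_getattr_spool` and the other allow interfaces in this module. Because this file is generated, the correction presumably belongs in the mta interface source it is built from, followed by a regeneration. Left as is, a policy author skimming the docs could mistake these for dontaudit rules and grant spool access unintentionally.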
@@ -101188,7 +100802,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="mta_getattr_spool" lineno="821">
+<interface name="mta_getattr_spool" lineno="857">
<summary>
Get attributes of mail spool content.
</summary>
@@ -101198,7 +100812,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_dontaudit_getattr_spool_files" lineno="843">
+<interface name="mta_dontaudit_getattr_spool_files" lineno="879">
<summary>
Do not audit attempts to get
attributes of mail spool files.
@@ -101209,7 +100823,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="mta_spool_filetrans" lineno="881">
+<interface name="mta_spool_filetrans" lineno="917">
<summary>
Create specified objects in the
mail spool directory with a
@@ -101236,7 +100850,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="mta_read_spool_files" lineno="900">
+<interface name="mta_read_spool_files" lineno="936">
<summary>
Read mail spool files.
</summary>
@@ -101246,7 +100860,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_rw_spool" lineno="920">
+<interface name="mta_rw_spool" lineno="956">
<summary>
Read and write mail spool files.
</summary>
@@ -101256,7 +100870,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_append_spool" lineno="941">
+<interface name="mta_append_spool" lineno="977">
<summary>
Create, read, and write mail spool files.
</summary>
@@ -101266,7 +100880,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_delete_spool" lineno="962">
+<interface name="mta_delete_spool" lineno="998">
<summary>
Delete mail spool files.
</summary>
@@ -101276,7 +100890,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_manage_spool" lineno="982">
+<interface name="mta_manage_spool" lineno="1018">
<summary>
Create, read, write, and delete
mail spool content.
@@ -101287,7 +100901,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_watch_spool" lineno="1004">
+<interface name="mta_watch_spool" lineno="1040">
<summary>
Watch mail spool content.
</summary>
@@ -101297,7 +100911,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_queue_filetrans" lineno="1039">
+<interface name="mta_queue_filetrans" lineno="1075">
<summary>
Create specified objects in the
mail queue spool directory with a
@@ -101324,7 +100938,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="mta_search_queue" lineno="1058">
+<interface name="mta_search_queue" lineno="1094">
<summary>
Search mail queue directories.
</summary>
@@ -101334,7 +100948,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_list_queue" lineno="1077">
+<interface name="mta_list_queue" lineno="1113">
<summary>
List mail queue directories.
</summary>
@@ -101344,7 +100958,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_read_queue" lineno="1096">
+<interface name="mta_read_queue" lineno="1132">
<summary>
Read mail queue files.
</summary>
@@ -101354,7 +100968,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_dontaudit_rw_queue" lineno="1116">
+<interface name="mta_dontaudit_rw_queue" lineno="1152">
<summary>
Do not audit attempts to read and
write mail queue content.
@@ -101365,7 +100979,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="mta_manage_queue" lineno="1136">
+<interface name="mta_manage_queue" lineno="1172">
<summary>
Create, read, write, and delete
mail queue content.
@@ -101376,7 +100990,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_read_sendmail_bin" lineno="1156">
+<interface name="mta_read_sendmail_bin" lineno="1192">
<summary>
Read sendmail binary.
</summary>
@@ -101386,7 +101000,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_rw_user_mail_stream_sockets" lineno="1175">
+<interface name="mta_rw_user_mail_stream_sockets" lineno="1211">
<summary>
Read and write unix domain stream
sockets of all base mail domains.
@@ -102978,37 +102592,6 @@ The name of the object being created.
</param>
</interface>
</module>
-<module name="oav" filename="policy/modules/services/oav.if">
-<summary>Open AntiVirus scannerdaemon and signature update.</summary>
-<interface name="oav_domtrans_update" lineno="13">
-<summary>
-Execute oav_update in the oav_update domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="oav_run_update" lineno="40">
-<summary>
-Execute oav_update in the oav update
-domain, and allow the specified role
-the oav_update domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="obex" filename="policy/modules/services/obex.if">
<summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
<template name="obex_role_template" lineno="24">
@@ -104061,107 +103644,6 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="polipo" filename="policy/modules/services/polipo.if">
-<summary>Lightweight forwarding and caching proxy server.</summary>
-<template name="polipo_role" lineno="18">
-<summary>
-Role access for Polipo session.
-</summary>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<param name="domain">
-<summary>
-User domain for the role.
-</summary>
-</param>
-</template>
-<interface name="polipo_initrc_domtrans" lineno="64">
-<summary>
-Execute Polipo in the Polipo
-system domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="polipo_log_filetrans_log" lineno="94">
-<summary>
-Create specified objects in generic
-log directories with the polipo
-log file type.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="object_class">
-<summary>
-Class of the object being created.
-</summary>
-</param>
-<param name="name" optional="true">
-<summary>
-The name of the object being created.
-</summary>
-</param>
-</interface>
-<interface name="polipo_admin" lineno="119">
-<summary>
-All of the rules required to
-administrate an polipo environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<tunable name="polipo_system_use_cifs" dftval="false">
-<desc>
-<p>
-Determine whether Polipo system
-daemon can access CIFS file systems.
-</p>
-</desc>
-</tunable>
-<tunable name="polipo_system_use_nfs" dftval="false">
-<desc>
-<p>
-Determine whether Polipo system
-daemon can access NFS file systems.
-</p>
-</desc>
-</tunable>
-<tunable name="polipo_session_users" dftval="false">
-<desc>
-<p>
-Determine whether calling user domains
-can execute Polipo daemon in the
-polipo_session_t domain.
-</p>
-</desc>
-</tunable>
-<tunable name="polipo_session_send_syslog_msg" dftval="false">
-<desc>
-<p>
-Determine whether Polipo session daemon
-can send syslog messages.
-</p>
-</desc>
-</tunable>
-</module>
<module name="portmap" filename="policy/modules/services/portmap.if">
<summary>RPC port mapping service.</summary>
<interface name="portmap_domtrans_helper" lineno="13">
@@ -105747,26 +105229,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="pyicqt" filename="policy/modules/services/pyicqt.if">
-<summary>ICQ transport for XMPP server.</summary>
-<interface name="pyicqt_admin" lineno="20">
-<summary>
-All of the rules required to
-administrate an pyicqt environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="pyzor" filename="policy/modules/services/pyzor.if">
<summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
<interface name="pyzor_role" lineno="18">
@@ -106280,322 +105742,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="rgmanager" filename="policy/modules/services/rgmanager.if">
-<summary>Resource Group Manager.</summary>
-<interface name="rgmanager_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run rgmanager.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rgmanager_stream_connect" lineno="33">
-<summary>
-Connect to rgmanager with a unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rgmanager_manage_tmp_files" lineno="53">
-<summary>
-Create, read, write, and delete
-rgmanager tmp files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rgmanager_manage_tmpfs_files" lineno="73">
-<summary>
-Create, read, write, and delete
-rgmanager tmpfs files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rgmanager_admin" lineno="99">
-<summary>
-All of the rules required to
-administrate an rgmanager environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<tunable name="rgmanager_can_network_connect" dftval="false">
-<desc>
-<p>
-Determine whether rgmanager can
-connect to the network using TCP.
-</p>
-</desc>
-</tunable>
-</module>
-<module name="rhcs" filename="policy/modules/services/rhcs.if">
-<summary>Red Hat Cluster Suite.</summary>
-<template name="rhcs_domain_template" lineno="13">
-<summary>
-The template to define a rhcs domain.
-</summary>
-<param name="domain_prefix">
-<summary>
-Domain prefix to be used.
-</summary>
-</param>
-</template>
-<interface name="rhcs_domtrans_dlm_controld" lineno="75">
-<summary>
-Execute a domain transition to
-run dlm_controld.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_getattr_fenced_exec_files" lineno="95">
-<summary>
-Get attributes of fenced
-executable files.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_stream_connect_dlm_controld" lineno="114">
-<summary>
-Connect to dlm_controld with a
-unix domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_dlm_controld_semaphores" lineno="133">
-<summary>
-Read and write dlm_controld semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_domtrans_fenced" lineno="154">
-<summary>
-Execute a domain transition to run fenced.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_fenced_semaphores" lineno="173">
-<summary>
-Read and write fenced semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_stream_connect_cluster" lineno="195">
-<summary>
-Connect to all cluster domains
-with a unix domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_stream_connect_fenced" lineno="215">
-<summary>
-Connect to fenced with an unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_domtrans_gfs_controld" lineno="235">
-<summary>
-Execute a domain transition
-to run gfs_controld.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_gfs_controld_semaphores" lineno="254">
-<summary>
-Read and write gfs_controld semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_gfs_controld_shm" lineno="275">
-<summary>
-Read and write gfs_controld_t shared memory.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_stream_connect_gfs_controld" lineno="297">
-<summary>
-Connect to gfs_controld_t with
-a unix domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_domtrans_groupd" lineno="316">
-<summary>
-Execute a domain transition to run groupd.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_stream_connect_groupd" lineno="336">
-<summary>
-Connect to groupd with a unix
-domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_cluster_shm" lineno="356">
-<summary>
-Read and write all cluster domains
-shared memory.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_cluster_semaphores" lineno="378">
-<summary>
-Read and write all cluster
-domains semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_groupd_semaphores" lineno="396">
-<summary>
-Read and write groupd semaphores.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_rw_groupd_shm" lineno="417">
-<summary>
-Read and write groupd shared memory.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_domtrans_qdiskd" lineno="438">
-<summary>
-Execute a domain transition to run qdiskd.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="rhcs_admin" lineno="464">
-<summary>
-All of the rules required to
-administrate an rhcs environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-<tunable name="fenced_can_network_connect" dftval="false">
-<desc>
-<p>
-Determine whether fenced can
-connect to the TCP network.
-</p>
-</desc>
-</tunable>
-<tunable name="fenced_can_ssh" dftval="false">
-<desc>
-<p>
-Determine whether fenced can use ssh.
-</p>
-</desc>
-</tunable>
-</module>
<module name="rhsmcertd" filename="policy/modules/services/rhsmcertd.if">
<summary>Subscription Management Certificate Daemon.</summary>
<interface name="rhsmcertd_domtrans" lineno="13">
@@ -106755,124 +105901,6 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="ricci" filename="policy/modules/services/ricci.if">
-<summary>Ricci cluster management agent.</summary>
-<interface name="ricci_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run ricci.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_domtrans_modcluster" lineno="33">
-<summary>
-Execute a domain transition to
-run ricci modcluster.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_dontaudit_use_modcluster_fds" lineno="53">
-<summary>
-Do not audit attempts to use
-ricci modcluster file descriptors.
-</summary>
-<param name="domain">
-<summary>
-Domain to not audit.
-</summary>
-</param>
-</interface>
-<interface name="ricci_dontaudit_rw_modcluster_pipes" lineno="72">
-<summary>
-Do not audit attempts to read write
-ricci modcluster unnamed pipes.
-</summary>
-<param name="domain">
-<summary>
-Domain to not audit.
-</summary>
-</param>
-</interface>
-<interface name="ricci_stream_connect_modclusterd" lineno="91">
-<summary>
-Connect to ricci_modclusterd with
-a unix domain stream socket.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-</interface>
-<interface name="ricci_domtrans_modlog" lineno="111">
-<summary>
-Execute a domain transition to
-run ricci modlog.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_domtrans_modrpm" lineno="131">
-<summary>
-Execute a domain transition to
-run ricci modrpm.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_domtrans_modservice" lineno="151">
-<summary>
-Execute a domain transition to
-run ricci modservice.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_domtrans_modstorage" lineno="171">
-<summary>
-Execute a domain transition to
-run ricci modstorage.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="ricci_admin" lineno="197">
-<summary>
-All of the rules required to
-administrate an ricci environment.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
-</interface>
-</module>
<module name="rlogin" filename="policy/modules/services/rlogin.if">
<summary>Remote login daemon.</summary>
<interface name="rlogin_domtrans" lineno="13">
@@ -106885,7 +105913,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<template name="rlogin_read_home_content" lineno="32">
+<interface name="rlogin_read_home_content" lineno="32">
<summary>
Read rlogin user home content.
</summary>
@@ -106894,7 +105922,7 @@ Read rlogin user home content.
Domain allowed access.
</summary>
</param>
-</template>
+</interface>
<interface name="rlogin_manage_rlogind_home_files" lineno="54">
<summary>
Create, read, write, and delete
@@ -109508,7 +108536,7 @@ is the prefix for sshd_t).
</summary>
</param>
</template>
-<template name="ssh_role_template" lineno="298">
+<template name="ssh_role_template" lineno="299">
<summary>
Role access for ssh
</summary>
@@ -109529,7 +108557,7 @@ User domain for the role
</summary>
</param>
</template>
-<interface name="ssh_sigchld" lineno="455">
+<interface name="ssh_sigchld" lineno="456">
<summary>
Send a SIGCHLD signal to the ssh server.
</summary>
@@ -109539,7 +108567,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_signal" lineno="473">
+<interface name="ssh_signal" lineno="474">
<summary>
Send a generic signal to the ssh server.
</summary>
@@ -109549,7 +108577,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_signull" lineno="491">
+<interface name="ssh_signull" lineno="492">
<summary>
Send a null signal to sshd processes.
</summary>
@@ -109559,7 +108587,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_read_pipes" lineno="509">
+<interface name="ssh_read_pipes" lineno="510">
<summary>
Read a ssh server unnamed pipe.
</summary>
@@ -109569,7 +108597,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_rw_pipes" lineno="526">
+<interface name="ssh_rw_pipes" lineno="527">
<summary>
Read and write a ssh server unnamed pipe.
</summary>
@@ -109579,7 +108607,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_rw_stream_sockets" lineno="544">
+<interface name="ssh_rw_stream_sockets" lineno="545">
<summary>
Read and write ssh server unix domain stream sockets.
</summary>
@@ -109589,7 +108617,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_rw_tcp_sockets" lineno="562">
+<interface name="ssh_rw_tcp_sockets" lineno="563">
<summary>
Read and write ssh server TCP sockets.
</summary>
@@ -109599,7 +108627,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="581">
+<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="582">
<summary>
Do not audit attempts to read and write
ssh server TCP sockets.
@@ -109610,7 +108638,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="ssh_exec_sshd" lineno="599">
+<interface name="ssh_exec_sshd" lineno="600">
<summary>
Execute the ssh daemon in the caller domain.
</summary>
@@ -109620,7 +108648,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_domtrans" lineno="618">
+<interface name="ssh_domtrans" lineno="619">
<summary>
Execute the ssh daemon sshd domain.
</summary>
@@ -109630,7 +108658,17 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="ssh_exec" lineno="636">
+<interface name="ssh_client_domtrans" lineno="637">
+<summary>
+Execute the ssh client in the ssh client domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="ssh_exec" lineno="655">
<summary>
Execute the ssh client in the caller domain.
</summary>
@@ -109640,7 +108678,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_setattr_key_files" lineno="655">
+<interface name="ssh_setattr_key_files" lineno="674">
<summary>
Set the attributes of sshd key files.
</summary>
@@ -109650,7 +108688,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_agent_exec" lineno="674">
+<interface name="ssh_agent_exec" lineno="693">
<summary>
Execute the ssh agent client in the caller domain.
</summary>
@@ -109660,7 +108698,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_read_user_home_files" lineno="693">
+<interface name="ssh_read_user_home_files" lineno="712">
<summary>
Read ssh home directory content
</summary>
@@ -109670,7 +108708,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_domtrans_keygen" lineno="714">
+<interface name="ssh_domtrans_keygen" lineno="733">
<summary>
Execute the ssh key generator in the ssh keygen domain.
</summary>
@@ -109680,7 +108718,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="ssh_dontaudit_read_server_keys" lineno="732">
+<interface name="ssh_dontaudit_read_server_keys" lineno="751">
<summary>
Read ssh server keys
</summary>
@@ -109690,7 +108728,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="ssh_manage_home_files" lineno="750">
+<interface name="ssh_manage_home_files" lineno="769">
<summary>
Manage ssh home directory content
</summary>
@@ -109700,7 +108738,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_delete_tmp" lineno="769">
+<interface name="ssh_delete_tmp" lineno="788">
<summary>
Delete from the ssh temp files.
</summary>
@@ -109710,7 +108748,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ssh_dontaudit_agent_tmp" lineno="788">
+<interface name="ssh_dontaudit_agent_tmp" lineno="807">
<summary>
dontaudit access to ssh agent tmp dirs
</summary>
@@ -112854,7 +111892,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_manage_core_devices" lineno="1560">
+<interface name="xserver_manage_core_devices" lineno="1561">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain. Gives the domain permission to read the
@@ -112866,7 +111904,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_unconfined" lineno="1583">
+<interface name="xserver_unconfined" lineno="1584">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain. Gives the domain complete control over the
@@ -112878,7 +111916,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_rw_xdm_keys" lineno="1603">
+<interface name="xserver_rw_xdm_keys" lineno="1604">
<summary>
Manage keys for xdm.
</summary>
@@ -112888,7 +111926,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_link_xdm_keys" lineno="1621">
+<interface name="xserver_link_xdm_keys" lineno="1622">
<summary>
Manage keys for xdm.
</summary>
@@ -112898,7 +111936,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_rw_mesa_shader_cache" lineno="1639">
+<interface name="xserver_rw_mesa_shader_cache" lineno="1640">
<summary>
Read and write the mesa shader cache.
</summary>
@@ -112908,7 +111946,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="xserver_manage_mesa_shader_cache" lineno="1660">
+<interface name="xserver_manage_mesa_shader_cache" lineno="1661">
<summary>
Manage the mesa shader cache.
</summary>
@@ -113353,7 +112391,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_use_pam_systemd" lineno="99">
+<interface name="auth_use_pam_systemd" lineno="92">
<summary>
Use the pam module systemd during authentication.
</summary>
@@ -113363,7 +112401,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_use_pam_motd_dynamic" lineno="117">
+<interface name="auth_use_pam_motd_dynamic" lineno="110">
<summary>
Use the pam module motd with dynamic support during authentication.
This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
@@ -113375,7 +112413,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_login_pgm_domain" lineno="141">
+<interface name="auth_login_pgm_domain" lineno="134">
<summary>
Make the specified domain used for a login program.
</summary>
@@ -113385,7 +112423,7 @@ Domain type used for a login program domain.
</summary>
</param>
</interface>
-<interface name="auth_login_entry_type" lineno="228">
+<interface name="auth_login_entry_type" lineno="221">
<summary>
Use the login program as an entry point program.
</summary>
@@ -113395,7 +112433,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_login_program" lineno="251">
+<interface name="auth_domtrans_login_program" lineno="244">
<summary>
Execute a login_program in the target domain.
</summary>
@@ -113410,7 +112448,7 @@ The type of the login_program process.
</summary>
</param>
</interface>
-<interface name="auth_ranged_domtrans_login_program" lineno="281">
+<interface name="auth_ranged_domtrans_login_program" lineno="274">
<summary>
Execute a login_program in the target domain,
with a range transition.
@@ -113431,7 +112469,7 @@ Range of the login program.
</summary>
</param>
</interface>
-<interface name="auth_search_cache" lineno="307">
+<interface name="auth_search_cache" lineno="300">
<summary>
Search authentication cache
</summary>
@@ -113441,7 +112479,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_cache" lineno="325">
+<interface name="auth_read_cache" lineno="318">
<summary>
Read authentication cache
</summary>
@@ -113451,7 +112489,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_rw_cache" lineno="343">
+<interface name="auth_rw_cache" lineno="336">
<summary>
Read/Write authentication cache
</summary>
@@ -113461,7 +112499,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_cache" lineno="361">
+<interface name="auth_manage_cache" lineno="354">
<summary>
Manage authentication cache
</summary>
@@ -113471,7 +112509,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_var_filetrans_cache" lineno="380">
+<interface name="auth_var_filetrans_cache" lineno="373">
<summary>
Automatic transition from cache_t to cache.
</summary>
@@ -113481,7 +112519,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_chk_passwd" lineno="398">
+<interface name="auth_domtrans_chk_passwd" lineno="391">
<summary>
Run unix_chkpwd to check a password.
</summary>
@@ -113491,7 +112529,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_chkpwd" lineno="446">
+<interface name="auth_domtrans_chkpwd" lineno="435">
<summary>
Run unix_chkpwd to check a password.
Stripped down version to be called within boolean
@@ -113502,7 +112540,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_run_chk_passwd" lineno="472">
+<interface name="auth_run_chk_passwd" lineno="457">
<summary>
Execute chkpwd programs in the chkpwd domain.
</summary>
@@ -113517,7 +112555,7 @@ The role to allow the chkpwd domain.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_upd_passwd" lineno="491">
+<interface name="auth_domtrans_upd_passwd" lineno="476">
<summary>
Execute a domain transition to run unix_update.
</summary>
@@ -113527,7 +112565,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_run_upd_passwd" lineno="516">
+<interface name="auth_run_upd_passwd" lineno="501">
<summary>
Execute updpwd programs in the updpwd domain.
</summary>
@@ -113542,7 +112580,7 @@ The role to allow the updpwd domain.
</summary>
</param>
</interface>
-<interface name="auth_getattr_shadow" lineno="535">
+<interface name="auth_getattr_shadow" lineno="520">
<summary>
Get the attributes of the shadow passwords file.
</summary>
@@ -113552,7 +112590,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_dontaudit_getattr_shadow" lineno="555">
+<interface name="auth_dontaudit_getattr_shadow" lineno="540">
<summary>
Do not audit attempts to get the attributes
of the shadow passwords file.
@@ -113563,7 +112601,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_read_shadow" lineno="577">
+<interface name="auth_read_shadow" lineno="562">
<summary>
Read the shadow passwords file (/etc/shadow)
</summary>
@@ -113573,7 +112611,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_map_shadow" lineno="592">
+<interface name="auth_map_shadow" lineno="577">
<summary>
Map the shadow passwords file (/etc/shadow)
</summary>
@@ -113583,7 +112621,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_can_read_shadow_passwords" lineno="618">
+<interface name="auth_can_read_shadow_passwords" lineno="603">
<summary>
Pass shadow assertion for reading.
</summary>
@@ -113602,7 +112640,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_tunable_read_shadow" lineno="644">
+<interface name="auth_tunable_read_shadow" lineno="629">
<summary>
Read the shadow password file.
</summary>
@@ -113620,7 +112658,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_dontaudit_read_shadow" lineno="664">
+<interface name="auth_dontaudit_read_shadow" lineno="649">
<summary>
Do not audit attempts to read the shadow
password file (/etc/shadow).
@@ -113631,7 +112669,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_rw_shadow" lineno="682">
+<interface name="auth_rw_shadow" lineno="667">
<summary>
Read and write the shadow password file (/etc/shadow).
</summary>
@@ -113641,7 +112679,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_shadow" lineno="704">
+<interface name="auth_manage_shadow" lineno="690">
<summary>
Create, read, write, and delete the shadow
password file.
@@ -113652,7 +112690,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_etc_filetrans_shadow" lineno="729">
+<interface name="auth_etc_filetrans_shadow" lineno="716">
<summary>
Automatic transition from etc to shadow.
</summary>
@@ -113667,7 +112705,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="auth_relabelto_shadow" lineno="748">
+<interface name="auth_relabelto_shadow" lineno="735">
<summary>
Relabel to the shadow
password file type.
@@ -113678,7 +112716,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_relabel_shadow" lineno="770">
+<interface name="auth_relabel_shadow" lineno="757">
<summary>
Relabel from and to the shadow
password file type.
@@ -113689,7 +112727,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_append_faillog" lineno="791">
+<interface name="auth_rw_shadow_lock" lineno="778">
+<summary>
+Read/Write shadow lock files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="auth_append_faillog" lineno="796">
<summary>
Append to the login failure log.
</summary>
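Review bot: The summary for the new `auth_rw_shadow_lock` interface, "Read/Write shadow lock files.", does not say which files it covers, while neighbouring entries name theirs (`/etc/shadow`, `/run/faillock`). A policy author deciding whether to grant write access on a lock tied to the password database needs that detail; something like `Read and write the shadow lock files (<lock file path>).` would match the `auth_rw_shadow` wording. Since doc/policy.xml is generated, the change would have to go in the interface's comment block in the policy source, which is not visible here.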
@@ -113699,7 +112747,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_create_faillog_files" lineno="810">
+<interface name="auth_create_faillog_files" lineno="815">
<summary>
Create fail log lock (in /run/faillock).
</summary>
@@ -113709,7 +112757,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_rw_faillog" lineno="828">
+<interface name="auth_rw_faillog" lineno="833">
<summary>
Read and write the login failure log.
</summary>
@@ -113719,7 +112767,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_faillog" lineno="847">
+<interface name="auth_manage_faillog" lineno="852">
<summary>
Manage the login failure logs.
</summary>
@@ -113729,7 +112777,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_setattr_faillog_files" lineno="866">
+<interface name="auth_setattr_faillog_files" lineno="871">
<summary>
Setattr the login failure logs.
</summary>
@@ -113739,7 +112787,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_lastlog" lineno="885">
+<interface name="auth_read_lastlog" lineno="890">
<summary>
Read the last logins log.
</summary>
@@ -113750,7 +112798,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="auth_append_lastlog" lineno="904">
+<interface name="auth_append_lastlog" lineno="909">
<summary>
Append only to the last logins log.
</summary>
@@ -113760,7 +112808,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_relabel_lastlog" lineno="923">
+<interface name="auth_relabel_lastlog" lineno="928">
<summary>
relabel the last logins log.
</summary>
@@ -113770,7 +112818,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_rw_lastlog" lineno="942">
+<interface name="auth_rw_lastlog" lineno="947">
<summary>
Read and write to the last logins log.
</summary>
@@ -113780,7 +112828,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_lastlog" lineno="961">
+<interface name="auth_manage_lastlog" lineno="966">
<summary>
Manage the last logins log.
</summary>
@@ -113790,7 +112838,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_pam" lineno="980">
+<interface name="auth_domtrans_pam" lineno="985">
<summary>
Execute pam programs in the pam domain.
</summary>
@@ -113800,7 +112848,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_signal_pam" lineno="998">
+<interface name="auth_signal_pam" lineno="1003">
<summary>
Send generic signals to pam processes.
</summary>
@@ -113810,7 +112858,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_run_pam" lineno="1021">
+<interface name="auth_run_pam" lineno="1026">
<summary>
Execute pam programs in the PAM domain.
</summary>
@@ -113825,7 +112873,7 @@ The role to allow the PAM domain.
</summary>
</param>
</interface>
-<interface name="auth_exec_pam" lineno="1040">
+<interface name="auth_exec_pam" lineno="1045">
<summary>
Execute the pam program.
</summary>
@@ -113835,7 +112883,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_var_auth" lineno="1059">
+<interface name="auth_read_var_auth" lineno="1064">
<summary>
Read var auth files. Used by various other applications
and pam applets etc.
@@ -113846,7 +112894,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_rw_var_auth" lineno="1079">
+<interface name="auth_rw_var_auth" lineno="1084">
<summary>
Read and write var auth files. Used by various other applications
and pam applets etc.
@@ -113857,7 +112905,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_var_auth" lineno="1099">
+<interface name="auth_manage_var_auth" lineno="1104">
<summary>
Manage var auth files. Used by various other applications
and pam applets etc.
@@ -113868,7 +112916,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_pam_pid" lineno="1120">
+<interface name="auth_read_pam_pid" lineno="1125">
<summary>
Read PAM PID files. (Deprecated)
</summary>
@@ -113878,7 +112926,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_dontaudit_read_pam_pid" lineno="1135">
+<interface name="auth_dontaudit_read_pam_pid" lineno="1140">
<summary>
Do not audit attempts to read PAM PID files. (Deprecated)
</summary>
@@ -113888,7 +112936,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_pid_filetrans_pam_var_run" lineno="1163">
+<interface name="auth_pid_filetrans_pam_var_run" lineno="1168">
<summary>
Create specified objects in
pid directories with the pam var
@@ -113911,7 +112959,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="auth_delete_pam_pid" lineno="1178">
+<interface name="auth_delete_pam_pid" lineno="1183">
<summary>
Delete pam PID files. (Deprecated)
</summary>
@@ -113921,7 +112969,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_pam_pid" lineno="1193">
+<interface name="auth_manage_pam_pid" lineno="1198">
<summary>
Manage pam PID files. (Deprecated)
</summary>
@@ -113931,7 +112979,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_pam_runtime_dirs" lineno="1209">
+<interface name="auth_manage_pam_runtime_dirs" lineno="1214">
<summary>
Manage pam runtime dirs.
</summary>
@@ -113941,7 +112989,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_runtime_filetrans_pam_runtime" lineno="1240">
+<interface name="auth_runtime_filetrans_pam_runtime" lineno="1245">
<summary>
Create specified objects in
pid directories with the pam runtime
@@ -113963,7 +113011,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="auth_read_pam_runtime_files" lineno="1258">
+<interface name="auth_read_pam_runtime_files" lineno="1263">
<summary>
Read PAM runtime files.
</summary>
@@ -113973,7 +113021,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1278">
+<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1283">
<summary>
Do not audit attempts to read PAM runtime files.
</summary>
@@ -113983,7 +113031,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_delete_pam_runtime_files" lineno="1296">
+<interface name="auth_delete_pam_runtime_files" lineno="1301">
<summary>
Delete pam runtime files.
</summary>
@@ -113993,7 +113041,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_pam_runtime_files" lineno="1315">
+<interface name="auth_manage_pam_runtime_files" lineno="1320">
<summary>
Create, read, write, and delete pam runtime files.
</summary>
@@ -114003,7 +113051,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_pam_console" lineno="1334">
+<interface name="auth_domtrans_pam_console" lineno="1339">
<summary>
Execute pam_console with a domain transition.
</summary>
@@ -114013,7 +113061,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_search_pam_console_data" lineno="1353">
+<interface name="auth_search_pam_console_data" lineno="1358">
<summary>
Search the contents of the
pam_console data directory.
@@ -114024,7 +113072,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_list_pam_console_data" lineno="1373">
+<interface name="auth_list_pam_console_data" lineno="1378">
<summary>
List the contents of the pam_console
data directory.
@@ -114035,7 +113083,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_create_pam_console_data_dirs" lineno="1392">
+<interface name="auth_create_pam_console_data_dirs" lineno="1397">
<summary>
Create pam var console pid directories.
</summary>
@@ -114045,7 +113093,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_relabel_pam_console_data_dirs" lineno="1411">
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1416">
<summary>
Relabel pam_console data directories.
</summary>
@@ -114055,7 +113103,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_pam_console_data" lineno="1429">
+<interface name="auth_read_pam_console_data" lineno="1434">
<summary>
Read pam_console data files.
</summary>
@@ -114065,7 +113113,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_pam_console_data" lineno="1450">
+<interface name="auth_manage_pam_console_data" lineno="1455">
<summary>
Create, read, write, and delete
pam_console data files.
@@ -114076,7 +113124,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_delete_pam_console_data" lineno="1470">
+<interface name="auth_delete_pam_console_data" lineno="1475">
<summary>
Delete pam_console data.
</summary>
@@ -114086,7 +113134,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_pid_filetrans_pam_var_console" lineno="1503">
+<interface name="auth_pid_filetrans_pam_var_console" lineno="1508">
<summary>
Create specified objects in
pid directories with the pam var
@@ -114109,7 +113157,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="auth_runtime_filetrans_pam_var_console" lineno="1531">
+<interface name="auth_runtime_filetrans_pam_var_console" lineno="1536">
<summary>
Create specified objects in generic
runtime directories with the pam var
@@ -114132,7 +113180,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="auth_domtrans_utempter" lineno="1549">
+<interface name="auth_domtrans_utempter" lineno="1554">
<summary>
Execute utempter programs in the utempter domain.
</summary>
@@ -114142,7 +113190,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="auth_run_utempter" lineno="1572">
+<interface name="auth_run_utempter" lineno="1577">
<summary>
Execute utempter programs in the utempter domain.
</summary>
@@ -114157,7 +113205,7 @@ The role to allow the utempter domain.
</summary>
</param>
</interface>
-<interface name="auth_dontaudit_exec_utempter" lineno="1591">
+<interface name="auth_dontaudit_exec_utempter" lineno="1596">
<summary>
Do not audit attempts to execute utempter executable.
</summary>
@@ -114167,7 +113215,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_setattr_login_records" lineno="1609">
+<interface name="auth_setattr_login_records" lineno="1614">
<summary>
Set the attributes of login record files.
</summary>
@@ -114177,7 +113225,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_read_login_records" lineno="1629">
+<interface name="auth_read_login_records" lineno="1634">
<summary>
Read login records files (/var/log/wtmp).
</summary>
@@ -114188,7 +113236,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="auth_dontaudit_read_login_records" lineno="1650">
+<interface name="auth_dontaudit_read_login_records" lineno="1655">
<summary>
Do not audit attempts to read login records
files (/var/log/wtmp).
@@ -114200,7 +113248,7 @@ Domain to not audit.
</param>
<rolecap/>
</interface>
-<interface name="auth_dontaudit_write_login_records" lineno="1669">
+<interface name="auth_dontaudit_write_login_records" lineno="1674">
<summary>
Do not audit attempts to write to
login records files.
@@ -114211,7 +113259,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="auth_append_login_records" lineno="1687">
+<interface name="auth_append_login_records" lineno="1692">
<summary>
Append to login records (wtmp).
</summary>
@@ -114221,7 +113269,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_write_login_records" lineno="1706">
+<interface name="auth_write_login_records" lineno="1711">
<summary>
Write to login records (wtmp).
</summary>
@@ -114231,7 +113279,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_rw_login_records" lineno="1724">
+<interface name="auth_rw_login_records" lineno="1729">
<summary>
Read and write login records.
</summary>
@@ -114241,7 +113289,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_log_filetrans_login_records" lineno="1744">
+<interface name="auth_log_filetrans_login_records" lineno="1749">
<summary>
Create a login records in the log directory
using a type transition.
@@ -114252,7 +113300,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_manage_login_records" lineno="1763">
+<interface name="auth_manage_login_records" lineno="1768">
<summary>
Create, read, write, and delete login
records files.
@@ -114263,7 +113311,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_relabel_login_records" lineno="1782">
+<interface name="auth_relabel_login_records" lineno="1787">
<summary>
Relabel login record files.
</summary>
@@ -114273,7 +113321,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="auth_use_nsswitch" lineno="1810">
+<interface name="auth_use_nsswitch" lineno="1815">
<summary>
Use nsswitch to look up user, password, group, or
host information.
@@ -114293,7 +113341,7 @@ Domain allowed access.
</param>
<infoflow type="both" weight="10"/>
</interface>
-<interface name="auth_unconfined" lineno="1838">
+<interface name="auth_unconfined" lineno="1843">
<summary>
Unconfined access to the authlogin module.
</summary>
@@ -114313,6 +113361,13 @@ Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="authlogin_pam" dftval="true">
+<desc>
+<p>
+Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+</p>
+</desc>
+</tunable>
<tunable name="authlogin_nsswitch_use_ldap" dftval="false">
<desc>
<p>
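Review bot: The description added for the `authlogin_pam` tunable, "read access /etc/shadow is allowed", drops a preposition and buries the security consequence. Turning the tunable off grants read access to the shadow password file to every domain that normally uses PAM. A clearer wording would be `Allow PAM usage. If disabled, domains that normally use PAM are granted read access to /etc/shadow.`, and it would help to say that the default of `true` is the more restrictive setting. Since doc/policy.xml is generated, the text would have to be fixed at the tunable's declaration in the policy source, which is not visible here.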
@@ -114877,7 +113932,7 @@ Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
-<interface name="init_ranged_domain" lineno="213">
+<interface name="init_ranged_domain" lineno="221">
<summary>
Create a domain which can be started by init,
with a range transition.
@@ -114898,7 +113953,7 @@ Range for the domain.
</summary>
</param>
</interface>
-<interface name="init_spec_daemon_domain" lineno="254">
+<interface name="init_spec_daemon_domain" lineno="262">
<summary>
Setup a domain which can be manually transitioned to from init.
</summary>
@@ -114922,7 +113977,7 @@ Type of the program being executed when starting this domain.
</summary>
</param>
</interface>
-<interface name="init_daemon_domain" lineno="327">
+<interface name="init_daemon_domain" lineno="343">
<summary>
Create a domain for long running processes
(daemons/services) which are started by init scripts.
@@ -114957,7 +114012,7 @@ Type of the program to be used as an entry point to this domain.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="init_ranged_daemon_domain" lineno="415">
+<interface name="init_ranged_daemon_domain" lineno="431">
<summary>
Create a domain for long running processes
(daemons/services) which are started by init scripts,
@@ -114999,7 +114054,7 @@ MLS/MCS range for the domain.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="init_abstract_socket_activation" lineno="446">
+<interface name="init_abstract_socket_activation" lineno="462">
<summary>
Abstract socket service activation (systemd).
</summary>
@@ -115009,7 +114064,7 @@ The domain to be started by systemd socket activation.
</summary>
</param>
</interface>
-<interface name="init_named_socket_activation" lineno="471">
+<interface name="init_named_socket_activation" lineno="487">
<summary>
Named socket service activation (systemd).
</summary>
@@ -115024,7 +114079,7 @@ The domain socket file type.
</summary>
</param>
</interface>
-<interface name="init_system_domain" lineno="522">
+<interface name="init_system_domain" lineno="538">
<summary>
Create a domain for short running processes
which are started by init scripts.
@@ -115061,7 +114116,7 @@ Type of the program to be used as an entry point to this domain.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="init_ranged_system_domain" lineno="584">
+<interface name="init_ranged_system_domain" lineno="600">
<summary>
Create a domain for short running processes
which are started by init scripts.
@@ -115104,7 +114159,7 @@ Range for the domain.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="init_dyntrans" lineno="615">
+<interface name="init_dyntrans" lineno="631">
<summary>
Allow domain dyntransition to init_t domain.
</summary>
@@ -115114,7 +114169,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_daemon_pid_file" lineno="644">
+<interface name="init_daemon_pid_file" lineno="660">
<summary>
Mark the file type as a daemon pid file, allowing initrc_t
to create it (Deprecated)
@@ -115135,7 +114190,7 @@ Filename of the file that the init script creates
</summary>
</param>
</interface>
-<interface name="init_daemon_runtime_file" lineno="671">
+<interface name="init_daemon_runtime_file" lineno="687">
<summary>
Mark the file type as a daemon runtime file, allowing initrc_t
to create it
@@ -115156,7 +114211,7 @@ Filename of the file that the init script creates
</summary>
</param>
</interface>
-<interface name="init_daemon_lock_file" lineno="704">
+<interface name="init_daemon_lock_file" lineno="720">
<summary>
Mark the file type as a daemon lock file, allowing initrc_t
to create it
@@ -115177,7 +114232,7 @@ Filename of the file that the init script creates
</summary>
</param>
</interface>
-<interface name="init_domtrans" lineno="726">
+<interface name="init_domtrans" lineno="742">
<summary>
Execute init (/sbin/init) with a domain transition.
</summary>
@@ -115187,7 +114242,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_pgm_spec_user_daemon_domain" lineno="750">
+<interface name="init_pgm_spec_user_daemon_domain" lineno="766">
<summary>
Execute init (/sbin/init) with a domain transition
to the provided domain.
@@ -115203,7 +114258,7 @@ The type to be used as a systemd --user domain.
</summary>
</param>
</interface>
-<interface name="init_exec" lineno="778">
+<interface name="init_exec" lineno="794">
<summary>
Execute the init program in the caller domain.
</summary>
@@ -115214,7 +114269,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_pgm_entrypoint" lineno="799">
+<interface name="init_pgm_entrypoint" lineno="815">
<summary>
Allow the init program to be an entrypoint
for the specified domain.
@@ -115226,7 +114281,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_exec_rc" lineno="828">
+<interface name="init_exec_rc" lineno="844">
<summary>
Execute the rc application in the caller domain.
</summary>
@@ -115247,7 +114302,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_getpgid" lineno="847">
+<interface name="init_getpgid" lineno="863">
<summary>
Get the process group of init.
</summary>
@@ -115257,7 +114312,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_signal" lineno="865">
+<interface name="init_signal" lineno="881">
<summary>
Send init a generic signal.
</summary>
@@ -115267,7 +114322,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_signull" lineno="883">
+<interface name="init_signull" lineno="899">
<summary>
Send init a null signal.
</summary>
@@ -115277,7 +114332,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_sigchld" lineno="901">
+<interface name="init_sigchld" lineno="917">
<summary>
Send init a SIGCHLD signal.
</summary>
@@ -115287,7 +114342,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_stream_connect" lineno="919">
+<interface name="init_stream_connect" lineno="935">
<summary>
Connect to init with a unix socket.
</summary>
@@ -115297,7 +114352,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_unix_stream_socket_connectto" lineno="940">
+<interface name="init_unix_stream_socket_connectto" lineno="956">
<summary>
Connect to init with a unix socket.
Without any additional permissions.
@@ -115308,7 +114363,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_use_fds" lineno="998">
+<interface name="init_use_fds" lineno="1014">
<summary>
Inherit and use file descriptors from init.
</summary>
@@ -115358,7 +114413,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="1"/>
</interface>
-<interface name="init_dontaudit_use_fds" lineno="1017">
+<interface name="init_dontaudit_use_fds" lineno="1033">
<summary>
Do not audit attempts to inherit file
descriptors from init.
@@ -115369,7 +114424,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_dgram_send" lineno="1036">
+<interface name="init_dgram_send" lineno="1052">
<summary>
Send messages to init unix datagram sockets.
</summary>
@@ -115380,7 +114435,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_rw_inherited_stream_socket" lineno="1056">
+<interface name="init_rw_inherited_stream_socket" lineno="1072">
<summary>
Read and write to inherited init unix streams.
</summary>
@@ -115390,7 +114445,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_rw_stream_sockets" lineno="1075">
+<interface name="init_rw_stream_sockets" lineno="1091">
<summary>
Allow the specified domain to read/write to
init with unix domain stream sockets.
@@ -115401,7 +114456,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_start_system" lineno="1093">
+<interface name="init_start_system" lineno="1109">
<summary>
start service (systemd).
</summary>
@@ -115411,7 +114466,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_stop_system" lineno="1111">
+<interface name="init_stop_system" lineno="1127">
<summary>
stop service (systemd).
</summary>
@@ -115421,7 +114476,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_get_system_status" lineno="1129">
+<interface name="init_get_system_status" lineno="1145">
<summary>
Get all service status (systemd).
</summary>
@@ -115431,7 +114486,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_enable" lineno="1147">
+<interface name="init_enable" lineno="1163">
<summary>
Enable all systemd services (systemd).
</summary>
@@ -115441,7 +114496,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_disable" lineno="1165">
+<interface name="init_disable" lineno="1181">
<summary>
Disable all services (systemd).
</summary>
@@ -115451,7 +114506,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_reload" lineno="1183">
+<interface name="init_reload" lineno="1199">
<summary>
Reload all services (systemd).
</summary>
@@ -115461,7 +114516,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_reboot_system" lineno="1201">
+<interface name="init_reboot_system" lineno="1217">
<summary>
Reboot the system (systemd).
</summary>
@@ -115471,7 +114526,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_shutdown_system" lineno="1219">
+<interface name="init_shutdown_system" lineno="1235">
<summary>
Shutdown (halt) the system (systemd).
</summary>
@@ -115481,7 +114536,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_service_status" lineno="1237">
+<interface name="init_service_status" lineno="1253">
<summary>
Allow specified domain to get init status
</summary>
@@ -115491,7 +114546,7 @@ Domain to allow access.
</summary>
</param>
</interface>
-<interface name="init_service_start" lineno="1256">
+<interface name="init_service_start" lineno="1272">
<summary>
Allow specified domain to get init start
</summary>
@@ -115501,7 +114556,7 @@ Domain to allow access.
</summary>
</param>
</interface>
-<interface name="init_dbus_chat" lineno="1276">
+<interface name="init_dbus_chat" lineno="1292">
<summary>
Send and receive messages from
systemd over dbus.
@@ -115512,7 +114567,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_var_lib_links" lineno="1296">
+<interface name="init_read_var_lib_links" lineno="1312">
<summary>
read/follow symlinks under /var/lib/systemd/
</summary>
@@ -115522,7 +114577,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_list_var_lib_dirs" lineno="1315">
+<interface name="init_list_var_lib_dirs" lineno="1331">
<summary>
List /var/lib/systemd/ dir
</summary>
@@ -115532,7 +114587,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_relabel_var_lib_dirs" lineno="1333">
+<interface name="init_relabel_var_lib_dirs" lineno="1349">
<summary>
Relabel dirs in /var/lib/systemd/.
</summary>
@@ -115542,7 +114597,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_var_lib_files" lineno="1351">
+<interface name="init_manage_var_lib_files" lineno="1367">
<summary>
Manage files in /var/lib/systemd/.
</summary>
@@ -115552,7 +114607,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_var_lib_filetrans" lineno="1386">
+<interface name="init_var_lib_filetrans" lineno="1402">
<summary>
Create files in /var/lib/systemd
with an automatic type transition.
@@ -115578,7 +114633,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="init_search_pids" lineno="1405">
+<interface name="init_search_pids" lineno="1421">
<summary>
Allow search directory in the /run/systemd directory. (Deprecated)
</summary>
@@ -115588,7 +114643,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_list_pids" lineno="1420">
+<interface name="init_list_pids" lineno="1436">
<summary>
Allow listing of the /run/systemd directory. (Deprecated)
</summary>
@@ -115598,7 +114653,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_pid_symlinks" lineno="1435">
+<interface name="init_manage_pid_symlinks" lineno="1451">
<summary>
Create symbolic links in the /run/systemd directory. (Deprecated)
</summary>
@@ -115608,7 +114663,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_create_pid_files" lineno="1450">
+<interface name="init_create_pid_files" lineno="1466">
<summary>
Create files in the /run/systemd directory. (Deprecated)
</summary>
@@ -115618,7 +114673,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_write_pid_files" lineno="1465">
+<interface name="init_write_pid_files" lineno="1481">
<summary>
Write files in the /run/systemd directory. (Deprecated)
</summary>
@@ -115628,7 +114683,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_pid_dirs" lineno="1481">
+<interface name="init_manage_pid_dirs" lineno="1497">
<summary>
Create, read, write, and delete
directories in the /run/systemd directory. (Deprecated)
@@ -115639,7 +114694,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_pid_filetrans" lineno="1511">
+<interface name="init_pid_filetrans" lineno="1527">
<summary>
Create files in an init PID directory. (Deprecated)
</summary>
@@ -115664,7 +114719,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="init_search_runtime" lineno="1526">
+<interface name="init_search_runtime" lineno="1542">
<summary>
Search init runtime directories, e.g. /run/systemd.
</summary>
@@ -115674,7 +114729,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_list_runtime" lineno="1544">
+<interface name="init_list_runtime" lineno="1560">
<summary>
List init runtime directories, e.g. /run/systemd.
</summary>
@@ -115684,7 +114739,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_runtime_dirs" lineno="1564">
+<interface name="init_manage_runtime_dirs" lineno="1580">
<summary>
Create, read, write, and delete
directories in the /run/systemd directory.
@@ -115695,7 +114750,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_runtime_filetrans" lineno="1597">
+<interface name="init_runtime_filetrans" lineno="1613">
<summary>
Create files in an init runtime directory with a private type.
</summary>
@@ -115720,7 +114775,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="init_write_runtime_files" lineno="1616">
+<interface name="init_write_runtime_files" lineno="1632">
<summary>
Write init runtime files, e.g. in /run/systemd.
</summary>
@@ -115730,7 +114785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_create_runtime_files" lineno="1634">
+<interface name="init_create_runtime_files" lineno="1650">
<summary>
Create init runtime files, e.g. in /run/systemd.
</summary>
@@ -115740,7 +114795,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_runtime_symlinks" lineno="1652">
+<interface name="init_manage_runtime_symlinks" lineno="1668">
<summary>
Create init runtime symbolic links, e.g. in /run/systemd.
</summary>
@@ -115750,7 +114805,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_getattr_initctl" lineno="1670">
+<interface name="init_getattr_initctl" lineno="1686">
<summary>
Get the attributes of initctl.
</summary>
@@ -115760,7 +114815,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_getattr_initctl" lineno="1691">
+<interface name="init_dontaudit_getattr_initctl" lineno="1707">
<summary>
Do not audit attempts to get the
attributes of initctl.
@@ -115771,7 +114826,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_write_initctl" lineno="1709">
+<interface name="init_write_initctl" lineno="1725">
<summary>
Write to initctl.
</summary>
@@ -115781,7 +114836,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_telinit" lineno="1730">
+<interface name="init_telinit" lineno="1746">
<summary>
Use telinit (Read and write initctl).
</summary>
@@ -115792,7 +114847,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_rw_initctl" lineno="1763">
+<interface name="init_rw_initctl" lineno="1779">
<summary>
Read and write initctl.
</summary>
@@ -115802,7 +114857,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_rw_initctl" lineno="1784">
+<interface name="init_dontaudit_rw_initctl" lineno="1800">
<summary>
Do not audit attempts to read and
write initctl.
@@ -115813,7 +114868,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_script_file_entry_type" lineno="1803">
+<interface name="init_script_file_entry_type" lineno="1819">
<summary>
Make init scripts an entry point for
the specified domain.
@@ -115824,7 +114879,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_spec_domtrans_script" lineno="1826">
+<interface name="init_spec_domtrans_script" lineno="1842">
<summary>
Execute init scripts with a specified domain transition.
</summary>
@@ -115834,7 +114889,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_domtrans_script" lineno="1853">
+<interface name="init_domtrans_script" lineno="1869">
<summary>
Execute init scripts with an automatic domain transition.
</summary>
@@ -115844,7 +114899,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_domtrans_labeled_script" lineno="1888">
+<interface name="init_domtrans_labeled_script" lineno="1904">
<summary>
Execute labelled init scripts with an automatic domain transition.
</summary>
@@ -115854,7 +114909,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_script_file_domtrans" lineno="1934">
+<interface name="init_script_file_domtrans" lineno="1950">
<summary>
Execute a init script in a specified domain.
</summary>
@@ -115879,7 +114934,7 @@ Domain to transition to.
</summary>
</param>
</interface>
-<interface name="init_kill_scripts" lineno="1953">
+<interface name="init_kill_scripts" lineno="1969">
<summary>
Send a kill signal to init scripts.
</summary>
@@ -115889,7 +114944,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_script_service" lineno="1971">
+<interface name="init_manage_script_service" lineno="1987">
<summary>
Allow manage service for initrc_exec_t scripts
</summary>
@@ -115899,7 +114954,7 @@ Target domain
</summary>
</param>
</interface>
-<interface name="init_labeled_script_domtrans" lineno="1996">
+<interface name="init_labeled_script_domtrans" lineno="2012">
<summary>
Transition to the init script domain
on a specified labeled init script.
@@ -115915,7 +114970,7 @@ Labeled init script file.
</summary>
</param>
</interface>
-<interface name="init_all_labeled_script_domtrans" lineno="2018">
+<interface name="init_all_labeled_script_domtrans" lineno="2034">
<summary>
Transition to the init script domain
for all labeled init script types
@@ -115926,7 +114981,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="init_get_script_status" lineno="2036">
+<interface name="init_get_script_status" lineno="2052">
<summary>
Allow getting service status of initrc_exec_t scripts
</summary>
@@ -115936,7 +114991,7 @@ Target domain
</summary>
</param>
</interface>
-<interface name="init_startstop_service" lineno="2076">
+<interface name="init_startstop_service" lineno="2092">
<summary>
Allow the role to start and stop
labeled services.
@@ -115967,7 +115022,7 @@ Systemd unit file type.
</summary>
</param>
</interface>
-<interface name="init_run_daemon" lineno="2132">
+<interface name="init_run_daemon" lineno="2148">
<summary>
Start and stop daemon programs directly.
</summary>
@@ -115989,7 +115044,7 @@ The role to be performing this action.
</summary>
</param>
</interface>
-<interface name="init_startstop_all_script_services" lineno="2154">
+<interface name="init_startstop_all_script_services" lineno="2170">
<summary>
Start and stop init_script_file_type services
</summary>
@@ -115999,7 +115054,7 @@ domain that can start and stop the services
</summary>
</param>
</interface>
-<interface name="init_read_state" lineno="2173">
+<interface name="init_read_state" lineno="2189">
<summary>
Read the process state (/proc/pid) of init.
</summary>
@@ -116009,7 +115064,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_read_state" lineno="2193">
+<interface name="init_dontaudit_read_state" lineno="2209">
<summary>
Dontaudit read the process state (/proc/pid) of init.
</summary>
@@ -116019,7 +115074,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_ptrace" lineno="2214">
+<interface name="init_ptrace" lineno="2230">
<summary>
Ptrace init
</summary>
@@ -116030,7 +115085,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_getattr" lineno="2233">
+<interface name="init_getattr" lineno="2249">
<summary>
get init process stats
</summary>
@@ -116041,7 +115096,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="init_read_script_pipes" lineno="2251">
+<interface name="init_read_script_pipes" lineno="2267">
<summary>
Read an init script unnamed pipe.
</summary>
@@ -116051,7 +115106,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_write_script_pipes" lineno="2269">
+<interface name="init_write_script_pipes" lineno="2285">
<summary>
Write an init script unnamed pipe.
</summary>
@@ -116061,7 +115116,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_getattr_script_files" lineno="2287">
+<interface name="init_getattr_script_files" lineno="2303">
<summary>
Get the attribute of init script entrypoint files.
</summary>
@@ -116071,7 +115126,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_script_files" lineno="2306">
+<interface name="init_read_script_files" lineno="2322">
<summary>
Read init scripts.
</summary>
@@ -116081,7 +115136,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_exec_script_files" lineno="2325">
+<interface name="init_exec_script_files" lineno="2341">
<summary>
Execute init scripts in the caller domain.
</summary>
@@ -116091,7 +115146,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_getattr_all_script_files" lineno="2344">
+<interface name="init_getattr_all_script_files" lineno="2360">
<summary>
Get the attribute of all init script entrypoint files.
</summary>
@@ -116101,7 +115156,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_all_script_files" lineno="2363">
+<interface name="init_read_all_script_files" lineno="2379">
<summary>
Read all init script files.
</summary>
@@ -116111,7 +115166,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_read_all_script_files" lineno="2387">
+<interface name="init_dontaudit_read_all_script_files" lineno="2403">
<summary>
Dontaudit read all init script files.
</summary>
@@ -116121,7 +115176,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_exec_all_script_files" lineno="2405">
+<interface name="init_exec_all_script_files" lineno="2421">
<summary>
Execute all init scripts in the caller domain.
</summary>
@@ -116131,7 +115186,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_script_state" lineno="2424">
+<interface name="init_read_script_state" lineno="2440">
<summary>
Read the process state (/proc/pid) of the init scripts.
</summary>
@@ -116141,7 +115196,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_use_script_fds" lineno="2443">
+<interface name="init_use_script_fds" lineno="2459">
<summary>
Inherit and use init script file descriptors.
</summary>
@@ -116151,7 +115206,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_use_script_fds" lineno="2462">
+<interface name="init_dontaudit_use_script_fds" lineno="2478">
<summary>
Do not audit attempts to inherit
init script file descriptors.
@@ -116162,7 +115217,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_search_script_keys" lineno="2480">
+<interface name="init_search_script_keys" lineno="2496">
<summary>
Search init script keys.
</summary>
@@ -116172,7 +115227,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_getpgid_script" lineno="2498">
+<interface name="init_getpgid_script" lineno="2514">
<summary>
Get the process group ID of init scripts.
</summary>
@@ -116182,7 +115237,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_sigchld_script" lineno="2516">
+<interface name="init_sigchld_script" lineno="2532">
<summary>
Send SIGCHLD signals to init scripts.
</summary>
@@ -116192,7 +115247,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_signal_script" lineno="2534">
+<interface name="init_signal_script" lineno="2550">
<summary>
Send generic signals to init scripts.
</summary>
@@ -116202,7 +115257,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_signull_script" lineno="2552">
+<interface name="init_signull_script" lineno="2568">
<summary>
Send null signals to init scripts.
</summary>
@@ -116212,7 +115267,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_rw_script_pipes" lineno="2570">
+<interface name="init_rw_script_pipes" lineno="2586">
<summary>
Read and write init script unnamed pipes.
</summary>
@@ -116222,7 +115277,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_stream_connect_script" lineno="2589">
+<interface name="init_stream_connect_script" lineno="2605">
<summary>
Allow the specified domain to connect to
init scripts with a unix socket.
@@ -116233,7 +115288,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_rw_script_stream_sockets" lineno="2608">
+<interface name="init_rw_script_stream_sockets" lineno="2624">
<summary>
Allow the specified domain to read/write to
init scripts with a unix domain stream sockets.
@@ -116244,7 +115299,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_stream_connect_script" lineno="2627">
+<interface name="init_dontaudit_stream_connect_script" lineno="2643">
<summary>
Dont audit the specified domain connecting to
init scripts with a unix domain stream socket.
@@ -116255,7 +115310,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_dbus_send_script" lineno="2644">
+<interface name="init_dbus_send_script" lineno="2660">
<summary>
Send messages to init scripts over dbus.
</summary>
@@ -116265,7 +115320,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dbus_chat_script" lineno="2664">
+<interface name="init_dbus_chat_script" lineno="2680">
<summary>
Send and receive messages from
init scripts over dbus.
@@ -116276,7 +115331,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_use_script_ptys" lineno="2693">
+<interface name="init_use_script_ptys" lineno="2709">
<summary>
Read and write the init script pty.
</summary>
@@ -116295,7 +115350,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_use_inherited_script_ptys" lineno="2712">
+<interface name="init_use_inherited_script_ptys" lineno="2728">
<summary>
Read and write inherited init script ptys.
</summary>
@@ -116305,7 +115360,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_use_script_ptys" lineno="2734">
+<interface name="init_dontaudit_use_script_ptys" lineno="2750">
<summary>
Do not audit attempts to read and
write the init script pty.
@@ -116316,7 +115371,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_getattr_script_status_files" lineno="2753">
+<interface name="init_getattr_script_status_files" lineno="2769">
<summary>
Get the attributes of init script
status files.
@@ -116327,7 +115382,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_read_script_status_files" lineno="2772">
+<interface name="init_dontaudit_read_script_status_files" lineno="2788">
<summary>
Do not audit attempts to read init script
status files.
@@ -116338,7 +115393,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_search_run" lineno="2791">
+<interface name="init_search_run" lineno="2807">
<summary>
Search the /run/systemd directory.
</summary>
@@ -116348,7 +115403,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_script_tmp_files" lineno="2810">
+<interface name="init_read_script_tmp_files" lineno="2826">
<summary>
Read init script temporary data.
</summary>
@@ -116358,7 +115413,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_rw_inherited_script_tmp_files" lineno="2829">
+<interface name="init_rw_inherited_script_tmp_files" lineno="2845">
<summary>
Read and write init script inherited temporary data.
</summary>
@@ -116368,7 +115423,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_rw_script_tmp_files" lineno="2847">
+<interface name="init_rw_script_tmp_files" lineno="2863">
<summary>
Read and write init script temporary data.
</summary>
@@ -116378,7 +115433,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_script_tmp_filetrans" lineno="2882">
+<interface name="init_script_tmp_filetrans" lineno="2898">
<summary>
Create files in a init script
temporary data directory.
@@ -116404,7 +115459,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="init_getattr_utmp" lineno="2901">
+<interface name="init_getattr_utmp" lineno="2917">
<summary>
Get the attributes of init script process id files.
</summary>
@@ -116414,7 +115469,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_utmp" lineno="2919">
+<interface name="init_read_utmp" lineno="2935">
<summary>
Read utmp.
</summary>
@@ -116424,7 +115479,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_write_utmp" lineno="2938">
+<interface name="init_dontaudit_write_utmp" lineno="2954">
<summary>
Do not audit attempts to write utmp.
</summary>
@@ -116434,7 +115489,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_write_utmp" lineno="2956">
+<interface name="init_write_utmp" lineno="2972">
<summary>
Write to utmp.
</summary>
@@ -116444,7 +115499,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_lock_utmp" lineno="2976">
+<interface name="init_dontaudit_lock_utmp" lineno="2992">
<summary>
Do not audit attempts to lock
init script pid files.
@@ -116455,7 +115510,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_rw_utmp" lineno="2994">
+<interface name="init_rw_utmp" lineno="3010">
<summary>
Read and write utmp.
</summary>
@@ -116465,7 +115520,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_dontaudit_rw_utmp" lineno="3013">
+<interface name="init_dontaudit_rw_utmp" lineno="3029">
<summary>
Do not audit attempts to read and write utmp.
</summary>
@@ -116475,7 +115530,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_manage_utmp" lineno="3031">
+<interface name="init_manage_utmp" lineno="3047">
<summary>
Create, read, write, and delete utmp.
</summary>
@@ -116485,7 +115540,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_relabel_utmp" lineno="3050">
+<interface name="init_watch_utmp" lineno="3066">
+<summary>
+Add a watch on utmp.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_relabel_utmp" lineno="3084">
<summary>
Relabel utmp.
</summary>
@@ -116495,7 +115560,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_runtime_filetrans_utmp" lineno="3069">
+<interface name="init_runtime_filetrans_utmp" lineno="3103">
<summary>
Create files in /var/run with the
utmp file type.
@@ -116506,7 +115571,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_create_runtime_dirs" lineno="3087">
+<interface name="init_create_runtime_dirs" lineno="3121">
<summary>
Create a directory in the /run/systemd directory.
</summary>
@@ -116516,7 +115581,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_runtime_files" lineno="3106">
+<interface name="init_read_runtime_files" lineno="3140">
<summary>
Read init_runtime_t files
</summary>
@@ -116526,7 +115591,7 @@ domain
</summary>
</param>
</interface>
-<interface name="init_rename_runtime_files" lineno="3124">
+<interface name="init_rename_runtime_files" lineno="3158">
<summary>
Rename init_runtime_t files
</summary>
@@ -116536,7 +115601,7 @@ domain
</summary>
</param>
</interface>
-<interface name="init_setattr_runtime_files" lineno="3142">
+<interface name="init_setattr_runtime_files" lineno="3176">
<summary>
Setattr init_runtime_t files
</summary>
@@ -116546,7 +115611,7 @@ domain
</summary>
</param>
</interface>
-<interface name="init_delete_runtime_files" lineno="3160">
+<interface name="init_delete_runtime_files" lineno="3194">
<summary>
Delete init_runtime_t files
</summary>
@@ -116556,7 +115621,7 @@ domain
</summary>
</param>
</interface>
-<interface name="init_write_runtime_socket" lineno="3179">
+<interface name="init_write_runtime_socket" lineno="3213">
<summary>
Allow the specified domain to write to
init sock file.
@@ -116567,7 +115632,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_runtime_pipes" lineno="3197">
+<interface name="init_read_runtime_pipes" lineno="3231">
<summary>
Read init unnamed pipes.
</summary>
@@ -116577,7 +115642,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_runtime_symlinks" lineno="3215">
+<interface name="init_read_runtime_symlinks" lineno="3249">
<summary>
read systemd unit symlinks (usually under /run/systemd/units/)
</summary>
@@ -116587,7 +115652,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_tcp_recvfrom_all_daemons" lineno="3233">
+<interface name="init_tcp_recvfrom_all_daemons" lineno="3267">
<summary>
Allow the specified domain to connect to daemon with a tcp socket
</summary>
@@ -116597,7 +115662,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_udp_recvfrom_all_daemons" lineno="3251">
+<interface name="init_udp_recvfrom_all_daemons" lineno="3285">
<summary>
Allow the specified domain to connect to daemon with a udp socket
</summary>
@@ -116607,7 +115672,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_script_status_files" lineno="3270">
+<interface name="init_read_script_status_files" lineno="3304">
<summary>
Allow reading the init script state files
</summary>
@@ -116617,7 +115682,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="init_relabelto_script_state" lineno="3288">
+<interface name="init_relabelto_script_state" lineno="3322">
<summary>
Label to init script status files
</summary>
@@ -116627,7 +115692,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="init_script_readable_type" lineno="3307">
+<interface name="init_script_readable_type" lineno="3341">
<summary>
Mark as a readable type for the initrc_t domain
</summary>
@@ -116637,7 +115702,7 @@ Type that initrc_t needs read access to
</summary>
</param>
</interface>
-<interface name="init_search_units" lineno="3325">
+<interface name="init_search_units" lineno="3359">
<summary>
Search systemd unit dirs.
</summary>
@@ -116647,7 +115712,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_list_unit_dirs" lineno="3350">
+<interface name="init_list_unit_dirs" lineno="3384">
<summary>
List systemd unit dirs.
</summary>
@@ -116657,7 +115722,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_read_generic_units_symlinks" lineno="3370">
+<interface name="init_read_generic_units_files" lineno="3404">
+<summary>
+Read systemd unit files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="init_read_generic_units_symlinks" lineno="3422">
<summary>
Read systemd unit links
</summary>
@@ -116667,7 +115742,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_get_generic_units_status" lineno="3388">
+<interface name="init_get_generic_units_status" lineno="3440">
<summary>
Get status of generic systemd units.
</summary>
@@ -116677,7 +115752,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_start_generic_units" lineno="3407">
+<interface name="init_start_generic_units" lineno="3459">
<summary>
Start generic systemd units.
</summary>
@@ -116687,7 +115762,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_stop_generic_units" lineno="3426">
+<interface name="init_stop_generic_units" lineno="3478">
<summary>
Stop generic systemd units.
</summary>
@@ -116697,7 +115772,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_reload_generic_units" lineno="3445">
+<interface name="init_reload_generic_units" lineno="3497">
<summary>
Reload generic systemd units.
</summary>
@@ -116707,7 +115782,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_get_all_units_status" lineno="3464">
+<interface name="init_get_all_units_status" lineno="3516">
<summary>
Get status of all systemd units.
</summary>
@@ -116717,7 +115792,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_all_units" lineno="3483">
+<interface name="init_manage_all_units" lineno="3535">
<summary>
All perms on all systemd units.
</summary>
@@ -116727,7 +115802,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_start_all_units" lineno="3503">
+<interface name="init_start_all_units" lineno="3555">
<summary>
Start all systemd units.
</summary>
@@ -116737,7 +115812,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_stop_all_units" lineno="3522">
+<interface name="init_stop_all_units" lineno="3574">
<summary>
Stop all systemd units.
</summary>
@@ -116747,7 +115822,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="init_reload_all_units" lineno="3541">
+<interface name="init_reload_all_units" lineno="3593">
<summary>
Reload all systemd units.
</summary>
@@ -116757,7 +115832,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_manage_all_unit_files" lineno="3560">
+<interface name="init_manage_all_unit_files" lineno="3612">
<summary>
Manage systemd unit dirs and the files in them
</summary>
@@ -116767,7 +115842,18 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="init_admin" lineno="3580">
+<interface name="init_linkable_keyring" lineno="3633">
+<summary>
+Associate the specified domain to be a domain whose
+keyring init should be allowed to link.
+</summary>
+<param name="domain">
+<summary>
+Domain whose keyring init should be allowed to link.
+</summary>
+</param>
+</interface>
+<interface name="init_admin" lineno="3651">
<summary>
Allow unconfined access to send instructions to init
</summary>
@@ -116777,7 +115863,7 @@ Target domain
</summary>
</param>
</interface>
-<interface name="init_getrlimit" lineno="3612">
+<interface name="init_getrlimit" lineno="3683">
<summary>
Allow getting init_t rlimit
</summary>
@@ -117775,7 +116861,18 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_domtrans_auditctl" lineno="159">
+<interface name="logging_watch_audit_log" lineno="160">
+<summary>
+Watch the audit log.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_domtrans_auditctl" lineno="178">
<summary>
Execute auditctl in the auditctl domain.
</summary>
@@ -117785,7 +116882,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="logging_run_auditctl" lineno="184">
+<interface name="logging_run_auditctl" lineno="203">
<summary>
Execute auditctl in the auditctl domain, and
allow the specified role the auditctl domain.
@@ -117802,7 +116899,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_domtrans_auditd" lineno="203">
+<interface name="logging_domtrans_auditd" lineno="222">
<summary>
Execute auditd in the auditd domain.
</summary>
@@ -117812,7 +116909,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="logging_run_auditd" lineno="227">
+<interface name="logging_run_auditd" lineno="246">
<summary>
Execute auditd in the auditd domain, and
allow the specified role the auditd domain.
@@ -117828,7 +116925,7 @@ Role allowed access.
</summary>
</param>
</interface>
-<interface name="logging_domtrans_dispatcher" lineno="246">
+<interface name="logging_domtrans_dispatcher" lineno="265">
<summary>
Execute a domain transition to run the audit dispatcher.
</summary>
@@ -117838,7 +116935,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="logging_signal_dispatcher" lineno="264">
+<interface name="logging_signal_dispatcher" lineno="283">
<summary>
Signal the audit dispatcher.
</summary>
@@ -117848,7 +116945,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_dispatcher_domain" lineno="288">
+<interface name="logging_dispatcher_domain" lineno="307">
<summary>
Create a domain for processes
which can be started by the system audit dispatcher
@@ -117864,7 +116961,7 @@ Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
-<interface name="logging_stream_connect_dispatcher" lineno="316">
+<interface name="logging_stream_connect_dispatcher" lineno="335">
<summary>
Connect to the audit dispatcher over an unix stream socket.
</summary>
@@ -117874,7 +116971,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_manage_audit_config" lineno="336">
+<interface name="logging_manage_audit_config" lineno="355">
<summary>
Manage the auditd configuration files.
</summary>
@@ -117885,7 +116982,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_manage_audit_log" lineno="358">
+<interface name="logging_manage_audit_log" lineno="377">
<summary>
Manage the audit log.
</summary>
@@ -117896,7 +116993,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_domtrans_klog" lineno="380">
+<interface name="logging_domtrans_klog" lineno="399">
<summary>
Execute klogd in the klog domain.
</summary>
@@ -117906,7 +117003,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="logging_check_exec_syslog" lineno="399">
+<interface name="logging_check_exec_syslog" lineno="418">
<summary>
Check if syslogd is executable.
</summary>
@@ -117916,7 +117013,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_domtrans_syslog" lineno="418">
+<interface name="logging_domtrans_syslog" lineno="437">
<summary>
Execute syslogd in the syslog domain.
</summary>
@@ -117926,7 +117023,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="logging_startstop_syslog" lineno="440">
+<interface name="logging_startstop_syslog" lineno="459">
<summary>
Allow specified domain to start/stop syslog units
</summary>
@@ -117936,7 +117033,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_status_syslog" lineno="459">
+<interface name="logging_status_syslog" lineno="478">
<summary>
Allow specified domain to check status of syslog unit
</summary>
@@ -117946,7 +117043,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_setattr_syslogd_tmp_files" lineno="479">
+<interface name="logging_setattr_syslogd_tmp_files" lineno="498">
<summary>
Set the attributes of syslog temporary files.
</summary>
@@ -117957,7 +117054,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_audit_socket_activation" lineno="498">
+<interface name="logging_audit_socket_activation" lineno="517">
<summary>
Allow the domain to create the audit socket
for syslogd.
@@ -117968,7 +117065,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_relabel_syslogd_tmp_files" lineno="517">
+<interface name="logging_relabel_syslogd_tmp_files" lineno="536">
<summary>
Relabel to and from syslog temporary file type.
</summary>
@@ -117979,7 +117076,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_setattr_syslogd_tmp_dirs" lineno="536">
+<interface name="logging_setattr_syslogd_tmp_dirs" lineno="555">
<summary>
Set the attributes of syslog temporary directories.
</summary>
@@ -117990,7 +117087,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_relabel_syslogd_tmp_dirs" lineno="555">
+<interface name="logging_relabel_syslogd_tmp_dirs" lineno="574">
<summary>
Relabel to and from syslog temporary directory type.
</summary>
@@ -118001,7 +117098,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_log_filetrans" lineno="616">
+<interface name="logging_log_filetrans" lineno="635">
<summary>
Create an object in the log directory, with a private type.
</summary>
@@ -118054,7 +117151,7 @@ The name of the object being created.
</param>
<infoflow type="write" weight="10"/>
</interface>
-<interface name="logging_send_syslog_msg" lineno="658">
+<interface name="logging_send_syslog_msg" lineno="677">
<summary>
Send system log messages.
</summary>
@@ -118086,7 +117183,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_use_syslogd_fd" lineno="701">
+<interface name="logging_use_syslogd_fd" lineno="719">
<summary>
Allow domain to use a file descriptor
from syslogd.
@@ -118097,7 +117194,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_relabelto_devlog_sock_files" lineno="720">
+<interface name="logging_relabelto_devlog_sock_files" lineno="738">
<summary>
Allow domain to relabelto devlog sock_files
</summary>
@@ -118108,7 +117205,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_create_devlog" lineno="738">
+<interface name="logging_create_devlog" lineno="756">
<summary>
Connect to the syslog control unix stream socket.
</summary>
@@ -118118,7 +117215,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_read_audit_config" lineno="759">
+<interface name="logging_read_audit_config" lineno="777">
<summary>
Read the auditd configuration files.
</summary>
@@ -118129,7 +117226,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_dontaudit_search_audit_config" lineno="782">
+<interface name="logging_dontaudit_search_audit_config" lineno="800">
<summary>
dontaudit search of auditd configuration files.
</summary>
@@ -118140,7 +117237,7 @@ Domain to not audit.
</param>
<rolecap/>
</interface>
-<interface name="logging_read_syslog_config" lineno="801">
+<interface name="logging_read_syslog_config" lineno="819">
<summary>
Read syslog configuration files.
</summary>
@@ -118151,7 +117248,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_watch_runtime_dirs" lineno="819">
+<interface name="logging_watch_runtime_dirs" lineno="837">
<summary>
Watch syslog runtime dirs.
</summary>
@@ -118161,7 +117258,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_delete_devlog_socket" lineno="838">
+<interface name="logging_delete_devlog_socket" lineno="856">
<summary>
Delete the syslog socket files
</summary>
@@ -118172,7 +117269,7 @@ Domain allowed access
</param>
<rolecap/>
</interface>
-<interface name="logging_manage_pid_sockets" lineno="856">
+<interface name="logging_manage_pid_sockets" lineno="874">
<summary>
Create, read, write, and delete syslog PID sockets. (Deprecated)
</summary>
@@ -118182,7 +117279,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_manage_runtime_sockets" lineno="871">
+<interface name="logging_manage_runtime_sockets" lineno="889">
<summary>
Create, read, write, and delete syslog PID sockets.
</summary>
@@ -118192,7 +117289,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_search_logs" lineno="892">
+<interface name="logging_search_logs" lineno="910">
<summary>
Allows the domain to open a file in the
log directory, but does not allow the listing
@@ -118204,7 +117301,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_dontaudit_search_logs" lineno="912">
+<interface name="logging_dontaudit_search_logs" lineno="930">
<summary>
Do not audit attempts to search the var log directory.
</summary>
@@ -118214,7 +117311,7 @@ Domain not to audit.
</summary>
</param>
</interface>
-<interface name="logging_list_logs" lineno="930">
+<interface name="logging_list_logs" lineno="948">
<summary>
List the contents of the generic log directory (/var/log).
</summary>
@@ -118224,7 +117321,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_rw_generic_log_dirs" lineno="950">
+<interface name="logging_rw_generic_log_dirs" lineno="968">
<summary>
Read and write the generic log directory (/var/log).
</summary>
@@ -118234,7 +117331,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_search_all_logs" lineno="971">
+<interface name="logging_search_all_logs" lineno="989">
<summary>
Search through all log dirs.
</summary>
@@ -118245,7 +117342,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_setattr_all_log_dirs" lineno="990">
+<interface name="logging_setattr_all_log_dirs" lineno="1008">
<summary>
Set attributes on all log dirs.
</summary>
@@ -118256,7 +117353,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_dontaudit_getattr_all_logs" lineno="1009">
+<interface name="logging_dontaudit_getattr_all_logs" lineno="1027">
<summary>
Do not audit attempts to get the attributes
of any log files.
@@ -118267,7 +117364,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="logging_getattr_all_logs" lineno="1027">
+<interface name="logging_getattr_all_logs" lineno="1045">
<summary>
Read the attributes of any log file
</summary>
@@ -118277,7 +117374,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="logging_append_all_logs" lineno="1045">
+<interface name="logging_append_all_logs" lineno="1063">
<summary>
Append to all log files.
</summary>
@@ -118287,7 +117384,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_append_all_inherited_logs" lineno="1066">
+<interface name="logging_append_all_inherited_logs" lineno="1084">
<summary>
Append to all log files.
</summary>
@@ -118297,7 +117394,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_read_all_logs" lineno="1085">
+<interface name="logging_read_all_logs" lineno="1103">
<summary>
Read all log files.
</summary>
@@ -118308,7 +117405,18 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_exec_all_logs" lineno="1107">
+<interface name="logging_watch_all_logs" lineno="1124">
+<summary>
+Watch all log files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<rolecap/>
+</interface>
+<interface name="logging_exec_all_logs" lineno="1144">
<summary>
Execute all log files in the caller domain.
</summary>
@@ -118318,7 +117426,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_rw_all_logs" lineno="1127">
+<interface name="logging_rw_all_logs" lineno="1164">
<summary>
read/write to all log files.
</summary>
@@ -118328,7 +117436,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_manage_all_logs" lineno="1147">
+<interface name="logging_manage_all_logs" lineno="1184">
<summary>
Create, read, write, and delete all log files.
</summary>
@@ -118339,7 +117447,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_manage_generic_log_dirs" lineno="1168">
+<interface name="logging_manage_generic_log_dirs" lineno="1205">
<summary>
Create, read, write, and delete generic log directories.
</summary>
@@ -118350,7 +117458,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_relabel_generic_log_dirs" lineno="1188">
+<interface name="logging_relabel_generic_log_dirs" lineno="1225">
<summary>
Relabel from and to generic log directory type.
</summary>
@@ -118361,7 +117469,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_read_generic_logs" lineno="1208">
+<interface name="logging_read_generic_logs" lineno="1245">
<summary>
Read generic log files.
</summary>
@@ -118372,7 +117480,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_mmap_generic_logs" lineno="1229">
+<interface name="logging_mmap_generic_logs" lineno="1266">
<summary>
Map generic log files.
</summary>
@@ -118383,7 +117491,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_write_generic_logs" lineno="1247">
+<interface name="logging_write_generic_logs" lineno="1284">
<summary>
Write generic log files.
</summary>
@@ -118393,7 +117501,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_dontaudit_write_generic_logs" lineno="1268">
+<interface name="logging_dontaudit_write_generic_logs" lineno="1305">
<summary>
Dontaudit Write generic log files.
</summary>
@@ -118403,7 +117511,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="logging_rw_generic_logs" lineno="1286">
+<interface name="logging_rw_generic_logs" lineno="1323">
<summary>
Read and write generic log files.
</summary>
@@ -118413,7 +117521,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_manage_generic_logs" lineno="1309">
+<interface name="logging_manage_generic_logs" lineno="1346">
<summary>
Create, read, write, and delete
generic log files.
@@ -118425,7 +117533,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_watch_generic_logs_dir" lineno="1328">
+<interface name="logging_watch_generic_logs_dir" lineno="1365">
<summary>
Watch generic log dirs.
</summary>
@@ -118435,7 +117543,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logging_admin_audit" lineno="1353">
+<interface name="logging_admin_audit" lineno="1390">
<summary>
All of the rules required to administrate
the audit environment
@@ -118452,7 +117560,7 @@ User role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_admin_syslog" lineno="1397">
+<interface name="logging_admin_syslog" lineno="1434">
<summary>
All of the rules required to administrate
the syslog environment
@@ -118469,7 +117577,7 @@ User role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_admin" lineno="1453">
+<interface name="logging_admin" lineno="1490">
<summary>
All of the rules required to administrate
the logging environment
@@ -118486,7 +117594,7 @@ User role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="logging_syslog_managed_log_file" lineno="1476">
+<interface name="logging_syslog_managed_log_file" lineno="1513">
<summary>
Mark the type as a syslog managed log file
and introduce the proper file transition when
@@ -118504,7 +117612,7 @@ Name to use for the file
</summary>
</param>
</interface>
-<interface name="logging_syslog_managed_log_dir" lineno="1515">
+<interface name="logging_syslog_managed_log_dir" lineno="1552">
<summary>
Mark the type as a syslog managed log dir
and introduce the proper file transition when
@@ -118531,7 +117639,7 @@ Name to use for the directory
</summary>
</param>
</interface>
-<interface name="logging_mmap_journal" lineno="1537">
+<interface name="logging_mmap_journal" lineno="1574">
<summary>
Map files in /run/log/journal/ directory.
</summary>
@@ -118654,17 +117762,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="lvm_domtrans_clvmd" lineno="199">
-<summary>
-Execute a domain transition to run clvmd.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="lvm_admin" lineno="224">
+<interface name="lvm_admin" lineno="205">
<summary>
All of the rules required to
administrate an lvm environment.
@@ -119506,7 +118604,27 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mount_getattr_runtime_files" lineno="235">
+<interface name="mount_watch_runtime_files" lineno="235">
+<summary>
+Watch mount runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_watch_reads_runtime_files" lineno="253">
+<summary>
+Watch reads on mount runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_getattr_runtime_files" lineno="271">
<summary>
Getattr on mount_runtime_t files
</summary>
@@ -119516,7 +118634,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mount_rw_runtime_files" lineno="253">
+<interface name="mount_read_runtime_files" lineno="289">
+<summary>
+Read mount runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="mount_rw_runtime_files" lineno="307">
<summary>
Read and write mount runtime files.
</summary>
@@ -119526,7 +118654,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mount_rw_pipes" lineno="273">
+<interface name="mount_rw_pipes" lineno="327">
<summary>
Read and write mount unnamed pipes
</summary>
@@ -120678,7 +119806,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_read_dhcpc_pid" lineno="556">
+<interface name="sysnet_read_dhcpc_pid" lineno="560">
<summary>
Read the dhcp client pid file. (Deprecated)
</summary>
@@ -120688,7 +119816,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_delete_dhcpc_pid" lineno="571">
+<interface name="sysnet_delete_dhcpc_pid" lineno="575">
<summary>
Delete the dhcp client pid file. (Deprecated)
</summary>
@@ -120698,7 +119826,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_read_dhcpc_runtime_files" lineno="586">
+<interface name="sysnet_read_dhcpc_runtime_files" lineno="590">
<summary>
Read dhcp client runtime files.
</summary>
@@ -120708,7 +119836,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_delete_dhcpc_runtime_files" lineno="605">
+<interface name="sysnet_delete_dhcpc_runtime_files" lineno="609">
<summary>
Delete the dhcp client runtime files.
</summary>
@@ -120718,7 +119846,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_domtrans_ifconfig" lineno="623">
+<interface name="sysnet_domtrans_ifconfig" lineno="627">
<summary>
Execute ifconfig in the ifconfig domain.
</summary>
@@ -120728,7 +119856,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="sysnet_run_ifconfig" lineno="650">
+<interface name="sysnet_run_ifconfig" lineno="654">
<summary>
Execute ifconfig in the ifconfig domain, and
allow the specified role the ifconfig domain,
@@ -120746,7 +119874,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="sysnet_exec_ifconfig" lineno="670">
+<interface name="sysnet_exec_ifconfig" lineno="674">
<summary>
Execute ifconfig in the caller domain.
</summary>
@@ -120756,7 +119884,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_signal_ifconfig" lineno="690">
+<interface name="sysnet_signal_ifconfig" lineno="694">
<summary>
Send a generic signal to ifconfig.
</summary>
@@ -120767,7 +119895,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="sysnet_signull_ifconfig" lineno="709">
+<interface name="sysnet_signull_ifconfig" lineno="713">
<summary>
Send null signals to ifconfig.
</summary>
@@ -120778,7 +119906,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="sysnet_read_dhcp_config" lineno="727">
+<interface name="sysnet_read_dhcp_config" lineno="731">
<summary>
Read the DHCP configuration files.
</summary>
@@ -120788,7 +119916,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_search_dhcp_state" lineno="747">
+<interface name="sysnet_search_dhcp_state" lineno="751">
<summary>
Search the DHCP state data directory.
</summary>
@@ -120798,7 +119926,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_dhcp_state_filetrans" lineno="791">
+<interface name="sysnet_dhcp_state_filetrans" lineno="795">
<summary>
Create DHCP state data.
</summary>
@@ -120833,7 +119961,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="sysnet_dns_name_resolve" lineno="811">
+<interface name="sysnet_dns_name_resolve" lineno="815">
<summary>
Perform a DNS name resolution.
</summary>
@@ -120844,7 +119972,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="sysnet_use_ldap" lineno="861">
+<interface name="sysnet_use_ldap" lineno="865">
<summary>
Connect and use a LDAP server.
</summary>
@@ -120854,7 +119982,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_use_portmap" lineno="888">
+<interface name="sysnet_use_portmap" lineno="892">
<summary>
Connect and use remote port mappers.
</summary>
@@ -120864,7 +119992,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="sysnet_dhcpc_script_entry" lineno="922">
+<interface name="sysnet_dhcpc_script_entry" lineno="926">
<summary>
Make the specified program domain
accessable from the DHCP hooks/scripts.
@@ -120916,7 +120044,252 @@ The type for the user pty
</summary>
</param>
</template>
-<interface name="systemd_log_parse_environment" lineno="96">
+<template name="systemd_user_daemon_domain" lineno="194">
+<summary>
+Allow the specified domain to be started as a daemon by the
+specified systemd user instance.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the user domain.
+</summary>
+</param>
+<param name="entry_point">
+<summary>
+Entry point file type for the domain.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain to allow the systemd user domain to run.
+</summary>
+</param>
+</template>
+<interface name="systemd_user_activated_sock_file" lineno="215">
+<summary>
+Associate the specified file type to be a type whose sock files
+can be managed by systemd user instances for socket activation.
+</summary>
+<param name="file_type">
+<summary>
+File type to be associated.
+</summary>
+</param>
+</interface>
+<interface name="systemd_user_unix_stream_activated_socket" lineno="240">
+<summary>
+Associate the specified domain to be a domain whose unix stream
+sockets and sock files can be managed by systemd user instances
+for socket activation.
+</summary>
+<param name="domain">
+<summary>
+Domain to be associated.
+</summary>
+</param>
+<param name="sock_file_type">
+<summary>
+File type of the domain's sock files to be associated.
+</summary>
+</param>
+</interface>
+<template name="systemd_user_app_status" lineno="265">
+<summary>
+Allow the target domain to be monitored and have its output
+captured by the specified systemd user instance domain.
+</summary>
+<param name="prefix">
+<summary>
+Prefix for the user domain.
+</summary>
+</param>
+<param name="domain">
+<summary>
+Domain to allow the systemd user instance to monitor.
+</summary>
+</param>
+</template>
+<interface name="systemd_search_conf_home_content" lineno="300">
+<summary>
+Allow the specified domain to search systemd config home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_manage_conf_home_content" lineno="319">
+<summary>
+Allow the specified domain to manage systemd config home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_relabel_conf_home_content" lineno="340">
+<summary>
+Allow the specified domain to relabel systemd config home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_search_data_home_content" lineno="361">
+<summary>
+Allow the specified domain to search systemd data home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_manage_data_home_content" lineno="380">
+<summary>
+Allow the specified domain to manage systemd data home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_relabel_data_home_content" lineno="401">
+<summary>
+Allow the specified domain to relabel systemd data home
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_search_user_runtime" lineno="422">
+<summary>
+Allow the specified domain to search systemd user runtime
+content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_user_runtime_files" lineno="440">
+<summary>
+Allow the specified domain to read systemd user runtime files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_user_runtime_lnk_files" lineno="458">
+<summary>
+Allow the specified domain to read systemd user runtime lnk files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_user_unit_files" lineno="477">
+<summary>
+Allow the specified domain to read system-wide systemd
+user unit files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_user_runtime_units" lineno="497">
+<summary>
+Allow the specified domain to read systemd user runtime unit files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_search_user_runtime_unit_dirs" lineno="517">
+<summary>
+Allow the specified domain to search systemd user runtime unit
+directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_list_user_runtime_unit_dirs" lineno="536">
+<summary>
+Allow the specified domain to list the contents of systemd
+user runtime unit directories.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_status_user_runtime_units" lineno="554">
+<summary>
+Allow the specified domain to get the status of systemd user runtime units.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_start_user_runtime_units" lineno="573">
+<summary>
+Allow the specified domain to start systemd user runtime units.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_stop_user_runtime_units" lineno="592">
+<summary>
+Allow the specified domain to stop systemd user runtime units.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_reload_user_runtime_units" lineno="611">
+<summary>
+Allow the specified domain to reload systemd user runtime units.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_log_parse_environment" lineno="631">
<summary>
Make the specified type usable as an
log parse environment type.
@@ -120927,7 +120300,7 @@ Type to be used as a log parse environment type.
</summary>
</param>
</interface>
-<interface name="systemd_use_nss" lineno="116">
+<interface name="systemd_use_nss" lineno="651">
<summary>
Allow domain to use systemd's Name Service Switch (NSS) module.
This module provides UNIX user and group name resolution for dynamic users
@@ -120939,7 +120312,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_PrivateDevices" lineno="143">
+<interface name="systemd_PrivateDevices" lineno="678">
<summary>
Allow domain to be used as a systemd service with a unit
that uses PrivateDevices=yes in section [Service].
@@ -120950,7 +120323,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_read_hwdb" lineno="160">
+<interface name="systemd_read_hwdb" lineno="695">
<summary>
Allow domain to read udev hwdb file
</summary>
@@ -120960,7 +120333,7 @@ domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_map_hwdb" lineno="178">
+<interface name="systemd_map_hwdb" lineno="713">
<summary>
Allow domain to map udev hwdb file
</summary>
@@ -120970,7 +120343,7 @@ domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_read_logind_pids" lineno="196">
+<interface name="systemd_read_logind_pids" lineno="731">
<summary>
Read systemd_login PID files. (Deprecated)
</summary>
@@ -120980,7 +120353,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_logind_pid_pipes" lineno="211">
+<interface name="systemd_manage_logind_pid_pipes" lineno="746">
<summary>
Manage systemd_login PID pipes. (Deprecated)
</summary>
@@ -120990,7 +120363,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_write_logind_pid_pipes" lineno="226">
+<interface name="systemd_write_logind_pid_pipes" lineno="761">
<summary>
Write systemd_login named pipe. (Deprecated)
</summary>
@@ -121000,7 +120373,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_logind_runtime_files" lineno="241">
+<interface name="systemd_watch_logind_runtime_dirs" lineno="776">
+<summary>
+Watch systemd-logind runtime dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_logind_runtime_files" lineno="795">
<summary>
Read systemd-logind runtime files.
</summary>
@@ -121010,7 +120393,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_logind_runtime_pipes" lineno="261">
+<interface name="systemd_manage_logind_runtime_pipes" lineno="815">
<summary>
Manage systemd-logind runtime pipes.
</summary>
@@ -121020,7 +120403,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_write_logind_runtime_pipes" lineno="280">
+<interface name="systemd_write_logind_runtime_pipes" lineno="834">
<summary>
Write systemd-logind runtime named pipe.
</summary>
@@ -121030,7 +120413,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_use_logind_fds" lineno="301">
+<interface name="systemd_use_logind_fds" lineno="855">
<summary>
Use inherited systemd
logind file descriptors.
@@ -121041,7 +120424,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_logind_sessions_files" lineno="319">
+<interface name="systemd_watch_logind_sessions_dirs" lineno="873">
+<summary>
+Watch logind sessions dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_logind_sessions_files" lineno="892">
<summary>
Read logind sessions files.
</summary>
@@ -121051,7 +120444,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="340">
+<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="913">
<summary>
Write inherited logind sessions pipes.
</summary>
@@ -121061,7 +120454,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="360">
+<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="933">
<summary>
Write inherited logind inhibit pipes.
</summary>
@@ -121071,7 +120464,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_dbus_chat_logind" lineno="381">
+<interface name="systemd_dbus_chat_logind" lineno="954">
<summary>
Send and receive messages from
systemd logind over dbus.
@@ -121082,7 +120475,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_status_logind" lineno="401">
+<interface name="systemd_status_logind" lineno="974">
<summary>
Get the system status information from systemd_login
</summary>
@@ -121092,7 +120485,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_signull_logind" lineno="420">
+<interface name="systemd_signull_logind" lineno="993">
<summary>
Send systemd_login a null signal.
</summary>
@@ -121102,7 +120495,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_userdb_runtime_dirs" lineno="438">
+<interface name="systemd_manage_userdb_runtime_dirs" lineno="1011">
<summary>
Manage systemd userdb runtime directories.
</summary>
@@ -121112,7 +120505,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_userdb_runtime_sock_files" lineno="456">
+<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1029">
<summary>
Manage socket files under /run/systemd/userdb .
</summary>
@@ -121122,7 +120515,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_stream_connect_userdb" lineno="474">
+<interface name="systemd_stream_connect_userdb" lineno="1047">
<summary>
Connect to /run/systemd/userdb/io.systemd.DynamicUser .
</summary>
@@ -121132,7 +120525,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_machines" lineno="495">
+<interface name="systemd_read_machines" lineno="1068">
<summary>
Allow reading /run/systemd/machines
</summary>
@@ -121142,7 +120535,7 @@ Domain that can access the machines files
</summary>
</param>
</interface>
-<interface name="systemd_connect_machined" lineno="514">
+<interface name="systemd_connect_machined" lineno="1087">
<summary>
Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
</summary>
@@ -121152,7 +120545,7 @@ Domain that can access the socket
</summary>
</param>
</interface>
-<interface name="systemd_dbus_chat_hostnamed" lineno="533">
+<interface name="systemd_dbus_chat_hostnamed" lineno="1106">
<summary>
Send and receive messages from
systemd hostnamed over dbus.
@@ -121163,7 +120556,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_use_passwd_agent_fds" lineno="553">
+<interface name="systemd_use_passwd_agent_fds" lineno="1126">
<summary>
allow systemd_passwd_agent to inherit fds
</summary>
@@ -121173,7 +120566,7 @@ Domain that owns the fds
</summary>
</param>
</interface>
-<interface name="systemd_run_passwd_agent" lineno="576">
+<interface name="systemd_run_passwd_agent" lineno="1149">
<summary>
allow systemd_passwd_agent to be run by admin
</summary>
@@ -121188,7 +120581,7 @@ role that it runs in
</summary>
</param>
</interface>
-<interface name="systemd_use_passwd_agent" lineno="597">
+<interface name="systemd_use_passwd_agent" lineno="1170">
<summary>
Allow a systemd_passwd_agent_t process to interact with a daemon
that needs a password from the sysadmin.
@@ -121199,7 +120592,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="621">
+<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1194">
<summary>
Transition to systemd_passwd_runtime_t when creating dirs
</summary>
@@ -121209,7 +120602,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="642">
+<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1215">
<summary>
Transition to systemd_userdb_runtime_t when
creating the userdb directory inside an init runtime
@@ -121221,7 +120614,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_passwd_runtime_symlinks" lineno="660">
+<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1233">
<summary>
Allow to domain to create systemd-passwd symlink
</summary>
@@ -121231,7 +120624,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_all_units" lineno="678">
+<interface name="systemd_watch_passwd_runtime_dirs" lineno="1251">
+<summary>
+Allow a domain to watch systemd-passwd runtime dirs.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_manage_all_units" lineno="1269">
<summary>
manage systemd unit dirs and the files in them (Deprecated)
</summary>
@@ -121241,7 +120644,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_journal_files" lineno="693">
+<interface name="systemd_list_journal_dirs" lineno="1284">
+<summary>
+Allow domain to list the contents of systemd_journal_t dirs
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_read_journal_files" lineno="1302">
<summary>
Allow domain to read systemd_journal_t files
</summary>
@@ -121251,7 +120664,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_journal_files" lineno="712">
+<interface name="systemd_manage_journal_files" lineno="1321">
<summary>
Allow domain to create/manage systemd_journal_t files
</summary>
@@ -121261,7 +120674,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_relabelto_journal_dirs" lineno="732">
+<interface name="systemd_watch_journal_dirs" lineno="1341">
+<summary>
+Allow domain to add a watch on systemd_journal_t directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_relabelto_journal_dirs" lineno="1359">
<summary>
Relabel to systemd-journald directory type.
</summary>
@@ -121271,7 +120694,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_relabelto_journal_files" lineno="751">
+<interface name="systemd_relabelto_journal_files" lineno="1378">
<summary>
Relabel to systemd-journald file type.
</summary>
@@ -121281,7 +120704,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_networkd_units" lineno="771">
+<interface name="systemd_read_networkd_units" lineno="1398">
<summary>
Allow domain to read systemd_networkd_t unit files
</summary>
@@ -121291,7 +120714,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_manage_networkd_units" lineno="791">
+<interface name="systemd_manage_networkd_units" lineno="1418">
<summary>
Allow domain to create/manage systemd_networkd_t unit files
</summary>
@@ -121301,7 +120724,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_enabledisable_networkd" lineno="811">
+<interface name="systemd_enabledisable_networkd" lineno="1438">
<summary>
Allow specified domain to enable systemd-networkd units
</summary>
@@ -121311,7 +120734,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_startstop_networkd" lineno="830">
+<interface name="systemd_startstop_networkd" lineno="1457">
<summary>
Allow specified domain to start systemd-networkd units
</summary>
@@ -121321,7 +120744,18 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_status_networkd" lineno="849">
+<interface name="systemd_dbus_chat_networkd" lineno="1477">
+<summary>
+Send and receive messages from
+systemd networkd over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="systemd_status_networkd" lineno="1497">
<summary>
Allow specified domain to get status of systemd-networkd
</summary>
@@ -121331,7 +120765,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="868">
+<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="1516">
<summary>
Relabel systemd_networkd tun socket.
</summary>
@@ -121341,7 +120775,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="886">
+<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="1534">
<summary>
Read/Write from systemd_networkd netlink route socket.
</summary>
@@ -121351,7 +120785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_list_networkd_runtime" lineno="904">
+<interface name="systemd_list_networkd_runtime" lineno="1552">
<summary>
Allow domain to list dirs under /run/systemd/netif
</summary>
@@ -121361,7 +120795,7 @@ domain permitted the access
</summary>
</param>
</interface>
-<interface name="systemd_watch_networkd_runtime_dirs" lineno="923">
+<interface name="systemd_watch_networkd_runtime_dirs" lineno="1571">
<summary>
Watch directories under /run/systemd/netif
</summary>
@@ -121371,7 +120805,7 @@ Domain permitted the access
</summary>
</param>
</interface>
-<interface name="systemd_read_networkd_runtime" lineno="942">
+<interface name="systemd_read_networkd_runtime" lineno="1590">
<summary>
Allow domain to read files generated by systemd_networkd
</summary>
@@ -121381,7 +120815,7 @@ domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_read_logind_state" lineno="961">
+<interface name="systemd_read_logind_state" lineno="1609">
<summary>
Allow systemd_logind_t to read process state for cgroup file
</summary>
@@ -121391,7 +120825,7 @@ Domain systemd_logind_t may access.
</summary>
</param>
</interface>
-<interface name="systemd_start_power_units" lineno="980">
+<interface name="systemd_start_power_units" lineno="1628">
<summary>
Allow specified domain to start power units
</summary>
@@ -121401,7 +120835,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="systemd_status_power_units" lineno="999">
+<interface name="systemd_status_power_units" lineno="1647">
<summary>
Get the system status information about power units
</summary>
@@ -121411,7 +120845,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_stream_connect_socket_proxyd" lineno="1018">
+<interface name="systemd_stream_connect_socket_proxyd" lineno="1666">
<summary>
Allows connections to the systemd-socket-proxyd's socket.
</summary>
@@ -121421,7 +120855,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_tmpfiles_conf_file" lineno="1037">
+<interface name="systemd_tmpfiles_conf_file" lineno="1685">
<summary>
Make the specified type usable for
systemd tmpfiles config files.
@@ -121432,7 +120866,7 @@ Type to be used for systemd tmpfiles config files.
</summary>
</param>
</interface>
-<interface name="systemd_tmpfiles_creator" lineno="1058">
+<interface name="systemd_tmpfiles_creator" lineno="1706">
<summary>
Allow the specified domain to create
the tmpfiles config directory with
@@ -121444,7 +120878,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_tmpfiles_conf_filetrans" lineno="1094">
+<interface name="systemd_tmpfiles_conf_filetrans" lineno="1742">
<summary>
Create an object in the systemd tmpfiles config
directory, with a private type
@@ -121471,7 +120905,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="systemd_list_tmpfiles_conf" lineno="1113">
+<interface name="systemd_list_tmpfiles_conf" lineno="1761">
<summary>
Allow domain to list systemd tmpfiles config directory
</summary>
@@ -121481,7 +120915,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1131">
+<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1779">
<summary>
Allow domain to relabel to systemd tmpfiles config directory
</summary>
@@ -121491,7 +120925,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1149">
+<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1797">
<summary>
Allow domain to relabel to systemd tmpfiles config files
</summary>
@@ -121501,22 +120935,17 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_tmpfilesd_managed" lineno="1172">
+<interface name="systemd_tmpfilesd_managed" lineno="1815">
<summary>
Allow systemd_tmpfiles_t to manage filesystem objects
</summary>
<param name="type">
<summary>
-type of object to manage
-</summary>
-</param>
-<param name="class">
-<summary>
-object class to manage
+Type of object to manage
</summary>
</param>
</interface>
-<interface name="systemd_dbus_chat_resolved" lineno="1191">
+<interface name="systemd_dbus_chat_resolved" lineno="1842">
<summary>
Send and receive messages from
systemd resolved over dbus.
@@ -121527,7 +120956,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_read_resolved_runtime" lineno="1211">
+<interface name="systemd_read_resolved_runtime" lineno="1862">
<summary>
Allow domain to read resolv.conf file generated by systemd_resolved
</summary>
@@ -121537,7 +120966,7 @@ domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_getattr_updated_runtime" lineno="1229">
+<interface name="systemd_getattr_updated_runtime" lineno="1880">
<summary>
Allow domain to getattr on .updated file (generated by systemd-update-done
</summary>
@@ -121547,7 +120976,7 @@ domain allowed access
</summary>
</param>
</interface>
-<interface name="systemd_search_all_user_keys" lineno="1247">
+<interface name="systemd_search_all_user_keys" lineno="1898">
<summary>
Search keys for the all systemd --user domains.
</summary>
@@ -121557,7 +120986,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_create_all_user_keys" lineno="1265">
+<interface name="systemd_create_all_user_keys" lineno="1916">
<summary>
Create keys for the all systemd --user domains.
</summary>
@@ -121567,7 +120996,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_write_all_user_keys" lineno="1283">
+<interface name="systemd_write_all_user_keys" lineno="1934">
<summary>
Write keys for the all systemd --user domains.
</summary>
@@ -121577,7 +121006,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_domtrans_sysusers" lineno="1302">
+<interface name="systemd_domtrans_sysusers" lineno="1953">
<summary>
Execute systemd-sysusers in the
systemd sysusers domain.
@@ -121588,7 +121017,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="systemd_run_sysusers" lineno="1327">
+<interface name="systemd_run_sysusers" lineno="1978">
<summary>
Run systemd-sysusers with a domain transition.
</summary>
@@ -121604,7 +121033,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="systemd_use_inherited_machined_ptys" lineno="1347">
+<interface name="systemd_use_inherited_machined_ptys" lineno="1998">
<summary>
receive and use a systemd_machined_devpts_t file handle
</summary>
@@ -121655,6 +121084,14 @@ labelled ones.
</p>
</desc>
</tunable>
+<tunable name="systemd_tmpfilesd_factory" dftval="false">
+<desc>
+<p>
+Allow systemd-tmpfilesd to populate missing configuration files from factory
+template directory.
+</p>
+</desc>
+</tunable>
</module>
<module name="tmpfiles" filename="policy/modules/system/tmpfiles.if">
<summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
@@ -121876,7 +121313,27 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_dontaudit_search_db" lineno="236">
+<interface name="udev_relabel_rules_dirs" lineno="236">
+<summary>
+Relabel udev rules directories
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_relabel_rules_files" lineno="256">
+<summary>
+Relabel udev rules files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="udev_dontaudit_search_db" lineno="276">
<summary>
Do not audit search of udev database directories. (Deprecated)
</summary>
@@ -121886,7 +121343,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="udev_read_db" lineno="256">
+<interface name="udev_read_db" lineno="296">
<summary>
Read the udev device table. (Deprecated)
</summary>
@@ -121902,7 +121359,7 @@ Domain allowed access.
</param>
<infoflow type="read" weight="10"/>
</interface>
-<interface name="udev_rw_db" lineno="270">
+<interface name="udev_rw_db" lineno="310">
<summary>
Allow process to modify list of devices. (Deprecated)
</summary>
@@ -121912,7 +121369,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_create_db_dirs" lineno="284">
+<interface name="udev_create_db_dirs" lineno="324">
<summary>
Create udev database directories
</summary>
@@ -121922,7 +121379,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_pid_filetrans_db" lineno="315">
+<interface name="udev_pid_filetrans_db" lineno="355">
<summary>
Write in /var/run/udev with the udev_tbl_t (udev database) file type
</summary>
@@ -121942,7 +121399,7 @@ Name of the directory that the file transition will work on
</summary>
</param>
</interface>
-<interface name="udev_relabelto_db" lineno="334">
+<interface name="udev_relabelto_db" lineno="374">
<summary>
Allow process to relabelto udev database (Deprecated)
</summary>
@@ -121952,7 +121409,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_relabelto_db_sockets" lineno="348">
+<interface name="udev_relabelto_db_sockets" lineno="388">
<summary>
Allow process to relabelto sockets in /run/udev (Deprecated)
</summary>
@@ -121962,7 +121419,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_search_pids" lineno="362">
+<interface name="udev_search_pids" lineno="402">
<summary>
Search through udev pid content (Deprecated)
</summary>
@@ -121972,7 +121429,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_list_pids" lineno="377">
+<interface name="udev_list_pids" lineno="417">
<summary>
list udev pid content (Deprecated)
</summary>
@@ -121982,7 +121439,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_manage_pid_dirs" lineno="393">
+<interface name="udev_manage_pid_dirs" lineno="433">
<summary>
Create, read, write, and delete
udev pid directories (Deprecated)
@@ -121993,7 +121450,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_read_pid_files" lineno="408">
+<interface name="udev_read_pid_files" lineno="448">
<summary>
Read udev pid files. (Deprecated)
</summary>
@@ -122003,7 +121460,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_dontaudit_rw_pid_files" lineno="423">
+<interface name="udev_dontaudit_rw_pid_files" lineno="463">
<summary>
dontaudit attempts to read/write udev pidfiles (Deprecated)
</summary>
@@ -122013,7 +121470,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_manage_pid_files" lineno="439">
+<interface name="udev_manage_pid_files" lineno="479">
<summary>
Create, read, write, and delete
udev pid files. (Deprecated)
@@ -122024,7 +121481,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_generic_pid_filetrans_run_dirs" lineno="459">
+<interface name="udev_generic_pid_filetrans_run_dirs" lineno="499">
<summary>
Create directories in the run location with udev_runtime_t type (Deprecated)
</summary>
@@ -122039,7 +121496,7 @@ Name of the directory that is created
</summary>
</param>
</interface>
-<interface name="udev_search_runtime" lineno="473">
+<interface name="udev_search_runtime" lineno="513">
<summary>
Search through udev runtime dirs.
</summary>
@@ -122049,7 +121506,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_list_runtime" lineno="492">
+<interface name="udev_list_runtime" lineno="532">
<summary>
List udev runtime dirs.
</summary>
@@ -122059,7 +121516,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_manage_runtime_dirs" lineno="512">
+<interface name="udev_manage_runtime_dirs" lineno="552">
<summary>
Create, read, write, and delete
udev runtime directories
@@ -122070,7 +121527,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_read_runtime_files" lineno="531">
+<interface name="udev_read_runtime_files" lineno="571">
<summary>
Read udev runtime files.
</summary>
@@ -122080,7 +121537,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_dontaudit_rw_runtime_files" lineno="551">
+<interface name="udev_dontaudit_rw_runtime_files" lineno="591">
<summary>
dontaudit attempts to read/write udev runtime files.
</summary>
@@ -122090,7 +121547,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_manage_runtime_files" lineno="570">
+<interface name="udev_manage_runtime_files" lineno="610">
<summary>
Create, read, write, and delete
udev runtime files.
@@ -122101,7 +121558,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_domtrans_udevadm" lineno="589">
+<interface name="udev_domtrans_udevadm" lineno="629">
<summary>
Execute udev admin in the udevadm domain.
</summary>
@@ -122111,7 +121568,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="udevadm_domtrans" lineno="607">
+<interface name="udevadm_domtrans" lineno="647">
<summary>
Execute udev admin in the udevadm domain. (Deprecated)
</summary>
@@ -122121,7 +121578,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="udevadm_run" lineno="629">
+<interface name="udevadm_run" lineno="669">
<summary>
Execute udevadm in the udevadm domain, and
allow the specified role the udevadm domain. (Deprecated)
@@ -122138,7 +121595,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="udev_run_udevadm" lineno="651">
+<interface name="udev_run_udevadm" lineno="691">
<summary>
Execute udevadm in the udevadm domain, and
allow the specified role the udevadm domain.
@@ -122155,7 +121612,7 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="udevadm_exec" lineno="670">
+<interface name="udevadm_exec" lineno="710">
<summary>
Execute udevadm in the caller domain. (Deprecated)
</summary>
@@ -122165,7 +121622,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_exec_udevadm" lineno="685">
+<interface name="udev_exec_udevadm" lineno="725">
<summary>
Execute udevadm in the caller domain.
</summary>
@@ -122175,7 +121632,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="udev_pid_filetrans_rules" lineno="715">
+<interface name="udev_pid_filetrans_rules" lineno="755">
<summary>
Write in /var/run/udev with the udev_rules_t (udev rules) file type
</summary>
@@ -122195,7 +121652,7 @@ Name of the directory that the file transition will work on
</summary>
</param>
</interface>
-<interface name="udev_create_rules_dirs" lineno="734">
+<interface name="udev_create_rules_dirs" lineno="774">
<summary>
Create udev rules directories
</summary>
@@ -122557,7 +122014,7 @@ is the prefix for user_t).
</param>
<rolebase/>
</template>
-<template name="userdom_user_content_access_template" lineno="179">
+<template name="userdom_user_content_access_template" lineno="181">
<summary>
Template for handling user content through standard tunables
</summary>
@@ -122586,7 +122043,27 @@ The application domain which is granted the necessary privileges
</param>
<rolebase/>
</template>
-<interface name="userdom_ro_home_role" lineno="270">
+<interface name="userdom_application_exec_domain" lineno="266">
+<summary>
+Associate the specified domain to be
+a domain capable of executing other
+applications on behalf of the specified
+user.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<rolebase/>
+</interface>
+<interface name="userdom_ro_home_role" lineno="300">
<summary>
Allow a home directory for which the
role has read-only access.
@@ -122612,7 +122089,7 @@ The user domain
</param>
<rolebase/>
</interface>
-<interface name="userdom_manage_home_role" lineno="347">
+<interface name="userdom_manage_home_role" lineno="377">
<summary>
Allow a home directory for which the
role has full access.
@@ -122638,7 +122115,7 @@ The user domain
</param>
<rolebase/>
</interface>
-<interface name="userdom_manage_tmp_role" lineno="433">
+<interface name="userdom_manage_tmp_role" lineno="463">
<summary>
Manage user temporary files
</summary>
@@ -122654,7 +122131,7 @@ Domain allowed access.
</param>
<rolebase/>
</interface>
-<interface name="userdom_exec_user_tmp_files" lineno="460">
+<interface name="userdom_exec_user_tmp_files" lineno="490">
<summary>
The execute access user temporary files.
</summary>
@@ -122665,7 +122142,7 @@ Domain allowed access.
</param>
<rolebase/>
</interface>
-<interface name="userdom_manage_tmpfs_role" lineno="496">
+<interface name="userdom_manage_tmpfs_role" lineno="526">
<summary>
Role access for the user tmpfs type
that the user has full access.
@@ -122691,7 +122168,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<template name="userdom_basic_networking_template" lineno="522">
+<template name="userdom_basic_networking_template" lineno="552">
<summary>
The template allowing the user basic
network permissions
@@ -122704,7 +122181,7 @@ is the prefix for user_t).
</param>
<rolebase/>
</template>
-<template name="userdom_change_password_template" lineno="562">
+<template name="userdom_change_password_template" lineno="592">
<summary>
The template for allowing the user to change passwords.
</summary>
@@ -122716,7 +122193,7 @@ is the prefix for user_t).
</param>
<rolebase/>
</template>
-<template name="userdom_common_user_template" lineno="592">
+<template name="userdom_common_user_template" lineno="622">
<summary>
The template containing rules common to unprivileged
users and administrative users.
@@ -122734,7 +122211,7 @@ is the prefix for user_t).
</summary>
</param>
</template>
-<template name="userdom_login_user_template" lineno="914">
+<template name="userdom_login_user_template" lineno="945">
<summary>
The template for creating a login user.
</summary>
@@ -122752,7 +122229,7 @@ is the prefix for user_t).
</summary>
</param>
</template>
-<template name="userdom_restricted_user_template" lineno="1037">
+<template name="userdom_restricted_user_template" lineno="1068">
<summary>
The template for creating a unprivileged login user.
</summary>
@@ -122770,7 +122247,7 @@ is the prefix for user_t).
</summary>
</param>
</template>
-<template name="userdom_restricted_xwindows_user_template" lineno="1078">
+<template name="userdom_restricted_xwindows_user_template" lineno="1109">
<summary>
The template for creating a unprivileged xwindows login user.
</summary>
@@ -122791,7 +122268,7 @@ is the prefix for user_t).
</summary>
</param>
</template>
-<template name="userdom_unpriv_user_template" lineno="1161">
+<template name="userdom_unpriv_user_template" lineno="1192">
<summary>
The template for creating a unprivileged user roughly
equivalent to a regular linux user.
@@ -122814,7 +122291,7 @@ is the prefix for user_t).
</summary>
</param>
</template>
-<template name="userdom_admin_user_template" lineno="1281">
+<template name="userdom_admin_user_template" lineno="1312">
<summary>
The template for creating an administrative user.
</summary>
@@ -122843,7 +122320,7 @@ is the prefix for sysadm_t).
</summary>
</param>
</template>
-<template name="userdom_security_admin_template" lineno="1456">
+<interface name="userdom_security_admin_template" lineno="1491">
<summary>
Allow user to run as a secadm
</summary>
@@ -122868,8 +122345,8 @@ Domain allowed access.
The role of the object to create.
</summary>
</param>
-</template>
-<template name="userdom_xdg_user_template" lineno="1554">
+</interface>
+<template name="userdom_xdg_user_template" lineno="1594">
<summary>
Allow user to interact with xdg content types
</summary>
@@ -122890,7 +122367,7 @@ Domain allowed access.
</summary>
</param>
</template>
-<interface name="userdom_user_application_type" lineno="1603">
+<interface name="userdom_user_application_type" lineno="1643">
<summary>
Make the specified type usable as
a user application domain type.
@@ -122901,7 +122378,7 @@ Type to be used as a user application domain.
</summary>
</param>
</interface>
-<interface name="userdom_user_application_domain" lineno="1624">
+<interface name="userdom_user_application_domain" lineno="1664">
<summary>
Make the specified type usable as
a user application domain.
@@ -122917,7 +122394,7 @@ Type to be used as the domain entry point.
</summary>
</param>
</interface>
-<interface name="userdom_user_home_content" lineno="1641">
+<interface name="userdom_user_home_content" lineno="1681">
<summary>
Make the specified type usable in a
user home directory.
@@ -122929,7 +122406,7 @@ user home directory.
</summary>
</param>
</interface>
-<interface name="userdom_user_tmp_file" lineno="1667">
+<interface name="userdom_user_tmp_file" lineno="1707">
<summary>
Make the specified type usable as a
user temporary file.
@@ -122941,7 +122418,7 @@ temporary directories.
</summary>
</param>
</interface>
-<interface name="userdom_user_tmpfs_file" lineno="1684">
+<interface name="userdom_user_tmpfs_file" lineno="1724">
<summary>
Make the specified type usable as a
user tmpfs file.
@@ -122953,7 +122430,7 @@ tmpfs directories.
</summary>
</param>
</interface>
-<interface name="userdom_attach_admin_tun_iface" lineno="1699">
+<interface name="userdom_attach_admin_tun_iface" lineno="1739">
<summary>
Allow domain to attach to TUN devices created by administrative users.
</summary>
@@ -122963,7 +122440,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_setattr_user_ptys" lineno="1718">
+<interface name="userdom_setattr_user_ptys" lineno="1758">
<summary>
Set the attributes of a user pty.
</summary>
@@ -122973,7 +122450,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_create_user_pty" lineno="1736">
+<interface name="userdom_create_user_pty" lineno="1776">
<summary>
Create a user pty.
</summary>
@@ -122983,7 +122460,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_getattr_user_home_dirs" lineno="1754">
+<interface name="userdom_getattr_user_home_dirs" lineno="1794">
<summary>
Get the attributes of user home directories.
</summary>
@@ -122993,7 +122470,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1773">
+<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1813">
<summary>
Do not audit attempts to get the attributes of user home directories.
</summary>
@@ -123003,7 +122480,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_search_user_home_dirs" lineno="1791">
+<interface name="userdom_search_user_home_dirs" lineno="1831">
<summary>
Search user home directories.
</summary>
@@ -123013,7 +122490,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1818">
+<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1858">
<summary>
Do not audit attempts to search user home directories.
</summary>
@@ -123031,7 +122508,7 @@ Domain to not audit.
</param>
<infoflow type="none"/>
</interface>
-<interface name="userdom_list_user_home_dirs" lineno="1836">
+<interface name="userdom_list_user_home_dirs" lineno="1876">
<summary>
List user home directories.
</summary>
@@ -123041,7 +122518,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1855">
+<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1895">
<summary>
Do not audit attempts to list user home subdirectories.
</summary>
@@ -123051,7 +122528,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_create_user_home_dirs" lineno="1873">
+<interface name="userdom_create_user_home_dirs" lineno="1913">
<summary>
Create user home directories.
</summary>
@@ -123061,7 +122538,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_dirs" lineno="1891">
+<interface name="userdom_manage_user_home_dirs" lineno="1931">
<summary>
Manage user home directories.
</summary>
@@ -123071,7 +122548,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabelto_user_home_dirs" lineno="1909">
+<interface name="userdom_relabelto_user_home_dirs" lineno="1949">
<summary>
Relabel to user home directories.
</summary>
@@ -123081,7 +122558,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_home_filetrans_user_home_dir" lineno="1933">
+<interface name="userdom_home_filetrans_user_home_dir" lineno="1973">
<summary>
Create directories in the home dir root with
the user home directory type.
@@ -123097,7 +122574,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_home_domtrans" lineno="1970">
+<interface name="userdom_user_home_domtrans" lineno="2010">
<summary>
Do a domain transition to the specified
domain when executing a program in the
@@ -123126,7 +122603,7 @@ Domain to transition to.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_search_user_home_content" lineno="1990">
+<interface name="userdom_dontaudit_search_user_home_content" lineno="2030">
<summary>
Do not audit attempts to search user home content directories.
</summary>
@@ -123136,7 +122613,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_list_all_user_home_content" lineno="2008">
+<interface name="userdom_list_all_user_home_content" lineno="2048">
<summary>
List all users home content directories.
</summary>
@@ -123146,7 +122623,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_list_user_home_content" lineno="2027">
+<interface name="userdom_list_user_home_content" lineno="2067">
<summary>
List contents of users home directory.
</summary>
@@ -123156,7 +122633,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_content_dirs" lineno="2046">
+<interface name="userdom_manage_user_home_content_dirs" lineno="2086">
<summary>
Create, read, write, and delete directories
in a user home subdirectory.
@@ -123167,7 +122644,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_home_content_dirs" lineno="2065">
+<interface name="userdom_delete_all_user_home_content_dirs" lineno="2105">
<summary>
Delete all user home content directories.
</summary>
@@ -123177,7 +122654,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_home_content_dirs" lineno="2085">
+<interface name="userdom_delete_user_home_content_dirs" lineno="2125">
<summary>
Delete directories in a user home subdirectory.
</summary>
@@ -123187,7 +122664,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2103">
+<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2143">
<summary>
Set attributes of all user home content directories.
</summary>
@@ -123197,7 +122674,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2123">
+<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2163">
<summary>
Do not audit attempts to set the
attributes of user home files.
@@ -123208,7 +122685,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_map_user_home_content_files" lineno="2141">
+<interface name="userdom_map_user_home_content_files" lineno="2181">
<summary>
Map user home files.
</summary>
@@ -123218,7 +122695,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_mmap_user_home_content_files" lineno="2159">
+<interface name="userdom_mmap_user_home_content_files" lineno="2199">
<summary>
Mmap user home files.
</summary>
@@ -123228,7 +122705,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_home_content_files" lineno="2178">
+<interface name="userdom_read_user_home_content_files" lineno="2218">
<summary>
Read user home files.
</summary>
@@ -123238,7 +122715,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2197">
+<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2237">
<summary>
Do not audit attempts to read user home files.
</summary>
@@ -123248,7 +122725,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_read_all_user_home_content" lineno="2216">
+<interface name="userdom_read_all_user_home_content" lineno="2256">
<summary>
Read all user home content, including application-specific resources.
</summary>
@@ -123258,7 +122735,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="userdom_manage_all_user_home_content" lineno="2238">
+<interface name="userdom_manage_all_user_home_content" lineno="2278">
<summary>
Manage all user home content, including application-specific resources.
</summary>
@@ -123268,7 +122745,17 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2260">
+<interface name="userdom_map_all_user_home_content_files" lineno="2300">
+<summary>
+Map all user home content, including application-specific resources.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+</interface>
+<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2318">
<summary>
Do not audit attempts to append user home files.
</summary>
@@ -123278,7 +122765,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2278">
+<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2336">
<summary>
Do not audit attempts to write user home files.
</summary>
@@ -123288,7 +122775,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_home_content_files" lineno="2296">
+<interface name="userdom_delete_all_user_home_content_files" lineno="2354">
<summary>
Delete all user home content files.
</summary>
@@ -123298,7 +122785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_home_content_files" lineno="2316">
+<interface name="userdom_delete_user_home_content_files" lineno="2374">
<summary>
Delete files in a user home subdirectory.
</summary>
@@ -123308,7 +122795,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2334">
+<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2392">
<summary>
Do not audit attempts to relabel user home files.
</summary>
@@ -123318,7 +122805,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_home_content_symlinks" lineno="2352">
+<interface name="userdom_read_user_home_content_symlinks" lineno="2410">
<summary>
Read user home subdirectory symbolic links.
</summary>
@@ -123328,7 +122815,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_exec_user_home_content_files" lineno="2372">
+<interface name="userdom_exec_user_home_content_files" lineno="2430">
<summary>
Execute user home files.
</summary>
@@ -123339,7 +122826,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2399">
+<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2457">
<summary>
Do not audit attempts to execute user home files.
</summary>
@@ -123349,7 +122836,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_content_files" lineno="2418">
+<interface name="userdom_manage_user_home_content_files" lineno="2476">
<summary>
Create, read, write, and delete files
in a user home subdirectory.
@@ -123360,7 +122847,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2439">
+<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2497">
<summary>
Do not audit attempts to create, read, write, and delete directories
in a user home subdirectory.
@@ -123371,7 +122858,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_content_symlinks" lineno="2458">
+<interface name="userdom_manage_user_home_content_symlinks" lineno="2516">
<summary>
Create, read, write, and delete symbolic links
in a user home subdirectory.
@@ -123382,7 +122869,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2478">
+<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2536">
<summary>
Delete all user home content symbolic links.
</summary>
@@ -123392,7 +122879,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_home_content_symlinks" lineno="2498">
+<interface name="userdom_delete_user_home_content_symlinks" lineno="2556">
<summary>
Delete symbolic links in a user home directory.
</summary>
@@ -123402,7 +122889,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_content_pipes" lineno="2517">
+<interface name="userdom_manage_user_home_content_pipes" lineno="2575">
<summary>
Create, read, write, and delete named pipes
in a user home subdirectory.
@@ -123413,7 +122900,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_home_content_sockets" lineno="2538">
+<interface name="userdom_manage_user_home_content_sockets" lineno="2596">
<summary>
Create, read, write, and delete named sockets
in a user home subdirectory.
@@ -123424,7 +122911,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_user_home_dir_filetrans" lineno="2575">
+<interface name="userdom_user_home_dir_filetrans" lineno="2633">
<summary>
Create objects in a user home directory
with an automatic type transition to
@@ -123451,7 +122938,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_home_content_filetrans" lineno="2612">
+<interface name="userdom_user_home_content_filetrans" lineno="2670">
<summary>
Create objects in a directory located
in a user home directory with an
@@ -123479,7 +122966,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2643">
+<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2701">
<summary>
Automatically use the user_cert_t label for selected resources
created in a users home directory
@@ -123500,7 +122987,7 @@ Name of the resource that is being created
</summary>
</param>
</interface>
-<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2673">
+<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2731">
<summary>
Create objects in a user home directory
with an automatic type transition to
@@ -123522,7 +123009,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_certs" lineno="2693">
+<interface name="userdom_read_user_certs" lineno="2751">
<summary>
Read user SSL certificates.
</summary>
@@ -123533,7 +123020,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="userdom_dontaudit_manage_user_certs" lineno="2716">
+<interface name="userdom_dontaudit_manage_user_certs" lineno="2774">
<summary>
Do not audit attempts to manage
the user SSL certificates.
@@ -123545,7 +123032,7 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="userdom_manage_user_certs" lineno="2736">
+<interface name="userdom_manage_user_certs" lineno="2794">
<summary>
Manage user SSL certificates.
</summary>
@@ -123555,7 +123042,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_write_user_tmp_sockets" lineno="2757">
+<interface name="userdom_write_user_tmp_sockets" lineno="2815">
<summary>
Write to user temporary named sockets.
</summary>
@@ -123565,7 +123052,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_list_user_tmp" lineno="2777">
+<interface name="userdom_list_user_tmp" lineno="2835">
<summary>
List user temporary directories.
</summary>
@@ -123575,7 +123062,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_list_user_tmp" lineno="2799">
+<interface name="userdom_dontaudit_list_user_tmp" lineno="2857">
<summary>
Do not audit attempts to list user
temporary directories.
@@ -123586,7 +123073,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmp_dirs" lineno="2817">
+<interface name="userdom_delete_user_tmp_dirs" lineno="2875">
<summary>
Delete users temporary directories.
</summary>
@@ -123596,7 +123083,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="2836">
+<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="2894">
<summary>
Do not audit attempts to manage users
temporary directories.
@@ -123607,7 +123094,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_tmp_files" lineno="2854">
+<interface name="userdom_read_user_tmp_files" lineno="2912">
<summary>
Read user temporary files.
</summary>
@@ -123617,7 +123104,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_map_user_tmp_files" lineno="2875">
+<interface name="userdom_map_user_tmp_files" lineno="2933">
<summary>
Map user temporary files.
</summary>
@@ -123627,7 +123114,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_read_user_tmp_files" lineno="2894">
+<interface name="userdom_dontaudit_read_user_tmp_files" lineno="2952">
<summary>
Do not audit attempts to read users
temporary files.
@@ -123638,7 +123125,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_append_user_tmp_files" lineno="2913">
+<interface name="userdom_dontaudit_append_user_tmp_files" lineno="2971">
<summary>
Do not audit attempts to append users
temporary files.
@@ -123649,7 +123136,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_rw_user_tmp_files" lineno="2931">
+<interface name="userdom_rw_user_tmp_files" lineno="2989">
<summary>
Read and write user temporary files.
</summary>
@@ -123659,7 +123146,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmp_files" lineno="2952">
+<interface name="userdom_delete_user_tmp_files" lineno="3010">
<summary>
Delete users temporary files.
</summary>
@@ -123669,7 +123156,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="2971">
+<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3029">
<summary>
Do not audit attempts to manage users
temporary files.
@@ -123680,7 +123167,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_tmp_symlinks" lineno="2989">
+<interface name="userdom_read_user_tmp_symlinks" lineno="3047">
<summary>
Read user temporary symbolic links.
</summary>
@@ -123690,7 +123177,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmp_symlinks" lineno="3010">
+<interface name="userdom_delete_user_tmp_symlinks" lineno="3068">
<summary>
Delete users temporary symbolic links.
</summary>
@@ -123700,7 +123187,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_dirs" lineno="3029">
+<interface name="userdom_manage_user_tmp_dirs" lineno="3087">
<summary>
Create, read, write, and delete user
temporary directories.
@@ -123711,7 +123198,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmp_named_pipes" lineno="3049">
+<interface name="userdom_delete_user_tmp_named_pipes" lineno="3107">
<summary>
Delete users temporary named pipes.
</summary>
@@ -123721,7 +123208,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_files" lineno="3068">
+<interface name="userdom_manage_user_tmp_files" lineno="3126">
<summary>
Create, read, write, and delete user
temporary files.
@@ -123732,7 +123219,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmp_named_sockets" lineno="3088">
+<interface name="userdom_delete_user_tmp_named_sockets" lineno="3146">
<summary>
Delete users temporary named sockets.
</summary>
@@ -123742,7 +123229,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_symlinks" lineno="3107">
+<interface name="userdom_manage_user_tmp_symlinks" lineno="3165">
<summary>
Create, read, write, and delete user
temporary symbolic links.
@@ -123753,7 +123240,18 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_pipes" lineno="3128">
+<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3186">
+<summary>
+Do not audit attempts to read and write
+temporary pipes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_manage_user_tmp_pipes" lineno="3205">
<summary>
Create, read, write, and delete user
temporary named pipes.
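Review bot: The `<param name="domain">` summary of the added `userdom_dontaudit_rw_user_tmp_pipes` entry says `Domain allowed access.`, but a dontaudit interface grants no access and only suppresses the denial record. The summary should read `Domain to not audit.`, as the `userdom_dontaudit_list_user_tmp` entry and most other dontaudit entries in this diff do. The interface summary also says `temporary pipes` where the neighbouring entries say "user temporary named pipes", so I would change it to `Do not audit attempts to read and write user temporary named pipes.`. Because this file is generated, both corrections belong in the interface's source doc comment rather than here. The wording matters for anyone auditing which domains have denials hidden from the audit log.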
@@ -123764,7 +123262,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_sockets" lineno="3149">
+<interface name="userdom_manage_user_tmp_sockets" lineno="3226">
<summary>
Create, read, write, and delete user
temporary named sockets.
@@ -123775,7 +123273,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_user_tmp_filetrans" lineno="3186">
+<interface name="userdom_user_tmp_filetrans" lineno="3263">
<summary>
Create objects in a user temporary directory
with an automatic type transition to
@@ -123802,7 +123300,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_tmp_filetrans_user_tmp" lineno="3218">
+<interface name="userdom_tmp_filetrans_user_tmp" lineno="3295">
<summary>
Create objects in the temporary directory
with an automatic type transition to
@@ -123824,7 +123322,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_map_user_tmpfs_files" lineno="3236">
+<interface name="userdom_map_user_tmpfs_files" lineno="3313">
<summary>
Map user tmpfs files.
</summary>
@@ -123834,7 +123332,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_read_user_tmpfs_files" lineno="3254">
+<interface name="userdom_read_user_tmpfs_files" lineno="3331">
<summary>
Read user tmpfs files.
</summary>
@@ -123844,7 +123342,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3274">
+<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3351">
<summary>
dontaudit Read attempts of user tmpfs files.
</summary>
@@ -123854,7 +123352,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3293">
+<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3370">
<summary>
relabel to/from user tmpfs dirs
</summary>
@@ -123864,7 +123362,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabel_user_tmpfs_files" lineno="3312">
+<interface name="userdom_relabel_user_tmpfs_files" lineno="3389">
<summary>
relabel to/from user tmpfs files
</summary>
@@ -123874,7 +123372,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_user_runtime_content" lineno="3334">
+<interface name="userdom_user_runtime_content" lineno="3411">
<summary>
Make the specified type usable in
the directory /run/user/%{USERID}/.
@@ -123886,7 +123384,7 @@ user_runtime_content_dir_t.
</summary>
</param>
</interface>
-<interface name="userdom_search_user_runtime" lineno="3354">
+<interface name="userdom_search_user_runtime" lineno="3431">
<summary>
Search users runtime directories.
</summary>
@@ -123896,7 +123394,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_search_user_runtime_root" lineno="3373">
+<interface name="userdom_search_user_runtime_root" lineno="3450">
<summary>
Search user runtime root directories.
</summary>
@@ -123906,7 +123404,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_runtime_root_dirs" lineno="3393">
+<interface name="userdom_manage_user_runtime_root_dirs" lineno="3470">
<summary>
Create, read, write, and delete user
runtime root dirs.
@@ -123917,7 +123415,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3412">
+<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3489">
<summary>
Relabel to and from user runtime root dirs.
</summary>
@@ -123927,7 +123425,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_runtime_dirs" lineno="3431">
+<interface name="userdom_manage_user_runtime_dirs" lineno="3508">
<summary>
Create, read, write, and delete user
runtime dirs.
@@ -123938,7 +123436,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_mounton_user_runtime_dirs" lineno="3451">
+<interface name="userdom_mounton_user_runtime_dirs" lineno="3528">
<summary>
Mount a filesystem on user runtime dir
directories.
@@ -123949,7 +123447,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabelto_user_runtime_dirs" lineno="3469">
+<interface name="userdom_relabelto_user_runtime_dirs" lineno="3546">
<summary>
Relabel to user runtime directories.
</summary>
@@ -123959,7 +123457,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3487">
+<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3564">
<summary>
Relabel from user runtime directories.
</summary>
@@ -123969,7 +123467,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_runtime_files" lineno="3505">
+<interface name="userdom_delete_user_runtime_files" lineno="3582">
<summary>
delete user runtime files
</summary>
@@ -123979,7 +123477,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_search_all_user_runtime" lineno="3524">
+<interface name="userdom_search_all_user_runtime" lineno="3601">
<summary>
Search users runtime directories.
</summary>
@@ -123989,7 +123487,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_list_all_user_runtime" lineno="3543">
+<interface name="userdom_list_all_user_runtime" lineno="3620">
<summary>
List user runtime directories.
</summary>
@@ -123999,7 +123497,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_runtime_dirs" lineno="3562">
+<interface name="userdom_delete_all_user_runtime_dirs" lineno="3639">
<summary>
delete user runtime directories
</summary>
@@ -124009,7 +123507,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_runtime_files" lineno="3580">
+<interface name="userdom_delete_all_user_runtime_files" lineno="3657">
<summary>
delete user runtime files
</summary>
@@ -124019,7 +123517,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3599">
+<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3675">
<summary>
delete user runtime symlink files
</summary>
@@ -124029,7 +123527,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3618">
+<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3693">
<summary>
delete user runtime fifo files
</summary>
@@ -124039,7 +123537,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3637">
+<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3711">
<summary>
delete user runtime socket files
</summary>
@@ -124049,7 +123547,27 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_pid_filetrans_user_runtime_root" lineno="3668">
+<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3729">
+<summary>
+delete user runtime blk files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3747">
+<summary>
+delete user runtime chr files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="userdom_pid_filetrans_user_runtime_root" lineno="3777">
<summary>
Create objects in the pid directory
with an automatic type transition to
@@ -124071,7 +123589,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3695">
+<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3804">
<summary>
Create objects in the runtime directory
with an automatic type transition to
@@ -124093,7 +123611,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_runtime_filetrans" lineno="3731">
+<interface name="userdom_user_runtime_filetrans" lineno="3840">
<summary>
Create objects in a user runtime
directory with an automatic type
@@ -124121,7 +123639,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3762">
+<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3871">
<summary>
Create objects in the user runtime directory
with an automatic type transition to
@@ -124143,7 +123661,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="3792">
+<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="3901">
<summary>
Create objects in the user runtime root
directory with an automatic type transition
@@ -124165,7 +123683,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_user_run_filetrans_user_runtime" lineno="3823">
+<interface name="userdom_user_run_filetrans_user_runtime" lineno="3932">
<summary>
Create objects in the user runtime root
directory with an automatic type transition
@@ -124187,7 +123705,7 @@ The name of the object being created.
</summary>
</param>
</interface>
-<interface name="userdom_rw_user_tmpfs_files" lineno="3841">
+<interface name="userdom_rw_user_tmpfs_files" lineno="3950">
<summary>
Read and write user tmpfs files.
</summary>
@@ -124197,7 +123715,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_delete_user_tmpfs_files" lineno="3862">
+<interface name="userdom_delete_user_tmpfs_files" lineno="3971">
<summary>
Delete user tmpfs files.
</summary>
@@ -124207,7 +123725,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmpfs_files" lineno="3881">
+<interface name="userdom_manage_user_tmpfs_files" lineno="3990">
<summary>
Create, read, write, and delete user tmpfs files.
</summary>
@@ -124217,7 +123735,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_getattr_user_ttys" lineno="3901">
+<interface name="userdom_getattr_user_ttys" lineno="4010">
<summary>
Get the attributes of a user domain tty.
</summary>
@@ -124227,7 +123745,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_getattr_user_ttys" lineno="3919">
+<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4028">
<summary>
Do not audit attempts to get the attributes of a user domain tty.
</summary>
@@ -124237,7 +123755,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_setattr_user_ttys" lineno="3937">
+<interface name="userdom_setattr_user_ttys" lineno="4046">
<summary>
Set the attributes of a user domain tty.
</summary>
@@ -124247,7 +123765,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_setattr_user_ttys" lineno="3955">
+<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4064">
<summary>
Do not audit attempts to set the attributes of a user domain tty.
</summary>
@@ -124257,7 +123775,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_use_user_ttys" lineno="3973">
+<interface name="userdom_use_user_ttys" lineno="4082">
<summary>
Read and write a user domain tty.
</summary>
@@ -124267,7 +123785,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_use_user_ptys" lineno="3991">
+<interface name="userdom_use_user_ptys" lineno="4100">
<summary>
Read and write a user domain pty.
</summary>
@@ -124277,7 +123795,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_use_inherited_user_terminals" lineno="4026">
+<interface name="userdom_use_inherited_user_terminals" lineno="4135">
<summary>
Read and write a user TTYs and PTYs.
</summary>
@@ -124303,7 +123821,7 @@ Domain allowed access.
</param>
<infoflow type="both" weight="10"/>
</interface>
-<interface name="userdom_use_user_terminals" lineno="4067">
+<interface name="userdom_use_user_terminals" lineno="4176">
<summary>
Read, write and open a user TTYs and PTYs.
</summary>
@@ -124335,7 +123853,7 @@ Domain allowed access.
</param>
<infoflow type="both" weight="10"/>
</interface>
-<interface name="userdom_dontaudit_use_user_terminals" lineno="4083">
+<interface name="userdom_dontaudit_use_user_terminals" lineno="4192">
<summary>
Do not audit attempts to read and write
a user domain tty and pty.
@@ -124346,7 +123864,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_spec_domtrans_all_users" lineno="4104">
+<interface name="userdom_spec_domtrans_all_users" lineno="4213">
<summary>
Execute a shell in all user domains. This
is an explicit transition, requiring the
@@ -124358,7 +123876,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4127">
+<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4236">
<summary>
Execute an Xserver session in all user domains. This
is an explicit transition, requiring the
@@ -124370,7 +123888,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="userdom_spec_domtrans_unpriv_users" lineno="4150">
+<interface name="userdom_spec_domtrans_unpriv_users" lineno="4259">
<summary>
Execute a shell in all unprivileged user domains. This
is an explicit transition, requiring the
@@ -124382,7 +123900,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4173">
+<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4282">
<summary>
Execute an Xserver session in all unprivileged user domains. This
is an explicit transition, requiring the
@@ -124394,7 +123912,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="userdom_rw_unpriv_user_semaphores" lineno="4194">
+<interface name="userdom_rw_unpriv_user_semaphores" lineno="4303">
<summary>
Read and write unpriviledged user SysV sempaphores.
</summary>
@@ -124404,7 +123922,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_unpriv_user_semaphores" lineno="4212">
+<interface name="userdom_manage_unpriv_user_semaphores" lineno="4321">
<summary>
Manage unpriviledged user SysV sempaphores.
</summary>
@@ -124414,7 +123932,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4231">
+<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4340">
<summary>
Read and write unpriviledged user SysV shared
memory segments.
@@ -124425,7 +123943,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4250">
+<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4359">
<summary>
Manage unpriviledged user SysV shared
memory segments.
@@ -124436,7 +123954,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4270">
+<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4379">
<summary>
Execute bin_t in the unprivileged user domains. This
is an explicit transition, requiring the
@@ -124448,7 +123966,7 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4293">
+<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4402">
<summary>
Execute all entrypoint files in unprivileged user
domains. This is an explicit transition, requiring the
@@ -124460,7 +123978,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_search_user_home_content" lineno="4314">
+<interface name="userdom_search_user_home_content" lineno="4423">
<summary>
Search users home directories.
</summary>
@@ -124470,7 +123988,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_signull_unpriv_users" lineno="4333">
+<interface name="userdom_signull_unpriv_users" lineno="4442">
<summary>
Send signull to unprivileged user domains.
</summary>
@@ -124480,7 +123998,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_signal_unpriv_users" lineno="4351">
+<interface name="userdom_signal_unpriv_users" lineno="4460">
<summary>
Send general signals to unprivileged user domains.
</summary>
@@ -124490,7 +124008,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_use_unpriv_users_fds" lineno="4369">
+<interface name="userdom_use_unpriv_users_fds" lineno="4478">
<summary>
Inherit the file descriptors from unprivileged user domains.
</summary>
@@ -124500,7 +124018,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4397">
+<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4506">
<summary>
Do not audit attempts to inherit the file descriptors
from unprivileged user domains.
@@ -124520,7 +124038,7 @@ Domain to not audit.
</param>
<infoflow type="none"/>
</interface>
-<interface name="userdom_dontaudit_use_user_ptys" lineno="4415">
+<interface name="userdom_dontaudit_use_user_ptys" lineno="4524">
<summary>
Do not audit attempts to use user ptys.
</summary>
@@ -124530,7 +124048,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_relabelto_user_ptys" lineno="4433">
+<interface name="userdom_relabelto_user_ptys" lineno="4542">
<summary>
Relabel files to unprivileged user pty types.
</summary>
@@ -124540,7 +124058,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4452">
+<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4561">
<summary>
Do not audit attempts to relabel files from
user pty types.
@@ -124551,7 +124069,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_write_user_tmp_files" lineno="4470">
+<interface name="userdom_write_user_tmp_files" lineno="4579">
<summary>
Write all users files in /tmp
</summary>
@@ -124561,7 +124079,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4489">
+<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4598">
<summary>
Do not audit attempts to write users
temporary files.
@@ -124572,7 +124090,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_use_user_ttys" lineno="4507">
+<interface name="userdom_dontaudit_use_user_ttys" lineno="4616">
<summary>
Do not audit attempts to use user ttys.
</summary>
@@ -124582,7 +124100,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_read_all_users_state" lineno="4525">
+<interface name="userdom_read_all_users_state" lineno="4634">
<summary>
Read the process state of all user domains.
</summary>
@@ -124592,7 +124110,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_getattr_all_users" lineno="4545">
+<interface name="userdom_getattr_all_users" lineno="4654">
<summary>
Get the attributes of all user domains.
</summary>
@@ -124602,7 +124120,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_use_all_users_fds" lineno="4563">
+<interface name="userdom_use_all_users_fds" lineno="4672">
<summary>
Inherit the file descriptors from all user domains
</summary>
@@ -124612,7 +124130,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_use_all_users_fds" lineno="4582">
+<interface name="userdom_dontaudit_use_all_users_fds" lineno="4691">
<summary>
Do not audit attempts to inherit the file
descriptors from any user domains.
@@ -124623,7 +124141,7 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="userdom_signal_all_users" lineno="4600">
+<interface name="userdom_signal_all_users" lineno="4709">
<summary>
Send general signals to all user domains.
</summary>
@@ -124633,7 +124151,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_sigchld_all_users" lineno="4618">
+<interface name="userdom_sigchld_all_users" lineno="4727">
<summary>
Send a SIGCHLD signal to all user domains.
</summary>
@@ -124643,7 +124161,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_read_all_users_keys" lineno="4636">
+<interface name="userdom_read_all_users_keys" lineno="4745">
<summary>
Read keys for all user domains.
</summary>
@@ -124653,7 +124171,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_write_all_users_keys" lineno="4654">
+<interface name="userdom_write_all_users_keys" lineno="4763">
<summary>
Write keys for all user domains.
</summary>
@@ -124663,7 +124181,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_rw_all_users_keys" lineno="4672">
+<interface name="userdom_rw_all_users_keys" lineno="4781">
<summary>
Read and write keys for all user domains.
</summary>
@@ -124673,7 +124191,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_create_all_users_keys" lineno="4690">
+<interface name="userdom_create_all_users_keys" lineno="4799">
<summary>
Create keys for all user domains.
</summary>
@@ -124683,7 +124201,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_all_users_keys" lineno="4708">
+<interface name="userdom_manage_all_users_keys" lineno="4817">
<summary>
Manage keys for all user domains.
</summary>
@@ -124693,7 +124211,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_dbus_send_all_users" lineno="4726">
+<interface name="userdom_dbus_send_all_users" lineno="4835">
<summary>
Send a dbus message to all user domains.
</summary>
@@ -124703,7 +124221,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_manage_user_tmp_chr_files" lineno="4748">
+<interface name="userdom_manage_user_tmp_chr_files" lineno="4857">
<summary>
Create, read, write, and delete user
temporary character files.
@@ -124714,7 +124232,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="userdom_relabel_user_certs" lineno="4769">
+<interface name="userdom_relabel_user_certs" lineno="4878">
<summary>
Allow relabeling resources to user_cert_t
</summary>
@@ -124724,7 +124242,7 @@ Domain allowed access
</summary>
</param>
</interface>
-<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="4792">
+<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="4901">
<summary>
Do not audit attempts to read and write
unserdomain stream.
diff --git a/policy/booleans.conf b/policy/booleans.conf
index 38a4ea50..368c5856 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -4,13 +4,17 @@
secure_mode_insmod = false
#
-# Boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values. Set this to true and you
-# have to reboot to set it back.
+# Boolean to determine whether the system permits loading policy, and setting
+# enforcing mode. Set this to true and you have to reboot to set it back.
#
secure_mode_policyload = false
#
+# Boolean to determine whether the system permits setting Booelan values.
+#
+secure_mode_setbool = false
+
+#
# Enabling secure mode disallows programs, such as
# newrole, from transitioning to administrative
# user domains.
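Review bot: The new description for `secure_mode_setbool` misspells "Boolean" as "Booelan" and, unlike the `secure_mode_policyload` text just above it, does not say what setting it to true does or whether that can be undone without a reboot. This hunk also drops "changing boolean values" from the `secure_mode_policyload` description, so a reader who relied on that boolean alone to freeze boolean values gets no hint that the restriction is now a separate switch. I would correct the line to `# Boolean to determine whether the system permits setting Boolean values.` and add a second comment line noting that this was previously part of `secure_mode_policyload`. The commit title says these files are generated, so the wording presumably has to change in the boolean's description in the policy source rather than in this file.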
@@ -45,6 +49,12 @@ firstboot_manage_generic_user_content = false
firstboot_manage_all_user_content = false
#
+# Determine whether logrotate can manage
+# audit log files
+#
+logrotate_manage_audit_log = false
+
+#
# Determine whether logwatch can connect
# to mail over the network.
#
@@ -721,6 +731,11 @@ pan_manage_user_content = false
phpfpm_use_ldap = false
#
+# Allow phpfpm to send syslog messages
+#
+phpfpm_send_syslog_msg = false
+
+#
# Allow rtorrent to use dht.
# The correspondig port must be rtorrent_udp_port_t.
#
@@ -767,17 +782,6 @@ dbadm_manage_user_files = false
dbadm_read_user_files = false
#
-# Allow sysadm to debug or ptrace all processes.
-#
-allow_ptrace = false
-
-#
-# Allow sysadm to read/write to fifo files inherited from
-# a domain allowed to change role.
-#
-sysadm_allow_rw_inherited_fifo = false
-
-#
# Determine whether webadm can
# manage generic user files.
#
@@ -1086,6 +1090,12 @@ allow_httpd_bugzilla_script_anon_write = false
certbot_acmesh = false
#
+# Determine whether chronyd can access NIC hardware
+# timestamping features
+#
+chronyd_hwtimestamp = false
+
+#
# Determine whether clamscan can
# read user content files.
#
@@ -1221,14 +1231,6 @@ dhcpd_use_ldap = false
dovecot_can_connect_db = false
#
-# Determine whether the script domain can
-# modify public files used for public file
-# transfer services. Directories/Files must
-# be labeled public_content_rw_t.
-#
-allow_httpd_dspam_script_anon_write = false
-
-#
# Determine whether entropyd can use
# audio devices as the source for
# the entropy feeds.
@@ -1389,6 +1391,13 @@ git_system_use_cifs = false
git_system_use_nfs = false
#
+# Determine whether Git client domains
+# can manage all user home content,
+# including application-specific data.
+#
+git_client_manage_all_user_home_content = false
+
+#
# Determine whether the script domain can
# modify public files used for public file
# transfer services. Directories/Files must
@@ -1515,31 +1524,6 @@ openvpn_can_network_connect = false
pacemaker_startstop_all_services = false
#
-# Determine whether Polipo system
-# daemon can access CIFS file systems.
-#
-polipo_system_use_cifs = false
-
-#
-# Determine whether Polipo system
-# daemon can access NFS file systems.
-#
-polipo_system_use_nfs = false
-
-#
-# Determine whether calling user domains
-# can execute Polipo daemon in the
-# polipo_session_t domain.
-#
-polipo_session_users = false
-
-#
-# Determine whether Polipo session daemon
-# can send syslog messages.
-#
-polipo_session_send_syslog_msg = false
-
-#
# Determine whether postfix local
# can manage mail spool content.
#
@@ -1607,23 +1591,6 @@ allow_httpd_prewikka_script_anon_write = false
privoxy_connect_any = false
#
-# Determine whether rgmanager can
-# connect to the network using TCP.
-#
-rgmanager_can_network_connect = false
-
-#
-# Determine whether fenced can
-# connect to the TCP network.
-#
-fenced_can_network_connect = false
-
-#
-# Determine whether fenced can use ssh.
-#
-fenced_can_ssh = false
-
-#
# Determine whether gssd can read
# generic user temporary content.
#
@@ -1968,6 +1935,11 @@ zabbix_can_network = false
allow_zebra_write_config = false
#
+# Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+#
+authlogin_pam = true
+
+#
# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
#
authlogin_nsswitch_use_ldap = false
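Review bot: The comment added for `authlogin_pam` is missing a word ("read access /etc/shadow") and states the security-relevant part only in passing. By its own text, turning the boolean off lets the domains that normally use PAM read /etc/shadow directly. I would write `# Allow PAM usage. If disabled, read access to /etc/shadow is allowed for domains that normally use PAM.` so the consequence of changing the default of true is unambiguous. As this file appears to be generated, the fix presumably belongs in the boolean's description in the policy source.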
@@ -2034,6 +2006,12 @@ systemd_socket_proxyd_bind_any = false
systemd_socket_proxyd_connect_any = false
#
+# Allow systemd-tmpfilesd to populate missing configuration files from factory
+# template directory.
+#
+systemd_tmpfilesd_factory = false
+
+#
# Determine whether tmpfiles can manage
# all non-security sensitive resources.
# Without this, it is only allowed rights towards
diff --git a/policy/modules.conf b/policy/modules.conf
index 205c52fe..2a5a2aeb 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -173,13 +173,6 @@ backup = module
bacula = module
# Layer: admin
-# Module: bcfg2
-#
-# configuration management suite.
-#
-bcfg2 = module
-
-# Layer: admin
# Module: blueman
#
# Tool to manage Bluetooth devices.
@@ -229,13 +222,6 @@ chkrootkit = module
consoletype = module
# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information.
-#
-ddcprobe = module
-
-# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
@@ -636,13 +622,6 @@ livecd = module
loadkeys = module
# Layer: apps
-# Module: lockdev
-#
-# Library for locking devices.
-#
-lockdev = module
-
-# Layer: apps
# Module: man2html
#
# A Unix manpage-to-HTML converter.
@@ -1119,13 +1098,6 @@ acpi = module
afs = module
# Layer: services
-# Module: aiccu
-#
-# Automatic IPv6 Connectivity Client Utility.
-#
-aiccu = module
-
-# Layer: services
# Module: aisexec
#
# Aisexec Cluster Engine.
@@ -1238,13 +1210,6 @@ bugzilla = module
cachefilesd = module
# Layer: services
-# Module: callweaver
-#
-# PBX software.
-#
-callweaver = module
-
-# Layer: services
# Module: canna
#
# Kana-kanji conversion server.
@@ -1252,13 +1217,6 @@ callweaver = module
canna = module
# Layer: services
-# Module: ccs
-#
-# Cluster Configuration System.
-#
-ccs = module
-
-# Layer: services
# Module: certbot
#
# SSL certificate requesting tool certbot AKA letsencrypt.
@@ -1301,13 +1259,6 @@ cgroup = module
chronyd = module
# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon.
-#
-cipe = module
-
-# Layer: services
# Module: clamav
#
# ClamAV Virus Scanner.
@@ -1315,27 +1266,6 @@ cipe = module
clamav = module
# Layer: services
-# Module: clockspeed
-#
-# Clock speed measurement and manipulation.
-#
-clockspeed = module
-
-# Layer: services
-# Module: clogd
-#
-# Clustered Mirror Log Server.
-#
-clogd = module
-
-# Layer: services
-# Module: cmirrord
-#
-# Cluster mirror log daemon.
-#
-cmirrord = module
-
-# Layer: services
# Module: cobbler
#
# Cobbler installation server.
@@ -1469,13 +1399,6 @@ dbskk = module
dbus = module
# Layer: services
-# Module: dcc
-#
-# Distributed checksum clearinghouse spam filtering.
-#
-dcc = module
-
-# Layer: services
# Module: ddclient
#
# Update dynamic IP address at DynDNS.org.
@@ -1483,13 +1406,6 @@ dcc = module
ddclient = module
# Layer: services
-# Module: denyhosts
-#
-# SSH dictionary attack mitigation.
-#
-denyhosts = module
-
-# Layer: services
# Module: devicekit
#
# Devicekit modular hardware abstraction layer.
@@ -1560,13 +1476,6 @@ dovecot = module
drbd = module
# Layer: services
-# Module: dspam
-#
-# Content-based spam filter designed for multi-user enterprise systems.
-#
-dspam = module
-
-# Layer: services
# Module: entropyd
#
# Generate entropy from audio input.
@@ -1721,13 +1630,6 @@ hddtemp = module
hostapd = module
# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS.
-#
-howl = module
-
-# Layer: services
# Module: hypervkvp
#
# HyperV key value pair (KVP).
@@ -1756,13 +1658,6 @@ icecast = module
ifplugd = module
# Layer: services
-# Module: imaze
-#
-# iMaze game server.
-#
-imaze = module
-
-# Layer: services
# Module: inetd
#
# Internet services daemon.
@@ -1812,13 +1707,6 @@ isns = module
jabber = module
# Layer: services
-# Module: jockey
-#
-# Jockey driver manager.
-#
-jockey = module
-
-# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC.
@@ -1854,13 +1742,6 @@ knot = module
ksmtuned = module
# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon.
-#
-ktalk = module
-
-# Layer: services
# Module: l2tp
#
# Layer 2 Tunneling Protocol.
@@ -1917,13 +1798,6 @@ lsm = module
mailman = module
# Layer: services
-# Module: mailscanner
-#
-# E-mail security and anti-spam package for e-mail gateway systems.
-#
-mailscanner = module
-
-# Layer: services
# Module: mediawiki
#
# Open source wiki package written in PHP.
@@ -2120,13 +1994,6 @@ nut = module
nx = module
# Layer: services
-# Module: oav
-#
-# Open AntiVirus scannerdaemon and signature update.
-#
-oav = module
-
-# Layer: services
# Module: obex
#
# D-Bus service providing high-level OBEX client and server side functionality.
@@ -2246,13 +2113,6 @@ plymouthd = module
policykit = module
# Layer: services
-# Module: polipo
-#
-# Lightweight forwarding and caching proxy server.
-#
-polipo = module
-
-# Layer: services
# Module: portmap
#
# RPC port mapping service.
@@ -2358,13 +2218,6 @@ pwauth = module
pxe = module
# Layer: services
-# Module: pyicqt
-#
-# ICQ transport for XMPP server.
-#
-pyicqt = module
-
-# Layer: services
# Module: pyzor
#
# Pyzor is a distributed, collaborative spam detection and filtering network.
@@ -2456,20 +2309,6 @@ remotelogin = module
resmgr = module
# Layer: services
-# Module: rgmanager
-#
-# Resource Group Manager.
-#
-rgmanager = module
-
-# Layer: services
-# Module: rhcs
-#
-# Red Hat Cluster Suite.
-#
-rhcs = module
-
-# Layer: services
# Module: rhsmcertd
#
# Subscription Management Certificate Daemon.
@@ -2477,13 +2316,6 @@ rhcs = module
rhsmcertd = module
# Layer: services
-# Module: ricci
-#
-# Ricci cluster management agent.
-#
-ricci = module
-
-# Layer: services
# Module: rlogin
#
# Remote login daemon.