Control users' use of ping and traceroute
This template creates a derived domain which is allowed to change the linux user id, to run shells as a different user.
This template creates a derived domain which is allowed to change the linux user id, to run commands as a different user.
Execute CGI in the specified domain.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t.
Allow Apache to use mod_auth_pam
Allow httpd to use built-in scripting (usually PHP)
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow HTTPD scripts and modules to connect to databases over the network.
Allow httpd to act as a relay
Allow http daemon to send mail
Allow Apache to communicate with avahi service via dbus
Allow httpd cgi support
Allow httpd to act as a FTP server by listening on the ftp port.
Allow httpd to read home directories
Allow httpd daemon to change its resource limits
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
Unify HTTPD handling of all content files.
Allow httpd to access cifs file systems
Allow httpd to run gpg
Allow httpd to access nfs file systems
Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Allow cdrecord to read various content: nfs, samba, removable devices, user temp and untrusted content files
Allow clamd to use JIT compiler
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between lots of various commands and applications when rolling out new systems, and, in some cases, changing existing ones.
Allow Cobbler to modify public files used for public file transfer services.
Allow system cron jobs to relabel filesystem for restoring file contexts.
Enable extra rules in the cron domain to support fcron.
Allow cvs daemon to read shadow
Policy for DJB's daemontools
Change from the database administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow dbadm to manage files in users home directories
Allow dbadm to read files in users home directories
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
Allow DHCP daemon to use LDAP backends
Allow the use of the audio devices as the source for the entropy feeds
Allow exim to connect to databases (postgres, mysql)
Allow exim to read unprivileged user files.
Allow exim to create, read, write, and delete unprivileged user files.
Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
Allow ftp servers to use cifs used for public file transfer services.
Allow ftp servers to use nfs used for public file transfer services.
Allow ftp to read and write files in the user home directories
Allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
Allow sftp-internal to read and write files in the user home directories
Allow sftp-internal to login to local users and read/write all files on the system, governed by DAC.
Determine whether Git CGI can search home directories.
Determine whether Git CGI can access cifs file systems.
Determine whether Git CGI can access nfs file systems.
Determine whether calling user domains can execute Git daemon in the git_session_t domain.
Determine whether Git session daemons can send syslog messages.
Determine whether Git system daemon can search home directories.
Determine whether Git system daemon can access cifs file systems.
Determine whether Git system daemon can access nfs file systems.
Allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files.
Change from the guest role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Define the specified domain as an inetd service. The inetd_service_domain(), inetd_tcp_service_domain(), or inetd_udp_service_domain() interfaces should be used instead of this interface, as this interface only provides the common rules to these three interfaces.
This template creates derived domains which are used for Java applications.
Allow java executable stack
This policy supports:
Servers:
Clients:
Allow confined applications to run with kerberos.
Likewise Open is a free, open source application that joins Linux, Unix, and Mac machines to Microsoft Active Directory to securely authenticate users with their domain credentials.
This template creates a domain to be used for a new likewise daemon.
Use lpd server instead of cups
This template creates a domain to be used for a new mailman daemon.
This template creates derived domains which are used for Mono applications.
Allow confined web browsers to read home directory content
Allow mplayer executable stack
This template creates a derived domain which is a email transfer agent, which sends mail on behalf of the user.
This is the basic types and rules, common to the system agent and user agents.
A modified MTA mail server interface for the sendmail program. Its design does not fit well with policy, and using the regular interface causes a type_transition conflict if direct running of init scripts is enabled.
This interface should most likely only be used by the sendmail policy.
Execute send mail in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow mysqld to connect to all ports
Use the ypbind service to access NIS services unconditionally.
This interface was added because of apache and spamassassin, to fix a nested conditionals problem. When that support is added, this should be removed, and the regular interface should be used.
Allow the specified domain to use the ypbind service to access Network Information Service (NIS) services. Information that can be retrieved from NIS includes usernames, passwords, home directories, and groups. If the network is configured to have a single sign-on using NIS, it is likely that any program that does authentication will need this access.
Oident daemon is a server that implements the TCP/IP standard IDENT user identification protocol as specified in the RFC 1413 document.
Allow openvpn to read home directories
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
Template for portage sandbox. Portage does all compiling in the sandbox.
Allow the portage domains to use NFS mounts (regular nfs_t)
Allow pppd to load kernel modules for certain modems
Allow pppd to be run for a regular user
Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
Puppet is a configuration management system written in Ruby. The client daemon is responsible for periodically requesting the desired system state from the server and ensuring the state of the client system matches.
Allow Puppet client to manage all file types.
This template creates derived domains which are used for the qemu web browser.
This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.
Allow qemu to connect fully to the network
Allow qemu to use cifs/Samba file systems
Allow qemu to use serial/parallel communication ports
Allow qemu to use nfs file systems
Allow qemu to use usb devices
Create, read, write, and delete the mdadm pid files.
Added for use in the init module.
A distributed, collaborative, spam detection and filtering network.
This policy will work with either the ATrpms provided config file in /etc/razor, or with the default of dumping everything into $HOME/.razor.
Allow rgmanager domain to connect to the network using TCP.
Allow fenced domain to connect to the network using TCP.
This template creates a domain to be used for a new rpc daemon.
Allow gssd to read temp directory. For access to kerberos tgt.
Allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow rsync to export any files/directories read only.
Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow samba to create new home directories (e.g. via PAM)
Allow samba to act as the domain controller, add users, groups and change passwords.
Allow samba to share users home directories.
Allow samba to share any file/directory read only.
Allow samba to share any file/directory read/write.
Allow samba to run unconfined scripts
Allow samba to export NFS volumes.
Allow samba to export ntfs/fusefs volumes.
Execute samhain in the samhain domain with the clearance security level and allow the specified role the samhain domain.
The range_transition rule used in this interface requires that the calling domain should have the clearance security level otherwise the MLS constraint for process transition would fail.
This interface assumes that the calling domain has been able to remove an entry from /var/lib/ or /var/log/ and belongs to the mlsfilewrite attribute, since samhain files may be of clearance security level while their parent directories are of s0.
Allow confined virtual guests to manage nfs files
Allow confined virtual guests to manage cifs files
Allow sasl to read shadow
Enable additional permissions needed to support devices on 3ware controllers.
Allow user spamassassin clients to use the network.
Allow spamd to read/write user home directories.
Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
Allow squid to run as a transparent proxy (TPROXY)
Allow the Telepathy connection managers to connect to any generic TCP port.
Allow the Telepathy connection managers to connect to any network port.
Allow tftp to modify public files used for public file transfer services.
Linux target framework (tgt) aims to simplify various SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation and maintenance. Our key goals are the clean integration into the scsi-mid layer and implementing a great portion of tgt in user space.
Allow tor daemon to bind tcp sockets to all unreserved ports.
Tripwire file integrity checker.
NOTE: Tripwire creates temp file in its current working directory. This policy does not allow write access to home directories, so users will need to either cd to a directory where they have write permission, or set the TEMPDIRECTORY variable in the tripwire config file. The latter is preferable, as then the file_type_auto_trans rules will kick in and label the files as private to tripwire.
Policy for DJB's ucspi-tcpd
Allow varnishd to connect to all ports, not just HTTP.
Ignore vbetool mmap_zero errors.
Allow virt to use serial/parallel communication ports
Allow virt to read fuse files
Allow virt to manage nfs files
Allow virt to manage cifs files
Allow virt to manage device configuration, (pci)
Allow virt to use usb devices
Change from the web administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow webadm to manage files in users home directories
Allow webadm to read files in users home directories
This template creates derived domains which are used for Wine applications.
This template creates derived domains which are used for Wine applications.
Ignore wine mmap_zero errors.
This template creates derived domains which are used for window manager applications.
Allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images.
Allow xend to run qemu-dm. Not required if using paravirt and no vfb.
Allow xen to manage nfs files
Change from the xguest role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow xguest users to mount removable media
Allow xguest to configure Network Manager
Allow xguest to use Bluetooth devices
Allow zebra daemon to write its configuration files
Create an aliased type to generic bin files. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Allow the specified domain to execute generic programs in system bin directories (/bin, /sbin, /usr/bin, /usr/sbin) without a domain transition.
Typically, this interface should be used when the domain executes general system programs within the privileges of the source domain. Some examples of these programs are ls, cp, sed, python, and tar. This does not include shells, such as bash.
Related interface:
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Allow the specified domain to execute shells without a domain transition.
Typically, this interface should be used when the domain executes shells within the privileges of the source domain. Some examples of these programs are bash, tcsh, and zsh.
Related interface:
Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Execute a shell in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Define type to be a network port type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define network type to be a reserved port (< 1024)
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define network type to be an RPC port (512 < PORT < 1024)
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network node type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network client packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network server packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Allow the specified domain to send and receive TCP network traffic on generic network interfaces.
Related interface:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myclient_t)
corenet_tcp_sendrecv_generic_node(myclient_t)
corenet_tcp_sendrecv_all_ports(myclient_t)
corenet_tcp_connect_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive UDP network traffic on generic network interfaces.
Related interface:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_generic_if(myclient_t)
corenet_udp_sendrecv_generic_node(myclient_t)
corenet_udp_sendrecv_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive TCP network traffic to/from generic network nodes (hostnames/networks).
Related interface:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myclient_t)
corenet_tcp_sendrecv_generic_node(myclient_t)
corenet_tcp_sendrecv_all_ports(myclient_t)
corenet_tcp_connect_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive UDP network traffic to/from generic network nodes (hostnames/networks).
Related interface:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_generic_if(myclient_t)
corenet_udp_sendrecv_generic_node(myclient_t)
corenet_udp_sendrecv_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Bind TCP sockets to generic nodes. This is necessary for binding a socket so it can be used for servers to listen for incoming connections.
Related interface:
Bind UDP sockets to generic nodes. This is necessary for binding a socket so it can be used for servers to listen for incoming connections.
Related interface:
Send and receive TCP network traffic on all ports. Related interfaces:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myclient_t)
corenet_tcp_sendrecv_generic_node(myclient_t)
corenet_tcp_sendrecv_all_ports(myclient_t)
corenet_tcp_connect_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Send and receive UDP network traffic on all ports. Related interfaces:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_generic_if(myclient_t)
corenet_udp_sendrecv_generic_node(myclient_t)
corenet_udp_sendrecv_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Connect TCP sockets to all ports
Related interfaces:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myclient_t)
corenet_tcp_sendrecv_generic_node(myclient_t)
corenet_tcp_sendrecv_all_ports(myclient_t)
corenet_tcp_connect_all_ports(myclient_t)
corenet_all_recvfrom_unlabeled(myclient_t)
Send and receive messages on a non-encrypted (no IPSEC) network session. (Deprecated)
The corenet_all_recvfrom_unlabeled() interface should be used instead of this one.
Do not audit attempts to send and receive messages on a non-encrypted (no IPSEC) network session.
The corenet_dontaudit_all_recvfrom_unlabeled() interface should be used instead of this one.
Allow the specified domain to receive packets from an unlabeled connection. On machines that do not utilize labeled networking, this will be required on all networking domains. On machines that do utilize labeled networking, this will be required for any networking domain that is allowed to receive network traffic that does not have a label.
Allow the specified domain to receive NetLabel network traffic, which utilizes the Commercial IP Security Option (CIPSO) to set the MLS level of the network packets. This is required for all networking domains that receive NetLabel network traffic.
Rules for receiving labeled TCP packets.
Due to the nature of TCP, this is bidirectional.
Rules for receiving labeled packets via TCP, UDP and raw IP.
Due to the nature of TCP, the rules (for TCP networking only) are bidirectional.
Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.
This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.
This module creates the concept of a device node. That is a char or block device file, usually in /dev. All types that are used to label device nodes should use the dev_node macro.
Additionally, this module controls access to three things:
Make the specified type usable for device nodes in a filesystem. Types used for device nodes that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running.
Example:
type mydev_t;
dev_node(mydev_t)
allow mydomain_t mydev_t:chr_file read_chr_file_perms;
Related interfaces:
Read the memory type range registers (MTRR). This interface has been deprecated, dev_rw_mtrr() should be used instead.
The MTRR device ioctls can be used for reading and writing; thus, read access to the device cannot be separated from write access.
Write the memory type range registers (MTRR). This interface has been deprecated, dev_rw_mtrr() should be used instead.
The MTRR device ioctls can be used for reading and writing; thus, write access to the device cannot be separated from read access.
Allow the specified domain to read from random number generator devices (e.g., /dev/random). Typically this is used in situations when a cryptographically secure random number is needed.
Related interface:
Allow the specified domain to read the contents of the sysfs filesystem. This filesystem contains information, parameters, and other settings on the hardware installed on the system.
Allow the specified domain to read from pseudo random number generator devices (e.g., /dev/urandom). Typically this is used in situations when a cryptographically secure random number is not necessarily needed. One example is the Stack Smashing Protector (SSP, formerly known as ProPolice) support that may be compiled into programs.
Related interface:
Related tunable:
Make the specified type usable as a basic domain.
This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.
Make the specified type usable as a domain. This, or an interface that calls this interface, must be used on all types that are used as domains.
Related interfaces:
Example:
type mydomain_t;
domain_type(mydomain_t)
type myfile_t;
files_type(myfile_t)
allow mydomain_t myfile_t:file read_file_perms;
Allow the specified domain to perform dynamic transitions.
This violates process tranquility, and it is strongly suggested that this not be used.
Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.
Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.
Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.
Allow the specified domain to inherit and use file descriptors from domains with interactive programs. This does not allow access to the objects being referenced by the file descriptors.
Do not audit attempts to ptrace all domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Do not audit attempts to ptrace confined domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Get the attributes of all domains sockets, for all socket types.
This is commonly used for domains that can use lsof on all domains.
Do not audit attempts to get the attributes of all domains sockets, for all socket types.
This interface was added for PCMCIA cardmgr and is probably excessive.
Get the attributes of all domains unnamed pipes.
This is commonly used for domains that can use lsof on all domains.
Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
This module contains basic filesystem types and interfaces. This includes:
Make the specified type usable for files in a filesystem. Types used for files that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running. If the type is used for device nodes (character or block files), then the dev_node() interface is more appropriate.
Related interfaces:
Example:
type myfile_t;
files_type(myfile_t)
allow mydomain_t myfile_t:file read_file_perms;
Make the specified type usable for runtime process ID files, typically found in /var/run. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a PID file type may result in problems with starting or stopping services.
Related interfaces:
Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:
type mypidfile_t;
files_pid_file(mypidfile_t)
allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
files_pid_filetrans(mydomain_t, mypidfile_t, file)
Make the specified type usable for configuration files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a configuration file may result in problems with configuration management tools.
Example usage with a domain that can read its configuration file in /etc:
type myconffile_t;
files_config_file(myconffile_t)
allow mydomain_t myconffile_t:file read_file_perms;
files_search_etc(mydomain_t)
Make the specified type usable for temporary files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with purging temporary files.
Related interfaces:
Example usage with a domain that can create and write its temporary file in the system temporary file directories (/tmp or /var/tmp):
type mytmpfile_t;
files_tmp_file(mytmpfile_t)
allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
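The networking examples under the corenet interfaces and the file-type examples above each show one interface in isolation. The following policy module puts them together for a hypothetical network daemon. This is an added example, not a module from the reference policy: the daemon name myapp and every myapp_* type are assumptions, init_daemon_domain() is used as the interface that calls domain_type() for a service started by init, and the http port interface stands in for whatever port type the real service would bind.

```selinux
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical daemon domain and its entry-point executable.
# init_daemon_domain() makes myapp_t a domain (via domain_type())
# and myapp_exec_t its entry point, so init transitions into it.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private file types: each interface also marks the type as a
# file type, so files_type() is not needed separately.
type myapp_conf_t;
files_config_file(myapp_conf_t)

type myapp_var_run_t;
files_pid_file(myapp_var_run_t)

type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)

########################################
#
# Local policy
#

# Read only our own configuration under /etc; generic /etc files
# (including /etc/passwd) are not granted.
allow myapp_t myapp_conf_t:file read_file_perms;
files_search_etc(myapp_t)

# Create the PID file in /var/run; the filetrans rule gives it the
# private type instead of the generic PID file type.
allow myapp_t myapp_var_run_t:file { create_file_perms write_file_perms };
files_pid_filetrans(myapp_t, myapp_var_run_t, file)

# Scratch files in /tmp or /var/tmp are labeled with the private type.
allow myapp_t myapp_tmp_t:file { create_file_perms write_file_perms };
files_tmp_filetrans(myapp_t, myapp_tmp_t, file)

# TCP server: own sockets, generic interfaces and nodes, bind for
# listening, and one port type rather than all ports.
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(myapp_t)
corenet_tcp_sendrecv_generic_node(myapp_t)
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_http_port(myapp_t)   # assumption: port type of the real service
corenet_all_recvfrom_unlabeled(myapp_t)
corenet_all_recvfrom_netlabel(myapp_t)

# Pseudo random numbers (the /dev/urandom interface described above).
dev_read_urand(myapp_t)
```

Compared with the myclient_t example under the corenet interfaces, this module omits corenet_tcp_connect_all_ports() and corenet_tcp_sendrecv_all_ports() and binds a single port type: a daemon that only listens on one service port has no reason to reach every port. The accompanying file contexts file (not shown) would label the executable as myapp_exec_t, its configuration as myapp_conf_t and its PID file path as myapp_var_run_t so the rules above apply to the right objects.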
Allow shared library text relocations in all files.
This is added to support WINE policy.
Allow the specified domain to read generic files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:
This interface does not include access to /etc/shadow.
Generally, it is safe for many domains to have this access. However, since this interface provides access to the /etc/passwd file, caution must be exercised, as user account names can be leaked through this access.
Related interfaces:
Create a boot flag, such as /.autorelabel and /.autofsck.
Delete a boot flag, such as /.autorelabel and /.autofsck.
Allow the specified domain to read dynamically created configuration files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:
This interface does not include access to /etc/shadow.
Allow the specified domain to read generic files in /usr. These files are various program files that do not have more specific SELinux types. Some examples of these files are:
Generally, it is safe for many domains to have this access.
Search the /var/lib directory. This is necessary to access files or directories under /var/lib that have a private type. For example, a domain accessing a private library file in the /var/lib directory:
allow mydomain_t mylibfile_t:file read_file_perms;
files_search_var_lib(mydomain_t)
Create an object in the process ID directory (e.g., /var/run) with a private type. Typically this is used for creating private PID files in /var/run with the private type instead of the general PID file type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:
type mypidfile_t;
files_pid_file(mypidfile_t)
allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
files_pid_filetrans(mydomain_t, mypidfile_t, file)
Allow the specified domain to get the attributes of a persistent filesystems which have extended attributes, such as ext3, JFS, or XFS. Example attributes:
Register an interpreter for new binary file types, using the kernel binfmt_misc support.
A common use for this is to register a JVM as an interpreter for Java byte code. Registered binaries can be directly executed on a command line without specifying the interpreter.
Execute a file on a CIFS or SMB filesystem in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle home directories on CIFS/SMB filesystems, in particular used by the ssh-agent policy.
Read eventpollfs files
This interface has been deprecated, and will be removed in the future.
Execute a file on a NFS filesystem in the specified domain. This allows the specified domain to execute any file on a NFS filesystem in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle home directories on NFS filesystems, in particular used by the ssh-agent policy.
Allow the specified domain to get the attributes of all filesystems. Example attributes:
Allow the specified domain to request that the kernel load a kernel module. An example of this is the auto-loading of network drivers when doing an ioctl() on a network interface.
In the specific case of a module loading request on a network interface, the domain will also need the net_admin capability.
Allow the specified domain to read (follow) generic symbolic links (symlinks) in the proc filesystem (/proc). This interface does not include access to the targets of these links. An example symlink is /proc/self.
Allow the specified domain to read general system state information from the proc filesystem (/proc).
Generally it should be safe to allow this access. Some example files that can be read based on this interface:
This does not allow access to sysctl entries (/proc/sys/*) nor process state information (/proc/pid).
Allow the specified domain to read the networking state information. This includes several pieces of networking information, such as network interface names, netfilter (iptables) statistics, protocol information, routes, and remote procedure call (RPC) information.
Allow the specified domain to read general kernel sysctl settings. These settings are typically read using the sysctl program. The settings that are included by this interface are prefixed with "kernel.", for example, kernel.sysrq.
This does not include access to the hotplug handler setting (kernel.hotplug) nor the module installer handler setting (kernel.modprobe).
Related interfaces:
Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.
The corenetwork interface corenet_non_ipsec_sendrecv() should be used instead of this one.
Do not audit attempts to send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.
The corenetwork interface corenet_dontaudit_non_ipsec_sendrecv() should be used instead of this one.
Receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_tcp_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() should be used instead of this one.
Receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_udp_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() should be used instead of this one.
Receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() should be used instead of this one.
Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.
The corenetwork interface corenet_sendrecv_unlabeled_packets() should be used instead of this one.
Receive packets from an unlabeled peer; these packets do not have any peer labeling information present.
The corenetwork interface corenet_recvfrom_unlabeled_peer() should be used instead of this one.
Do not audit attempts to receive packets from an unlabeled peer; these packets do not have any peer labeling information present.
The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() should be used instead of this one.
Disable kernel module loading.
This module contains interfaces for handling multilevel security. The interfaces allow the specified subjects and objects to be allowed certain privileges in the MLS rules.
Make specified domain MLS trusted for reading from files at all levels.
This interface has been deprecated, please use mls_file_read_all_levels() instead.
Make specified domain MLS trusted for writing to files at all levels.
This interface has been deprecated, please use mls_file_write_all_levels() instead.
Make specified domain MLS trusted for reading from processes at all levels.
This interface has been deprecated, please use mls_process_read_all_levels() instead.
Make specified domain MLS trusted for writing to processes at all levels.
This interface has been deprecated, please use mls_process_write_all_levels() instead.
Make specified object MLS trusted. This allows all levels to read and write the object.
This currently only applies to filesystem objects, for example, files and directories.
Make the specified type used for labeling SELinux Booleans.
This makes use of genfscon statements, which are only available in the base module. Thus any module which calls this interface must be included in the base module.
Allow caller to set the mode of policy enforcement (enforcing or permissive mode).
Since this is a security event, this action is always audited.
Allow caller to set the state of Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
This interface has been deprecated. Please use selinux_set_generic_booleans() or selinux_set_all_booleans() instead.
Allow caller to set the state of generic Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
Allow caller to set the state of all Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
Allow caller to set SELinux access vector cache parameters. This allows the domain to set performance-related parameters of the AVC, such as the cache threshold.
Since this is a security event, this action is always audited.
Calculate the context for relabeling objects. This is determined by using the type_change rules in the policy, and is generally used for determining the context for relabeling a terminal when a user logs in.
Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back.
Constrain the specified type by user-based access control (UBAC). Typically, these are user processes or user files that need to be differentiated by SELinux user. Normally this does not include administrative or privileged programs. For the UBAC rules to be enforced, both the subject (source) type and the object (target) types must be UBAC constrained.
Change from the audit administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the log administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the security administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the staff role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the system administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to execute all entrypoint files in a specified domain. This is an explicit transition, requiring the caller to use setexeccon().
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to execute a generic bin program in a specified domain.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to debug or ptrace all processes.
Change from the generic user role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow unprivileged users to execute DDL statements.
Allow transmitting the client label to a foreign database.
Allow database admins to execute DML statements.
This template creates derived domains which are used for ssh client sessions. A derived type is also created to protect the user ssh keys.
This template was added for NX.
This template creates domains to be used for creating an ssh server. This is typically done to have multiple ssh servers of different sensitivities, such as an internal network-facing ssh server and an external network-facing ssh server.
Allow host key based authentication.
Allow ssh logins as sysadm_r:sysadm_t
Read user fonts, user font configuration, and manage the user font cache.
This is a templated interface, and should only be called from a per-userdomain template.
Execute an Xsession in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allows clients to write to the X server shared memory segments.
Allow xdm logins as sysadm
Support X userspace object manager
Create a domain for applications. Typically these are programs that are run interactively.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
Make the specified type usable as a login file. This type has restricted modification capabilities when used with other interfaces that permit files_type access. The default type has properties similar to that of the shadow file. This will also make the type usable as a security file, making calls to files_security_file() redundant.
Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.
Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.
Allow the specified domain to look up user, password, group, or host information using the name service. The most common use of this interface is for services that do host name resolution (usually DNS resolution).
Unconfined access to the authlogin module.
Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.
Allow users to resolve user passwd entries directly from ldap rather than using an sssd server.
Create a file type used for init scripts. It cannot be used in conjunction with init_script_domain(). These script files are typically stored in the /etc/init.d directory.
Typically this is used to constrain what services an admin can start/stop. For example, a policy writer may want to constrain a web administrator to only being able to restart the web server, not other services. This special type will help address that goal.
This also makes the type usable for files; thus an explicit call to files_type() is redundant.
Create a domain used for init scripts. It cannot be used in conjunction with init_script_file().
Create a domain for long running processes (daemons/services) which are started by init scripts. Short running processes should use the init_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the process must also run in a specific MLS/MCS level, the init_ranged_daemon_domain() should be used instead.
Create a domain for long running processes (daemons/services) which are started by init scripts, running at a specified MLS/MCS range. Short running processes should use the init_ranged_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_daemon_domain().
Create a domain for short running processes which are started by init scripts. These are generally applications that are used to initialize the system during boot. Long running processes, such as daemons/services should use the init_daemon_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the process must also run in a specific MLS/MCS level, the init_ranged_system_domain() should be used instead.
Create a domain for short running processes which are started by init scripts, running at a specified MLS/MCS range. These are generally applications that are used to initialize the system during boot. Long running processes, such as daemons/services, should use the init_ranged_daemon_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_system_domain().
This is only applicable to Gentoo or distributions that use the OpenRC init system.
The OpenRC /sbin/rc binary is used for both init scripts as well as management applications and tools. When used for management purposes, calling /sbin/rc should never cause a transition to initrc_t.
Allow the specified domain to inherit file descriptors from the init program (process ID 1). Typically the only file descriptors to be inherited from init are for the console. This does not allow the domain any access to the objects to which the file descriptors refer.
Related interfaces:
Example usage:
init_use_fds(mydomain_t)
term_use_console(mydomain_t)
Normally, processes that can inherit these file descriptors (usually services) write messages to the system log instead of writing to the console. Therefore, in many cases, this access should be dontaudited instead.
Example dontaudit usage:
init_dontaudit_use_fds(mydomain_t)
term_dontaudit_use_console(mydomain_t)
Execute an init script in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Start and stop daemon programs directly in the traditional "/etc/init.d/daemon start" style, and do not require run_init.
Read and write the init script pty. This pty is generally opened by the open_init_pty portion of the run_init program so that the daemon does not require direct access to the administrator terminal.
Enable support for upstart as the init program.
Allow racoon to read shadow
Do not audit attempts to write to library directories. Typically this is used to quiet attempts to recompile python byte code.
Create an object in lib directories, with the shared libraries type using a type transition. (Deprecated)
lib_filetrans_shared_lib() should be used instead.
Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.
Related interfaces:
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
type mylogfile_t;
logging_log_file(mylogfile_t)
allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydomain_t, mylogfile_t, file)
Allow the specified domain to connect to the system log service (syslog), to send messages to be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.
This does not allow messages to be sent to the auditing system.
Programs which use the libc function syslog() will require this access.
Related interfaces:
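The PID file, log file, syslog and init file descriptor interfaces described above fit together in one daemon module. The following is an added example for a hypothetical daemon named "mydaemon" (all mydaemon_* type names are assumptions), not a module from the reference policy itself; it also assumes init_daemon_domain() and logging_send_syslog_msg() as the interfaces behind the daemon-domain and syslog descriptions above.

```selinux
# Added example, not part of the reference policy. Module and type names
# (mydaemon, mydaemon_t, mydaemon_exec_t, mydaemon_var_run_t, mydaemon_log_t)
# are hypothetical.
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations
#

# Process domain and its entrypoint executable type. init_daemon_domain()
# already makes these usable as a domain and a file, so domain_type() and
# files_type() would be redundant here.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private PID file type. Because it is distinct from the generic PID file
# type, other domains that may touch generic PID files cannot reach this one.
type mydaemon_var_run_t;
files_pid_file(mydaemon_var_run_t)

# Private log file type. logging_log_file() also marks it as a log file so
# log rotation and monitoring policy keeps working on it.
type mydaemon_log_t;
logging_log_file(mydaemon_log_t)

########################################
#
# Local policy
#

# Create and write the PID file. The filetrans rule makes the kernel label a
# new file created in /var/run with mydaemon_var_run_t, so the daemon itself
# does not need to be SELinux-aware.
allow mydaemon_t mydaemon_var_run_t:file { create_file_perms write_file_perms };
files_pid_filetrans(mydaemon_t, mydaemon_var_run_t, file)

# Create and append to the log file; append rather than write, so the domain
# cannot rewrite or truncate its own history. New files in /var/log get the
# private type on creation.
allow mydaemon_t mydaemon_log_t:file { create_file_perms append_file_perms };
logging_log_filetrans(mydaemon_t, mydaemon_log_t, file)

# Messages also go to syslog via the libc syslog() call. This does not
# grant access to the audit system.
logging_send_syslog_msg(mydaemon_t)

# The daemon logs instead of writing to the console, so the file descriptors
# inherited from init are silenced rather than allowed.
init_dontaudit_use_fds(mydaemon_t)
term_dontaudit_use_console(mydaemon_t)
```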
Make the specified type usable for cert files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a cert file type may result in problems with cert management tools.
Related interfaces:
Example:
type mycertfile_t;
cert_type(mycertfile_t)
allow mydomain_t mycertfile_t:file read_file_perms;
files_search_etc(mydomain_t)
Allow the specified domain to read the localization files. This is typically for time zone configuration files, such as /etc/localtime and files in /usr/share/zoneinfo. Typically, any domain which needs to know the GMT/UTC offset of the current timezone will need access to these files. Generally, it should be safe for any domain to read these files.
Allow the mount domain to send nfs requests for mounting network drives.
This interface has been deprecated as these rules were a side effect of leaked mount file descriptors. This interface has no effect.
Allow the mount command to mount any directory or file.
Allow the specified domain to send a SIGCHLD signal to newrole. This signal is automatically sent from a process that is terminating to its parent. This may be needed by domains that are executed from newrole.
Execute init scripts in the run_init domain. This is used for the Gentoo integrated run_init.
Execute init scripts in the run_init domain, and allow the specified role the run_init domain, and use the caller's terminal.
This is used for the Gentoo integrated run_init.
Create, read, write, and delete the general selinux configuration files.
This interface has been deprecated, please use the seutil_manage_config() interface instead.
SELinux-enabled programs are typically linked to the libselinux library. This interface will allow access required for the libselinux constructor to function.
SELinux-enabled programs are typically linked to the libselinux library. This interface will dontaudit access required for the libselinux constructor to function.
Generally this should not be used on anything but simple SELinux-enabled programs that do not rely on data initialized by the libselinux constructor.
Allow the specified domain to read the general network configuration files. A common example of this is the /etc/resolv.conf file, which has domain name system (DNS) server IP addresses. Typically, most networking processes will require the access provided by this interface.
Higher-level interfaces which involve networking will generally call this interface, for example:
Create DHCP state data.
This is added for DHCP server, as the server and client put their state files in the same directory.
Allow the specified domain to read the udev device table.
Make the specified domain unconfined and audit executable heap usage. With the exception of memory protections, using this interface gives the domain the same level of access it would have if SELinux were not in use.
Only completely trusted domains should use this interface.
Add an alias type to the unconfined domain. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Add an alias type to the unconfined execmem program file type. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Allow unconfined to execute the specified program in the specified domain.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow unconfined to execute the specified program in the specified domain. Allow the specified domain the unconfined role and use of unconfined user terminals.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Do not audit attempts to read or write unconfined domain tcp sockets.
This interface was added due to a broken symptom in ldconfig.
The template containing the most basic rules common to all users.
This template creates a user domain, types, and rules for the user's tty and pty.
Allow a home directory for which the role has read-only access.
This does not allow execute access.
Allow a home directory for which the role has full access.
This does not allow execute access.
Role access for the user tmpfs type, to which the user has full access.
This does not allow execute access.
This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The template for creating an unprivileged xwindows login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The template for creating an unprivileged user roughly equivalent to a regular linux user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Create objects in a user home directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Do not audit attempts to search user home directories. This will suppress SELinux denial messages when the specified domain is denied the permission to search these directories.
Do a domain transition to the specified domain when executing a program in the user home directory.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow the specified domain to read and write user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.
However, this also allows the applications to spy on user sessions or inject information into the user session. Thus, this access should likely not be allowed for non-interactive domains.
Do not audit attempts to inherit the file descriptors from unprivileged user domains. This will suppress SELinux denial messages when the specified domain is denied the permission to inherit these file descriptors.
Allow users to connect to mysql
Allow users to connect to PostgreSQL
Allow regular users direct mouse access
Allow users to read system messages.
Allow users to read/write files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY).
Allow w to display everyone
Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.
Allow unconfined executables to map a memory region as both executable and writable. This is dangerous and the executable should be reported in bugzilla.
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t.
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla.
Enable polyinstantiated directory support.
Allow system to run with NIS
Allow logging in and using the system from /dev/console.
Enable reading of urandom for all domains.
This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.
Allow email client to read various content: nfs, samba, removable devices, and user temp files.
Allow any files/directories to be exported read/write via NFS.
Allow any files/directories to be exported read/only via NFS.
Support NFS home directories
Support SAMBA home directories
Allow users to run TCP servers (bind to ports and accept connections from the same domain and outside users). Disabling this forces FTP passive mode and may change other protocols.
Enabling secure mode disallows programs, such as newrole, from transitioning to administrative user domains.