This module contains basic filesystem types and interfaces. This includes:

- The concept of different file types including basic files, mount points, tmp files, etc.
- Access to groups of files and all files.
- Types and interfaces for the basic filesystem layout (/, /etc, /tmp, /usr, etc.).

This module is required to be included in all policies.
Create an aliased type to etc_t files. This is added to remove types that should have been etc_t.

Parameter: | Description: | Optional: |
---|---|---|
domain | Alias type for etc_t. | No |

Create an aliased type to etc_runtime_t files. This is added to remove types that should have been etc_runtime_t.

Parameter: | Description: | Optional: |
---|---|---|
domain | Alias type for etc_runtime_t. | No |
Allow the specified type to associate to a filesystem with the type of the temporary directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to associate. | No |

Create a private type object in /boot with an automatic type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
private_type | The type of the object to be created. | No |
object_class | The object class of the object being created. | No |

Make the specified type a configuration file.

Parameter: | Description: | Optional: |
---|---|---|
file_type | Type to be used as a configuration file. | No |

Create directories in /boot.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create a boot flag, such as /.autorelabel and /.autofsck.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Install a kernel into the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Install a system.map into the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete all lock files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete all process ID directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete all process ID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete system configuration files in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete a kernel from /boot.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete kernel module files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete a system.map in the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Remove entries from the root directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Do not audit attempts to get the attributes of all directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all named pipes.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all named sockets.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all tmp named sockets (sock_file).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of directories with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of files with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of the home directories root (/home).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security block devices.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security character devices.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security named pipes.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security named sockets.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of non-security symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of the /var/run directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to get the attributes of the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to get the attributes of all tmp files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to ioctl daemon runtime data files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to list the contents of directories with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to list the home directories root (/home).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to list all non-security directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to list the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read all symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read files with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read files in /etc that are dynamically created on boot, such as mtab.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read files in the root directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read or write character device nodes in the root directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to read or write files in the root directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to add and remove entries from /usr directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the contents of any directories on extended attribute filesystems.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the home directories root (/home).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search directories on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the locks directory (/var/lock).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the /var/run directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search generic spool directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search /usr/src.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to search the contents of /var.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to write to daemon runtime data files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to write generic files in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |

Do not audit attempts to write to /var.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Create a core file in /.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create objects in /etc with a private type using a type_transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
file_type | Private file type. | No |
class | Object classes to be created. | No |
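The private-type-plus-type_transition pattern above is the usual way to keep a daemon's own files under /etc out of the generic etc_t type, so that a domain allowed to write generic /etc files cannot alter them. The following policy module is an added example, not code from the page or from the reference policy itself: the domain mydaemon_t, its executable type and the private type mydaemon_etc_t are hypothetical, and the interface names used (files_config_file, files_read_etc_files, files_etc_filetrans) are the reference policy's names as I know them, which this page lists only by description, so confirm them against the installed files.if before building.

```selinux
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations (hypothetical domain and private config type)
#

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private type for the files this daemon creates under /etc.
# files_config_file() marks it as a configuration file (and gives it
# the generic file_type attribute), so policy that reads or relabels
# "all configuration files" covers it without naming it.
type mydaemon_etc_t;
files_config_file(mydaemon_etc_t)

########################################
#
# Local policy
#

# Full access to its own private type only.
manage_files_pattern(mydaemon_t, mydaemon_etc_t, mydaemon_etc_t)
manage_lnk_files_pattern(mydaemon_t, mydaemon_etc_t, mydaemon_etc_t)

# Traverse etc_t directories and read the generic files there.
files_read_etc_files(mydaemon_t)

# Automatic type transition: a file or symlink mydaemon_t creates in an
# etc_t directory is labeled mydaemon_etc_t instead of inheriting etc_t
# from the parent directory. Without this rule the new object would be
# generic etc_t, readable and writable by every domain that has generic
# /etc write access, and the private type would protect nothing.
files_etc_filetrans(mydaemon_t, mydaemon_etc_t, { file lnk_file })

# A matching file context entry (in the module's .fc file, not shown)
# is still needed so that a relabel of /etc restores the private type,
# e.g.:  /etc/mydaemon(/.*)?  gen_context(system_u:object_r:mydaemon_etc_t,s0)
```

After loading the module, `ls -Z /etc/mydaemon*` should show mydaemon_etc_t on objects the daemon created at run time, and `sesearch -T -s mydaemon_t -t etc_t` lists the type_transition rule the interface generated; if a file still shows etc_t, the creating process was not running as mydaemon_t or the object class was not one of those passed to the interface.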
Create etc runtime objects with an automatic type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
object | The class of the object being created. | No |

Execute generic files in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute generic programs in /usr in the caller domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Execute programs in /usr/src in the caller domain.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Allow shared library text relocations in all files. This is added to support WINE in the targeted policy. It has no effect on the strict policy.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of all directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all filesystems.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all mount points.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all named pipes.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all named sockets.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of all symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Allow attempts to get the attributes of all tmp files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of directories with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of generic lock files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of the home directories root (/home).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of directories on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of kernel module files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of lost+found directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of files in /usr.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of files in /usr/src.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Get the attributes of the /var/lib directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create objects in /home with a private type using a type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
home_type | The private type. | No |
object | The class of the object being created. | No |

Create objects in the kernel module directories with a private type via an automatic type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
private_type | The type of the object to be created. | No |
object_class | The object class of the object being created. | No |

List the contents of all directories on extended attribute filesystems.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of directories with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of /etc directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of home directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of directories on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of the kernel module directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List all non-security directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of the runtime process ID directories (/var/run).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of the root directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of generic spool (/var/spool) directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read (list) the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of generic directories in /usr.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of /var.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List the contents of the /var/lib directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

List world-readable directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified type usable for lock files.

Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used for lock files. | No |

Create an object in the locks directory with a private type using a type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
private_type | The type of the object to be created. | No |
object | The object class of the object being created. | No |

Manage all files on the filesystem, except the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Create, read, write, and delete files in the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete symbolic links in the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete generic files in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete files in /etc that are dynamically created on boot, such as mtab.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete symbolic links in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete generic lock files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete generic spool files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete generic spool directories (/var/spool).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Manage temporary directories in /tmp.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |

Manage temporary files and directories in /tmp.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |

Create, read, write, and delete block device nodes on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete character device nodes on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete directories on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete files on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete symbolic links on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete kernel module files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete objects in lost+found directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete directories in /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete files in /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete symbolic links in /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow the domain to manage mount tables necessary for rpcd, nfsd, etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Allow the domain to manage any directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete the pseudorandom number generator seed.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete files in the /usr directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete directories in the /var directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete files in the /var directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Create, read, write, and delete symbolic links in the /var directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount all filesystems with the type of a file.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on all mount points.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount filesystems on all polyinstantiation member directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on a directory with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on a directory on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on /mnt.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on all non-security directories.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Mount a filesystem on all non-security directories and files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Make the specified type usable for filesystem mount points.

Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used for mount points. | No |

Make the specified type usable for runtime process ID files.

Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used for PID files. | No |

Create an object in the process ID directory with a private type using a type transition.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
private_type | The type of the object to be created. | No |
object | The object class of the object being created. | No |

Make the specified type a polyinstantiated directory.

Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to be used as a polyinstantiated directory. | No |

Make the specified type a polyinstantiation member directory.

Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to be used as a member directory. | No |

Make the domain use the specified type of polyinstantiated directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain using the polyinstantiated directory. | No |
file_type | Type of the file to be used as a member directory. | No |

Make the specified type a parent of a polyinstantiated directory.

Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to be used as a parent directory. | No |

Allow access to manage all polyinstantiated directories on the system.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Delete the contents of /tmp.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read all block device nodes with file types.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all character device nodes with file types.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all directories on the filesystem, except the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read all files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all files on the filesystem, except the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read all lock files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all process ID files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all symbolic links on the filesystem, except the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |

Read all tmp files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read named pipes with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read sockets with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read symbolic links with the default file type.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read generic files in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files in /etc that are dynamically created on boot, such as mtab.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read symbolic links in /etc.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read generic spool files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files in the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read symbolic links in the tmp directory (/tmp).

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files on new filesystems that have not yet been labeled.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read kernel files in the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read kernel module files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read system.map in the /boot directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read all non-security files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read generic files in /usr.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files in /usr/src.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read symbolic links in /usr.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read files in the /var directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read generic files in /var/lib.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read generic symbolic links in /var/lib.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read symbolic links in the /var directory.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read world-readable files.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read world-readable named pipes.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read world-readable sockets.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Read world-readable symbolic links.

Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |

Relabel all files on the filesystem, except the listed exceptions.

Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the domain performing this action. | No |
exception_types | The types to be excluded. Each type or attribute must be negated by the caller. | Yes |
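The "except the listed exceptions" interfaces (manage all files, read all directories, read all files, read all symbolic links, relabel all files) share one trap noted in their parameter tables: the exception argument is spliced verbatim into a type set, so every excluded type or attribute must carry its own leading minus sign. The following module is an added example for a backup domain, not code from the page or from the reference policy: the domain mybackup_t and its executable type are hypothetical, and the interface names files_read_all_files, files_read_all_dirs_except, files_read_all_symlinks_except and files_relabel_all_files are the reference policy's names as I know them (this page lists interfaces only by description), so check them against the installed files.if.

```selinux
policy_module(mybackup, 1.0.0)

########################################
#
# Declarations (hypothetical backup domain)
#

type mybackup_t;
type mybackup_exec_t;
init_daemon_domain(mybackup_t, mybackup_exec_t)

# Types and attributes this domain must never touch, pulled in from the
# modules that own them. shadow_t (password hashes) is the classic
# carve-out; security_file_type covers the policy store and similar.
gen_require(`
	type shadow_t;
	attribute security_file_type;
')

########################################
#
# Local policy
#

# Each interface expands its second argument inside a set such as
#   { file_type -shadow_t -security_file_type }
# so the caller supplies the minus signs. Passing "shadow_t" without the
# minus would be a no-op (the type is already in file_type) and the
# backup domain would silently gain read access to /etc/shadow.
# The whole space-separated list is one m4 argument because it
# contains no comma.
files_read_all_dirs_except(mybackup_t, -shadow_t -security_file_type)
files_read_all_files(mybackup_t, -shadow_t -security_file_type)
files_read_all_symlinks_except(mybackup_t, -security_file_type)

# Restore path: relabel what it writes back, with the same carve-outs,
# so a restore cannot be used to rewrite the excluded types either.
files_relabel_all_files(mybackup_t, -shadow_t -security_file_type)
```

After building and loading the module, `sesearch -A -s mybackup_t -t shadow_t -c file` should return no allow rules; if it does, an exception was passed without its minus sign or a separate interface elsewhere in the module granted the access. The same check, run against each excluded type, is a cheap regression test to keep beside any policy that uses these broad interfaces.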
Relabel from and to generic files in /etc.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel from and to kernel module files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel from files in the /boot directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel a file from the type used in /usr.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel a filesystem to the type of a file.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Relabel a file to the type used in /usr.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Create an object in the root directory, with a private type using a type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
private type |
The type of the object to be created. | No |
object |
The object class of the object being created. | No |
Read and write symbolic links in the /boot directory.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Add and remove entries from /etc directories.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write generic files in /etc.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write files in /etc that are dynamically created on boot, such as mtab.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write generic process ID files.
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write generic named sockets in the tmp directory (/tmp).
Parameter: | Description: | Optional: |
---|---|---|
domain |
Domain allowed access. | No |
Read and write block device nodes on new filesystems that have not yet been labeled.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write directories on new filesystems that have not yet been labeled.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Add and remove entries in the /var/lock directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Add and remove entries in the /usr directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write files in the /var directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of all directories on extended attribute filesystems.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the /boot directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of directories with the default file type.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of /etc directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the home directories root (/home).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of the kernel module directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the locks directory (/var/lock).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of /mnt.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of runtime process ID directories (/var/run).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of generic spool directories (/var/spool).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the tmp directory (/tmp).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of /etc.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the contents of /var.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the /var/lib directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified type a file whose access denials from user domains browsing the filesystem should not be dontaudited (they remain audited).
Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to be marked. | No |
Set the attributes of all tmp directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the /etc directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create objects in the spool directory with a private type with a type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Make the specified type a file used for temporary files.
Parameter: | Description: | Optional: |
---|---|---|
file_type | Type of the file to be used as a temporary file. | No |
Create an object in the tmp directories, with a private type using a type transition.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
private_type | The type of the object to be created. | No |
object_class | The object class of the object being created. | No |
Transform the type into a file, for use on a virtual memory filesystem (tmpfs).
Parameter: | Description: | Optional: |
---|---|---|
type | The type to be transformed. | No |
Make the specified type usable for files in a filesystem.
Parameter: | Description: | Optional: |
---|---|---|
type | Type to be used for files. | No |
Unconfined access to files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Unmount all filesystems with the type of a file.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Unmount a rootfs filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create objects in the /usr directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
file_type | The type of the object to be created. | No |
object_class | The object class. | No |
Create objects in the /var directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
file_type | The type of the object to be created. | No |
object_class | The object class. | No |
Create objects in the /var/lib directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
file_type | The type of the object to be created. | No |
object_class | The object class. | No |
Write kernel module files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow attempts to modify any directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to allow. | No |
Allow attempts to write to /var directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |