This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.
A device node is a char or block device file, usually in /dev. All types that are used to label device nodes should use the dev_node macro.
Additionally, this module controls access to three things:
- the device directories containing device nodes
- device nodes as a group
- individual access to specific device nodes covered by this module.
This module is required to be included in all policies.
Access check for sysfs directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Add entries to directories in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Append the printer device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Associate the specified file type with device filesystem.
Parameter: | Description: |
---|---|
file_type | The type of the file to be associated. |
Associate a file to a sysfs filesystem.
Parameter: | Description: |
---|---|
file_type | The type of the file to be associated to sysfs. |
Associate a file to a usbfs filesystem.
Parameter: | Description: |
---|---|
file_type | The type of the file to be associated to usbfs. |
Configure null_device as a unit file.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Create all block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create all character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the PCMCIA card manager device with the correct type.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create generic block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create a directory in the device directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create symbolic links in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create the null device (/dev/null).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete all block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete all character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete generic block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete a directory in the device directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete generic files in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete symbolic links in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete the loop control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete the lvm control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete the null device (/dev/null).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Dontaudit attempts to list all device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to append to the random number generator devices (e.g., /dev/random)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on all device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on generic block devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr for generic character device files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr generic files in /dev.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on generic pipes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of the BIOS non-volatile RAM device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr on smartcard devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of a directory in the usb filesystem.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of vfio device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit attempts to read and write X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit attempts to list all device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit attempts to mount a filesystem on /sys
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit read on all block file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit read on all character file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the framebuffer.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Read generic files in /dev.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the kernel messages
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read from random number generator devices (e.g., /dev/random)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read and write the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit read and write on the dri devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit attempts to read/write generic character device files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit getattr for generic device files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read and write loop control device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read and write lvm control device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read and write miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search sysfs.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit setattr on generic block devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit setattr for generic character device files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of symbolic links in device directories (/dev).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of vfio device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit write on all block file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit write on all character file device nodes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write in a sysfs directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write to pseudo random devices (e.g., /dev/urandom)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Execmod the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, and write device nodes. The node will be transitioned to the type provided.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
file | Type to which the created node will be transitioned. |
objectclass(es) | Object class(es) (single or set including {}) for which this transition will occur. |
name | The name of the object being created. |
Create all named devices with the correct label
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Automatic type transition to the type for PCMCIA card manager device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for DRI device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for PCMCIA card manager device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for lirc device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Create all named devices with the correct label
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Automatic type transition to the type for xen device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for xserver misc device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create all named devices with the correct label
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr the agp devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow getattr on all device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the CPU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr the dri devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get attributes of device filesystems.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow getattr on generic block devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow getattr for generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr the generic USB devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the event devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the ksm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the kvm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the loop control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the loop control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the mei devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the modem devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the monitor devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the mouse devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the memory type range registers (MTRR) device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the network control device
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the null device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the power management device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the printer device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the QEMU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr on smartcard devices
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the sound devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of sysfs directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get attributes of sysfs filesystems.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of a directory in the usb filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of vfio devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of video4linux devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List all of the device nodes in a device directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List the contents of the sysfs directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to get a list of usb hardware.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read, write, create, and delete all block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read, write, create, and delete all character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, delete, read, and write device nodes in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the dri devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, delete, read, and write block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, delete, read, and write character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage directories in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create a file in the device directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, delete, read, and write symbolic links in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage ipmi devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the printer device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete smartcard devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to modify hardware state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete Xen devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount sysfs filesystems.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a usbfs filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a filesystem on /dev
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a filesystem on /sys
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable for device nodes in a filesystem.
Types used for device nodes that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running.
Example:
```
type mydev_t;
dev_node(mydev_t)
allow mydomain_t mydev_t:chr_file read_chr_file_perms;
```
Related interfaces:
- term_tty()
- term_pty()
Parameter: | Description: |
---|---|
type | Type to be used for device nodes. |
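
A lint check for the rule above, added here as an example (it is not part of this page or of the reference policy): it scans policy source for locally declared types that are used with the chr_file or blk_file classes but were never passed to dev_node(), term_tty() or term_pty(). The sample policy and the names mydaemon_t, mylog_t and rawdev_t are constructed; dev_filetrans() is the reference policy's name for the transition interface this module documents with the parameters domain, file, objectclass(es) and name, a name that does not appear on the page itself.

```python
import re

# Interfaces that mark a type as usable for device nodes: dev_node() plus the
# two related interfaces this page lists for terminal devices.
NODE_INTERFACES = ("dev_node", "term_tty", "term_pty")
DEVICE_CLASSES = {"chr_file", "blk_file"}

TYPE_DECL = re.compile(r"\btype\s+(\w+)")
NODE_CALL = re.compile(r"\b(?:%s)\(([^)]*)\)" % "|".join(NODE_INTERFACES))
ALLOW_RULE = re.compile(
    r"\ballow\s+(?:\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?)\s*:\s*(\{[^}]*\}|\w+)")
FILETRANS_CALL = re.compile(r"\bdev_filetrans\(([^)]*)\)")
GEN_REQUIRE = re.compile(r"gen_require\(`.*?'\)", re.S)


def names(token):
    """Split 'a_t' or '{ a_t b_t }' into a list of identifiers."""
    return re.findall(r"\w+", token)


def unmarked_device_types(policy_text):
    """Return {type: [classes]} for locally declared types that are used with
    chr_file/blk_file but were never passed to a NODE_INTERFACES macro."""
    text = re.sub(r"#.*", "", policy_text)   # drop comments
    text = GEN_REQUIRE.sub("", text)         # required types live elsewhere
    declared = set(TYPE_DECL.findall(text))
    marked = set()
    for args in NODE_CALL.findall(text):
        marked.update(names(args))

    uses = []  # (type, classes) pairs taken from allow rules and dev_filetrans
    for targets, classes in ALLOW_RULE.findall(text):
        uses += [(t, names(classes)) for t in names(targets)]
    for args in FILETRANS_CALL.findall(text):
        parts = [a.strip() for a in args.split(",")]
        if len(parts) >= 3:
            uses.append((parts[1], names(parts[2])))

    findings = {}
    for type_name, classes in uses:
        hit = DEVICE_CLASSES.intersection(classes)
        if hit and type_name in declared and type_name not in marked:
            findings.setdefault(type_name, set()).update(hit)
    return {t: sorted(c) for t, c in sorted(findings.items())}


# Constructed sample policy source (not from the reference policy).
SAMPLE_POLICY = """
policy_module(mydaemon, 1.0)

gen_require(`
    type device_t;
')

type mydaemon_t;
type mylog_t;
type mydev_t;
dev_node(mydev_t)
type rawdev_t;        # declared, but never passed to dev_node()

allow mydaemon_t mydev_t:chr_file read_chr_file_perms;
allow mydaemon_t rawdev_t:{ chr_file blk_file } getattr;
allow mydaemon_t mylog_t:file append;
allow mydaemon_t device_t:chr_file getattr;
dev_filetrans(mydaemon_t, rawdev_t, chr_file, "rawdev0")
"""

if __name__ == "__main__":
    for type_name, classes in unmarked_device_types(SAMPLE_POLICY).items():
        print("%s is used as %s but is not a dev_node() type"
              % (type_name, "/".join(classes)))
```

Types pulled in through gen_require() are skipped because their dev_node() call, if any, lives in the module that declares them.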
Allow to be reader of raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow to be writer of raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read on all block file device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read cpu online hardware state information.
Allow the specified domain to read /sys/devices/system/cpu/online file.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the CPU identity.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the kernel crash device
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the framebuffer.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read generic files in /dev.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Read symbolic links in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the generic USB devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read infiniband devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read infiniband mgmt devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read ipmi devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the kernel messages
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the ksm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the kvm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the lirc device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the loop control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the lvm control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the mei devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read miscellaneous devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the modem devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the monitor devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the mouse devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the network control identity.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read Non-Volatile Memory Host Controller Interface.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read BIOS non-volatile RAM.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the QEMU device
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read from random number generator devices (e.g., /dev/random).
Allow the specified domain to read from random number generator devices (e.g., /dev/random). Typically this is used in situations when a cryptographically secure random number is needed.
Related interface:
dev_read_urand()
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the sound devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the sound mixer devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read hardware state information.
Allow the specified domain to read the contents of the sysfs filesystem. This filesystem contains information, parameters, and other settings on the hardware installed on the system.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read from pseudo random number generator devices (e.g., /dev/urandom).
Allow the specified domain to read from pseudo random number generator devices (e.g., /dev/urandom). Typically this is used in situations when a cryptographically secure random number is not necessarily needed. One example is the Stack Smashing Protector (SSP, formerly known as ProPolice) support that may be compiled into programs.
Related interface:
dev_read_rand()
Related tunable:
global_ssp
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read USB hardware information using the usbfs filesystem interface.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read USB monitor devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the vfio devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the video4linux devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read from watchdog devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow full relabeling (to and from) of all device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow full relabeling (to and from) of all device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel hardware state files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel the autofs device node.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel cpu online hardware state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow full relabeling (to and from) of directories in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel symbolic links in device directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel the generic USB devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel the printer device node.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel hardware state directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel from generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Add entries to directories in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Rename all block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Rename all character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Rename generic block device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Rename generic character device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the agp devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write all inherited block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write all inherited character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the apm bios.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the autofs device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the CPU microcode device. This is required to load CPU microcode.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the hardware SSL accelerator.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the dlm control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the dri devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the ecrypt filesystem device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the framebuffer.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write generic block device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write generic character device files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write generic files in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the generic USB devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow read/write the hypervkvp device
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow read/write the hypervvssd device
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write ipmi devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write ipmi devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the dri devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow read/write the inherited vhost net device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write ipmi devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to ksm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to kvm devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the lirc device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the loop control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the lvm control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to mei devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to modem devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to monitor devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to mouse devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the network control device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to the null device (/dev/null).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write BIOS non-volatile RAM.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the power management device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the printer device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the QEMU device.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and set the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write smartcard devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow caller to modify hardware state information.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the TPM device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write uhid devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow caller to modify usb hardware configuration files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write userio device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the VFIO devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow read and write access to the vhost net device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write VMWare devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to watchdog devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the wireless device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write Xen devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, and mmap VMWare devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, and execute the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and execute raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search the sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search the directory containing USB hardware information.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the status of a null device service.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the CPU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the dlm control devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of /dev directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the event devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the ksm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the kvm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the modem devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the monitor devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the mouse devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the null device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the power management device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the printer device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the QEMU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of usbfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of vfio device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, and write device nodes. The node will be transitioned to the type provided. This is a temporary interface until devtmpfs functionality is fixed.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
objectclass(es) |
Object class(es) (single or set including {}) for which this transition will occur. |
name |
The name of the object being created. |
Unconfined access to devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Unmount sysfs filesystems.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the framebuffer.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write generic sock files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Write generic socket files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Write to the kernel messages device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the memory type range registers (MTRR). (Deprecated)
Write the memory type range registers (MTRR). This interface has been deprecated; dev_rw_mtrr() should be used instead.
The MTRR device ioctls can be used for reading and writing; thus, write access to the device cannot be separated from read access.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to the random device (e.g., /dev/random). This adds entropy used to generate the random data read from the random device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the sound mixer devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write in sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write USB monitor devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the vfio devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the video4linux devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to watchdog devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write and execute raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |