Policy for kernel threads, proc filesystem, and unlabeled processes and objects.
This module is required to be included in all policies.
false
Disable kernel module loading.
Change the level of kernel messages logged to the console.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows the caller to clear the ring buffer.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive DCCP packets from an unlabeled connection.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Delete unlabeled files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send messages to kernel unix datagram sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows the kernel to start userland processes by transitioning to the specified domain.
Parameter: | Description: |
---|---|
domain | The process type entered by kernel. |
entrypoint | The executable type for the entrypoint. |
Do not audit attempts to check the access on generic proc entries.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to receive DCCP packets from an unlabeled connection.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get attributes on all sysctls.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of core kernel interfaces.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get the attributes of kernel message interfaces.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get attributes for unlabeled block devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get attributes for unlabeled character devices.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get the attributes of an unlabeled file.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get the attributes of unlabeled named pipes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get the attributes of unlabeled named sockets.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to get the attributes of unlabeled symbolic links.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to link to the kernel key ring.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to list all proc directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to list all sysctl directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to list the contents of directories in /proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to list unlabeled directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to read system state information in proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the ring buffer.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the process state (/proc/pid) of the kernel.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Do not audit attempts by caller to read system state information in proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to read an unlabeled file.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to receive packets from an unlabeled peer.
Do not audit attempts to receive packets from an unlabeled peer; these packets do not have any peer labeling information present.
The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit requests to the kernel to load a module.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search generic kernel sysctls.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the kernel key ring.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the network state directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to search network sysctl directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the numa state directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the security state directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by caller to search the base directory of sysctls.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the usermodehelper state directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the xen state directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to send and receive messages from an unlabeled IPSEC association.
Do not audit attempts to send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.
The corenetwork interface corenet_dontaudit_non_ipsec_sendrecv() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of directories in /proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the attributes of files in /proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to set the priority of kernel threads.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to use kernel file descriptors.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write kernel debugging filesystem dirs.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write generic kernel sysctls.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write the directories in /proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write files in /proc.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write usermodehelper state.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Get information on all System V IPC objects.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to get the attributes of the core kernel interface.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of a kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to get the attributes of kernel message interface (/proc/kmsg).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of the proc filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of files in /proc.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a kill signal to kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a kill signal to unlabeled processes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow linking to the kernel key ring.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow attempts to list all proc directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List the contents of directories in /proc.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List unlabeled directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to load kernel modules.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage information from the debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a kernel VM filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount the proc filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mount a kernel unlabeled filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow attempts to mounton all proc directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow attempts to mounton all sysctl directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to mounton the kernel messages file.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mounton a proc filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable for regular entries in proc.
Parameter: | Description: |
---|---|
type | Type to be used for /proc entries. |
Allows the kernel to start userland processes by transitioning to the specified domain, with a range transition.
Parameter: | Description: |
---|---|
domain | The process type entered by kernel. |
entrypoint | The executable type for the entrypoint. |
range | Range for the domain. |
Receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow attempts to read all proc types.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read all sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to read the core kernel interface.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read generic crypto sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read information from the debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the device sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read filesystem sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the hotplug sysctl.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read IRQ sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read general kernel sysctls.
Allow the specified domain to read general kernel sysctl settings. These settings are typically read using the sysctl program. The settings that are included by this interface are prefixed with "kernel.", for example, kernel.sysrq.
This does not include access to the hotplug handler setting (kernel.hotplug) nor the module installer handler setting (kernel.modprobe).
Related interfaces:
kernel_rw_kernel_sysctl()
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read kernel messages using the /proc/kmsg interface.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the modprobe sysctl.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read network sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read netlink audit socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the network state information.
Allow the specified domain to read the networking state information. This includes several pieces of networking information, such as network interface names, netfilter (iptables) statistics, protocol information, routes, and remote procedure call (RPC) information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the network state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the numa state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the numa state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read generic symbolic links in /proc.
Allow the specified domain to read (follow) generic symbolic links (symlinks) in the proc filesystem (/proc). This interface does not include access to the targets of these links. An example symlink is /proc/self.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to read the ring buffer.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read RPC sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the security state information.
Allow the specified domain to read the security state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the security state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the state information for software raid.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the process state (/proc/pid) of the kernel.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow access to read sysctl directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to read system state information in /proc.
Allow the specified domain to read general system state information from the proc filesystem (/proc).
Generally it should be safe to allow this access. Some example files that can be read based on this interface:
/proc/cpuinfo
/proc/meminfo
/proc/uptime
This does not allow access to sysctl entries (/proc/sys/*) nor process state information (/proc/pid).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read unix domain socket sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the process state (/proc/pid) of all unlabeled_t.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the usermodehelper state information.
Allow the specified domain to read the usermodehelper state information. This includes several pieces of usermodehelper information, such as usermodehelper interface names, usermodehelperfilter (iptables) statistics, protocol information, routes, and remote procedure call (RPC) information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the usermodehelper state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read virtual memory overcommit sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read virtual memory sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the xen state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the xen state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive packets from an unlabeled peer.
Receive packets from an unlabeled peer; these packets do not have any peer labeling information present.
The corenetwork interface corenet_recvfrom_unlabeled_peer() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel from unlabeled database objects.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled filesystems.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled named pipes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled named sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to relabel unlabeled symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel to unlabeled context.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel to usermodehelper context.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Remount a kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows caller to request the kernel to load a module.
Allow the specified domain to request that the kernel load a kernel module. An example of this is the auto-loading of network drivers when doing an ioctl() on a network interface.
In the specific case of a module loading request on a network interface, the domain will also need the net_admin capability.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows the kernel to mount filesystems on the specified directory type.
Parameter: | Description: |
---|---|
directory_type | The type of the directory to use as a mountpoint. |
Allow caller to read and write state information for AFS.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write all sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write device sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write filesystem sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the hotplug sysctl.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write IRQ sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write generic kernel sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the modprobe sysctl.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to modify the contents of sysctl network files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write kernel unnamed pipes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write RPC sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read the security state symbolic links.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to read and set the state information for software raid.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to read/write on the kernel with a unix socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write kernel unix datagram sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write unix domain socket sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write unlabeled block device nodes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write unlabeled directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write unlabeled files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read/Write Raw IP packets from an unlabeled connection.
Receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write unlabeled sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write usermodehelper state.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write virtual memory overcommit sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write virtual memory sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search the contents of a kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of the kernel key ring.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of network state directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search network sysctl directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of numa state directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search directories in /proc.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of security state directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of usermodehelper state directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to search virtual memory overcommit sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to search virtual memory sysctls.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow searching of xen state directory.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send and receive messages from an unlabeled IPSEC association.
Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.
The corenetwork interface corenet_non_ipsec_sendrecv() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send and receive unlabeled packets.
Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.
The corenetwork interface corenet_sendrecv_unlabeled_packets() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Set the process group of kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Set the priority of kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allows the kernel to share state information with the caller.
Parameter: | Description: |
---|---|
domain | The type of the process with which to share state information. |
Send a SIGCHLD signal to kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a child terminated signal to unlabeled processes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a generic signal to kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send general signals to unlabeled processes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send signull to kernel threads.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a null signal to unlabeled processes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a stop signal to unlabeled processes.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Connect to kernel using a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to getattr on the kernel with a unix socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to write on the kernel with a unix socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive messages from kernel TCP sockets. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_tcp_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive messages from kernel UDP sockets. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_udp_recv_unlabeled() should be used instead of this one.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send UDP network traffic to the kernel. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Unconfined access to kernel module resources.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute an unlabeled file in the specified domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Make general programs without labels an entrypoint for the specified domain.
Parameter: | Description: |
---|---|
domain | The domain for which unlabeled_t is an entrypoint. |
Unmount a kernel debugging filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Unmount the proc filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Unmount a kernel unlabeled filesystem.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Permits caller to use kernel file descriptors.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to write numa state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Write to generic proc entries.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Write the security state information.
Allow the specified domain to write the security state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow caller to write xen state information.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |