Policy for SELinux policy and userland applications.
Allow access check on load_policy.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List of the semanage module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow access check on setfiles.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create the SELinux binary policy.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send and receive messages from semanage dbus server over dbus.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute checkpolicy in the checkpolicy domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute load_policy in the load_policy domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute newrole in the newrole domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute restorecon in the restorecon domain. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute run_init in the run_init domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute a domain transition to run semanage.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute setfiles in the setfiles domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute setfiles in the setfiles domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a domain transition to run setsebool.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Dontaudit access check on load_policy.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Dontaudit access check on module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Dontaudit access check on module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Dontaudit access check on setfiles.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Do not audit SELinux-enabled program access for libselinux-linked programs.
SELinux-enabled programs are typically linked to the libselinux library. This interface will dontaudit access required for the libselinux constructor to function.
Generally this should not be used on anything but simple SELinux-enabled programs that do not rely on data initialized by the libselinux constructor.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the SELinux userland configuration (/etc/selinux).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the file_contexts files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to read the SELinux login configuration.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the SELinux configuration directory (/etc/selinux).
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the SELinux login configuration directory.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts by the caller to send a signal to newrole.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to inherit and use newrole file descriptors.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Execute checkpolicy in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute load_policy in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute newrole in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute restorecon in the caller domain. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute restorecond in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute setfiles in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
File name transition for SELinux utility content.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get read lock on module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get trans lock on module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute init scripts in the run_init domain. This is used for the Gentoo integrated run_init.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute init scripts in the run_init domain, and allow the specified role the run_init domain, and use the caller's terminal.
This is used for the Gentoo integrated run_init.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
SELinux-enabled program access for libselinux-linked programs.
SELinux-enabled programs are typically linked to the libselinux library. This interface will allow access required for the libselinux constructor to function.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the SELinux binary policy.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the default_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the file_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage the SELinux login configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Full management of the semanage module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the general SELinux configuration files. (Deprecated)
This interface has been deprecated; use the seutil_manage_config() interface instead.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete SELinux policy source files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the SELinux binary policy.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the default_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the file_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the load_policy program file.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the SELinux login configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Full management of the semanage module store.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read SELinux policy source files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the caller to relabel a file to the binary policy type.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute checkpolicy in the checkpolicy domain, and allow the specified role the checkpolicy domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute load_policy in the load_policy domain, and allow the specified role the load_policy domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute newrole in the newrole domain, and allow the specified role the newrole domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute restorecon in the restorecon domain, and allow the specified role the restorecon domain, and use the caller's terminal. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute run_init in the run_init domain, and allow the specified role the run_init domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute semanage in the semanage domain, and allow the specified role the semanage domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute setfiles in the setfiles domain, and allow the specified role the setfiles domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
role | Role allowed access. |
Execute setfiles in the setfiles_mac domain, and allow the specified role the setfiles_mac domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
role | The role to be allowed the setfiles_mac domain. |
Execute setsebool in the semanage domain, and allow the specified role the semanage domain, and use the caller's terminal.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
role | The role to be allowed the setsebool domain. |
Read and write the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the default_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the file_contexts files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write the SELinux login configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete the general SELinux configuration files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow attempts to search the SELinux configuration directory (/etc/selinux).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search the policy directory with default_context files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
All rules necessary to run the semanage command.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
All rules necessary to run the setfiles command.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a SIGCHLD signal to newrole.
Allow the specified domain to send a SIGCHLD signal to newrole. This signal is automatically sent from a process that is terminating to its parent. This may be needed by domains that are executed from newrole.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Inherit and use newrole file descriptors.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Inherit and use run_init file descriptors.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |