Layer: kernel

Module: files

Interfaces

Description:

This module contains basic filesystem types and interfaces. This includes:

This module is required to be included in all policies.


Interfaces:

files_append_inherited_tmp_files( domain )
Summary

Allow caller to append inherited tmp files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_append_var_files( domain )
Summary

Append files in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_associate_rootfs( file_type )
Summary

Allow the specified type to associate to a filesystem with the type of the / file system

Parameters
Parameter:Description:
file_type

Type of the file to associate.

files_associate_tmp( file_type )
Summary

Allow the specified type to associate to a filesystem with the type of the temporary directory (/tmp).

Parameters
Parameter:Description:
file_type

Type of the file to associate.

files_auth_file( file_type )
Summary

Mark the specified type as a file that is related to authentication.

Parameters
Parameter:Description:
file_type

Type of the authentication-related file.

files_base_file( file_type )
Summary

Make the specified type a base file.

Description

Identify file type as base file type. Tools will use this attribute to help users diagnose problems.

Parameters
Parameter:Description:
file_type

Type to be used as a base file.

files_boot_filetrans( domain , private_type , object_class , name )
Summary

Create a private type object in boot with an automatic type transition

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to be created.

object_class

The object class of the object being created.

name

The name of the object being created.

files_config_all_files( domain )
Summary

Allow the specified domain to modify the systemd configuration of any file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_config_file( file_type )
Summary

Make the specified type a configuration file.

Description

Make the specified type usable for configuration files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with configuration management tools.

Example usage with a domain that can read its configuration file in /etc:

type myconffile_t;
files_config_file(myconffile_t)
allow mydomain_t myconffile_t:file read_file_perms;
files_search_etc(mydomain_t)

Parameters
Parameter:Description:
file_type

Type to be used as a configuration file.

files_create_all_pid_pipes( domain )
Summary

Create all pid named pipes

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_all_pid_sockets( domain )
Summary

Create all pid sockets

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_all_spool_sockets( domain )
Summary

Create all spool sockets

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_as_is_all_files( domain )
Summary

Allow domain to create_files_as all types

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_boot_dirs( domain )
Summary

Create directories in /boot

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_boot_flag( domain , name )
Summary

Create a boot flag.

Description

Create a boot flag, such as /.autorelabel and /.autofsck.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

files_create_default_dir( domain )
Summary

Create a default directory

Description

Create a default_t directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_kernel_img( domain )
Summary

Install a kernel into the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_kernel_symbol_table( domain )
Summary

Install a system.map into the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_lock_dirs( domain )
Summary

Create lock directories

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_var_lib_dirs( domain )
Summary

Create directories in /var/lib

Parameters
Parameter:Description:
domain

Domain allowed access.

files_create_var_run_dirs( domain )
Summary

Create generic pid directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_locks( domain )
Summary

Delete all lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_non_security_dirs( domain )
Summary

Allow domain to delete all dirs

Parameters
Parameter:Description:
domain

Domain to not audit.

files_delete_all_non_security_files( domain )
Summary

Allow domain to delete all files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_delete_all_pid_dirs( domain )
Summary

Delete all process ID directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_pid_pipes( domain )
Summary

Delete all pid named pipes

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_pid_sockets( domain )
Summary

Delete all pid sockets

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_pids( domain )
Summary

Delete all process IDs.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_all_spool_sockets( domain )
Summary

Delete all spool sockets

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_boot_flag( domain )
Summary

Delete a boot flag.

Description

Delete a boot flag, such as /.autorelabel and /.autofsck.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_etc_dir_entry( domain )
Summary

Remove entries from the etc directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_etc_files( domain )
Summary

Delete system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_generic_locks( domain )
Summary

Delete generic lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_blk_files( domain )
Summary

Delete block files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_chr_files( domain )
Summary

Delete chr files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_dirs( domain )
Summary

Delete directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_fifo_files( domain )
Summary

Delete named pipes on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_files( domain )
Summary

Delete files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_sock_files( domain )
Summary

Delete named sockets on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_isid_type_symlinks( domain )
Summary

Delete symbolic links on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_kernel( domain )
Summary

Delete a kernel from /boot.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_kernel_modules( domain )
Summary

Delete kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_kernel_symbol_table( domain )
Summary

Delete a system.map in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_root_dir_entry( domain )
Summary

Remove entries from the root directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_root_files( domain )
Summary

Delete files in the root directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_tmp_dir_entry( domain )
Summary

Remove entries from the tmp directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_tmpfs_files( domain )
Summary

Allow deletion of all tmpfs files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_delete_usr_dirs( domain )
Summary

Delete generic directories in /usr in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_delete_usr_files( domain )
Summary

Delete generic files in /usr in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_dontaduit_getattr_kernel_symbol_table( domain )
Summary

Do not audit getattr attempts on the system.map file

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_access_check_etc( domain )
Summary

Do not audit attempts to check the access on etc files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_access_check_home_dir( domain )
Summary

Do not audit attempts to check the access on home root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_access_check_mnt( domain )
Summary

Do not audit attempts to check the write access on mnt files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_access_check_root( domain )
Summary

Do not audit attempts to check the access on root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_access_check_tmp( domain )
Summary

Do not audit attempts to check the access on tmp files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_all_access_check( domain )
Summary

Do not audit attempts to check the access on all files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_all_non_security_leaks( domain )
Summary

Do not audit attempts to rw inherited file perms of non security files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_dirs( domain )
Summary

Do not audit attempts to get the attributes of all directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_files( domain )
Summary

Do not audit attempts to get the attributes of all files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_pids( domain )
Summary

Do not audit attempts to get the attributes of daemon runtime data files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_pipes( domain )
Summary

Do not audit attempts to get the attributes of all named pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_sockets( domain )
Summary

Do not audit attempts to get the attributes of all named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_symlinks( domain )
Summary

Do not audit attempts to get the attributes of all symbolic links.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_tmp_files( domain )
Summary

Do not audit attempts to get the attributes of all tmp files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_all_tmp_sockets( domain )
Summary

Do not audit attempts to get the attributes of all tmp sock_file.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_boot_dirs( domain )
Summary

Do not audit attempts to get attributes of the /boot directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_default_dirs( domain )
Summary

Do not audit attempts to get the attributes of directories with the default file type.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_default_files( domain )
Summary

Do not audit attempts to get the attributes of files with the default file type.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_home_dir( domain )
Summary

Do not audit attempts to get the attributes of the home directories root (/home).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_lost_found_dirs( domain )
Summary

Do not audit attempts to get the attributes of lost+found directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_blk_files( domain )
Summary

Do not audit attempts to get the attributes of non security block devices.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_chr_files( domain )
Summary

Do not audit attempts to get the attributes of non security character devices.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_files( domain )
Summary

Do not audit attempts to get the attributes of non security files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_pipes( domain )
Summary

Do not audit attempts to get the attributes of non security named pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_sockets( domain )
Summary

Do not audit attempts to get the attributes of non security named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_non_security_symlinks( domain )
Summary

Do not audit attempts to get the attributes of non security symbolic links.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_pid_dirs( domain )
Summary

Do not audit attempts to get the attributes of the /var/run directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_tmp_dirs( domain )
Summary

Do not audit attempts to get the attributes of the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_getattr_tmpfs_files( domain )
Summary

Do not audit attempts to getattr all tmpfs files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_ioctl_all_pids( domain )
Summary

Do not audit attempts to ioctl daemon runtime data files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_leaks( domain )
Summary

Do not audit attempts to read or write all leaked files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_all_mountpoints( domain )
Summary

Do not audit listing of all mount points.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_boot( domain )
Summary

Do not audit attempts to list the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_dontaudit_list_default( domain )
Summary

Do not audit attempts to list contents of directories with the default file type.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_home( domain )
Summary

Do not audit attempts to list home directories root (/home).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_mnt( domain )
Summary

Do not audit attempts to list the contents of /mnt.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_non_security( domain )
Summary

Do not audit attempts to list all non-security directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_security_dirs( domain )
Summary

Do not audit attempts to read security dirs

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_tmp( domain )
Summary

Do not audit listing of the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_list_var( domain )
Summary

Do not audit listing of the var directory (/var).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_mounton_isid( domain )
Summary

Do not audit attempts to mount on directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_dontaudit_mounton_rootfs( domain )
Summary

Mount a filesystem on the root file system

Parameters
Parameter:Description:
domain

Domain allowed access.

files_dontaudit_read_all_non_security_files( domain )
Summary

Do not audit attempts to read all security file types.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_all_sockets( domain )
Summary

Do not audit attempts to read all named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_all_symlinks( domain )
Summary

Do not audit attempts to read all symbolic links.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_default_files( domain )
Summary

Do not audit attempts to read files with the default file type.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_etc_runtime_files( domain )
Summary

Do not audit attempts to read files in /etc that are dynamically created on boot, such as mtab.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_root_files( domain )
Summary

Do not audit attempts to read files in the root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_read_security_files( domain )
Summary

Do not audit attempts to read security files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_remove_etc_dir( domain )
Summary

Do not audit attempts to remove /etc directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_inherited_locks( domain )
Summary

Do not audit attempts to read/write inherited locks (/var/lock).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_inherited_pipes( domain )
Summary

Do not audit attempts to read/write non security named pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_root_chr_files( domain )
Summary

Do not audit attempts to read or write character device nodes in the root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_root_dir( domain )
Summary

Do not audit attempts to write files in the root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_root_files( domain )
Summary

Do not audit attempts to read or write files in the root directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_usr_dirs( domain )
Summary

Do not audit attempts to add and remove entries from /usr directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_rw_var_files( domain )
Summary

Do not audit attempts to read and write files in the /var directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_all_dirs( domain )
Summary

Do not audit attempts to search the contents of any directories on extended attribute filesystems.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_all_mountpoints( domain )
Summary

Do not audit searching of all mount points.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_all_pids( domain )
Summary

Do not audit attempts to search all /var/run directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_boot( domain )
Summary

Do not audit attempts to search the /boot directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_home( domain )
Summary

Do not audit attempts to search home directories root (/home).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_isid_type_dirs( domain )
Summary

Do not audit attempts to search directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_locks( domain )
Summary

Do not audit attempts to search the locks directory (/var/lock).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_mnt( domain )
Summary

Do not audit attempts to search /mnt.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_non_security_dirs( domain )
Summary

Do not audit attempts to search non security dirs.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_pids( domain )
Summary

Do not audit attempts to search the /var/run directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_security_files( domain )
Summary

Do not audit attempts to search security files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_spool( domain )
Summary

Do not audit attempts to search generic spool directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_src( domain )
Summary

Do not audit attempts to search /usr/src.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_tmp( domain )
Summary

Do not audit attempts to search the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_var( domain )
Summary

Do not audit attempts to search the contents of /var.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_search_var_lib( domain )
Summary

Do not audit attempts to search the contents of /var/lib.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_setattr_all_mountpoints( domain )
Summary

Do not audit attempts to set the attributes on all mount points.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_setattr_etc_runtime_files( domain )
Summary

Do not audit attempts to set the attributes of the etc_runtime files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_setattr_non_security_dirs( domain )
Summary

Do not audit attempts to set the attributes of non security directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_setattr_non_security_files( domain )
Summary

Do not audit attempts to set the attributes of non security files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_tmp_file_leaks( domain )
Summary

Do not audit attempts to read or write all leaked tmpfiles files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_unmount_all_mountpoints( domain )
Summary

Do not audit attempts to unmount all mount points.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_all_files( domain )
Summary

Do not audit attempts to write to all files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_all_mountpoints( domain )
Summary

Do not audit attempts to write to mount points.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_all_pids( domain )
Summary

Do not audit attempts to write to daemon runtime data files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_etc_dirs( domain )
Summary

Do not audit attempts to write to /etc dirs.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_etc_files( domain )
Summary

Do not audit attempts to write generic files in /etc.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_etc_runtime_files( domain )
Summary

Do not audit attempts to write etc_runtime files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_isid_chr_files( domain )
Summary

Do not audit attempts to write to character files that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_root_dirs( domain )
Summary

Do not audit attempts to write to / dirs.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_usr_dirs( domain )
Summary

Do not audit write of /usr dirs

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_usr_files( domain )
Summary

Do not audit write of /usr files

Parameters
Parameter:Description:
domain

Domain to not audit.

files_dontaudit_write_var_dirs( domain )
Summary

Do not audit attempts to write to /var.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_entrypoint_all_files( domain )
Summary

Allow any file to be the entrypoint of this domain

Parameters
Parameter:Description:
domain

Domain allowed access.

files_entrypoint_all_mountpoint( domain )
Summary

Make all mount points entrypoints.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_etc_filetrans( domain , file_type , class , name )
Summary

Create objects in /etc with a private type using a type_transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

file_type

Private file type.

class

Object classes to be created.

name

The name of the object being created.

files_etc_filetrans_etc_runtime( domain , object , name )
Summary

Create etc runtime objects with an automatic type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The class of the object being created.

name

The name of the object being created.

files_etc_filetrans_system_conf( domain )
Summary

Create files in /etc with the type used for the manageable system config files.

Parameters
Parameter:Description:
domain

The type of the process performing this action.

files_exec_all_base_ro_files( domain )
Summary

Execute all base ro files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_exec_etc_files( domain )
Summary

Execute generic files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_exec_generic_pid_files( domain )
Summary

Execute generic programs in /var/run in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_exec_isid_files( domain )
Summary

Execute files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_exec_usr_files( domain )
Summary

Execute generic programs in /usr in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_exec_usr_src_files( domain )
Summary

Execute programs in /usr/src in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_execmod_all_files( domain )
Summary

Allow shared library text relocations in all files.

Description

Allow shared library text relocations in all files.

This is added to support WINE policy.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_execmod_tmp( domain )
Summary

Allow shared library text relocations in tmp files.

Description

Allow shared library text relocations in tmp files.

This is added to support java policy.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_filetrans_lib( domain , directory_type , object , name )
Summary

Create lib_t objects with an automatic type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

directory_type

Type of the directory to be transitioned from.

object

The class of the object being created.

name

The name of the object being created.

files_filetrans_named_content( domain )
Summary

Transition named content in the var_run_t directory

Parameters
Parameter:Description:
domain

Domain allowed access.

files_filetrans_system_conf_named_files( domain )
Summary

File name transition for system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_filetrans_system_db_named_files( domain )
Summary

File name transition for system db files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_blk_files( domain )
Summary

Get the attributes of all blk files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_chr_files( domain )
Summary

Get the attributes of all chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_dirs( domain )
Summary

Get the attributes of all directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_file_type_fs( domain )
Summary

Get the attributes of all filesystems with the type of a file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_files( domain )
Summary

Get the attributes of all files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_mountpoints( domain )
Summary

Get the attributes of all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_pipes( domain )
Summary

Get the attributes of all named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_sockets( domain )
Summary

Get the attributes of all named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_symlinks( domain )
Summary

Get the attributes of all symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_all_tmp_files( domain )
Summary

Allow attempts to get the attributes of all tmp files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_boot_dirs( domain )
Summary

Get attributes of the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_default_dirs( domain )
Summary

Getattr of directories with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_generic_locks( domain )
Summary

Get the attributes of generic lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_home_dir( domain )
Summary

Get the attributes of the home directories root (/home).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_isid_type( domain )
Summary

Getattr all file objects on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_isid_type_dirs( domain )
Summary

Getattr of directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_kernel_modules( domain )
Summary

Get the attributes of kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_lost_found_dirs( domain )
Summary

Get the attributes of lost+found directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_tmp_dirs( domain )
Summary

Get the attributes of the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_usr_files( domain )
Summary

Get the attributes of files in /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_usr_src_files( domain )
Summary

Get the attributes of files in /usr/src.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_getattr_var_lib_dirs( domain )
Summary

Get the attributes of the /var/lib directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_home_filetrans( domain , home_type , object , name )
Summary

Create objects in /home.

Parameters
Parameter:Description:
domain

Domain allowed access.

home_type

The private type.

object

The class of the object being created.

name

The name of the object being created.

files_kernel_modules_filetrans( domain , private_type , object_class , name )
Summary

Create objects in the kernel module directories with a private type via an automatic type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to be created.

object_class

The object class of the object being created.

name

The name of the object being created.

files_list_all( domain )
Summary

List the contents of all directories on extended attribute filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_all_mountpoints( domain )
Summary

List all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_all_tmp( domain )
Summary

List all tmp directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_boot( domain )
Summary

List the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_default( domain )
Summary

List contents of directories with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_etc( domain )
Summary

List the contents of /etc directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_home( domain )
Summary

Get listing of home directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_isid_type_dirs( domain )
Summary

List the contents of directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_kernel_modules( domain )
Summary

List the contents of the kernel module directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_locks( domain )
Summary

List generic lock directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_lost_found( domain )
Summary

List the contents of lost+found directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_mnt( domain )
Summary

List the contents of /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_non_auth_dirs( domain )
Summary

Read all non-authentication related directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_non_security( domain )
Summary

List all non-security directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_pids( domain )
Summary

List the contents of the runtime process ID directories (/var/run).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_root( domain )
Summary

List the contents of the root directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_spool( domain )
Summary

List the contents of generic spool (/var/spool) directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_tmp( domain )
Summary

Read the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_usr( domain )
Summary

List the contents of generic directories in /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_var( domain )
Summary

List the contents of /var.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_var_lib( domain )
Summary

List the contents of the /var/lib directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_list_world_readable( domain )
Summary

List world-readable directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_lock_file( type )
Summary

Make the specified type usable for lock files.

Parameters
Parameter:Description:
type

Type to be used for lock files.

files_lock_filetrans( domain , private type , object , name )
Summary

Create an object in the locks directory, with a private type using a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

files_manage_all_files( domain , exception_types )
Summary

Manage all files on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

files_manage_all_locks( domain )
Summary

Manage all lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_all_pid_dirs( domain )
Summary

Manage all pidfile directories in the /var/run directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_all_pids( domain )
Summary

Manage all pidfiles in the /var/run directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_boot_dirs( domain )
Summary

Create, read, write, and delete directories in /boot.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_boot_files( domain )
Summary

Create, read, write, and delete files in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_boot_symlinks( domain )
Summary

Create, read, write, and delete symbolic links in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_config_dirs( domain )
Summary

Manage all configuration directories on filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_config_files( domain )
Summary

Manage all configuration files on filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_default_dirs( domain )
Summary

Create, read, write, and delete directories with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_default_files( domain )
Summary

Create, read, write, and delete files with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_etc_dirs( domain )
Summary

Manage generic directories in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_etc_files( domain )
Summary

Create, read, write, and delete generic files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_etc_runtime_files( domain )
Summary

Create, read, write, and delete files in /etc that are dynamically created on boot, such as mtab.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_etc_symlinks( domain )
Summary

Create, read, write, and delete symbolic links in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_locks( domain )
Summary

Create, read, write, and delete generic lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_pids_symlinks( domain )
Summary

Manage generic symbolic links in the /var/run directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_spool( domain )
Summary

Create, read, write, and delete generic spool files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_spool_dirs( domain )
Summary

Create, read, write, and delete generic spool directories (/var/spool).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_tmp_dirs( domain )
Summary

Manage temporary directories in /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_generic_tmp_files( domain )
Summary

Manage temporary files and directories in /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_isid_type_blk_files( domain )
Summary

Create, read, write, and delete block device nodes on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_isid_type_chr_files( domain )
Summary

Create, read, write, and delete character device nodes on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_isid_type_dirs( domain )
Summary

Create, read, write, and delete directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_isid_type_files( domain )
Summary

Create, read, write, and delete files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_isid_type_symlinks( domain )
Summary

Create, read, write, and delete symbolic links on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_kernel_modules( domain )
Summary

Create, read, write, and delete kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_lost_found( domain )
Summary

Create, read, write, and delete objects in lost+found directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_mnt_dirs( domain )
Summary

Create, read, write, and delete directories in /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_mnt_files( domain )
Summary

Create, read, write, and delete files in /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_mnt_symlinks( domain )
Summary

Create, read, write, and delete symbolic links in /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_mounttab( domain )
Summary

Allow domain to manage mount tables necessary for rpcd, nfsd, etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_non_auth_files( domain )
Summary

Manage non-authentication related files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_non_security_dirs( domain )
Summary

Allow attempts to manage non-security directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_non_security_files( domain )
Summary

Manage all non-security files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_root_files( domain )
Summary

Create a core file in /.

Description

Create a core file in /,

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_system_conf_files( domain )
Summary

Manage manageable system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_system_db_files( domain )
Summary

Manage manageable system db files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_urandom_seed( domain )
Summary

Create, read, write, and delete the pseudorandom number generator seed.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_usr_files( domain )
Summary

Create, read, write, and delete files in the /usr directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_var_dirs( domain )
Summary

Create, read, write, and delete directories in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_var_files( domain )
Summary

Create, read, write, and delete files in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_var_lib_symlinks( domain )
Summary

Manage generic symbolic links in the /var/lib directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_manage_var_symlinks( domain )
Summary

Create, read, write, and delete symbolic links in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mount_all_file_type_fs( domain )
Summary

Mount all filesystems with the type of a file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_all_mountpoints( domain )
Summary

Mount a filesystem on all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_all_poly_members( domain )
Summary

Mount filesystems on all polyinstantiation member directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_default( domain )
Summary

Mount a filesystem on a directory with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_etc( domain )
Summary

Mounton directories on filesystem /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_isid( domain )
Summary

Mounton directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_isid_type_chr_file( domain )
Summary

Mount a filesystem on a new chr_file that has not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_isid_type_dirs( domain )
Summary

Mount a filesystem on a directory on new filesystems that has not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_mnt( domain )
Summary

Mount a filesystem on /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_non_security( domain )
Summary

Mount a filesystem on all non-security directories and files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mounton_rootfs( domain )
Summary

Mount a filesystem on the root file system.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_mountpoint( type )
Summary

Make the specified type usable for filesystem mount points.

Parameters
Parameter:Description:
type

Type to be used for mount points.

files_mountpoint_filetrans( domain , private_type , object_class , name )
Summary

Create a private type object in a mount point directory with an automatic type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

private_type

The type of the object to be created.

object_class

The object class of the object being created.

name

The name of the object being created.

files_pid_file( type )
Summary

Make the specified type usable for runtime process ID files.

Description

Make the specified type usable for runtime process ID files, typically found in /var/run. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a PID file type may result in problems with starting or stopping services.

Related interfaces:

  • files_pid_filetrans()

Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:

    type mypidfile_t;
    files_pid_file(mypidfile_t)
    allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
    files_pid_filetrans(mydomain_t, mypidfile_t, file)

Parameters
Parameter:Description:
type

Type to be used for PID files.

files_pid_filetrans( domain , private type , object , name )
Summary

Create an object in the process ID directory, with a private type.

Description

Create an object in the process ID directory (e.g., /var/run) with a private type. Typically this is used for creating private PID files in /var/run with the private type instead of the general PID file type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.

Related interfaces:

  • files_pid_file()

Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:

    type mypidfile_t;
    files_pid_file(mypidfile_t)
    allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
    files_pid_filetrans(mydomain_t, mypidfile_t, file)

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

files_pid_filetrans_lock_dir( domain , name )
Summary

Create a generic lock directory within the run directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

name

The name of the object being created.

files_poly( file_type )
Summary

Make the specified type a polyinstantiated directory.

Parameters
Parameter:Description:
file_type

Type of the file to be used as a polyinstantiated directory.

files_poly_member( file_type )
Summary

Make the specified type a polyinstantiation member directory.

Parameters
Parameter:Description:
file_type

Type of the file to be used as a member directory.

files_poly_member_tmp( domain , file_type )
Summary

Make the domain use the specified type of polyinstantiated directory.

Parameters
Parameter:Description:
domain

Domain using the polyinstantiated directory.

file_type

Type of the file to be used as a member directory.

files_poly_parent( file_type )
Summary

Make the specified type a parent of a polyinstantiated directory.

Parameters
Parameter:Description:
file_type

Type of the file to be used as a parent directory.

files_polyinstantiate_all( domain )
Summary

Allow access to manage all polyinstantiated directories on the system.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_purge_tmp( domain )
Summary

Delete the contents of /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_base_ro_files( domain )
Summary

Read all ro base files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_blk_files( domain )
Summary

Read all block nodes with file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_chr_files( domain )
Summary

Read all character nodes with file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_dirs_except( domain , exception_types )
Summary

Read all directories on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

files_read_all_files( domain )
Summary

Read all files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_files_except( domain , exception_types )
Summary

Read all files on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

files_read_all_locks( domain )
Summary

Read all lock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_mountpoint_symlinks( domain )
Summary

Read all mountpoint symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_pids( domain )
Summary

Read all process ID files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_symlinks( domain )
Summary

Read all symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_all_symlinks_except( domain , exception_types )
Summary

Read all symbolic links on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.
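
Added example (not part of the reference policy or its documentation): how a caller passes negated types in the exception_types argument of files_read_all_dirs_except(), files_read_all_files_except() and files_read_all_symlinks_except(). The domain mybackup_t and the type mybackup_key_t are hypothetical; shadow_t is assumed to be the type the loaded policy assigns to /etc/shadow.

```selinux
policy_module(mybackup, 1.0.0)

# Hypothetical domain for a backup agent (example name, not from the policy).
type mybackup_t;
domain_type(mybackup_t)

# Hypothetical private type for the agent's own key material.
type mybackup_key_t;
files_type(mybackup_key_t)

# Assumption: shadow_t is declared by another module in the loaded policy
# and labels /etc/shadow.
gen_require(`
	type shadow_t;
')

# Broad form, with no exclusions at all:
# files_read_all_files(mybackup_t)

# Narrower form: the caller negates every excluded type with a leading "-".
# Several exclusions go in the same argument, separated by spaces, because
# a comma would start the next macro argument.
files_read_all_dirs_except(mybackup_t, -shadow_t -mybackup_key_t)
files_read_all_files_except(mybackup_t, -shadow_t -mybackup_key_t)
files_read_all_symlinks_except(mybackup_t, -shadow_t -mybackup_key_t)

# Check after loading the module: for a domain that has only the rules
# above, this query is expected to return no allow rules.
#   sesearch -A -s mybackup_t -t shadow_t -c file -p read
```

Passing a type without the leading "-" does not exclude it, so the check in the last comment is worth running for every type that must stay out of reach.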

files_read_all_tmp_files( domain )
Summary

Read all tmp files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_boot_files( domain )
Summary

Read files in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_boot_symlinks( domain )
Summary

Read symbolic links in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_config_files( domain )
Summary

Read config files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_default_files( domain )
Summary

Read files with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_default_pipes( domain )
Summary

Read named pipes with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_default_sockets( domain )
Summary

Read sockets with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_default_symlinks( domain )
Summary

Read symbolic links with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_etc_files( domain )
Summary

Read generic files in /etc.

Description

Allow the specified domain to read generic files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:

  • /etc/fstab

  • /etc/passwd

  • /etc/services

  • /etc/shells

This interface does not include access to /etc/shadow.

Generally, it is safe for many domains to have this access. However, since this interface provides access to the /etc/passwd file, caution must be exercised, as user account names can be leaked through this access.

Related interfaces:

  • auth_read_shadow()

  • files_read_etc_runtime_files()

  • seutil_read_config()

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_etc_runtime_files( domain )
Summary

Read files in /etc that are dynamically created on boot, such as mtab.

Description

Allow the specified domain to read dynamically created configuration files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:

  • /etc/motd

  • /etc/mtab

  • /etc/nologin

This interface does not include access to /etc/shadow.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_etc_symlinks( domain )
Summary

Read symbolic links in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_generic_pids( domain )
Summary

Read generic process ID files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_generic_spool( domain )
Summary

Read generic spool files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_generic_tmp_files( domain )
Summary

Read files in the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_generic_tmp_symlinks( domain )
Summary

Read symbolic links in the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_inherited_tmp_files( domain )
Summary

Allow caller to read inherited tmp files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_isid_type_files( domain )
Summary

Read files on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_kernel_img( domain )
Summary

Read kernel files in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_kernel_modules( domain )
Summary

Read kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_kernel_symbol_table( domain )
Summary

Read system.map in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_mnt_files( domain )
Summary

Read files in /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_mnt_symlinks( domain )
Summary

Read symbolic links in /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_non_auth_files( domain )
Summary

Read all non-authentication related files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_non_auth_symlinks( domain )
Summary

Read all non-authentication related symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_non_security_files( domain )
Summary

Read all non-security files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_system_conf_files( domain )
Summary

Read manageable system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_usr_files( domain )
Summary

Read generic files in /usr.

Description

Allow the specified domain to read generic files in /usr. These files are various program files that do not have more specific SELinux types. Some examples of these files are:

  • /usr/include/*

  • /usr/share/doc/*

  • /usr/share/info/*

Generally, it is safe for many domains to have this access.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_usr_src_files( domain )
Summary

Read files in /usr/src.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_usr_symlinks( domain )
Summary

Read symbolic links in /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_var_files( domain )
Summary

Read files in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_var_lib_files( domain )
Summary

Read generic files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_var_lib_symlinks( domain )
Summary

Read generic symbolic links in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_var_symlinks( domain )
Summary

Read symbolic links in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_world_readable_files( domain )
Summary

Read world-readable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_world_readable_pipes( domain )
Summary

Read world-readable named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_world_readable_sockets( domain )
Summary

Read world-readable sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_read_world_readable_symlinks( domain )
Summary

Read world-readable symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_file_type_fs( domain )
Summary

Relabel a filesystem to the type of a file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_files( domain , exception_types )
Summary

Relabel all files on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

files_relabel_all_lock_dirs( domain )
Summary

Relabel to and from all lock directory types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_lock_files( domain )
Summary

Relabel to and from all lock file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_pid_dirs( domain )
Summary

Relabel all pid directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_pid_files( domain )
Summary

Relabel all pid files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_spool_dirs( domain )
Summary

Relabel to and from all spool directory types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_tmp_dirs( domain )
Summary

Relabel to and from all temporary directory types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_all_tmp_files( domain )
Summary

Relabel to and from all temporary file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_base_file_types( domain )
Summary

Relabel all base file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_config_dirs( domain )
Summary

Relabel configuration directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_config_files( domain )
Summary

Relabel configuration files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_etc_files( domain )
Summary

Relabel from and to generic files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_kernel_modules( domain )
Summary

Relabel from and to kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_non_auth_files( domain )
Summary

Relabel all non-authentication related files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_non_security_files( domain )
Summary

Relabel all non-security files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_rootfs( domain )
Summary

Relabel a rootfs filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_var_dirs( domain )
Summary

Relabel dirs in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabel_var_lib_dirs( domain )
Summary

Relabel dirs in the /var/lib directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_boot_files( domain )
Summary

Relabel from files in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_isid_type( domain )
Summary

Relabelfrom all file objects on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_system_conf_files( domain )
Summary

Relabel manageable system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_tmp_dirs( domain )
Summary

Relabel a dir from the type used in /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_tmp_files( domain )
Summary

Relabel a file from the type used in /tmp.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelfrom_usr_files( domain )
Summary

Relabel a file from the type used in /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_all_file_type_fs( domain )
Summary

Relabel a filesystem to the type of a file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_all_mountpoints( domain )
Summary

Set the attributes of all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_boot_files( domain )
Summary

Relabel to files in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_home( domain )
Summary

Relabel to user home root (/home).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_system_conf_files( domain )
Summary

Relabel manageable system configuration files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_usr_files( domain )
Summary

Relabel a file to the type used in /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_relabelto_var_lib_dirs( domain )
Summary

Relabel to dirs in the /var/lib directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_ro_base_file( file_type )
Summary

Make the specified type a base read only file.

Description

Make the specified type readable for all domains.

Parameters
Parameter:Description:
file_type

Type to be used as a base read only files.

files_root_filetrans( domain , private type , object , name )
Summary

Create an object in the root directory, with a private type using a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

files_root_filetrans_default( domain , object )
Summary

Create default_t objects with an automatic type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The class of the object being created.

files_rw_all_files( domain , exception_types )
Summary

Read and write all files on the filesystem, except the listed exceptions.

Parameters
Parameter:Description:
domain

Domain allowed access.

exception_types

The types to be excluded. Each type or attribute must be negated by the caller.

files_rw_all_inherited_files( domain , object_type )
Summary

Read and write any files inherited from another process.

Parameters
Parameter:Description:
domain

Domain allowed access.

object_type

Object type.

files_rw_boot_symlinks( domain )
Summary

Read and write symbolic links in the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_etc_dirs( domain )
Summary

Add and remove entries from /etc directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_etc_files( domain )
Summary

Read and write generic files in /etc.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_etc_runtime_files( domain )
Summary

Read and write files in /etc that are dynamically created on boot, such as mtab.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_generic_pids( domain )
Summary

Read and write generic process ID files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_generic_tmp_dir( domain )
Summary

Allow read and write to the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain not to audit.

files_rw_generic_tmp_sockets( domain )
Summary

Read and write generic named sockets in the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_inherited_generic_pid_files( domain )
Summary

Read and write generic pid files inherited from another process.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_inherited_isid_type_files( domain )
Summary

Read and write any files inherited from another process on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_inherited_non_security_files( domain )
Summary

Read/Write all inherited non-security files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_inherited_tmp_file( domain )
Summary

Allow caller to read and write inherited tmp files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_isid_type_blk_files( domain )
Summary

Read and write block device nodes on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_isid_type_dirs( domain )
Summary

Read and write directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_lock_dirs( domain )
Summary

Add and remove entries in the /var/lock directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_non_auth_files( domain )
Summary

Read and write non-authentication related files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_pid_dirs( domain )
Summary

Add and remove entries from pid directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_tmp_file_leaks( domain )
Summary

Allow attempts to read or write all leaked tmpfiles files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_rw_tmpfs_files( domain )
Summary

Allow read and write access to all tmpfs files.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_rw_usr_dirs( domain )
Summary

Add and remove entries from /usr directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_var_files( domain )
Summary

Read and write files in the /var directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_rw_var_lib_dirs( domain )
Summary

Read-write /var/lib directories

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_all( domain )
Summary

Search the contents of all directories on extended attribute filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_all_mountpoints( domain )
Summary

Search all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_all_pids( domain )
Summary

Allow search of all /var/run directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_search_base_file_types( domain )
Summary

Search all base file dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_boot( domain )
Summary

Search the /boot directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_default( domain )
Summary

Search the contents of directories with the default file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_etc( domain )
Summary

Search the contents of /etc directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_home( domain )
Summary

Search home directories root (/home).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_kernel_modules( domain )
Summary

Search the contents of the kernel module directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_locks( domain )
Summary

Search the locks directory (/var/lock).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_mnt( domain )
Summary

Search the contents of /mnt.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_pids( domain )
Summary

Search the contents of runtime process ID directories (/var/run).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_spool( domain )
Summary

Search the contents of generic spool directories (/var/spool).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_tmp( domain )
Summary

Search the tmp directory (/tmp).

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_usr( domain )
Summary

Search the content of /usr.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_var( domain )
Summary

Search the contents of /var.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_search_var_lib( domain )
Summary

Search the /var/lib directory.

Description

Search the /var/lib directory. This is necessary to access files or directories under /var/lib that have a private type. For example, a domain accessing a private library file in the /var/lib directory:

    allow mydomain_t mylibfile_t:file read_file_perms;
    files_search_var_lib(mydomain_t)

Parameters
Parameter:Description:
domain

Domain allowed access.

files_security_file( file_type )
Summary

Make the specified type a file that should not be dontaudited from browsing from user domains.

Parameters
Parameter:Description:
file_type

Type of the file to be used as a member directory.

files_security_mountpoint( type )
Summary

Make the specified type usable for security file filesystem mount points.

Parameters
Parameter:Description:
type

Type to be used for mount points.

files_setattr_all_mountpoints( domain )
Summary

Set the attributes of all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_all_tmp_dirs( domain )
Summary

Set the attributes of all tmp directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_etc_dirs( domain )
Summary

Set the attributes of the /etc directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_isid_type_dirs( domain )
Summary

Setattr of directories on new filesystems that have not yet been labeled.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_lock_dirs( domain )
Summary

Set the attributes of the /var/lock directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_non_security_dirs( domain )
Summary

Allow attempts to setattr any directory

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_pid_dirs( domain )
Summary

Set the attributes of the /var/run directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_root_dirs( domain )
Summary

Set attributes of the root directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_setattr_usr_dirs( domain )
Summary

Set the attributes of the /usr directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_spool_file( file_type )
Summary

Make the specified type a file used for spool files.

Description

Make the specified type usable for spool files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a spool file may result in problems with purging spool files.

Related interfaces:

  • files_spool_filetrans()

Example usage with a domain that can create and write its spool file in the system spool file directories (/var/spool):

    type myfile_spool_t;
    files_spool_file(myfile_spool_t)
    allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
    files_spool_filetrans(mydomain_t, myfile_spool_t, file)

Parameters
Parameter:Description:
file_type

Type of the file to be used as a spool file.

files_spool_filetrans( domain , file , class , name )
Summary

Create objects in the spool directory with a private type with a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

file

Type to which the created node will be transitioned.

class

Object class(es) (single or set including {}) for which this transition will occur.

name

The name of the object being created.

files_status_etc( domain )
Summary

Get the status of etc_t files

Parameters
Parameter:Description:
domain

Domain allowed access.

files_stub_etc( domain )
Summary

files stub etc_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_tmp( domain )
Summary

files stub tmp_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var( domain )
Summary

files stub var_run_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var_lib( domain )
Summary

files stub var_lib_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var_lock( domain )
Summary

files stub var_lock_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var_log( domain )
Summary

files stub var_log_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var_run( domain )
Summary

files stub var_run_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_stub_var_spool( domain )
Summary

files stub var_run_t interface. No access allowed.

Parameters
Parameter:Description:
domain

Domain allowed access

files_tmp_file( file_type )
Summary

Make the specified type a file used for temporary files.

Description

Make the specified type usable for temporary files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with purging temporary files.

Related interfaces:

  • files_tmp_filetrans()

Example usage with a domain that can create and write its temporary file in the system temporary file directories (/tmp or /var/tmp):

    type mytmpfile_t;
    files_tmp_file(mytmpfile_t)
    allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
    files_tmp_filetrans(mydomain_t, mytmpfile_t, file)

Parameters
Parameter:Description:
file_type

Type of the file to be used as a temporary file.
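
The pairing described for files_spool_file() and files_tmp_file() (mark the private type before passing it to the matching *_filetrans interface) can be checked mechanically. The following Python lint is an added example, not part of the reference policy or its tooling; lint_policy, SAMPLE_TE and the mydaemon_* names are hypothetical, and it reads .te source text only, without expanding macros.

```python
import re

# *_filetrans interface -> the interface that must first mark its private type
# (the two pairings documented on this page).
REQUIRED_MARKER = {
    "files_tmp_filetrans": "files_tmp_file",
    "files_spool_filetrans": "files_spool_file",
}
CALL_RE = re.compile(r"\b(\w+)\(([^()]*)\)")
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\b", re.MULTILINE)

# Constructed sample policy: the spool marker call misspells the type name.
SAMPLE_TE = """
policy_module(mydaemon, 1.0)
type mydaemon_t;
type mydaemon_tmp_t;
files_tmp_file(mydaemon_tmp_t)
files_tmp_filetrans(mydaemon_t, mydaemon_tmp_t, file)

type mydaemon_spool_t;
files_spool_file(mydaemon_spol_t)  # typo: marks a type that was never declared
files_spool_filetrans(mydaemon_t, mydaemon_spool_t, { file dir })
"""


def lint_policy(te_source):
    """Return sorted (type, problem) findings for a .te source string."""
    source = re.sub(r"#.*", "", te_source)      # drop comments
    declared = set(TYPE_RE.findall(source))     # names introduced by 'type X'
    marked = {}                                 # type -> marker interfaces seen
    transitions = []                            # (interface, private_type)
    for name, raw_args in CALL_RE.findall(source):
        args = [a.strip() for a in raw_args.split(",")]
        if name in REQUIRED_MARKER.values() and args[0]:
            marked.setdefault(args[0], set()).add(name)
        elif name in REQUIRED_MARKER and len(args) >= 2:
            transitions.append((name, args[1]))
    findings = set()
    for marked_type in marked:
        if marked_type not in declared:
            findings.add((marked_type, "marked but never declared with 'type'"))
    for interface, private_type in transitions:
        if private_type not in declared:
            findings.add((private_type, "used in %s but never declared" % interface))
        need = REQUIRED_MARKER[interface]
        if need not in marked.get(private_type, set()):
            findings.add((private_type, "used in %s without %s()" % (interface, need)))
    return sorted(findings)


if __name__ == "__main__":
    for type_name, problem in lint_policy(SAMPLE_TE):
        print("%s: %s" % (type_name, problem))
```

A single misspelled type name produces two findings: the marker call names an undeclared type, and the real spool type reaches files_spool_filetrans() unmarked.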

files_tmp_filetrans( domain , private type , object , name )
Summary

Create an object in the tmp directories, with a private type using a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

files_tmpfs_file( type )
Summary

Transform the type into a file, for use on a virtual memory filesystem (tmpfs).

Parameters
Parameter:Description:
type

The type to be transformed.

files_type( type )
Summary

Make the specified type usable for files in a filesystem.

Description

Make the specified type usable for files in a filesystem. Types used for files that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running. If the type is used for device nodes (character or block files), then the dev_node() interface is more appropriate.

Related interfaces:

  • application_domain()

  • application_executable_file()

  • corecmd_executable_file()

  • init_daemon_domain()

  • init_domain()

  • init_ranged_daemon_domain()

  • init_ranged_domain()

  • init_ranged_system_domain()

  • init_script_file()

  • init_script_domain()

  • init_system_domain()

  • files_config_file()

  • files_lock_file()

  • files_mountpoint()

  • files_pid_file()

  • files_security_file()

  • files_security_mountpoint()

  • files_spool_file()

  • files_tmp_file()

  • files_tmpfs_file()

  • logging_log_file()

  • userdom_user_home_content()

Example:

    type myfile_t;
    files_type(myfile_t)
    allow mydomain_t myfile_t:file read_file_perms;

Parameters
Parameter:Description:
type

Type to be used for files.

files_unconfined( domain )
Summary

Unconfined access to files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_unmount_all_file_type_fs( domain )
Summary

Unmount all filesystems with the type of a file.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_unmount_rootfs( domain )
Summary

Unmount a rootfs filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_usr_filetrans( domain , file_type , object_class , name )
Summary

Create objects in the /usr directory

Parameters
Parameter:Description:
domain

Domain allowed access.

file_type

The type of the object to be created

object_class

The object class.

name

The name of the object being created.

files_var_filetrans( domain , file_type , object_class , name )
Summary

Create objects in the /var directory

Parameters
Parameter:Description:
domain

Domain allowed access.

file_type

The type of the object to be created

object_class

The object class.

name

The name of the object being created.

files_var_lib_filetrans( domain , file_type , object_class , name )
Summary

Create objects in the /var/lib directory

Parameters
Parameter:Description:
domain

Domain allowed access.

file_type

The type of the object to be created

object_class

The object class.

name

The name of the object being created.

files_write_all_dirs( domain )
Summary

Write all file type directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_all_mountpoints( domain )
Summary

Write all mount points.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_all_pid_sockets( domain )
Summary

Write all sockets in the /var/run directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_generic_pid_pipes( domain )
Summary

Write named generic process ID pipes

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_kernel_modules( domain )
Summary

Write kernel module files.

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_non_security_dirs( domain )
Summary

Allow attempts to modify any directory

Parameters
Parameter:Description:
domain

Domain allowed access.

files_write_root_dirs( domain )
Summary

Do not audit attempts to write to / dirs.

Parameters
Parameter:Description:
domain

Domain to not audit.

files_write_var_dirs( domain )
Summary

Allow attempts to write to /var dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.
