-rw-r--r-- | doc/policy.xml | 4320 | ||||
-rw-r--r-- | policy/booleans.conf | 103 | ||||
-rw-r--r-- | policy/modules.conf | 49 |
3 files changed, 2651 insertions, 1821 deletions
diff --git a/doc/policy.xml b/doc/policy.xml index ec78d338..e96f1ea2 100644 --- a/doc/policy.xml +++ b/doc/policy.xml @@ -5634,7 +5634,28 @@ The domain for which gpg_exec_t is an entrypoint. </summary> </param> </interface> -<interface name="gpg_signal" lineno="208"> +<interface name="gpg_agent_exec" lineno="208"> +<summary> +Execute the gpg_agent in the caller domain. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="gpg_agent_entry_type" lineno="228"> +<summary> +Make gpg_agent executable files an +entrypoint for the specified domain. +</summary> +<param name="domain"> +<summary> +The domain for which gpg_agent_exec_t is an entrypoint. +</summary> +</param> +</interface> +<interface name="gpg_signal" lineno="246"> <summary> Send generic signals to gpg. </summary> @@ -5644,7 +5665,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="gpg_rw_agent_pipes" lineno="226"> +<interface name="gpg_rw_agent_pipes" lineno="264"> <summary> Read and write gpg agent pipes. </summary> @@ -5654,7 +5675,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="gpg_stream_connect_agent" lineno="244"> +<interface name="gpg_stream_connect_agent" lineno="282"> <summary> Connect to gpg agent socket </summary> @@ -5664,7 +5685,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="gpg_search_agent_tmp_dirs" lineno="266"> +<interface name="gpg_search_agent_tmp_dirs" lineno="304"> <summary> Search gpg agent dirs. </summary> @@ -5674,7 +5695,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="gpg_agent_tmp_filetrans" lineno="300"> +<interface name="gpg_agent_tmp_filetrans" lineno="338"> <summary> filetrans in gpg_agent_tmp_t dirs </summary> 
@@ -5700,7 +5721,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="gpg_runtime_filetrans" lineno="335"> +<interface name="gpg_runtime_filetrans" lineno="373"> <summary> filetrans in gpg_runtime_t dirs </summary> @@ -5726,7 +5747,17 @@ The name of the object being created. </summary> </param> </interface> -<interface name="gpg_secret_filetrans" lineno="370"> +<interface name="gpg_dontaudit_getattr_gpg_runtime_dirs" lineno="392"> +<summary> +Do not audit attempt to getattr gpg runtime dirs. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="gpg_secret_filetrans" lineno="428"> <summary> filetrans in gpg_secret_t dirs </summary> @@ -5752,7 +5783,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="gpg_pinentry_dbus_chat" lineno="391"> +<interface name="gpg_pinentry_dbus_chat" lineno="449"> <summary> Send messages to and from gpg pinentry over DBUS. @@ -5763,7 +5794,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="gpg_dontaudit_search_user_secrets" lineno="412"> +<interface name="gpg_dontaudit_search_user_secrets" lineno="470"> <summary> Do not audit attempts to search gpg user secrets. @@ -5774,7 +5805,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="gpg_list_user_secrets" lineno="430"> +<interface name="gpg_list_user_secrets" lineno="490"> <summary> List gpg user secrets. </summary> @@ -5784,6 +5815,16 @@ Domain allowed access. </summary> </param> </interface> +<interface name="gpg_dontaudit_search_user_secrets_dirs" lineno="509"> +<summary> +Do not audit attempt to search gpg user secrets dirs. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> <tunable name="gpg_agent_env_file" dftval="false"> <desc> <p> 
@@ -7384,6 +7425,14 @@ writable memory </p> </desc> </tunable> +<tunable name="pulseaudio_can_network" dftval="false"> +<desc> +<p> +Determine whether pulseaudio +can use the network. +</p> +</desc> +</tunable> </module> <module name="qemu" filename="policy/modules/apps/qemu.if"> <summary>QEMU machine emulator and virtualizer.</summary> @@ -8618,7 +8667,7 @@ Role allowed access </summary> </param> </template> -<interface name="wm_exec" lineno="126"> +<interface name="wm_exec" lineno="132"> <summary> Execute wm in the caller domain. </summary> @@ -8628,7 +8677,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="wm_dbus_chat" lineno="152"> +<template name="wm_dbus_chat" lineno="158"> <summary> Send and receive messages from specified wm over dbus. @@ -8645,7 +8694,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="wm_dontaudit_exec_tmp_files" lineno="173"> +<interface name="wm_dontaudit_exec_tmp_files" lineno="179"> <summary> Do not audit attempts to execute files in temporary directories. @@ -8656,7 +8705,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="wm_dontaudit_exec_tmpfs_files" lineno="192"> +<interface name="wm_dontaudit_exec_tmpfs_files" lineno="198"> <summary> Do not audit attempts to execute files in temporary filesystems. @@ -8667,7 +8716,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="wm_application_domain" lineno="235"> +<interface name="wm_application_domain" lineno="241"> <summary> Create a domain for applications that are launched by the window @@ -8702,7 +8751,7 @@ Type to be used as the source window manager domain. </param> <infoflow type="none"/> </interface> -<template name="wm_write_pipes" lineno="260"> +<template name="wm_write_pipes" lineno="266"> <summary> Write wm unnamed pipes. </summary> 
@@ -8747,6 +8796,34 @@ Role allowed access </summary> </param> </template> +<interface name="xscreensaver_domtrans" lineno="69"> +<summary> +Make a domain transition to the +xscreensaver target domain. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="xscreensaver_run" lineno="95"> +<summary> +Execute xscreensaver in the xscreensaver +domain, and allow the specified role +the xscreensaver domain. +</summary> +<param name="domain"> +<summary> +Domain allowed to transition. +</summary> +</param> +<param name="role"> +<summary> +Role allowed access. +</summary> +</param> +</interface> <tunable name="xscreensaver_read_generic_user_content" dftval="true"> <desc> <p> @@ -57198,7 +57275,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_infiniband" lineno="2417"> +<interface name="dev_read_iio" lineno="2417"> +<summary> +Allow read/write access to InfiniBand devices. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dev_rw_infiniband" lineno="2435"> <summary> Allow read/write access to InfiniBand devices. </summary> @@ -57208,7 +57295,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_kmsg" lineno="2435"> +<interface name="dev_read_kmsg" lineno="2453"> <summary> Read the kernel messages </summary> @@ -57218,7 +57305,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_read_kmsg" lineno="2453"> +<interface name="dev_dontaudit_read_kmsg" lineno="2471"> <summary> Do not audit attempts to read the kernel messages </summary> @@ -57228,7 +57315,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_kmsg" lineno="2471"> +<interface name="dev_write_kmsg" lineno="2489"> <summary> Write to the kernel messages device </summary> 
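Review bot: The summary of the new `dev_read_iio` interface (hunk `@@ -57198,7 +57275,17 @@`) reads "Allow read/write access to InfiniBand devices.", which is the text of the neighbouring `dev_rw_infiniband` and matches neither the interface name nor a read-only grant. Anyone auditing device-node access from this documentation would be misled about both the device class and the access level. The `lineno` attributes suggest this file is generated from the interface sources, so the wording should be corrected there and the file regenerated. Something like `Read IIO devices.` would fit if the interface body grants read access only; confirm against the interface definition, which is not visible on this page.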
@@ -57238,7 +57325,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_kmsg" lineno="2489"> +<interface name="dev_rw_kmsg" lineno="2507"> <summary> Read and write to the kernel messages device </summary> @@ -57248,7 +57335,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mounton_kmsg" lineno="2507"> +<interface name="dev_mounton_kmsg" lineno="2525"> <summary> Mount on the kernel messages device </summary> @@ -57258,7 +57345,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_ksm_dev" lineno="2525"> +<interface name="dev_getattr_ksm_dev" lineno="2543"> <summary> Get the attributes of the ksm devices. </summary> @@ -57268,7 +57355,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_ksm_dev" lineno="2543"> +<interface name="dev_setattr_ksm_dev" lineno="2561"> <summary> Set the attributes of the ksm devices. </summary> @@ -57278,7 +57365,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_ksm" lineno="2561"> +<interface name="dev_read_ksm" lineno="2579"> <summary> Read the ksm devices. </summary> @@ -57288,7 +57375,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_ksm" lineno="2579"> +<interface name="dev_rw_ksm" lineno="2597"> <summary> Read and write to ksm devices. </summary> @@ -57298,7 +57385,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_kvm_dev" lineno="2597"> +<interface name="dev_getattr_kvm_dev" lineno="2615"> <summary> Get the attributes of the kvm devices. </summary> @@ -57308,7 +57395,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_kvm_dev" lineno="2615"> +<interface name="dev_setattr_kvm_dev" lineno="2633"> <summary> Set the attributes of the kvm devices. </summary> 
@@ -57318,7 +57405,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_kvm" lineno="2633"> +<interface name="dev_read_kvm" lineno="2651"> <summary> Read the kvm devices. </summary> @@ -57328,7 +57415,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_kvm" lineno="2651"> +<interface name="dev_rw_kvm" lineno="2669"> <summary> Read and write to kvm devices. </summary> @@ -57338,7 +57425,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_lirc" lineno="2669"> +<interface name="dev_read_lirc" lineno="2687"> <summary> Read the lirc device. </summary> @@ -57348,7 +57435,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_lirc" lineno="2687"> +<interface name="dev_rw_lirc" lineno="2705"> <summary> Read and write the lirc device. </summary> @@ -57358,7 +57445,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_lirc" lineno="2711"> +<interface name="dev_filetrans_lirc" lineno="2729"> <summary> Automatic type transition to the type for lirc device nodes when created in /dev. @@ -57374,7 +57461,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_rw_loop_control" lineno="2729"> +<interface name="dev_rw_loop_control" lineno="2747"> <summary> Read and write the loop-control device. </summary> @@ -57384,7 +57471,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_lvm_control" lineno="2747"> +<interface name="dev_getattr_lvm_control" lineno="2765"> <summary> Get the attributes of the lvm comtrol device. </summary> @@ -57394,7 +57481,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_lvm_control" lineno="2765"> +<interface name="dev_read_lvm_control" lineno="2783"> <summary> Read the lvm comtrol device. </summary> 
@@ -57404,7 +57491,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_lvm_control" lineno="2783"> +<interface name="dev_rw_lvm_control" lineno="2801"> <summary> Read and write the lvm control device. </summary> @@ -57414,7 +57501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_lvm_control" lineno="2801"> +<interface name="dev_dontaudit_rw_lvm_control" lineno="2819"> <summary> Do not audit attempts to read and write lvm control device. </summary> @@ -57424,7 +57511,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_delete_lvm_control_dev" lineno="2819"> +<interface name="dev_delete_lvm_control_dev" lineno="2837"> <summary> Delete the lvm control device. </summary> @@ -57434,7 +57521,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_memory_dev" lineno="2837"> +<interface name="dev_dontaudit_getattr_memory_dev" lineno="2855"> <summary> dontaudit getattr raw memory devices (e.g. /dev/mem). </summary> @@ -57444,7 +57531,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_raw_memory" lineno="2858"> +<interface name="dev_read_raw_memory" lineno="2876"> <summary> Read raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57457,7 +57544,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_raw_memory_cond" lineno="2888"> +<interface name="dev_read_raw_memory_cond" lineno="2906"> <summary> Read raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57475,7 +57562,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_dontaudit_read_raw_memory" lineno="2915"> +<interface name="dev_dontaudit_read_raw_memory" lineno="2933"> <summary> Do not audit attempts to read raw memory devices (e.g. /dev/mem). 
@@ -57489,7 +57576,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_raw_memory" lineno="2936"> +<interface name="dev_write_raw_memory" lineno="2954"> <summary> Write raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57502,7 +57589,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_raw_memory_cond" lineno="2966"> +<interface name="dev_write_raw_memory_cond" lineno="2984"> <summary> Write raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57520,7 +57607,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_rx_raw_memory" lineno="2992"> +<interface name="dev_rx_raw_memory" lineno="3010"> <summary> Read and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57533,7 +57620,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_wx_raw_memory" lineno="3014"> +<interface name="dev_wx_raw_memory" lineno="3032"> <summary> Write and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57546,7 +57633,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_wx_raw_memory_cond" lineno="3041"> +<interface name="dev_wx_raw_memory_cond" lineno="3059"> <summary> Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57564,7 +57651,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_getattr_misc_dev" lineno="3064"> +<interface name="dev_getattr_misc_dev" lineno="3082"> <summary> Get the attributes of miscellaneous devices. </summary> 
@@ -57574,7 +57661,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_misc_dev" lineno="3083"> +<interface name="dev_dontaudit_getattr_misc_dev" lineno="3101"> <summary> Do not audit attempts to get the attributes of miscellaneous devices. @@ -57585,7 +57672,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_misc_dev" lineno="3101"> +<interface name="dev_setattr_misc_dev" lineno="3119"> <summary> Set the attributes of miscellaneous devices. </summary> @@ -57595,7 +57682,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_misc_dev" lineno="3120"> +<interface name="dev_dontaudit_setattr_misc_dev" lineno="3138"> <summary> Do not audit attempts to set the attributes of miscellaneous devices. @@ -57606,7 +57693,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_misc" lineno="3138"> +<interface name="dev_read_misc" lineno="3156"> <summary> Read miscellaneous devices. </summary> @@ -57616,7 +57703,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_misc" lineno="3156"> +<interface name="dev_write_misc" lineno="3174"> <summary> Write miscellaneous devices. </summary> @@ -57626,7 +57713,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_misc" lineno="3174"> +<interface name="dev_dontaudit_rw_misc" lineno="3192"> <summary> Do not audit attempts to read and write miscellaneous devices. </summary> @@ -57636,7 +57723,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_modem_dev" lineno="3192"> +<interface name="dev_getattr_modem_dev" lineno="3210"> <summary> Get the attributes of the modem devices. </summary> 
@@ -57646,7 +57733,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_modem_dev" lineno="3210"> +<interface name="dev_setattr_modem_dev" lineno="3228"> <summary> Set the attributes of the modem devices. </summary> @@ -57656,7 +57743,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_modem" lineno="3228"> +<interface name="dev_read_modem" lineno="3246"> <summary> Read the modem devices. </summary> @@ -57666,7 +57753,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_modem" lineno="3246"> +<interface name="dev_rw_modem" lineno="3264"> <summary> Read and write to modem devices. </summary> @@ -57676,7 +57763,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_mouse_dev" lineno="3264"> +<interface name="dev_getattr_mouse_dev" lineno="3282"> <summary> Get the attributes of the mouse devices. </summary> @@ -57686,7 +57773,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_mouse_dev" lineno="3282"> +<interface name="dev_setattr_mouse_dev" lineno="3300"> <summary> Set the attributes of the mouse devices. </summary> @@ -57696,7 +57783,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_mouse" lineno="3300"> +<interface name="dev_read_mouse" lineno="3318"> <summary> Read the mouse devices. </summary> @@ -57706,7 +57793,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_mouse" lineno="3318"> +<interface name="dev_rw_mouse" lineno="3336"> <summary> Read and write to mouse devices. </summary> @@ -57716,7 +57803,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_mtrr_dev" lineno="3337"> +<interface name="dev_getattr_mtrr_dev" lineno="3355"> <summary> Get the attributes of the memory type range registers (MTRR) device. 
@@ -57727,7 +57814,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_write_mtrr" lineno="3357"> +<interface name="dev_dontaudit_write_mtrr" lineno="3375"> <summary> Do not audit attempts to write the memory type range registers (MTRR). @@ -57738,7 +57825,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_mtrr" lineno="3376"> +<interface name="dev_rw_mtrr" lineno="3394"> <summary> Read and write the memory type range registers (MTRR). </summary> @@ -57748,7 +57835,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_null_dev" lineno="3395"> +<interface name="dev_getattr_null_dev" lineno="3413"> <summary> Get the attributes of the null device nodes. </summary> @@ -57758,7 +57845,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_null_dev" lineno="3413"> +<interface name="dev_setattr_null_dev" lineno="3431"> <summary> Set the attributes of the null device nodes. </summary> @@ -57768,7 +57855,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_null_dev" lineno="3432"> +<interface name="dev_dontaudit_setattr_null_dev" lineno="3450"> <summary> Do not audit attempts to set the attributes of the null device nodes. @@ -57779,7 +57866,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_delete_null" lineno="3450"> +<interface name="dev_delete_null" lineno="3468"> <summary> Delete the null device (/dev/null). </summary> @@ -57789,7 +57876,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_null" lineno="3468"> +<interface name="dev_rw_null" lineno="3486"> <summary> Read and write to the null device (/dev/null). </summary> 
@@ -57799,7 +57886,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_null_dev" lineno="3486"> +<interface name="dev_create_null_dev" lineno="3504"> <summary> Create the null device (/dev/null). </summary> @@ -57809,7 +57896,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_null_service" lineno="3505"> +<interface name="dev_manage_null_service" lineno="3523"> <summary> Manage services with script type null_device_t for when /lib/systemd/system/something.service is a link to /dev/null @@ -57820,7 +57907,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3525"> +<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3543"> <summary> Do not audit attempts to get the attributes of the BIOS non-volatile RAM device. @@ -57831,7 +57918,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_nvram" lineno="3543"> +<interface name="dev_rw_nvram" lineno="3561"> <summary> Read and write BIOS non-volatile RAM. </summary> @@ -57841,7 +57928,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_printer_dev" lineno="3561"> +<interface name="dev_getattr_printer_dev" lineno="3579"> <summary> Get the attributes of the printer device nodes. </summary> @@ -57851,7 +57938,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_printer_dev" lineno="3579"> +<interface name="dev_setattr_printer_dev" lineno="3597"> <summary> Set the attributes of the printer device nodes. </summary> @@ -57861,7 +57948,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_append_printer" lineno="3598"> +<interface name="dev_append_printer" lineno="3616"> <summary> Append the printer device. </summary> 
@@ -57871,7 +57958,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_printer" lineno="3616"> +<interface name="dev_rw_printer" lineno="3634"> <summary> Read and write the printer device. </summary> @@ -57881,7 +57968,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_pmqos_dev" lineno="3634"> +<interface name="dev_getattr_pmqos_dev" lineno="3652"> <summary> Get the attributes of PM QoS devices </summary> @@ -57891,7 +57978,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_pmqos" lineno="3652"> +<interface name="dev_read_pmqos" lineno="3670"> <summary> Read the PM QoS devices. </summary> @@ -57901,7 +57988,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_pmqos" lineno="3670"> +<interface name="dev_rw_pmqos" lineno="3688"> <summary> Read and write the the PM QoS devices. </summary> @@ -57911,7 +57998,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_qemu_dev" lineno="3689"> +<interface name="dev_getattr_qemu_dev" lineno="3707"> <summary> Get the attributes of the QEMU microcode and id interfaces. @@ -57922,7 +58009,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_qemu_dev" lineno="3708"> +<interface name="dev_setattr_qemu_dev" lineno="3726"> <summary> Set the attributes of the QEMU microcode and id interfaces. @@ -57933,7 +58020,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_qemu" lineno="3726"> +<interface name="dev_read_qemu" lineno="3744"> <summary> Read the QEMU device </summary> @@ -57943,7 +58030,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_qemu" lineno="3744"> +<interface name="dev_rw_qemu" lineno="3762"> <summary> Read and write the the QEMU device. </summary> 
@@ -57953,7 +58040,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_rand" lineno="3778"> +<interface name="dev_read_rand" lineno="3796"> <summary> Read from random number generator devices (e.g., /dev/random). @@ -57979,7 +58066,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_dontaudit_read_rand" lineno="3797"> +<interface name="dev_dontaudit_read_rand" lineno="3815"> <summary> Do not audit attempts to read from random number generator devices (e.g., /dev/random) @@ -57990,7 +58077,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_append_rand" lineno="3816"> +<interface name="dev_dontaudit_append_rand" lineno="3834"> <summary> Do not audit attempts to append to random number generator devices (e.g., /dev/random) @@ -58001,7 +58088,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_rand" lineno="3836"> +<interface name="dev_write_rand" lineno="3854"> <summary> Write to the random device (e.g., /dev/random). This adds entropy used to generate the random data read from the @@ -58013,7 +58100,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_rand_dev" lineno="3854"> +<interface name="dev_create_rand_dev" lineno="3872"> <summary> Create the random device (/dev/random). </summary> @@ -58023,7 +58110,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_realtime_clock" lineno="3872"> +<interface name="dev_read_realtime_clock" lineno="3890"> <summary> Read the realtime clock (/dev/rtc). </summary> @@ -58033,7 +58120,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_realtime_clock" lineno="3890"> +<interface name="dev_write_realtime_clock" lineno="3908"> <summary> Set the realtime clock (/dev/rtc). </summary> 
@@ -58043,7 +58130,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_realtime_clock" lineno="3910"> +<interface name="dev_rw_realtime_clock" lineno="3928"> <summary> Read and set the realtime clock (/dev/rtc). </summary> @@ -58053,7 +58140,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_scanner_dev" lineno="3925"> +<interface name="dev_getattr_scanner_dev" lineno="3943"> <summary> Get the attributes of the scanner device. </summary> @@ -58063,7 +58150,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3944"> +<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3962"> <summary> Do not audit attempts to get the attributes of the scanner device. @@ -58074,7 +58161,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_scanner_dev" lineno="3962"> +<interface name="dev_setattr_scanner_dev" lineno="3980"> <summary> Set the attributes of the scanner device. </summary> @@ -58084,7 +58171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3981"> +<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3999"> <summary> Do not audit attempts to set the attributes of the scanner device. @@ -58095,7 +58182,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_scanner" lineno="3999"> +<interface name="dev_rw_scanner" lineno="4017"> <summary> Read and write the scanner device. </summary> @@ -58105,7 +58192,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_sound_dev" lineno="4017"> +<interface name="dev_getattr_sound_dev" lineno="4035"> <summary> Get the attributes of the sound devices. </summary> 
@@ -58115,7 +58202,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_sound_dev" lineno="4035"> +<interface name="dev_setattr_sound_dev" lineno="4053"> <summary> Set the attributes of the sound devices. </summary> @@ -58125,7 +58212,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sound" lineno="4053"> +<interface name="dev_read_sound" lineno="4071"> <summary> Read the sound devices. </summary> @@ -58135,7 +58222,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sound" lineno="4072"> +<interface name="dev_write_sound" lineno="4090"> <summary> Write the sound devices. </summary> @@ -58145,7 +58232,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sound_mixer" lineno="4091"> +<interface name="dev_read_sound_mixer" lineno="4109"> <summary> Read the sound mixer devices. </summary> @@ -58155,7 +58242,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sound_mixer" lineno="4110"> +<interface name="dev_write_sound_mixer" lineno="4128"> <summary> Write the sound mixer devices. </summary> @@ -58165,7 +58252,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_power_mgmt_dev" lineno="4129"> +<interface name="dev_getattr_power_mgmt_dev" lineno="4147"> <summary> Get the attributes of the the power management device. </summary> @@ -58175,7 +58262,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_power_mgmt_dev" lineno="4147"> +<interface name="dev_setattr_power_mgmt_dev" lineno="4165"> <summary> Set the attributes of the the power management device. </summary> 
@@ -58185,7 +58272,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_power_management" lineno="4165"> +<interface name="dev_rw_power_management" lineno="4183"> <summary> Read and write the the power management device. </summary> @@ -58195,7 +58282,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_smartcard_dev" lineno="4183"> +<interface name="dev_getattr_smartcard_dev" lineno="4201"> <summary> Getattr on smartcard devices </summary> @@ -58205,7 +58292,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4202"> +<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4220"> <summary> dontaudit getattr on smartcard devices </summary> @@ -58215,7 +58302,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_smartcard" lineno="4221"> +<interface name="dev_rw_smartcard" lineno="4239"> <summary> Read and write smartcard devices. </summary> @@ -58225,7 +58312,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_smartcard" lineno="4239"> +<interface name="dev_manage_smartcard" lineno="4257"> <summary> Create, read, write, and delete smartcard devices. </summary> @@ -58235,7 +58322,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_sysdig" lineno="4257"> +<interface name="dev_rw_sysdig" lineno="4275"> <summary> Read, write and map the sysdig device. </summary> @@ -58245,7 +58332,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mounton_sysfs" lineno="4276"> +<interface name="dev_mounton_sysfs" lineno="4294"> <summary> Mount a filesystem on sysfs. (Deprecated) </summary> 
@@ -58255,7 +58342,7 @@ Domain allow access. </summary> </param> </interface> -<interface name="dev_associate_sysfs" lineno="4291"> +<interface name="dev_associate_sysfs" lineno="4309"> <summary> Associate a file to a sysfs filesystem. </summary> @@ -58265,7 +58352,7 @@ The type of the file to be associated to sysfs. </summary> </param> </interface> -<interface name="dev_getattr_sysfs_dirs" lineno="4309"> +<interface name="dev_getattr_sysfs_dirs" lineno="4327"> <summary> Get the attributes of sysfs directories. </summary> @@ -58275,7 +58362,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_sysfs" lineno="4327"> +<interface name="dev_getattr_sysfs" lineno="4345"> <summary> Get the attributes of sysfs filesystem </summary> @@ -58285,7 +58372,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mount_sysfs" lineno="4345"> +<interface name="dev_mount_sysfs" lineno="4363"> <summary> mount a sysfs filesystem </summary> @@ -58295,7 +58382,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_remount_sysfs" lineno="4363"> +<interface name="dev_remount_sysfs" lineno="4381"> <summary> Remount a sysfs filesystem. </summary> @@ -58305,7 +58392,7 @@ Domain allow access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_sysfs" lineno="4381"> +<interface name="dev_dontaudit_getattr_sysfs" lineno="4399"> <summary> Do not audit getting the attributes of sysfs filesystem </summary> @@ -58315,7 +58402,7 @@ Domain to dontaudit access from </summary> </param> </interface> -<interface name="dev_dontaudit_read_sysfs" lineno="4399"> +<interface name="dev_dontaudit_read_sysfs" lineno="4417"> <summary> Dont audit attempts to read hardware state information </summary> 
@@ -58325,7 +58412,7 @@ Domain for which the attempts do not need to be audited </summary> </param> </interface> -<interface name="dev_mounton_sysfs_dirs" lineno="4419"> +<interface name="dev_mounton_sysfs_dirs" lineno="4437"> <summary> Mount on sysfs directories. </summary> @@ -58335,7 +58422,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_search_sysfs" lineno="4437"> +<interface name="dev_search_sysfs" lineno="4455"> <summary> Search the sysfs directories. </summary> @@ -58345,7 +58432,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_search_sysfs" lineno="4455"> +<interface name="dev_dontaudit_search_sysfs" lineno="4473"> <summary> Do not audit attempts to search sysfs. </summary> @@ -58355,7 +58442,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_list_sysfs" lineno="4473"> +<interface name="dev_list_sysfs" lineno="4491"> <summary> List the contents of the sysfs directories. </summary> @@ -58365,7 +58452,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sysfs_dirs" lineno="4492"> +<interface name="dev_write_sysfs_dirs" lineno="4510"> <summary> Write in a sysfs directories. </summary> @@ -58375,7 +58462,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4510"> +<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4528"> <summary> Do not audit attempts to write in a sysfs directory. </summary> @@ -58385,7 +58472,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_write_sysfs_files" lineno="4528"> +<interface name="dev_dontaudit_write_sysfs_files" lineno="4546"> <summary> Do not audit attempts to write to a sysfs file. </summary> 
@@ -58395,7 +58482,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_manage_sysfs_dirs" lineno="4547"> +<interface name="dev_manage_sysfs_dirs" lineno="4565"> <summary> Create, read, write, and delete sysfs directories. @@ -58406,7 +58493,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sysfs" lineno="4574"> +<interface name="dev_read_sysfs" lineno="4592"> <summary> Read hardware state information. </summary> @@ -58425,7 +58512,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_write_sysfs" lineno="4602"> +<interface name="dev_write_sysfs" lineno="4620"> <summary> Write to hardware state information. </summary> @@ -58442,7 +58529,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_rw_sysfs" lineno="4621"> +<interface name="dev_rw_sysfs" lineno="4639"> <summary> Allow caller to modify hardware state information. </summary> @@ -58452,7 +58539,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_sysfs_files" lineno="4642"> +<interface name="dev_create_sysfs_files" lineno="4660"> <summary> Add a sysfs file </summary> @@ -58462,7 +58549,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_sysfs_dirs" lineno="4660"> +<interface name="dev_relabel_sysfs_dirs" lineno="4678"> <summary> Relabel hardware state directories. </summary> @@ -58472,7 +58559,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_all_sysfs" lineno="4678"> +<interface name="dev_relabel_all_sysfs" lineno="4696"> <summary> Relabel from/to all sysfs types. </summary> 
@@ -58482,7 +58569,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_all_sysfs" lineno="4698"> +<interface name="dev_setattr_all_sysfs" lineno="4716"> <summary> Set the attributes of sysfs files, directories and symlinks. </summary> @@ -58492,7 +58579,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_tpm" lineno="4718"> +<interface name="dev_rw_tpm" lineno="4736"> <summary> Read and write the TPM device. </summary> @@ -58502,7 +58589,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_urand" lineno="4759"> +<interface name="dev_read_urand" lineno="4777"> <summary> Read from pseudo random number generator devices (e.g., /dev/urandom). </summary> @@ -58535,7 +58622,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_dontaudit_read_urand" lineno="4778"> +<interface name="dev_dontaudit_read_urand" lineno="4796"> <summary> Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom) @@ -58546,7 +58633,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_urand" lineno="4797"> +<interface name="dev_write_urand" lineno="4815"> <summary> Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed. @@ -58557,7 +58644,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_urand_dev" lineno="4815"> +<interface name="dev_create_urand_dev" lineno="4833"> <summary> Create the urandom device (/dev/urandom). </summary> @@ -58567,7 +58654,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_urand_dev" lineno="4833"> +<interface name="dev_setattr_urand_dev" lineno="4851"> <summary> Set attributes on the urandom device (/dev/urandom). </summary> 
@@ -58577,7 +58664,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_generic_usb_dev" lineno="4851"> +<interface name="dev_getattr_generic_usb_dev" lineno="4869"> <summary> Getattr generic the USB devices. </summary> @@ -58587,7 +58674,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_generic_usb_dev" lineno="4869"> +<interface name="dev_setattr_generic_usb_dev" lineno="4887"> <summary> Setattr generic the USB devices. </summary> @@ -58597,7 +58684,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_generic_usb_dev" lineno="4887"> +<interface name="dev_read_generic_usb_dev" lineno="4905"> <summary> Read generic the USB devices. </summary> @@ -58607,7 +58694,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_generic_usb_dev" lineno="4905"> +<interface name="dev_rw_generic_usb_dev" lineno="4923"> <summary> Read and write generic the USB devices. </summary> @@ -58617,7 +58704,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_generic_usb_dev" lineno="4923"> +<interface name="dev_relabel_generic_usb_dev" lineno="4941"> <summary> Relabel generic the USB devices. </summary> @@ -58627,7 +58714,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_usbmon_dev" lineno="4941"> +<interface name="dev_read_usbmon_dev" lineno="4959"> <summary> Read USB monitor devices. </summary> @@ -58637,7 +58724,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_usbmon_dev" lineno="4959"> +<interface name="dev_write_usbmon_dev" lineno="4977"> <summary> Write USB monitor devices. </summary> @@ -58647,7 +58734,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mount_usbfs" lineno="4977"> +<interface name="dev_mount_usbfs" lineno="4995"> <summary> Mount a usbfs filesystem. </summary> 
@@ -58657,7 +58744,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_associate_usbfs" lineno="4995"> +<interface name="dev_associate_usbfs" lineno="5013"> <summary> Associate a file to a usbfs filesystem. </summary> @@ -58667,7 +58754,7 @@ The type of the file to be associated to usbfs. </summary> </param> </interface> -<interface name="dev_getattr_usbfs_dirs" lineno="5013"> +<interface name="dev_getattr_usbfs_dirs" lineno="5031"> <summary> Get the attributes of a directory in the usb filesystem. </summary> @@ -58677,7 +58764,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5032"> +<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5050"> <summary> Do not audit attempts to get the attributes of a directory in the usb filesystem. @@ -58688,7 +58775,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_search_usbfs" lineno="5050"> +<interface name="dev_search_usbfs" lineno="5068"> <summary> Search the directory containing USB hardware information. </summary> @@ -58698,7 +58785,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_list_usbfs" lineno="5068"> +<interface name="dev_list_usbfs" lineno="5086"> <summary> Allow caller to get a list of usb hardware. </summary> @@ -58708,7 +58795,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_usbfs_files" lineno="5089"> +<interface name="dev_setattr_usbfs_files" lineno="5107"> <summary> Set the attributes of usbfs filesystem. </summary> @@ -58718,7 +58805,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_usbfs" lineno="5109"> +<interface name="dev_read_usbfs" lineno="5127"> <summary> Read USB hardware information using the usbfs filesystem interface. 
@@ -58729,7 +58816,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_usbfs" lineno="5129"> +<interface name="dev_rw_usbfs" lineno="5147"> <summary> Allow caller to modify usb hardware configuration files. </summary> @@ -58739,7 +58826,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_video_dev" lineno="5149"> +<interface name="dev_getattr_video_dev" lineno="5167"> <summary> Get the attributes of video4linux devices. </summary> @@ -58749,7 +58836,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_userio_dev" lineno="5167"> +<interface name="dev_rw_userio_dev" lineno="5185"> <summary> Read and write userio device. </summary> @@ -58759,7 +58846,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_video_dev" lineno="5186"> +<interface name="dev_dontaudit_getattr_video_dev" lineno="5204"> <summary> Do not audit attempts to get the attributes of video4linux device nodes. @@ -58770,7 +58857,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_video_dev" lineno="5204"> +<interface name="dev_setattr_video_dev" lineno="5222"> <summary> Set the attributes of video4linux device nodes. </summary> @@ -58780,7 +58867,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_video_dev" lineno="5223"> +<interface name="dev_dontaudit_setattr_video_dev" lineno="5241"> <summary> Do not audit attempts to set the attributes of video4linux device nodes. @@ -58791,7 +58878,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_video_dev" lineno="5241"> +<interface name="dev_read_video_dev" lineno="5259"> <summary> Read the video4linux devices. </summary> 
@@ -58801,7 +58888,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_video_dev" lineno="5259"> +<interface name="dev_write_video_dev" lineno="5277"> <summary> Write the video4linux devices. </summary> @@ -58811,7 +58898,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vfio_dev" lineno="5277"> +<interface name="dev_rw_vfio_dev" lineno="5295"> <summary> Read and write vfio devices. </summary> @@ -58821,7 +58908,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabelfrom_vfio_dev" lineno="5295"> +<interface name="dev_relabelfrom_vfio_dev" lineno="5313"> <summary> Relabel vfio devices. </summary> @@ -58831,7 +58918,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vhost" lineno="5313"> +<interface name="dev_rw_vhost" lineno="5331"> <summary> Allow read/write the vhost devices </summary> @@ -58841,7 +58928,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vmware" lineno="5331"> +<interface name="dev_rw_vmware" lineno="5349"> <summary> Read and write VMWare devices. </summary> @@ -58851,7 +58938,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rwx_vmware" lineno="5349"> +<interface name="dev_rwx_vmware" lineno="5367"> <summary> Read, write, and mmap VMWare devices. </summary> @@ -58861,7 +58948,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_watchdog" lineno="5368"> +<interface name="dev_read_watchdog" lineno="5386"> <summary> Read from watchdog devices. </summary> @@ -58871,7 +58958,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_watchdog" lineno="5386"> +<interface name="dev_write_watchdog" lineno="5404"> <summary> Write to watchdog devices. </summary> 
@@ -58881,7 +58968,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_wireless" lineno="5404"> +<interface name="dev_read_wireless" lineno="5422"> <summary> Read the wireless device. </summary> @@ -58891,7 +58978,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_wireless" lineno="5422"> +<interface name="dev_rw_wireless" lineno="5440"> <summary> Read and write the the wireless device. </summary> @@ -58901,7 +58988,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_wireless" lineno="5440"> +<interface name="dev_manage_wireless" lineno="5458"> <summary> manage the wireless device. </summary> @@ -58911,7 +58998,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_xen" lineno="5458"> +<interface name="dev_rw_xen" lineno="5476"> <summary> Read and write Xen devices. </summary> @@ -58921,7 +59008,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_xen" lineno="5477"> +<interface name="dev_manage_xen" lineno="5495"> <summary> Create, read, write, and delete Xen devices. </summary> @@ -58931,7 +59018,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_xen" lineno="5501"> +<interface name="dev_filetrans_xen" lineno="5519"> <summary> Automatic type transition to the type for xen device nodes when created in /dev. @@ -58947,7 +59034,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_getattr_xserver_misc_dev" lineno="5519"> +<interface name="dev_getattr_xserver_misc_dev" lineno="5537"> <summary> Get the attributes of X server miscellaneous devices. </summary> 
@@ -58957,7 +59044,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_xserver_misc_dev" lineno="5537"> +<interface name="dev_setattr_xserver_misc_dev" lineno="5555"> <summary> Set the attributes of X server miscellaneous devices. </summary> @@ -58967,7 +59054,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_xserver_misc" lineno="5555"> +<interface name="dev_rw_xserver_misc" lineno="5573"> <summary> Read and write X server miscellaneous devices. </summary> @@ -58977,7 +59064,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_map_xserver_misc" lineno="5573"> +<interface name="dev_map_xserver_misc" lineno="5591"> <summary> Map X server miscellaneous devices. </summary> @@ -58987,7 +59074,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_zero" lineno="5591"> +<interface name="dev_rw_zero" lineno="5609"> <summary> Read and write to the zero device (/dev/zero). </summary> @@ -58997,7 +59084,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rwx_zero" lineno="5609"> +<interface name="dev_rwx_zero" lineno="5627"> <summary> Read, write, and execute the zero device (/dev/zero). </summary> @@ -59007,7 +59094,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_execmod_zero" lineno="5628"> +<interface name="dev_execmod_zero" lineno="5646"> <summary> Execmod the zero device (/dev/zero). </summary> @@ -59017,7 +59104,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_zero_dev" lineno="5647"> +<interface name="dev_create_zero_dev" lineno="5665"> <summary> Create the zero device (/dev/zero). </summary> 
@@ -59027,7 +59114,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_cpu_online" lineno="5670"> +<interface name="dev_read_cpu_online" lineno="5688"> <summary> Read cpu online hardware state information </summary> @@ -59042,7 +59129,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_unconfined" lineno="5690"> +<interface name="dev_rw_gpiochip" lineno="5708"> +<summary> +Read and write to the gpiochip device, /dev/gpiochip[0-9] +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dev_unconfined" lineno="5726"> <summary> Unconfined access to devices. </summary> @@ -59052,7 +59149,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_cpu_online" lineno="5710"> +<interface name="dev_relabel_cpu_online" lineno="5746"> <summary> Relabel cpu online hardware state information. </summary> @@ -59062,7 +59159,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_read_usbmon_dev" lineno="5729"> +<interface name="dev_dontaudit_read_usbmon_dev" lineno="5765"> <summary> Dont audit attempts to read usbmon devices </summary> @@ -60339,7 +60436,17 @@ The type to be transformed. </summary> </param> </interface> -<interface name="files_getattr_all_dirs" lineno="447"> +<interface name="files_dontaudit_getattr_all_tmpfs_files" lineno="447"> +<summary> +dontaudit getattr on tmpfs files +</summary> +<param name="domain"> +<summary> +Domain to not have stat on tmpfs files audited +</summary> +</param> +</interface> +<interface name="files_getattr_all_dirs" lineno="465"> <summary> Get the attributes of all directories. </summary> 
@@ -60349,7 +60456,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_dirs" lineno="466"> +<interface name="files_dontaudit_getattr_all_dirs" lineno="484"> <summary> Do not audit attempts to get the attributes of all directories. @@ -60360,7 +60467,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_non_security" lineno="484"> +<interface name="files_list_non_security" lineno="502"> <summary> List all non-security directories. </summary> @@ -60370,7 +60477,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_non_security" lineno="503"> +<interface name="files_dontaudit_list_non_security" lineno="521"> <summary> Do not audit attempts to list all non-security directories. @@ -60381,7 +60488,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_mounton_non_security" lineno="522"> +<interface name="files_mounton_non_security" lineno="540"> <summary> Mount a filesystem on all non-security directories and files. @@ -60392,7 +60499,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_non_security_dirs" lineno="541"> +<interface name="files_write_non_security_dirs" lineno="559"> <summary> Allow attempts to modify any directory </summary> @@ -60402,7 +60509,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_non_security_dirs" lineno="559"> +<interface name="files_manage_non_security_dirs" lineno="577"> <summary> Allow attempts to manage non-security directories </summary> @@ -60412,7 +60519,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_non_security_dirs" lineno="577"> +<interface name="files_create_non_security_dirs" lineno="595"> <summary> Create non-security directories. </summary> 
@@ -60422,7 +60529,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_non_security_dirs" lineno="595"> +<interface name="files_relabel_non_security_dirs" lineno="613"> <summary> Relabel from/to non-security directories. </summary> @@ -60432,7 +60539,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_all_files" lineno="613"> +<interface name="files_getattr_all_files" lineno="631"> <summary> Get the attributes of all files. </summary> @@ -60442,7 +60549,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_files" lineno="633"> +<interface name="files_dontaudit_getattr_all_files" lineno="651"> <summary> Do not audit attempts to get the attributes of all files. @@ -60453,7 +60560,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_files" lineno="652"> +<interface name="files_dontaudit_getattr_non_security_files" lineno="670"> <summary> Do not audit attempts to get the attributes of non security files. @@ -60464,7 +60571,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_non_security_files" lineno="671"> +<interface name="files_manage_non_security_files" lineno="689"> <summary> Create, read, write, and delete all non-security files. </summary> @@ -60475,7 +60582,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_non_security_files" lineno="690"> +<interface name="files_relabel_non_security_files" lineno="708"> <summary> Relabel from/to all non-security files. </summary> @@ -60486,7 +60593,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_all_files" lineno="708"> +<interface name="files_read_all_files" lineno="726"> <summary> Read all files. </summary> 
@@ -60496,7 +60603,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_execmod_all_files" lineno="739"> +<interface name="files_execmod_all_files" lineno="757"> <summary> Allow shared library text relocations in all files. </summary> @@ -60514,7 +60621,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_non_security_files" lineno="758"> +<interface name="files_read_non_security_files" lineno="776"> <summary> Read all non-security files. </summary> @@ -60525,7 +60632,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_write_non_security_files" lineno="778"> +<interface name="files_write_non_security_files" lineno="796"> <summary> Write all non-security files. </summary> @@ -60536,7 +60643,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_create_non_security_files" lineno="798"> +<interface name="files_create_non_security_files" lineno="816"> <summary> Create all non-security files. </summary> @@ -60547,7 +60654,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_all_dirs_except" lineno="824"> +<interface name="files_read_all_dirs_except" lineno="842"> <summary> Read all directories on the filesystem, except the listed exceptions. @@ -60564,7 +60671,7 @@ must be negated by the caller. </summary> </param> </interface> -<interface name="files_read_all_files_except" lineno="849"> +<interface name="files_read_all_files_except" lineno="867"> <summary> Read all files on the filesystem, except the listed exceptions. @@ -60581,7 +60688,7 @@ must be negated by the caller. </summary> </param> </interface> -<interface name="files_read_all_symlinks_except" lineno="874"> +<interface name="files_read_all_symlinks_except" lineno="892"> <summary> Read all symbolic links on the filesystem, except the listed exceptions. 
@@ -60598,7 +60705,7 @@ must be negated by the caller. </summary> </param> </interface> -<interface name="files_getattr_all_symlinks" lineno="892"> +<interface name="files_getattr_all_symlinks" lineno="910"> <summary> Get the attributes of all symbolic links. </summary> @@ -60608,7 +60715,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_symlinks" lineno="911"> +<interface name="files_dontaudit_getattr_all_symlinks" lineno="929"> <summary> Do not audit attempts to get the attributes of all symbolic links. @@ -60619,7 +60726,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_read_all_symlinks" lineno="929"> +<interface name="files_dontaudit_read_all_symlinks" lineno="947"> <summary> Do not audit attempts to read all symbolic links. </summary> @@ -60629,7 +60736,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="948"> +<interface name="files_dontaudit_getattr_non_security_symlinks" lineno="966"> <summary> Do not audit attempts to get the attributes of non security symbolic links. @@ -60640,7 +60747,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="967"> +<interface name="files_dontaudit_getattr_non_security_blk_files" lineno="985"> <summary> Do not audit attempts to get the attributes of non security block devices. @@ -60651,7 +60758,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="986"> +<interface name="files_dontaudit_getattr_non_security_chr_files" lineno="1004"> <summary> Do not audit attempts to get the attributes of non security character devices. 
@@ -60662,7 +60769,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_all_symlinks" lineno="1005"> +<interface name="files_read_all_symlinks" lineno="1023"> <summary> Read all symbolic links. </summary> @@ -60673,7 +60780,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_all_pipes" lineno="1024"> +<interface name="files_getattr_all_pipes" lineno="1042"> <summary> Get the attributes of all named pipes. </summary> @@ -60683,7 +60790,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_pipes" lineno="1044"> +<interface name="files_dontaudit_getattr_all_pipes" lineno="1062"> <summary> Do not audit attempts to get the attributes of all named pipes. @@ -60694,7 +60801,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1063"> +<interface name="files_dontaudit_getattr_non_security_pipes" lineno="1081"> <summary> Do not audit attempts to get the attributes of non security named pipes. @@ -60705,7 +60812,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_getattr_all_sockets" lineno="1081"> +<interface name="files_getattr_all_sockets" lineno="1099"> <summary> Get the attributes of all named sockets. </summary> @@ -60715,7 +60822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_sockets" lineno="1101"> +<interface name="files_dontaudit_getattr_all_sockets" lineno="1119"> <summary> Do not audit attempts to get the attributes of all named sockets. @@ -60726,7 +60833,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1120"> +<interface name="files_dontaudit_getattr_non_security_sockets" lineno="1138"> <summary> Do not audit attempts to get the attributes of non security named sockets. 
@@ -60737,7 +60844,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_all_blk_files" lineno="1138"> +<interface name="files_read_all_blk_files" lineno="1156"> <summary> Read all block nodes with file types. </summary> @@ -60747,7 +60854,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_all_chr_files" lineno="1156"> +<interface name="files_read_all_chr_files" lineno="1174"> <summary> Read all character nodes with file types. </summary> @@ -60757,7 +60864,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_files" lineno="1182"> +<interface name="files_relabel_all_files" lineno="1200"> <summary> Relabel all files on the filesystem, except the listed exceptions. @@ -60775,7 +60882,7 @@ must be negated by the caller. </param> <rolecap/> </interface> -<interface name="files_rw_all_files" lineno="1220"> +<interface name="files_rw_all_files" lineno="1238"> <summary> rw all files on the filesystem, except the listed exceptions. @@ -60793,7 +60900,7 @@ must be negated by the caller. </param> <rolecap/> </interface> -<interface name="files_manage_all_files" lineno="1246"> +<interface name="files_manage_all_files" lineno="1264"> <summary> Manage all files on the filesystem, except the listed exceptions. @@ -60811,7 +60918,7 @@ must be negated by the caller. </param> <rolecap/> </interface> -<interface name="files_search_all" lineno="1269"> +<interface name="files_search_all" lineno="1287"> <summary> Search the contents of all directories on extended attribute filesystems. @@ -60822,7 +60929,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_all" lineno="1288"> +<interface name="files_list_all" lineno="1306"> <summary> List the contents of all directories on extended attribute filesystems. 
@@ -60833,7 +60940,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_all_files_as" lineno="1306"> +<interface name="files_create_all_files_as" lineno="1324"> <summary> Create all files as is. </summary> @@ -60843,7 +60950,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_all_dirs" lineno="1326"> +<interface name="files_dontaudit_search_all_dirs" lineno="1344"> <summary> Do not audit attempts to search the contents of any directories on extended @@ -60855,7 +60962,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_getattr_all_file_type_fs" lineno="1349"> +<interface name="files_getattr_all_file_type_fs" lineno="1367"> <summary> Get the attributes of all filesystems with the type of a file. @@ -60866,7 +60973,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_all_file_type_fs" lineno="1367"> +<interface name="files_relabelto_all_file_type_fs" lineno="1385"> <summary> Relabel a filesystem to the type of a file. </summary> @@ -60876,7 +60983,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_file_type_fs" lineno="1385"> +<interface name="files_relabel_all_file_type_fs" lineno="1403"> <summary> Relabel a filesystem to and from the type of a file. </summary> @@ -60886,7 +60993,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mount_all_file_type_fs" lineno="1403"> +<interface name="files_mount_all_file_type_fs" lineno="1421"> <summary> Mount all filesystems with the type of a file. </summary> @@ -60896,7 +61003,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_unmount_all_file_type_fs" lineno="1421"> +<interface name="files_unmount_all_file_type_fs" lineno="1439"> <summary> Unmount all filesystems with the type of a file. </summary> 
@@ -60906,7 +61013,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_non_auth_dirs" lineno="1440"> +<interface name="files_watch_all_dirs" lineno="1457"> +<summary> +watch all directories of file_type +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="files_list_non_auth_dirs" lineno="1477"> <summary> Read all non-authentication related directories. @@ -60917,7 +61034,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_non_auth_files" lineno="1459"> +<interface name="files_read_non_auth_files" lineno="1496"> <summary> Read all non-authentication related files. @@ -60928,7 +61045,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_non_auth_symlinks" lineno="1478"> +<interface name="files_read_non_auth_symlinks" lineno="1515"> <summary> Read all non-authentication related symbolic links. @@ -60939,7 +61056,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_non_auth_files" lineno="1496"> +<interface name="files_rw_non_auth_files" lineno="1533"> <summary> rw non-authentication related files. </summary> @@ -60949,7 +61066,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_non_auth_files" lineno="1516"> +<interface name="files_manage_non_auth_files" lineno="1553"> <summary> Manage non-authentication related files. @@ -60961,7 +61078,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_map_non_auth_files" lineno="1540"> +<interface name="files_map_non_auth_files" lineno="1577"> <summary> Mmap non-authentication related files. 
@@ -60973,7 +61090,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_non_auth_files" lineno="1560"> +<interface name="files_relabel_non_auth_files" lineno="1597"> <summary> Relabel all non-authentication related files. @@ -60985,7 +61102,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_config_dirs" lineno="1593"> +<interface name="files_manage_config_dirs" lineno="1630"> <summary> Manage all configuration directories on filesystem </summary> @@ -60996,7 +61113,7 @@ Domain allowed access. </param> </interface> -<interface name="files_relabel_config_dirs" lineno="1612"> +<interface name="files_relabel_config_dirs" lineno="1649"> <summary> Relabel configuration directories </summary> @@ -61007,7 +61124,7 @@ Domain allowed access. </param> </interface> -<interface name="files_dontaudit_relabel_config_dirs" lineno="1631"> +<interface name="files_dontaudit_relabel_config_dirs" lineno="1668"> <summary> Do not audit attempts to relabel configuration directories </summary> @@ -61018,7 +61135,7 @@ Domain not to audit. </param> </interface> -<interface name="files_read_config_files" lineno="1649"> +<interface name="files_read_config_files" lineno="1686"> <summary> Read config files in /etc. </summary> @@ -61028,7 +61145,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_config_files" lineno="1670"> +<interface name="files_manage_config_files" lineno="1707"> <summary> Manage all configuration files on filesystem </summary> @@ -61039,7 +61156,7 @@ Domain allowed access. </param> </interface> -<interface name="files_relabel_config_files" lineno="1689"> +<interface name="files_relabel_config_files" lineno="1726"> <summary> Relabel configuration files </summary> 
@@ -61050,7 +61167,7 @@ Domain allowed access. </param> </interface> -<interface name="files_dontaudit_relabel_config_files" lineno="1708"> +<interface name="files_dontaudit_relabel_config_files" lineno="1745"> <summary> Do not audit attempts to relabel configuration files </summary> @@ -61061,7 +61178,7 @@ Domain not to audit. </param> </interface> -<interface name="files_relabel_config_symlinks" lineno="1727"> +<interface name="files_relabel_config_symlinks" lineno="1764"> <summary> Relabel configuration symlinks. </summary> @@ -61072,7 +61189,7 @@ Domain allowed access. </param> </interface> -<interface name="files_mounton_all_mountpoints" lineno="1745"> +<interface name="files_mounton_all_mountpoints" lineno="1782"> <summary> Mount a filesystem on all mount points. </summary> @@ -61082,7 +61199,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_all_mountpoints" lineno="1766"> +<interface name="files_getattr_all_mountpoints" lineno="1803"> <summary> Get the attributes of all mount points. </summary> @@ -61092,7 +61209,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_all_mountpoints" lineno="1784"> +<interface name="files_setattr_all_mountpoints" lineno="1821"> <summary> Set the attributes of all mount points. </summary> @@ -61102,7 +61219,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1802"> +<interface name="files_dontaudit_setattr_all_mountpoints" lineno="1839"> <summary> Do not audit attempts to set the attributes on all mount points. </summary> @@ -61112,7 +61229,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_search_all_mountpoints" lineno="1820"> +<interface name="files_search_all_mountpoints" lineno="1857"> <summary> Search all mount points. </summary> 
@@ -61122,7 +61239,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_all_mountpoints" lineno="1838"> +<interface name="files_dontaudit_search_all_mountpoints" lineno="1875"> <summary> Do not audit searching of all mount points. </summary> @@ -61132,7 +61249,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_all_mountpoints" lineno="1856"> +<interface name="files_list_all_mountpoints" lineno="1893"> <summary> List all mount points. </summary> @@ -61142,7 +61259,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_all_mountpoints" lineno="1874"> +<interface name="files_dontaudit_list_all_mountpoints" lineno="1911"> <summary> Do not audit listing of all mount points. </summary> @@ -61152,7 +61269,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_watch_all_mountpoints" lineno="1892"> +<interface name="files_watch_all_mountpoints" lineno="1929"> <summary> Watch all mountpoints. </summary> @@ -61162,7 +61279,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_all_mount_perm" lineno="1910"> +<interface name="files_watch_all_mount_perm" lineno="1947"> <summary> Watch all mountpoints. </summary> @@ -61172,7 +61289,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_all_mountpoints" lineno="1928"> +<interface name="files_write_all_mountpoints" lineno="1965"> <summary> Check if all mountpoints are writable. </summary> @@ -61182,7 +61299,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_all_mountpoints" lineno="1946"> +<interface name="files_dontaudit_write_all_mountpoints" lineno="1983"> <summary> Do not audit attempts to write to mount points. </summary> 
@@ -61192,7 +61309,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_root" lineno="1964"> +<interface name="files_list_root" lineno="2001"> <summary> List the contents of the root directory. </summary> @@ -61202,7 +61319,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_root_symlinks" lineno="1984"> +<interface name="files_delete_root_symlinks" lineno="2021"> <summary> Delete symbolic links in the root directory. @@ -61213,7 +61330,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_root_dirs" lineno="2002"> +<interface name="files_dontaudit_write_root_dirs" lineno="2039"> <summary> Do not audit attempts to write to / dirs. </summary> @@ -61223,7 +61340,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_rw_root_dir" lineno="2021"> +<interface name="files_dontaudit_rw_root_dir" lineno="2058"> <summary> Do not audit attempts to write files in the root directory. @@ -61234,7 +61351,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_watch_root_dirs" lineno="2039"> +<interface name="files_watch_root_dirs" lineno="2076"> <summary> Watch the root directory. </summary> @@ -61244,7 +61361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_root_filetrans" lineno="2073"> +<interface name="files_root_filetrans" lineno="2110"> <summary> Create an object in the root directory, with a private type using a type transition. @@ -61270,7 +61387,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_dontaudit_read_root_files" lineno="2092"> +<interface name="files_dontaudit_read_root_files" lineno="2129"> <summary> Do not audit attempts to read files in the root directory. 
@@ -61281,7 +61398,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_rw_root_files" lineno="2111"> +<interface name="files_dontaudit_rw_root_files" lineno="2148"> <summary> Do not audit attempts to read or write files in the root directory. @@ -61292,7 +61409,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_rw_root_chr_files" lineno="2130"> +<interface name="files_dontaudit_rw_root_chr_files" lineno="2167"> <summary> Do not audit attempts to read or write character device nodes in the root directory. @@ -61303,7 +61420,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_delete_root_chr_files" lineno="2149"> +<interface name="files_delete_root_chr_files" lineno="2186"> <summary> Delete character device nodes in the root directory. @@ -61314,7 +61431,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_root_files" lineno="2167"> +<interface name="files_delete_root_files" lineno="2204"> <summary> Delete files in the root directory. </summary> @@ -61324,7 +61441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_root_files" lineno="2185"> +<interface name="files_exec_root_files" lineno="2222"> <summary> Execute files in the root directory. </summary> @@ -61334,7 +61451,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_root_dir_entry" lineno="2203"> +<interface name="files_delete_root_dir_entry" lineno="2240"> <summary> Remove entries from the root directory. </summary> @@ -61344,7 +61461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_root_dir" lineno="2221"> +<interface name="files_manage_root_dir" lineno="2258"> <summary> Manage the root directory. </summary> 
@@ -61354,7 +61471,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_rootfs" lineno="2240"> +<interface name="files_getattr_rootfs" lineno="2277"> <summary> Get the attributes of a rootfs file system. @@ -61365,7 +61482,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_associate_rootfs" lineno="2258"> +<interface name="files_associate_rootfs" lineno="2295"> <summary> Associate to root file system. </summary> @@ -61375,7 +61492,7 @@ Type of the file to associate. </summary> </param> </interface> -<interface name="files_relabel_rootfs" lineno="2276"> +<interface name="files_relabel_rootfs" lineno="2313"> <summary> Relabel to and from rootfs file system. </summary> @@ -61385,7 +61502,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_unmount_rootfs" lineno="2294"> +<interface name="files_unmount_rootfs" lineno="2331"> <summary> Unmount a rootfs filesystem. </summary> @@ -61395,7 +61512,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_root" lineno="2312"> +<interface name="files_mounton_root" lineno="2349"> <summary> Mount on the root directory (/) </summary> @@ -61405,7 +61522,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_boot_fs" lineno="2331"> +<interface name="files_getattr_boot_fs" lineno="2368"> <summary> Get the attributes of a filesystem mounted on /boot. @@ -61416,7 +61533,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_remount_boot" lineno="2349"> +<interface name="files_remount_boot" lineno="2386"> <summary> Remount a filesystem mounted on /boot. </summary> @@ -61426,7 +61543,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_boot_dirs" lineno="2367"> +<interface name="files_getattr_boot_dirs" lineno="2404"> <summary> Get attributes of the /boot directory. </summary> 
@@ -61436,7 +61553,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_boot_dirs" lineno="2386"> +<interface name="files_dontaudit_getattr_boot_dirs" lineno="2423"> <summary> Do not audit attempts to get attributes of the /boot directory. @@ -61447,7 +61564,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_search_boot" lineno="2404"> +<interface name="files_search_boot" lineno="2441"> <summary> Search the /boot directory. </summary> @@ -61457,7 +61574,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_boot" lineno="2422"> +<interface name="files_dontaudit_search_boot" lineno="2459"> <summary> Do not audit attempts to search the /boot directory. </summary> @@ -61467,7 +61584,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_boot" lineno="2440"> +<interface name="files_list_boot" lineno="2477"> <summary> List the /boot directory. </summary> @@ -61477,7 +61594,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_boot" lineno="2458"> +<interface name="files_dontaudit_list_boot" lineno="2495"> <summary> Do not audit attempts to list the /boot directory. </summary> @@ -61487,7 +61604,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_boot_dirs" lineno="2476"> +<interface name="files_create_boot_dirs" lineno="2513"> <summary> Create directories in /boot </summary> @@ -61497,7 +61614,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_boot_dirs" lineno="2495"> +<interface name="files_manage_boot_dirs" lineno="2532"> <summary> Create, read, write, and delete directories in /boot. 
@@ -61508,7 +61625,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_boot_filetrans" lineno="2529"> +<interface name="files_boot_filetrans" lineno="2566"> <summary> Create a private type object in boot with an automatic type transition @@ -61534,7 +61651,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_read_boot_files" lineno="2548"> +<interface name="files_read_boot_files" lineno="2585"> <summary> read files in the /boot directory. </summary> @@ -61545,7 +61662,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_boot_files" lineno="2568"> +<interface name="files_manage_boot_files" lineno="2605"> <summary> Create, read, write, and delete files in the /boot directory. @@ -61557,7 +61674,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabelfrom_boot_files" lineno="2586"> +<interface name="files_relabelfrom_boot_files" lineno="2623"> <summary> Relabel from files in the /boot directory. </summary> @@ -61567,7 +61684,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_boot_symlinks" lineno="2604"> +<interface name="files_read_boot_symlinks" lineno="2641"> <summary> Read symbolic links in the /boot directory. </summary> @@ -61577,7 +61694,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_boot_symlinks" lineno="2623"> +<interface name="files_rw_boot_symlinks" lineno="2660"> <summary> Read and write symbolic links in the /boot directory. @@ -61588,7 +61705,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_boot_symlinks" lineno="2643"> +<interface name="files_manage_boot_symlinks" lineno="2680"> <summary> Create, read, write, and delete symbolic links in the /boot directory. 
@@ -61599,7 +61716,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_kernel_img" lineno="2661"> +<interface name="files_read_kernel_img" lineno="2698"> <summary> Read kernel files in the /boot directory. </summary> @@ -61609,7 +61726,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_kernel_img" lineno="2682"> +<interface name="files_create_kernel_img" lineno="2719"> <summary> Install a kernel into the /boot directory. </summary> @@ -61620,7 +61737,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_delete_kernel" lineno="2702"> +<interface name="files_delete_kernel" lineno="2739"> <summary> Delete a kernel from /boot. </summary> @@ -61631,7 +61748,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_default_dirs" lineno="2720"> +<interface name="files_getattr_default_dirs" lineno="2757"> <summary> Getattr of directories with the default file type. </summary> @@ -61641,7 +61758,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_default_dirs" lineno="2739"> +<interface name="files_dontaudit_getattr_default_dirs" lineno="2776"> <summary> Do not audit attempts to get the attributes of directories with the default file type. @@ -61652,7 +61769,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_search_default" lineno="2757"> +<interface name="files_search_default" lineno="2794"> <summary> Search the contents of directories with the default file type. </summary> @@ -61662,7 +61779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_default" lineno="2775"> +<interface name="files_list_default" lineno="2812"> <summary> List contents of directories with the default file type. </summary> 
@@ -61672,7 +61789,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_default" lineno="2794"> +<interface name="files_dontaudit_list_default" lineno="2831"> <summary> Do not audit attempts to list contents of directories with the default file type. @@ -61683,7 +61800,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_default_dirs" lineno="2813"> +<interface name="files_manage_default_dirs" lineno="2850"> <summary> Create, read, write, and delete directories with the default file type. @@ -61694,7 +61811,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_default" lineno="2831"> +<interface name="files_mounton_default" lineno="2868"> <summary> Mount a filesystem on a directory with the default file type. </summary> @@ -61704,7 +61821,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_default_files" lineno="2850"> +<interface name="files_dontaudit_getattr_default_files" lineno="2887"> <summary> Do not audit attempts to get the attributes of files with the default file type. @@ -61715,7 +61832,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_default_files" lineno="2868"> +<interface name="files_read_default_files" lineno="2905"> <summary> Read files with the default file type. </summary> @@ -61725,7 +61842,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_read_default_files" lineno="2887"> +<interface name="files_dontaudit_read_default_files" lineno="2924"> <summary> Do not audit attempts to read files with the default file type. @@ -61736,7 +61853,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_default_files" lineno="2906"> +<interface name="files_manage_default_files" lineno="2943"> <summary> Create, read, write, and delete files with the default file type. 
@@ -61747,7 +61864,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_symlinks" lineno="2924"> +<interface name="files_read_default_symlinks" lineno="2961"> <summary> Read symbolic links with the default file type. </summary> @@ -61757,7 +61874,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_sockets" lineno="2942"> +<interface name="files_read_default_sockets" lineno="2979"> <summary> Read sockets with the default file type. </summary> @@ -61767,7 +61884,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_pipes" lineno="2960"> +<interface name="files_read_default_pipes" lineno="2997"> <summary> Read named pipes with the default file type. </summary> @@ -61777,7 +61894,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_etc" lineno="2978"> +<interface name="files_search_etc" lineno="3015"> <summary> Search the contents of /etc directories. </summary> @@ -61787,7 +61904,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_etc_dirs" lineno="2996"> +<interface name="files_setattr_etc_dirs" lineno="3033"> <summary> Set the attributes of the /etc directories. </summary> @@ -61797,7 +61914,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_etc" lineno="3014"> +<interface name="files_list_etc" lineno="3051"> <summary> List the contents of /etc directories. </summary> @@ -61807,7 +61924,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_etc_dirs" lineno="3032"> +<interface name="files_dontaudit_write_etc_dirs" lineno="3069"> <summary> Do not audit attempts to write to /etc dirs. </summary> 
@@ -61817,7 +61934,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_etc_dirs" lineno="3050"> +<interface name="files_rw_etc_dirs" lineno="3087"> <summary> Add and remove entries from /etc directories. </summary> @@ -61827,7 +61944,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_dirs" lineno="3069"> +<interface name="files_manage_etc_dirs" lineno="3106"> <summary> Manage generic directories in /etc </summary> @@ -61838,7 +61955,7 @@ Domain allowed access </param> </interface> -<interface name="files_relabelto_etc_dirs" lineno="3087"> +<interface name="files_relabelto_etc_dirs" lineno="3124"> <summary> Relabel directories to etc_t. </summary> @@ -61848,7 +61965,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_etc_dirs" lineno="3106"> +<interface name="files_mounton_etc_dirs" lineno="3143"> <summary> Mount a filesystem on the etc directories. @@ -61859,7 +61976,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_remount_etc" lineno="3124"> +<interface name="files_remount_etc" lineno="3161"> <summary> Remount etc filesystems. </summary> @@ -61869,7 +61986,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_dirs" lineno="3142"> +<interface name="files_watch_etc_dirs" lineno="3179"> <summary> Watch /etc directories </summary> @@ -61879,7 +61996,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_etc_files" lineno="3194"> +<interface name="files_read_etc_files" lineno="3231"> <summary> Read generic files in /etc. </summary> @@ -61923,7 +62040,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_map_etc_files" lineno="3226"> +<interface name="files_map_etc_files" lineno="3263"> <summary> Map generic files in /etc. </summary> 
@@ -61945,7 +62062,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_dontaudit_write_etc_files" lineno="3244"> +<interface name="files_dontaudit_write_etc_files" lineno="3281"> <summary> Do not audit attempts to write generic files in /etc. </summary> @@ -61955,7 +62072,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_etc_files" lineno="3263"> +<interface name="files_rw_etc_files" lineno="3300"> <summary> Read and write generic files in /etc. </summary> @@ -61966,7 +62083,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_etc_files" lineno="3285"> +<interface name="files_manage_etc_files" lineno="3322"> <summary> Create, read, write, and delete generic files in /etc. @@ -61978,7 +62095,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_manage_etc_files" lineno="3306"> +<interface name="files_dontaudit_manage_etc_files" lineno="3343"> <summary> Do not audit attempts to create, read, write, and delete generic files in /etc. @@ -61990,7 +62107,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="files_delete_etc_files" lineno="3324"> +<interface name="files_delete_etc_files" lineno="3361"> <summary> Delete system configuration files in /etc. </summary> @@ -62000,7 +62117,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_etc_files" lineno="3342"> +<interface name="files_exec_etc_files" lineno="3379"> <summary> Execute generic files in /etc. </summary> @@ -62010,7 +62127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_files" lineno="3362"> +<interface name="files_watch_etc_files" lineno="3399"> <summary> Watch /etc files. </summary> 
@@ -62020,7 +62137,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_get_etc_unit_status" lineno="3380"> +<interface name="files_get_etc_unit_status" lineno="3417"> <summary> Get etc_t service status. </summary> @@ -62030,7 +62147,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_start_etc_service" lineno="3399"> +<interface name="files_start_etc_service" lineno="3436"> <summary> start etc_t service </summary> @@ -62040,7 +62157,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_stop_etc_service" lineno="3418"> +<interface name="files_stop_etc_service" lineno="3455"> <summary> stop etc_t service </summary> @@ -62050,7 +62167,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_etc_files" lineno="3437"> +<interface name="files_relabel_etc_files" lineno="3474"> <summary> Relabel from and to generic files in /etc. </summary> @@ -62060,7 +62177,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_etc_symlinks" lineno="3456"> +<interface name="files_read_etc_symlinks" lineno="3493"> <summary> Read symbolic links in /etc. </summary> @@ -62070,7 +62187,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_symlinks" lineno="3474"> +<interface name="files_watch_etc_symlinks" lineno="3511"> <summary> Watch /etc symlinks </summary> @@ -62080,7 +62197,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_symlinks" lineno="3492"> +<interface name="files_manage_etc_symlinks" lineno="3529"> <summary> Create, read, write, and delete symbolic links in /etc. </summary> 
@@ -62090,7 +62207,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_etc_filetrans" lineno="3526"> +<interface name="files_etc_filetrans" lineno="3563"> <summary> Create objects in /etc with a private type using a type_transition. @@ -62116,7 +62233,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_create_boot_flag" lineno="3556"> +<interface name="files_create_boot_flag" lineno="3593"> <summary> Create a boot flag. </summary> @@ -62138,7 +62255,7 @@ The name of the object being created. </param> <rolecap/> </interface> -<interface name="files_delete_boot_flag" lineno="3582"> +<interface name="files_delete_boot_flag" lineno="3619"> <summary> Delete a boot flag. </summary> @@ -62155,7 +62272,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_etc_runtime_dirs" lineno="3601"> +<interface name="files_getattr_etc_runtime_dirs" lineno="3638"> <summary> Get the attributes of the etc_runtime directories. @@ -62166,7 +62283,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_etc_runtime_dirs" lineno="3620"> +<interface name="files_mounton_etc_runtime_dirs" lineno="3657"> <summary> Mount a filesystem on the etc_runtime directories. @@ -62177,7 +62294,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_etc_runtime_dirs" lineno="3638"> +<interface name="files_relabelto_etc_runtime_dirs" lineno="3675"> <summary> Relabel to etc_runtime_t dirs. </summary> @@ -62187,7 +62304,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3656"> +<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3693"> <summary> Do not audit attempts to set the attributes of the etc_runtime files </summary> 
@@ -62197,7 +62314,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_etc_runtime_files" lineno="3694"> +<interface name="files_read_etc_runtime_files" lineno="3731"> <summary> Read files in /etc that are dynamically created on boot, such as mtab. @@ -62227,7 +62344,7 @@ Domain allowed access. <infoflow type="read" weight="10" /> <rolecap/> </interface> -<interface name="files_dontaudit_read_etc_runtime_files" lineno="3716"> +<interface name="files_dontaudit_read_etc_runtime_files" lineno="3753"> <summary> Do not audit attempts to read files in /etc that are dynamically @@ -62239,7 +62356,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_read_etc_files" lineno="3735"> +<interface name="files_dontaudit_read_etc_files" lineno="3772"> <summary> Do not audit attempts to read files in /etc @@ -62250,7 +62367,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_write_etc_runtime_files" lineno="3754"> +<interface name="files_dontaudit_write_etc_runtime_files" lineno="3791"> <summary> Do not audit attempts to write etc runtime files. @@ -62261,7 +62378,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_etc_runtime_files" lineno="3774"> +<interface name="files_rw_etc_runtime_files" lineno="3811"> <summary> Read and write files in /etc that are dynamically created on boot, such as mtab. @@ -62273,7 +62390,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_etc_runtime_files" lineno="3796"> +<interface name="files_manage_etc_runtime_files" lineno="3833"> <summary> Create, read, write, and delete files in /etc that are dynamically created on boot, 
@@ -62286,7 +62403,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabelto_etc_runtime_files" lineno="3814"> +<interface name="files_relabelto_etc_runtime_files" lineno="3851"> <summary> Relabel to etc_runtime_t files. </summary> @@ -62296,7 +62413,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_etc_filetrans_etc_runtime" lineno="3843"> +<interface name="files_etc_filetrans_etc_runtime" lineno="3880"> <summary> Create, etc runtime objects with an automatic type transition. @@ -62317,7 +62434,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_home_dir" lineno="3862"> +<interface name="files_getattr_home_dir" lineno="3899"> <summary> Get the attributes of the home directories root (/home). @@ -62328,7 +62445,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_home_dir" lineno="3883"> +<interface name="files_dontaudit_getattr_home_dir" lineno="3920"> <summary> Do not audit attempts to get the attributes of the home directories root @@ -62340,7 +62457,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_search_home" lineno="3902"> +<interface name="files_search_home" lineno="3939"> <summary> Search home directories root (/home). </summary> @@ -62350,7 +62467,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_home" lineno="3922"> +<interface name="files_dontaudit_search_home" lineno="3959"> <summary> Do not audit attempts to search home directories root (/home). @@ -62361,7 +62478,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_list_home" lineno="3942"> +<interface name="files_dontaudit_list_home" lineno="3979"> <summary> Do not audit attempts to list home directories root (/home). 
@@ -62372,7 +62489,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_home" lineno="3961"> +<interface name="files_list_home" lineno="3998"> <summary> Get listing of home directories. </summary> @@ -62382,7 +62499,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_home" lineno="3980"> +<interface name="files_relabelto_home" lineno="4017"> <summary> Relabel to user home root (/home). </summary> @@ -62392,7 +62509,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelfrom_home" lineno="3998"> +<interface name="files_relabelfrom_home" lineno="4035"> <summary> Relabel from user home root (/home). </summary> @@ -62402,7 +62519,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_home" lineno="4016"> +<interface name="files_watch_home" lineno="4053"> <summary> Watch the user home root (/home). </summary> @@ -62412,7 +62529,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_home_filetrans" lineno="4049"> +<interface name="files_home_filetrans" lineno="4086"> <summary> Create objects in /home. </summary> @@ -62437,7 +62554,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_lost_found_dirs" lineno="4067"> +<interface name="files_getattr_lost_found_dirs" lineno="4104"> <summary> Get the attributes of lost+found directories. </summary> @@ -62447,7 +62564,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4086"> +<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4123"> <summary> Do not audit attempts to get the attributes of lost+found directories. 
@@ -62458,7 +62575,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_lost_found" lineno="4104"> +<interface name="files_list_lost_found" lineno="4141"> <summary> List the contents of lost+found directories. </summary> @@ -62468,7 +62585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_lost_found" lineno="4124"> +<interface name="files_manage_lost_found" lineno="4161"> <summary> Create, read, write, and delete objects in lost+found directories. @@ -62480,7 +62597,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_search_mnt" lineno="4146"> +<interface name="files_search_mnt" lineno="4183"> <summary> Search the contents of /mnt. </summary> @@ -62490,7 +62607,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_mnt" lineno="4164"> +<interface name="files_dontaudit_search_mnt" lineno="4201"> <summary> Do not audit attempts to search /mnt. </summary> @@ -62500,7 +62617,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_mnt" lineno="4182"> +<interface name="files_list_mnt" lineno="4219"> <summary> List the contents of /mnt. </summary> @@ -62510,7 +62627,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_mnt" lineno="4200"> +<interface name="files_dontaudit_list_mnt" lineno="4237"> <summary> Do not audit attempts to list the contents of /mnt. </summary> @@ -62520,7 +62637,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_mnt" lineno="4218"> +<interface name="files_mounton_mnt" lineno="4255"> <summary> Mount a filesystem on /mnt. </summary> 
@@ -62530,7 +62647,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mnt_dirs" lineno="4237"> +<interface name="files_manage_mnt_dirs" lineno="4274"> <summary> Create, read, write, and delete directories in /mnt. </summary> @@ -62541,7 +62658,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_mnt_files" lineno="4255"> +<interface name="files_manage_mnt_files" lineno="4292"> <summary> Create, read, write, and delete files in /mnt. </summary> @@ -62551,7 +62668,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_mnt_files" lineno="4273"> +<interface name="files_read_mnt_files" lineno="4310"> <summary> read files in /mnt. </summary> @@ -62561,7 +62678,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_mnt_symlinks" lineno="4291"> +<interface name="files_read_mnt_symlinks" lineno="4328"> <summary> Read symbolic links in /mnt. </summary> @@ -62571,7 +62688,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mnt_symlinks" lineno="4309"> +<interface name="files_manage_mnt_symlinks" lineno="4346"> <summary> Create, read, write, and delete symbolic links in /mnt. </summary> @@ -62581,7 +62698,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_kernel_modules" lineno="4327"> +<interface name="files_search_kernel_modules" lineno="4364"> <summary> Search the contents of the kernel module directories. </summary> @@ -62591,7 +62708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_kernel_modules" lineno="4346"> +<interface name="files_list_kernel_modules" lineno="4383"> <summary> List the contents of the kernel module directories. </summary> 
@@ -62601,7 +62718,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_kernel_modules" lineno="4365"> +<interface name="files_getattr_kernel_modules" lineno="4402"> <summary> Get the attributes of kernel module files. </summary> @@ -62611,7 +62728,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_kernel_modules" lineno="4383"> +<interface name="files_read_kernel_modules" lineno="4420"> <summary> Read kernel module files. </summary> @@ -62621,7 +62738,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mmap_read_kernel_modules" lineno="4403"> +<interface name="files_mmap_read_kernel_modules" lineno="4440"> <summary> Read and mmap kernel module files. </summary> @@ -62631,7 +62748,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_kernel_modules" lineno="4424"> +<interface name="files_write_kernel_modules" lineno="4461"> <summary> Write kernel module files. </summary> @@ -62641,7 +62758,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_kernel_modules" lineno="4443"> +<interface name="files_delete_kernel_modules" lineno="4480"> <summary> Delete kernel module files. </summary> @@ -62651,7 +62768,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_kernel_modules" lineno="4463"> +<interface name="files_manage_kernel_modules" lineno="4500"> <summary> Create, read, write, and delete kernel module files. @@ -62663,7 +62780,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_kernel_modules" lineno="4483"> +<interface name="files_relabel_kernel_modules" lineno="4520"> <summary> Relabel from and to kernel module files. </summary> 
@@ -62673,7 +62790,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_kernel_modules_dirs" lineno="4502"> +<interface name="files_mounton_kernel_modules_dirs" lineno="4539"> <summary> Mount on kernel module directories. </summary> @@ -62683,7 +62800,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_kernel_modules_filetrans" lineno="4536"> +<interface name="files_kernel_modules_filetrans" lineno="4573"> <summary> Create objects in the kernel module directories with a private type via an automatic type transition. @@ -62709,7 +62826,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_load_kernel_modules" lineno="4554"> +<interface name="files_load_kernel_modules" lineno="4591"> <summary> Load kernel module files. </summary> @@ -62719,7 +62836,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_load_kernel_modules" lineno="4573"> +<interface name="files_dontaudit_load_kernel_modules" lineno="4610"> <summary> Load kernel module files. </summary> @@ -62729,7 +62846,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_world_readable" lineno="4593"> +<interface name="files_list_world_readable" lineno="4630"> <summary> List world-readable directories. </summary> @@ -62740,7 +62857,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_files" lineno="4612"> +<interface name="files_read_world_readable_files" lineno="4649"> <summary> Read world-readable files. </summary> @@ -62751,7 +62868,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_symlinks" lineno="4631"> +<interface name="files_read_world_readable_symlinks" lineno="4668"> <summary> Read world-readable symbolic links. </summary> 
@@ -62762,7 +62879,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_pipes" lineno="4649"> +<interface name="files_read_world_readable_pipes" lineno="4686"> <summary> Read world-readable named pipes. </summary> @@ -62772,7 +62889,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_world_readable_sockets" lineno="4667"> +<interface name="files_read_world_readable_sockets" lineno="4704"> <summary> Read world-readable sockets. </summary> @@ -62782,7 +62899,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_associate_tmp" lineno="4687"> +<interface name="files_associate_tmp" lineno="4724"> <summary> Allow the specified type to associate to a filesystem with the type of the @@ -62794,7 +62911,7 @@ Type of the file to associate. </summary> </param> </interface> -<interface name="files_getattr_tmp_dirs" lineno="4705"> +<interface name="files_getattr_tmp_dirs" lineno="4742"> <summary> Get the attributes of the tmp directory (/tmp). </summary> @@ -62804,7 +62921,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4724"> +<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4761"> <summary> Do not audit attempts to get the attributes of the tmp directory (/tmp). @@ -62815,7 +62932,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_tmp" lineno="4742"> +<interface name="files_search_tmp" lineno="4779"> <summary> Search the tmp directory (/tmp). </summary> @@ -62825,7 +62942,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_tmp" lineno="4760"> +<interface name="files_dontaudit_search_tmp" lineno="4797"> <summary> Do not audit attempts to search the tmp directory (/tmp). </summary> 
@@ -62835,7 +62952,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_tmp" lineno="4778"> +<interface name="files_list_tmp" lineno="4815"> <summary> Read the tmp directory (/tmp). </summary> @@ -62845,7 +62962,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_tmp" lineno="4796"> +<interface name="files_dontaudit_list_tmp" lineno="4833"> <summary> Do not audit listing of the tmp directory (/tmp). </summary> @@ -62855,7 +62972,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_delete_tmp_dir_entry" lineno="4814"> +<interface name="files_delete_tmp_dir_entry" lineno="4851"> <summary> Remove entries from the tmp directory. </summary> @@ -62865,7 +62982,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_tmp_files" lineno="4832"> +<interface name="files_read_generic_tmp_files" lineno="4869"> <summary> Read files in the tmp directory (/tmp). </summary> @@ -62875,7 +62992,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_tmp_dirs" lineno="4850"> +<interface name="files_manage_generic_tmp_dirs" lineno="4887"> <summary> Manage temporary directories in /tmp. </summary> @@ -62885,7 +63002,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_generic_tmp_dirs" lineno="4868"> +<interface name="files_relabel_generic_tmp_dirs" lineno="4905"> <summary> Relabel temporary directories in /tmp. </summary> @@ -62895,7 +63012,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_tmp_files" lineno="4886"> +<interface name="files_manage_generic_tmp_files" lineno="4923"> <summary> Manage temporary files and directories in /tmp. </summary> 
@@ -62905,7 +63022,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_tmp_symlinks" lineno="4904"> +<interface name="files_read_generic_tmp_symlinks" lineno="4941"> <summary> Read symbolic links in the tmp directory (/tmp). </summary> @@ -62915,7 +63032,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_generic_tmp_sockets" lineno="4922"> +<interface name="files_rw_generic_tmp_sockets" lineno="4959"> <summary> Read and write generic named sockets in the tmp directory (/tmp). </summary> @@ -62925,7 +63042,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_tmp" lineno="4940"> +<interface name="files_mounton_tmp" lineno="4977"> <summary> Mount filesystems in the tmp directory (/tmp) </summary> @@ -62935,7 +63052,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_all_tmp_dirs" lineno="4958"> +<interface name="files_setattr_all_tmp_dirs" lineno="4995"> <summary> Set the attributes of all tmp directories. </summary> @@ -62945,7 +63062,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_all_tmp" lineno="4976"> +<interface name="files_list_all_tmp" lineno="5013"> <summary> List all tmp directories. </summary> @@ -62955,7 +63072,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_tmp_dirs" lineno="4996"> +<interface name="files_relabel_all_tmp_dirs" lineno="5033"> <summary> Relabel to and from all temporary directory types. @@ -62967,7 +63084,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5017"> +<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5054"> <summary> Do not audit attempts to get the attributes of all tmp files. 
@@ -62978,7 +63095,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_getattr_all_tmp_files" lineno="5036"> +<interface name="files_getattr_all_tmp_files" lineno="5073"> <summary> Allow attempts to get the attributes of all tmp files. @@ -62989,7 +63106,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_tmp_files" lineno="5056"> +<interface name="files_relabel_all_tmp_files" lineno="5093"> <summary> Relabel to and from all temporary file types. @@ -63001,7 +63118,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5077"> +<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5114"> <summary> Do not audit attempts to get the attributes of all tmp sock_file. @@ -63012,7 +63129,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_read_all_tmp_files" lineno="5095"> +<interface name="files_read_all_tmp_files" lineno="5132"> <summary> Read all tmp files. </summary> @@ -63022,7 +63139,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_tmp_filetrans" lineno="5129"> +<interface name="files_tmp_filetrans" lineno="5166"> <summary> Create an object in the tmp directories, with a private type using a type transition. @@ -63048,7 +63165,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_purge_tmp" lineno="5147"> +<interface name="files_purge_tmp" lineno="5184"> <summary> Delete the contents of /tmp. </summary> @@ -63058,7 +63175,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_all_tmpfs_files" lineno="5170"> +<interface name="files_getattr_all_tmpfs_files" lineno="5207"> <summary> Get the attributes of all tmpfs files. </summary> 
@@ -63068,7 +63185,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_usr_dirs" lineno="5189"> +<interface name="files_setattr_usr_dirs" lineno="5226"> <summary> Set the attributes of the /usr directory. </summary> @@ -63078,7 +63195,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_usr" lineno="5207"> +<interface name="files_search_usr" lineno="5244"> <summary> Search the content of /usr. </summary> @@ -63088,7 +63205,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_usr" lineno="5226"> +<interface name="files_list_usr" lineno="5263"> <summary> List the contents of generic directories in /usr. @@ -63099,7 +63216,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_usr_dirs" lineno="5244"> +<interface name="files_dontaudit_write_usr_dirs" lineno="5281"> <summary> Do not audit write of /usr dirs </summary> @@ -63109,7 +63226,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_usr_dirs" lineno="5262"> +<interface name="files_rw_usr_dirs" lineno="5299"> <summary> Add and remove entries from /usr directories. </summary> @@ -63119,7 +63236,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_rw_usr_dirs" lineno="5281"> +<interface name="files_dontaudit_rw_usr_dirs" lineno="5318"> <summary> Do not audit attempts to add and remove entries from /usr directories. @@ -63130,7 +63247,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_delete_usr_dirs" lineno="5299"> +<interface name="files_delete_usr_dirs" lineno="5336"> <summary> Delete generic directories in /usr in the caller domain. </summary> 
@@ -63140,7 +63257,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_usr_dirs" lineno="5317"> +<interface name="files_watch_usr_dirs" lineno="5354"> <summary> Watch generic directories in /usr. </summary> @@ -63150,7 +63267,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_usr_files" lineno="5335"> +<interface name="files_delete_usr_files" lineno="5372"> <summary> Delete generic files in /usr in the caller domain. </summary> @@ -63160,7 +63277,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_usr_files" lineno="5353"> +<interface name="files_getattr_usr_files" lineno="5390"> <summary> Get the attributes of files in /usr. </summary> @@ -63170,7 +63287,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_map_usr_files" lineno="5372"> +<interface name="files_map_usr_files" lineno="5409"> <summary> Map generic files in /usr. </summary> @@ -63181,7 +63298,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_read_usr_files" lineno="5408"> +<interface name="files_read_usr_files" lineno="5445"> <summary> Read generic files in /usr. </summary> @@ -63209,7 +63326,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_exec_usr_files" lineno="5428"> +<interface name="files_exec_usr_files" lineno="5465"> <summary> Execute generic programs in /usr in the caller domain. </summary> @@ -63219,7 +63336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_usr_files" lineno="5448"> +<interface name="files_dontaudit_write_usr_files" lineno="5485"> <summary> dontaudit write of /usr files </summary> 
@@ -63229,7 +63346,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_usr_files" lineno="5466"> +<interface name="files_manage_usr_files" lineno="5503"> <summary> Create, read, write, and delete files in the /usr directory. </summary> @@ -63239,7 +63356,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_usr_files" lineno="5484"> +<interface name="files_relabelto_usr_files" lineno="5521"> <summary> Relabel a file to the type used in /usr. </summary> @@ -63249,7 +63366,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelfrom_usr_files" lineno="5502"> +<interface name="files_relabelfrom_usr_files" lineno="5539"> <summary> Relabel a file from the type used in /usr. </summary> @@ -63259,7 +63376,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_usr_symlinks" lineno="5520"> +<interface name="files_read_usr_symlinks" lineno="5557"> <summary> Read symbolic links in /usr. </summary> @@ -63269,7 +63386,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_usr_filetrans" lineno="5553"> +<interface name="files_usr_filetrans" lineno="5590"> <summary> Create objects in the /usr directory </summary> @@ -63294,7 +63411,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_search_src" lineno="5571"> +<interface name="files_search_src" lineno="5608"> <summary> Search directories in /usr/src. </summary> @@ -63304,7 +63421,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_src" lineno="5589"> +<interface name="files_dontaudit_search_src" lineno="5626"> <summary> Do not audit attempts to search /usr/src. </summary> 
@@ -63314,7 +63431,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_getattr_usr_src_files" lineno="5607"> +<interface name="files_getattr_usr_src_files" lineno="5644"> <summary> Get the attributes of files in /usr/src. </summary> @@ -63324,7 +63441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_usr_src_files" lineno="5628"> +<interface name="files_read_usr_src_files" lineno="5665"> <summary> Read files in /usr/src. </summary> @@ -63334,7 +63451,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_usr_src_files" lineno="5649"> +<interface name="files_exec_usr_src_files" lineno="5686"> <summary> Execute programs in /usr/src in the caller domain. </summary> @@ -63344,7 +63461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_kernel_symbol_table" lineno="5669"> +<interface name="files_create_kernel_symbol_table" lineno="5706"> <summary> Install a system.map into the /boot directory. </summary> @@ -63354,7 +63471,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_kernel_symbol_table" lineno="5688"> +<interface name="files_read_kernel_symbol_table" lineno="5725"> <summary> Read system.map in the /boot directory. </summary> @@ -63364,7 +63481,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_kernel_symbol_table" lineno="5707"> +<interface name="files_delete_kernel_symbol_table" lineno="5744"> <summary> Delete a system.map in the /boot directory. </summary> @@ -63374,7 +63491,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_var" lineno="5726"> +<interface name="files_search_var" lineno="5763"> <summary> Search the contents of /var. </summary> 
@@ -63384,7 +63501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_var_dirs" lineno="5744"> +<interface name="files_dontaudit_write_var_dirs" lineno="5781"> <summary> Do not audit attempts to write to /var. </summary> @@ -63394,7 +63511,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_write_var_dirs" lineno="5762"> +<interface name="files_write_var_dirs" lineno="5799"> <summary> Allow attempts to write to /var.dirs </summary> @@ -63404,7 +63521,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_var" lineno="5781"> +<interface name="files_dontaudit_search_var" lineno="5818"> <summary> Do not audit attempts to search the contents of /var. @@ -63415,7 +63532,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_var" lineno="5799"> +<interface name="files_list_var" lineno="5836"> <summary> List the contents of /var. </summary> @@ -63425,7 +63542,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_var" lineno="5818"> +<interface name="files_dontaudit_list_var" lineno="5855"> <summary> Do not audit attempts to list the contents of /var. @@ -63436,7 +63553,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_var_dirs" lineno="5837"> +<interface name="files_manage_var_dirs" lineno="5874"> <summary> Create, read, write, and delete directories in the /var directory. @@ -63447,7 +63564,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_var_dirs" lineno="5855"> +<interface name="files_relabel_var_dirs" lineno="5892"> <summary> relabelto/from var directories </summary> 
@@ -63457,7 +63574,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_files" lineno="5873"> +<interface name="files_read_var_files" lineno="5910"> <summary> Read files in the /var directory. </summary> @@ -63467,7 +63584,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_append_var_files" lineno="5891"> +<interface name="files_append_var_files" lineno="5928"> <summary> Append files in the /var directory. </summary> @@ -63477,7 +63594,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_var_files" lineno="5909"> +<interface name="files_rw_var_files" lineno="5946"> <summary> Read and write files in the /var directory. </summary> @@ -63487,7 +63604,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_rw_var_files" lineno="5928"> +<interface name="files_dontaudit_rw_var_files" lineno="5965"> <summary> Do not audit attempts to read and write files in the /var directory. @@ -63498,7 +63615,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_var_files" lineno="5946"> +<interface name="files_manage_var_files" lineno="5983"> <summary> Create, read, write, and delete files in the /var directory. </summary> @@ -63508,7 +63625,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_symlinks" lineno="5964"> +<interface name="files_read_var_symlinks" lineno="6001"> <summary> Read symbolic links in the /var directory. </summary> @@ -63518,7 +63635,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_var_symlinks" lineno="5983"> +<interface name="files_manage_var_symlinks" lineno="6020"> <summary> Create, read, write, and delete symbolic links in the /var directory. 
@@ -63529,7 +63646,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_var_filetrans" lineno="6016"> +<interface name="files_var_filetrans" lineno="6053"> <summary> Create objects in the /var directory </summary> @@ -63554,7 +63671,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_var_lib_dirs" lineno="6034"> +<interface name="files_getattr_var_lib_dirs" lineno="6071"> <summary> Get the attributes of the /var/lib directory. </summary> @@ -63564,7 +63681,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_var_lib" lineno="6066"> +<interface name="files_search_var_lib" lineno="6103"> <summary> Search the /var/lib directory. </summary> @@ -63588,7 +63705,7 @@ Domain allowed access. </param> <infoflow type="read" weight="5"/> </interface> -<interface name="files_dontaudit_search_var_lib" lineno="6086"> +<interface name="files_dontaudit_search_var_lib" lineno="6123"> <summary> Do not audit attempts to search the contents of /var/lib. @@ -63600,7 +63717,7 @@ Domain to not audit. </param> <infoflow type="read" weight="5"/> </interface> -<interface name="files_list_var_lib" lineno="6104"> +<interface name="files_list_var_lib" lineno="6141"> <summary> List the contents of the /var/lib directory. </summary> @@ -63610,7 +63727,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_var_lib_dirs" lineno="6122"> +<interface name="files_rw_var_lib_dirs" lineno="6159"> <summary> Read-write /var/lib directories </summary> @@ -63620,7 +63737,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_var_lib_dirs" lineno="6140"> +<interface name="files_manage_var_lib_dirs" lineno="6177"> <summary> manage var_lib_t dirs </summary> 
@@ -63630,7 +63747,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_var_lib_dirs" lineno="6159"> +<interface name="files_relabel_var_lib_dirs" lineno="6196"> <summary> relabel var_lib_t dirs </summary> @@ -63640,7 +63757,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_var_lib_filetrans" lineno="6193"> +<interface name="files_var_lib_filetrans" lineno="6230"> <summary> Create objects in the /var/lib directory </summary> @@ -63665,7 +63782,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_read_var_lib_files" lineno="6212"> +<interface name="files_read_var_lib_files" lineno="6249"> <summary> Read generic files in /var/lib. </summary> @@ -63675,7 +63792,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_lib_symlinks" lineno="6231"> +<interface name="files_read_var_lib_symlinks" lineno="6268"> <summary> Read generic symbolic links in /var/lib </summary> @@ -63685,7 +63802,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_urandom_seed" lineno="6253"> +<interface name="files_manage_urandom_seed" lineno="6290"> <summary> Create, read, write, and delete the pseudorandom number generator seed. @@ -63696,7 +63813,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mounttab" lineno="6273"> +<interface name="files_manage_mounttab" lineno="6309"> <summary> Allow domain to manage mount tables necessary for rpcd, nfsd, etc. @@ -63707,7 +63824,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_lock_dirs" lineno="6292"> +<interface name="files_setattr_lock_dirs" lineno="6328"> <summary> Set the attributes of the generic lock directories. </summary> 
@@ -63717,7 +63834,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_locks" lineno="6310"> +<interface name="files_search_locks" lineno="6346"> <summary> Search the locks directory (/var/lock). </summary> @@ -63727,7 +63844,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_locks" lineno="6330"> +<interface name="files_dontaudit_search_locks" lineno="6366"> <summary> Do not audit attempts to search the locks directory (/var/lock). @@ -63738,7 +63855,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_locks" lineno="6349"> +<interface name="files_list_locks" lineno="6385"> <summary> List generic lock directories. </summary> @@ -63748,7 +63865,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_check_write_lock_dirs" lineno="6368"> +<interface name="files_check_write_lock_dirs" lineno="6404"> <summary> Test write access on lock directories. </summary> @@ -63758,7 +63875,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_add_entry_lock_dirs" lineno="6387"> +<interface name="files_add_entry_lock_dirs" lineno="6423"> <summary> Add entries in the /var/lock directories. </summary> @@ -63768,7 +63885,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_lock_dirs" lineno="6407"> +<interface name="files_rw_lock_dirs" lineno="6443"> <summary> Add and remove entries in the /var/lock directories. @@ -63779,7 +63896,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_lock_dirs" lineno="6426"> +<interface name="files_create_lock_dirs" lineno="6462"> <summary> Create lock directories </summary> 
@@ -63789,7 +63906,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_relabel_all_lock_dirs" lineno="6447"> +<interface name="files_relabel_all_lock_dirs" lineno="6483"> <summary> Relabel to and from all lock directory types. </summary> @@ -63800,7 +63917,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_generic_locks" lineno="6468"> +<interface name="files_getattr_generic_locks" lineno="6504"> <summary> Get the attributes of generic lock files. </summary> @@ -63810,7 +63927,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_generic_locks" lineno="6489"> +<interface name="files_delete_generic_locks" lineno="6525"> <summary> Delete generic lock files. </summary> @@ -63820,7 +63937,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_locks" lineno="6510"> +<interface name="files_manage_generic_locks" lineno="6546"> <summary> Create, read, write, and delete generic lock files. @@ -63831,7 +63948,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_locks" lineno="6532"> +<interface name="files_delete_all_locks" lineno="6568"> <summary> Delete all lock files. </summary> @@ -63842,7 +63959,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_all_locks" lineno="6553"> +<interface name="files_read_all_locks" lineno="6589"> <summary> Read all lock files. </summary> @@ -63852,7 +63969,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_all_locks" lineno="6576"> +<interface name="files_manage_all_locks" lineno="6612"> <summary> manage all lock files. </summary> 
@@ -63862,7 +63979,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_locks" lineno="6599"> +<interface name="files_relabel_all_locks" lineno="6635"> <summary> Relabel from/to all lock files. </summary> @@ -63872,7 +63989,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_lock_filetrans" lineno="6638"> +<interface name="files_lock_filetrans" lineno="6674"> <summary> Create an object in the locks directory, with a private type using a type transition. @@ -63898,7 +64015,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6659"> +<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6695"> <summary> Do not audit attempts to get the attributes of the /var/run directory. @@ -63909,7 +64026,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_mounton_runtime_dirs" lineno="6678"> +<interface name="files_mounton_runtime_dirs" lineno="6714"> <summary> mounton a /var/run directory. </summary> @@ -63919,7 +64036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_runtime_dirs" lineno="6696"> +<interface name="files_setattr_runtime_dirs" lineno="6732"> <summary> Set the attributes of the /var/run directory. </summary> @@ -63929,7 +64046,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_runtime" lineno="6716"> +<interface name="files_search_runtime" lineno="6752"> <summary> Search the contents of runtime process ID directories (/var/run). @@ -63940,7 +64057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_runtime" lineno="6736"> +<interface name="files_dontaudit_search_runtime" lineno="6772"> <summary> Do not audit attempts to search the /var/run directory. 
@@ -63951,7 +64068,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_runtime" lineno="6756"> +<interface name="files_list_runtime" lineno="6792"> <summary> List the contents of the runtime process ID directories (/var/run). @@ -63962,7 +64079,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_check_write_runtime_dirs" lineno="6775"> +<interface name="files_check_write_runtime_dirs" lineno="6811"> <summary> Check write access on /var/run directories. </summary> @@ -63972,7 +64089,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_runtime_dirs" lineno="6793"> +<interface name="files_create_runtime_dirs" lineno="6829"> <summary> Create a /var/run directory. </summary> @@ -63982,7 +64099,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_runtime_dirs" lineno="6811"> +<interface name="files_rw_runtime_dirs" lineno="6847"> +<summary> +Read and write a /var/run directory. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="files_watch_runtime_dirs" lineno="6865"> <summary> Watch /var/run directories. </summary> @@ -63992,7 +64119,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_runtime_files" lineno="6829"> +<interface name="files_read_runtime_files" lineno="6883"> <summary> Read generic runtime files. </summary> @@ -64002,7 +64129,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_runtime" lineno="6849"> +<interface name="files_exec_runtime" lineno="6903"> <summary> Execute generic programs in /var/run in the caller domain. </summary> 
@@ -64012,7 +64139,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_runtime_files" lineno="6867"> +<interface name="files_rw_runtime_files" lineno="6921"> <summary> Read and write generic runtime files. </summary> @@ -64022,7 +64149,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_runtime_symlinks" lineno="6887"> +<interface name="files_delete_runtime_symlinks" lineno="6941"> <summary> Delete generic runtime symlinks. </summary> @@ -64032,7 +64159,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_runtime_pipes" lineno="6905"> +<interface name="files_write_runtime_pipes" lineno="6959"> <summary> Write named generic runtime pipes. </summary> @@ -64042,7 +64169,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_dirs" lineno="6925"> +<interface name="files_delete_all_runtime_dirs" lineno="6979"> <summary> Delete all runtime dirs. </summary> @@ -64053,7 +64180,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_dirs" lineno="6943"> +<interface name="files_manage_all_runtime_dirs" lineno="6997"> <summary> Create, read, write, and delete all runtime directories. </summary> @@ -64063,7 +64190,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_dirs" lineno="6961"> +<interface name="files_relabel_all_runtime_dirs" lineno="7015"> <summary> Relabel all runtime directories. </summary> @@ -64073,7 +64200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_runtime_files" lineno="6980"> +<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7034"> <summary> Do not audit attempts to get the attributes of all runtime data files. 
@@ -64084,7 +64211,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_all_runtime_files" lineno="7001"> +<interface name="files_read_all_runtime_files" lineno="7055"> <summary> Read all runtime files. </summary> @@ -64095,7 +64222,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7022"> +<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7076"> <summary> Do not audit attempts to ioctl all runtime files. </summary> @@ -64105,7 +64232,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_write_all_runtime_files" lineno="7042"> +<interface name="files_dontaudit_write_all_runtime_files" lineno="7096"> <summary> Do not audit attempts to write to all runtime files. </summary> @@ -64115,7 +64242,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_delete_all_runtime_files" lineno="7063"> +<interface name="files_delete_all_runtime_files" lineno="7117"> <summary> Delete all runtime files. </summary> @@ -64126,7 +64253,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_files" lineno="7082"> +<interface name="files_manage_all_runtime_files" lineno="7136"> <summary> Create, read, write and delete all var_run (pid) files @@ -64137,7 +64264,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_files" lineno="7100"> +<interface name="files_relabel_all_runtime_files" lineno="7154"> <summary> Relabel all runtime files. </summary> @@ -64147,7 +64274,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_symlinks" lineno="7119"> +<interface name="files_delete_all_runtime_symlinks" lineno="7173"> <summary> Delete all runtime symlinks. </summary> 
@@ -64158,7 +64285,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_symlinks" lineno="7138"> +<interface name="files_manage_all_runtime_symlinks" lineno="7192"> <summary> Create, read, write and delete all var_run (pid) symbolic links. @@ -64169,7 +64296,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_symlinks" lineno="7156"> +<interface name="files_relabel_all_runtime_symlinks" lineno="7210"> <summary> Relabel all runtime symbolic links. </summary> @@ -64179,7 +64306,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_all_runtime_pipes" lineno="7174"> +<interface name="files_create_all_runtime_pipes" lineno="7228"> <summary> Create all runtime named pipes </summary> @@ -64189,7 +64316,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_pipes" lineno="7193"> +<interface name="files_delete_all_runtime_pipes" lineno="7247"> <summary> Delete all runtime named pipes </summary> @@ -64199,7 +64326,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_all_runtime_sockets" lineno="7212"> +<interface name="files_create_all_runtime_sockets" lineno="7266"> <summary> Create all runtime sockets. </summary> @@ -64209,7 +64336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_sockets" lineno="7230"> +<interface name="files_delete_all_runtime_sockets" lineno="7284"> <summary> Delete all runtime sockets. </summary> @@ -64219,7 +64346,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_sockets" lineno="7248"> +<interface name="files_relabel_all_runtime_sockets" lineno="7302"> <summary> Relabel all runtime named sockets. </summary> 
@@ -64229,7 +64356,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_runtime_filetrans" lineno="7308"> +<interface name="files_runtime_filetrans" lineno="7362"> <summary> Create an object in the /run directory, with a private type. </summary> @@ -64281,7 +64408,7 @@ The name of the object being created. </param> <infoflow type="write" weight="10"/> </interface> -<interface name="files_runtime_filetrans_lock_dir" lineno="7333"> +<interface name="files_runtime_filetrans_lock_dir" lineno="7387"> <summary> Create a generic lock directory within the run directories. </summary> @@ -64296,7 +64423,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_create_all_spool_sockets" lineno="7351"> +<interface name="files_create_all_spool_sockets" lineno="7405"> <summary> Create all spool sockets </summary> @@ -64306,7 +64433,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_spool_sockets" lineno="7369"> +<interface name="files_delete_all_spool_sockets" lineno="7423"> <summary> Delete all spool sockets </summary> @@ -64316,7 +64443,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_all_poly_members" lineno="7388"> +<interface name="files_mounton_all_poly_members" lineno="7442"> <summary> Mount filesystems on all polyinstantiation member directories. @@ -64327,7 +64454,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_spool" lineno="7407"> +<interface name="files_search_spool" lineno="7461"> <summary> Search the contents of generic spool directories (/var/spool). @@ -64338,7 +64465,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_spool" lineno="7426"> +<interface name="files_dontaudit_search_spool" lineno="7480"> <summary> Do not audit attempts to search generic spool directories. 
@@ -64349,7 +64476,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_spool" lineno="7445"> +<interface name="files_list_spool" lineno="7499"> <summary> List the contents of generic spool (/var/spool) directories. @@ -64360,7 +64487,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_spool_dirs" lineno="7464"> +<interface name="files_manage_generic_spool_dirs" lineno="7518"> <summary> Create, read, write, and delete generic spool directories (/var/spool). @@ -64371,7 +64498,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_spool" lineno="7483"> +<interface name="files_read_generic_spool" lineno="7537"> <summary> Read generic spool files. </summary> @@ -64381,7 +64508,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_spool" lineno="7503"> +<interface name="files_manage_generic_spool" lineno="7557"> <summary> Create, read, write, and delete generic spool files. @@ -64392,7 +64519,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_spool_filetrans" lineno="7539"> +<interface name="files_spool_filetrans" lineno="7593"> <summary> Create objects in the spool directory with a private type with a type transition. @@ -64419,7 +64546,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_polyinstantiate_all" lineno="7559"> +<interface name="files_polyinstantiate_all" lineno="7613"> <summary> Allow access to manage all polyinstantiated directories on the system. @@ -64430,7 +64557,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_unconfined" lineno="7613"> +<interface name="files_unconfined" lineno="7667"> <summary> Unconfined access to files. </summary> 
@@ -64440,7 +64567,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_runtime_lnk_files" lineno="7635"> +<interface name="files_manage_etc_runtime_lnk_files" lineno="7689"> <summary> Create, read, write, and delete symbolic links in /etc that are dynamically created on boot. @@ -64452,7 +64579,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_read_etc_runtime" lineno="7653"> +<interface name="files_dontaudit_read_etc_runtime" lineno="7707"> <summary> Do not audit attempts to read etc_runtime resources </summary> @@ -64462,7 +64589,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_src" lineno="7671"> +<interface name="files_list_src" lineno="7725"> <summary> List usr/src files </summary> @@ -64472,7 +64599,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_read_src_files" lineno="7689"> +<interface name="files_read_src_files" lineno="7743"> <summary> Read usr/src files </summary> @@ -64482,7 +64609,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_manage_src_files" lineno="7707"> +<interface name="files_manage_src_files" lineno="7761"> <summary> Manage /usr/src files </summary> @@ -64492,7 +64619,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_lib_filetrans_kernel_modules" lineno="7738"> +<interface name="files_lib_filetrans_kernel_modules" lineno="7792"> <summary> Create a resource in the generic lib location with an automatic type transition towards the kernel modules @@ -64514,7 +64641,7 @@ Optional name of the resource </summary> </param> </interface> -<interface name="files_read_etc_runtime" lineno="7756"> +<interface name="files_read_etc_runtime" lineno="7810"> <summary> Read etc runtime resources </summary> 
@@ -64524,7 +64651,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_relabel_all_non_security_file_types" lineno="7778"> +<interface name="files_relabel_all_non_security_file_types" lineno="7832"> <summary> Allow relabel from and to non-security types </summary> @@ -64535,7 +64662,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_non_security_file_types" lineno="7808"> +<interface name="files_manage_all_non_security_file_types" lineno="7862"> <summary> Manage non-security-sensitive resource types </summary> @@ -64546,7 +64673,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_all_pidfiles" lineno="7830"> +<interface name="files_relabel_all_pidfiles" lineno="7884"> <summary> Allow relabeling from and to any pidfile associated type </summary> @@ -65226,7 +65353,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_cgroup_filetrans" lineno="1180"> +<interface name="fs_mounton_cgroup_files" lineno="1164"> +<summary> +Mount on cgroup files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_cgroup_filetrans" lineno="1198"> <summary> Create an object in a cgroup tmpfs filesystem, with a private type using a type transition. 
@@ -65252,7 +65389,38 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_dontaudit_list_cifs_dirs" lineno="1201"> +<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1229"> +<summary> +Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t +type using a type transition. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<param name="object"> +<summary> +The object class of the object being created. +</summary> +</param> +<param name="name" optional="true"> +<summary> +The name of the object being created. +</summary> +</param> +</interface> +<interface name="fs_watch_memory_pressure" lineno="1247"> +<summary> +Allow managing a cgroup's memory.pressure file to get notifications +</summary> +<param name="domain"> +<summary> +Source domain +</summary> +</param> +</interface> +<interface name="fs_dontaudit_list_cifs_dirs" lineno="1266"> <summary> Do not audit attempts to read dirs on a CIFS or SMB filesystem. @@ -65263,7 +65431,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mount_cifs" lineno="1219"> +<interface name="fs_mount_cifs" lineno="1284"> <summary> Mount a CIFS or SMB network filesystem. </summary> @@ -65273,7 +65441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_cifs" lineno="1238"> +<interface name="fs_remount_cifs" lineno="1303"> <summary> Remount a CIFS or SMB network filesystem. This allows some mount options to be changed. @@ -65284,7 +65452,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_cifs" lineno="1256"> +<interface name="fs_unmount_cifs" lineno="1321"> <summary> Unmount a CIFS or SMB network filesystem. </summary> 
@@ -65294,7 +65462,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_cifs" lineno="1276"> +<interface name="fs_getattr_cifs" lineno="1341"> <summary> Get the attributes of a CIFS or SMB network filesystem. @@ -65306,7 +65474,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_search_cifs" lineno="1294"> +<interface name="fs_search_cifs" lineno="1359"> <summary> Search directories on a CIFS or SMB filesystem. </summary> @@ -65316,7 +65484,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_cifs" lineno="1313"> +<interface name="fs_list_cifs" lineno="1378"> <summary> List the contents of directories on a CIFS or SMB filesystem. @@ -65327,7 +65495,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_cifs" lineno="1332"> +<interface name="fs_dontaudit_list_cifs" lineno="1397"> <summary> Do not audit attempts to list the contents of directories on a CIFS or SMB filesystem. @@ -65338,7 +65506,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mounton_cifs" lineno="1350"> +<interface name="fs_mounton_cifs" lineno="1415"> <summary> Mounton a CIFS filesystem. </summary> @@ -65348,7 +65516,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_files" lineno="1369"> +<interface name="fs_read_cifs_files" lineno="1434"> <summary> Read files on a CIFS or SMB filesystem. </summary> @@ -65359,7 +65527,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_all_inherited_image_files" lineno="1389"> +<interface name="fs_read_all_inherited_image_files" lineno="1454"> <summary> Read all inherited filesystem image files. </summary> 
@@ -65370,7 +65538,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_all_image_files" lineno="1408"> +<interface name="fs_read_all_image_files" lineno="1473"> <summary> Read all filesystem image files. </summary> @@ -65381,7 +65549,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_read_all_image_files" lineno="1427"> +<interface name="fs_mmap_read_all_image_files" lineno="1492"> <summary> Mmap-read all filesystem image files. </summary> @@ -65392,7 +65560,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_rw_all_image_files" lineno="1446"> +<interface name="fs_rw_all_image_files" lineno="1511"> <summary> Read and write all filesystem image files. </summary> @@ -65403,7 +65571,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_rw_all_image_files" lineno="1465"> +<interface name="fs_mmap_rw_all_image_files" lineno="1530"> <summary> Mmap-Read-write all filesystem image files. </summary> @@ -65414,7 +65582,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_write_all_image_files" lineno="1484"> +<interface name="fs_dontaudit_write_all_image_files" lineno="1549"> <summary> Do not audit attempts to write all filesystem image files. </summary> @@ -65425,7 +65593,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_noxattr_fs" lineno="1504"> +<interface name="fs_getattr_noxattr_fs" lineno="1569"> <summary> Get the attributes of filesystems that do not have extended attribute support. @@ -65437,7 +65605,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_list_noxattr_fs" lineno="1522"> +<interface name="fs_list_noxattr_fs" lineno="1587"> <summary> Read all noxattrfs directories. </summary> 
@@ -65447,7 +65615,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_noxattr_fs" lineno="1541"> +<interface name="fs_dontaudit_list_noxattr_fs" lineno="1606"> <summary> Do not audit attempts to list all noxattrfs directories. @@ -65458,7 +65626,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_dirs" lineno="1559"> +<interface name="fs_manage_noxattr_fs_dirs" lineno="1624"> <summary> Create, read, write, and delete all noxattrfs directories. </summary> @@ -65468,7 +65636,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_noxattr_fs_files" lineno="1577"> +<interface name="fs_read_noxattr_fs_files" lineno="1642"> <summary> Read all noxattrfs files. </summary> @@ -65478,7 +65646,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1597"> +<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1662"> <summary> Do not audit attempts to read all noxattrfs files. @@ -65489,7 +65657,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1615"> +<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1680"> <summary> Dont audit attempts to write to noxattrfs files. </summary> @@ -65499,7 +65667,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_files" lineno="1633"> +<interface name="fs_manage_noxattr_fs_files" lineno="1698"> <summary> Create, read, write, and delete all noxattrfs files. </summary> @@ -65509,7 +65677,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_noxattr_fs_symlinks" lineno="1652"> +<interface name="fs_read_noxattr_fs_symlinks" lineno="1717"> <summary> Read all noxattrfs symbolic links. </summary> 
@@ -65519,7 +65687,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_symlinks" lineno="1671"> +<interface name="fs_manage_noxattr_fs_symlinks" lineno="1736"> <summary> Manage all noxattrfs symbolic links. </summary> @@ -65529,7 +65697,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_noxattr_fs" lineno="1691"> +<interface name="fs_relabelfrom_noxattr_fs" lineno="1756"> <summary> Relabel all objects from filesystems that do not support extended attributes. @@ -65540,7 +65708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_cifs_files" lineno="1717"> +<interface name="fs_dontaudit_read_cifs_files" lineno="1782"> <summary> Do not audit attempts to read files on a CIFS or SMB filesystem. @@ -65551,7 +65719,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_append_cifs_files" lineno="1737"> +<interface name="fs_append_cifs_files" lineno="1802"> <summary> Append files on a CIFS filesystem. @@ -65563,7 +65731,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_append_cifs_files" lineno="1757"> +<interface name="fs_dontaudit_append_cifs_files" lineno="1822"> <summary> dontaudit Append files on a CIFS filesystem. @@ -65575,7 +65743,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_rw_cifs_files" lineno="1776"> +<interface name="fs_dontaudit_rw_cifs_files" lineno="1841"> <summary> Do not audit attempts to read or write files on a CIFS or SMB filesystem. @@ -65586,7 +65754,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_read_cifs_symlinks" lineno="1794"> +<interface name="fs_read_cifs_symlinks" lineno="1859"> <summary> Read symbolic links on a CIFS or SMB filesystem. </summary> 
@@ -65596,7 +65764,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_named_pipes" lineno="1814"> +<interface name="fs_read_cifs_named_pipes" lineno="1879"> <summary> Read named pipes on a CIFS or SMB network filesystem. @@ -65607,7 +65775,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_named_sockets" lineno="1833"> +<interface name="fs_read_cifs_named_sockets" lineno="1898"> <summary> Read named sockets on a CIFS or SMB network filesystem. @@ -65618,7 +65786,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_exec_cifs_files" lineno="1854"> +<interface name="fs_exec_cifs_files" lineno="1919"> <summary> Execute files on a CIFS or SMB network filesystem, in the caller @@ -65631,7 +65799,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_cifs_dirs" lineno="1875"> +<interface name="fs_manage_cifs_dirs" lineno="1940"> <summary> Create, read, write, and delete directories on a CIFS or SMB network filesystem. @@ -65643,7 +65811,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1895"> +<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1960"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -65655,7 +65823,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_cifs_files" lineno="1915"> +<interface name="fs_manage_cifs_files" lineno="1980"> <summary> Create, read, write, and delete files on a CIFS or SMB network filesystem. @@ -65667,7 +65835,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_cifs_files" lineno="1935"> +<interface name="fs_dontaudit_manage_cifs_files" lineno="2000"> <summary> Do not audit attempts to create, read, write, and delete files 
@@ -65679,7 +65847,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_cifs_symlinks" lineno="1954"> +<interface name="fs_manage_cifs_symlinks" lineno="2019"> <summary> Create, read, write, and delete symbolic links on a CIFS or SMB network filesystem. @@ -65690,7 +65858,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_cifs_named_pipes" lineno="1973"> +<interface name="fs_manage_cifs_named_pipes" lineno="2038"> <summary> Create, read, write, and delete named pipes on a CIFS or SMB network filesystem. @@ -65701,7 +65869,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_cifs_named_sockets" lineno="1992"> +<interface name="fs_manage_cifs_named_sockets" lineno="2057"> <summary> Create, read, write, and delete named sockets on a CIFS or SMB network filesystem. @@ -65712,7 +65880,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_cifs_domtrans" lineno="2035"> +<interface name="fs_cifs_domtrans" lineno="2100"> <summary> Execute a file on a CIFS or SMB filesystem in the specified domain. @@ -65747,7 +65915,7 @@ The type of the new process. </summary> </param> </interface> -<interface name="fs_manage_configfs_dirs" lineno="2055"> +<interface name="fs_manage_configfs_dirs" lineno="2120"> <summary> Create, read, write, and delete dirs on a configfs filesystem. @@ -65758,7 +65926,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_configfs_files" lineno="2074"> +<interface name="fs_manage_configfs_files" lineno="2139"> <summary> Create, read, write, and delete files on a configfs filesystem. @@ -65769,7 +65937,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_dos_fs" lineno="2093"> +<interface name="fs_mount_dos_fs" lineno="2158"> <summary> Mount a DOS filesystem, such as FAT32 or NTFS. 
@@ -65780,7 +65948,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_dos_fs" lineno="2113"> +<interface name="fs_remount_dos_fs" lineno="2178"> <summary> Remount a DOS filesystem, such as FAT32 or NTFS. This allows @@ -65792,7 +65960,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_dos_fs" lineno="2132"> +<interface name="fs_unmount_dos_fs" lineno="2197"> <summary> Unmount a DOS filesystem, such as FAT32 or NTFS. @@ -65803,7 +65971,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_dos_fs" lineno="2152"> +<interface name="fs_getattr_dos_fs" lineno="2217"> <summary> Get the attributes of a DOS filesystem, such as FAT32 or NTFS. @@ -65815,7 +65983,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_relabelfrom_dos_fs" lineno="2171"> +<interface name="fs_relabelfrom_dos_fs" lineno="2236"> <summary> Allow changing of the label of a DOS filesystem using the context= mount option. @@ -65826,7 +65994,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_dos_dirs" lineno="2189"> +<interface name="fs_getattr_dos_dirs" lineno="2254"> <summary> Get attributes of directories on a dosfs filesystem. </summary> @@ -65836,7 +66004,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_dos" lineno="2207"> +<interface name="fs_search_dos" lineno="2272"> <summary> Search dosfs filesystem. </summary> @@ -65846,7 +66014,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_dos" lineno="2225"> +<interface name="fs_list_dos" lineno="2290"> <summary> List dirs DOS filesystem. </summary> @@ -65856,7 +66024,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_dos_dirs" lineno="2244"> +<interface name="fs_manage_dos_dirs" lineno="2309"> <summary> Create, read, write, and delete dirs on a DOS filesystem. 
@@ -65867,7 +66035,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_dos_files" lineno="2262"> +<interface name="fs_read_dos_files" lineno="2327"> <summary> Read files on a DOS filesystem. </summary> @@ -65877,7 +66045,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mmap_read_dos_files" lineno="2280"> +<interface name="fs_mmap_read_dos_files" lineno="2345"> <summary> Read and map files on a DOS filesystem. </summary> @@ -65887,7 +66055,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_dos_files" lineno="2300"> +<interface name="fs_manage_dos_files" lineno="2365"> <summary> Create, read, write, and delete files on a DOS filesystem. @@ -65898,7 +66066,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_ecryptfs" lineno="2318"> +<interface name="fs_list_ecryptfs" lineno="2383"> <summary> Read symbolic links on an eCryptfs filesystem. </summary> @@ -65908,7 +66076,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ecryptfs_dirs" lineno="2339"> +<interface name="fs_manage_ecryptfs_dirs" lineno="2404"> <summary> Create, read, write, and delete directories on an eCryptfs filesystem. @@ -65920,7 +66088,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_ecryptfs_files" lineno="2359"> +<interface name="fs_manage_ecryptfs_files" lineno="2424"> <summary> Create, read, write, and delete files on an eCryptfs filesystem. @@ -65932,7 +66100,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_ecryptfs_named_sockets" lineno="2378"> +<interface name="fs_manage_ecryptfs_named_sockets" lineno="2443"> <summary> Create, read, write, and delete named sockets on an eCryptfs filesystem. 
@@ -65943,7 +66111,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_efivarfs" lineno="2396"> +<interface name="fs_getattr_efivarfs" lineno="2461"> <summary> Get the attributes of efivarfs filesystems. </summary> @@ -65953,7 +66121,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_efivars" lineno="2414"> +<interface name="fs_list_efivars" lineno="2479"> <summary> List dirs in efivarfs filesystem. </summary> @@ -65963,7 +66131,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_efivarfs_files" lineno="2434"> +<interface name="fs_read_efivarfs_files" lineno="2499"> <summary> Read files in efivarfs - contains Linux Kernel configuration options for UEFI systems @@ -65975,7 +66143,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_efivarfs_files" lineno="2454"> +<interface name="fs_setattr_efivarfs_files" lineno="2519"> <summary> Set the attributes of files in efivarfs - contains Linux Kernel configuration options for UEFI systems @@ -65987,7 +66155,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_efivarfs_files" lineno="2474"> +<interface name="fs_manage_efivarfs_files" lineno="2539"> <summary> Create, read, write, and delete files on a efivarfs filesystem. @@ -65999,7 +66167,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_fusefs" lineno="2492"> +<interface name="fs_getattr_fusefs" lineno="2557"> <summary> stat a FUSE filesystem </summary> @@ -66009,7 +66177,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_fusefs" lineno="2510"> +<interface name="fs_mount_fusefs" lineno="2575"> <summary> Mount a FUSE filesystem. </summary> 
@@ -66019,7 +66187,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_fusefs" lineno="2528"> +<interface name="fs_unmount_fusefs" lineno="2593"> <summary> Unmount a FUSE filesystem. </summary> @@ -66029,7 +66197,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_fusefs" lineno="2546"> +<interface name="fs_remount_fusefs" lineno="2611"> <summary> Remount a FUSE filesystem. </summary> @@ -66039,7 +66207,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_fusefs" lineno="2564"> +<interface name="fs_mounton_fusefs" lineno="2629"> <summary> Mounton a FUSEFS filesystem. </summary> @@ -66049,7 +66217,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_fusefs_entry_type" lineno="2583"> +<interface name="fs_fusefs_entry_type" lineno="2648"> <summary> Make FUSEFS files an entrypoint for the specified domain. @@ -66060,7 +66228,7 @@ The domain for which fusefs_t is an entrypoint. </summary> </param> </interface> -<interface name="fs_fusefs_domtrans" lineno="2616"> +<interface name="fs_fusefs_domtrans" lineno="2681"> <summary> Execute FUSEFS files in a specified domain. </summary> @@ -66085,7 +66253,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="fs_search_fusefs" lineno="2636"> +<interface name="fs_search_fusefs" lineno="2701"> <summary> Search directories on a FUSEFS filesystem. @@ -66097,7 +66265,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_list_fusefs" lineno="2656"> +<interface name="fs_list_fusefs" lineno="2721"> <summary> List the contents of directories on a FUSEFS filesystem. 
@@ -66109,7 +66277,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_list_fusefs" lineno="2675"> +<interface name="fs_dontaudit_list_fusefs" lineno="2740"> <summary> Do not audit attempts to list the contents of directories on a FUSEFS filesystem. @@ -66120,7 +66288,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_setattr_fusefs_dirs" lineno="2695"> +<interface name="fs_setattr_fusefs_dirs" lineno="2760"> <summary> Set the attributes of directories on a FUSEFS filesystem. @@ -66132,7 +66300,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_dirs" lineno="2715"> +<interface name="fs_manage_fusefs_dirs" lineno="2780"> <summary> Create, read, write, and delete directories on a FUSEFS filesystem. @@ -66144,7 +66312,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2735"> +<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2800"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -66156,7 +66324,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_fusefs_files" lineno="2755"> +<interface name="fs_getattr_fusefs_files" lineno="2820"> <summary> Get the attributes of files on a FUSEFS filesystem. @@ -66168,7 +66336,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_fusefs_files" lineno="2774"> +<interface name="fs_read_fusefs_files" lineno="2839"> <summary> Read, a FUSEFS filesystem. </summary> @@ -66179,7 +66347,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_exec_fusefs_files" lineno="2793"> +<interface name="fs_exec_fusefs_files" lineno="2858"> <summary> Execute files on a FUSEFS filesystem. </summary> 
@@ -66190,7 +66358,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_files" lineno="2813"> +<interface name="fs_setattr_fusefs_files" lineno="2878"> <summary> Set the attributes of files on a FUSEFS filesystem. @@ -66202,7 +66370,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_files" lineno="2833"> +<interface name="fs_manage_fusefs_files" lineno="2898"> <summary> Create, read, write, and delete files on a FUSEFS filesystem. @@ -66214,7 +66382,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_fusefs_files" lineno="2853"> +<interface name="fs_dontaudit_manage_fusefs_files" lineno="2918"> <summary> Do not audit attempts to create, read, write, and delete files @@ -66226,7 +66394,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_fusefs_symlinks" lineno="2873"> +<interface name="fs_getattr_fusefs_symlinks" lineno="2938"> <summary> Get the attributes of symlinks on a FUSEFS filesystem. @@ -66238,7 +66406,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_fusefs_symlinks" lineno="2891"> +<interface name="fs_read_fusefs_symlinks" lineno="2956"> <summary> Read symbolic links on a FUSEFS filesystem. </summary> @@ -66248,7 +66416,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_setattr_fusefs_symlinks" lineno="2912"> +<interface name="fs_setattr_fusefs_symlinks" lineno="2977"> <summary> Set the attributes of symlinks on a FUSEFS filesystem. @@ -66260,7 +66428,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_symlinks" lineno="2931"> +<interface name="fs_manage_fusefs_symlinks" lineno="2996"> <summary> Manage symlinks on a FUSEFS filesystem. </summary> 
@@ -66271,7 +66439,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_fifo_files" lineno="2951"> +<interface name="fs_getattr_fusefs_fifo_files" lineno="3016"> <summary> Get the attributes of named pipes on a FUSEFS filesystem. @@ -66283,7 +66451,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_fifo_files" lineno="2971"> +<interface name="fs_setattr_fusefs_fifo_files" lineno="3036"> <summary> Set the attributes of named pipes on a FUSEFS filesystem. @@ -66295,7 +66463,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_fifo_files" lineno="2991"> +<interface name="fs_manage_fusefs_fifo_files" lineno="3056"> <summary> Manage named pipes on a FUSEFS filesystem. @@ -66307,7 +66475,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_sock_files" lineno="3011"> +<interface name="fs_getattr_fusefs_sock_files" lineno="3076"> <summary> Get the attributes of named sockets on a FUSEFS filesystem. @@ -66319,7 +66487,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_sock_files" lineno="3031"> +<interface name="fs_setattr_fusefs_sock_files" lineno="3096"> <summary> Set the attributes of named sockets on a FUSEFS filesystem. @@ -66331,7 +66499,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_sock_files" lineno="3051"> +<interface name="fs_manage_fusefs_sock_files" lineno="3116"> <summary> Manage named sockets on a FUSEFS filesystem. @@ -66343,7 +66511,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_chr_files" lineno="3071"> +<interface name="fs_getattr_fusefs_chr_files" lineno="3136"> <summary> Get the attributes of character files on a FUSEFS filesystem. 
@@ -66355,7 +66523,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_chr_files" lineno="3091"> +<interface name="fs_setattr_fusefs_chr_files" lineno="3156"> <summary> Set the attributes of character files on a FUSEFS filesystem. @@ -66367,7 +66535,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_chr_files" lineno="3111"> +<interface name="fs_manage_fusefs_chr_files" lineno="3176"> <summary> Manage character files on a FUSEFS filesystem. @@ -66379,7 +66547,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_hugetlbfs" lineno="3130"> +<interface name="fs_getattr_hugetlbfs" lineno="3195"> <summary> Get the attributes of an hugetlbfs filesystem. @@ -66390,7 +66558,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_hugetlbfs" lineno="3148"> +<interface name="fs_list_hugetlbfs" lineno="3213"> <summary> List hugetlbfs. </summary> @@ -66400,7 +66568,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_hugetlbfs_dirs" lineno="3166"> +<interface name="fs_manage_hugetlbfs_dirs" lineno="3231"> <summary> Manage hugetlbfs dirs. </summary> @@ -66410,7 +66578,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3184"> +<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3249"> <summary> Read and write inherited hugetlbfs files. </summary> @@ -66420,7 +66588,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_hugetlbfs_files" lineno="3202"> +<interface name="fs_rw_hugetlbfs_files" lineno="3267"> <summary> Read and write hugetlbfs files. </summary> 
@@ -66430,7 +66598,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3220"> +<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3285"> <summary> Read, map and write hugetlbfs files. </summary> @@ -66440,7 +66608,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_associate_hugetlbfs" lineno="3239"> +<interface name="fs_associate_hugetlbfs" lineno="3304"> <summary> Allow the type to associate to hugetlbfs filesystems. </summary> @@ -66450,7 +66618,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_search_inotifyfs" lineno="3257"> +<interface name="fs_search_inotifyfs" lineno="3322"> <summary> Search inotifyfs filesystem. </summary> @@ -66460,7 +66628,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_inotifyfs" lineno="3275"> +<interface name="fs_list_inotifyfs" lineno="3340"> <summary> List inotifyfs filesystem. </summary> @@ -66470,7 +66638,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_inotifyfs" lineno="3293"> +<interface name="fs_dontaudit_list_inotifyfs" lineno="3358"> <summary> Dontaudit List inotifyfs filesystem. </summary> @@ -66480,7 +66648,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_hugetlbfs_filetrans" lineno="3327"> +<interface name="fs_hugetlbfs_filetrans" lineno="3392"> <summary> Create an object in a hugetlbfs filesystem, with a private type using a type transition. @@ -66506,7 +66674,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_mount_iso9660_fs" lineno="3347"> +<interface name="fs_mount_iso9660_fs" lineno="3412"> <summary> Mount an iso9660 filesystem, which is usually used on CDs. 
@@ -66517,7 +66685,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_iso9660_fs" lineno="3367"> +<interface name="fs_remount_iso9660_fs" lineno="3432"> <summary> Remount an iso9660 filesystem, which is usually used on CDs. This allows @@ -66529,7 +66697,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_iso9660_fs" lineno="3386"> +<interface name="fs_relabelfrom_iso9660_fs" lineno="3451"> <summary> Allow changing of the label of a filesystem with iso9660 type @@ -66540,7 +66708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_iso9660_fs" lineno="3405"> +<interface name="fs_unmount_iso9660_fs" lineno="3470"> <summary> Unmount an iso9660 filesystem, which is usually used on CDs. @@ -66551,7 +66719,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_iso9660_fs" lineno="3425"> +<interface name="fs_getattr_iso9660_fs" lineno="3490"> <summary> Get the attributes of an iso9660 filesystem, which is usually used on CDs. @@ -66563,7 +66731,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_iso9660_files" lineno="3444"> +<interface name="fs_getattr_iso9660_files" lineno="3509"> <summary> Get the attributes of files on an iso9660 filesystem, which is usually used on CDs. @@ -66574,7 +66742,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_iso9660_files" lineno="3464"> +<interface name="fs_read_iso9660_files" lineno="3529"> <summary> Read files on an iso9660 filesystem, which is usually used on CDs. @@ -66585,7 +66753,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_nfs" lineno="3484"> +<interface name="fs_mount_nfs" lineno="3549"> <summary> Mount a NFS filesystem. </summary> 
@@ -66595,7 +66763,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_nfs" lineno="3503"> +<interface name="fs_remount_nfs" lineno="3568"> <summary> Remount a NFS filesystem. This allows some mount options to be changed. @@ -66606,7 +66774,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nfs" lineno="3521"> +<interface name="fs_unmount_nfs" lineno="3586"> <summary> Unmount a NFS filesystem. </summary> @@ -66616,7 +66784,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfs" lineno="3540"> +<interface name="fs_getattr_nfs" lineno="3605"> <summary> Get the attributes of a NFS filesystem. </summary> @@ -66627,7 +66795,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_search_nfs" lineno="3558"> +<interface name="fs_search_nfs" lineno="3623"> <summary> Search directories on a NFS filesystem. </summary> @@ -66637,7 +66805,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_nfs" lineno="3576"> +<interface name="fs_list_nfs" lineno="3641"> <summary> List NFS filesystem. </summary> @@ -66647,7 +66815,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_nfs" lineno="3595"> +<interface name="fs_dontaudit_list_nfs" lineno="3660"> <summary> Do not audit attempts to list the contents of directories on a NFS filesystem. @@ -66658,7 +66826,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_watch_nfs_dirs" lineno="3614"> +<interface name="fs_watch_nfs_dirs" lineno="3679"> <summary> Add a watch on directories on an NFS filesystem. @@ -66669,7 +66837,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_nfs" lineno="3632"> +<interface name="fs_mounton_nfs" lineno="3697"> <summary> Mounton a NFS filesystem. </summary> 
@@ -66679,7 +66847,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_files" lineno="3651"> +<interface name="fs_read_nfs_files" lineno="3716"> <summary> Read files on a NFS filesystem. </summary> @@ -66690,7 +66858,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_read_nfs_files" lineno="3671"> +<interface name="fs_dontaudit_read_nfs_files" lineno="3736"> <summary> Do not audit attempts to read files on a NFS filesystem. @@ -66701,7 +66869,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_write_nfs_files" lineno="3689"> +<interface name="fs_write_nfs_files" lineno="3754"> <summary> Read files on a NFS filesystem. </summary> @@ -66711,7 +66879,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_exec_nfs_files" lineno="3709"> +<interface name="fs_exec_nfs_files" lineno="3774"> <summary> Execute files on a NFS filesystem. </summary> @@ -66722,7 +66890,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_append_nfs_files" lineno="3730"> +<interface name="fs_append_nfs_files" lineno="3795"> <summary> Append files on a NFS filesystem. @@ -66734,7 +66902,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_append_nfs_files" lineno="3750"> +<interface name="fs_dontaudit_append_nfs_files" lineno="3815"> <summary> dontaudit Append files on a NFS filesystem. @@ -66746,7 +66914,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_rw_nfs_files" lineno="3769"> +<interface name="fs_dontaudit_rw_nfs_files" lineno="3834"> <summary> Do not audit attempts to read or write files on a NFS filesystem. 
@@ -66757,7 +66925,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_watch_nfs_files" lineno="3787"> +<interface name="fs_watch_nfs_files" lineno="3852"> <summary> Add a watch on files on an NFS filesystem. </summary> @@ -66767,7 +66935,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_symlinks" lineno="3805"> +<interface name="fs_read_nfs_symlinks" lineno="3870"> <summary> Read symbolic links on a NFS filesystem. </summary> @@ -66777,7 +66945,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3824"> +<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3889"> <summary> Dontaudit read symbolic links on a NFS filesystem. </summary> @@ -66787,7 +66955,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_read_nfs_named_sockets" lineno="3842"> +<interface name="fs_read_nfs_named_sockets" lineno="3907"> <summary> Read named sockets on a NFS filesystem. </summary> @@ -66797,7 +66965,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_named_pipes" lineno="3861"> +<interface name="fs_read_nfs_named_pipes" lineno="3926"> <summary> Read named pipes on a NFS network filesystem. </summary> @@ -66808,7 +66976,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_rpc_dirs" lineno="3880"> +<interface name="fs_getattr_rpc_dirs" lineno="3945"> <summary> Get the attributes of directories of RPC file system pipes. @@ -66819,7 +66987,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_rpc" lineno="3899"> +<interface name="fs_search_rpc" lineno="3964"> <summary> Search directories of RPC file system pipes. </summary> 
@@ -66829,7 +66997,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_removable" lineno="3917"> +<interface name="fs_search_removable" lineno="3982"> <summary> Search removable storage directories. </summary> @@ -66839,7 +67007,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_removable" lineno="3935"> +<interface name="fs_dontaudit_list_removable" lineno="4000"> <summary> Do not audit attempts to list removable storage directories. </summary> @@ -66849,7 +67017,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_read_removable_files" lineno="3953"> +<interface name="fs_read_removable_files" lineno="4018"> <summary> Read removable storage files. </summary> @@ -66859,7 +67027,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_removable_files" lineno="3971"> +<interface name="fs_dontaudit_read_removable_files" lineno="4036"> <summary> Do not audit attempts to read removable storage files. </summary> @@ -66869,7 +67037,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_dontaudit_write_removable_files" lineno="3989"> +<interface name="fs_dontaudit_write_removable_files" lineno="4054"> <summary> Do not audit attempts to write removable storage files. </summary> @@ -66879,7 +67047,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_read_removable_symlinks" lineno="4007"> +<interface name="fs_read_removable_symlinks" lineno="4072"> <summary> Read removable storage symbolic links. </summary> @@ -66889,7 +67057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_removable_blk_files" lineno="4025"> +<interface name="fs_read_removable_blk_files" lineno="4090"> <summary> Read block nodes on removable filesystems. </summary> 
@@ -66899,7 +67067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_removable_blk_files" lineno="4044"> +<interface name="fs_rw_removable_blk_files" lineno="4109"> <summary> Read and write block nodes on removable filesystems. </summary> @@ -66909,7 +67077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_rpc" lineno="4063"> +<interface name="fs_list_rpc" lineno="4128"> <summary> Read directories of RPC file system pipes. </summary> @@ -66919,7 +67087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_files" lineno="4081"> +<interface name="fs_read_rpc_files" lineno="4146"> <summary> Read files of RPC file system pipes. </summary> @@ -66929,7 +67097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_symlinks" lineno="4099"> +<interface name="fs_read_rpc_symlinks" lineno="4164"> <summary> Read symbolic links of RPC file system pipes. </summary> @@ -66939,7 +67107,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_sockets" lineno="4117"> +<interface name="fs_read_rpc_sockets" lineno="4182"> <summary> Read sockets of RPC file system pipes. </summary> @@ -66949,7 +67117,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_rpc_sockets" lineno="4135"> +<interface name="fs_rw_rpc_sockets" lineno="4200"> <summary> Read and write sockets of RPC file system pipes. </summary> @@ -66959,7 +67127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_nfs_dirs" lineno="4155"> +<interface name="fs_manage_nfs_dirs" lineno="4220"> <summary> Create, read, write, and delete directories on a NFS filesystem. 
@@ -66971,7 +67139,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4175"> +<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4240"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -66983,7 +67151,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_nfs_files" lineno="4195"> +<interface name="fs_manage_nfs_files" lineno="4260"> <summary> Create, read, write, and delete files on a NFS filesystem. @@ -66995,7 +67163,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_nfs_files" lineno="4215"> +<interface name="fs_dontaudit_manage_nfs_files" lineno="4280"> <summary> Do not audit attempts to create, read, write, and delete files @@ -67007,7 +67175,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_nfs_symlinks" lineno="4235"> +<interface name="fs_manage_nfs_symlinks" lineno="4300"> <summary> Create, read, write, and delete symbolic links on a NFS network filesystem. @@ -67019,7 +67187,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_nfs_named_pipes" lineno="4254"> +<interface name="fs_manage_nfs_named_pipes" lineno="4319"> <summary> Create, read, write, and delete named pipes on a NFS filesystem. @@ -67030,7 +67198,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_nfs_named_sockets" lineno="4273"> +<interface name="fs_manage_nfs_named_sockets" lineno="4338"> <summary> Create, read, write, and delete named sockets on a NFS filesystem. @@ -67041,7 +67209,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_nfs_domtrans" lineno="4316"> +<interface name="fs_nfs_domtrans" lineno="4381"> <summary> Execute a file on a NFS filesystem in the specified domain. 
@@ -67076,7 +67244,7 @@ The type of the new process. </summary> </param> </interface> -<interface name="fs_mount_nfsd_fs" lineno="4335"> +<interface name="fs_mount_nfsd_fs" lineno="4400"> <summary> Mount a NFS server pseudo filesystem. </summary> @@ -67086,7 +67254,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_nfsd_fs" lineno="4354"> +<interface name="fs_remount_nfsd_fs" lineno="4419"> <summary> Mount a NFS server pseudo filesystem. This allows some mount options to be changed. @@ -67097,7 +67265,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nfsd_fs" lineno="4372"> +<interface name="fs_unmount_nfsd_fs" lineno="4437"> <summary> Unmount a NFS server pseudo filesystem. </summary> @@ -67107,7 +67275,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfsd_fs" lineno="4391"> +<interface name="fs_getattr_nfsd_fs" lineno="4456"> <summary> Get the attributes of a NFS server pseudo filesystem. @@ -67118,7 +67286,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_nfsd_fs" lineno="4409"> +<interface name="fs_search_nfsd_fs" lineno="4474"> <summary> Search NFS server directories. </summary> @@ -67128,7 +67296,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_nfsd_fs" lineno="4427"> +<interface name="fs_list_nfsd_fs" lineno="4492"> <summary> List NFS server directories. </summary> @@ -67138,7 +67306,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_nfsd_dirs" lineno="4445"> +<interface name="fs_watch_nfsd_dirs" lineno="4510"> <summary> Watch NFS server directories. </summary> @@ -67148,7 +67316,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfsd_files" lineno="4463"> +<interface name="fs_getattr_nfsd_files" lineno="4528"> <summary> Getattr files on an nfsd filesystem </summary> 
@@ -67158,7 +67326,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_nfsd_fs" lineno="4481"> +<interface name="fs_rw_nfsd_fs" lineno="4546"> <summary> Read and write NFS server files. </summary> @@ -67168,7 +67336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nsfs_files" lineno="4499"> +<interface name="fs_getattr_nsfs_files" lineno="4564"> <summary> Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts) </summary> @@ -67178,7 +67346,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nsfs_files" lineno="4517"> +<interface name="fs_read_nsfs_files" lineno="4582"> <summary> Read nsfs inodes (e.g. /proc/pid/ns/uts) </summary> @@ -67188,7 +67356,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_nfsd_files" lineno="4535"> +<interface name="fs_watch_nfsd_files" lineno="4600"> <summary> Watch NFS server files. </summary> @@ -67198,7 +67366,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nsfs" lineno="4553"> +<interface name="fs_getattr_nsfs" lineno="4618"> <summary> Get the attributes of an nsfs filesystem. </summary> @@ -67208,7 +67376,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nsfs" lineno="4571"> +<interface name="fs_unmount_nsfs" lineno="4636"> <summary> Unmount an nsfs filesystem. </summary> @@ -67218,7 +67386,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_pstorefs" lineno="4589"> +<interface name="fs_getattr_pstorefs" lineno="4654"> <summary> Get the attributes of a pstore filesystem. </summary> @@ -67228,7 +67396,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_pstore_dirs" lineno="4608"> +<interface name="fs_getattr_pstore_dirs" lineno="4673"> <summary> Get the attributes of directories of a pstore filesystem. 
@@ -67239,7 +67407,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_pstore_dirs" lineno="4627"> +<interface name="fs_create_pstore_dirs" lineno="4692"> <summary> Create pstore directories. </summary> @@ -67249,7 +67417,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_pstore_dirs" lineno="4646"> +<interface name="fs_relabel_pstore_dirs" lineno="4711"> <summary> Relabel to/from pstore_t directories. </summary> @@ -67259,7 +67427,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_pstore_dirs" lineno="4665"> +<interface name="fs_list_pstore_dirs" lineno="4730"> <summary> List the directories of a pstore filesystem. @@ -67270,7 +67438,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_pstore_files" lineno="4684"> +<interface name="fs_read_pstore_files" lineno="4749"> <summary> Read pstore_t files </summary> @@ -67280,7 +67448,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_delete_pstore_files" lineno="4703"> +<interface name="fs_delete_pstore_files" lineno="4768"> <summary> Delete the files of a pstore filesystem. @@ -67291,7 +67459,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_associate_ramfs" lineno="4722"> +<interface name="fs_associate_ramfs" lineno="4787"> <summary> Allow the type to associate to ramfs filesystems. </summary> @@ -67301,7 +67469,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_mount_ramfs" lineno="4740"> +<interface name="fs_mount_ramfs" lineno="4805"> <summary> Mount a RAM filesystem. </summary> @@ -67311,7 +67479,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_ramfs" lineno="4759"> +<interface name="fs_remount_ramfs" lineno="4824"> <summary> Remount a RAM filesystem. This allows some mount options to be changed. 
@@ -67322,7 +67490,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_ramfs" lineno="4777"> +<interface name="fs_unmount_ramfs" lineno="4842"> <summary> Unmount a RAM filesystem. </summary> @@ -67332,7 +67500,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_ramfs" lineno="4795"> +<interface name="fs_getattr_ramfs" lineno="4860"> <summary> Get the attributes of a RAM filesystem. </summary> @@ -67342,7 +67510,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_ramfs" lineno="4813"> +<interface name="fs_search_ramfs" lineno="4878"> <summary> Search directories on a ramfs </summary> @@ -67352,7 +67520,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_search_ramfs" lineno="4831"> +<interface name="fs_dontaudit_search_ramfs" lineno="4896"> <summary> Dontaudit Search directories on a ramfs </summary> @@ -67362,7 +67530,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_setattr_ramfs_dirs" lineno="4850"> +<interface name="fs_setattr_ramfs_dirs" lineno="4915"> <summary> Set the attributes of directories on a ramfs. @@ -67373,7 +67541,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_dirs" lineno="4869"> +<interface name="fs_manage_ramfs_dirs" lineno="4934"> <summary> Create, read, write, and delete directories on a ramfs. @@ -67384,7 +67552,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_ramfs_files" lineno="4887"> +<interface name="fs_dontaudit_read_ramfs_files" lineno="4952"> <summary> Dontaudit read on a ramfs files. </summary> @@ -67394,7 +67562,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4905"> +<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4970"> <summary> Dontaudit read on a ramfs fifo_files. </summary> 
@@ -67404,7 +67572,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_ramfs_files" lineno="4924"> +<interface name="fs_manage_ramfs_files" lineno="4989"> <summary> Create, read, write, and delete files on a ramfs filesystem. @@ -67415,7 +67583,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_write_ramfs_pipes" lineno="4942"> +<interface name="fs_write_ramfs_pipes" lineno="5007"> <summary> Write to named pipe on a ramfs filesystem. </summary> @@ -67425,7 +67593,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_write_ramfs_pipes" lineno="4961"> +<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5026"> <summary> Do not audit attempts to write to named pipes on a ramfs filesystem. @@ -67436,7 +67604,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_rw_ramfs_pipes" lineno="4979"> +<interface name="fs_rw_ramfs_pipes" lineno="5044"> <summary> Read and write a named pipe on a ramfs filesystem. </summary> @@ -67446,7 +67614,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_pipes" lineno="4998"> +<interface name="fs_manage_ramfs_pipes" lineno="5063"> <summary> Create, read, write, and delete named pipes on a ramfs filesystem. @@ -67457,7 +67625,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_write_ramfs_sockets" lineno="5016"> +<interface name="fs_write_ramfs_sockets" lineno="5081"> <summary> Write to named socket on a ramfs filesystem. </summary> @@ -67467,7 +67635,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_sockets" lineno="5035"> +<interface name="fs_manage_ramfs_sockets" lineno="5100"> <summary> Create, read, write, and delete named sockets on a ramfs filesystem. 
@@ -67478,7 +67646,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_romfs" lineno="5053"> +<interface name="fs_mount_romfs" lineno="5118"> <summary> Mount a ROM filesystem. </summary> @@ -67488,7 +67656,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_romfs" lineno="5072"> +<interface name="fs_remount_romfs" lineno="5137"> <summary> Remount a ROM filesystem. This allows some mount options to be changed. @@ -67499,7 +67667,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_romfs" lineno="5090"> +<interface name="fs_unmount_romfs" lineno="5155"> <summary> Unmount a ROM filesystem. </summary> @@ -67509,7 +67677,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_romfs" lineno="5109"> +<interface name="fs_getattr_romfs" lineno="5174"> <summary> Get the attributes of a ROM filesystem. @@ -67520,7 +67688,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_rpc_pipefs" lineno="5127"> +<interface name="fs_mount_rpc_pipefs" lineno="5192"> <summary> Mount a RPC pipe filesystem. </summary> @@ -67530,7 +67698,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_rpc_pipefs" lineno="5146"> +<interface name="fs_remount_rpc_pipefs" lineno="5211"> <summary> Remount a RPC pipe filesystem. This allows some mount option to be changed. @@ -67541,7 +67709,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_rpc_pipefs" lineno="5164"> +<interface name="fs_unmount_rpc_pipefs" lineno="5229"> <summary> Unmount a RPC pipe filesystem. </summary> @@ -67551,7 +67719,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_rpc_pipefs" lineno="5183"> +<interface name="fs_getattr_rpc_pipefs" lineno="5248"> <summary> Get the attributes of a RPC pipe filesystem. 
@@ -67562,7 +67730,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_rpc_named_pipes" lineno="5201"> +<interface name="fs_rw_rpc_named_pipes" lineno="5266"> <summary> Read and write RPC pipe filesystem named pipes. </summary> @@ -67572,7 +67740,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_rpc_pipefs_dirs" lineno="5219"> +<interface name="fs_watch_rpc_pipefs_dirs" lineno="5284"> <summary> Watch RPC pipe filesystem directories. </summary> @@ -67582,7 +67750,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_tmpfs" lineno="5237"> +<interface name="fs_mount_tmpfs" lineno="5302"> <summary> Mount a tmpfs filesystem. </summary> @@ -67592,7 +67760,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_tmpfs" lineno="5255"> +<interface name="fs_remount_tmpfs" lineno="5320"> <summary> Remount a tmpfs filesystem. </summary> @@ -67602,7 +67770,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_tmpfs" lineno="5273"> +<interface name="fs_unmount_tmpfs" lineno="5338"> <summary> Unmount a tmpfs filesystem. </summary> @@ -67612,7 +67780,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs" lineno="5291"> +<interface name="fs_dontaudit_getattr_tmpfs" lineno="5356"> <summary> Do not audit getting the attributes of a tmpfs filesystem </summary> @@ -67622,7 +67790,7 @@ Domain to not audit </summary> </param> </interface> -<interface name="fs_getattr_tmpfs" lineno="5311"> +<interface name="fs_getattr_tmpfs" lineno="5376"> <summary> Get the attributes of a tmpfs filesystem. @@ -67634,7 +67802,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_associate_tmpfs" lineno="5329"> +<interface name="fs_associate_tmpfs" lineno="5394"> <summary> Allow the type to associate to tmpfs filesystems. </summary> 
@@ -67644,7 +67812,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs" lineno="5347"> +<interface name="fs_relabelfrom_tmpfs" lineno="5412"> <summary> Relabel from tmpfs filesystem. </summary> @@ -67654,7 +67822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tmpfs_dirs" lineno="5365"> +<interface name="fs_getattr_tmpfs_dirs" lineno="5430"> <summary> Get the attributes of tmpfs directories. </summary> @@ -67664,7 +67832,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5384"> +<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5449"> <summary> Do not audit attempts to get the attributes of tmpfs directories. @@ -67675,7 +67843,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mounton_tmpfs" lineno="5402"> +<interface name="fs_mounton_tmpfs" lineno="5467"> <summary> Mount on tmpfs directories. </summary> @@ -67685,7 +67853,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_tmpfs_files" lineno="5420"> +<interface name="fs_mounton_tmpfs_files" lineno="5485"> <summary> Mount on tmpfs files. </summary> @@ -67695,7 +67863,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_setattr_tmpfs_dirs" lineno="5438"> +<interface name="fs_setattr_tmpfs_dirs" lineno="5503"> <summary> Set the attributes of tmpfs directories. </summary> @@ -67705,7 +67873,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_tmpfs" lineno="5456"> +<interface name="fs_search_tmpfs" lineno="5521"> <summary> Search tmpfs directories. </summary> @@ -67715,7 +67883,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_tmpfs" lineno="5474"> +<interface name="fs_list_tmpfs" lineno="5539"> <summary> List the contents of generic tmpfs directories. </summary> 
@@ -67725,7 +67893,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_tmpfs" lineno="5493"> +<interface name="fs_dontaudit_list_tmpfs" lineno="5558"> <summary> Do not audit attempts to list the contents of generic tmpfs directories. @@ -67736,7 +67904,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_dirs" lineno="5512"> +<interface name="fs_manage_tmpfs_dirs" lineno="5577"> <summary> Create, read, write, and delete tmpfs directories @@ -67747,7 +67915,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5531"> +<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5596"> <summary> Do not audit attempts to write tmpfs directories @@ -67758,7 +67926,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5549"> +<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5614"> <summary> Relabel from tmpfs_t dir </summary> @@ -67768,7 +67936,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_dirs" lineno="5567"> +<interface name="fs_relabel_tmpfs_dirs" lineno="5632"> <summary> Relabel directory on tmpfs filesystems. </summary> @@ -67778,7 +67946,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_tmpfs_dirs" lineno="5584"> +<interface name="fs_watch_tmpfs_dirs" lineno="5649"> <summary> Watch directories on tmpfs filesystems. </summary> @@ -67788,7 +67956,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_tmpfs_filetrans" lineno="5618"> +<interface name="fs_tmpfs_filetrans" lineno="5683"> <summary> Create an object in a tmpfs filesystem, with a private type using a type transition. 
@@ -67814,7 +67982,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5638"> +<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5703"> <summary> Do not audit attempts to getattr generic tmpfs files. @@ -67825,7 +67993,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5657"> +<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5722"> <summary> Do not audit attempts to read or write generic tmpfs files. @@ -67836,7 +68004,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_delete_tmpfs_symlinks" lineno="5675"> +<interface name="fs_delete_tmpfs_symlinks" lineno="5740"> <summary> Delete tmpfs symbolic links. </summary> @@ -67846,7 +68014,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_auto_mountpoints" lineno="5694"> +<interface name="fs_manage_auto_mountpoints" lineno="5759"> <summary> Create, read, write, and delete auto moutpoints. @@ -67857,7 +68025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_tmpfs_files" lineno="5712"> +<interface name="fs_read_tmpfs_files" lineno="5777"> <summary> Read generic tmpfs files. </summary> @@ -67867,7 +68035,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_files" lineno="5730"> +<interface name="fs_rw_tmpfs_files" lineno="5795"> <summary> Read and write generic tmpfs files. </summary> @@ -67877,7 +68045,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_files" lineno="5748"> +<interface name="fs_relabel_tmpfs_files" lineno="5813"> <summary> Relabel files on tmpfs filesystems. </summary> 
@@ -67887,7 +68055,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_tmpfs_symlinks" lineno="5766"> +<interface name="fs_read_tmpfs_symlinks" lineno="5831"> <summary> Read tmpfs link files. </summary> @@ -67897,7 +68065,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5784"> +<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5849"> <summary> Relabelfrom socket files on tmpfs filesystems. </summary> @@ -67907,7 +68075,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5802"> +<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5867"> <summary> Relabelfrom tmpfs link files. </summary> @@ -67917,7 +68085,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_chr_files" lineno="5820"> +<interface name="fs_rw_tmpfs_chr_files" lineno="5885"> <summary> Read and write character nodes on tmpfs filesystems. </summary> @@ -67927,7 +68095,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5839"> +<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5904"> <summary> dontaudit Read and write character nodes on tmpfs filesystems. </summary> @@ -67937,7 +68105,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_chr_files" lineno="5858"> +<interface name="fs_relabel_tmpfs_chr_files" lineno="5923"> <summary> Relabel character nodes on tmpfs filesystems. </summary> @@ -67947,7 +68115,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_blk_files" lineno="5877"> +<interface name="fs_rw_tmpfs_blk_files" lineno="5942"> <summary> Read and write block nodes on tmpfs filesystems. </summary> 
@@ -67957,7 +68125,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_blk_files" lineno="5896"> +<interface name="fs_relabel_tmpfs_blk_files" lineno="5961"> <summary> Relabel block nodes on tmpfs filesystems. </summary> @@ -67967,7 +68135,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_fifo_files" lineno="5915"> +<interface name="fs_relabel_tmpfs_fifo_files" lineno="5980"> <summary> Relabel named pipes on tmpfs filesystems. </summary> @@ -67977,7 +68145,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_files" lineno="5935"> +<interface name="fs_manage_tmpfs_files" lineno="6000"> <summary> Read and write, create and delete generic files on tmpfs filesystems. @@ -67988,7 +68156,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_symlinks" lineno="5954"> +<interface name="fs_manage_tmpfs_symlinks" lineno="6019"> <summary> Read and write, create and delete symbolic links on tmpfs filesystems. @@ -67999,7 +68167,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_sockets" lineno="5973"> +<interface name="fs_manage_tmpfs_sockets" lineno="6038"> <summary> Read and write, create and delete socket files on tmpfs filesystems. @@ -68010,7 +68178,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_chr_files" lineno="5992"> +<interface name="fs_manage_tmpfs_chr_files" lineno="6057"> <summary> Read and write, create and delete character nodes on tmpfs filesystems. @@ -68021,7 +68189,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_blk_files" lineno="6011"> +<interface name="fs_manage_tmpfs_blk_files" lineno="6076"> <summary> Read and write, create and delete block nodes on tmpfs filesystems. 
@@ -68032,7 +68200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs" lineno="6029"> +<interface name="fs_getattr_tracefs" lineno="6094"> <summary> Get the attributes of a trace filesystem. </summary> @@ -68042,7 +68210,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs_dirs" lineno="6047"> +<interface name="fs_getattr_tracefs_dirs" lineno="6112"> <summary> Get attributes of dirs on tracefs filesystem. </summary> @@ -68052,7 +68220,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_tracefs" lineno="6065"> +<interface name="fs_search_tracefs" lineno="6130"> <summary> search directories on a tracefs filesystem </summary> @@ -68062,7 +68230,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs_files" lineno="6084"> +<interface name="fs_getattr_tracefs_files" lineno="6149"> <summary> Get the attributes of files on a trace filesystem. @@ -68073,7 +68241,27 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_xenfs" lineno="6102"> +<interface name="fs_rw_tracefs_files" lineno="6167"> +<summary> +Read/write trace filesystem files +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_create_tracefs_dirs" lineno="6186"> +<summary> +create trace filesystem directories +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_mount_xenfs" lineno="6204"> <summary> Mount a XENFS filesystem. </summary> @@ -68083,7 +68271,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_xenfs" lineno="6120"> +<interface name="fs_search_xenfs" lineno="6222"> <summary> Search the XENFS filesystem. </summary> 
@@ -68093,7 +68281,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_xenfs_dirs" lineno="6140"> +<interface name="fs_manage_xenfs_dirs" lineno="6242"> <summary> Create, read, write, and delete directories on a XENFS filesystem. @@ -68105,7 +68293,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6160"> +<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6262"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -68117,7 +68305,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_xenfs_files" lineno="6180"> +<interface name="fs_manage_xenfs_files" lineno="6282"> <summary> Create, read, write, and delete files on a XENFS filesystem. @@ -68129,7 +68317,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_xenfs_files" lineno="6198"> +<interface name="fs_mmap_xenfs_files" lineno="6300"> <summary> Map files a XENFS filesystem. </summary> @@ -68139,7 +68327,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_manage_xenfs_files" lineno="6218"> +<interface name="fs_dontaudit_manage_xenfs_files" lineno="6320"> <summary> Do not audit attempts to create, read, write, and delete files @@ -68151,7 +68339,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mount_all_fs" lineno="6236"> +<interface name="fs_mount_all_fs" lineno="6338"> <summary> Mount all filesystems. </summary> @@ -68161,7 +68349,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_all_fs" lineno="6255"> +<interface name="fs_remount_all_fs" lineno="6357"> <summary> Remount all filesystems. This allows some mount options to be changed. 
@@ -68172,7 +68360,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_all_fs" lineno="6273"> +<interface name="fs_unmount_all_fs" lineno="6375"> <summary> Unmount all filesystems. </summary> @@ -68182,7 +68370,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_fs" lineno="6305"> +<interface name="fs_getattr_all_fs" lineno="6407"> <summary> Get the attributes of all filesystems. </summary> @@ -68206,7 +68394,7 @@ Domain allowed access. <infoflow type="read" weight="5"/> <rolecap/> </interface> -<interface name="fs_dontaudit_getattr_all_fs" lineno="6325"> +<interface name="fs_dontaudit_getattr_all_fs" lineno="6427"> <summary> Do not audit attempts to get the attributes all filesystems. @@ -68217,7 +68405,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_get_all_fs_quotas" lineno="6344"> +<interface name="fs_get_all_fs_quotas" lineno="6446"> <summary> Get the quotas of all filesystems. </summary> @@ -68228,7 +68416,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_set_all_quotas" lineno="6363"> +<interface name="fs_set_all_quotas" lineno="6465"> <summary> Set the quotas of all filesystems. </summary> @@ -68239,7 +68427,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_relabelfrom_all_fs" lineno="6381"> +<interface name="fs_relabelfrom_all_fs" lineno="6483"> <summary> Relabelfrom all filesystems. </summary> @@ -68249,7 +68437,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_dirs" lineno="6400"> +<interface name="fs_getattr_all_dirs" lineno="6502"> <summary> Get the attributes of all directories with a filesystem type. 
@@ -68260,7 +68448,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_all" lineno="6418"> +<interface name="fs_search_all" lineno="6520"> <summary> Search all directories with a filesystem type. </summary> @@ -68270,7 +68458,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_all" lineno="6436"> +<interface name="fs_list_all" lineno="6538"> <summary> List all directories with a filesystem type. </summary> @@ -68280,7 +68468,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_files" lineno="6455"> +<interface name="fs_getattr_all_files" lineno="6557"> <summary> Get the attributes of all files with a filesystem type. @@ -68291,7 +68479,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_files" lineno="6474"> +<interface name="fs_dontaudit_getattr_all_files" lineno="6576"> <summary> Do not audit attempts to get the attributes of all files with a filesystem type. @@ -68302,7 +68490,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_symlinks" lineno="6493"> +<interface name="fs_getattr_all_symlinks" lineno="6595"> <summary> Get the attributes of all symbolic links with a filesystem type. @@ -68313,7 +68501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6512"> +<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6614"> <summary> Do not audit attempts to get the attributes of all symbolic links with a filesystem type. @@ -68324,7 +68512,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_pipes" lineno="6531"> +<interface name="fs_getattr_all_pipes" lineno="6633"> <summary> Get the attributes of all named pipes with a filesystem type. 
@@ -68335,7 +68523,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_pipes" lineno="6550"> +<interface name="fs_dontaudit_getattr_all_pipes" lineno="6652"> <summary> Do not audit attempts to get the attributes of all named pipes with a filesystem type. @@ -68346,7 +68534,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_sockets" lineno="6569"> +<interface name="fs_getattr_all_sockets" lineno="6671"> <summary> Get the attributes of all named sockets with a filesystem type. @@ -68357,7 +68545,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_sockets" lineno="6588"> +<interface name="fs_dontaudit_getattr_all_sockets" lineno="6690"> <summary> Do not audit attempts to get the attributes of all named sockets with a filesystem type. @@ -68368,7 +68556,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_blk_files" lineno="6607"> +<interface name="fs_getattr_all_blk_files" lineno="6709"> <summary> Get the attributes of all block device nodes with a filesystem type. @@ -68379,7 +68567,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_chr_files" lineno="6626"> +<interface name="fs_getattr_all_chr_files" lineno="6728"> <summary> Get the attributes of all character device nodes with a filesystem type. @@ -68390,7 +68578,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unconfined" lineno="6644"> +<interface name="fs_unconfined" lineno="6746"> <summary> Unconfined access to filesystems </summary> 
@@ -69279,7 +69467,29 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_search_xen_state" lineno="1549"> +<interface name="kernel_read_psi" lineno="1549"> +<summary> +Allow caller to receive pressure stall information (PSI). +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="kernel_rw_psi" lineno="1570"> +<summary> +Allow caller to set up pressure stall information (PSI). +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="kernel_search_xen_state" lineno="1594"> <summary> Allow searching of xen state directory. </summary> @@ -69290,7 +69500,7 @@ Domain allowed access. </param> </interface> -<interface name="kernel_dontaudit_search_xen_state" lineno="1569"> +<interface name="kernel_dontaudit_search_xen_state" lineno="1614"> <summary> Do not audit attempts to search the xen state directory. @@ -69302,7 +69512,7 @@ Domain to not audit. </param> </interface> -<interface name="kernel_read_xen_state" lineno="1588"> +<interface name="kernel_read_xen_state" lineno="1633"> <summary> Allow caller to read the xen state information. </summary> @@ -69313,7 +69523,7 @@ Domain allowed access. </param> </interface> -<interface name="kernel_read_xen_state_symlinks" lineno="1610"> +<interface name="kernel_read_xen_state_symlinks" lineno="1655"> <summary> Allow caller to read the xen state symbolic links. </summary> @@ -69324,7 +69534,7 @@ Domain allowed access. </param> </interface> -<interface name="kernel_write_xen_state" lineno="1631"> +<interface name="kernel_write_xen_state" lineno="1676"> <summary> Allow caller to write xen state information. </summary> 
@@ -69335,7 +69545,7 @@ Domain allowed access. </param> </interface> -<interface name="kernel_list_all_proc" lineno="1649"> +<interface name="kernel_list_all_proc" lineno="1694"> <summary> Allow attempts to list all proc directories. </summary> @@ -69345,7 +69555,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_list_all_proc" lineno="1668"> +<interface name="kernel_dontaudit_list_all_proc" lineno="1713"> <summary> Do not audit attempts to list all proc directories. </summary> @@ -69355,7 +69565,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_write_non_proc_init_mountpoint_files" lineno="1687"> +<interface name="kernel_write_non_proc_init_mountpoint_files" lineno="1732"> <summary> Write systemd mountpoint files except proc entries. </summary> @@ -69365,7 +69575,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_create_non_proc_init_mountpoint_files" lineno="1705"> +<interface name="kernel_create_non_proc_init_mountpoint_files" lineno="1750"> <summary> Create systemd mountpoint files except proc entries. </summary> @@ -69375,7 +69585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_search_sysctl" lineno="1725"> +<interface name="kernel_dontaudit_search_sysctl" lineno="1770"> <summary> Do not audit attempts by caller to search the base directory of sysctls. @@ -69387,7 +69597,7 @@ Domain to not audit. </param> </interface> -<interface name="kernel_mounton_sysctl_dirs" lineno="1744"> +<interface name="kernel_mounton_sysctl_dirs" lineno="1789"> <summary> Mount on sysctl_t dirs. </summary> @@ -69398,7 +69608,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_sysctl" lineno="1764"> +<interface name="kernel_read_sysctl" lineno="1809"> <summary> Allow access to read sysctl directories. </summary> 
@@ -69409,7 +69619,7 @@ Domain allowed access. </param> </interface> -<interface name="kernel_mounton_sysctl_files" lineno="1784"> +<interface name="kernel_mounton_sysctl_files" lineno="1829"> <summary> Mount on sysctl files. </summary> @@ -69420,7 +69630,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_device_sysctls" lineno="1804"> +<interface name="kernel_read_device_sysctls" lineno="1849"> <summary> Allow caller to read the device sysctls. </summary> @@ -69431,7 +69641,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_device_sysctls" lineno="1825"> +<interface name="kernel_rw_device_sysctls" lineno="1870"> <summary> Read and write device sysctls. </summary> @@ -69442,7 +69652,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_search_vm_sysctl" lineno="1845"> +<interface name="kernel_search_vm_sysctl" lineno="1890"> <summary> Allow caller to search virtual memory sysctls. </summary> @@ -69452,7 +69662,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_vm_sysctls" lineno="1864"> +<interface name="kernel_read_vm_sysctls" lineno="1909"> <summary> Allow caller to read virtual memory sysctls. </summary> @@ -69463,7 +69673,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_vm_sysctls" lineno="1885"> +<interface name="kernel_rw_vm_sysctls" lineno="1930"> <summary> Read and write virtual memory sysctls. </summary> @@ -69474,7 +69684,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_search_network_sysctl" lineno="1907"> +<interface name="kernel_search_network_sysctl" lineno="1952"> <summary> Search network sysctl directories. </summary> 
@@ -69484,7 +69694,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_search_network_sysctl" lineno="1925"> +<interface name="kernel_dontaudit_search_network_sysctl" lineno="1970"> <summary> Do not audit attempts by caller to search network sysctl directories. </summary> @@ -69494,7 +69704,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_read_net_sysctls" lineno="1944"> +<interface name="kernel_read_net_sysctls" lineno="1989"> <summary> Allow caller to read network sysctls. </summary> @@ -69505,7 +69715,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_net_sysctls" lineno="1965"> +<interface name="kernel_rw_net_sysctls" lineno="2010"> <summary> Allow caller to modiry contents of sysctl network files. </summary> @@ -69516,7 +69726,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_unix_sysctls" lineno="1987"> +<interface name="kernel_read_unix_sysctls" lineno="2032"> <summary> Allow caller to read unix domain socket sysctls. @@ -69528,7 +69738,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_unix_sysctls" lineno="2009"> +<interface name="kernel_rw_unix_sysctls" lineno="2054"> <summary> Read and write unix domain socket sysctls. @@ -69540,7 +69750,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_hotplug_sysctls" lineno="2030"> +<interface name="kernel_read_hotplug_sysctls" lineno="2075"> <summary> Read the hotplug sysctl. </summary> @@ -69551,7 +69761,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_hotplug_sysctls" lineno="2051"> +<interface name="kernel_rw_hotplug_sysctls" lineno="2096"> <summary> Read and write the hotplug sysctl. </summary> 
@@ -69562,7 +69772,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_modprobe_sysctls" lineno="2072"> +<interface name="kernel_read_modprobe_sysctls" lineno="2117"> <summary> Read the modprobe sysctl. </summary> @@ -69573,7 +69783,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_modprobe_sysctls" lineno="2093"> +<interface name="kernel_rw_modprobe_sysctls" lineno="2138"> <summary> Read and write the modprobe sysctl. </summary> @@ -69584,7 +69794,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2113"> +<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2158"> <summary> Do not audit attempts to search generic kernel sysctls. </summary> @@ -69594,7 +69804,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2131"> +<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2176"> <summary> Do not audit attempted reading of kernel sysctls </summary> @@ -69604,7 +69814,7 @@ Domain to not audit accesses from </summary> </param> </interface> -<interface name="kernel_read_crypto_sysctls" lineno="2149"> +<interface name="kernel_read_crypto_sysctls" lineno="2194"> <summary> Read generic crypto sysctls. </summary> @@ -69614,7 +69824,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_kernel_sysctls" lineno="2190"> +<interface name="kernel_read_kernel_sysctls" lineno="2235"> <summary> Read general kernel sysctls. </summary> @@ -69646,7 +69856,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2210"> +<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2255"> <summary> Do not audit attempts to write generic kernel sysctls. </summary> 
@@ -69656,7 +69866,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_kernel_sysctl" lineno="2229"> +<interface name="kernel_rw_kernel_sysctl" lineno="2274"> <summary> Read and write generic kernel sysctls. </summary> @@ -69667,7 +69877,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_mounton_kernel_sysctl_files" lineno="2250"> +<interface name="kernel_mounton_kernel_sysctl_files" lineno="2295"> <summary> Mount on kernel sysctl files. </summary> @@ -69678,7 +69888,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2270"> +<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2315"> <summary> Read kernel ns lastpid sysctls. </summary> @@ -69689,7 +69899,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2290"> +<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2335"> <summary> Do not audit attempts to write kernel ns lastpid sysctls. </summary> @@ -69699,7 +69909,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2309"> +<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2354"> <summary> Read and write kernel ns lastpid sysctls. </summary> @@ -69710,7 +69920,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_search_fs_sysctls" lineno="2330"> +<interface name="kernel_search_fs_sysctls" lineno="2375"> <summary> Search filesystem sysctl directories. </summary> @@ -69721,7 +69931,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_fs_sysctls" lineno="2349"> +<interface name="kernel_read_fs_sysctls" lineno="2394"> <summary> Read filesystem sysctls. </summary> 
@@ -69732,7 +69942,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_fs_sysctls" lineno="2370"> +<interface name="kernel_rw_fs_sysctls" lineno="2415"> <summary> Read and write filesystem sysctls. </summary> @@ -69743,7 +69953,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_irq_sysctls" lineno="2391"> +<interface name="kernel_read_irq_sysctls" lineno="2436"> <summary> Read IRQ sysctls. </summary> @@ -69754,7 +69964,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2413"> +<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2458"> <summary> Do not audit attempts to search filesystem sysctl directories. @@ -69766,7 +69976,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="kernel_rw_irq_sysctls" lineno="2432"> +<interface name="kernel_rw_irq_sysctls" lineno="2477"> <summary> Read and write IRQ sysctls. </summary> @@ -69777,7 +69987,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_rpc_sysctls" lineno="2453"> +<interface name="kernel_read_rpc_sysctls" lineno="2498"> <summary> Read RPC sysctls. </summary> @@ -69788,7 +69998,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_rpc_sysctls" lineno="2474"> +<interface name="kernel_rw_rpc_sysctls" lineno="2519"> <summary> Read and write RPC sysctls. </summary> @@ -69799,7 +70009,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_list_all_sysctls" lineno="2494"> +<interface name="kernel_dontaudit_list_all_sysctls" lineno="2539"> <summary> Do not audit attempts to list all sysctl directories. </summary> 
@@ -69809,7 +70019,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_read_all_sysctls" lineno="2514"> +<interface name="kernel_read_all_sysctls" lineno="2559"> <summary> Allow caller to read all sysctls. </summary> @@ -69820,7 +70030,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_all_sysctls" lineno="2537"> +<interface name="kernel_rw_all_sysctls" lineno="2582"> <summary> Read and write all sysctls. </summary> @@ -69831,7 +70041,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_associate_proc" lineno="2562"> +<interface name="kernel_associate_proc" lineno="2607"> <summary> Associate a file to proc_t (/proc) </summary> @@ -69842,7 +70052,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_kill_unlabeled" lineno="2579"> +<interface name="kernel_kill_unlabeled" lineno="2624"> <summary> Send a kill signal to unlabeled processes. </summary> @@ -69852,7 +70062,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_mount_unlabeled" lineno="2597"> +<interface name="kernel_mount_unlabeled" lineno="2642"> <summary> Mount a kernel unlabeled filesystem. </summary> @@ -69862,7 +70072,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_unmount_unlabeled" lineno="2615"> +<interface name="kernel_unmount_unlabeled" lineno="2660"> <summary> Unmount a kernel unlabeled filesystem. </summary> @@ -69872,7 +70082,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_signal_unlabeled" lineno="2633"> +<interface name="kernel_signal_unlabeled" lineno="2678"> <summary> Send general signals to unlabeled processes. </summary> 
@@ -69882,7 +70092,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_signull_unlabeled" lineno="2651"> +<interface name="kernel_signull_unlabeled" lineno="2696"> <summary> Send a null signal to unlabeled processes. </summary> @@ -69892,7 +70102,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sigstop_unlabeled" lineno="2669"> +<interface name="kernel_sigstop_unlabeled" lineno="2714"> <summary> Send a stop signal to unlabeled processes. </summary> @@ -69902,7 +70112,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sigchld_unlabeled" lineno="2687"> +<interface name="kernel_sigchld_unlabeled" lineno="2732"> <summary> Send a child terminated signal to unlabeled processes. </summary> @@ -69912,7 +70122,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_getattr_unlabeled_dirs" lineno="2705"> +<interface name="kernel_getattr_unlabeled_dirs" lineno="2750"> <summary> Get the attributes of unlabeled directories. </summary> @@ -69922,7 +70132,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_search_unlabeled" lineno="2723"> +<interface name="kernel_dontaudit_search_unlabeled" lineno="2768"> <summary> Do not audit attempts to search unlabeled directories. </summary> @@ -69932,7 +70142,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_list_unlabeled" lineno="2741"> +<interface name="kernel_list_unlabeled" lineno="2786"> <summary> List unlabeled directories. </summary> @@ -69942,7 +70152,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_unlabeled_state" lineno="2759"> +<interface name="kernel_read_unlabeled_state" lineno="2804"> <summary> Read the process state (/proc/pid) of all unlabeled_t. </summary> 
@@ -69952,7 +70162,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_list_unlabeled" lineno="2779"> +<interface name="kernel_dontaudit_list_unlabeled" lineno="2824"> <summary> Do not audit attempts to list unlabeled directories. </summary> @@ -69962,7 +70172,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_dirs" lineno="2797"> +<interface name="kernel_rw_unlabeled_dirs" lineno="2842"> <summary> Read and write unlabeled directories. </summary> @@ -69972,7 +70182,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_dirs" lineno="2815"> +<interface name="kernel_delete_unlabeled_dirs" lineno="2860"> <summary> Delete unlabeled directories. </summary> @@ -69982,7 +70192,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_dirs" lineno="2833"> +<interface name="kernel_manage_unlabeled_dirs" lineno="2878"> <summary> Create, read, write, and delete unlabeled directories. </summary> @@ -69992,7 +70202,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_mounton_unlabeled_dirs" lineno="2851"> +<interface name="kernel_mounton_unlabeled_dirs" lineno="2896"> <summary> Mount a filesystem on an unlabeled directory. </summary> @@ -70002,7 +70212,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_unlabeled_files" lineno="2869"> +<interface name="kernel_read_unlabeled_files" lineno="2914"> <summary> Read unlabeled files. </summary> @@ -70012,7 +70222,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_files" lineno="2887"> +<interface name="kernel_rw_unlabeled_files" lineno="2932"> <summary> Read and write unlabeled files. </summary> 
@@ -70022,7 +70232,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_files" lineno="2905"> +<interface name="kernel_delete_unlabeled_files" lineno="2950"> <summary> Delete unlabeled files. </summary> @@ -70032,7 +70242,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_files" lineno="2923"> +<interface name="kernel_manage_unlabeled_files" lineno="2968"> <summary> Create, read, write, and delete unlabeled files. </summary> @@ -70042,7 +70252,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2942"> +<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2987"> <summary> Do not audit attempts by caller to get the attributes of an unlabeled file. @@ -70053,7 +70263,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2961"> +<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3006"> <summary> Do not audit attempts by caller to read an unlabeled file. @@ -70064,7 +70274,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_unlabeled_filetrans" lineno="2995"> +<interface name="kernel_unlabeled_filetrans" lineno="3040"> <summary> Create an object in unlabeled directories with a private type. @@ -70090,7 +70300,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_symlinks" lineno="3013"> +<interface name="kernel_delete_unlabeled_symlinks" lineno="3058"> <summary> Delete unlabeled symbolic links. </summary> @@ -70100,7 +70310,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_symlinks" lineno="3031"> +<interface name="kernel_manage_unlabeled_symlinks" lineno="3076"> <summary> Create, read, write, and delete unlabeled symbolic links. </summary> 
@@ -70110,7 +70320,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3050"> +<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3095"> <summary> Do not audit attempts by caller to get the attributes of unlabeled symbolic links. @@ -70121,7 +70331,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3069"> +<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3114"> <summary> Do not audit attempts by caller to get the attributes of unlabeled named pipes. @@ -70132,7 +70342,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3088"> +<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3133"> <summary> Do not audit attempts by caller to get the attributes of unlabeled named sockets. @@ -70143,7 +70353,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3107"> +<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3152"> <summary> Do not audit attempts by caller to get attributes for unlabeled block devices. @@ -70154,7 +70364,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_blk_files" lineno="3125"> +<interface name="kernel_rw_unlabeled_blk_files" lineno="3170"> <summary> Read and write unlabeled block device nodes. </summary> @@ -70164,7 +70374,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_blk_files" lineno="3143"> +<interface name="kernel_delete_unlabeled_blk_files" lineno="3188"> <summary> Delete unlabeled block device nodes. </summary> 
@@ -70174,7 +70384,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_blk_files" lineno="3161"> +<interface name="kernel_manage_unlabeled_blk_files" lineno="3206"> <summary> Create, read, write, and delete unlabeled block device nodes. </summary> @@ -70184,7 +70394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3180"> +<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3225"> <summary> Do not audit attempts by caller to get attributes for unlabeled character devices. @@ -70195,7 +70405,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3199"> +<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3244"> <summary> Do not audit attempts to write unlabeled character devices. @@ -70206,7 +70416,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_chr_files" lineno="3217"> +<interface name="kernel_delete_unlabeled_chr_files" lineno="3262"> <summary> Delete unlabeled character device nodes. </summary> @@ -70216,7 +70426,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_chr_files" lineno="3236"> +<interface name="kernel_manage_unlabeled_chr_files" lineno="3281"> <summary> Create, read, write, and delete unlabeled character device nodes. </summary> @@ -70226,7 +70436,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3254"> +<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3299"> <summary> Allow caller to relabel unlabeled directories. </summary> 
@@ -70236,7 +70446,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_files" lineno="3272"> +<interface name="kernel_relabelfrom_unlabeled_files" lineno="3317"> <summary> Allow caller to relabel unlabeled files. </summary> @@ -70246,7 +70456,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3291"> +<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3336"> <summary> Allow caller to relabel unlabeled symbolic links. </summary> @@ -70256,7 +70466,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3310"> +<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3355"> <summary> Allow caller to relabel unlabeled named pipes. </summary> @@ -70266,7 +70476,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_pipes" lineno="3329"> +<interface name="kernel_delete_unlabeled_pipes" lineno="3374"> <summary> Delete unlabeled named pipes </summary> @@ -70276,7 +70486,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3347"> +<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3392"> <summary> Allow caller to relabel unlabeled named sockets. </summary> @@ -70286,7 +70496,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_sockets" lineno="3366"> +<interface name="kernel_delete_unlabeled_sockets" lineno="3411"> <summary> Delete unlabeled named sockets. </summary> @@ -70296,7 +70506,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3384"> +<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3429"> <summary> Allow caller to relabel from unlabeled block devices. </summary> 
@@ -70306,7 +70516,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3402"> +<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3447"> <summary> Allow caller to relabel from unlabeled character devices. </summary> @@ -70316,7 +70526,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sendrecv_unlabeled_association" lineno="3435"> +<interface name="kernel_sendrecv_unlabeled_association" lineno="3480"> <summary> Send and receive messages from an unlabeled IPSEC association. @@ -70341,7 +70551,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3468"> +<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3513"> <summary> Do not audit attempts to send and receive messages from an unlabeled IPSEC association. @@ -70366,7 +70576,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3495"> +<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3540"> <summary> Receive TCP packets from an unlabeled connection. </summary> @@ -70385,7 +70595,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3524"> +<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3569"> <summary> Do not audit attempts to receive TCP packets from an unlabeled connection. @@ -70406,7 +70616,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_udp_recvfrom_unlabeled" lineno="3551"> +<interface name="kernel_udp_recvfrom_unlabeled" lineno="3596"> <summary> Receive UDP packets from an unlabeled connection. </summary> 
@@ -70425,7 +70635,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3580"> +<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3625"> <summary> Do not audit attempts to receive UDP packets from an unlabeled connection. @@ -70446,7 +70656,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_raw_recvfrom_unlabeled" lineno="3607"> +<interface name="kernel_raw_recvfrom_unlabeled" lineno="3652"> <summary> Receive Raw IP packets from an unlabeled connection. </summary> @@ -70465,7 +70675,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3636"> +<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3681"> <summary> Do not audit attempts to receive Raw IP packets from an unlabeled connection. @@ -70486,7 +70696,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_sendrecv_unlabeled_packets" lineno="3666"> +<interface name="kernel_sendrecv_unlabeled_packets" lineno="3711"> <summary> Send and receive unlabeled packets. </summary> @@ -70508,7 +70718,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_recvfrom_unlabeled_peer" lineno="3694"> +<interface name="kernel_recvfrom_unlabeled_peer" lineno="3739"> <summary> Receive packets from an unlabeled peer. </summary> @@ -70528,7 +70738,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3722"> +<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3767"> <summary> Do not audit attempts to receive packets from an unlabeled peer. </summary> 
@@ -70548,7 +70758,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_database" lineno="3740"> +<interface name="kernel_relabelfrom_unlabeled_database" lineno="3785"> <summary> Relabel from unlabeled database objects. </summary> @@ -70558,7 +70768,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_unconfined" lineno="3777"> +<interface name="kernel_unconfined" lineno="3822"> <summary> Unconfined access to kernel module resources. </summary> @@ -70568,7 +70778,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_vm_overcommit_sysctl" lineno="3797"> +<interface name="kernel_read_vm_overcommit_sysctl" lineno="3842"> <summary> Read virtual memory overcommit sysctl. </summary> @@ -70579,7 +70789,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3817"> +<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3862"> <summary> Read and write virtual memory overcommit sysctl. </summary> @@ -70590,7 +70800,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3836"> +<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3881"> <summary> Access unlabeled infiniband pkeys. </summary> @@ -70600,7 +70810,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3854"> +<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3899"> <summary> Manage subnet on unlabeled Infiniband endports. </summary> @@ -71885,7 +72095,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dev_filetrans_fixed_disk" lineno="305"> +<interface name="storage_dev_filetrans_fixed_disk" lineno="310"> <summary> Create block devices in /dev with the fixed disk type via an automatic type transition. 
@@ -71895,13 +72105,18 @@ via an automatic type transition. Domain allowed access. </summary> </param> +<param name="object_class"> +<summary> +The class of the object to be created. +</summary> +</param> <param name="filename" optional="true"> <summary> Optional filename of the block device to be created </summary> </param> </interface> -<interface name="storage_tmpfs_filetrans_fixed_disk" lineno="324"> +<interface name="storage_tmpfs_filetrans_fixed_disk" lineno="329"> <summary> Create block devices in on a tmpfs filesystem with the fixed disk type via an automatic type transition. @@ -71912,7 +72127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_relabel_fixed_disk" lineno="342"> +<interface name="storage_relabel_fixed_disk" lineno="347"> <summary> Relabel fixed disk device nodes. </summary> @@ -71922,7 +72137,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_swapon_fixed_disk" lineno="361"> +<interface name="storage_swapon_fixed_disk" lineno="366"> <summary> Enable a fixed disk device as swap space </summary> @@ -71932,7 +72147,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_watch_fixed_disk" lineno="380"> +<interface name="storage_watch_fixed_disk" lineno="385"> <summary> Watch fixed disk device nodes. </summary> @@ -71942,7 +72157,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_getattr_fuse_dev" lineno="401"> +<interface name="storage_getattr_fuse_dev" lineno="406"> <summary> Allow the caller to get the attributes of device nodes of fuse devices. @@ -71953,7 +72168,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_rw_fuse" lineno="420"> +<interface name="storage_rw_fuse" lineno="425"> <summary> read or write fuse device interfaces. </summary> 
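Review bot: In the first hunk on this line, `object_class` is added to `storage_dev_filetrans_fixed_disk` without `optional="true"` and ahead of the optional `filename`. If the documented order mirrors the positional arguments, an existing caller that passed a filename as its second argument would now have that value read as the object class, so callers should be audited along with this change. The summary still reads "Create block devices in /dev", which no longer matches an interface that takes a class. I would change it to `Create objects of the specified class in /dev with the fixed disk type via an automatic type transition.` and reword the `filename` text to `Optional filename of the object to be created`. The `<interface>` element opens in the preceding hunk, and policy.xml looks generated, so the wording would need to be changed in the storage interface file.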
@@ -71963,7 +72178,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_rw_fuse" lineno="439"> +<interface name="storage_dontaudit_rw_fuse" lineno="444"> <summary> Do not audit attempts to read or write fuse device interfaces. @@ -71974,7 +72189,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_getattr_scsi_generic_dev" lineno="458"> +<interface name="storage_getattr_scsi_generic_dev" lineno="463"> <summary> Allow the caller to get the attributes of the generic SCSI interface device nodes. @@ -71985,7 +72200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_setattr_scsi_generic_dev" lineno="478"> +<interface name="storage_setattr_scsi_generic_dev" lineno="483"> <summary> Allow the caller to set the attributes of the generic SCSI interface device nodes. @@ -71996,7 +72211,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_read_scsi_generic" lineno="501"> +<interface name="storage_read_scsi_generic" lineno="506"> <summary> Allow the caller to directly read, in a generic fashion, from any SCSI device. @@ -72010,7 +72225,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_write_scsi_generic" lineno="526"> +<interface name="storage_write_scsi_generic" lineno="531"> <summary> Allow the caller to directly write, in a generic fashion, from any SCSI device. @@ -72024,7 +72239,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_setattr_scsi_generic_dev_dev" lineno="548"> +<interface name="storage_setattr_scsi_generic_dev_dev" lineno="553"> <summary> Set attributes of the device nodes for the SCSI generic interface. 
@@ -72035,7 +72250,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_rw_scsi_generic" lineno="568"> +<interface name="storage_dontaudit_rw_scsi_generic" lineno="573"> <summary> Do not audit attempts to read or write SCSI generic device interfaces. @@ -72046,7 +72261,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_getattr_removable_dev" lineno="587"> +<interface name="storage_getattr_removable_dev" lineno="592"> <summary> Allow the caller to get the attributes of removable devices device nodes. @@ -72057,7 +72272,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_getattr_removable_dev" lineno="607"> +<interface name="storage_dontaudit_getattr_removable_dev" lineno="612"> <summary> Do not audit attempts made by the caller to get the attributes of removable devices device nodes. @@ -72068,7 +72283,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_dontaudit_read_removable_device" lineno="626"> +<interface name="storage_dontaudit_read_removable_device" lineno="631"> <summary> Do not audit attempts made by the caller to read removable devices device nodes. @@ -72079,7 +72294,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_dontaudit_write_removable_device" lineno="646"> +<interface name="storage_dontaudit_write_removable_device" lineno="651"> <summary> Do not audit attempts made by the caller to write removable devices device nodes. @@ -72090,7 +72305,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_setattr_removable_dev" lineno="665"> +<interface name="storage_setattr_removable_dev" lineno="670"> <summary> Allow the caller to set the attributes of removable devices device nodes. 
@@ -72101,7 +72316,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_setattr_removable_dev" lineno="685"> +<interface name="storage_dontaudit_setattr_removable_dev" lineno="690"> <summary> Do not audit attempts made by the caller to set the attributes of removable devices device nodes. @@ -72112,7 +72327,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_raw_read_removable_device" lineno="707"> +<interface name="storage_raw_read_removable_device" lineno="712"> <summary> Allow the caller to directly read from a removable device. @@ -72126,7 +72341,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_raw_read_removable_device" lineno="726"> +<interface name="storage_dontaudit_raw_read_removable_device" lineno="731"> <summary> Do not audit attempts to directly read removable devices. </summary> @@ -72136,7 +72351,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_raw_write_removable_device" lineno="748"> +<interface name="storage_raw_write_removable_device" lineno="753"> <summary> Allow the caller to directly write to a removable device. @@ -72150,7 +72365,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_raw_write_removable_device" lineno="767"> +<interface name="storage_dontaudit_raw_write_removable_device" lineno="772"> <summary> Do not audit attempts to directly write removable devices. </summary> @@ -72160,7 +72375,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_read_tape" lineno="786"> +<interface name="storage_read_tape" lineno="791"> <summary> Allow the caller to directly read a tape device. 
@@ -72171,7 +72386,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_write_tape" lineno="806"> +<interface name="storage_write_tape" lineno="811"> <summary> Allow the caller to directly write a tape device. @@ -72182,7 +72397,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_getattr_tape_dev" lineno="826"> +<interface name="storage_getattr_tape_dev" lineno="831"> <summary> Allow the caller to get the attributes of device nodes of tape devices. @@ -72193,7 +72408,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_setattr_tape_dev" lineno="846"> +<interface name="storage_setattr_tape_dev" lineno="851"> <summary> Allow the caller to set the attributes of device nodes of tape devices. @@ -72204,7 +72419,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_unconfined" lineno="865"> +<interface name="storage_unconfined" lineno="870"> <summary> Unconfined access to storage devices. </summary> @@ -78959,6 +79174,15 @@ Allow containers to use eCryptfs filesystems. </p> </desc> </tunable> +<tunable name="container_use_host_all_caps" dftval="false"> +<desc> +<p> +Allow containers to use all capabilities in a +non-namespaced context for various privileged operations +directly on the host. +</p> +</desc> +</tunable> <tunable name="container_use_hugetlbfs" dftval="false"> <desc> <p> @@ -78966,6 +79190,14 @@ Allow containers to use huge pages. </p> </desc> </tunable> +<tunable name="container_use_mknod" dftval="false"> +<desc> +<p> +Allow containers to use the mknod syscall, e.g. for +creating special device files. +</p> +</desc> +</tunable> <tunable name="container_use_nfs" dftval="false"> <desc> <p> 
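Review bot: The description added for `container_use_host_all_caps` in this line's tunable hunk does not say how it relates to the narrower tunables added beside it (`container_use_mknod`, and `container_use_sysadmin` plus the `container_use_userns_*` set in the hunk on the next line). An administrator cannot tell from the text whether it is a superset of them. The rules behind these booleans are not visible here, but if it is a superset, I would add a sentence such as `This grants every capability on the host itself; prefer container_use_mknod or container_use_sysadmin when a single capability is sufficient.` The two `*_all_caps` descriptions would also be clearer if they used the terms "host user namespace" and "container's own user namespace" instead of "non-namespaced context" and "namespaced context". policy.xml appears to be generated, so the wording would be changed in the container module source.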
@@ -78980,6 +79212,41 @@ Allow containers to use CIFS filesystems. </p> </desc> </tunable> +<tunable name="container_use_sysadmin" dftval="false"> +<desc> +<p> +Allow containers to use the sysadmin capability, e.g. +for mounting filesystems. +</p> +</desc> +</tunable> +<tunable name="container_use_userns_all_caps" dftval="false"> +<desc> +<p> +Allow containers to use all capabilities in a +namespaced context for various privileged operations +within the container itself. +</p> +</desc> +</tunable> +<tunable name="container_use_userns_mknod" dftval="false"> +<desc> +<p> +Allow containers to use the mknod syscall in a +namespaced context, e.g. for creating special device +files within the container itself. +</p> +</desc> +</tunable> +<tunable name="container_use_userns_sysadmin" dftval="false"> +<desc> +<p> +Allow containers to use the sysadmin capability in a +namespaced context, e.g. for mounting filesystems +within the container itself. +</p> +</desc> +</tunable> </module> <module name="corosync" filename="policy/modules/services/corosync.if"> <summary>Corosync Cluster Engine.</summary> @@ -79644,7 +79911,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_read_system_job_lib_files" lineno="768"> +<interface name="cron_rw_inherited_tmp_files" lineno="768"> +<summary> +Read and write inherited crond temporary files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cron_read_system_job_lib_files" lineno="786"> <summary> Read system cron job lib files. </summary> @@ -79654,7 +79931,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_manage_system_job_lib_files" lineno="788"> +<interface name="cron_manage_system_job_lib_files" lineno="806"> <summary> Create, read, write, and delete system cron job lib files. 
@@ -79665,7 +79942,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_write_system_job_pipes" lineno="807"> +<interface name="cron_write_system_job_pipes" lineno="825"> <summary> Write system cron job unnamed pipes. </summary> @@ -79675,7 +79952,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_rw_system_job_pipes" lineno="826"> +<interface name="cron_rw_system_job_pipes" lineno="844"> <summary> Read and write system cron job unnamed pipes. @@ -79686,7 +79963,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_rw_system_job_stream_sockets" lineno="845"> +<interface name="cron_rw_system_job_stream_sockets" lineno="863"> <summary> Read and write inherited system cron job unix domain stream sockets. @@ -79697,7 +79974,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_read_system_job_tmp_files" lineno="863"> +<interface name="cron_read_system_job_tmp_files" lineno="881"> <summary> Read system cron job temporary files. </summary> @@ -79707,7 +79984,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="883"> +<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="901"> <summary> Do not audit attempts to append temporary system cron job files. @@ -79718,7 +79995,17 @@ Domain to not audit. </summary> </param> </interface> -<interface name="cron_rw_inherited_system_job_tmp_files" lineno="901"> +<interface name="cron_append_system_job_tmp_files" lineno="919"> +<summary> +allow appending temporary system cron job files. +</summary> +<param name="domain"> +<summary> +Domain to allow. +</summary> +</param> +</interface> +<interface name="cron_rw_inherited_system_job_tmp_files" lineno="937"> <summary> Read and write to inherited system cron job temporary files. </summary> 
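Review bot: The new `cron_append_system_job_tmp_files` entry in the last hunk here departs from the wording used by the interfaces around it, with "allow appending temporary system cron job files." as the summary and "Domain to allow." as the parameter text. The neighbouring entries use an imperative summary and "Domain allowed access.", and the near-identical "Domain to not audit." of the dontaudit sibling makes the two easy to confuse when skimming. I would use `Append to temporary system cron job files.` and `Domain allowed access.`. As this file appears to be generated, the change would go in the interface's source comment.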
@@ -79728,7 +80015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="920"> +<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="956"> <summary> Do not audit attempts to write temporary system cron job files. @@ -79739,7 +80026,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="cron_exec_crontab" lineno="939"> +<interface name="cron_exec_crontab" lineno="975"> <summary> Execute crontab in the caller domain. </summary> @@ -79750,7 +80037,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="cron_admin" lineno="965"> +<interface name="cron_admin" lineno="1001"> <summary> All of the rules required to administrate a cron environment. @@ -80257,7 +80544,7 @@ User domain for the role </summary> </param> </template> -<interface name="dbus_system_bus_client" lineno="137"> +<interface name="dbus_system_bus_client" lineno="140"> <summary> Template for creating connections to the system bus. @@ -80268,7 +80555,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_connect_all_session_bus" lineno="176"> +<interface name="dbus_connect_all_session_bus" lineno="181"> <summary> Acquire service on all DBUS session busses. @@ -80279,7 +80566,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_connect_spec_session_bus" lineno="202"> +<template name="dbus_connect_spec_session_bus" lineno="207"> <summary> Acquire service on specified DBUS session bus. @@ -80296,7 +80583,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_all_session_bus_client" lineno="222"> +<interface name="dbus_all_session_bus_client" lineno="227"> <summary> Creating connections to all DBUS session busses. 
@@ -80307,7 +80594,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_spec_session_bus_client" lineno="254"> +<template name="dbus_spec_session_bus_client" lineno="261"> <summary> Creating connections to specified DBUS session bus. @@ -80324,7 +80611,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_send_all_session_bus" lineno="281"> +<interface name="dbus_send_all_session_bus" lineno="288"> <summary> Send messages to all DBUS session busses. @@ -80335,7 +80622,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_send_spec_session_bus" lineno="307"> +<template name="dbus_send_spec_session_bus" lineno="314"> <summary> Send messages to specified DBUS session busses. @@ -80352,7 +80639,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_getattr_session_runtime_socket" lineno="327"> +<interface name="dbus_getattr_session_runtime_socket" lineno="334"> <summary> Allow the specified domain to get the attributes of the session dbus sock file. @@ -80363,7 +80650,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_write_session_runtime_socket" lineno="346"> +<interface name="dbus_write_session_runtime_socket" lineno="353"> <summary> Allow the specified domain to write to the session dbus sock file. @@ -80374,7 +80661,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_config" lineno="364"> +<interface name="dbus_read_config" lineno="371"> <summary> Read dbus configuration content. </summary> @@ -80384,7 +80671,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_lib_files" lineno="383"> +<interface name="dbus_read_lib_files" lineno="390"> <summary> Read system dbus lib files. </summary> 
@@ -80394,7 +80681,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_relabel_lib_dirs" lineno="403"> +<interface name="dbus_relabel_lib_dirs" lineno="410"> <summary> Relabel system dbus lib directory. </summary> @@ -80404,7 +80691,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_manage_lib_files" lineno="423"> +<interface name="dbus_manage_lib_files" lineno="430"> <summary> Create, read, write, and delete system dbus lib files. @@ -80415,7 +80702,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_all_session_domain" lineno="449"> +<interface name="dbus_all_session_domain" lineno="456"> <summary> Allow a application domain to be started by the specified session bus. @@ -80432,7 +80719,7 @@ entry point to this domain. </summary> </param> </interface> -<template name="dbus_spec_session_domain" lineno="483"> +<template name="dbus_spec_session_domain" lineno="490"> <summary> Allow a application domain to be started by the specified session bus. @@ -80455,7 +80742,7 @@ entry point to this domain. </summary> </param> </template> -<interface name="dbus_connect_system_bus" lineno="504"> +<interface name="dbus_connect_system_bus" lineno="511"> <summary> Acquire service on the DBUS system bus. </summary> @@ -80465,7 +80752,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_send_system_bus" lineno="523"> +<interface name="dbus_send_system_bus" lineno="530"> <summary> Send messages to the DBUS system bus. </summary> @@ -80475,7 +80762,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_system_bus_unconfined" lineno="542"> +<interface name="dbus_system_bus_unconfined" lineno="549"> <summary> Unconfined access to DBUS system bus. </summary> 
@@ -80485,7 +80772,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_system_domain" lineno="567"> +<interface name="dbus_system_domain" lineno="574"> <summary> Create a domain for processes which can be started by the DBUS system bus. @@ -80501,7 +80788,7 @@ Type of the program to be used as an entry point to this domain. </summary> </param> </interface> -<interface name="dbus_use_system_bus_fds" lineno="605"> +<interface name="dbus_use_system_bus_fds" lineno="612"> <summary> Use and inherit DBUS system bus file descriptors. @@ -80512,7 +80799,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="624"> +<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="631"> <summary> Do not audit attempts to read and write DBUS system bus TCP sockets. @@ -80523,7 +80810,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dbus_watch_system_bus_runtime_dirs" lineno="642"> +<interface name="dbus_watch_system_bus_runtime_dirs" lineno="649"> <summary> Watch system bus runtime directories. </summary> @@ -80533,7 +80820,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_system_bus_runtime_files" lineno="660"> +<interface name="dbus_read_system_bus_runtime_files" lineno="667"> <summary> Read system bus runtime files. </summary> @@ -80543,7 +80830,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_list_system_bus_runtime" lineno="679"> +<interface name="dbus_list_system_bus_runtime" lineno="686"> <summary> List system bus runtime directories. </summary> @@ -80553,7 +80840,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="697"> +<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="704"> <summary> Watch system bus runtime named sockets. </summary> 
@@ -80563,7 +80850,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="715"> +<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="722"> <summary> Read system bus runtime named sockets. </summary> @@ -80573,7 +80860,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="734"> +<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="741"> <summary> Do not audit attempts to write to system bus runtime named sockets. @@ -80584,7 +80871,17 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dbus_unconfined" lineno="752"> +<interface name="dbus_rw_session_tmp_sockets" lineno="759"> +<summary> +Read and write session named sockets in the tmp directory (/tmp). +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dbus_unconfined" lineno="777"> <summary> Unconfined access to DBUS. </summary> @@ -80594,7 +80891,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="782"> +<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="807"> <summary> Create resources in /run or /var/run with the system_dbusd_runtime_t label. This method is deprecated in favor of the init_daemon_run_dir @@ -80616,7 +80913,7 @@ Optional file name used for the resource </summary> </param> </interface> -<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="796"> +<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="821"> <summary> Create directories with the system_dbusd_runtime_t label </summary> 
@@ -80626,6 +80923,16 @@ Domain allowed access </summary> </param> </interface> +<tunable name="dbus_can_network" dftval="false"> +<desc> +<p> +Determine whether the dbus server +can use the network (insecure +except than in the case of the +loopback interface). +</p> +</desc> +</tunable> <tunable name="dbus_pass_tuntap_fd" dftval="false"> <desc> <p> @@ -81517,6 +81824,21 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="eg25manager" filename="policy/modules/services/eg25manager.if"> +<summary>Manager daemon for the Quectel EG25 modem</summary> + +<desc> +eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring +and monitoring the Quectel EG25 modem on a running system. It is used on the +PinePhone (Pro) and performs the +following functions: +* power on/off +* startup configuration using AT commands +* AGPS data upload +* status monitoring (and restart if it becomes unavailable) +Homepage: https://gitlab.com/mobian1/eg25-manager +</desc> +</module> <module name="entropyd" filename="policy/modules/services/entropyd.if"> <summary>Generate entropy from audio input.</summary> <interface name="entropyd_admin" lineno="20"> 
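Review bot: The `dbus_can_network` description added in the first hunk here reads "insecure except than in the case of the loopback interface", which is ungrammatical and leaves the risk unclear. This is the text an administrator sees before turning the boolean on, so it should be unambiguous. I would reword it to `can use the network (insecure unless limited to the loopback interface).` The added line sets `dftval="false"`, which is the safe default. doc/policy.xml appears to be generated, so the fix likely belongs where the tunable is declared.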
@@ -83384,6 +83706,29 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="iiosensorproxy" filename="policy/modules/services/iiosensorproxy.if"> +<summary>IIO sensors to D-Bus proxy</summary> + +<desc> +Industrial I/O subsystem is intended to provide support for devices +that in some sense are analog to digital or digital to analog convertors +. +Devices that fall into this category are: +* ADCs +* Accelerometers +* Gyros +* IMUs +* Capacitance to Digital Converters (CDCs) +* Pressure Sensors +* Color, Light and Proximity Sensors +* Temperature Sensors +* Magnetometers +* DACs +* DDS (Direct Digital Synthesis) +* PLLs (Phase Locked Loops) +* Variable/Programmable Gain Amplifiers (VGA, PGA) +</desc> +</module> <module name="inetd" filename="policy/modules/services/inetd.if"> <summary>Internet services daemon.</summary> <interface name="inetd_core_service_domain" lineno="27"> @@ -84913,6 +85258,28 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="lowmemorymonitor" filename="policy/modules/services/lowmemorymonitor.if"> +<summary>low memory monitor daemon</summary> + +<desc> +The Low Memory Monitor is an early boot daemon that will monitor memory +pressure information coming from the kernel, and, first, send a signal +to user-space applications when memory is running low, and then optionally +activate the kernel's OOM killer when memory is running really low. +https://gitlab.freedesktop.org/hadess/low-memory-monitor +</desc> +<interface name="low_mem_mon_dbus_chat" lineno="22"> +<summary> +Send and receive messages from +low_mem_mon_t over dbus. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +</module> <module name="lpd" filename="policy/modules/services/lpd.if"> <summary>Line printer daemon.</summary> <template name="lpd_role" lineno="29"> 
@@ -86046,7 +86413,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_home_filetrans_mail_home_rw" lineno="295"> +<interface name="mta_home_filetrans_mail_home_rw" lineno="296"> <summary> Create specified objects in user home directories with the generic mail @@ -86068,7 +86435,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="mta_system_content" lineno="313"> +<interface name="mta_system_content" lineno="314"> <summary> Make the specified type by a system MTA. </summary> @@ -86078,7 +86445,7 @@ Type to be used as a mail client. </summary> </param> </interface> -<interface name="mta_sendmail_mailserver" lineno="346"> +<interface name="mta_sendmail_mailserver" lineno="347"> <summary> Modified mailserver interface for sendmail daemon use. @@ -86103,7 +86470,7 @@ The type to be used for the mail server. </summary> </param> </interface> -<interface name="mta_use_mailserver_fds" lineno="367"> +<interface name="mta_use_mailserver_fds" lineno="368"> <summary> Inherit FDs from mailserver_domain domains </summary> @@ -86113,7 +86480,7 @@ Type for a list server or delivery agent that inherits fds </summary> </param> </interface> -<interface name="mta_mailserver_sender" lineno="386"> +<interface name="mta_mailserver_sender" lineno="387"> <summary> Make a type a mailserver type used for sending mail. @@ -86124,7 +86491,7 @@ Mail server domain type used for sending mail. </summary> </param> </interface> -<interface name="mta_mailserver_delivery" lineno="405"> +<interface name="mta_mailserver_delivery" lineno="406"> <summary> Make a type a mailserver type used for delivering mail to local users. @@ -86135,7 +86502,7 @@ Mail server domain type used for delivering mail. </summary> </param> </interface> -<interface name="mta_mailserver_user_agent" lineno="425"> +<interface name="mta_mailserver_user_agent" lineno="426"> <summary> Make a type a mailserver type used for sending mail on behalf of local 
@@ -86147,7 +86514,7 @@ Mail server domain type used for sending local mail. </summary> </param> </interface> -<interface name="mta_send_mail" lineno="443"> +<interface name="mta_send_mail" lineno="444"> <summary> Send mail from the system. </summary> @@ -86157,7 +86524,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="mta_sendmail_domtrans" lineno="488"> +<interface name="mta_sendmail_domtrans" lineno="489"> <summary> Execute send mail in a specified domain. </summary> @@ -86182,7 +86549,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="mta_signal_system_mail" lineno="510"> +<interface name="mta_signal_system_mail" lineno="511"> <summary> Send signals to system mail. </summary> @@ -86192,7 +86559,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_kill_system_mail" lineno="528"> +<interface name="mta_kill_system_mail" lineno="529"> <summary> Send kill signals to system mail. </summary> @@ -86202,7 +86569,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_sendmail_exec" lineno="546"> +<interface name="mta_sendmail_exec" lineno="547"> <summary> Execute sendmail in the caller domain. </summary> @@ -86212,7 +86579,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_sendmail_entry_point" lineno="566"> +<interface name="mta_sendmail_entry_point" lineno="567"> <summary> Make sendmail usable as an entry point for the domain. @@ -86223,7 +86590,7 @@ Domain to be entered. </summary> </param> </interface> -<interface name="mta_read_config" lineno="585"> +<interface name="mta_read_config" lineno="586"> <summary> Read mail server configuration content. </summary> @@ -86234,7 +86601,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="mta_write_config" lineno="607"> +<interface name="mta_write_config" lineno="608"> <summary> Write mail server configuration files. </summary> 
@@ -86245,7 +86612,18 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="mta_read_aliases" lineno="626"> +<interface name="mta_manage_config" lineno="628"> +<summary> +Create, read, write, and delete +mail server configuration content. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="mta_read_aliases" lineno="648"> <summary> Read mail address alias files. </summary> @@ -86255,7 +86633,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_map_aliases" lineno="654"> +<interface name="mta_map_aliases" lineno="676"> <summary> Read mail address alias files. </summary> @@ -86265,7 +86643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_manage_aliases" lineno="673"> +<interface name="mta_manage_aliases" lineno="695"> <summary> Create, read, write, and delete mail address alias content. @@ -86276,7 +86654,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_etc_filetrans_aliases" lineno="715"> +<interface name="mta_etc_filetrans_aliases" lineno="737"> <summary> Create specified object in generic etc directories with the mail address @@ -86298,7 +86676,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="mta_spec_filetrans_aliases" lineno="750"> +<interface name="mta_spec_filetrans_aliases" lineno="772"> <summary> Create specified objects in specified directories with a type transition to @@ -86325,7 +86703,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="mta_rw_aliases" lineno="769"> +<interface name="mta_rw_aliases" lineno="791"> <summary> Read and write mail alias files. </summary> 
@@ -86336,7 +86714,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="799"> +<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="821"> <summary> Do not audit attempts to read and write TCP sockets of mail @@ -86348,7 +86726,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_list_spool" lineno="817"> +<interface name="mta_list_spool" lineno="839"> <summary> Allow listing the mail spool. </summary> @@ -86358,7 +86736,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_read_spool_symlinks" lineno="836"> +<interface name="mta_read_spool_symlinks" lineno="858"> <summary> Allow reading mail spool symlinks. </summary> @@ -86368,7 +86746,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_rw_inherited_delivery_pipes" lineno="854"> +<interface name="mta_rw_inherited_delivery_pipes" lineno="876"> <summary> read and write fifo files inherited from delivery domains </summary> @@ -86378,7 +86756,7 @@ Domain to use fifo files </summary> </param> </interface> -<interface name="mta_dontaudit_read_spool_symlinks" lineno="875"> +<interface name="mta_dontaudit_read_spool_symlinks" lineno="897"> <summary> Do not audit attempts to read mail spool symlinks. @@ -86389,7 +86767,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_getattr_spool" lineno="893"> +<interface name="mta_getattr_spool" lineno="915"> <summary> Get attributes of mail spool content. </summary> @@ -86399,7 +86777,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_dontaudit_getattr_spool_files" lineno="915"> +<interface name="mta_dontaudit_getattr_spool_files" lineno="937"> <summary> Do not audit attempts to get attributes of mail spool files. 
@@ -86410,7 +86788,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_spool_filetrans" lineno="953"> +<interface name="mta_spool_filetrans" lineno="975"> <summary> Create specified objects in the mail spool directory with a @@ -86437,7 +86815,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="mta_read_spool_files" lineno="972"> +<interface name="mta_read_spool_files" lineno="994"> <summary> Read mail spool files. </summary> @@ -86447,7 +86825,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_rw_spool" lineno="992"> +<interface name="mta_rw_spool" lineno="1014"> <summary> Read and write mail spool files. </summary> @@ -86457,7 +86835,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_append_spool" lineno="1013"> +<interface name="mta_append_spool" lineno="1035"> <summary> Create, read, and write mail spool files. </summary> @@ -86467,7 +86845,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_delete_spool" lineno="1034"> +<interface name="mta_delete_spool" lineno="1056"> <summary> Delete mail spool files. </summary> @@ -86477,7 +86855,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_manage_spool" lineno="1054"> +<interface name="mta_manage_spool" lineno="1076"> <summary> Create, read, write, and delete mail spool content. @@ -86488,7 +86866,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_watch_spool" lineno="1076"> +<interface name="mta_watch_spool" lineno="1098"> <summary> Watch mail spool content. </summary> @@ -86498,7 +86876,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_queue_filetrans" lineno="1111"> +<interface name="mta_queue_filetrans" lineno="1133"> <summary> Create specified objects in the mail queue spool directory with a 
@@ -86525,7 +86903,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="mta_search_queue" lineno="1130"> +<interface name="mta_search_queue" lineno="1152"> <summary> Search mail queue directories. </summary> @@ -86535,7 +86913,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_list_queue" lineno="1149"> +<interface name="mta_list_queue" lineno="1171"> <summary> List mail queue directories. </summary> @@ -86545,7 +86923,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_read_queue" lineno="1168"> +<interface name="mta_read_queue" lineno="1190"> <summary> Read mail queue files. </summary> @@ -86555,7 +86933,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_dontaudit_rw_queue" lineno="1188"> +<interface name="mta_dontaudit_rw_queue" lineno="1210"> <summary> Do not audit attempts to read and write mail queue content. @@ -86566,7 +86944,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="mta_manage_queue" lineno="1208"> +<interface name="mta_manage_queue" lineno="1230"> <summary> Create, read, write, and delete mail queue content. @@ -86577,7 +86955,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_read_sendmail_bin" lineno="1228"> +<interface name="mta_read_sendmail_bin" lineno="1250"> <summary> Read sendmail binary. </summary> @@ -86587,7 +86965,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mta_rw_user_mail_stream_sockets" lineno="1247"> +<interface name="mta_rw_user_mail_stream_sockets" lineno="1269"> <summary> Read and write unix domain stream sockets of all base mail domains. 
@@ -87933,7 +88311,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ntp_rw_shm" lineno="189"> +<interface name="ntp_filetrans_drift" lineno="189"> +<summary> +specified domain creates /var/lib/ntpsec/ with the correct type +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="ntp_rw_shm" lineno="208"> <summary> Read and write ntpd shared memory. </summary> @@ -87943,7 +88331,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ntp_enabledisable" lineno="211"> +<interface name="ntp_enabledisable" lineno="230"> <summary> Allow specified domain to enable/disable ntpd unit </summary> @@ -87953,7 +88341,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ntp_startstop" lineno="232"> +<interface name="ntp_startstop" lineno="251"> <summary> Allow specified domain to start/stop ntpd unit </summary> @@ -87963,7 +88351,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ntp_status" lineno="253"> +<interface name="ntp_status" lineno="272"> <summary> Allow specified domain to get status of ntpd unit </summary> @@ -87973,7 +88361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ntp_admin" lineno="281"> +<interface name="ntp_admin" lineno="300"> <summary> All of the rules required to administrate an ntp environment. @@ -87990,7 +88378,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="ntp_manage_config" lineno="333"> +<interface name="ntp_manage_config" lineno="352"> <summary> Manage ntp(d) configuration. </summary> @@ -89596,7 +89984,7 @@ Domain prefix to be used. </summary> </param> </template> -<template name="postfix_server_domain_template" lineno="65"> +<template name="postfix_server_domain_template" lineno="68"> <summary> The template to define a postfix server domain. </summary> 
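Review bot: The summary of the new `ntp_filetrans_drift` interface in the first hunk here, "specified domain creates /var/lib/ntpsec/ with the correct type", never names the type that is applied. Someone auditing which domains may create labelled directories cannot tell what the transition yields. Other filetrans entries in this file name the label, for example "Create resources in /run or /var/run with the system_dbusd_runtime_t label". I would follow that form, e.g. `Create the /var/lib/ntpsec directory with the <ntp drift type> label.`, with the real type name filled in from the module source.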
@@ -89606,7 +89994,7 @@ Domain prefix to be used. </summary> </param> </template> -<template name="postfix_user_domain_template" lineno="105"> +<template name="postfix_user_domain_template" lineno="108"> <summary> The template to define a postfix user domain. </summary> @@ -89616,7 +90004,7 @@ Domain prefix to be used. </summary> </param> </template> -<interface name="postfix_read_config" lineno="142"> +<interface name="postfix_read_config" lineno="145"> <summary> Read postfix configuration content. </summary> @@ -89627,7 +90015,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="postfix_config_filetrans" lineno="179"> +<interface name="postfix_config_filetrans" lineno="182"> <summary> Create specified object in postfix etc directories with a type transition. @@ -89653,7 +90041,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="199"> +<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="202"> <summary> Do not audit attempts to read and write postfix local delivery @@ -89665,7 +90053,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="postfix_rw_local_pipes" lineno="217"> +<interface name="postfix_rw_local_pipes" lineno="220"> <summary> Read and write postfix local pipes. </summary> @@ -89675,7 +90063,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_read_local_state" lineno="235"> +<interface name="postfix_read_local_state" lineno="238"> <summary> Read postfix local process state files. </summary> @@ -89685,7 +90073,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_rw_inherited_master_pipes" lineno="256"> +<interface name="postfix_rw_inherited_master_pipes" lineno="259"> <summary> Read and write inherited postfix master pipes. </summary> 
@@ -89695,7 +90083,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_read_master_state" lineno="275"> +<interface name="postfix_read_master_state" lineno="278"> <summary> Read postfix master process state files. </summary> @@ -89705,7 +90093,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_use_fds_master" lineno="296"> +<interface name="postfix_use_fds_master" lineno="299"> <summary> Use postfix master file descriptors. </summary> @@ -89715,7 +90103,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_dontaudit_use_fds" lineno="316"> +<interface name="postfix_dontaudit_use_fds" lineno="319"> <summary> Do not audit attempts to use postfix master process file @@ -89727,7 +90115,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="postfix_domtrans_map" lineno="334"> +<interface name="postfix_domtrans_map" lineno="337"> <summary> Execute postfix_map in the postfix_map domain. </summary> @@ -89737,7 +90125,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postfix_run_map" lineno="361"> +<interface name="postfix_run_map" lineno="364"> <summary> Execute postfix map in the postfix map domain, and allow the specified @@ -89755,7 +90143,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="postfix_domtrans_master" lineno="381"> +<interface name="postfix_domtrans_master" lineno="384"> <summary> Execute the master postfix program in the postfix_master domain. @@ -89766,7 +90154,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postfix_exec_master" lineno="401"> +<interface name="postfix_exec_master" lineno="404"> <summary> Execute the master postfix program in the caller domain. 
@@ -89777,7 +90165,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_stream_connect_master" lineno="422"> +<interface name="postfix_stream_connect_master" lineno="425"> <summary> Connect to postfix master process using a unix domain stream socket. @@ -89789,7 +90177,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="postfix_domtrans_postdrop" lineno="441"> +<interface name="postfix_domtrans_postdrop" lineno="444"> <summary> Execute the master postdrop in the postfix postdrop domain. @@ -89800,7 +90188,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postfix_domtrans_postqueue" lineno="461"> +<interface name="postfix_domtrans_postqueue" lineno="464"> <summary> Execute the master postqueue in the postfix postqueue domain. @@ -89811,7 +90199,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postfix_exec_postqueue" lineno="481"> +<interface name="postfix_exec_postqueue" lineno="484"> <summary> Execute postfix postqueue in the caller domain. @@ -89822,7 +90210,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_create_private_sockets" lineno="500"> +<interface name="postfix_create_private_sockets" lineno="503"> <summary> Create postfix private sock files. </summary> @@ -89832,7 +90220,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_manage_private_sockets" lineno="519"> +<interface name="postfix_manage_private_sockets" lineno="522"> <summary> Create, read, write, and delete postfix private sock files. @@ -89843,7 +90231,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_domtrans_smtp" lineno="538"> +<interface name="postfix_domtrans_smtp" lineno="541"> <summary> Execute the smtp postfix program in the postfix smtp domain. 
@@ -89854,7 +90242,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postfix_getattr_all_spool_files" lineno="558"> +<interface name="postfix_getattr_all_spool_files" lineno="561"> <summary> Get attributes of all postfix mail spool files. @@ -89865,7 +90253,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_search_spool" lineno="577"> +<interface name="postfix_search_spool" lineno="580"> <summary> Search postfix mail spool directories. </summary> @@ -89875,7 +90263,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_list_spool" lineno="596"> +<interface name="postfix_list_spool" lineno="599"> <summary> List postfix mail spool directories. </summary> @@ -89885,7 +90273,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_read_spool_files" lineno="615"> +<interface name="postfix_read_spool_files" lineno="618"> <summary> Read postfix mail spool files. </summary> @@ -89895,7 +90283,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_manage_spool_files" lineno="635"> +<interface name="postfix_manage_spool_files" lineno="638"> <summary> Create, read, write, and delete postfix mail spool files. @@ -89906,7 +90294,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_domtrans_user_mail_handler" lineno="655"> +<interface name="postfix_domtrans_user_mail_handler" lineno="658"> <summary> Execute postfix user mail programs in their respective domains. @@ -89917,7 +90305,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postfix_admin" lineno="680"> +<interface name="postfix_admin" lineno="683"> <summary> All of the rules required to administrate an postfix environment. 
@@ -90312,6 +90700,13 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="powerprofiles" filename="policy/modules/services/powerprofiles.if"> +<summary>power profiles daemon</summary> + +<desc> +Daemon to control power profiles for laptop +</desc> +</module> <module name="ppp" filename="policy/modules/services/ppp.if"> <summary>Point to Point Protocol daemon creates links in ppp networks.</summary> <interface name="ppp_manage_home_files" lineno="14"> @@ -91307,6 +91702,18 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="rasdaemon" filename="policy/modules/services/rasdaemon.if"> +<summary>RAS (Reliability, Availability and Serviceability) logging tool</summary> + +<desc> +rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +tool. It currently records memory errors, using the EDAC tracing events. +EDAC are drivers in the Linux kernel that handle detection of ECC errors +from memory controllers for most chipsets on x86 and ARM architectures. + +https://git.infradead.org/users/mchehab/rasdaemon.git +</desc> +</module> <module name="razor" filename="policy/modules/services/razor.if"> <summary>A distributed, collaborative, spam detection and filtering network.</summary> <template name="razor_common_domain_template" lineno="13"> @@ -93583,6 +93990,17 @@ Role allowed access. </param> <rolecap/> </interface> +<interface name="fsdaemon_read_lib" lineno="71"> +<summary> +Read fsdaemon /var/lib files +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> <tunable name="smartmon_3ware" dftval="false"> <desc> <p> @@ -93877,7 +94295,7 @@ Role allowed access </summary> </param> </template> -<interface name="spamassassin_run_update" lineno="73"> +<interface name="spamassassin_run_update" lineno="75"> <summary> Execute sa-update in the spamd-update domain, and allow the specified role 
@@ -93895,7 +94313,7 @@ Role allowed access. </summary> </param> </interface> -<interface name="spamassassin_exec" lineno="93"> +<interface name="spamassassin_exec" lineno="95"> <summary> Execute the standalone spamassassin program in the caller directory. @@ -93906,7 +94324,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_signal_spamd" lineno="112"> +<interface name="spamassassin_signal_spamd" lineno="114"> <summary> Send generic signals to spamd. </summary> @@ -93916,7 +94334,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_reload" lineno="131"> +<interface name="spamassassin_reload" lineno="133"> <summary> reload SA service </summary> @@ -93927,7 +94345,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="spamassassin_status" lineno="151"> +<interface name="spamassassin_status" lineno="153"> <summary> Get SA service status </summary> @@ -93938,7 +94356,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="spamassassin_exec_spamd" lineno="170"> +<interface name="spamassassin_exec_spamd" lineno="172"> <summary> Execute spamd in the caller domain. </summary> @@ -93948,7 +94366,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_domtrans_client" lineno="189"> +<interface name="spamassassin_domtrans_client" lineno="191"> <summary> Execute spamc in the spamc domain. </summary> @@ -93958,7 +94376,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="spamassassin_exec_client" lineno="208"> +<interface name="spamassassin_exec_client" lineno="210"> <summary> Execute spamc in the caller domain. </summary> @@ -93968,7 +94386,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_kill_client" lineno="227"> +<interface name="spamassassin_kill_client" lineno="229"> <summary> Send kill signals to spamc. </summary> 
@@ -93978,7 +94396,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_domtrans_local_client" lineno="246"> +<interface name="spamassassin_domtrans_local_client" lineno="248"> <summary> Execute spamassassin standalone client in the user spamassassin domain. @@ -93989,7 +94407,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="spamassassin_manage_spamd_home_content" lineno="266"> +<interface name="spamassassin_manage_spamd_home_content" lineno="268"> <summary> Create, read, write, and delete spamd home content. @@ -94000,7 +94418,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_relabel_spamd_home_content" lineno="287"> +<interface name="spamassassin_relabel_spamd_home_content" lineno="289"> <summary> Relabel spamd home content. </summary> @@ -94010,7 +94428,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_home_filetrans_spamd_home" lineno="319"> +<interface name="spamassassin_home_filetrans_spamd_home" lineno="321"> <summary> Create objects in user home directories with the spamd home type. @@ -94031,7 +94449,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="spamassassin_read_lib_files" lineno="337"> +<interface name="spamassassin_read_lib_files" lineno="339"> <summary> Read spamd lib files. </summary> @@ -94041,7 +94459,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_manage_lib_files" lineno="357"> +<interface name="spamassassin_manage_lib_files" lineno="359"> <summary> Create, read, write, and delete spamd lib files. @@ -94052,7 +94470,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_read_spamd_runtime_files" lineno="376"> +<interface name="spamassassin_read_spamd_runtime_files" lineno="378"> <summary> Read spamd runtime files. </summary> 
@@ -94062,7 +94480,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_read_spamd_tmp_files" lineno="395"> +<interface name="spamassassin_read_spamd_tmp_files" lineno="397"> <summary> Read temporary spamd files. </summary> @@ -94072,7 +94490,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="414"> +<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="416"> <summary> Do not audit attempts to get attributes of temporary spamd sockets. @@ -94083,7 +94501,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="spamassassin_stream_connect_spamd" lineno="433"> +<interface name="spamassassin_stream_connect_spamd" lineno="435"> <summary> Connect to spamd with a unix domain stream socket. @@ -94094,7 +94512,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="spamassassin_admin" lineno="459"> +<interface name="spamassassin_admin" lineno="461"> <summary> All of the rules required to administrate an spamassassin environment. @@ -94115,7 +94533,8 @@ Role allowed access. <desc> <p> Determine whether spamassassin -clients can use the network. +daemon or clients can use the +network. </p> </desc> </tunable> @@ -94127,6 +94546,15 @@ generic user home content. </p> </desc> </tunable> +<tunable name="spamassassin_network_update" dftval="true"> +<desc> +<p> +Determine whether spamassassin +can update the rules using the +network. +</p> +</desc> +</tunable> <tunable name="rspamd_spamd" dftval="false"> <desc> <p> @@ -94135,6 +94563,14 @@ be enabled to support rspamd. </p> </desc> </tunable> +<tunable name="spamd_execmem" dftval="false"> +<desc> +<p> +Determine whether execmem should be allowed +Needed if LUA JIT is enabled for rspamd +</p> +</desc> +</tunable> </module> <module name="squid" filename="policy/modules/services/squid.if"> <summary>Squid caching http proxy server.</summary> 
@@ -94377,7 +94813,7 @@ Role allowed access </summary> </param> </template> -<interface name="ssh_sigchld" lineno="486"> +<interface name="ssh_sigchld" lineno="488"> <summary> Send a SIGCHLD signal to the ssh server. </summary> @@ -94387,7 +94823,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_signal" lineno="504"> +<interface name="ssh_signal" lineno="506"> <summary> Send a generic signal to the ssh server. </summary> @@ -94397,7 +94833,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_signull" lineno="522"> +<interface name="ssh_signull" lineno="524"> <summary> Send a null signal to sshd processes. </summary> @@ -94407,7 +94843,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_read_pipes" lineno="540"> +<interface name="ssh_read_pipes" lineno="542"> <summary> Read a ssh server unnamed pipe. </summary> @@ -94417,7 +94853,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_pipes" lineno="557"> +<interface name="ssh_rw_pipes" lineno="559"> <summary> Read and write a ssh server unnamed pipe. </summary> @@ -94427,7 +94863,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_stream_sockets" lineno="575"> +<interface name="ssh_rw_stream_sockets" lineno="577"> <summary> Read and write ssh server unix domain stream sockets. </summary> @@ -94437,7 +94873,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_tcp_sockets" lineno="593"> +<interface name="ssh_rw_tcp_sockets" lineno="595"> <summary> Read and write ssh server TCP sockets. </summary> @@ -94447,7 +94883,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="612"> +<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="614"> <summary> Do not audit attempts to read and write ssh server TCP sockets. 
@@ -94458,7 +94894,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="ssh_exec_sshd" lineno="630"> +<interface name="ssh_exec_sshd" lineno="632"> <summary> Execute the ssh daemon in the caller domain. </summary> @@ -94468,7 +94904,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_domtrans" lineno="649"> +<interface name="ssh_domtrans" lineno="651"> <summary> Execute the ssh daemon sshd domain. </summary> @@ -94478,7 +94914,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_client_domtrans" lineno="667"> +<interface name="ssh_client_domtrans" lineno="669"> <summary> Execute the ssh client in the ssh client domain. </summary> @@ -94488,7 +94924,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_exec" lineno="685"> +<interface name="ssh_exec" lineno="687"> <summary> Execute the ssh client in the caller domain. </summary> @@ -94498,7 +94934,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_setattr_key_files" lineno="704"> +<interface name="ssh_setattr_key_files" lineno="706"> <summary> Set the attributes of sshd key files. </summary> @@ -94508,7 +94944,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_agent_exec" lineno="723"> +<interface name="ssh_agent_exec" lineno="725"> <summary> Execute the ssh agent client in the caller domain. </summary> @@ -94518,7 +94954,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_setattr_home_dirs" lineno="742"> +<interface name="ssh_setattr_home_dirs" lineno="744"> <summary> Set the attributes of ssh home directory (~/.ssh) </summary> @@ -94528,7 +94964,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_create_home_dirs" lineno="760"> +<interface name="ssh_create_home_dirs" lineno="762"> <summary> Create ssh home directory (~/.ssh) </summary> 
@@ -94538,7 +94974,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_read_user_home_files" lineno="779"> +<interface name="ssh_read_user_home_files" lineno="781"> <summary> Read ssh home directory content </summary> @@ -94548,7 +94984,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_domtrans_keygen" lineno="800"> +<interface name="ssh_domtrans_keygen" lineno="802"> <summary> Execute the ssh key generator in the ssh keygen domain. </summary> @@ -94558,7 +94994,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_read_server_keys" lineno="818"> +<interface name="ssh_read_server_keys" lineno="820"> <summary> Read ssh server keys </summary> @@ -94568,7 +95004,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_read_server_keys" lineno="836"> +<interface name="ssh_dontaudit_read_server_keys" lineno="838"> <summary> Do not audit denials on reading ssh server keys </summary> @@ -94578,7 +95014,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="ssh_manage_home_files" lineno="854"> +<interface name="ssh_manage_home_files" lineno="856"> <summary> Manage ssh home directory content </summary> @@ -94588,7 +95024,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_delete_tmp" lineno="873"> +<interface name="ssh_delete_tmp" lineno="875"> <summary> Delete from the ssh temp files. </summary> @@ -94598,7 +95034,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_agent_tmp" lineno="892"> +<interface name="ssh_dontaudit_agent_tmp" lineno="894"> <summary> dontaudit access to ssh agent tmp dirs </summary> 
@@ -94858,6 +95294,13 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="switcheroo" filename="policy/modules/services/switcheroo.if"> +<summary>switcheroo daemon</summary> + +<desc> +Daemon to control which apps use a integrated GPU and which use discrete +</desc> +</module> <module name="sympa" filename="policy/modules/services/sympa.if"> <summary>Sympa mailing list manager</summary> <desc> @@ -95321,6 +95764,13 @@ Role allowed access. <rolecap/> </interface> </module> +<module name="thunderbolt" filename="policy/modules/services/thunderbolt.if"> +<summary>thunderbolt daemon</summary> + +<desc> +Daemon to control authentication for Thunderbolt. +</desc> +</module> <module name="timidity" filename="policy/modules/services/timidity.if"> <summary>MIDI to WAV converter and player configured as a service.</summary> </module> @@ -97084,7 +97534,7 @@ Role allowed access </summary> </param> </template> -<template name="xserver_role" lineno="168"> +<template name="xserver_role" lineno="171"> <summary> Rules required for using the X Windows server and environment. @@ -97111,7 +97561,7 @@ Role allowed access </summary> </param> </template> -<interface name="xserver_ro_session" lineno="241"> +<interface name="xserver_ro_session" lineno="252"> <summary> Create sessions on the X server, with read-only access to the X server shared @@ -97128,11 +97578,11 @@ The type of the domain SYSV tmpfs files. </summary> </param> </interface> -<interface name="xserver_rw_session" lineno="283"> +<interface name="xserver_rw_session" lineno="294"> <summary> Create sessions on the X server, with read and write -access to the X server shared -memory segments. +access to the X server shared memory segments, but +do not bypass existing tunable policy logic. </summary> <param name="domain"> <summary> 
@@ -97145,7 +97595,7 @@ The type of the domain SYSV tmpfs files. </summary> </param> </interface> -<interface name="xserver_non_drawing_client" lineno="303"> +<interface name="xserver_non_drawing_client" lineno="320"> <summary> Create non-drawing client sessions on an X server. </summary> @@ -97155,7 +97605,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="xserver_common_x_domain_template" lineno="342"> +<template name="xserver_common_x_domain_template" lineno="359"> <summary> Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic @@ -97173,7 +97623,7 @@ Client domain allowed access. </summary> </param> </template> -<template name="xserver_object_types_template" lineno="401"> +<template name="xserver_object_types_template" lineno="418"> <summary> Template for creating the set of types used in an X windows domain. @@ -97185,7 +97635,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="xserver_user_x_domain_template" lineno="443"> +<template name="xserver_user_x_domain_template" lineno="460"> <summary> Interface to provide X object permissions on a given X server to an X client domain. Provides the minimal set required by a basic @@ -97208,7 +97658,7 @@ The type of the domain SYSV tmpfs files. </summary> </param> </template> -<interface name="xserver_use_user_fonts" lineno="510"> +<interface name="xserver_use_user_fonts" lineno="530"> <summary> Read user fonts, user font configuration, and manage the user font cache. @@ -97229,7 +97679,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_domtrans_xauth" lineno="542"> +<interface name="xserver_domtrans_xauth" lineno="562"> <summary> Transition to the Xauthority domain. </summary> 
@@ -97239,7 +97689,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="565"> +<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="585"> <summary> Create a Xauthority file in the user home directory. </summary> @@ -97254,7 +97704,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="xserver_user_home_dir_filetrans_user_iceauth" lineno="589"> +<interface name="xserver_user_home_dir_filetrans_user_iceauth" lineno="609"> <summary> Create a ICEauthority file in the user home directory. @@ -97270,7 +97720,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="xserver_user_home_dir_filetrans_user_xsession_log" lineno="608"> +<interface name="xserver_user_home_dir_filetrans_user_xsession_log" lineno="628"> <summary> Create a .xsession-errors log file in the user home directory. @@ -97281,7 +97731,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_user_xauth" lineno="626"> +<interface name="xserver_read_user_xauth" lineno="646"> <summary> Read all users .Xauthority. </summary> @@ -97291,7 +97741,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_user_dmrc" lineno="645"> +<interface name="xserver_read_user_dmrc" lineno="665"> <summary> Read all users .dmrc. </summary> @@ -97301,7 +97751,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_user_iceauth" lineno="664"> +<interface name="xserver_read_user_iceauth" lineno="684"> <summary> Read all users .ICEauthority. </summary> @@ -97311,7 +97761,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_setattr_console_pipes" lineno="683"> +<interface name="xserver_setattr_console_pipes" lineno="703"> <summary> Set the attributes of the X windows console named pipes. </summary> 
@@ -97321,7 +97771,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_console" lineno="701"> +<interface name="xserver_rw_console" lineno="721"> <summary> Read and write the X windows console named pipe. </summary> @@ -97331,7 +97781,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_create_console_pipes" lineno="719"> +<interface name="xserver_create_console_pipes" lineno="739"> <summary> Create the X windows console named pipes. </summary> @@ -97341,7 +97791,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_relabel_console_pipes" lineno="737"> +<interface name="xserver_relabel_console_pipes" lineno="757"> <summary> relabel the X windows console named pipes. </summary> @@ -97351,7 +97801,32 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_use_xdm_fds" lineno="755"> +<interface name="xserver_xdm_auth_filetrans" lineno="790"> +<summary> +Create xdm authorization files +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<param name="file_type"> +<summary> +The type of the object to be created +</summary> +</param> +<param name="object_class"> +<summary> +The object class. +</summary> +</param> +<param name="name" optional="true"> +<summary> +The name of the object being created. +</summary> +</param> +</interface> +<interface name="xserver_use_xdm_fds" lineno="808"> <summary> Use file descriptors for xdm. </summary> @@ -97361,7 +97836,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_use_xdm_fds" lineno="774"> +<interface name="xserver_dontaudit_use_xdm_fds" lineno="827"> <summary> Do not audit attempts to inherit XDM file descriptors. 
@@ -97372,7 +97847,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_sigchld_xdm" lineno="792"> +<interface name="xserver_sigchld_xdm" lineno="845"> <summary> Allow domain to send sigchld to xdm_t </summary> @@ -97382,7 +97857,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_xdm_pipes" lineno="810"> +<interface name="xserver_rw_xdm_pipes" lineno="863"> <summary> Read and write XDM unnamed pipes. </summary> @@ -97392,7 +97867,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="829"> +<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="882"> <summary> Do not audit attempts to read and write XDM unnamed pipes. @@ -97403,7 +97878,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_dbus_chat_xdm" lineno="849"> +<interface name="xserver_dbus_chat_xdm" lineno="902"> <summary> Send and receive messages from xdm over dbus. @@ -97414,7 +97889,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_xdm_state" lineno="869"> +<interface name="xserver_read_xdm_state" lineno="922"> <summary> Read xdm process state files. </summary> @@ -97424,7 +97899,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_setsched_xdm" lineno="891"> +<interface name="xserver_setsched_xdm" lineno="944"> <summary> Set the priority of the X Display Manager (XDM). @@ -97435,7 +97910,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_stream_connect_xdm" lineno="910"> +<interface name="xserver_stream_connect_xdm" lineno="963"> <summary> Connect to XDM over a unix domain stream socket. 
@@ -97446,7 +97921,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_xdm_rw_config" lineno="929"> +<interface name="xserver_read_xdm_rw_config" lineno="982"> <summary> Read xdm-writable configuration files. </summary> @@ -97456,7 +97931,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_setattr_xdm_tmp_dirs" lineno="948"> +<interface name="xserver_setattr_xdm_tmp_dirs" lineno="1001"> <summary> Set the attributes of XDM temporary directories. </summary> @@ -97466,7 +97941,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_create_xdm_tmp_sockets" lineno="967"> +<interface name="xserver_create_xdm_tmp_sockets" lineno="1020"> <summary> Create a named socket in a XDM temporary directory. @@ -97477,7 +97952,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_delete_xdm_tmp_sockets" lineno="988"> +<interface name="xserver_delete_xdm_tmp_sockets" lineno="1041"> <summary> Delete a named socket in a XDM temporary directory. @@ -97488,7 +97963,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_xdm_runtime_files" lineno="1007"> +<interface name="xserver_read_xdm_runtime_files" lineno="1060"> <summary> Read XDM runtime files. </summary> @@ -97498,7 +97973,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_xdm_lib_files" lineno="1026"> +<interface name="xserver_read_xdm_lib_files" lineno="1079"> <summary> Read XDM var lib files. </summary> @@ -97508,7 +97983,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_xsession_entry_type" lineno="1044"> +<interface name="xserver_xsession_entry_type" lineno="1097"> <summary> Make an X session script an entrypoint for the specified domain. </summary> 
@@ -97518,7 +97993,7 @@ The domain for which the shell is an entrypoint. </summary> </param> </interface> -<interface name="xserver_xsession_spec_domtrans" lineno="1081"> +<interface name="xserver_xsession_spec_domtrans" lineno="1134"> <summary> Execute an X session in the target domain. This is an explicit transition, requiring the @@ -97547,7 +98022,7 @@ The type of the shell process. </summary> </param> </interface> -<interface name="xserver_write_inherited_xsession_log" lineno="1100"> +<interface name="xserver_write_inherited_xsession_log" lineno="1153"> <summary> Write to inherited xsession log files such as .xsession-errors. @@ -97558,7 +98033,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_xsession_log" lineno="1120"> +<interface name="xserver_rw_xsession_log" lineno="1173"> <summary> Read and write xsession log files such as .xsession-errors. @@ -97569,7 +98044,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_manage_xsession_log" lineno="1139"> +<interface name="xserver_manage_xsession_log" lineno="1192"> <summary> Manage xsession log files such as .xsession-errors. @@ -97580,7 +98055,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_write_inherited_log" lineno="1158"> +<interface name="xserver_write_inherited_log" lineno="1211"> <summary> Write to inherited X server log files like /var/log/lightdm/lightdm.log @@ -97591,7 +98066,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_getattr_log" lineno="1176"> +<interface name="xserver_getattr_log" lineno="1229"> <summary> Get the attributes of X server logs. </summary> @@ -97601,7 +98076,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_write_log" lineno="1196"> +<interface name="xserver_dontaudit_write_log" lineno="1249"> <summary> Do not audit attempts to write the X server log files. 
@@ -97612,7 +98087,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_delete_log" lineno="1214"> +<interface name="xserver_delete_log" lineno="1267"> <summary> Delete X server log files. </summary> @@ -97622,7 +98097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_xkb_libs" lineno="1235"> +<interface name="xserver_read_xkb_libs" lineno="1288"> <summary> Read X keyboard extension libraries. </summary> @@ -97632,7 +98107,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_create_xdm_tmp_dirs" lineno="1256"> +<interface name="xserver_create_xdm_tmp_dirs" lineno="1310"> <summary> Create xdm temporary directories. </summary> @@ -97642,7 +98117,7 @@ Domain to allow access. </summary> </param> </interface> -<interface name="xserver_read_xdm_tmp_files" lineno="1274"> +<interface name="xserver_read_xdm_tmp_files" lineno="1328"> <summary> Read xdm temporary files. </summary> @@ -97652,7 +98127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1293"> +<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1347"> <summary> Do not audit attempts to read xdm temporary files. </summary> @@ -97662,7 +98137,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_rw_xdm_tmp_files" lineno="1312"> +<interface name="xserver_rw_xdm_tmp_files" lineno="1366"> <summary> Read write xdm temporary files. </summary> @@ -97672,7 +98147,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_manage_xdm_tmp_files" lineno="1331"> +<interface name="xserver_manage_xdm_tmp_files" lineno="1385"> <summary> Create, read, write, and delete xdm temporary files. </summary> 
@@ -97682,7 +98157,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1350"> +<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1404"> <summary> Do not audit attempts to get the attributes of xdm temporary named sockets. @@ -97693,7 +98168,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_list_xdm_tmp" lineno="1368"> +<interface name="xserver_list_xdm_tmp" lineno="1422"> <summary> list xdm_tmp_t directories </summary> @@ -97703,7 +98178,7 @@ Domain to allow </summary> </param> </interface> -<interface name="xserver_domtrans" lineno="1386"> +<interface name="xserver_domtrans" lineno="1440"> <summary> Execute the X server in the X server domain. </summary> @@ -97713,7 +98188,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="xserver_signal" lineno="1405"> +<interface name="xserver_signal" lineno="1459"> <summary> Signal X servers </summary> @@ -97723,7 +98198,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_kill" lineno="1423"> +<interface name="xserver_kill" lineno="1477"> <summary> Kill X servers </summary> @@ -97733,7 +98208,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_state" lineno="1441"> +<interface name="xserver_read_state" lineno="1495"> <summary> Allow reading xserver_t files to get cgroup and sessionid </summary> @@ -97743,7 +98218,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_shm" lineno="1461"> +<interface name="xserver_rw_shm" lineno="1515"> <summary> Read and write X server Sys V Shared memory segments. 
@@ -97754,7 +98229,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1480"> +<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1536"> <summary> Do not audit attempts to read and write to X server sockets. @@ -97765,7 +98240,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1499"> +<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1555"> <summary> Do not audit attempts to read and write X server unix domain stream sockets. @@ -97776,7 +98251,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="xserver_stream_connect" lineno="1518"> +<interface name="xserver_stream_connect" lineno="1574"> <summary> Connect to the X server over a unix domain stream socket. @@ -97787,7 +98262,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_read_tmp_files" lineno="1537"> +<interface name="xserver_read_tmp_files" lineno="1593"> <summary> Read X server temporary files. </summary> @@ -97797,7 +98272,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_dbus_chat" lineno="1556"> +<interface name="xserver_dbus_chat" lineno="1612"> <summary> talk to xserver_t by dbus </summary> @@ -97807,7 +98282,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_manage_core_devices" lineno="1578"> +<interface name="xserver_manage_core_devices" lineno="1634"> <summary> Interface to provide X object permissions on a given X server to an X client domain. Gives the domain permission to read the @@ -97819,7 +98294,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_unconfined" lineno="1601"> +<interface name="xserver_unconfined" lineno="1657"> <summary> Interface to provide X object permissions on a given X server to an X client domain. Gives the domain complete control over the 
@@ -97831,7 +98306,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_xdm_keys" lineno="1621"> +<interface name="xserver_rw_xdm_keys" lineno="1677"> <summary> Manage keys for xdm. </summary> @@ -97841,7 +98316,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_link_xdm_keys" lineno="1639"> +<interface name="xserver_link_xdm_keys" lineno="1695"> <summary> Manage keys for xdm. </summary> @@ -97851,7 +98326,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_rw_mesa_shader_cache" lineno="1657"> +<interface name="xserver_rw_mesa_shader_cache" lineno="1713"> <summary> Read and write the mesa shader cache. </summary> @@ -97861,7 +98336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="xserver_manage_mesa_shader_cache" lineno="1678"> +<interface name="xserver_manage_mesa_shader_cache" lineno="1734"> <summary> Manage the mesa shader cache. </summary> @@ -97871,6 +98346,29 @@ Domain allowed access. </summary> </param> </interface> +<tunable name="xserver_can_network" dftval="false"> +<desc> +<p> +Allows the X server to use TCP/IP +networking functionality (insecure). +</p> +</desc> +</tunable> +<tunable name="xserver_xdm_can_network" dftval="false"> +<desc> +<p> +Allows the X display manager to use +TCP/IP networking functionality (insecure). +</p> +</desc> +</tunable> +<tunable name="xdm_sysadm_login" dftval="false"> +<desc> +<p> +Allow xdm logins as sysadm +</p> +</desc> +</tunable> <tunable name="allow_write_xshm" dftval="false"> <desc> <p> @@ -97879,10 +98377,11 @@ memory segments. </p> </desc> </tunable> -<tunable name="xdm_sysadm_login" dftval="false"> +<tunable name="xserver_client_writes_xserver_tmpfs" dftval="false"> <desc> <p> -Allow xdm logins as sysadm +Allows clients to write to the X server tmpfs +files. </p> </desc> </tunable> 
@@ -98429,7 +98928,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_login_pgm_domain" lineno="145"> +<interface name="auth_read_pam_motd_dynamic" lineno="146"> +<summary> +Read the pam module motd with dynamic support during authentication. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="auth_login_pgm_domain" lineno="165"> <summary> Make the specified domain used for a login program. </summary> @@ -98439,7 +98948,7 @@ Domain type used for a login program domain. </summary> </param> </interface> -<interface name="auth_login_entry_type" lineno="232"> +<interface name="auth_login_entry_type" lineno="252"> <summary> Use the login program as an entry point program. </summary> @@ -98449,7 +98958,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_login_program" lineno="255"> +<interface name="auth_domtrans_login_program" lineno="275"> <summary> Execute a login_program in the target domain. </summary> @@ -98464,7 +98973,7 @@ The type of the login_program process. </summary> </param> </interface> -<interface name="auth_ranged_domtrans_login_program" lineno="285"> +<interface name="auth_ranged_domtrans_login_program" lineno="305"> <summary> Execute a login_program in the target domain, with a range transition. @@ -98485,7 +98994,7 @@ Range of the login program. </summary> </param> </interface> -<interface name="auth_search_cache" lineno="311"> +<interface name="auth_search_cache" lineno="331"> <summary> Search authentication cache </summary> @@ -98495,7 +99004,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_cache" lineno="329"> +<interface name="auth_read_cache" lineno="349"> <summary> Read authentication cache </summary> 
@@ -98505,7 +99014,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_cache" lineno="347"> +<interface name="auth_rw_cache" lineno="367"> <summary> Read/Write authentication cache </summary> @@ -98515,7 +99024,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_cache" lineno="365"> +<interface name="auth_manage_cache" lineno="385"> <summary> Manage authentication cache </summary> @@ -98525,7 +99034,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_var_filetrans_cache" lineno="384"> +<interface name="auth_var_filetrans_cache" lineno="404"> <summary> Automatic transition from cache_t to cache. </summary> @@ -98535,7 +99044,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_chk_passwd" lineno="402"> +<interface name="auth_domtrans_chk_passwd" lineno="422"> <summary> Run unix_chkpwd to check a password. </summary> @@ -98545,7 +99054,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_domtrans_chkpwd" lineno="446"> +<interface name="auth_domtrans_chkpwd" lineno="466"> <summary> Run unix_chkpwd to check a password. Stripped down version to be called within boolean @@ -98556,7 +99065,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_chk_passwd" lineno="468"> +<interface name="auth_run_chk_passwd" lineno="488"> <summary> Execute chkpwd programs in the chkpwd domain. </summary> @@ -98571,7 +99080,7 @@ The role to allow the chkpwd domain. </summary> </param> </interface> -<interface name="auth_domtrans_upd_passwd" lineno="487"> +<interface name="auth_domtrans_upd_passwd" lineno="507"> <summary> Execute a domain transition to run unix_update. </summary> 
@@ -98581,7 +99090,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_upd_passwd" lineno="512"> +<interface name="auth_run_upd_passwd" lineno="532"> <summary> Execute updpwd programs in the updpwd domain. </summary> @@ -98596,7 +99105,7 @@ The role to allow the updpwd domain. </summary> </param> </interface> -<interface name="auth_getattr_shadow" lineno="531"> +<interface name="auth_getattr_shadow" lineno="551"> <summary> Get the attributes of the shadow passwords file. </summary> @@ -98606,7 +99115,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_getattr_shadow" lineno="551"> +<interface name="auth_dontaudit_getattr_shadow" lineno="571"> <summary> Do not audit attempts to get the attributes of the shadow passwords file. @@ -98617,7 +99126,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_read_shadow" lineno="573"> +<interface name="auth_read_shadow" lineno="593"> <summary> Read the shadow passwords file (/etc/shadow) </summary> @@ -98627,7 +99136,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_map_shadow" lineno="588"> +<interface name="auth_map_shadow" lineno="609"> <summary> Map the shadow passwords file (/etc/shadow) </summary> @@ -98637,7 +99146,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_can_read_shadow_passwords" lineno="614"> +<interface name="auth_can_read_shadow_passwords" lineno="635"> <summary> Pass shadow assertion for reading. </summary> @@ -98656,7 +99165,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_tunable_read_shadow" lineno="640"> +<interface name="auth_tunable_read_shadow" lineno="661"> <summary> Read the shadow password file. </summary> 
@@ -98674,7 +99183,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_read_shadow" lineno="660"> +<interface name="auth_dontaudit_read_shadow" lineno="681"> <summary> Do not audit attempts to read the shadow password file (/etc/shadow). @@ -98685,7 +99194,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_rw_shadow" lineno="678"> +<interface name="auth_rw_shadow" lineno="699"> <summary> Read and write the shadow password file (/etc/shadow). </summary> @@ -98695,7 +99204,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_shadow" lineno="701"> +<interface name="auth_manage_shadow" lineno="722"> <summary> Create, read, write, and delete the shadow password file. @@ -98706,7 +99215,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_etc_filetrans_shadow" lineno="727"> +<interface name="auth_etc_filetrans_shadow" lineno="749"> <summary> Automatic transition from etc to shadow. </summary> @@ -98721,7 +99230,27 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_relabelto_shadow" lineno="746"> +<interface name="auth_read_shadow_history" lineno="767"> +<summary> +Read the shadow history file. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="auth_manage_shadow_history" lineno="786"> +<summary> +Manage the shadow history file. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="auth_relabelto_shadow" lineno="806"> <summary> Relabel to the shadow password file type. @@ -98732,7 +99261,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_shadow" lineno="768"> +<interface name="auth_relabel_shadow" lineno="828"> <summary> Relabel from and to the shadow password file type. 
@@ -98743,7 +99272,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_shadow_lock" lineno="789"> +<interface name="auth_rw_shadow_lock" lineno="849"> <summary> Read/Write shadow lock files. </summary> @@ -98753,7 +99282,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_append_faillog" lineno="807"> +<interface name="auth_append_faillog" lineno="867"> <summary> Append to the login failure log. </summary> @@ -98763,7 +99292,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_create_faillog_files" lineno="826"> +<interface name="auth_create_faillog_files" lineno="886"> <summary> Create fail log lock (in /run/faillock). </summary> @@ -98773,7 +99302,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_faillog" lineno="844"> +<interface name="auth_rw_faillog" lineno="904"> <summary> Read and write the login failure log. </summary> @@ -98783,7 +99312,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_faillog" lineno="863"> +<interface name="auth_manage_faillog" lineno="923"> <summary> Manage the login failure logs. </summary> @@ -98793,7 +99322,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_setattr_faillog_files" lineno="882"> +<interface name="auth_setattr_faillog_files" lineno="942"> <summary> Setattr the login failure logs. </summary> @@ -98803,7 +99332,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_lastlog" lineno="901"> +<interface name="auth_read_lastlog" lineno="961"> <summary> Read the last logins log. </summary> @@ -98814,7 +99343,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="auth_append_lastlog" lineno="920"> +<interface name="auth_append_lastlog" lineno="980"> <summary> Append only to the last logins log. </summary> 
@@ -98824,7 +99353,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_lastlog" lineno="939"> +<interface name="auth_relabel_lastlog" lineno="999"> <summary> relabel the last logins log. </summary> @@ -98834,7 +99363,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_lastlog" lineno="958"> +<interface name="auth_rw_lastlog" lineno="1018"> <summary> Read and write to the last logins log. </summary> @@ -98844,7 +99373,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_lastlog" lineno="977"> +<interface name="auth_manage_lastlog" lineno="1037"> <summary> Manage the last logins log. </summary> @@ -98854,7 +99383,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_pam" lineno="996"> +<interface name="auth_domtrans_pam" lineno="1056"> <summary> Execute pam programs in the pam domain. </summary> @@ -98864,7 +99393,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_signal_pam" lineno="1014"> +<interface name="auth_signal_pam" lineno="1074"> <summary> Send generic signals to pam processes. </summary> @@ -98874,7 +99403,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_run_pam" lineno="1037"> +<interface name="auth_run_pam" lineno="1097"> <summary> Execute pam programs in the PAM domain. </summary> @@ -98889,7 +99418,7 @@ The role to allow the PAM domain. </summary> </param> </interface> -<interface name="auth_exec_pam" lineno="1056"> +<interface name="auth_exec_pam" lineno="1116"> <summary> Execute the pam program. </summary> @@ -98899,7 +99428,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_var_auth" lineno="1075"> +<interface name="auth_read_var_auth" lineno="1135"> <summary> Read var auth files. Used by various other applications and pam applets etc. 
@@ -98910,7 +99439,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_var_auth" lineno="1095"> +<interface name="auth_rw_var_auth" lineno="1155"> <summary> Read and write var auth files. Used by various other applications and pam applets etc. @@ -98921,7 +99450,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_var_auth" lineno="1115"> +<interface name="auth_manage_var_auth" lineno="1175"> <summary> Manage var auth files. Used by various other applications and pam applets etc. @@ -98932,7 +99461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_runtime_dirs" lineno="1136"> +<interface name="auth_manage_pam_runtime_dirs" lineno="1196"> <summary> Manage pam runtime dirs. </summary> @@ -98942,7 +99471,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_runtime_filetrans_pam_runtime" lineno="1167"> +<interface name="auth_runtime_filetrans_pam_runtime" lineno="1227"> <summary> Create specified objects in pid directories with the pam runtime @@ -98964,7 +99493,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_read_pam_runtime_files" lineno="1185"> +<interface name="auth_read_pam_runtime_files" lineno="1245"> <summary> Read PAM runtime files. </summary> @@ -98974,7 +99503,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1205"> +<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1265"> <summary> Do not audit attempts to read PAM runtime files. </summary> @@ -98984,7 +99513,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_delete_pam_runtime_files" lineno="1223"> +<interface name="auth_delete_pam_runtime_files" lineno="1283"> <summary> Delete pam runtime files. </summary> 
@@ -98994,7 +99523,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_runtime_files" lineno="1242"> +<interface name="auth_manage_pam_runtime_files" lineno="1302"> <summary> Create, read, write, and delete pam runtime files. </summary> @@ -99004,7 +99533,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_pam_console" lineno="1261"> +<interface name="auth_domtrans_pam_console" lineno="1321"> <summary> Execute pam_console with a domain transition. </summary> @@ -99014,7 +99543,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_search_pam_console_data" lineno="1280"> +<interface name="auth_search_pam_console_data" lineno="1340"> <summary> Search the contents of the pam_console data directory. @@ -99025,7 +99554,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_list_pam_console_data" lineno="1300"> +<interface name="auth_list_pam_console_data" lineno="1360"> <summary> List the contents of the pam_console data directory. @@ -99036,7 +99565,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_create_pam_console_data_dirs" lineno="1319"> +<interface name="auth_create_pam_console_data_dirs" lineno="1379"> <summary> Create pam var console pid directories. </summary> @@ -99046,7 +99575,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_pam_console_data_dirs" lineno="1338"> +<interface name="auth_relabel_pam_console_data_dirs" lineno="1398"> <summary> Relabel pam_console data directories. </summary> @@ -99056,7 +99585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_pam_console_data" lineno="1356"> +<interface name="auth_read_pam_console_data" lineno="1416"> <summary> Read pam_console data files. </summary> 
@@ -99066,7 +99595,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_console_data" lineno="1377"> +<interface name="auth_manage_pam_console_data" lineno="1437"> <summary> Create, read, write, and delete pam_console data files. @@ -99077,7 +99606,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_delete_pam_console_data" lineno="1397"> +<interface name="auth_delete_pam_console_data" lineno="1457"> <summary> Delete pam_console data. </summary> @@ -99087,7 +99616,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_runtime_filetrans_pam_var_console" lineno="1430"> +<interface name="auth_runtime_filetrans_pam_var_console" lineno="1490"> <summary> Create specified objects in generic runtime directories with the pam var @@ -99110,7 +99639,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_domtrans_utempter" lineno="1448"> +<interface name="auth_domtrans_utempter" lineno="1508"> <summary> Execute utempter programs in the utempter domain. </summary> @@ -99120,7 +99649,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_utempter" lineno="1471"> +<interface name="auth_run_utempter" lineno="1531"> <summary> Execute utempter programs in the utempter domain. </summary> @@ -99135,7 +99664,7 @@ The role to allow the utempter domain. </summary> </param> </interface> -<interface name="auth_dontaudit_exec_utempter" lineno="1490"> +<interface name="auth_dontaudit_exec_utempter" lineno="1550"> <summary> Do not audit attempts to execute utempter executable. </summary> @@ -99145,7 +99674,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_setattr_login_records" lineno="1508"> +<interface name="auth_setattr_login_records" lineno="1568"> <summary> Set the attributes of login record files. </summary> 
@@ -99155,7 +99684,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_login_records" lineno="1528"> +<interface name="auth_read_login_records" lineno="1588"> <summary> Read login records files (/var/log/wtmp). </summary> @@ -99166,7 +99695,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="auth_dontaudit_read_login_records" lineno="1549"> +<interface name="auth_dontaudit_read_login_records" lineno="1609"> <summary> Do not audit attempts to read login records files (/var/log/wtmp). @@ -99178,7 +99707,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="auth_dontaudit_write_login_records" lineno="1568"> +<interface name="auth_dontaudit_write_login_records" lineno="1628"> <summary> Do not audit attempts to write to login records files. @@ -99189,7 +99718,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_append_login_records" lineno="1586"> +<interface name="auth_append_login_records" lineno="1646"> <summary> Append to login records (wtmp). </summary> @@ -99199,7 +99728,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_write_login_records" lineno="1605"> +<interface name="auth_write_login_records" lineno="1665"> <summary> Write to login records (wtmp). </summary> @@ -99209,7 +99738,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_login_records" lineno="1623"> +<interface name="auth_rw_login_records" lineno="1683"> <summary> Read and write login records. </summary> @@ -99219,7 +99748,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_log_filetrans_login_records" lineno="1643"> +<interface name="auth_log_filetrans_login_records" lineno="1703"> <summary> Create a login records in the log directory using a type transition. 
@@ -99230,7 +99759,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_login_records" lineno="1662"> +<interface name="auth_manage_login_records" lineno="1722"> <summary> Create, read, write, and delete login records files. @@ -99241,7 +99770,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_login_records" lineno="1681"> +<interface name="auth_relabel_login_records" lineno="1741"> <summary> Relabel login record files. </summary> @@ -99251,7 +99780,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_use_nsswitch" lineno="1709"> +<interface name="auth_use_nsswitch" lineno="1769"> <summary> Use nsswitch to look up user, password, group, or host information. @@ -99271,7 +99800,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="auth_unconfined" lineno="1737"> +<interface name="auth_unconfined" lineno="1797"> <summary> Unconfined access to the authlogin module. </summary> @@ -99569,7 +100098,37 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_relabelto_entry_files" lineno="132"> +<interface name="fstools_read_fsadm_db_files" lineno="131"> +<summary> +Read fsadm_db_t files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fstools_manage_fsadm_db_files" lineno="149"> +<summary> +Manage all fsadm_db_t files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fstools_watch_fsadm_db_dirs" lineno="169"> +<summary> +Watch fsadm_db_t directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fstools_relabelto_entry_files" lineno="188"> <summary> Relabel a file to the type used by the filesystem tools programs. 
@@ -99580,7 +100139,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_manage_entry_files" lineno="151"> +<interface name="fstools_manage_entry_files" lineno="207"> <summary> Create, read, write, and delete a file used by the filesystem tools programs. @@ -99591,7 +100150,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_write_log" lineno="169"> +<interface name="fstools_write_log" lineno="225"> <summary> Write to fsadm_log_t </summary> @@ -99601,7 +100160,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_manage_runtime_files" lineno="188"> +<interface name="fstools_manage_runtime_files" lineno="244"> <summary> Create, read, write, and delete filesystem tools runtime files. @@ -99612,7 +100171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_getattr_swap_files" lineno="206"> +<interface name="fstools_getattr_swap_files" lineno="262"> <summary> Getattr swapfile </summary> @@ -99622,7 +100181,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_dontaudit_getattr_swap_files" lineno="224"> +<interface name="fstools_dontaudit_getattr_swap_files" lineno="280"> <summary> Ignore access to a swapfile. </summary> @@ -99632,7 +100191,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fstools_relabelto_swap_files" lineno="242"> +<interface name="fstools_relabelto_swap_files" lineno="298"> <summary> Relabel to swapfile. </summary> @@ -99642,7 +100201,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fstools_manage_swap_files" lineno="260"> +<interface name="fstools_manage_swap_files" lineno="316"> <summary> Manage swapfile. </summary> 
@@ -99652,6 +100211,26 @@ Domain allowed access. </summary> </param> </interface> +<interface name="fstools_runtime_filetrans" lineno="344"> +<summary> +Create objects in the runtime directory with an automatic type transition to the fsadm runtime type. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<param name="object"> +<summary> +The object class of the object being created. +</summary> +</param> +<param name="name" optional="true"> +<summary> +The name of the object being created. +</summary> +</param> +</interface> </module> <module name="getty" filename="policy/modules/system/getty.if"> <summary>Manages physical or virtual terminals.</summary> @@ -100314,7 +100893,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_fds" lineno="1055"> +<interface name="init_unix_stream_socket_sendto" lineno="1016"> +<summary> +Send to init with a unix socket. +Without any additional permissions. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_use_fds" lineno="1074"> <summary> Inherit and use file descriptors from init. </summary> @@ -100364,7 +100954,7 @@ Domain allowed access. </param> <infoflow type="read" weight="1"/> </interface> -<interface name="init_dontaudit_use_fds" lineno="1074"> +<interface name="init_dontaudit_use_fds" lineno="1093"> <summary> Do not audit attempts to inherit file descriptors from init. @@ -100375,7 +100965,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_dgram_send" lineno="1093"> +<interface name="init_dgram_send" lineno="1112"> <summary> Send messages to init unix datagram sockets. </summary> 
@@ -100386,7 +100976,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_rw_inherited_stream_socket" lineno="1113"> +<interface name="init_rw_inherited_stream_socket" lineno="1132"> <summary> Read and write to inherited init unix streams. </summary> @@ -100396,7 +100986,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_stream_sockets" lineno="1132"> +<interface name="init_rw_stream_sockets" lineno="1151"> <summary> Allow the specified domain to read/write to init with unix domain stream sockets. @@ -100407,7 +100997,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_search_keys" lineno="1150"> +<interface name="init_dontaudit_search_keys" lineno="1169"> <summary> Do not audit attempts to search init keys. </summary> @@ -100417,7 +101007,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_system" lineno="1168"> +<interface name="init_start_system" lineno="1187"> <summary> start service (systemd). </summary> @@ -100427,7 +101017,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_system" lineno="1186"> +<interface name="init_stop_system" lineno="1205"> <summary> stop service (systemd). </summary> @@ -100437,7 +101027,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_system_status" lineno="1204"> +<interface name="init_get_system_status" lineno="1223"> <summary> Get all service status (systemd). </summary> @@ -100447,7 +101037,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_enable" lineno="1222"> +<interface name="init_enable" lineno="1241"> <summary> Enable all systemd services (systemd). </summary> 
@@ -100457,7 +101047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_disable" lineno="1240"> +<interface name="init_disable" lineno="1259"> <summary> Disable all services (systemd). </summary> @@ -100467,7 +101057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_reload" lineno="1258"> +<interface name="init_reload" lineno="1277"> <summary> Reload all services (systemd). </summary> @@ -100477,7 +101067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_reboot_system" lineno="1276"> +<interface name="init_reboot_system" lineno="1295"> <summary> Reboot the system (systemd). </summary> @@ -100487,7 +101077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_shutdown_system" lineno="1294"> +<interface name="init_shutdown_system" lineno="1313"> <summary> Shutdown (halt) the system (systemd). </summary> @@ -100497,7 +101087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_service_status" lineno="1312"> +<interface name="init_service_status" lineno="1331"> <summary> Allow specified domain to get init status </summary> @@ -100507,7 +101097,7 @@ Domain to allow access. </summary> </param> </interface> -<interface name="init_service_start" lineno="1331"> +<interface name="init_service_start" lineno="1350"> <summary> Allow specified domain to get init start </summary> @@ -100517,7 +101107,7 @@ Domain to allow access. </summary> </param> </interface> -<interface name="init_dbus_chat" lineno="1351"> +<interface name="init_dbus_chat" lineno="1370"> <summary> Send and receive messages from systemd over dbus. @@ -100528,7 +101118,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_run_bpf" lineno="1371"> +<interface name="init_run_bpf" lineno="1390"> <summary> Run init BPF programs. </summary> 
@@ -100538,7 +101128,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_var_lib_links" lineno="1390"> +<interface name="init_read_var_lib_links" lineno="1409"> <summary> read/follow symlinks under /var/lib/systemd/ </summary> @@ -100548,7 +101138,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_search_var_lib_dirs" lineno="1409"> +<interface name="init_search_var_lib_dirs" lineno="1428"> <summary> Search /var/lib/systemd/ dirs </summary> @@ -100558,7 +101148,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_var_lib_dirs" lineno="1428"> +<interface name="init_list_var_lib_dirs" lineno="1447"> <summary> List /var/lib/systemd/ dir </summary> @@ -100568,7 +101158,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_relabel_var_lib_dirs" lineno="1446"> +<interface name="init_relabel_var_lib_dirs" lineno="1465"> <summary> Relabel dirs in /var/lib/systemd/. </summary> @@ -100578,7 +101168,20 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_var_lib_files" lineno="1464"> +<interface name="init_manage_random_seed" lineno="1486"> +<summary> +Create, read, write, and delete the +pseudorandom number generator seed +file in /var/lib or /var/run +directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_manage_var_lib_files" lineno="1507"> <summary> Manage files in /var/lib/systemd/. </summary> @@ -100588,7 +101191,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_var_lib_filetrans" lineno="1499"> +<interface name="init_var_lib_filetrans" lineno="1542"> <summary> Create files in /var/lib/systemd with an automatic type transition. 
@@ -100614,7 +101217,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_search_runtime" lineno="1518"> +<interface name="init_search_runtime" lineno="1561"> <summary> Search init runtime directories, e.g. /run/systemd. </summary> @@ -100624,7 +101227,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_runtime" lineno="1536"> +<interface name="init_list_runtime" lineno="1579"> <summary> List init runtime directories, e.g. /run/systemd. </summary> @@ -100634,7 +101237,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_runtime_dirs" lineno="1556"> +<interface name="init_manage_runtime_dirs" lineno="1599"> <summary> Create, read, write, and delete directories in the /run/systemd directory. @@ -100645,7 +101248,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_runtime_filetrans" lineno="1589"> +<interface name="init_runtime_filetrans" lineno="1632"> <summary> Create files in an init runtime directory with a private type. </summary> @@ -100670,7 +101273,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_write_runtime_files" lineno="1608"> +<interface name="init_write_runtime_files" lineno="1651"> <summary> Write init runtime files, e.g. in /run/systemd. </summary> @@ -100680,7 +101283,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_create_runtime_files" lineno="1626"> +<interface name="init_create_runtime_files" lineno="1669"> <summary> Create init runtime files, e.g. in /run/systemd. </summary> @@ -100690,7 +101293,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_runtime_symlinks" lineno="1644"> +<interface name="init_manage_runtime_symlinks" lineno="1687"> <summary> Create init runtime symbolic links, e.g. in /run/systemd. </summary> 
@@ -100700,7 +101303,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_initctl" lineno="1662"> +<interface name="init_getattr_initctl" lineno="1705"> <summary> Get the attributes of initctl. </summary> @@ -100710,7 +101313,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_getattr_initctl" lineno="1683"> +<interface name="init_dontaudit_getattr_initctl" lineno="1726"> <summary> Do not audit attempts to get the attributes of initctl. @@ -100721,7 +101324,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_write_initctl" lineno="1701"> +<interface name="init_write_initctl" lineno="1744"> <summary> Write to initctl. </summary> @@ -100731,7 +101334,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_telinit" lineno="1722"> +<interface name="init_telinit" lineno="1765"> <summary> Use telinit (Read and write initctl). </summary> @@ -100742,7 +101345,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_rw_initctl" lineno="1755"> +<interface name="init_rw_initctl" lineno="1798"> <summary> Read and write initctl. </summary> @@ -100752,7 +101355,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_rw_initctl" lineno="1776"> +<interface name="init_dontaudit_rw_initctl" lineno="1819"> <summary> Do not audit attempts to read and write initctl. @@ -100763,7 +101366,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_script_file_entry_type" lineno="1795"> +<interface name="init_script_file_entry_type" lineno="1838"> <summary> Make init scripts an entry point for the specified domain. 
@@ -100774,7 +101377,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_spec_domtrans_script" lineno="1818"> +<interface name="init_spec_domtrans_script" lineno="1861"> <summary> Execute init scripts with a specified domain transition. </summary> @@ -100784,7 +101387,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_domtrans_script" lineno="1845"> +<interface name="init_domtrans_script" lineno="1888"> <summary> Execute init scripts with an automatic domain transition. </summary> @@ -100794,7 +101397,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_domtrans_labeled_script" lineno="1880"> +<interface name="init_domtrans_labeled_script" lineno="1923"> <summary> Execute labelled init scripts with an automatic domain transition. </summary> @@ -100804,7 +101407,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_script_file_domtrans" lineno="1926"> +<interface name="init_script_file_domtrans" lineno="1969"> <summary> Execute a init script in a specified domain. </summary> @@ -100829,7 +101432,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="init_kill_scripts" lineno="1945"> +<interface name="init_kill_scripts" lineno="1988"> <summary> Send a kill signal to init scripts. </summary> @@ -100839,7 +101442,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_script_service" lineno="1963"> +<interface name="init_manage_script_service" lineno="2006"> <summary> Allow manage service for initrc_exec_t scripts </summary> @@ -100849,7 +101452,7 @@ Target domain </summary> </param> </interface> -<interface name="init_labeled_script_domtrans" lineno="1988"> +<interface name="init_labeled_script_domtrans" lineno="2031"> <summary> Transition to the init script domain on a specified labeled init script. 
@@ -100865,7 +101468,7 @@ Labeled init script file. </summary> </param> </interface> -<interface name="init_all_labeled_script_domtrans" lineno="2010"> +<interface name="init_all_labeled_script_domtrans" lineno="2053"> <summary> Transition to the init script domain for all labeled init script types @@ -100876,7 +101479,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_get_script_status" lineno="2028"> +<interface name="init_get_script_status" lineno="2071"> <summary> Allow getting service status of initrc_exec_t scripts </summary> @@ -100886,7 +101489,7 @@ Target domain </summary> </param> </interface> -<interface name="init_startstop_service" lineno="2068"> +<interface name="init_startstop_service" lineno="2111"> <summary> Allow the role to start and stop labeled services. @@ -100917,7 +101520,7 @@ Systemd unit file type. </summary> </param> </interface> -<interface name="init_run_daemon" lineno="2124"> +<interface name="init_run_daemon" lineno="2167"> <summary> Start and stop daemon programs directly. </summary> @@ -100939,7 +101542,7 @@ The role to be performing this action. </summary> </param> </interface> -<interface name="init_startstop_all_script_services" lineno="2146"> +<interface name="init_startstop_all_script_services" lineno="2189"> <summary> Start and stop init_script_file_type services </summary> @@ -100949,7 +101552,7 @@ domain that can start and stop the services </summary> </param> </interface> -<interface name="init_read_state" lineno="2165"> +<interface name="init_read_state" lineno="2208"> <summary> Read the process state (/proc/pid) of init. </summary> @@ -100959,7 +101562,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_state" lineno="2185"> +<interface name="init_dontaudit_read_state" lineno="2228"> <summary> Dontaudit read the process state (/proc/pid) of init. </summary> 
@@ -100969,7 +101572,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_ptrace" lineno="2206"> +<interface name="init_ptrace" lineno="2249"> <summary> Ptrace init </summary> @@ -100980,7 +101583,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_getattr" lineno="2225"> +<interface name="init_getattr" lineno="2268"> <summary> get init process stats </summary> @@ -100991,7 +101594,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_read_script_pipes" lineno="2243"> +<interface name="init_read_script_pipes" lineno="2286"> <summary> Read an init script unnamed pipe. </summary> @@ -101001,7 +101604,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_write_script_pipes" lineno="2261"> +<interface name="init_write_script_pipes" lineno="2304"> <summary> Write an init script unnamed pipe. </summary> @@ -101011,7 +101614,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_script_files" lineno="2279"> +<interface name="init_getattr_script_files" lineno="2322"> <summary> Get the attribute of init script entrypoint files. </summary> @@ -101021,7 +101624,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_files" lineno="2298"> +<interface name="init_read_script_files" lineno="2341"> <summary> Read init scripts. </summary> @@ -101031,7 +101634,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_exec_script_files" lineno="2317"> +<interface name="init_exec_script_files" lineno="2360"> <summary> Execute init scripts in the caller domain. </summary> @@ -101041,7 +101644,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_all_script_files" lineno="2336"> +<interface name="init_getattr_all_script_files" lineno="2379"> <summary> Get the attribute of all init script entrypoint files. </summary> 
@@ -101051,7 +101654,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_all_script_files" lineno="2355"> +<interface name="init_read_all_script_files" lineno="2398"> <summary> Read all init script files. </summary> @@ -101061,7 +101664,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_all_script_files" lineno="2379"> +<interface name="init_dontaudit_read_all_script_files" lineno="2422"> <summary> Dontaudit read all init script files. </summary> @@ -101071,7 +101674,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_exec_all_script_files" lineno="2397"> +<interface name="init_exec_all_script_files" lineno="2440"> <summary> Execute all init scripts in the caller domain. </summary> @@ -101081,7 +101684,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_state" lineno="2416"> +<interface name="init_read_script_state" lineno="2459"> <summary> Read the process state (/proc/pid) of the init scripts. </summary> @@ -101091,7 +101694,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_script_fds" lineno="2435"> +<interface name="init_use_script_fds" lineno="2478"> <summary> Inherit and use init script file descriptors. </summary> @@ -101101,7 +101704,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_use_script_fds" lineno="2454"> +<interface name="init_dontaudit_use_script_fds" lineno="2497"> <summary> Do not audit attempts to inherit init script file descriptors. @@ -101112,7 +101715,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_search_script_keys" lineno="2472"> +<interface name="init_search_script_keys" lineno="2515"> <summary> Search init script keys. </summary> 
@@ -101122,7 +101725,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getpgid_script" lineno="2490"> +<interface name="init_getpgid_script" lineno="2533"> <summary> Get the process group ID of init scripts. </summary> @@ -101132,7 +101735,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_sigchld_script" lineno="2508"> +<interface name="init_sigchld_script" lineno="2551"> <summary> Send SIGCHLD signals to init scripts. </summary> @@ -101142,7 +101745,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signal_script" lineno="2526"> +<interface name="init_signal_script" lineno="2569"> <summary> Send generic signals to init scripts. </summary> @@ -101152,7 +101755,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signull_script" lineno="2544"> +<interface name="init_signull_script" lineno="2587"> <summary> Send null signals to init scripts. </summary> @@ -101162,7 +101765,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_pipes" lineno="2562"> +<interface name="init_rw_script_pipes" lineno="2605"> <summary> Read and write init script unnamed pipes. </summary> @@ -101172,7 +101775,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stream_connect_script" lineno="2581"> +<interface name="init_stream_connect_script" lineno="2624"> <summary> Allow the specified domain to connect to init scripts with a unix socket. @@ -101183,7 +101786,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_stream_sockets" lineno="2600"> +<interface name="init_rw_script_stream_sockets" lineno="2643"> <summary> Allow the specified domain to read/write to init scripts with a unix domain stream sockets. 
@@ -101194,7 +101797,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_stream_connect_script" lineno="2619"> +<interface name="init_dontaudit_stream_connect_script" lineno="2662"> <summary> Dont audit the specified domain connecting to init scripts with a unix domain stream socket. @@ -101205,7 +101808,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_dbus_send_script" lineno="2636"> +<interface name="init_dbus_send_script" lineno="2679"> <summary> Send messages to init scripts over dbus. </summary> @@ -101215,7 +101818,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dbus_chat_script" lineno="2656"> +<interface name="init_dbus_chat_script" lineno="2699"> <summary> Send and receive messages from init scripts over dbus. @@ -101226,7 +101829,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_script_ptys" lineno="2685"> +<interface name="init_use_script_ptys" lineno="2728"> <summary> Read and write the init script pty. </summary> @@ -101245,7 +101848,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_inherited_script_ptys" lineno="2704"> +<interface name="init_use_inherited_script_ptys" lineno="2747"> <summary> Read and write inherited init script ptys. </summary> @@ -101255,7 +101858,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_use_script_ptys" lineno="2726"> +<interface name="init_dontaudit_use_script_ptys" lineno="2769"> <summary> Do not audit attempts to read and write the init script pty. @@ -101266,7 +101869,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_getattr_script_status_files" lineno="2745"> +<interface name="init_getattr_script_status_files" lineno="2788"> <summary> Get the attributes of init script status files. 
@@ -101277,7 +101880,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_script_status_files" lineno="2764"> +<interface name="init_dontaudit_read_script_status_files" lineno="2807"> <summary> Do not audit attempts to read init script status files. @@ -101288,7 +101891,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_search_run" lineno="2783"> +<interface name="init_search_run" lineno="2826"> <summary> Search the /run/systemd directory. </summary> @@ -101298,7 +101901,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_tmp_files" lineno="2802"> +<interface name="init_read_script_tmp_files" lineno="2845"> <summary> Read init script temporary data. </summary> @@ -101308,7 +101911,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_inherited_script_tmp_files" lineno="2821"> +<interface name="init_rw_inherited_script_tmp_files" lineno="2864"> <summary> Read and write init script inherited temporary data. </summary> @@ -101318,7 +101921,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_tmp_files" lineno="2839"> +<interface name="init_rw_script_tmp_files" lineno="2882"> <summary> Read and write init script temporary data. </summary> @@ -101328,7 +101931,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_script_tmp_filetrans" lineno="2874"> +<interface name="init_script_tmp_filetrans" lineno="2917"> <summary> Create files in a init script temporary data directory. @@ -101354,7 +101957,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_getattr_utmp" lineno="2893"> +<interface name="init_getattr_utmp" lineno="2936"> <summary> Get the attributes of init script process id files. </summary> 
@@ -101364,7 +101967,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_utmp" lineno="2911"> +<interface name="init_read_utmp" lineno="2954"> <summary> Read utmp. </summary> @@ -101374,7 +101977,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_write_utmp" lineno="2930"> +<interface name="init_dontaudit_write_utmp" lineno="2973"> <summary> Do not audit attempts to write utmp. </summary> @@ -101384,7 +101987,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_write_utmp" lineno="2948"> +<interface name="init_write_utmp" lineno="2991"> <summary> Write to utmp. </summary> @@ -101394,7 +101997,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_lock_utmp" lineno="2968"> +<interface name="init_dontaudit_lock_utmp" lineno="3011"> <summary> Do not audit attempts to lock init script pid files. @@ -101405,7 +102008,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_rw_utmp" lineno="2986"> +<interface name="init_rw_utmp" lineno="3029"> <summary> Read and write utmp. </summary> @@ -101415,7 +102018,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_rw_utmp" lineno="3005"> +<interface name="init_dontaudit_rw_utmp" lineno="3048"> <summary> Do not audit attempts to read and write utmp. </summary> @@ -101425,7 +102028,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_manage_utmp" lineno="3023"> +<interface name="init_manage_utmp" lineno="3066"> <summary> Create, read, write, and delete utmp. </summary> @@ -101435,7 +102038,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_watch_utmp" lineno="3042"> +<interface name="init_watch_utmp" lineno="3085"> <summary> Add a watch on utmp. </summary> 
@@ -101445,7 +102048,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_relabel_utmp" lineno="3060"> +<interface name="init_relabel_utmp" lineno="3103"> <summary> Relabel utmp. </summary> @@ -101455,7 +102058,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_runtime_filetrans_utmp" lineno="3079"> +<interface name="init_runtime_filetrans_utmp" lineno="3122"> <summary> Create files in /var/run with the utmp file type. @@ -101466,7 +102069,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_create_runtime_dirs" lineno="3097"> +<interface name="init_create_runtime_dirs" lineno="3140"> <summary> Create a directory in the /run/systemd directory. </summary> @@ -101476,7 +102079,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_runtime_files" lineno="3116"> +<interface name="init_read_runtime_files" lineno="3159"> <summary> Read init_runtime_t files </summary> @@ -101486,7 +102089,7 @@ domain </summary> </param> </interface> -<interface name="init_rename_runtime_files" lineno="3134"> +<interface name="init_rename_runtime_files" lineno="3177"> <summary> Rename init_runtime_t files </summary> @@ -101496,7 +102099,7 @@ domain </summary> </param> </interface> -<interface name="init_setattr_runtime_files" lineno="3152"> +<interface name="init_setattr_runtime_files" lineno="3195"> <summary> Setattr init_runtime_t files </summary> @@ -101506,7 +102109,7 @@ domain </summary> </param> </interface> -<interface name="init_delete_runtime_files" lineno="3170"> +<interface name="init_delete_runtime_files" lineno="3213"> <summary> Delete init_runtime_t files </summary> @@ -101516,7 +102119,7 @@ domain </summary> </param> </interface> -<interface name="init_write_runtime_socket" lineno="3189"> +<interface name="init_write_runtime_socket" lineno="3232"> <summary> Allow the specified domain to write to init sock file. 
@@ -101527,7 +102130,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_write_runtime_socket" lineno="3208"> +<interface name="init_dontaudit_write_runtime_socket" lineno="3251"> <summary> Do not audit attempts to write to init sock files. @@ -101538,7 +102141,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_read_runtime_pipes" lineno="3226"> +<interface name="init_read_runtime_pipes" lineno="3269"> <summary> Read init unnamed pipes. </summary> @@ -101548,7 +102151,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_runtime_symlinks" lineno="3244"> +<interface name="init_read_runtime_symlinks" lineno="3287"> <summary> read systemd unit symlinks (usually under /run/systemd/units/) </summary> @@ -101558,7 +102161,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_tcp_recvfrom_all_daemons" lineno="3262"> +<interface name="init_tcp_recvfrom_all_daemons" lineno="3305"> <summary> Allow the specified domain to connect to daemon with a tcp socket </summary> @@ -101568,7 +102171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_udp_recvfrom_all_daemons" lineno="3280"> +<interface name="init_udp_recvfrom_all_daemons" lineno="3323"> <summary> Allow the specified domain to connect to daemon with a udp socket </summary> @@ -101578,7 +102181,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_status_files" lineno="3299"> +<interface name="init_read_script_status_files" lineno="3342"> <summary> Allow reading the init script state files </summary> @@ -101588,7 +102191,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="init_relabelto_script_state" lineno="3317"> +<interface name="init_relabelto_script_state" lineno="3360"> <summary> Label to init script status files </summary> 
@@ -101598,7 +102201,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="init_script_readable_type" lineno="3336"> +<interface name="init_script_readable_type" lineno="3379"> <summary> Mark as a readable type for the initrc_t domain </summary> @@ -101608,7 +102211,7 @@ Type that initrc_t needs read access to </summary> </param> </interface> -<interface name="init_search_units" lineno="3354"> +<interface name="init_search_units" lineno="3397"> <summary> Search systemd unit dirs. </summary> @@ -101618,7 +102221,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_unit_dirs" lineno="3379"> +<interface name="init_list_unit_dirs" lineno="3422"> <summary> List systemd unit dirs. </summary> @@ -101628,7 +102231,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_generic_units_files" lineno="3399"> +<interface name="init_getattr_generic_units_files" lineno="3442"> <summary> Get the attributes of systemd unit files </summary> @@ -101638,7 +102241,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_generic_units_files" lineno="3417"> +<interface name="init_read_generic_units_files" lineno="3460"> <summary> Read systemd unit files </summary> @@ -101648,7 +102251,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_generic_units_symlinks" lineno="3435"> +<interface name="init_read_generic_units_symlinks" lineno="3478"> <summary> Read systemd unit links </summary> @@ -101658,7 +102261,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_generic_units_status" lineno="3453"> +<interface name="init_get_generic_units_status" lineno="3496"> <summary> Get status of generic systemd units. </summary> 
@@ -101668,7 +102271,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_generic_units" lineno="3472"> +<interface name="init_start_generic_units" lineno="3515"> <summary> Start generic systemd units. </summary> @@ -101678,7 +102281,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_generic_units" lineno="3491"> +<interface name="init_stop_generic_units" lineno="3534"> <summary> Stop generic systemd units. </summary> @@ -101688,7 +102291,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_generic_units" lineno="3510"> +<interface name="init_reload_generic_units" lineno="3553"> <summary> Reload generic systemd units. </summary> @@ -101698,7 +102301,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_runtime_units_status" lineno="3529"> +<interface name="init_get_runtime_units_status" lineno="3572"> <summary> Get the status of runtime systemd units. </summary> @@ -101708,7 +102311,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_runtime_units" lineno="3548"> +<interface name="init_start_runtime_units" lineno="3591"> <summary> Start runtime systemd units. </summary> @@ -101718,7 +102321,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_runtime_units" lineno="3567"> +<interface name="init_stop_runtime_units" lineno="3610"> <summary> Stop runtime systemd units. </summary> @@ -101728,7 +102331,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_transient_units_status" lineno="3586"> +<interface name="init_get_transient_units_status" lineno="3629"> <summary> Get status of transient systemd units. </summary> 
@@ -101738,7 +102341,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_transient_units" lineno="3605"> +<interface name="init_start_transient_units" lineno="3648"> <summary> Start transient systemd units. </summary> @@ -101748,7 +102351,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_transient_units" lineno="3624"> +<interface name="init_stop_transient_units" lineno="3667"> <summary> Stop transient systemd units. </summary> @@ -101758,7 +102361,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_transient_units" lineno="3643"> +<interface name="init_reload_transient_units" lineno="3686"> <summary> Reload transient systemd units. </summary> @@ -101768,7 +102371,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_all_units_status" lineno="3663"> +<interface name="init_get_all_units_status" lineno="3706"> <summary> Get status of all systemd units. </summary> @@ -101778,7 +102381,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_all_units" lineno="3682"> +<interface name="init_manage_all_units" lineno="3725"> <summary> All perms on all systemd units. </summary> @@ -101788,7 +102391,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_all_units" lineno="3702"> +<interface name="init_start_all_units" lineno="3745"> <summary> Start all systemd units. </summary> @@ -101798,7 +102401,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_all_units" lineno="3721"> +<interface name="init_stop_all_units" lineno="3764"> <summary> Stop all systemd units. </summary> @@ -101808,7 +102411,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_all_units" lineno="3740"> +<interface name="init_reload_all_units" lineno="3783"> <summary> Reload all systemd units. </summary> 
@@ -101818,7 +102421,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_all_unit_files" lineno="3759"> +<interface name="init_manage_all_unit_files" lineno="3802"> <summary> Manage systemd unit dirs and the files in them </summary> @@ -101828,7 +102431,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_linkable_keyring" lineno="3780"> +<interface name="init_linkable_keyring" lineno="3823"> <summary> Associate the specified domain to be a domain whose keyring init should be allowed to link. @@ -101839,7 +102442,7 @@ Domain whose keyring init should be allowed to link. </summary> </param> </interface> -<interface name="init_admin" lineno="3798"> +<interface name="init_admin" lineno="3841"> <summary> Allow unconfined access to send instructions to init </summary> @@ -101849,7 +102452,7 @@ Target domain </summary> </param> </interface> -<interface name="init_getrlimit" lineno="3830"> +<interface name="init_getrlimit" lineno="3873"> <summary> Allow getting init_t rlimit </summary> @@ -101859,6 +102462,16 @@ Source domain </summary> </param> </interface> +<interface name="init_search_keys" lineno="3891"> +<summary> +Allow searching init_t keys +</summary> +<param name="domain"> +<summary> +Source domain +</summary> +</param> +</interface> <tunable name="init_upstart" dftval="false"> <desc> <p> @@ -102656,7 +103269,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="libs_relabel_shared_libs" lineno="545"> +<interface name="libs_watch_shared_libs_dirs" lineno="543"> +<summary> +watch lib dirs +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="libs_relabel_shared_libs" lineno="563"> <summary> Relabel to and from the type used for shared libraries. 
@@ -102667,7 +103290,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="libs_generic_etc_filetrans_ld_so_cache" lineno="578"> +<interface name="libs_generic_etc_filetrans_ld_so_cache" lineno="596"> <summary> Create an object in etc with a type transition to the ld_so_cache_t type @@ -102690,7 +103313,7 @@ Name of the resource created for which a type transition occurs </summary> </param> </interface> -<interface name="libs_lib_filetrans" lineno="612"> +<interface name="libs_lib_filetrans" lineno="630"> <summary> Create an object in the generic lib location with a type transition to the provided type @@ -102716,7 +103339,7 @@ Name of the resource created for which a type transition should occur </summary> </param> </interface> -<interface name="libs_relabel_lib_dirs" lineno="633"> +<interface name="libs_relabel_lib_dirs" lineno="651"> <summary> Relabel to and from the type used for generic lib directories. @@ -103309,7 +103932,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_delete_devlog_socket" lineno="859"> +<interface name="logging_stream_connect_journald_varlink" lineno="858"> +<summary> +Connect syslog varlink socket files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="logging_delete_devlog_socket" lineno="878"> <summary> Delete the syslog socket files </summary> @@ -103320,7 +103953,7 @@ Domain allowed access </param> <rolecap/> </interface> -<interface name="logging_manage_runtime_sockets" lineno="877"> +<interface name="logging_manage_runtime_sockets" lineno="896"> <summary> Create, read, write, and delete syslog PID sockets. </summary> @@ -103330,7 +103963,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_search_logs" lineno="898"> +<interface name="logging_search_logs" lineno="917"> <summary> Allows the domain to open a file in the log directory, but does not allow the listing 
@@ -103342,7 +103975,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_dontaudit_search_logs" lineno="918"> +<interface name="logging_dontaudit_search_logs" lineno="937"> <summary> Do not audit attempts to search the var log directory. </summary> @@ -103352,7 +103985,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="logging_list_logs" lineno="936"> +<interface name="logging_list_logs" lineno="955"> <summary> List the contents of the generic log directory (/var/log). </summary> @@ -103362,7 +103995,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_rw_generic_log_dirs" lineno="956"> +<interface name="logging_rw_generic_log_dirs" lineno="975"> <summary> Read and write the generic log directory (/var/log). </summary> @@ -103372,7 +104005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_search_all_logs" lineno="977"> +<interface name="logging_search_all_logs" lineno="996"> <summary> Search through all log dirs. </summary> @@ -103383,7 +104016,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_setattr_all_log_dirs" lineno="996"> +<interface name="logging_setattr_all_log_dirs" lineno="1015"> <summary> Set attributes on all log dirs. </summary> @@ -103394,7 +104027,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_dontaudit_getattr_all_logs" lineno="1015"> +<interface name="logging_dontaudit_getattr_all_logs" lineno="1034"> <summary> Do not audit attempts to get the attributes of any log files. @@ -103405,7 +104038,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="logging_getattr_all_logs" lineno="1033"> +<interface name="logging_getattr_all_logs" lineno="1052"> <summary> Read the attributes of any log file </summary> 
@@ -103415,7 +104048,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="logging_append_all_logs" lineno="1051"> +<interface name="logging_append_all_logs" lineno="1070"> <summary> Append to all log files. </summary> @@ -103425,7 +104058,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_append_all_inherited_logs" lineno="1072"> +<interface name="logging_append_all_inherited_logs" lineno="1091"> <summary> Append to all log files. </summary> @@ -103435,7 +104068,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_read_all_logs" lineno="1091"> +<interface name="logging_read_all_logs" lineno="1110"> <summary> Read all log files. </summary> @@ -103446,7 +104079,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_watch_all_logs" lineno="1112"> +<interface name="logging_watch_all_logs" lineno="1131"> <summary> Watch all log files. </summary> @@ -103457,17 +104090,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_exec_all_logs" lineno="1132"> -<summary> -Execute all log files in the caller domain. -</summary> -<param name="domain"> -<summary> -Domain allowed access. -</summary> -</param> -</interface> -<interface name="logging_rw_all_logs" lineno="1152"> +<interface name="logging_rw_all_logs" lineno="1149"> <summary> read/write to all log files. </summary> @@ -103477,7 +104100,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_manage_all_logs" lineno="1172"> +<interface name="logging_manage_all_logs" lineno="1169"> <summary> Create, read, write, and delete all log files. </summary> @@ -103488,7 +104111,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_manage_generic_log_dirs" lineno="1193"> +<interface name="logging_manage_generic_log_dirs" lineno="1190"> <summary> Create, read, write, and delete generic log directories. </summary> 
@@ -103499,7 +104122,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_relabel_generic_log_dirs" lineno="1213"> +<interface name="logging_relabel_generic_log_dirs" lineno="1210"> <summary> Relabel from and to generic log directory type. </summary> @@ -103510,7 +104133,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_read_generic_logs" lineno="1233"> +<interface name="logging_read_generic_logs" lineno="1230"> <summary> Read generic log files. </summary> @@ -103521,7 +104144,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_mmap_generic_logs" lineno="1254"> +<interface name="logging_mmap_generic_logs" lineno="1251"> <summary> Map generic log files. </summary> @@ -103532,7 +104155,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_write_generic_logs" lineno="1272"> +<interface name="logging_write_generic_logs" lineno="1269"> <summary> Write generic log files. </summary> @@ -103542,7 +104165,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_dontaudit_write_generic_logs" lineno="1293"> +<interface name="logging_dontaudit_write_generic_logs" lineno="1290"> <summary> Dontaudit Write generic log files. </summary> @@ -103552,7 +104175,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="logging_rw_generic_logs" lineno="1311"> +<interface name="logging_rw_generic_logs" lineno="1308"> <summary> Read and write generic log files. </summary> @@ -103562,7 +104185,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_manage_generic_logs" lineno="1334"> +<interface name="logging_manage_generic_logs" lineno="1331"> <summary> Create, read, write, and delete generic log files. 
@@ -103574,7 +104197,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="logging_watch_generic_logs_dir" lineno="1353"> +<interface name="logging_watch_generic_logs_dir" lineno="1350"> <summary> Watch generic log dirs. </summary> @@ -103584,7 +104207,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="logging_admin_audit" lineno="1378"> +<interface name="logging_admin_audit" lineno="1375"> <summary> All of the rules required to administrate the audit environment @@ -103601,7 +104224,7 @@ User role allowed access. </param> <rolecap/> </interface> -<interface name="logging_admin_syslog" lineno="1422"> +<interface name="logging_admin_syslog" lineno="1419"> <summary> All of the rules required to administrate the syslog environment @@ -103618,7 +104241,7 @@ User role allowed access. </param> <rolecap/> </interface> -<interface name="logging_admin" lineno="1478"> +<interface name="logging_admin" lineno="1475"> <summary> All of the rules required to administrate the logging environment @@ -103635,7 +104258,7 @@ User role allowed access. </param> <rolecap/> </interface> -<interface name="logging_syslog_managed_log_file" lineno="1501"> +<interface name="logging_syslog_managed_log_file" lineno="1498"> <summary> Mark the type as a syslog managed log file and introduce the proper file transition when @@ -103653,7 +104276,7 @@ Name to use for the file </summary> </param> </interface> -<interface name="logging_syslog_managed_log_dir" lineno="1540"> +<interface name="logging_syslog_managed_log_dir" lineno="1537"> <summary> Mark the type as a syslog managed log dir and introduce the proper file transition when @@ -103680,7 +104303,7 @@ Name to use for the directory </summary> </param> </interface> -<interface name="logging_mmap_journal" lineno="1562"> +<interface name="logging_mmap_journal" lineno="1559"> <summary> Map files in /run/log/journal/ directory. </summary> 
@@ -103690,6 +104313,14 @@ Domain allowed access. </summary> </param> </interface> +<tunable name="logging_syslog_can_network" dftval="false"> +<desc> +<p> +Allows syslogd internet domain sockets +functionality (dangerous). +</p> +</desc> +</tunable> </module> <module name="lvm" filename="policy/modules/system/lvm.if"> <summary>Policy for logical volume management programs.</summary> @@ -104599,7 +105230,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_read_state" lineno="82"> +<interface name="mount_read_state" lineno="79"> <summary> Read the process state (/proc/pid) of mount. </summary> @@ -104609,7 +105240,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_signal" lineno="100"> +<interface name="mount_signal" lineno="97"> <summary> Send a generic signal to mount. </summary> @@ -104619,7 +105250,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_use_fds" lineno="118"> +<interface name="mount_use_fds" lineno="115"> <summary> Use file descriptors for mount. </summary> @@ -104629,7 +105260,7 @@ The type of the process performing this action. </summary> </param> </interface> -<interface name="mount_domtrans_unconfined" lineno="136"> +<interface name="mount_domtrans_unconfined" lineno="133"> <summary> Execute mount in the unconfined mount domain. </summary> @@ -104639,7 +105270,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="mount_run_unconfined" lineno="162"> +<interface name="mount_run_unconfined" lineno="159"> <summary> Execute mount in the unconfined mount domain, and allow the specified role the unconfined mount domain, @@ -104657,7 +105288,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="mount_read_loopback_files" lineno="181"> +<interface name="mount_read_loopback_files" lineno="178"> <summary> Read loopback filesystem image files. </summary> 
@@ -104667,7 +105298,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_rw_loopback_files" lineno="199"> +<interface name="mount_rw_loopback_files" lineno="196"> <summary> Read and write loopback filesystem image files. </summary> @@ -104677,7 +105308,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_list_runtime" lineno="217"> +<interface name="mount_list_runtime" lineno="214"> <summary> List mount runtime files. </summary> @@ -104687,7 +105318,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_watch_runtime_dirs" lineno="235"> +<interface name="mount_watch_runtime_dirs" lineno="232"> <summary> Watch mount runtime dirs. </summary> @@ -104697,7 +105328,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_watch_runtime_files" lineno="253"> +<interface name="mount_watch_runtime_files" lineno="250"> <summary> Watch mount runtime files. </summary> @@ -104707,7 +105338,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_watch_reads_runtime_files" lineno="271"> +<interface name="mount_watch_reads_runtime_files" lineno="268"> <summary> Watch reads on mount runtime files. </summary> @@ -104717,7 +105348,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_getattr_runtime_files" lineno="289"> +<interface name="mount_getattr_runtime_files" lineno="286"> <summary> Getattr on mount_runtime_t files </summary> @@ -104727,7 +105358,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_read_runtime_files" lineno="307"> +<interface name="mount_read_runtime_files" lineno="304"> <summary> Read mount runtime files. </summary> 
@@ -104737,7 +105368,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_rw_runtime_files" lineno="325"> +<interface name="mount_rw_runtime_files" lineno="322"> <summary> Read and write mount runtime files. </summary> @@ -104747,7 +105378,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="mount_rw_pipes" lineno="345"> +<interface name="mount_rw_pipes" lineno="342"> <summary> Read and write mount unnamed pipes </summary> @@ -105909,7 +106540,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_read_dhcpc_runtime_files" lineno="580"> +<interface name="sysnet_watch_config_dirs" lineno="580"> +<summary> +Watch a network config dir +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="sysnet_read_dhcpc_runtime_files" lineno="598"> <summary> Read dhcp client runtime files. </summary> @@ -105919,7 +106560,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_delete_dhcpc_runtime_files" lineno="599"> +<interface name="sysnet_delete_dhcpc_runtime_files" lineno="617"> <summary> Delete the dhcp client runtime files. </summary> @@ -105929,7 +106570,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_manage_dhcpc_runtime_files" lineno="617"> +<interface name="sysnet_manage_dhcpc_runtime_files" lineno="635"> <summary> Create, read, write, and delete dhcp client runtime files. </summary> @@ -105939,7 +106580,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_domtrans_ifconfig" lineno="635"> +<interface name="sysnet_domtrans_ifconfig" lineno="653"> <summary> Execute ifconfig in the ifconfig domain. </summary> 
@@ -105949,7 +106590,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="sysnet_run_ifconfig" lineno="662"> +<interface name="sysnet_run_ifconfig" lineno="680"> <summary> Execute ifconfig in the ifconfig domain, and allow the specified role the ifconfig domain, @@ -105967,7 +106608,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_exec_ifconfig" lineno="682"> +<interface name="sysnet_exec_ifconfig" lineno="700"> <summary> Execute ifconfig in the caller domain. </summary> @@ -105977,7 +106618,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_signal_ifconfig" lineno="702"> +<interface name="sysnet_signal_ifconfig" lineno="720"> <summary> Send a generic signal to ifconfig. </summary> @@ -105988,7 +106629,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_signull_ifconfig" lineno="721"> +<interface name="sysnet_signull_ifconfig" lineno="739"> <summary> Send null signals to ifconfig. </summary> @@ -105999,7 +106640,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_create_netns_dirs" lineno="740"> +<interface name="sysnet_create_netns_dirs" lineno="758"> <summary> Create the /run/netns directory with an automatic type transition. @@ -106010,7 +106651,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_netns_filetrans" lineno="774"> +<interface name="sysnet_netns_filetrans" lineno="792"> <summary> Create an object in the /run/netns directory with a private type. @@ -106036,7 +106677,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="sysnet_read_dhcp_config" lineno="795"> +<interface name="sysnet_read_dhcp_config" lineno="813"> <summary> Read the DHCP configuration files. </summary> 
@@ -106046,7 +106687,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_search_dhcp_state" lineno="815"> +<interface name="sysnet_search_dhcp_state" lineno="833"> <summary> Search the DHCP state data directory. </summary> @@ -106056,7 +106697,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_dhcp_state_filetrans" lineno="859"> +<interface name="sysnet_dhcp_state_filetrans" lineno="877"> <summary> Create DHCP state data. </summary> @@ -106091,7 +106732,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="sysnet_dns_name_resolve" lineno="879"> +<interface name="sysnet_dns_name_resolve" lineno="897"> <summary> Perform a DNS name resolution. </summary> @@ -106102,7 +106743,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_use_ldap" lineno="930"> +<interface name="sysnet_use_ldap" lineno="948"> <summary> Connect and use a LDAP server. </summary> @@ -106112,7 +106753,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_use_portmap" lineno="957"> +<interface name="sysnet_use_portmap" lineno="975"> <summary> Connect and use remote port mappers. </summary> @@ -106122,7 +106763,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_dhcpc_script_entry" lineno="991"> +<interface name="sysnet_dhcpc_script_entry" lineno="1009"> <summary> Make the specified program domain accessable from the DHCP hooks/scripts. @@ -106149,7 +106790,7 @@ can manage samba </module> <module name="systemd" filename="policy/modules/system/systemd.if"> <summary>Systemd components (not PID 1)</summary> -<template name="systemd_role_template" lineno="28"> +<template name="systemd_role_template" lineno="23"> <summary> Template for systemd --user per-role domains. </summary> 
@@ -106168,13 +106809,8 @@ The user role. The user domain for the role. </summary> </param> -<param name="pty_type"> -<summary> -The type for the user pty -</summary> -</param> </template> -<template name="systemd_user_daemon_domain" lineno="222"> +<template name="systemd_user_daemon_domain" lineno="225"> <summary> Allow the specified domain to be started as a daemon by the specified systemd user instance. @@ -106195,7 +106831,7 @@ Domain to allow the systemd user domain to run. </summary> </param> </template> -<interface name="systemd_user_activated_sock_file" lineno="243"> +<interface name="systemd_user_activated_sock_file" lineno="246"> <summary> Associate the specified file type to be a type whose sock files can be managed by systemd user instances for socket activation. @@ -106206,7 +106842,7 @@ File type to be associated. </summary> </param> </interface> -<interface name="systemd_user_unix_stream_activated_socket" lineno="268"> +<interface name="systemd_user_unix_stream_activated_socket" lineno="271"> <summary> Associate the specified domain to be a domain whose unix stream sockets and sock files can be managed by systemd user instances @@ -106223,7 +106859,18 @@ File type of the domain's sock files to be associated. </summary> </param> </interface> -<template name="systemd_user_send_systemd_notify" lineno="294"> +<interface name="systemd_write_notify_socket" lineno="291"> +<summary> +Allow the specified domain to write to +systemd-notify socket +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<template name="systemd_user_send_systemd_notify" lineno="318"> <summary> Allow the target domain the permissions necessary to use systemd notify when started by the specified 
@@ -106240,7 +106887,7 @@ Domain to be allowed systemd notify permissions. </summary> </param> </template> -<template name="systemd_user_app_status" lineno="322"> +<template name="systemd_user_app_status" lineno="346"> <summary> Allow the target domain to be monitored and have its output captured by the specified systemd user instance domain. @@ -106256,7 +106903,7 @@ Domain to allow the systemd user instance to monitor. </summary> </param> </template> -<template name="systemd_read_user_manager_state" lineno="362"> +<template name="systemd_read_user_manager_state" lineno="386"> <summary> Read the process state (/proc/pid) of the specified systemd user instance. @@ -106272,7 +106919,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_start" lineno="386"> +<template name="systemd_user_manager_system_start" lineno="410"> <summary> Send a start request to the specified systemd user instance system object. @@ -106288,7 +106935,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_stop" lineno="410"> +<template name="systemd_user_manager_system_stop" lineno="434"> <summary> Send a stop request to the specified systemd user instance system object. @@ -106304,7 +106951,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_status" lineno="434"> +<template name="systemd_user_manager_system_status" lineno="458"> <summary> Get the status of the specified systemd user instance system object. @@ -106320,7 +106967,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_dbus_chat" lineno="458"> +<template name="systemd_user_manager_dbus_chat" lineno="482"> <summary> Send and receive messages from the specified systemd user instance over dbus. 
@@ -106336,7 +106983,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="systemd_search_conf_home_content" lineno="479"> +<interface name="systemd_search_conf_home_content" lineno="503"> <summary> Allow the specified domain to search systemd config home content. @@ -106347,7 +106994,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_conf_home_content" lineno="498"> +<interface name="systemd_manage_conf_home_content" lineno="522"> <summary> Allow the specified domain to manage systemd config home content. @@ -106358,7 +107005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabel_conf_home_content" lineno="519"> +<interface name="systemd_relabel_conf_home_content" lineno="543"> <summary> Allow the specified domain to relabel systemd config home content. @@ -106369,7 +107016,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_data_home_content" lineno="540"> +<interface name="systemd_search_data_home_content" lineno="564"> <summary> Allow the specified domain to search systemd data home content. @@ -106380,7 +107027,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_data_home_content" lineno="559"> +<interface name="systemd_manage_data_home_content" lineno="583"> <summary> Allow the specified domain to manage systemd data home content. @@ -106391,7 +107038,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabel_data_home_content" lineno="580"> +<interface name="systemd_relabel_data_home_content" lineno="604"> <summary> Allow the specified domain to relabel systemd data home content. 
@@ -106402,7 +107049,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_runtime" lineno="601"> +<interface name="systemd_search_user_runtime" lineno="625"> <summary> Allow the specified domain to search systemd user runtime content. @@ -106413,7 +107060,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_files" lineno="619"> +<interface name="systemd_read_user_runtime_files" lineno="643"> <summary> Allow the specified domain to read systemd user runtime files. </summary> @@ -106423,7 +107070,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_lnk_files" lineno="637"> +<interface name="systemd_read_user_runtime_lnk_files" lineno="661"> <summary> Allow the specified domain to read systemd user runtime lnk files. </summary> @@ -106433,7 +107080,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_user_runtime_socket" lineno="656"> +<interface name="systemd_write_user_runtime_socket" lineno="680"> <summary> Allow the specified domain to write to the systemd user runtime named socket. @@ -106444,7 +107091,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_unit_files" lineno="675"> +<interface name="systemd_read_user_unit_files" lineno="699"> <summary> Allow the specified domain to read system-wide systemd user unit files. (Deprecated) @@ -106455,7 +107102,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_units_files" lineno="691"> +<interface name="systemd_read_user_units_files" lineno="715"> <summary> Allow the specified domain to read system-wide systemd user unit files. 
@@ -106466,7 +107113,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_units" lineno="711"> +<interface name="systemd_read_user_runtime_units" lineno="735"> <summary> Allow the specified domain to read systemd user runtime unit files. (Deprecated) </summary> @@ -106476,7 +107123,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_units_files" lineno="726"> +<interface name="systemd_read_user_runtime_units_files" lineno="750"> <summary> Allow the specified domain to read systemd user runtime unit files. </summary> @@ -106486,7 +107133,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_runtime_unit_dirs" lineno="746"> +<interface name="systemd_search_user_runtime_unit_dirs" lineno="770"> <summary> Allow the specified domain to search systemd user runtime unit directories. @@ -106497,7 +107144,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_user_runtime_unit_dirs" lineno="765"> +<interface name="systemd_list_user_runtime_unit_dirs" lineno="789"> <summary> Allow the specified domain to list the contents of systemd user runtime unit directories. @@ -106508,7 +107155,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_user_runtime_units" lineno="783"> +<interface name="systemd_status_user_runtime_units" lineno="807"> <summary> Allow the specified domain to get the status of systemd user runtime units. (Deprecated) </summary> @@ -106518,7 +107165,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_runtime_units_status" lineno="798"> +<interface name="systemd_get_user_runtime_units_status" lineno="822"> <summary> Allow the specified domain to get the status of systemd user runtime units. </summary> 
@@ -106528,7 +107175,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_runtime_units" lineno="817"> +<interface name="systemd_start_user_runtime_units" lineno="841"> <summary> Allow the specified domain to start systemd user runtime units. </summary> @@ -106538,7 +107185,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_runtime_units" lineno="836"> +<interface name="systemd_stop_user_runtime_units" lineno="860"> <summary> Allow the specified domain to stop systemd user runtime units. </summary> @@ -106548,7 +107195,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_runtime_units" lineno="855"> +<interface name="systemd_reload_user_runtime_units" lineno="879"> <summary> Allow the specified domain to reload systemd user runtime units. </summary> @@ -106558,7 +107205,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_transient_units_files" lineno="874"> +<interface name="systemd_read_user_transient_units_files" lineno="898"> <summary> Allow the specified domain to read systemd user transient unit files. </summary> @@ -106568,7 +107215,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_transient_unit_dirs" lineno="894"> +<interface name="systemd_search_user_transient_unit_dirs" lineno="918"> <summary> Allow the specified domain to search systemd user transient unit directories. @@ -106579,7 +107226,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_user_transient_unit_dirs" lineno="913"> +<interface name="systemd_list_user_transient_unit_dirs" lineno="937"> <summary> Allow the specified domain to list the contents of systemd user transient unit directories. 
@@ -106590,7 +107237,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_transient_units_status" lineno="931"> +<interface name="systemd_get_user_transient_units_status" lineno="955"> <summary> Allow the specified domain to get the status of systemd user transient units. </summary> @@ -106600,7 +107247,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_transient_units" lineno="950"> +<interface name="systemd_start_user_transient_units" lineno="974"> <summary> Allow the specified domain to start systemd user transient units. </summary> @@ -106610,7 +107257,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_transient_units" lineno="969"> +<interface name="systemd_stop_user_transient_units" lineno="993"> <summary> Allow the specified domain to stop systemd user transient units. </summary> @@ -106620,7 +107267,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_transient_units" lineno="988"> +<interface name="systemd_reload_user_transient_units" lineno="1012"> <summary> Allow the specified domain to reload systemd user transient units. </summary> @@ -106630,7 +107277,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_log_parse_environment" lineno="1008"> +<interface name="systemd_log_parse_environment" lineno="1032"> <summary> Make the specified type usable as an log parse environment type. @@ -106641,7 +107288,7 @@ Type to be used as a log parse environment type. </summary> </param> </interface> -<interface name="systemd_use_nss" lineno="1028"> +<interface name="systemd_use_nss" lineno="1052"> <summary> Allow domain to use systemd's Name Service Switch (NSS) module. This module provides UNIX user and group name resolution for dynamic users 
@@ -106653,7 +107300,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_PrivateDevices" lineno="1055"> +<interface name="systemd_PrivateDevices" lineno="1079"> <summary> Allow domain to be used as a systemd service with a unit that uses PrivateDevices=yes in section [Service]. @@ -106664,7 +107311,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_rw_homework_semaphores" lineno="1072"> +<interface name="systemd_rw_homework_semaphores" lineno="1096"> <summary> Read and write systemd-homework semaphores. </summary> @@ -106674,7 +107321,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_read_hwdb" lineno="1090"> +<interface name="systemd_read_hwdb" lineno="1114"> <summary> Allow domain to read udev hwdb file </summary> @@ -106684,7 +107331,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_map_hwdb" lineno="1108"> +<interface name="systemd_map_hwdb" lineno="1132"> <summary> Allow domain to map udev hwdb file </summary> @@ -106694,7 +107341,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_watch_logind_runtime_dirs" lineno="1126"> +<interface name="systemd_watch_logind_runtime_dirs" lineno="1150"> <summary> Watch systemd-logind runtime dirs. </summary> @@ -106704,7 +107351,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_logind_runtime_files" lineno="1145"> +<interface name="systemd_read_logind_runtime_files" lineno="1169"> <summary> Read systemd-logind runtime files. </summary> @@ -106714,7 +107361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_logind_runtime_pipes" lineno="1165"> +<interface name="systemd_manage_logind_runtime_pipes" lineno="1189"> <summary> Manage systemd-logind runtime pipes. </summary> 
@@ -106724,7 +107371,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_logind_runtime_pipes" lineno="1184"> +<interface name="systemd_write_logind_runtime_pipes" lineno="1208"> <summary> Write systemd-logind runtime named pipe. </summary> @@ -106734,7 +107381,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_use_logind_fds" lineno="1205"> +<interface name="systemd_use_logind_fds" lineno="1229"> <summary> Use inherited systemd logind file descriptors. @@ -106745,7 +107392,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_logind_sessions_dirs" lineno="1223"> +<interface name="systemd_watch_logind_sessions_dirs" lineno="1247"> <summary> Watch logind sessions dirs. </summary> @@ -106755,7 +107402,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_logind_sessions_files" lineno="1242"> +<interface name="systemd_read_logind_sessions_files" lineno="1266"> <summary> Read logind sessions files. </summary> @@ -106765,7 +107412,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1263"> +<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1287"> <summary> Write inherited logind sessions pipes. </summary> @@ -106775,7 +107422,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1283"> +<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1307"> <summary> Write inherited logind inhibit pipes. </summary> @@ -106785,7 +107432,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_logind" lineno="1304"> +<interface name="systemd_dbus_chat_logind" lineno="1328"> <summary> Send and receive messages from systemd logind over dbus. 
@@ -106796,7 +107443,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_logind" lineno="1324"> +<interface name="systemd_status_logind" lineno="1348"> <summary> Get the system status information from systemd_login </summary> @@ -106806,7 +107453,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_signull_logind" lineno="1343"> +<interface name="systemd_signull_logind" lineno="1367"> <summary> Send systemd_login a null signal. </summary> @@ -106816,7 +107463,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_userdb_runtime_dirs" lineno="1361"> +<interface name="systemd_list_userdb_runtime_dirs" lineno="1385"> <summary> List the contents of systemd userdb runtime directories. </summary> @@ -106826,7 +107473,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_dirs" lineno="1379"> +<interface name="systemd_manage_userdb_runtime_dirs" lineno="1403"> <summary> Manage systemd userdb runtime directories. </summary> @@ -106836,7 +107483,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_userdb_runtime_files" lineno="1397"> +<interface name="systemd_read_userdb_runtime_files" lineno="1421"> <summary> Read systemd userdb runtime files. </summary> @@ -106846,7 +107493,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1415"> +<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1439"> <summary> Manage symbolic links under /run/systemd/userdb. </summary> @@ -106856,7 +107503,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1433"> +<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1457"> <summary> Manage socket files under /run/systemd/userdb . </summary> 
@@ -106866,7 +107513,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stream_connect_userdb" lineno="1451"> +<interface name="systemd_stream_connect_userdb" lineno="1475"> <summary> Connect to /run/systemd/userdb/io.systemd.DynamicUser . </summary> @@ -106876,7 +107523,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_machines" lineno="1473"> +<interface name="systemd_read_machines" lineno="1497"> <summary> Allow reading /run/systemd/machines </summary> @@ -106886,7 +107533,7 @@ Domain that can access the machines files </summary> </param> </interface> -<interface name="systemd_watch_machines_dirs" lineno="1492"> +<interface name="systemd_watch_machines_dirs" lineno="1516"> <summary> Allow watching /run/systemd/machines </summary> @@ -106896,7 +107543,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_connect_machined" lineno="1510"> +<interface name="systemd_connect_machined" lineno="1534"> <summary> Allow connecting to /run/systemd/userdb/io.systemd.Machine socket </summary> @@ -106906,7 +107553,17 @@ Domain that can access the socket </summary> </param> </interface> -<interface name="systemd_dbus_chat_machined" lineno="1529"> +<interface name="systemd_dontaudit_connect_machined" lineno="1552"> +<summary> +dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket +</summary> +<param name="domain"> +<summary> +Domain that can access the socket +</summary> +</param> +</interface> +<interface name="systemd_dbus_chat_machined" lineno="1571"> <summary> Send and receive messages from systemd machined over dbus. @@ -106917,7 +107574,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_hostnamed" lineno="1550"> +<interface name="systemd_dbus_chat_hostnamed" lineno="1592"> <summary> Send and receive messages from systemd hostnamed over dbus. 
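Review bot: The parameter summary of the new `systemd_dontaudit_connect_machined` interface reads `Domain that can access the socket`, apparently copied from `systemd_connect_machined`, although a dontaudit interface grants no access; the `userdom_dontaudit_*` interfaces further down this diff use `Domain to not audit.` instead. The interface summary would also match its neighbours better as `Do not audit attempts to connect to /run/systemd/userdb/io.systemd.Machine socket`. Since dontaudit rules keep the matching AVC denials out of the audit log, the wording should leave no doubt that callers only silence logging and gain no permission. This file looks generated (every interface carries a `lineno`), so the text presumably has to be corrected in the interface source rather than here.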
@@ -106928,7 +107585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_use_passwd_agent_fds" lineno="1570"> +<interface name="systemd_use_passwd_agent_fds" lineno="1612"> <summary> allow systemd_passwd_agent to inherit fds </summary> @@ -106938,7 +107595,7 @@ Domain that owns the fds </summary> </param> </interface> -<interface name="systemd_run_passwd_agent" lineno="1593"> +<interface name="systemd_run_passwd_agent" lineno="1635"> <summary> allow systemd_passwd_agent to be run by admin </summary> @@ -106953,7 +107610,7 @@ role that it runs in </summary> </param> </interface> -<interface name="systemd_use_passwd_agent" lineno="1614"> +<interface name="systemd_use_passwd_agent" lineno="1656"> <summary> Allow a systemd_passwd_agent_t process to interact with a daemon that needs a password from the sysadmin. @@ -106964,7 +107621,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1638"> +<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1680"> <summary> Transition to systemd_passwd_runtime_t when creating dirs </summary> @@ -106974,7 +107631,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1659"> +<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1701"> <summary> Transition to systemd_userdbd_runtime_t when creating the userdb directory inside an init runtime @@ -106986,7 +107643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1677"> +<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1719"> <summary> Allow to domain to create systemd-passwd symlink </summary> 
@@ -106996,7 +107653,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_passwd_runtime_dirs" lineno="1695"> +<interface name="systemd_watch_passwd_runtime_dirs" lineno="1737"> <summary> Allow a domain to watch systemd-passwd runtime dirs. </summary> @@ -107006,7 +107663,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_journal_dirs" lineno="1713"> +<interface name="systemd_list_journal_dirs" lineno="1755"> <summary> Allow domain to list the contents of systemd_journal_t dirs </summary> @@ -107016,7 +107673,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_journal_files" lineno="1731"> +<interface name="systemd_read_journal_files" lineno="1773"> <summary> Allow domain to read systemd_journal_t files </summary> @@ -107026,7 +107683,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_journal_files" lineno="1750"> +<interface name="systemd_manage_journal_files" lineno="1792"> <summary> Allow domain to create/manage systemd_journal_t files </summary> @@ -107036,7 +107693,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_journal_dirs" lineno="1770"> +<interface name="systemd_watch_journal_dirs" lineno="1812"> <summary> Allow domain to add a watch on systemd_journal_t directories </summary> @@ -107046,7 +107703,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelfrom_journal_files" lineno="1788"> +<interface name="systemd_relabelfrom_journal_files" lineno="1830"> <summary> Relabel from systemd-journald file type. </summary> @@ -107056,7 +107713,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_journal_dirs" lineno="1806"> +<interface name="systemd_relabelto_journal_dirs" lineno="1848"> <summary> Relabel to systemd-journald directory type. </summary> 
@@ -107066,7 +107723,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_journal_files" lineno="1825"> +<interface name="systemd_relabelto_journal_files" lineno="1867"> <summary> Relabel to systemd-journald file type. </summary> @@ -107076,7 +107733,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_networkd_units" lineno="1845"> +<interface name="systemd_read_networkd_units" lineno="1887"> <summary> Allow domain to read systemd_networkd_t unit files </summary> @@ -107086,7 +107743,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_networkd_units" lineno="1865"> +<interface name="systemd_manage_networkd_units" lineno="1907"> <summary> Allow domain to create/manage systemd_networkd_t unit files </summary> @@ -107096,7 +107753,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_enabledisable_networkd" lineno="1885"> +<interface name="systemd_enabledisable_networkd" lineno="1927"> <summary> Allow specified domain to enable systemd-networkd units </summary> @@ -107106,7 +107763,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_startstop_networkd" lineno="1904"> +<interface name="systemd_startstop_networkd" lineno="1946"> <summary> Allow specified domain to start systemd-networkd units </summary> @@ -107116,7 +107773,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_networkd" lineno="1924"> +<interface name="systemd_dbus_chat_networkd" lineno="1966"> <summary> Send and receive messages from systemd networkd over dbus. @@ -107127,7 +107784,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_networkd" lineno="1944"> +<interface name="systemd_status_networkd" lineno="1986"> <summary> Allow specified domain to get status of systemd-networkd </summary> 
@@ -107137,7 +107794,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="1963"> +<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2005"> <summary> Relabel systemd_networkd tun socket. </summary> @@ -107147,7 +107804,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="1981"> +<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2023"> <summary> Read/Write from systemd_networkd netlink route socket. </summary> @@ -107157,7 +107814,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_networkd_runtime" lineno="1999"> +<interface name="systemd_list_networkd_runtime" lineno="2041"> <summary> Allow domain to list dirs under /run/systemd/netif </summary> @@ -107167,7 +107824,7 @@ domain permitted the access </summary> </param> </interface> -<interface name="systemd_watch_networkd_runtime_dirs" lineno="2018"> +<interface name="systemd_watch_networkd_runtime_dirs" lineno="2060"> <summary> Watch directories under /run/systemd/netif </summary> @@ -107177,7 +107834,7 @@ Domain permitted the access </summary> </param> </interface> -<interface name="systemd_read_networkd_runtime" lineno="2037"> +<interface name="systemd_read_networkd_runtime" lineno="2079"> <summary> Allow domain to read files generated by systemd_networkd </summary> @@ -107187,7 +107844,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_read_logind_state" lineno="2056"> +<interface name="systemd_read_logind_state" lineno="2098"> <summary> Allow systemd_logind_t to read process state for cgroup file </summary> 
@@ -107197,7 +107854,7 @@ Domain systemd_logind_t may access. </summary> </param> </interface> -<interface name="systemd_create_logind_linger_dir" lineno="2077"> +<interface name="systemd_create_logind_linger_dir" lineno="2119"> <summary> Allow the specified domain to create the systemd-logind linger directory with @@ -107209,7 +107866,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_manager_units" lineno="2097"> +<interface name="systemd_start_user_manager_units" lineno="2139"> <summary> Allow the specified domain to start systemd user manager units (systemd --user). @@ -107220,7 +107877,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_manager_units" lineno="2117"> +<interface name="systemd_stop_user_manager_units" lineno="2159"> <summary> Allow the specified domain to stop systemd user manager units (systemd --user). @@ -107231,7 +107888,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_manager_units" lineno="2137"> +<interface name="systemd_reload_user_manager_units" lineno="2179"> <summary> Allow the specified domain to reload systemd user manager units (systemd --user). @@ -107242,7 +107899,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_manager_units_status" lineno="2157"> +<interface name="systemd_get_user_manager_units_status" lineno="2199"> <summary> Get the status of systemd user manager units (systemd --user). @@ -107253,7 +107910,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_power_units" lineno="2176"> +<interface name="systemd_start_power_units" lineno="2218"> <summary> Allow specified domain to start power units </summary> 
@@ -107263,7 +107920,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="systemd_status_power_units" lineno="2195"> +<interface name="systemd_status_power_units" lineno="2237"> <summary> Get the system status information about power units </summary> @@ -107273,7 +107930,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stream_connect_socket_proxyd" lineno="2214"> +<interface name="systemd_stream_connect_socket_proxyd" lineno="2256"> <summary> Allows connections to the systemd-socket-proxyd's socket. </summary> @@ -107283,7 +107940,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfiles_conf_file" lineno="2233"> +<interface name="systemd_tmpfiles_conf_file" lineno="2275"> <summary> Make the specified type usable for systemd tmpfiles config files. @@ -107294,7 +107951,7 @@ Type to be used for systemd tmpfiles config files. </summary> </param> </interface> -<interface name="systemd_tmpfiles_creator" lineno="2254"> +<interface name="systemd_tmpfiles_creator" lineno="2296"> <summary> Allow the specified domain to create the tmpfiles config directory with @@ -107306,7 +107963,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfiles_conf_filetrans" lineno="2290"> +<interface name="systemd_tmpfiles_conf_filetrans" lineno="2332"> <summary> Create an object in the systemd tmpfiles config directory, with a private type @@ -107333,7 +107990,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="systemd_list_tmpfiles_conf" lineno="2309"> +<interface name="systemd_list_tmpfiles_conf" lineno="2351"> <summary> Allow domain to list systemd tmpfiles config directory </summary> 
@@ -107343,7 +108000,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2327"> +<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2369"> <summary> Allow domain to relabel to systemd tmpfiles config directory </summary> @@ -107353,7 +108010,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2345"> +<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2387"> <summary> Allow domain to relabel to systemd tmpfiles config files </summary> @@ -107363,7 +108020,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfilesd_managed" lineno="2363"> +<interface name="systemd_tmpfilesd_managed" lineno="2405"> <summary> Allow systemd_tmpfiles_t to manage filesystem objects </summary> @@ -107373,7 +108030,7 @@ Type of object to manage </summary> </param> </interface> -<interface name="systemd_stream_connect_resolved" lineno="2390"> +<interface name="systemd_stream_connect_resolved" lineno="2432"> <summary> Connect to systemd resolved over /run/systemd/resolve/io.systemd.Resolve . @@ -107384,7 +108041,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_resolved" lineno="2411"> +<interface name="systemd_dbus_chat_resolved" lineno="2453"> <summary> Send and receive messages from systemd resolved over dbus. @@ -107395,7 +108052,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_resolved_runtime" lineno="2431"> +<interface name="systemd_read_resolved_runtime" lineno="2473"> <summary> Allow domain to read resolv.conf file generated by systemd_resolved </summary> 
@@ -107405,7 +108062,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_exec_systemctl" lineno="2453"> +<interface name="systemd_exec_systemctl" lineno="2495"> <summary> Execute the systemctl program. </summary> @@ -107415,7 +108072,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_getattr_updated_runtime" lineno="2484"> +<interface name="systemd_getattr_updated_runtime" lineno="2526"> <summary> Allow domain to getattr on .updated file (generated by systemd-update-done </summary> @@ -107425,7 +108082,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_search_all_user_keys" lineno="2502"> +<interface name="systemd_search_all_user_keys" lineno="2544"> <summary> Search keys for the all systemd --user domains. </summary> @@ -107435,7 +108092,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_create_all_user_keys" lineno="2520"> +<interface name="systemd_create_all_user_keys" lineno="2562"> <summary> Create keys for the all systemd --user domains. </summary> @@ -107445,7 +108102,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_all_user_keys" lineno="2538"> +<interface name="systemd_write_all_user_keys" lineno="2580"> <summary> Write keys for the all systemd --user domains. </summary> @@ -107455,7 +108112,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_domtrans_sysusers" lineno="2557"> +<interface name="systemd_domtrans_sysusers" lineno="2599"> <summary> Execute systemd-sysusers in the systemd sysusers domain. @@ -107466,7 +108123,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_run_sysusers" lineno="2582"> +<interface name="systemd_run_sysusers" lineno="2624"> <summary> Run systemd-sysusers with a domain transition. </summary> 
@@ -107482,7 +108139,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="systemd_use_inherited_machined_ptys" lineno="2602"> +<interface name="systemd_use_inherited_machined_ptys" lineno="2644"> <summary> receive and use a systemd_machined_devpts_t file handle </summary> @@ -108462,7 +109119,7 @@ is the prefix for user_t). </param> <rolebase/> </template> -<template name="userdom_user_content_access_template" lineno="181"> +<template name="userdom_user_content_access_template" lineno="188"> <summary> Template for handling user content through standard tunables </summary> @@ -108491,7 +109148,7 @@ The application domain which is granted the necessary privileges </param> <rolebase/> </template> -<interface name="userdom_application_exec_domain" lineno="266"> +<interface name="userdom_application_exec_domain" lineno="273"> <summary> Associate the specified domain to be a domain capable of executing other @@ -108511,7 +109168,7 @@ is the prefix for user_t). </param> <rolebase/> </interface> -<interface name="userdom_ro_home_role" lineno="300"> +<interface name="userdom_ro_home_role" lineno="307"> <summary> Allow a home directory for which the role has read-only access. @@ -108537,7 +109194,7 @@ The user domain </param> <rolebase/> </interface> -<interface name="userdom_manage_home_role" lineno="377"> +<interface name="userdom_manage_home_role" lineno="384"> <summary> Allow a home directory for which the role has full access. @@ -108563,7 +109220,7 @@ The user domain </param> <rolebase/> </interface> -<interface name="userdom_manage_tmp_role" lineno="472"> +<interface name="userdom_manage_tmp_role" lineno="479"> <summary> Manage user temporary files </summary> @@ -108579,7 +109236,7 @@ Domain allowed access. </param> <rolebase/> </interface> -<interface name="userdom_exec_user_tmp_files" lineno="499"> +<interface name="userdom_exec_user_tmp_files" lineno="506"> <summary> The execute access user temporary files. </summary> 
@@ -108590,7 +109247,7 @@ Domain allowed access. </param> <rolebase/> </interface> -<interface name="userdom_manage_tmpfs_role" lineno="535"> +<interface name="userdom_manage_tmpfs_role" lineno="542"> <summary> Role access for the user tmpfs type that the user has full access. @@ -108616,7 +109273,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<template name="userdom_basic_networking_template" lineno="561"> +<template name="userdom_basic_networking_template" lineno="568"> <summary> The template allowing the user basic network permissions @@ -108629,7 +109286,7 @@ is the prefix for user_t). </param> <rolebase/> </template> -<template name="userdom_change_password_template" lineno="601"> +<template name="userdom_change_password_template" lineno="608"> <summary> The template for allowing the user to change passwords. </summary> @@ -108641,7 +109298,7 @@ is the prefix for user_t). </param> <rolebase/> </template> -<template name="userdom_common_user_template" lineno="631"> +<template name="userdom_common_user_template" lineno="638"> <summary> The template containing rules common to unprivileged users and administrative users. @@ -108659,7 +109316,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_login_user_template" lineno="958"> +<template name="userdom_login_user_template" lineno="965"> <summary> The template for creating a login user. </summary> @@ -108677,7 +109334,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_restricted_user_template" lineno="1081"> +<template name="userdom_restricted_user_template" lineno="1089"> <summary> The template for creating a unprivileged login user. </summary> 
@@ -108695,7 +109352,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_restricted_xwindows_user_template" lineno="1122"> +<template name="userdom_restricted_xwindows_user_template" lineno="1130"> <summary> The template for creating a unprivileged xwindows login user. </summary> @@ -108716,7 +109373,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_unpriv_user_template" lineno="1205"> +<template name="userdom_unpriv_user_template" lineno="1211"> <summary> The template for creating a unprivileged user roughly equivalent to a regular linux user. @@ -108739,7 +109396,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_admin_user_template" lineno="1325"> +<template name="userdom_admin_user_template" lineno="1331"> <summary> The template for creating an administrative user. </summary> @@ -108768,7 +109425,7 @@ is the prefix for sysadm_t). </summary> </param> </template> -<interface name="userdom_security_admin_template" lineno="1506"> +<interface name="userdom_security_admin_template" lineno="1512"> <summary> Allow user to run as a secadm </summary> @@ -108794,7 +109451,7 @@ The role of the object to create. </summary> </param> </interface> -<template name="userdom_xdg_user_template" lineno="1609"> +<template name="userdom_xdg_user_template" lineno="1615"> <summary> Allow user to interact with xdg content types </summary> @@ -108815,7 +109472,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="userdom_user_application_type" lineno="1658"> +<interface name="userdom_user_application_type" lineno="1664"> <summary> Make the specified type usable as a user application domain type. 
@@ -108826,7 +109483,7 @@ Type to be used as a user application domain. </summary> </param> </interface> -<interface name="userdom_user_application_domain" lineno="1679"> +<interface name="userdom_user_application_domain" lineno="1685"> <summary> Make the specified type usable as a user application domain. @@ -108842,7 +109499,7 @@ Type to be used as the domain entry point. </summary> </param> </interface> -<interface name="userdom_user_home_content" lineno="1696"> +<interface name="userdom_user_home_content" lineno="1702"> <summary> Make the specified type usable in a user home directory. @@ -108854,7 +109511,7 @@ user home directory. </summary> </param> </interface> -<interface name="userdom_user_tmp_file" lineno="1722"> +<interface name="userdom_user_tmp_file" lineno="1728"> <summary> Make the specified type usable as a user temporary file. @@ -108866,7 +109523,7 @@ temporary directories. </summary> </param> </interface> -<interface name="userdom_user_tmpfs_file" lineno="1739"> +<interface name="userdom_user_tmpfs_file" lineno="1745"> <summary> Make the specified type usable as a user tmpfs file. @@ -108878,7 +109535,7 @@ tmpfs directories. </summary> </param> </interface> -<interface name="userdom_attach_admin_tun_iface" lineno="1754"> +<interface name="userdom_attach_admin_tun_iface" lineno="1760"> <summary> Allow domain to attach to TUN devices created by administrative users. </summary> @@ -108888,7 +109545,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_setattr_user_ptys" lineno="1773"> +<interface name="userdom_setattr_user_ptys" lineno="1779"> <summary> Set the attributes of a user pty. </summary> @@ -108898,7 +109555,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_create_user_pty" lineno="1791"> +<interface name="userdom_create_user_pty" lineno="1797"> <summary> Create a user pty. </summary> 
@@ -108908,7 +109565,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_user_home_dirs" lineno="1809"> +<interface name="userdom_getattr_user_home_dirs" lineno="1815"> <summary> Get the attributes of user home directories. </summary> @@ -108918,7 +109575,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1828"> +<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1834"> <summary> Do not audit attempts to get the attributes of user home directories. </summary> @@ -108928,7 +109585,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_search_user_home_dirs" lineno="1846"> +<interface name="userdom_search_user_home_dirs" lineno="1852"> <summary> Search user home directories. </summary> @@ -108938,7 +109595,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1873"> +<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1879"> <summary> Do not audit attempts to search user home directories. </summary> @@ -108956,7 +109613,7 @@ Domain to not audit. </param> <infoflow type="none"/> </interface> -<interface name="userdom_list_user_home_dirs" lineno="1891"> +<interface name="userdom_list_user_home_dirs" lineno="1897"> <summary> List user home directories. </summary> @@ -108966,7 +109623,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1910"> +<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1916"> <summary> Do not audit attempts to list user home subdirectories. </summary> @@ -108976,7 +109633,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_create_user_home_dirs" lineno="1928"> +<interface name="userdom_create_user_home_dirs" lineno="1934"> <summary> Create user home directories. </summary> 
@@ -108986,7 +109643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_dirs" lineno="1946"> +<interface name="userdom_manage_user_home_dirs" lineno="1952"> <summary> Manage user home directories. </summary> @@ -108996,7 +109653,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1965"> +<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1971"> <summary> Do not audit attempts to manage user home directories. @@ -109007,7 +109664,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_relabelto_user_home_dirs" lineno="1983"> +<interface name="userdom_relabelto_user_home_dirs" lineno="1989"> <summary> Relabel to user home directories. </summary> @@ -109017,7 +109674,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_home_filetrans_user_home_dir" lineno="2007"> +<interface name="userdom_home_filetrans_user_home_dir" lineno="2013"> <summary> Create directories in the home dir root with the user home directory type. @@ -109033,7 +109690,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_domtrans" lineno="2044"> +<interface name="userdom_user_home_domtrans" lineno="2050"> <summary> Do a domain transition to the specified domain when executing a program in the @@ -109062,7 +109719,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_home_content" lineno="2064"> +<interface name="userdom_dontaudit_search_user_home_content" lineno="2070"> <summary> Do not audit attempts to search user home content directories. </summary> 
@@ -109072,7 +109729,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_list_all_user_home_content" lineno="2082"> +<interface name="userdom_list_all_user_home_content" lineno="2088"> <summary> List all users home content directories. </summary> @@ -109082,7 +109739,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_user_home_content" lineno="2101"> +<interface name="userdom_list_user_home_content" lineno="2107"> <summary> List contents of users home directory. </summary> @@ -109092,7 +109749,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_dirs" lineno="2120"> +<interface name="userdom_manage_user_home_content_dirs" lineno="2126"> <summary> Create, read, write, and delete directories in a user home subdirectory. @@ -109103,7 +109760,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_dirs" lineno="2139"> +<interface name="userdom_delete_all_user_home_content_dirs" lineno="2145"> <summary> Delete all user home content directories. </summary> @@ -109113,7 +109770,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_dirs" lineno="2159"> +<interface name="userdom_delete_user_home_content_dirs" lineno="2165"> <summary> Delete directories in a user home subdirectory. </summary> @@ -109123,7 +109780,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2177"> +<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2183"> <summary> Set attributes of all user home content directories. </summary> 
@@ -109133,7 +109790,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2197"> +<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2203"> <summary> Do not audit attempts to set the attributes of user home files. @@ -109144,7 +109801,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_map_user_home_content_files" lineno="2215"> +<interface name="userdom_map_user_home_content_files" lineno="2221"> <summary> Map user home files. </summary> @@ -109154,7 +109811,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_mmap_user_home_content_files" lineno="2233"> +<interface name="userdom_mmap_user_home_content_files" lineno="2239"> <summary> Mmap user home files. </summary> @@ -109164,7 +109821,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_home_content_files" lineno="2252"> +<interface name="userdom_read_user_home_content_files" lineno="2258"> <summary> Read user home files. </summary> @@ -109174,7 +109831,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2271"> +<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2277"> <summary> Do not audit attempts to read user home files. </summary> @@ -109184,7 +109841,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_all_user_home_content" lineno="2290"> +<interface name="userdom_read_all_user_home_content" lineno="2296"> <summary> Read all user home content, including application-specific resources. </summary> 
@@ -109194,7 +109851,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_manage_all_user_home_content" lineno="2312"> +<interface name="userdom_manage_all_user_home_content" lineno="2318"> <summary> Manage all user home content, including application-specific resources. </summary> @@ -109204,7 +109861,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_map_all_user_home_content_files" lineno="2334"> +<interface name="userdom_map_all_user_home_content_files" lineno="2340"> <summary> Map all user home content, including application-specific resources. </summary> @@ -109214,7 +109871,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2352"> +<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2358"> <summary> Do not audit attempts to append user home files. </summary> @@ -109224,7 +109881,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2370"> +<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2376"> <summary> Do not audit attempts to write user home files. </summary> @@ -109234,7 +109891,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_files" lineno="2388"> +<interface name="userdom_delete_all_user_home_content_files" lineno="2394"> <summary> Delete all user home content files. </summary> @@ -109244,7 +109901,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_files" lineno="2408"> +<interface name="userdom_delete_user_home_content_files" lineno="2414"> <summary> Delete files in a user home subdirectory. </summary> 
@@ -109254,7 +109911,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_generic_user_home_dirs" lineno="2426"> +<interface name="userdom_relabel_generic_user_home_dirs" lineno="2432"> <summary> Relabel generic user home dirs. </summary> @@ -109264,7 +109921,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_generic_user_home_files" lineno="2444"> +<interface name="userdom_relabel_generic_user_home_files" lineno="2450"> <summary> Relabel generic user home files. </summary> @@ -109274,7 +109931,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2462"> +<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2468"> <summary> Do not audit attempts to relabel user home files. </summary> @@ -109284,7 +109941,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_home_content_symlinks" lineno="2480"> +<interface name="userdom_read_user_home_content_symlinks" lineno="2486"> <summary> Read user home subdirectory symbolic links. </summary> @@ -109294,7 +109951,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_exec_user_home_content_files" lineno="2500"> +<interface name="userdom_exec_user_home_content_files" lineno="2506"> <summary> Execute user home files. </summary> @@ -109305,7 +109962,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2527"> +<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2533"> <summary> Do not audit attempts to execute user home files. </summary> 
@@ -109315,7 +109972,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_files" lineno="2546"> +<interface name="userdom_manage_user_home_content_files" lineno="2552"> <summary> Create, read, write, and delete files in a user home subdirectory. @@ -109326,7 +109983,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2567"> +<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2573"> <summary> Do not audit attempts to create, read, write, and delete directories in a user home subdirectory. @@ -109337,7 +109994,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_symlinks" lineno="2586"> +<interface name="userdom_manage_user_home_content_symlinks" lineno="2592"> <summary> Create, read, write, and delete symbolic links in a user home subdirectory. @@ -109348,7 +110005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2606"> +<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2612"> <summary> Delete all user home content symbolic links. </summary> @@ -109358,7 +110015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_symlinks" lineno="2626"> +<interface name="userdom_delete_user_home_content_symlinks" lineno="2632"> <summary> Delete symbolic links in a user home directory. </summary> @@ -109368,7 +110025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_pipes" lineno="2645"> +<interface name="userdom_manage_user_home_content_pipes" lineno="2651"> <summary> Create, read, write, and delete named pipes in a user home subdirectory. 
@@ -109379,7 +110036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_sockets" lineno="2666"> +<interface name="userdom_manage_user_home_content_sockets" lineno="2672"> <summary> Create, read, write, and delete named sockets in a user home subdirectory. @@ -109390,7 +110047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans" lineno="2703"> +<interface name="userdom_user_home_dir_filetrans" lineno="2709"> <summary> Create objects in a user home directory with an automatic type transition to @@ -109417,7 +110074,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_content_filetrans" lineno="2740"> +<interface name="userdom_user_home_content_filetrans" lineno="2746"> <summary> Create objects in a directory located in a user home directory with an @@ -109445,7 +110102,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2771"> +<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2777"> <summary> Automatically use the user_cert_t label for selected resources created in a users home directory @@ -109466,7 +110123,7 @@ Name of the resource that is being created </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2801"> +<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2807"> <summary> Create objects in a user home directory with an automatic type transition to @@ -109488,7 +110145,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_exec_user_bin_files" lineno="2820"> +<interface name="userdom_exec_user_bin_files" lineno="2826"> <summary> Execute user executable files. </summary> 
@@ -109498,7 +110155,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_bin" lineno="2840"> +<interface name="userdom_manage_user_bin" lineno="2846"> <summary> Manage user executable files. </summary> @@ -109508,7 +110165,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_certs" lineno="2862"> +<interface name="userdom_read_user_certs" lineno="2868"> <summary> Read user SSL certificates. </summary> @@ -109519,7 +110176,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_dontaudit_manage_user_certs" lineno="2885"> +<interface name="userdom_dontaudit_manage_user_certs" lineno="2891"> <summary> Do not audit attempts to manage the user SSL certificates. @@ -109531,7 +110188,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_manage_user_certs" lineno="2905"> +<interface name="userdom_manage_user_certs" lineno="2911"> <summary> Manage user SSL certificates. </summary> @@ -109541,7 +110198,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_write_user_tmp_sockets" lineno="2926"> +<interface name="userdom_write_user_tmp_sockets" lineno="2932"> <summary> Write to user temporary named sockets. </summary> @@ -109551,7 +110208,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_user_tmp" lineno="2946"> +<interface name="userdom_list_user_tmp" lineno="2952"> <summary> List user temporary directories. </summary> @@ -109561,7 +110218,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_list_user_tmp" lineno="2968"> +<interface name="userdom_dontaudit_list_user_tmp" lineno="2974"> <summary> Do not audit attempts to list user temporary directories. 
@@ -109572,7 +110229,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_dirs" lineno="2986"> +<interface name="userdom_delete_user_tmp_dirs" lineno="2992"> <summary> Delete users temporary directories. </summary> @@ -109582,7 +110239,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3005"> +<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3011"> <summary> Do not audit attempts to manage users temporary directories. @@ -109593,7 +110250,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_tmp_files" lineno="3023"> +<interface name="userdom_read_user_tmp_files" lineno="3029"> <summary> Read user temporary files. </summary> @@ -109603,7 +110260,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_map_user_tmp_files" lineno="3044"> +<interface name="userdom_map_user_tmp_files" lineno="3050"> <summary> Map user temporary files. </summary> @@ -109613,7 +110270,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3063"> +<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3069"> <summary> Do not audit attempts to read users temporary files. @@ -109624,7 +110281,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3082"> +<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3088"> <summary> Do not audit attempts to append users temporary files. @@ -109635,7 +110292,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_rw_user_tmp_files" lineno="3100"> +<interface name="userdom_rw_user_tmp_files" lineno="3106"> <summary> Read and write user temporary files. </summary> 
@@ -109645,7 +110302,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_files" lineno="3121"> +<interface name="userdom_delete_user_tmp_files" lineno="3127"> <summary> Delete users temporary files. </summary> @@ -109655,7 +110312,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3140"> +<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3146"> <summary> Do not audit attempts to manage users temporary files. @@ -109666,7 +110323,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_tmp_symlinks" lineno="3158"> +<interface name="userdom_read_user_tmp_symlinks" lineno="3164"> <summary> Read user temporary symbolic links. </summary> @@ -109676,7 +110333,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_symlinks" lineno="3179"> +<interface name="userdom_delete_user_tmp_symlinks" lineno="3185"> <summary> Delete users temporary symbolic links. </summary> @@ -109686,7 +110343,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_dirs" lineno="3198"> +<interface name="userdom_manage_user_tmp_dirs" lineno="3204"> <summary> Create, read, write, and delete user temporary directories. @@ -109697,7 +110354,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_named_pipes" lineno="3218"> +<interface name="userdom_delete_user_tmp_named_pipes" lineno="3224"> <summary> Delete users temporary named pipes. </summary> @@ -109707,7 +110364,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_files" lineno="3237"> +<interface name="userdom_manage_user_tmp_files" lineno="3243"> <summary> Create, read, write, and delete user temporary files. 
@@ -109718,7 +110375,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_named_sockets" lineno="3257"> +<interface name="userdom_delete_user_tmp_named_sockets" lineno="3263"> <summary> Delete users temporary named sockets. </summary> @@ -109728,7 +110385,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_symlinks" lineno="3276"> +<interface name="userdom_manage_user_tmp_symlinks" lineno="3282"> <summary> Create, read, write, and delete user temporary symbolic links. @@ -109739,7 +110396,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3297"> +<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3303"> <summary> Do not audit attempts to read and write temporary pipes. @@ -109750,7 +110407,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_pipes" lineno="3316"> +<interface name="userdom_manage_user_tmp_pipes" lineno="3322"> <summary> Create, read, write, and delete user temporary named pipes. @@ -109761,7 +110418,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_sockets" lineno="3337"> +<interface name="userdom_manage_user_tmp_sockets" lineno="3343"> <summary> Create, read, write, and delete user temporary named sockets. @@ -109772,7 +110429,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_tmp_filetrans" lineno="3374"> +<interface name="userdom_user_tmp_filetrans" lineno="3380"> <summary> Create objects in a user temporary directory with an automatic type transition to 
@@ -109799,7 +110456,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_tmp_filetrans_user_tmp" lineno="3406"> +<interface name="userdom_tmp_filetrans_user_tmp" lineno="3412"> <summary> Create objects in the temporary directory with an automatic type transition to @@ -109821,7 +110478,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_map_user_tmpfs_files" lineno="3424"> +<interface name="userdom_map_user_tmpfs_files" lineno="3430"> <summary> Map user tmpfs files. </summary> @@ -109831,7 +110488,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_tmpfs_files" lineno="3442"> +<interface name="userdom_read_user_tmpfs_files" lineno="3448"> <summary> Read user tmpfs files. </summary> @@ -109841,7 +110498,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3462"> +<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3468"> <summary> dontaudit Read attempts of user tmpfs files. </summary> @@ -109851,7 +110508,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3481"> +<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3487"> <summary> relabel to/from user tmpfs dirs </summary> @@ -109861,7 +110518,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_tmpfs_files" lineno="3500"> +<interface name="userdom_relabel_user_tmpfs_files" lineno="3506"> <summary> relabel to/from user tmpfs files </summary> @@ -109871,7 +110528,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_runtime_content" lineno="3522"> +<interface name="userdom_user_runtime_content" lineno="3528"> <summary> Make the specified type usable in the directory /run/user/%{USERID}/. 
@@ -109883,7 +110540,7 @@ user_runtime_content_dir_t. </summary> </param> </interface> -<interface name="userdom_search_user_runtime" lineno="3542"> +<interface name="userdom_search_user_runtime" lineno="3548"> <summary> Search users runtime directories. </summary> @@ -109893,7 +110550,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_user_runtime_root" lineno="3561"> +<interface name="userdom_search_user_runtime_root" lineno="3567"> <summary> Search user runtime root directories. </summary> @@ -109903,7 +110560,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3581"> +<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3587"> <summary> Do not audit attempts to search user runtime root directories. @@ -109914,7 +110571,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_runtime_root_dirs" lineno="3600"> +<interface name="userdom_manage_user_runtime_root_dirs" lineno="3606"> <summary> Create, read, write, and delete user runtime root dirs. @@ -109925,7 +110582,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3619"> +<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3625"> <summary> Relabel to and from user runtime root dirs. </summary> @@ -109935,7 +110592,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_runtime_dirs" lineno="3638"> +<interface name="userdom_manage_user_runtime_dirs" lineno="3644"> <summary> Create, read, write, and delete user runtime dirs. @@ -109946,7 +110603,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_mounton_user_runtime_dirs" lineno="3658"> +<interface name="userdom_mounton_user_runtime_dirs" lineno="3664"> <summary> Mount a filesystem on user runtime dir directories. 
@@ -109957,7 +110614,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabelto_user_runtime_dirs" lineno="3676"> +<interface name="userdom_relabelto_user_runtime_dirs" lineno="3682"> <summary> Relabel to user runtime directories. </summary> @@ -109967,7 +110624,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3694"> +<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3700"> <summary> Relabel from user runtime directories. </summary> @@ -109977,7 +110634,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_runtime_files" lineno="3712"> +<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3718"> +<summary> +write user runtime socket files +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="userdom_delete_user_runtime_files" lineno="3737"> <summary> delete user runtime files </summary> @@ -109987,7 +110654,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_all_user_runtime" lineno="3731"> +<interface name="userdom_search_all_user_runtime" lineno="3756"> <summary> Search users runtime directories. </summary> @@ -109997,7 +110664,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_all_user_runtime" lineno="3750"> +<interface name="userdom_list_all_user_runtime" lineno="3775"> <summary> List user runtime directories. </summary> @@ -110007,7 +110674,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_dirs" lineno="3769"> +<interface name="userdom_delete_all_user_runtime_dirs" lineno="3794"> <summary> delete user runtime directories </summary> 
@@ -110017,7 +110684,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_files" lineno="3787"> +<interface name="userdom_delete_all_user_runtime_files" lineno="3812"> <summary> delete user runtime files </summary> @@ -110027,7 +110694,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3805"> +<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3830"> <summary> delete user runtime symlink files </summary> @@ -110037,7 +110704,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3823"> +<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3848"> <summary> delete user runtime fifo files </summary> @@ -110047,7 +110714,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3841"> +<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3866"> <summary> delete user runtime socket files </summary> @@ -110057,7 +110724,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3859"> +<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3884"> <summary> delete user runtime blk files </summary> @@ -110067,7 +110734,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3877"> +<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3902"> <summary> delete user runtime chr files </summary> 
@@ -110077,7 +110744,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3907"> +<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3932"> <summary> Create objects in the runtime directory with an automatic type transition to @@ -110099,7 +110766,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_filetrans" lineno="3943"> +<interface name="userdom_user_runtime_filetrans" lineno="3968"> <summary> Create objects in a user runtime directory with an automatic type @@ -110127,7 +110794,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3974"> +<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3999"> <summary> Create objects in the user runtime directory with an automatic type transition to @@ -110149,7 +110816,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4004"> +<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4029"> <summary> Create objects in the user runtime root directory with an automatic type transition @@ -110171,7 +110838,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_run_filetrans_user_runtime" lineno="4035"> +<interface name="userdom_user_run_filetrans_user_runtime" lineno="4060"> <summary> Create objects in the user runtime root directory with an automatic type transition @@ -110193,7 +110860,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_rw_user_tmpfs_files" lineno="4053"> +<interface name="userdom_rw_user_tmpfs_files" lineno="4078"> <summary> Read and write user tmpfs files. </summary> 
@@ -110203,7 +110870,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmpfs_files" lineno="4074"> +<interface name="userdom_delete_user_tmpfs_files" lineno="4099"> <summary> Delete user tmpfs files. </summary> @@ -110213,7 +110880,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmpfs_files" lineno="4093"> +<interface name="userdom_manage_user_tmpfs_files" lineno="4118"> <summary> Create, read, write, and delete user tmpfs files. </summary> @@ -110223,7 +110890,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_user_ttys" lineno="4113"> +<interface name="userdom_getattr_user_ttys" lineno="4138"> <summary> Get the attributes of a user domain tty. </summary> @@ -110233,7 +110900,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4131"> +<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4156"> <summary> Do not audit attempts to get the attributes of a user domain tty. </summary> @@ -110243,7 +110910,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_setattr_user_ttys" lineno="4149"> +<interface name="userdom_setattr_user_ttys" lineno="4174"> <summary> Set the attributes of a user domain tty. </summary> @@ -110253,7 +110920,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4167"> +<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4192"> <summary> Do not audit attempts to set the attributes of a user domain tty. </summary> @@ -110263,7 +110930,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_use_user_ttys" lineno="4185"> +<interface name="userdom_use_user_ttys" lineno="4210"> <summary> Read and write a user domain tty. </summary> 
@@ -110273,7 +110940,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_user_ptys" lineno="4203"> +<interface name="userdom_use_user_ptys" lineno="4228"> <summary> Read and write a user domain pty. </summary> @@ -110283,7 +110950,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_inherited_user_terminals" lineno="4238"> +<interface name="userdom_use_inherited_user_terminals" lineno="4263"> <summary> Read and write a user TTYs and PTYs. </summary> @@ -110309,7 +110976,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="userdom_use_user_terminals" lineno="4279"> +<interface name="userdom_use_user_terminals" lineno="4304"> <summary> Read, write and open a user TTYs and PTYs. </summary> @@ -110341,7 +111008,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="userdom_dontaudit_use_user_terminals" lineno="4295"> +<interface name="userdom_dontaudit_use_user_terminals" lineno="4320"> <summary> Do not audit attempts to read and write a user domain tty and pty. @@ -110352,7 +111019,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_lock_user_terminals" lineno="4314"> +<interface name="userdom_lock_user_terminals" lineno="4339"> <summary> Lock user TTYs and PTYs. </summary> @@ -110362,7 +111029,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_spec_domtrans_all_users" lineno="4335"> +<interface name="userdom_spec_domtrans_all_users" lineno="4360"> <summary> Execute a shell in all user domains. This is an explicit transition, requiring the 
@@ -110374,7 +111041,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4358"> +<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4383"> <summary> Execute an Xserver session in all user domains. This is an explicit transition, requiring the @@ -110386,7 +111053,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_spec_domtrans_unpriv_users" lineno="4381"> +<interface name="userdom_spec_domtrans_unpriv_users" lineno="4406"> <summary> Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the @@ -110398,7 +111065,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4404"> +<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4429"> <summary> Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the @@ -110410,7 +111077,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_rw_unpriv_user_semaphores" lineno="4425"> +<interface name="userdom_rw_unpriv_user_semaphores" lineno="4450"> <summary> Read and write unpriviledged user SysV sempaphores. </summary> @@ -110420,7 +111087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_unpriv_user_semaphores" lineno="4443"> +<interface name="userdom_manage_unpriv_user_semaphores" lineno="4468"> <summary> Manage unpriviledged user SysV sempaphores. </summary> @@ -110430,7 +111097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4462"> +<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4487"> <summary> Read and write unpriviledged user SysV shared memory segments. 
@@ -110441,7 +111108,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4481"> +<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4506"> <summary> Manage unpriviledged user SysV shared memory segments. @@ -110452,7 +111119,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4501"> +<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4526"> <summary> Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the @@ -110464,7 +111131,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4524"> +<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4549"> <summary> Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the @@ -110476,7 +111143,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_user_home_content" lineno="4545"> +<interface name="userdom_search_user_home_content" lineno="4570"> <summary> Search users home directories. </summary> @@ -110486,7 +111153,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_signull_unpriv_users" lineno="4564"> +<interface name="userdom_watch_user_home_dirs" lineno="4589"> +<summary> +watch users home directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="userdom_signull_unpriv_users" lineno="4607"> <summary> Send signull to unprivileged user domains. </summary> 
@@ -110496,7 +111173,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_signal_unpriv_users" lineno="4582"> +<interface name="userdom_signal_unpriv_users" lineno="4625"> <summary> Send general signals to unprivileged user domains. </summary> @@ -110506,7 +111183,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_unpriv_users_fds" lineno="4600"> +<interface name="userdom_use_unpriv_users_fds" lineno="4643"> <summary> Inherit the file descriptors from unprivileged user domains. </summary> @@ -110516,7 +111193,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4628"> +<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4671"> <summary> Do not audit attempts to inherit the file descriptors from unprivileged user domains. @@ -110536,7 +111213,7 @@ Domain to not audit. </param> <infoflow type="none"/> </interface> -<interface name="userdom_dontaudit_use_user_ptys" lineno="4646"> +<interface name="userdom_dontaudit_use_user_ptys" lineno="4689"> <summary> Do not audit attempts to use user ptys. </summary> @@ -110546,7 +111223,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_relabelto_user_ptys" lineno="4664"> +<interface name="userdom_relabelto_user_ptys" lineno="4707"> <summary> Relabel files to unprivileged user pty types. </summary> @@ -110556,7 +111233,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4683"> +<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4726"> <summary> Do not audit attempts to relabel files from user pty types. 
@@ -110567,7 +111244,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_write_user_tmp_files" lineno="4701"> +<interface name="userdom_write_user_tmp_files" lineno="4744"> <summary> Write all users files in /tmp </summary> @@ -110577,7 +111254,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4720"> +<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4763"> <summary> Do not audit attempts to write users temporary files. @@ -110588,7 +111265,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_user_ttys" lineno="4738"> +<interface name="userdom_dontaudit_use_user_ttys" lineno="4781"> <summary> Do not audit attempts to use user ttys. </summary> @@ -110598,7 +111275,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_all_users_state" lineno="4756"> +<interface name="userdom_read_all_users_state" lineno="4799"> <summary> Read the process state of all user domains. </summary> @@ -110608,7 +111285,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_all_users" lineno="4776"> +<interface name="userdom_getattr_all_users" lineno="4819"> <summary> Get the attributes of all user domains. </summary> @@ -110618,7 +111295,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_all_users_fds" lineno="4794"> +<interface name="userdom_use_all_users_fds" lineno="4837"> <summary> Inherit the file descriptors from all user domains </summary> @@ -110628,7 +111305,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_all_users_fds" lineno="4813"> +<interface name="userdom_dontaudit_use_all_users_fds" lineno="4856"> <summary> Do not audit attempts to inherit the file descriptors from any user domains. 
@@ -110639,7 +111316,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_signal_all_users" lineno="4831"> +<interface name="userdom_signal_all_users" lineno="4874"> <summary> Send general signals to all user domains. </summary> @@ -110649,7 +111326,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_sigchld_all_users" lineno="4849"> +<interface name="userdom_sigchld_all_users" lineno="4892"> <summary> Send a SIGCHLD signal to all user domains. </summary> @@ -110659,7 +111336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_all_users_keys" lineno="4867"> +<interface name="userdom_read_all_users_keys" lineno="4910"> <summary> Read keys for all user domains. </summary> @@ -110669,7 +111346,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_write_all_users_keys" lineno="4885"> +<interface name="userdom_write_all_users_keys" lineno="4928"> <summary> Write keys for all user domains. </summary> @@ -110679,7 +111356,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_rw_all_users_keys" lineno="4903"> +<interface name="userdom_rw_all_users_keys" lineno="4946"> <summary> Read and write keys for all user domains. </summary> @@ -110689,7 +111366,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_create_all_users_keys" lineno="4921"> +<interface name="userdom_create_all_users_keys" lineno="4964"> <summary> Create keys for all user domains. </summary> @@ -110699,7 +111376,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_all_users_keys" lineno="4939"> +<interface name="userdom_manage_all_users_keys" lineno="4982"> <summary> Manage keys for all user domains. </summary> 
@@ -110709,7 +111386,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dbus_send_all_users" lineno="4957"> +<interface name="userdom_dbus_send_all_users" lineno="5000"> <summary> Send a dbus message to all user domains. </summary> @@ -110719,7 +111396,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_chr_files" lineno="4979"> +<interface name="userdom_manage_user_tmp_chr_files" lineno="5022"> <summary> Create, read, write, and delete user temporary character files. @@ -110730,7 +111407,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_certs" lineno="5000"> +<interface name="userdom_relabel_user_certs" lineno="5043"> <summary> Allow relabeling resources to user_cert_t </summary> @@ -110740,7 +111417,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5023"> +<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5066"> <summary> Do not audit attempts to read and write unserdomain stream. @@ -110765,6 +111442,13 @@ Allow users to connect to PostgreSQL </p> </desc> </tunable> +<tunable name="user_all_users_send_syslog" dftval="true"> +<desc> +<p> +Allow all users to send syslog messages +</p> +</desc> +</tunable> <tunable name="user_direct_mouse" dftval="false"> <desc> <p> diff --git a/policy/booleans.conf b/policy/booleans.conf index 7ef0cb2d..f244d9c5 100644 --- a/policy/booleans.conf +++ b/policy/booleans.conf @@ -552,6 +552,12 @@ openoffice_manage_all_user_content = false pulseaudio_execmem = false # +# Determine whether pulseaudio +# can use the network. +# +pulseaudio_can_network = false + +# # Determine whether qemu has full # access to the network. # 
@@ -1261,11 +1267,24 @@ container_use_dri = false container_use_ecryptfs = false # +# Allow containers to use all capabilities in a +# non-namespaced context for various privileged operations +# directly on the host. +# +container_use_host_all_caps = false + +# # Allow containers to use huge pages. # container_use_hugetlbfs = false # +# Allow containers to use the mknod syscall, e.g. for +# creating special device files. +# +container_use_mknod = false + +# # Allow containers to use NFS filesystems. # container_use_nfs = false @@ -1276,6 +1295,33 @@ container_use_nfs = false container_use_samba = false # +# Allow containers to use the sysadmin capability, e.g. +# for mounting filesystems. +# +container_use_sysadmin = false + +# +# Allow containers to use all capabilities in a +# namespaced context for various privileged operations +# within the container itself. +# +container_use_userns_all_caps = false + +# +# Allow containers to use the mknod syscall in a +# namespaced context, e.g. for creating special device +# files within the container itself. +# +container_use_userns_mknod = false + +# +# Allow containers to use the sysadmin capability in a +# namespaced context, e.g. for mounting filesystems +# within the container itself. +# +container_use_userns_sysadmin = false + +# # Determine whether system cron jobs # can relabel filesystem for # restoring file contexts. @@ -1330,6 +1376,14 @@ allow_cvs_read_shadow = false allow_httpd_cvs_script_anon_write = false # +# Determine whether the dbus server +# can use the network (insecure +# except than in the case of the +# loopback interface). +# +dbus_can_network = false + +# # Allow dbus-daemon system bus to access /dev/net/tun # which is needed to pass tun/tap device file descriptors # over D-Bus. This is needed by openvpn3-linux. 
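Review bot: The comments added for `container_use_host_all_caps` (this hunk) and `container_use_sysadmin` (next hunk, `@@ -1276,6 +1295,33 @@`) carry no risk marker, although other booleans added in this diff are tagged `(insecure)` or `(dangerous)`. The first is described as acting "directly on the host", and the second, judging by its separate `container_use_userns_sysadmin` sibling, appears to be the non-namespaced form too. An administrator scanning the file should be able to tell these weaken container confinement more than the `userns` variants do. I would end the two comments with `# directly on the host (dangerous).` and `# for mounting filesystems (dangerous).`. If booleans.conf is generated from the module's tunable declarations, the wording should change there rather than here.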
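Review bot: The comment added for `dbus_can_network` in the `@@ -1330,6 +1376,14 @@` hunk reads "insecure except than in the case of the loopback interface", which is ungrammatical and blurs the one exception it is trying to state. I would write its last two lines as `# can use the network (insecure` and `# except on the loopback interface).`. If this file is generated from the dbus module's tunable description, the fix belongs in that source text.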
@@ -1913,7 +1967,8 @@ allow_httpd_smokeping_cgi_script_anon_write = false # # Determine whether spamassassin -# clients can use the network. +# daemon or clients can use the +# network. # spamassassin_can_network = false @@ -1924,12 +1979,25 @@ spamassassin_can_network = false spamd_enable_home_dirs = false # +# Determine whether spamassassin +# can update the rules using the +# network. +# +spamassassin_network_update = true + +# # Determine whether extra rules should # be enabled to support rspamd. # rspamd_spamd = false # +# Determine whether execmem should be allowed +# Needed if LUA JIT is enabled for rspamd +# +spamd_execmem = false + +# # Determine whether squid can # connect to all TCP ports. # @@ -2058,15 +2126,33 @@ virt_use_vfio = false virt_use_evdev = false # +# Allows the X server to use TCP/IP +# networking functionality (insecure). +# +xserver_can_network = false + +# +# Allows the X display manager to use +# TCP/IP networking functionality (insecure). +# +xserver_xdm_can_network = false + +# +# Allow xdm logins as sysadm +# +xdm_sysadm_login = false + +# # Allows clients to write to the X server shared # memory segments. # allow_write_xshm = false # -# Allow xdm logins as sysadm +# Allows clients to write to the X server tmpfs +# files. # -xdm_sysadm_login = false +xserver_client_writes_xserver_tmpfs = false # # Use gnome-shell in gdm mode as the @@ -2132,6 +2218,12 @@ init_mounton_non_security = false racoon_read_shadow = false # +# Allows syslogd internet domain sockets +# functionality (dangerous). +# +logging_syslog_can_network = false + +# # Allow the mount command to mount any directory or file. # allow_mount_anyfile = false @@ -2196,6 +2288,11 @@ allow_user_mysql_connect = false allow_user_postgresql_connect = false # +# Allow all users to send syslog messages +# +user_all_users_send_syslog = true + +# # Allow regular users direct mouse access # user_direct_mouse = false 
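Review bot: `spamassassin_network_update = true` in the `@@ -1924,12 +1979,25 @@` hunk and `user_all_users_send_syslog = true` in `@@ -2196,6 +2288,11 @@` are the only booleans added to this file that ship enabled, and neither comment says so or why. For the first, `spamassassin_can_network` just above stays `false`, so a reader cannot tell from the file whether rule updates get network access regardless of that setting. I would add a line such as `# Enabled by default; see spamassassin_can_network for general network access.` once the relationship is confirmed against the module. For the second, a line like `# Enabled by default to keep existing logging behaviour.` would help if that is indeed the reason, which is not visible here. As with the other comments, the change may need to go into the tunable declarations this file is presumably generated from.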
diff --git a/policy/modules.conf b/policy/modules.conf index 055d20fa..8741c1eb 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -1513,6 +1513,13 @@ dovecot = module drbd = module # Layer: services +# Module: eg25manager +# +# Manager daemon for the Quectel EG25 modem +# +eg25manager = module + +# Layer: services # Module: entropyd # # Generate entropy from audio input. @@ -1695,6 +1702,13 @@ icecast = module ifplugd = module # Layer: services +# Module: iiosensorproxy +# +# IIO sensors to D-Bus proxy +# +iiosensorproxy = module + +# Layer: services # Module: inetd # # Internet services daemon. @@ -1821,6 +1835,13 @@ lircd = module lldpad = module # Layer: services +# Module: lowmemorymonitor +# +# low memory monitor daemon +# +lowmemorymonitor = module + +# Layer: services # Module: lpd # # Line printer daemon. @@ -2241,6 +2262,13 @@ postgresql = module postgrey = module # Layer: services +# Module: powerprofiles +# +# power profiles daemon +# +powerprofiles = module + +# Layer: services # Module: ppp # # Point to Point Protocol daemon creates links in ppp networks. @@ -2346,6 +2374,13 @@ radius = module radvd = module # Layer: services +# Module: rasdaemon +# +# RAS (Reliability, Availability and Serviceability) logging tool +# +rasdaemon = module + +# Layer: services # Module: razor # # A distributed, collaborative, spam detection and filtering network. @@ -2612,6 +2647,13 @@ stunnel = module svnserve = module # Layer: services +# Module: switcheroo +# +# switcheroo daemon +# +switcheroo = module + +# Layer: services # Module: sympa # # Sympa mailing list manager @@ -2668,6 +2710,13 @@ tftp = module tgtd = module # Layer: services +# Module: thunderbolt +# +# thunderbolt daemon +# +thunderbolt = module + +# Layer: services # Module: timidity # # MIDI to WAV converter and player configured as a service. |