This module contains basic filesystem types and interfaces. This includes:

- The concept of different file types, including basic files, mount points, tmp files, etc.
- Access to groups of files and to all files.
- Types and interfaces for the basic filesystem layout (/, /etc, /tmp, /usr, etc.).

This module is required to be included in all policies.
Allow the specified type to associate to a filesystem with the type of the temporary directory (/tmp).
Parameter: | Description:
---|---
file_type | Type of the file to associate.

Create an object in /boot with a private type, using an automatic type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object_class | The object class of the object being created.

Make the specified type a configuration file.
Parameter: | Description:
---|---
file_type | Type to be used as a configuration file.

Create directories in /boot.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create a boot flag, such as /.autorelabel or /.autofsck.
Parameter: | Description:
---|---
domain | Domain allowed access.

Install a kernel into the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Install a system.map into the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete all lock files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete all process ID directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete all process ID files.
Parameter: | Description:
---|---
domain | Domain allowed access.
Delete system configuration files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete files on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete a kernel from /boot.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete a system.map in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Remove entries from the root directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Remove entries from the tmp directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete generic directories in /usr in the caller domain.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete generic files in /usr in the caller domain.
Parameter: | Description:
---|---
domain | Domain allowed access.
Do not audit attempts to get the attributes of all directories.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all files.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all named pipes.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all named sockets.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all symbolic links.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all tmp files.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of all tmp named sockets.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of the /boot directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of directories with the default file type.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of files with the default file type.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of lost+found directories.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security block devices.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security character devices.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security files.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security named pipes.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security named sockets.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of non-security symbolic links.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of the /var/run directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to get the attributes of the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to ioctl daemon runtime data files.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to list the contents of directories with the default file type.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to list the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to list all non-security directories.
Parameter: | Description:
---|---
domain | Domain to not audit.
Do not audit attempts to list the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read all symbolic links.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read files with the default file type.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read files in /etc that are dynamically created on boot, such as mtab.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read files in the root directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read or write character device nodes in the root directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to write files in the root directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to read or write files in the root directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to add and remove entries from /usr directories.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the contents of any directories on extended attribute filesystems.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the /boot directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the locks directory (/var/lock).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search /mnt.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the /var/run directory.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search generic spool directories.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search /usr/src.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to search the contents of /var.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to write to daemon runtime data files.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to write generic files in /etc.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to write generic files in /usr.
Parameter: | Description:
---|---
domain | Domain to not audit.

Do not audit attempts to write to /var.
Parameter: | Description:
---|---
domain | Domain to not audit.
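The dontaudit interfaces above silence an audit message without granting anything, and the non-security variants deliberately keep security files (types marked with the security-file interface, such as the type of /etc/shadow) visible in the audit log. The following refpolicy-style module is an added example written by the editor, not code from the refpolicy files module or from any shipped module: a hypothetical disk-usage collector, dustat_t, that stat(2)s the whole tree. Interface names are not displayed on this page (only their descriptions survived extraction); the names used here are the refpolicy files-module names as the editor knows them, the module and its types are assumptions, and the AVC line in the comment is constructed rather than captured.

```m4
# Added example: hypothetical module "dustat" (not part of refpolicy).
#
# Constructed AVC message of the kind a tree walker produces when it
# stat(2)s /etc/shadow from a confined domain:
#
#   type=AVC msg=audit(0.0:1): avc:  denied  { getattr } for  pid=1234
#     comm="dustat" path="/etc/shadow" dev="dm-0" ino=42
#     scontext=system_u:system_r:dustat_t:s0
#     tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
#
policy_module(dustat, 1.0.0)

########################################
#
# Declarations
#

type dustat_t;
type dustat_exec_t;
init_daemon_domain(dustat_t, dustat_exec_t)

########################################
#
# Local policy
#

# Traversal it must have: search every directory on xattr filesystems and
# stat directories and symbolic links. These are grants; the syscalls succeed.
files_search_all(dustat_t)
files_getattr_all_dirs(dustat_t)
files_getattr_all_symlinks(dustat_t)

# Option A, grant: stat(2) succeeds on every file, shadow_t included.
# getattr exposes only metadata (size, mtime, mode), but it is still a
# permission on a security file and is the broader of the two choices.
# Commented out here in favour of option B.
#files_getattr_all_files(dustat_t)

# Option B, silence: the AVC message for non-security files is dropped and
# nothing is granted; stat(2) still fails with EACCES, and dustat must cope
# with that. The non_security variants leave security files (types marked
# with files_security_file(), e.g. shadow_t) out on purpose, so the denial
# shown above keeps appearing in the audit log where it belongs. This is the
# least-privilege choice when dustat does not need the sizes of such files.
files_dontaudit_getattr_non_security_files(dustat_t)
files_dontaudit_getattr_non_security_pipes(dustat_t)
files_dontaudit_getattr_non_security_sockets(dustat_t)
```

When a confined program misbehaves and the audit log is quiet, a dontaudit rule may be hiding the denial: rebuild the policy with dontaudit rules disabled (`semodule -DB`), reproduce the problem, read the denials, then restore them with `semodule -B`.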
Create objects in /etc with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
file_type | Private file type.
class | Object classes to be created.

Create /etc runtime objects with an automatic type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
object | The class of the object being created.

Execute generic files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Execute generic programs in /usr in the caller domain.
Parameter: | Description:
---|---
domain | Domain allowed access.

Execute programs in /usr/src in the caller domain.
Parameter: | Description:
---|---
domain | Domain allowed access.

Allow shared library text relocations in all files. This is added to support the WINE policy.
Parameter: | Description:
---|---
domain | Domain allowed access.
Get the attributes of all directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all filesystems with the type of a file.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all mount points.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all named pipes.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all named sockets.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all symbolic links.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of all tmp files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of directories with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of generic lock files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of lost+found directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of files in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of files in /usr/src.
Parameter: | Description:
---|---
domain | Domain allowed access.

Get the attributes of the /var/lib directory.
Parameter: | Description:
---|---
domain | Domain allowed access.
Create objects in /home with a private type using an automatic type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
home_type | The private type.
object | The class of the object being created.

Create objects in the kernel module directories with a private type via an automatic type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object_class | The object class of the object being created.

List the contents of all directories on extended attribute filesystems.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of directories with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of /etc directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of the kernel module directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

List all non-security directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of the runtime process ID directories (/var/run).
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of the root directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of generic spool (/var/spool) directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of generic directories in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of /var.
Parameter: | Description:
---|---
domain | Domain allowed access.

List the contents of the /var/lib directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

List world-readable directories.
Parameter: | Description:
---|---
domain | Domain allowed access.
Make the specified type usable for lock files.
Parameter: | Description:
---|---
type | Type to be used for lock files.

Create an object in the locks directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object | The object class of the object being created.

Manage all files on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.

Manage all lock files.
Parameter: | Description:
---|---
domain | Domain allowed access.
Create, read, write, and delete files in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete symbolic links in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete generic files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete files in /etc that are dynamically created on boot, such as mtab.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete symbolic links in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete generic lock files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete generic spool files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete generic spool directories (/var/spool).
Parameter: | Description:
---|---
domain | Domain allowed access.

Manage temporary directories in /tmp.
Parameter: | Description:
---|---
domain | The type of the process performing this action.

Manage temporary files and directories in /tmp.
Parameter: | Description:
---|---
domain | The type of the process performing this action.

Create, read, write, and delete block device nodes on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete character device nodes on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete files on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete symbolic links on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete objects in lost+found directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete directories in /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete files in /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete symbolic links in /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Allow the domain to manage the mount tables needed by rpcd, nfsd, etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete non-security directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create directories under /var/run.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete the pseudorandom number generator seed.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete files in the /usr directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete directories in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete files in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create, read, write, and delete symbolic links in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.
Mount all filesystems with the type of a file.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount a filesystem on all mount points.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount filesystems on all polyinstantiation member directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount a filesystem on a directory with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount a filesystem on a directory on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount a filesystem on /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Mount a filesystem on all non-security directories and files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Make the specified type usable for filesystem mount points.
Parameter: | Description:
---|---
type | Type to be used for mount points.

Make the specified type usable for runtime process ID files.
Parameter: | Description:
---|---
type | Type to be used for PID files.

Create an object in the process ID directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object | The object class of the object being created.

Make the specified type a polyinstantiated directory.
Parameter: | Description:
---|---
file_type | Type of the file to be used as a polyinstantiated directory.

Make the specified type a polyinstantiation member directory.
Parameter: | Description:
---|---
file_type | Type of the file to be used as a member directory.

Make the domain use the specified type of polyinstantiated directory.
Parameter: | Description:
---|---
domain | Domain using the polyinstantiated directory.
file_type | Type of the file to be used as a member directory.

Make the specified type a parent of a polyinstantiated directory.
Parameter: | Description:
---|---
file_type | Type of the file to be used as a parent directory.

Allow access to manage all polyinstantiated directories on the system.
Parameter: | Description:
---|---
domain | Domain allowed access.

Delete the contents of /tmp.
Parameter: | Description:
---|---
domain | Domain allowed access.
Read all block device nodes with file types.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all character device nodes with file types.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all directories on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.

Read all files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all files on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.

Read all lock files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all process ID files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all symbolic links.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all symbolic links on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.

Read all tmp files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read named pipes with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read sockets with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read symbolic links with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files in /etc that are dynamically created on boot, such as mtab.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read symbolic links in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic process ID files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic spool files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files in the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

Read symbolic links in the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read kernel files in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read system.map in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files in /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read all non-security files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic files in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files in /usr/src.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read symbolic links in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read files in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic files in /var/lib.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read generic symbolic links in /var/lib.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read symbolic links in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read world-readable files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read world-readable named pipes.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read world-readable sockets.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read world-readable symbolic links.
Parameter: | Description:
---|---
domain | Domain allowed access.
Relabel a filesystem from and to the type of a file.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel all files on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.

Relabel from and to generic files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel from and to kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel from files in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel a file from the type used in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel a filesystem to the type of a file.
Parameter: | Description:
---|---
domain | Domain allowed access.

Relabel a file to the type used in /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create an object in the root directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object | The object class of the object being created.

Read and write all files on the filesystem, except the listed exceptions.
Parameter: | Description:
---|---
domain | The type of the domain performing this action.
exception_types | The types to be excluded. Each type or attribute must be negated by the caller.
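The "except the listed exceptions" interfaces (read, manage, relabel, and read-write above) all take the exception list in the same form, and the requirement that the caller negate each type is easy to get wrong. The module below is an added example by the editor, not code from the refpolicy files module or from any shipped module: a hypothetical monitoring daemon, mon_t, that reads nearly everything but must never read /etc/shadow. Interface names are not shown on this page; the ones used are the refpolicy files-module names as the editor knows them, shadow_t is the real type of /etc/shadow from the authlogin module, and the module, its types and the expansion shown in the comments are assumptions for this example.

```m4
# Added example: hypothetical module "mon" (not part of refpolicy).
policy_module(mon, 1.0.0)

gen_require(`
	# Type of /etc/shadow, declared by the authlogin module. A real module
	# would normally reach it through authlogin's own interfaces; requiring
	# it directly is a shortcut taken for this example.
	type shadow_t;
')

########################################
#
# Declarations
#

type mon_t;
type mon_exec_t;
init_daemon_domain(mon_t, mon_exec_t)

########################################
#
# Local policy
#

# The *_except interfaces build their target set as { file_type $2 }, so the
# caller passes the exceptions already negated. These two calls expand to
# roughly:
#   allow mon_t { file_type -shadow_t }:dir  list_dir_perms;
#   allow mon_t { file_type -shadow_t }:file read_file_perms;
files_read_all_dirs_except(mon_t, -shadow_t)
files_read_all_files_except(mon_t, -shadow_t)

# Several exceptions are given as a space-separated list of negated types;
# the interface's own braces enclose them (mon_secret_t is hypothetical):
#   files_read_all_files_except(mon_t, -shadow_t -mon_secret_t)
#
# Passing the type without the minus sign is a silent no-op rather than an
# exclusion: { file_type shadow_t } is simply file_type again, because
# shadow_t already carries that attribute, so mon_t would read /etc/shadow.
```

After loading the module, confirm the exclusion with setools rather than trusting the source: `sesearch -A -s mon_t -t shadow_t -c file -p read` should print nothing, while `sesearch -A -s mon_t -t etc_t -c file -p read` shows the generated allow rule.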
Read and write symbolic links in the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Add and remove entries from /etc directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write generic files in /etc.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write files in /etc that are dynamically created on boot, such as mtab.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write generic process ID files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write generic named sockets in the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write block device nodes on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write directories on new filesystems that have not yet been labeled.
Parameter: | Description:
---|---
domain | Domain allowed access.

Add and remove entries in the /var/lock directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Add and remove entries from /usr directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Read and write files in the /var directory.
Parameter: | Description:
---|---
domain | Domain allowed access.
Search the contents of all directories on extended attribute filesystems.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search all mount points.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the /boot directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of directories with the default file type.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of /etc directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the home directories root (/home).
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of the kernel module directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the locks directory (/var/lock).
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of /mnt.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of runtime process ID directories (/var/run).
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of generic spool directories (/var/spool).
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the tmp directory (/tmp).
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of /usr.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the contents of /var.
Parameter: | Description:
---|---
domain | Domain allowed access.

Search the /var/lib directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Make the specified type a security file. Security files are excluded from the non-security dontaudit interfaces, so attempts by user domains to browse them are still audited.
Parameter: | Description:
---|---
file_type | Type of the file to be marked as a security file.

Make the specified type usable for filesystem mount points that are security files.
Parameter: | Description:
---|---
type | Type to be used for mount points.

Set the attributes of all tmp directories.
Parameter: | Description:
---|---
domain | Domain allowed access.

Set the attributes of the /etc directories.
Parameter: | Description:
---|---
domain | Domain allowed access.
Create objects in the spool directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
file | Type to which the created object will be transitioned.
class | Object class(es) (a single class, or a set in braces) for which the transition will occur.

Make the specified type a file used for temporary files.
Parameter: | Description:
---|---
file_type | Type of the file to be used as a temporary file.

Create an object in the tmp directories with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
private_type | The type of the object to be created.
object | The object class of the object being created.

Make the specified type a file for use on a virtual memory filesystem (tmpfs).
Parameter: | Description:
---|---
type | The type to be transformed.

Make the specified type usable for files in a filesystem.
Parameter: | Description:
---|---
type | Type to be used for files.

Unconfined access to files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Unmount all filesystems with the type of a file.
Parameter: | Description:
---|---
domain | Domain allowed access.

Unmount a rootfs filesystem.
Parameter: | Description:
---|---
domain | Domain allowed access.

Create objects in the /usr directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
file_type | The type of the object to be created.
object_class | The object class of the object being created.

Create objects in the /var directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
file_type | The type of the object to be created.
object_class | The object class of the object being created.

Create objects in the /var/lib directory with a private type using a type transition.
Parameter: | Description:
---|---
domain | Domain allowed access.
file_type | The type of the object to be created.
object_class | The object class of the object being created.
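The "make the specified type ..." interfaces (configuration file, lock file, PID file, tmp file, tmpfs file, generic file type) and the automatic type transition interfaces for /boot, /etc, /home, the kernel module directories, /var/lock, /var/run, /, /var/spool, /tmp, /usr, /var and /var/lib all serve one pattern: a domain owns private types for its files, and objects it creates in a shared directory receive that private type instead of the directory's generic type. The module below is an added example by the editor, not code from the refpolicy files module or from any shipped module: a hypothetical daemon, mydaemon_t, wired up for /etc, /var/run, /var/lock, /tmp and /var/lib. Interface names are not shown on this page; the ones used are the refpolicy files-module names as the editor knows them, and the module, its types and the paths in the comments are assumptions for this example.

```m4
# Added example: hypothetical module "mydaemon" (not part of refpolicy).
policy_module(mydaemon, 1.0.0)

########################################
#
# Declarations
#

type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private types for the daemon's own files. Each "make the specified type"
# interface adds the attribute that the generic interfaces key on
# (configfile, pidfile, lockfile, tmpfile, file_type), so e.g. the
# "delete all process ID files" or "read all lock files" interfaces used by
# other modules automatically cover these types as well.
type mydaemon_conf_t;          # /etc/mydaemon.conf
files_config_file(mydaemon_conf_t)

type mydaemon_runtime_t;       # /var/run/mydaemon/, /var/run/mydaemon.pid
files_pid_file(mydaemon_runtime_t)

type mydaemon_lock_t;          # /var/lock/mydaemon
files_lock_file(mydaemon_lock_t)

type mydaemon_tmp_t;           # /tmp/mydaemon.*
files_tmp_file(mydaemon_tmp_t)

type mydaemon_var_lib_t;       # /var/lib/mydaemon/
files_type(mydaemon_var_lib_t)

########################################
#
# Local policy
#

# Read its own configuration plus generic /etc files (resolv.conf, ...).
allow mydaemon_t mydaemon_conf_t:file read_file_perms;
files_read_etc_files(mydaemon_t)

# Full control over objects that already carry the private types ...
manage_dirs_pattern(mydaemon_t, mydaemon_runtime_t, mydaemon_runtime_t)
manage_files_pattern(mydaemon_t, mydaemon_runtime_t, mydaemon_runtime_t)
manage_files_pattern(mydaemon_t, mydaemon_lock_t, mydaemon_lock_t)
manage_dirs_pattern(mydaemon_t, mydaemon_tmp_t, mydaemon_tmp_t)
manage_files_pattern(mydaemon_t, mydaemon_tmp_t, mydaemon_tmp_t)
manage_dirs_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)
manage_files_pattern(mydaemon_t, mydaemon_var_lib_t, mydaemon_var_lib_t)

# ... and the transitions that give new objects those types at creation.
# Without them a fresh /var/run/mydaemon.pid would inherit var_run_t from
# its parent directory and none of the rules above would ever match it.
# Each *_filetrans interface also grants the add/remove-entry permissions on
# the generic parent directory (var_run_t, var_lock_t, tmp_t, var_lib_t)
# that creating there requires; it grants nothing on the parent's files.
files_pid_filetrans(mydaemon_t, mydaemon_runtime_t, { dir file })
files_lock_filetrans(mydaemon_t, mydaemon_lock_t, file)
files_tmp_filetrans(mydaemon_t, mydaemon_tmp_t, { dir file })
files_var_lib_filetrans(mydaemon_t, mydaemon_var_lib_t, dir)

# A configuration fragment the daemon itself writes into /etc at first
# start. Same mechanism, but note what it implies: the daemon may now add
# and remove entries in etc_t directories, so keep it out of modules whose
# domains should be read-only with respect to /etc.
files_etc_filetrans(mydaemon_t, mydaemon_conf_t, file)
allow mydaemon_t mydaemon_conf_t:file manage_file_perms;
```

Two things the transition rules do not do: they only label objects created by mydaemon_t after the policy is loaded, so the module's file contexts file (mydaemon.fc) still needs entries for these paths so that restorecon/setfiles label what is already on disk, and they do not apply to objects created by other domains in the same directories, which keep the generic type and are reached only through the generic /etc, /var/run, /var/lock, /tmp and /var/lib interfaces.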
Write kernel module files.
Parameter: | Description:
---|---
domain | Domain allowed access.

Allow attempts to modify any directory.
Parameter: | Description:
---|---
domain | Domain allowed access.

Allow attempts to write to /var directories.
Parameter: | Description:
---|---
domain | Domain allowed access.