author | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:06:53 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:06:53 -0500 |
commit | 9a2384303ee211148b6a85974028743d5a482317 (patch) | |
tree | 6b88892504bd1aeeb8af5d2cff212aa056ea1921 /doc | |
parent | Merge upstream (diff) | |
Update generated policy and doc files2.20240226-r1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/policy.xml | 4504 |
1 files changed, 2724 insertions, 1780 deletions
diff --git a/doc/policy.xml b/doc/policy.xml index 8ae22432..3966b118 100644 --- a/doc/policy.xml +++ b/doc/policy.xml @@ -942,7 +942,17 @@ Role allowed access. </module> <module name="cloudinit" filename="policy/modules/admin/cloudinit.if"> <summary>Init scripts for cloud VMs</summary> -<interface name="cloudinit_create_runtime_dirs" lineno="13"> +<interface name="cloudinit_rw_inherited_pipes" lineno="13"> +<summary> +Read and write inherited cloud-init pipes. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cloudinit_create_runtime_dirs" lineno="32"> <summary> Create cloud-init runtime directory. </summary> @@ -952,7 +962,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cloudinit_write_runtime_files" lineno="32"> +<interface name="cloudinit_write_runtime_files" lineno="51"> <summary> Write cloud-init runtime files. </summary> @@ -962,7 +972,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cloudinit_create_runtime_files" lineno="51"> +<interface name="cloudinit_rw_runtime_files" lineno="70"> +<summary> +Read and write cloud-init runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cloudinit_create_runtime_files" lineno="89"> <summary> Create cloud-init runtime files. </summary> @@ -972,7 +992,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="cloudinit_filetrans_runtime" lineno="81"> +<interface name="cloudinit_filetrans_runtime" lineno="119"> <summary> Create files in /run with the type used for cloud-init runtime files. @@ -993,7 +1013,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="cloudinit_getattr_state_files" lineno="99"> +<interface name="cloudinit_getattr_state_files" lineno="137"> <summary> Get the attribute of cloud-init state files. </summary> 
@@ -1003,6 +1023,43 @@ Domain allowed access. </summary> </param> </interface> +<interface name="cloudinit_write_inherited_tmp_files" lineno="158"> +<summary> +Write inherited cloud-init temporary files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cloudinit_rw_tmp_files" lineno="177"> +<summary> +Read and write cloud-init temporary files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cloudinit_create_tmp_files" lineno="196"> +<summary> +Create cloud-init temporary files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<tunable name="cloudinit_manage_non_security" dftval="false"> +<desc> +<p> +Enable support for cloud-init to manage all non-security files. +</p> +</desc> +</tunable> </module> <module name="consoletype" filename="policy/modules/admin/consoletype.if"> <summary> @@ -3197,7 +3254,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_append_tmp_files" lineno="351"> +<interface name="rpm_read_tmp_files" lineno="351"> +<summary> +Read rpm temporary files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="rpm_append_tmp_files" lineno="371"> <summary> Append rpm temporary files. </summary> @@ -3207,7 +3274,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_manage_tmp_files" lineno="371"> +<interface name="rpm_manage_tmp_files" lineno="391"> <summary> Create, read, write, and delete rpm temporary files. @@ -3218,7 +3285,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_read_script_tmp_files" lineno="390"> +<interface name="rpm_read_script_tmp_files" lineno="410"> <summary> Read rpm script temporary files. </summary> 
@@ -3228,7 +3295,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_read_cache" lineno="410"> +<interface name="rpm_read_cache" lineno="430"> <summary> Read rpm cache content. </summary> @@ -3238,7 +3305,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_manage_cache" lineno="432"> +<interface name="rpm_manage_cache" lineno="452"> <summary> Create, read, write, and delete rpm cache content. @@ -3249,7 +3316,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_read_db" lineno="453"> +<interface name="rpm_read_db" lineno="473"> <summary> Read rpm lib content. </summary> @@ -3259,7 +3326,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_delete_db" lineno="475"> +<interface name="rpm_delete_db" lineno="495"> <summary> Delete rpm lib files. </summary> @@ -3269,7 +3336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_manage_db" lineno="495"> +<interface name="rpm_manage_db" lineno="515"> <summary> Create, read, write, and delete rpm lib files. @@ -3280,7 +3347,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_dontaudit_manage_db" lineno="517"> +<interface name="rpm_dontaudit_manage_db" lineno="537"> <summary> Do not audit attempts to create, read, write, and delete rpm lib content. @@ -3291,7 +3358,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="rpm_manage_runtime_files" lineno="539"> +<interface name="rpm_manage_runtime_files" lineno="559"> <summary> Create, read, write, and delete rpm runtime files. @@ -3302,7 +3369,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpm_admin" lineno="565"> +<interface name="rpm_admin" lineno="585"> <summary> All of the rules required to administrate an rpm environment. 
@@ -3751,7 +3818,7 @@ The role associated with the user domain. </summary> </param> </template> -<template name="su_role_template" lineno="149"> +<template name="su_role_template" lineno="154"> <summary> The role template for the su module. </summary> @@ -3777,7 +3844,7 @@ Role allowed access </summary> </param> </template> -<interface name="su_exec" lineno="303"> +<interface name="su_exec" lineno="314"> <summary> Execute su in the caller domain. </summary> @@ -3833,7 +3900,7 @@ Role allowed access </summary> </param> </template> -<interface name="sudo_sigchld" lineno="232"> +<interface name="sudo_sigchld" lineno="233"> <summary> Send a SIGCHLD signal to the sudo domain. </summary> @@ -3843,6 +3910,16 @@ Domain allowed access. </summary> </param> </interface> +<interface name="sudo_exec" lineno="251"> +<summary> +Execute sudo in the caller domain. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> <tunable name="sudo_all_tcp_connect_http_port" dftval="false"> <desc> <p> @@ -4661,7 +4738,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="chromium_run" lineno="161"> +<interface name="chromium_run" lineno="160"> <summary> Execute chromium in the chromium domain and allow the specified role to access the chromium domain </summary> @@ -10451,7 +10528,18 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="corecmd_exec_all_executables" lineno="753"> +<interface name="corecmd_mmap_read_all_executables" lineno="753"> +<summary> +Mmap read-only all executable files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="corecmd_exec_all_executables" lineno="773"> <summary> Execute all executable files. </summary> 
@@ -10462,7 +10550,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="corecmd_dontaudit_exec_all_executables" lineno="774"> +<interface name="corecmd_dontaudit_exec_all_executables" lineno="794"> <summary> Do not audit attempts to execute all executables. </summary> @@ -10472,7 +10560,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="corecmd_manage_all_executables" lineno="793"> +<interface name="corecmd_manage_all_executables" lineno="813"> <summary> Create, read, write, and all executable files. </summary> @@ -10483,7 +10571,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="corecmd_relabel_all_executables" lineno="815"> +<interface name="corecmd_relabel_all_executables" lineno="835"> <summary> Relabel to and from the bin type. </summary> @@ -10494,7 +10582,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="corecmd_mmap_all_executables" lineno="835"> +<interface name="corecmd_mmap_all_executables" lineno="855"> <summary> Mmap all executables as executable. </summary> @@ -10504,7 +10592,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="corecmd_relabel_bin_dirs" lineno="857"> +<interface name="corecmd_relabel_bin_dirs" lineno="877"> <summary> Relabel to and from the bin type. </summary> @@ -10514,7 +10602,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="corecmd_relabel_bin_lnk_files" lineno="875"> +<interface name="corecmd_relabel_bin_lnk_files" lineno="895"> <summary> Relabel to and from the bin type. </summary> 
@@ -56085,7 +56173,17 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_add_entry_generic_dirs" lineno="275"> +<interface name="dev_dontaudit_execute_dev_nodes" lineno="275"> +<summary> +Dontaudit attempts to execute device nodes. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="dev_add_entry_generic_dirs" lineno="293"> <summary> Add entries to directories in /dev. </summary> @@ -56095,7 +56193,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_remove_entry_generic_dirs" lineno="293"> +<interface name="dev_remove_entry_generic_dirs" lineno="311"> <summary> Remove entries from directories in /dev. </summary> @@ -56105,7 +56203,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_generic_dirs" lineno="311"> +<interface name="dev_create_generic_dirs" lineno="329"> <summary> Create a directory in the device directory. </summary> @@ -56115,7 +56213,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_generic_dirs" lineno="330"> +<interface name="dev_delete_generic_dirs" lineno="348"> <summary> Delete a directory in the device directory. </summary> @@ -56125,7 +56223,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_generic_dirs" lineno="348"> +<interface name="dev_manage_generic_dirs" lineno="366"> <summary> Manage of directories in /dev. </summary> @@ -56135,7 +56233,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_generic_dev_dirs" lineno="366"> +<interface name="dev_relabel_generic_dev_dirs" lineno="384"> <summary> Allow full relabeling (to and from) of directories in /dev. </summary> 
@@ -56145,7 +56243,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_generic_files" lineno="384"> +<interface name="dev_dontaudit_getattr_generic_files" lineno="402"> <summary> dontaudit getattr generic files in /dev. </summary> @@ -56155,7 +56253,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_generic_files" lineno="402"> +<interface name="dev_read_generic_files" lineno="420"> <summary> Read generic files in /dev. </summary> @@ -56165,7 +56263,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_generic_files" lineno="420"> +<interface name="dev_rw_generic_files" lineno="438"> <summary> Read and write generic files in /dev. </summary> @@ -56175,7 +56273,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_generic_files" lineno="438"> +<interface name="dev_delete_generic_files" lineno="456"> <summary> Delete generic files in /dev. </summary> @@ -56185,7 +56283,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_generic_files" lineno="456"> +<interface name="dev_manage_generic_files" lineno="474"> <summary> Create a file in the device directory. </summary> @@ -56195,7 +56293,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_generic_pipes" lineno="474"> +<interface name="dev_dontaudit_getattr_generic_pipes" lineno="492"> <summary> Dontaudit getattr on generic pipes. </summary> @@ -56205,7 +56303,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_generic_sockets" lineno="492"> +<interface name="dev_write_generic_sockets" lineno="510"> <summary> Write generic socket files in /dev. </summary> 
@@ -56215,7 +56313,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_getattr_generic_blk_files" lineno="510"> +<interface name="dev_getattr_generic_blk_files" lineno="528"> <summary> Allow getattr on generic block devices. </summary> @@ -56225,7 +56323,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="528"> +<interface name="dev_dontaudit_getattr_generic_blk_files" lineno="546"> <summary> Dontaudit getattr on generic block devices. </summary> @@ -56235,7 +56333,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_generic_blk_files" lineno="547"> +<interface name="dev_setattr_generic_blk_files" lineno="565"> <summary> Set the attributes on generic block devices. @@ -56246,7 +56344,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="565"> +<interface name="dev_dontaudit_setattr_generic_blk_files" lineno="583"> <summary> Dontaudit setattr on generic block devices. </summary> @@ -56256,7 +56354,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_create_generic_blk_files" lineno="583"> +<interface name="dev_create_generic_blk_files" lineno="601"> <summary> Create generic block device files. </summary> @@ -56266,7 +56364,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_generic_blk_files" lineno="601"> +<interface name="dev_delete_generic_blk_files" lineno="619"> <summary> Delete generic block device files. </summary> 
@@ -56276,7 +56374,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_generic_chr_files" lineno="619"> +<interface name="dev_dontaudit_relabelto_generic_blk_files" lineno="638"> +<summary> +Dontaudit relabelto the generic device +type on block files. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="dev_getattr_generic_chr_files" lineno="656"> <summary> Allow getattr for generic character device files. </summary> @@ -56286,7 +56395,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="637"> +<interface name="dev_dontaudit_getattr_generic_chr_files" lineno="674"> <summary> Dontaudit getattr for generic character device files. </summary> @@ -56296,7 +56405,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_generic_chr_files" lineno="656"> +<interface name="dev_setattr_generic_chr_files" lineno="693"> <summary> Set the attributes for generic character device files. @@ -56307,7 +56416,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="674"> +<interface name="dev_dontaudit_setattr_generic_chr_files" lineno="711"> <summary> Dontaudit setattr for generic character device files. </summary> @@ -56317,7 +56426,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_generic_chr_files" lineno="692"> +<interface name="dev_read_generic_chr_files" lineno="729"> <summary> Read generic character device files. </summary> @@ -56327,7 +56436,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_generic_chr_files" lineno="710"> +<interface name="dev_rw_generic_chr_files" lineno="747"> <summary> Read and write generic character device files. </summary> 
@@ -56337,7 +56446,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_generic_blk_files" lineno="728"> +<interface name="dev_rw_generic_blk_files" lineno="765"> <summary> Read and write generic block device files. </summary> @@ -56347,7 +56456,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_generic_chr_files" lineno="746"> +<interface name="dev_dontaudit_rw_generic_chr_files" lineno="783"> <summary> Dontaudit attempts to read/write generic character device files. </summary> @@ -56357,7 +56466,7 @@ Domain to dontaudit access. </summary> </param> </interface> -<interface name="dev_create_generic_chr_files" lineno="764"> +<interface name="dev_create_generic_chr_files" lineno="801"> <summary> Create generic character device files. </summary> @@ -56367,7 +56476,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_generic_chr_files" lineno="782"> +<interface name="dev_delete_generic_chr_files" lineno="819"> <summary> Delete generic character device files. </summary> @@ -56377,7 +56486,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabelfrom_generic_chr_files" lineno="800"> +<interface name="dev_relabelfrom_generic_chr_files" lineno="837"> <summary> Relabel from generic character device files. </summary> @@ -56387,7 +56496,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="819"> +<interface name="dev_dontaudit_setattr_generic_symlinks" lineno="856"> <summary> Do not audit attempts to set the attributes of symbolic links in device directories (/dev). @@ -56398,7 +56507,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_generic_symlinks" lineno="837"> +<interface name="dev_read_generic_symlinks" lineno="874"> <summary> Read symbolic links in device directories. </summary> 
@@ -56408,7 +56517,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_generic_symlinks" lineno="855"> +<interface name="dev_create_generic_symlinks" lineno="892"> <summary> Create symbolic links in device directories. </summary> @@ -56418,7 +56527,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_generic_symlinks" lineno="873"> +<interface name="dev_delete_generic_symlinks" lineno="910"> <summary> Delete symbolic links in device directories. </summary> @@ -56428,7 +56537,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_generic_symlinks" lineno="891"> +<interface name="dev_manage_generic_symlinks" lineno="928"> <summary> Create, delete, read, and write symbolic links in device directories. </summary> @@ -56438,7 +56547,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_generic_symlinks" lineno="909"> +<interface name="dev_relabel_generic_symlinks" lineno="946"> <summary> Relabel symbolic links in device directories. </summary> @@ -56448,7 +56557,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_generic_sock_files" lineno="927"> +<interface name="dev_write_generic_sock_files" lineno="964"> <summary> Write generic sock files in /dev. </summary> @@ -56458,7 +56567,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_all_dev_nodes" lineno="945"> +<interface name="dev_manage_all_dev_nodes" lineno="982"> <summary> Create, delete, read, and write device nodes in device directories. </summary> @@ -56468,7 +56577,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="986"> +<interface name="dev_dontaudit_rw_generic_dev_nodes" lineno="1023"> <summary> Dontaudit getattr for generic device files. </summary> 
@@ -56478,7 +56587,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_manage_generic_blk_files" lineno="1004"> +<interface name="dev_manage_generic_blk_files" lineno="1041"> <summary> Create, delete, read, and write block device files. </summary> @@ -56488,7 +56597,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_generic_chr_files" lineno="1022"> +<interface name="dev_manage_generic_chr_files" lineno="1059"> <summary> Create, delete, read, and write character device files. </summary> @@ -56498,7 +56607,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans" lineno="1057"> +<interface name="dev_filetrans" lineno="1094"> <summary> Create, read, and write device nodes. The node will be transitioned to the type provided. @@ -56525,7 +56634,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_tmpfs_filetrans_dev" lineno="1092"> +<interface name="dev_tmpfs_filetrans_dev" lineno="1129"> <summary> Create, read, and write device nodes. The node will be transitioned to the type provided. This is @@ -56549,7 +56658,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_getattr_all_blk_files" lineno="1111"> +<interface name="dev_getattr_all_blk_files" lineno="1148"> <summary> Getattr on all block file device nodes. </summary> @@ -56560,7 +56669,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1130"> +<interface name="dev_dontaudit_getattr_all_blk_files" lineno="1167"> <summary> Dontaudit getattr on all block file device nodes. </summary> @@ -56570,7 +56679,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_getattr_all_chr_files" lineno="1150"> +<interface name="dev_getattr_all_chr_files" lineno="1187"> <summary> Getattr on all character file device nodes. </summary> 
@@ -56581,7 +56690,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1169"> +<interface name="dev_dontaudit_getattr_all_chr_files" lineno="1206"> <summary> Dontaudit getattr on all character file device nodes. </summary> @@ -56591,7 +56700,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_all_blk_files" lineno="1189"> +<interface name="dev_setattr_all_blk_files" lineno="1226"> <summary> Setattr on all block file device nodes. </summary> @@ -56602,7 +56711,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="dev_setattr_all_chr_files" lineno="1209"> +<interface name="dev_setattr_all_chr_files" lineno="1246"> <summary> Setattr on all character file device nodes. </summary> @@ -56613,7 +56722,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="dev_dontaudit_read_all_blk_files" lineno="1228"> +<interface name="dev_dontaudit_read_all_blk_files" lineno="1265"> <summary> Dontaudit read on all block file device nodes. </summary> @@ -56623,7 +56732,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_write_all_blk_files" lineno="1246"> +<interface name="dev_dontaudit_write_all_blk_files" lineno="1283"> <summary> Dontaudit write on all block file device nodes. </summary> @@ -56633,7 +56742,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_read_all_chr_files" lineno="1264"> +<interface name="dev_dontaudit_read_all_chr_files" lineno="1301"> <summary> Dontaudit read on all character file device nodes. </summary> @@ -56643,7 +56752,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_write_all_chr_files" lineno="1282"> +<interface name="dev_dontaudit_write_all_chr_files" lineno="1319"> <summary> Dontaudit write on all character file device nodes. </summary> 
@@ -56653,7 +56762,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_create_all_blk_files" lineno="1300"> +<interface name="dev_create_all_blk_files" lineno="1337"> <summary> Create all block device files. </summary> @@ -56663,7 +56772,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_all_chr_files" lineno="1319"> +<interface name="dev_create_all_chr_files" lineno="1356"> <summary> Create all character device files. </summary> @@ -56673,7 +56782,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_all_blk_files" lineno="1338"> +<interface name="dev_delete_all_blk_files" lineno="1375"> <summary> Delete all block device files. </summary> @@ -56683,7 +56792,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_delete_all_chr_files" lineno="1357"> +<interface name="dev_delete_all_chr_files" lineno="1394"> <summary> Delete all character device files. </summary> @@ -56693,7 +56802,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rename_all_blk_files" lineno="1376"> +<interface name="dev_rename_all_blk_files" lineno="1413"> <summary> Rename all block device files. </summary> @@ -56703,7 +56812,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rename_all_chr_files" lineno="1395"> +<interface name="dev_rename_all_chr_files" lineno="1432"> <summary> Rename all character device files. </summary> @@ -56713,7 +56822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_all_blk_files" lineno="1414"> +<interface name="dev_manage_all_blk_files" lineno="1451"> <summary> Read, write, create, and delete all block device files. </summary> 
@@ -56723,7 +56832,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_all_chr_files" lineno="1439"> +<interface name="dev_manage_all_chr_files" lineno="1476"> <summary> Read, write, create, and delete all character device files. </summary> @@ -56733,7 +56842,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_acpi_bios_dev" lineno="1460"> +<interface name="dev_getattr_acpi_bios_dev" lineno="1497"> <summary> Get the attributes of the apm bios device node. </summary> @@ -56743,7 +56852,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1479"> +<interface name="dev_dontaudit_getattr_acpi_bios_dev" lineno="1516"> <summary> Do not audit attempts to get the attributes of the apm bios device node. @@ -56754,7 +56863,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_acpi_bios_dev" lineno="1497"> +<interface name="dev_setattr_acpi_bios_dev" lineno="1534"> <summary> Set the attributes of the apm bios device node. </summary> @@ -56764,7 +56873,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1516"> +<interface name="dev_dontaudit_setattr_acpi_bios_dev" lineno="1553"> <summary> Do not audit attempts to set the attributes of the apm bios device node. @@ -56775,7 +56884,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_acpi_bios" lineno="1534"> +<interface name="dev_rw_acpi_bios" lineno="1571"> <summary> Read and write the apm bios. </summary> @@ -56785,7 +56894,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_agp_dev" lineno="1552"> +<interface name="dev_getattr_agp_dev" lineno="1589"> <summary> Getattr the agp devices. </summary> 
@@ -56795,7 +56904,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_agp" lineno="1570"> +<interface name="dev_rw_agp" lineno="1607"> <summary> Read and write the agp devices. </summary> @@ -56805,7 +56914,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_autofs_dev" lineno="1589"> +<interface name="dev_getattr_autofs_dev" lineno="1626"> <summary> Get the attributes of the autofs device node. </summary> @@ -56815,7 +56924,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1608"> +<interface name="dev_dontaudit_getattr_autofs_dev" lineno="1645"> <summary> Do not audit attempts to get the attributes of the autofs device node. @@ -56826,7 +56935,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_autofs_dev" lineno="1626"> +<interface name="dev_setattr_autofs_dev" lineno="1663"> <summary> Set the attributes of the autofs device node. </summary> @@ -56836,7 +56945,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1645"> +<interface name="dev_dontaudit_setattr_autofs_dev" lineno="1682"> <summary> Do not audit attempts to set the attributes of the autofs device node. @@ -56847,7 +56956,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_autofs" lineno="1663"> +<interface name="dev_rw_autofs" lineno="1700"> <summary> Read and write the autofs device. </summary> @@ -56857,7 +56966,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_autofs_dev" lineno="1681"> +<interface name="dev_relabel_autofs_dev" lineno="1718"> <summary> Relabel the autofs device node. </summary> 
@@ -56867,7 +56976,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_cachefiles" lineno="1700"> +<interface name="dev_rw_cachefiles" lineno="1737"> <summary> Read and write cachefiles character device nodes. @@ -56878,7 +56987,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_cardmgr" lineno="1718"> +<interface name="dev_rw_cardmgr" lineno="1755"> <summary> Read and write the PCMCIA card manager device. </summary> @@ -56888,7 +56997,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_cardmgr" lineno="1737"> +<interface name="dev_dontaudit_rw_cardmgr" lineno="1774"> <summary> Do not audit attempts to read and write the PCMCIA card manager device. @@ -56899,7 +57008,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_create_cardmgr_dev" lineno="1757"> +<interface name="dev_create_cardmgr_dev" lineno="1794"> <summary> Create, read, write, and delete the PCMCIA card manager device @@ -56911,7 +57020,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_cardmgr_dev" lineno="1777"> +<interface name="dev_manage_cardmgr_dev" lineno="1814"> <summary> Create, read, write, and delete the PCMCIA card manager device. @@ -56922,7 +57031,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_cardmgr" lineno="1803"> +<interface name="dev_filetrans_cardmgr" lineno="1840"> <summary> Automatic type transition to the type for PCMCIA card manager device nodes when @@ -56939,7 +57048,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_getattr_cpu_dev" lineno="1822"> +<interface name="dev_getattr_cpu_dev" lineno="1859"> <summary> Get the attributes of the CPU microcode and id interfaces. 
@@ -56950,7 +57059,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_cpu_dev" lineno="1841"> +<interface name="dev_setattr_cpu_dev" lineno="1878"> <summary> Set the attributes of the CPU microcode and id interfaces. @@ -56961,7 +57070,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_cpuid" lineno="1859"> +<interface name="dev_read_cpuid" lineno="1896"> <summary> Read the CPU identity. </summary> @@ -56971,7 +57080,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_cpu_microcode" lineno="1878"> +<interface name="dev_rw_cpu_microcode" lineno="1915"> <summary> Read and write the the CPU microcode device. This is required to load CPU microcode. @@ -56982,7 +57091,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_crash" lineno="1896"> +<interface name="dev_read_crash" lineno="1933"> <summary> Read the kernel crash device </summary> @@ -56992,7 +57101,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_crypto" lineno="1914"> +<interface name="dev_rw_crypto" lineno="1951"> <summary> Read and write the the hardware SSL accelerator. </summary> @@ -57002,7 +57111,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_dlm_control" lineno="1932"> +<interface name="dev_setattr_dlm_control" lineno="1969"> <summary> Set the attributes of the dlm control devices. </summary> @@ -57012,7 +57121,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_dlm_control" lineno="1950"> +<interface name="dev_rw_dlm_control" lineno="1987"> <summary> Read and write the the dlm control device </summary> @@ -57022,7 +57131,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_dri_dev" lineno="1968"> +<interface name="dev_getattr_dri_dev" lineno="2005"> <summary> getattr the dri devices. </summary> 
@@ -57032,7 +57141,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_dri_dev" lineno="1986"> +<interface name="dev_setattr_dri_dev" lineno="2023"> <summary> Setattr the dri devices. </summary> @@ -57042,7 +57151,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_ioctl_dri_dev" lineno="2004"> +<interface name="dev_ioctl_dri_dev" lineno="2041"> <summary> IOCTL the dri devices. </summary> @@ -57052,7 +57161,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_dri" lineno="2022"> +<interface name="dev_rw_dri" lineno="2059"> <summary> Read and write the dri devices. </summary> @@ -57062,7 +57171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_dri" lineno="2041"> +<interface name="dev_dontaudit_rw_dri" lineno="2078"> <summary> Dontaudit read and write on the dri devices. </summary> @@ -57072,7 +57181,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_manage_dri_dev" lineno="2059"> +<interface name="dev_manage_dri_dev" lineno="2096"> <summary> Create, read, write, and delete the dri devices. </summary> @@ -57082,7 +57191,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_dri" lineno="2084"> +<interface name="dev_mounton_dri_dev" lineno="2115"> +<summary> +Mount on the dri devices. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dev_filetrans_dri" lineno="2139"> <summary> Automatic type transition to the type for DRI device nodes when created in /dev. @@ -57098,7 +57217,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_filetrans_input_dev" lineno="2108"> +<interface name="dev_filetrans_input_dev" lineno="2163"> <summary> Automatic type transition to the type for event device nodes when created in /dev. 
@@ -57114,7 +57233,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_getattr_input_dev" lineno="2126"> +<interface name="dev_getattr_input_dev" lineno="2181"> <summary> Get the attributes of the event devices. </summary> @@ -57124,7 +57243,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_input_dev" lineno="2145"> +<interface name="dev_setattr_input_dev" lineno="2200"> <summary> Set the attributes of the event devices. </summary> @@ -57134,7 +57253,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_input" lineno="2164"> +<interface name="dev_read_input" lineno="2219"> <summary> Read input event devices (/dev/input). </summary> @@ -57144,7 +57263,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_input_dev" lineno="2182"> +<interface name="dev_rw_input_dev" lineno="2237"> <summary> Read and write input event devices (/dev/input). </summary> @@ -57154,7 +57273,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_input_dev" lineno="2200"> +<interface name="dev_manage_input_dev" lineno="2255"> <summary> Create, read, write, and delete input event devices (/dev/input). </summary> @@ -57164,7 +57283,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_ioctl_input_dev" lineno="2218"> +<interface name="dev_ioctl_input_dev" lineno="2273"> <summary> IOCTL the input event devices (/dev/input). </summary> @@ -57174,7 +57293,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_ipmi_dev" lineno="2236"> +<interface name="dev_rw_ipmi_dev" lineno="2291"> <summary> Read and write ipmi devices (/dev/ipmi*). </summary> 
@@ -57184,7 +57303,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_framebuffer_dev" lineno="2254"> +<interface name="dev_getattr_framebuffer_dev" lineno="2309"> <summary> Get the attributes of the framebuffer device node. </summary> @@ -57194,7 +57313,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_framebuffer_dev" lineno="2272"> +<interface name="dev_setattr_framebuffer_dev" lineno="2327"> <summary> Set the attributes of the framebuffer device node. </summary> @@ -57204,7 +57323,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2291"> +<interface name="dev_dontaudit_setattr_framebuffer_dev" lineno="2346"> <summary> Dot not audit attempts to set the attributes of the framebuffer device node. @@ -57215,7 +57334,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_framebuffer" lineno="2309"> +<interface name="dev_read_framebuffer" lineno="2364"> <summary> Read the framebuffer. </summary> @@ -57225,7 +57344,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_read_framebuffer" lineno="2327"> +<interface name="dev_dontaudit_read_framebuffer" lineno="2382"> <summary> Do not audit attempts to read the framebuffer. </summary> @@ -57235,7 +57354,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_framebuffer" lineno="2345"> +<interface name="dev_write_framebuffer" lineno="2400"> <summary> Write the framebuffer. </summary> @@ -57245,7 +57364,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_framebuffer" lineno="2363"> +<interface name="dev_rw_framebuffer" lineno="2418"> <summary> Read and write the framebuffer. </summary> 
@@ -57255,7 +57374,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_hyperv_kvp" lineno="2381"> +<interface name="dev_rw_hyperv_kvp" lineno="2436"> <summary> Allow read/write the hypervkvp device </summary> @@ -57265,7 +57384,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_hyperv_vss" lineno="2399"> +<interface name="dev_rw_hyperv_vss" lineno="2454"> <summary> Allow read/write the hypervvssd device </summary> @@ -57275,7 +57394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_iio" lineno="2417"> +<interface name="dev_read_iio" lineno="2472"> <summary> Allow read/write access to InfiniBand devices. </summary> @@ -57285,7 +57404,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_infiniband" lineno="2435"> +<interface name="dev_rw_infiniband" lineno="2490"> <summary> Allow read/write access to InfiniBand devices. </summary> @@ -57295,7 +57414,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_kmsg" lineno="2453"> +<interface name="dev_read_kmsg" lineno="2508"> <summary> Read the kernel messages </summary> @@ -57305,7 +57424,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_read_kmsg" lineno="2471"> +<interface name="dev_dontaudit_read_kmsg" lineno="2526"> <summary> Do not audit attempts to read the kernel messages </summary> @@ -57315,7 +57434,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_kmsg" lineno="2489"> +<interface name="dev_write_kmsg" lineno="2544"> <summary> Write to the kernel messages device </summary> @@ -57325,7 +57444,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_kmsg" lineno="2507"> +<interface name="dev_rw_kmsg" lineno="2562"> <summary> Read and write to the kernel messages device </summary> 
@@ -57335,7 +57454,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mounton_kmsg" lineno="2525"> +<interface name="dev_mounton_kmsg" lineno="2580"> <summary> Mount on the kernel messages device </summary> @@ -57345,7 +57464,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_ksm_dev" lineno="2543"> +<interface name="dev_getattr_ksm_dev" lineno="2598"> <summary> Get the attributes of the ksm devices. </summary> @@ -57355,7 +57474,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_ksm_dev" lineno="2561"> +<interface name="dev_setattr_ksm_dev" lineno="2616"> <summary> Set the attributes of the ksm devices. </summary> @@ -57365,7 +57484,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_ksm" lineno="2579"> +<interface name="dev_read_ksm" lineno="2634"> <summary> Read the ksm devices. </summary> @@ -57375,7 +57494,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_ksm" lineno="2597"> +<interface name="dev_rw_ksm" lineno="2652"> <summary> Read and write to ksm devices. </summary> @@ -57385,7 +57504,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_kvm_dev" lineno="2615"> +<interface name="dev_getattr_kvm_dev" lineno="2670"> <summary> Get the attributes of the kvm devices. </summary> @@ -57395,7 +57514,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_kvm_dev" lineno="2633"> +<interface name="dev_setattr_kvm_dev" lineno="2688"> <summary> Set the attributes of the kvm devices. </summary> @@ -57405,7 +57524,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_kvm" lineno="2651"> +<interface name="dev_read_kvm" lineno="2706"> <summary> Read the kvm devices. </summary> 
@@ -57415,7 +57534,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_kvm" lineno="2669"> +<interface name="dev_rw_kvm" lineno="2724"> <summary> Read and write to kvm devices. </summary> @@ -57425,7 +57544,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_lirc" lineno="2687"> +<interface name="dev_read_lirc" lineno="2742"> <summary> Read the lirc device. </summary> @@ -57435,7 +57554,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_lirc" lineno="2705"> +<interface name="dev_rw_lirc" lineno="2760"> <summary> Read and write the lirc device. </summary> @@ -57445,7 +57564,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_lirc" lineno="2729"> +<interface name="dev_filetrans_lirc" lineno="2784"> <summary> Automatic type transition to the type for lirc device nodes when created in /dev. @@ -57461,7 +57580,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_rw_loop_control" lineno="2747"> +<interface name="dev_rw_loop_control" lineno="2802"> <summary> Read and write the loop-control device. </summary> @@ -57471,7 +57590,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_lvm_control" lineno="2765"> +<interface name="dev_getattr_lvm_control" lineno="2820"> <summary> Get the attributes of the lvm comtrol device. </summary> @@ -57481,7 +57600,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_lvm_control" lineno="2783"> +<interface name="dev_read_lvm_control" lineno="2838"> <summary> Read the lvm comtrol device. </summary> @@ -57491,7 +57610,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_lvm_control" lineno="2801"> +<interface name="dev_rw_lvm_control" lineno="2856"> <summary> Read and write the lvm control device. </summary> 
@@ -57501,7 +57620,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_lvm_control" lineno="2819"> +<interface name="dev_dontaudit_rw_lvm_control" lineno="2874"> <summary> Do not audit attempts to read and write lvm control device. </summary> @@ -57511,7 +57630,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_delete_lvm_control_dev" lineno="2837"> +<interface name="dev_delete_lvm_control_dev" lineno="2892"> <summary> Delete the lvm control device. </summary> @@ -57521,7 +57640,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_memory_dev" lineno="2855"> +<interface name="dev_dontaudit_getattr_memory_dev" lineno="2910"> <summary> dontaudit getattr raw memory devices (e.g. /dev/mem). </summary> @@ -57531,7 +57650,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_raw_memory" lineno="2876"> +<interface name="dev_read_raw_memory" lineno="2931"> <summary> Read raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57544,7 +57663,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_raw_memory_cond" lineno="2906"> +<interface name="dev_read_raw_memory_cond" lineno="2961"> <summary> Read raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57562,7 +57681,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_dontaudit_read_raw_memory" lineno="2933"> +<interface name="dev_dontaudit_read_raw_memory" lineno="2988"> <summary> Do not audit attempts to read raw memory devices (e.g. /dev/mem). 
@@ -57576,7 +57695,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_raw_memory" lineno="2954"> +<interface name="dev_write_raw_memory" lineno="3009"> <summary> Write raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57589,7 +57708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_raw_memory_cond" lineno="2984"> +<interface name="dev_write_raw_memory_cond" lineno="3039"> <summary> Write raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57607,7 +57726,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_rx_raw_memory" lineno="3010"> +<interface name="dev_rx_raw_memory" lineno="3065"> <summary> Read and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57620,7 +57739,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_wx_raw_memory" lineno="3032"> +<interface name="dev_wx_raw_memory" lineno="3087"> <summary> Write and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the @@ -57633,7 +57752,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_wx_raw_memory_cond" lineno="3059"> +<interface name="dev_wx_raw_memory_cond" lineno="3114"> <summary> Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the @@ -57651,7 +57770,7 @@ Tunable to depend on </summary> </param> </interface> -<interface name="dev_getattr_misc_dev" lineno="3082"> +<interface name="dev_getattr_misc_dev" lineno="3137"> <summary> Get the attributes of miscellaneous devices. </summary> 
@@ -57661,7 +57780,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_misc_dev" lineno="3101"> +<interface name="dev_dontaudit_getattr_misc_dev" lineno="3156"> <summary> Do not audit attempts to get the attributes of miscellaneous devices. @@ -57672,7 +57791,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_misc_dev" lineno="3119"> +<interface name="dev_setattr_misc_dev" lineno="3174"> <summary> Set the attributes of miscellaneous devices. </summary> @@ -57682,7 +57801,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_misc_dev" lineno="3138"> +<interface name="dev_dontaudit_setattr_misc_dev" lineno="3193"> <summary> Do not audit attempts to set the attributes of miscellaneous devices. @@ -57693,7 +57812,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_misc" lineno="3156"> +<interface name="dev_read_misc" lineno="3211"> <summary> Read miscellaneous devices. </summary> @@ -57703,7 +57822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_misc" lineno="3174"> +<interface name="dev_write_misc" lineno="3229"> <summary> Write miscellaneous devices. </summary> @@ -57713,7 +57832,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_rw_misc" lineno="3192"> +<interface name="dev_dontaudit_rw_misc" lineno="3247"> <summary> Do not audit attempts to read and write miscellaneous devices. </summary> @@ -57723,7 +57842,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_modem_dev" lineno="3210"> +<interface name="dev_getattr_modem_dev" lineno="3265"> <summary> Get the attributes of the modem devices. </summary> 
@@ -57733,7 +57852,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_modem_dev" lineno="3228"> +<interface name="dev_setattr_modem_dev" lineno="3283"> <summary> Set the attributes of the modem devices. </summary> @@ -57743,7 +57862,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_modem" lineno="3246"> +<interface name="dev_read_modem" lineno="3301"> <summary> Read the modem devices. </summary> @@ -57753,7 +57872,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_modem" lineno="3264"> +<interface name="dev_rw_modem" lineno="3319"> <summary> Read and write to modem devices. </summary> @@ -57763,7 +57882,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_mouse_dev" lineno="3282"> +<interface name="dev_getattr_mouse_dev" lineno="3337"> <summary> Get the attributes of the mouse devices. </summary> @@ -57773,7 +57892,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_mouse_dev" lineno="3300"> +<interface name="dev_setattr_mouse_dev" lineno="3355"> <summary> Set the attributes of the mouse devices. </summary> @@ -57783,7 +57902,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_mouse" lineno="3318"> +<interface name="dev_delete_mouse_dev" lineno="3373"> +<summary> +Delete the mouse devices. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dev_read_mouse" lineno="3391"> <summary> Read the mouse devices. </summary> @@ -57793,7 +57922,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_mouse" lineno="3336"> +<interface name="dev_rw_mouse" lineno="3409"> <summary> Read and write to mouse devices. </summary> 
@@ -57803,7 +57932,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_mtrr_dev" lineno="3355"> +<interface name="dev_getattr_mtrr_dev" lineno="3428"> <summary> Get the attributes of the memory type range registers (MTRR) device. @@ -57814,7 +57943,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_write_mtrr" lineno="3375"> +<interface name="dev_dontaudit_write_mtrr" lineno="3448"> <summary> Do not audit attempts to write the memory type range registers (MTRR). @@ -57825,7 +57954,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_mtrr" lineno="3394"> +<interface name="dev_rw_mtrr" lineno="3467"> <summary> Read and write the memory type range registers (MTRR). </summary> @@ -57835,7 +57964,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_null_dev" lineno="3413"> +<interface name="dev_getattr_null_dev" lineno="3486"> <summary> Get the attributes of the null device nodes. </summary> @@ -57845,7 +57974,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_null_dev" lineno="3431"> +<interface name="dev_setattr_null_dev" lineno="3504"> <summary> Set the attributes of the null device nodes. </summary> @@ -57855,7 +57984,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_null_dev" lineno="3450"> +<interface name="dev_dontaudit_setattr_null_dev" lineno="3523"> <summary> Do not audit attempts to set the attributes of the null device nodes. @@ -57866,7 +57995,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_delete_null" lineno="3468"> +<interface name="dev_delete_null" lineno="3541"> <summary> Delete the null device (/dev/null). </summary> 
@@ -57876,7 +58005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_null" lineno="3486"> +<interface name="dev_rw_null" lineno="3559"> <summary> Read and write to the null device (/dev/null). </summary> @@ -57886,7 +58015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_null_dev" lineno="3504"> +<interface name="dev_create_null_dev" lineno="3577"> <summary> Create the null device (/dev/null). </summary> @@ -57896,7 +58025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_null_service" lineno="3523"> +<interface name="dev_manage_null_service" lineno="3596"> <summary> Manage services with script type null_device_t for when /lib/systemd/system/something.service is a link to /dev/null @@ -57907,7 +58036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3543"> +<interface name="dev_dontaudit_getattr_nvram_dev" lineno="3616"> <summary> Do not audit attempts to get the attributes of the BIOS non-volatile RAM device. @@ -57918,7 +58047,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_nvram" lineno="3561"> +<interface name="dev_rw_nvram" lineno="3634"> <summary> Read and write BIOS non-volatile RAM. </summary> @@ -57928,7 +58057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_printer_dev" lineno="3579"> +<interface name="dev_getattr_printer_dev" lineno="3652"> <summary> Get the attributes of the printer device nodes. </summary> @@ -57938,7 +58067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_printer_dev" lineno="3597"> +<interface name="dev_setattr_printer_dev" lineno="3670"> <summary> Set the attributes of the printer device nodes. </summary> 
@@ -57948,7 +58077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_append_printer" lineno="3616"> +<interface name="dev_append_printer" lineno="3689"> <summary> Append the printer device. </summary> @@ -57958,7 +58087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_printer" lineno="3634"> +<interface name="dev_rw_printer" lineno="3707"> <summary> Read and write the printer device. </summary> @@ -57968,7 +58097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_pmqos_dev" lineno="3652"> +<interface name="dev_getattr_pmqos_dev" lineno="3725"> <summary> Get the attributes of PM QoS devices </summary> @@ -57978,7 +58107,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_pmqos" lineno="3670"> +<interface name="dev_read_pmqos" lineno="3743"> <summary> Read the PM QoS devices. </summary> @@ -57988,7 +58117,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_pmqos" lineno="3688"> +<interface name="dev_rw_pmqos" lineno="3761"> <summary> Read and write the the PM QoS devices. </summary> @@ -57998,7 +58127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_qemu_dev" lineno="3707"> +<interface name="dev_getattr_qemu_dev" lineno="3780"> <summary> Get the attributes of the QEMU microcode and id interfaces. @@ -58009,7 +58138,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_qemu_dev" lineno="3726"> +<interface name="dev_setattr_qemu_dev" lineno="3799"> <summary> Set the attributes of the QEMU microcode and id interfaces. @@ -58020,7 +58149,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_qemu" lineno="3744"> +<interface name="dev_read_qemu" lineno="3817"> <summary> Read the QEMU device </summary> 
@@ -58030,7 +58159,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_qemu" lineno="3762"> +<interface name="dev_rw_qemu" lineno="3835"> <summary> Read and write the the QEMU device. </summary> @@ -58040,7 +58169,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_rand" lineno="3796"> +<interface name="dev_read_rand" lineno="3869"> <summary> Read from random number generator devices (e.g., /dev/random). @@ -58066,7 +58195,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_dontaudit_read_rand" lineno="3815"> +<interface name="dev_dontaudit_read_rand" lineno="3888"> <summary> Do not audit attempts to read from random number generator devices (e.g., /dev/random) @@ -58077,7 +58206,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_append_rand" lineno="3834"> +<interface name="dev_dontaudit_append_rand" lineno="3907"> <summary> Do not audit attempts to append to random number generator devices (e.g., /dev/random) @@ -58088,7 +58217,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_rand" lineno="3854"> +<interface name="dev_write_rand" lineno="3927"> <summary> Write to the random device (e.g., /dev/random). This adds entropy used to generate the random data read from the @@ -58100,7 +58229,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_rand_dev" lineno="3872"> +<interface name="dev_create_rand_dev" lineno="3945"> <summary> Create the random device (/dev/random). </summary> @@ -58110,7 +58239,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_realtime_clock" lineno="3890"> +<interface name="dev_read_realtime_clock" lineno="3963"> <summary> Read the realtime clock (/dev/rtc). </summary> 
@@ -58120,7 +58249,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_realtime_clock" lineno="3908"> +<interface name="dev_write_realtime_clock" lineno="3981"> <summary> Set the realtime clock (/dev/rtc). </summary> @@ -58130,7 +58259,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_realtime_clock" lineno="3928"> +<interface name="dev_rw_realtime_clock" lineno="4001"> <summary> Read and set the realtime clock (/dev/rtc). </summary> @@ -58140,7 +58269,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_scanner_dev" lineno="3943"> +<interface name="dev_getattr_scanner_dev" lineno="4016"> <summary> Get the attributes of the scanner device. </summary> @@ -58150,7 +58279,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_scanner_dev" lineno="3962"> +<interface name="dev_dontaudit_getattr_scanner_dev" lineno="4035"> <summary> Do not audit attempts to get the attributes of the scanner device. @@ -58161,7 +58290,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_scanner_dev" lineno="3980"> +<interface name="dev_setattr_scanner_dev" lineno="4053"> <summary> Set the attributes of the scanner device. </summary> @@ -58171,7 +58300,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_scanner_dev" lineno="3999"> +<interface name="dev_dontaudit_setattr_scanner_dev" lineno="4072"> <summary> Do not audit attempts to set the attributes of the scanner device. @@ -58182,7 +58311,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_scanner" lineno="4017"> +<interface name="dev_rw_scanner" lineno="4090"> <summary> Read and write the scanner device. </summary> 
@@ -58192,7 +58321,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_sound_dev" lineno="4035"> +<interface name="dev_getattr_sound_dev" lineno="4108"> <summary> Get the attributes of the sound devices. </summary> @@ -58202,7 +58331,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_sound_dev" lineno="4053"> +<interface name="dev_setattr_sound_dev" lineno="4126"> <summary> Set the attributes of the sound devices. </summary> @@ -58212,7 +58341,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sound" lineno="4071"> +<interface name="dev_read_sound" lineno="4144"> <summary> Read the sound devices. </summary> @@ -58222,7 +58351,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sound" lineno="4090"> +<interface name="dev_write_sound" lineno="4163"> <summary> Write the sound devices. </summary> @@ -58232,7 +58361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sound_mixer" lineno="4109"> +<interface name="dev_read_sound_mixer" lineno="4182"> <summary> Read the sound mixer devices. </summary> @@ -58242,7 +58371,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sound_mixer" lineno="4128"> +<interface name="dev_write_sound_mixer" lineno="4201"> <summary> Write the sound mixer devices. </summary> @@ -58252,7 +58381,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_power_mgmt_dev" lineno="4147"> +<interface name="dev_getattr_power_mgmt_dev" lineno="4220"> <summary> Get the attributes of the the power management device. </summary> @@ -58262,7 +58391,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_power_mgmt_dev" lineno="4165"> +<interface name="dev_setattr_power_mgmt_dev" lineno="4238"> <summary> Set the attributes of the the power management device. </summary> 
@@ -58272,7 +58401,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_power_management" lineno="4183"> +<interface name="dev_rw_power_management" lineno="4256"> <summary> Read and write the the power management device. </summary> @@ -58282,7 +58411,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_smartcard_dev" lineno="4201"> +<interface name="dev_getattr_smartcard_dev" lineno="4274"> <summary> Getattr on smartcard devices </summary> @@ -58292,7 +58421,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4220"> +<interface name="dev_dontaudit_getattr_smartcard_dev" lineno="4293"> <summary> dontaudit getattr on smartcard devices </summary> @@ -58302,7 +58431,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_rw_smartcard" lineno="4239"> +<interface name="dev_rw_smartcard" lineno="4312"> <summary> Read and write smartcard devices. </summary> @@ -58312,7 +58441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_smartcard" lineno="4257"> +<interface name="dev_manage_smartcard" lineno="4330"> <summary> Create, read, write, and delete smartcard devices. </summary> @@ -58322,7 +58451,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_sysdig" lineno="4275"> +<interface name="dev_rw_sysdig" lineno="4348"> <summary> Read, write and map the sysdig device. </summary> @@ -58332,7 +58461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mounton_sysfs" lineno="4294"> +<interface name="dev_mounton_sysfs" lineno="4367"> <summary> Mount a filesystem on sysfs. (Deprecated) </summary> 
@@ -58342,7 +58471,7 @@ Domain allow access. </summary> </param> </interface> -<interface name="dev_associate_sysfs" lineno="4309"> +<interface name="dev_associate_sysfs" lineno="4382"> <summary> Associate a file to a sysfs filesystem. </summary> @@ -58352,7 +58481,7 @@ The type of the file to be associated to sysfs. </summary> </param> </interface> -<interface name="dev_getattr_sysfs_dirs" lineno="4327"> +<interface name="dev_getattr_sysfs_dirs" lineno="4400"> <summary> Get the attributes of sysfs directories. </summary> @@ -58362,7 +58491,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_sysfs" lineno="4345"> +<interface name="dev_getattr_sysfs" lineno="4418"> <summary> Get the attributes of sysfs filesystem </summary> @@ -58372,7 +58501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mount_sysfs" lineno="4363"> +<interface name="dev_mount_sysfs" lineno="4436"> <summary> mount a sysfs filesystem </summary> @@ -58382,7 +58511,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_remount_sysfs" lineno="4381"> +<interface name="dev_remount_sysfs" lineno="4454"> <summary> Remount a sysfs filesystem. </summary> @@ -58392,7 +58521,7 @@ Domain allow access. </summary> </param> </interface> -<interface name="dev_unmount_sysfs" lineno="4399"> +<interface name="dev_unmount_sysfs" lineno="4472"> <summary> unmount a sysfs filesystem </summary> @@ -58402,7 +58531,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_sysfs" lineno="4417"> +<interface name="dev_dontaudit_getattr_sysfs" lineno="4490"> <summary> Do not audit getting the attributes of sysfs filesystem </summary> 
@@ -58412,7 +58541,7 @@ Domain to dontaudit access from </summary> </param> </interface> -<interface name="dev_dontaudit_read_sysfs" lineno="4435"> +<interface name="dev_dontaudit_read_sysfs" lineno="4508"> <summary> Dont audit attempts to read hardware state information </summary> @@ -58422,7 +58551,7 @@ Domain for which the attempts do not need to be audited </summary> </param> </interface> -<interface name="dev_mounton_sysfs_dirs" lineno="4455"> +<interface name="dev_mounton_sysfs_dirs" lineno="4528"> <summary> Mount on sysfs directories. </summary> @@ -58432,7 +58561,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_search_sysfs" lineno="4473"> +<interface name="dev_search_sysfs" lineno="4546"> <summary> Search the sysfs directories. </summary> @@ -58442,7 +58571,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_search_sysfs" lineno="4491"> +<interface name="dev_dontaudit_search_sysfs" lineno="4564"> <summary> Do not audit attempts to search sysfs. </summary> @@ -58452,7 +58581,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_list_sysfs" lineno="4509"> +<interface name="dev_list_sysfs" lineno="4582"> <summary> List the contents of the sysfs directories. </summary> @@ -58462,7 +58591,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_sysfs_dirs" lineno="4528"> +<interface name="dev_write_sysfs_dirs" lineno="4601"> <summary> Write in a sysfs directories. </summary> @@ -58472,7 +58601,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4546"> +<interface name="dev_dontaudit_write_sysfs_dirs" lineno="4619"> <summary> Do not audit attempts to write in a sysfs directory. </summary> 
@@ -58482,7 +58611,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_dontaudit_write_sysfs_files" lineno="4564"> +<interface name="dev_dontaudit_write_sysfs_files" lineno="4637"> <summary> Do not audit attempts to write to a sysfs file. </summary> @@ -58492,7 +58621,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_manage_sysfs_dirs" lineno="4583"> +<interface name="dev_manage_sysfs_dirs" lineno="4656"> <summary> Create, read, write, and delete sysfs directories. @@ -58503,7 +58632,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_sysfs" lineno="4610"> +<interface name="dev_read_sysfs" lineno="4683"> <summary> Read hardware state information. </summary> @@ -58522,7 +58651,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_write_sysfs" lineno="4638"> +<interface name="dev_write_sysfs" lineno="4711"> <summary> Write to hardware state information. </summary> @@ -58539,7 +58668,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_rw_sysfs" lineno="4657"> +<interface name="dev_rw_sysfs" lineno="4730"> <summary> Allow caller to modify hardware state information. </summary> @@ -58549,7 +58678,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_sysfs_files" lineno="4678"> +<interface name="dev_create_sysfs_files" lineno="4751"> <summary> Add a sysfs file </summary> @@ -58559,7 +58688,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_sysfs_dirs" lineno="4696"> +<interface name="dev_relabel_sysfs_dirs" lineno="4769"> <summary> Relabel hardware state directories. </summary> 
@@ -58569,7 +58698,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_all_sysfs" lineno="4714"> +<interface name="dev_relabel_all_sysfs" lineno="4787"> <summary> Relabel from/to all sysfs types. </summary> @@ -58579,7 +58708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_all_sysfs" lineno="4734"> +<interface name="dev_setattr_all_sysfs" lineno="4807"> <summary> Set the attributes of sysfs files, directories and symlinks. </summary> @@ -58589,7 +58718,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_tpm" lineno="4754"> +<interface name="dev_rw_tpm" lineno="4827"> <summary> Read and write the TPM device. </summary> @@ -58599,7 +58728,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_urand" lineno="4795"> +<interface name="dev_read_urand" lineno="4868"> <summary> Read from pseudo random number generator devices (e.g., /dev/urandom). </summary> @@ -58632,7 +58761,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="dev_dontaudit_read_urand" lineno="4814"> +<interface name="dev_dontaudit_read_urand" lineno="4887"> <summary> Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom) @@ -58643,7 +58772,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_write_urand" lineno="4833"> +<interface name="dev_write_urand" lineno="4906"> <summary> Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed. @@ -58654,7 +58783,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_urand_dev" lineno="4851"> +<interface name="dev_create_urand_dev" lineno="4924"> <summary> Create the urandom device (/dev/urandom). </summary> 
@@ -58664,7 +58793,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_urand_dev" lineno="4869"> +<interface name="dev_setattr_urand_dev" lineno="4942"> <summary> Set attributes on the urandom device (/dev/urandom). </summary> @@ -58674,7 +58803,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_generic_usb_dev" lineno="4887"> +<interface name="dev_getattr_generic_usb_dev" lineno="4960"> <summary> Getattr generic the USB devices. </summary> @@ -58684,7 +58813,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_generic_usb_dev" lineno="4905"> +<interface name="dev_setattr_generic_usb_dev" lineno="4978"> <summary> Setattr generic the USB devices. </summary> @@ -58694,7 +58823,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_generic_usb_dev" lineno="4923"> +<interface name="dev_read_generic_usb_dev" lineno="4996"> <summary> Read generic the USB devices. </summary> @@ -58704,7 +58833,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_generic_usb_dev" lineno="4941"> +<interface name="dev_rw_generic_usb_dev" lineno="5014"> <summary> Read and write generic the USB devices. </summary> @@ -58714,7 +58843,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_generic_usb_dev" lineno="4959"> +<interface name="dev_delete_generic_usb_dev" lineno="5032"> +<summary> +Delete the generic USB devices. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="dev_relabel_generic_usb_dev" lineno="5050"> <summary> Relabel generic the USB devices. </summary> @@ -58724,7 +58863,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_usbmon_dev" lineno="4977"> +<interface name="dev_read_usbmon_dev" lineno="5068"> <summary> Read USB monitor devices. </summary> 
@@ -58734,7 +58873,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_usbmon_dev" lineno="4995"> +<interface name="dev_write_usbmon_dev" lineno="5086"> <summary> Write USB monitor devices. </summary> @@ -58744,7 +58883,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_mount_usbfs" lineno="5013"> +<interface name="dev_mount_usbfs" lineno="5104"> <summary> Mount a usbfs filesystem. </summary> @@ -58754,7 +58893,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_associate_usbfs" lineno="5031"> +<interface name="dev_associate_usbfs" lineno="5122"> <summary> Associate a file to a usbfs filesystem. </summary> @@ -58764,7 +58903,7 @@ The type of the file to be associated to usbfs. </summary> </param> </interface> -<interface name="dev_getattr_usbfs_dirs" lineno="5049"> +<interface name="dev_getattr_usbfs_dirs" lineno="5140"> <summary> Get the attributes of a directory in the usb filesystem. </summary> @@ -58774,7 +58913,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5068"> +<interface name="dev_dontaudit_getattr_usbfs_dirs" lineno="5159"> <summary> Do not audit attempts to get the attributes of a directory in the usb filesystem. @@ -58785,7 +58924,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_search_usbfs" lineno="5086"> +<interface name="dev_search_usbfs" lineno="5177"> <summary> Search the directory containing USB hardware information. </summary> @@ -58795,7 +58934,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_list_usbfs" lineno="5104"> +<interface name="dev_list_usbfs" lineno="5195"> <summary> Allow caller to get a list of usb hardware. </summary> 
@@ -58805,7 +58944,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_usbfs_files" lineno="5125"> +<interface name="dev_setattr_usbfs_files" lineno="5216"> <summary> Set the attributes of usbfs filesystem. </summary> @@ -58815,7 +58954,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_usbfs" lineno="5145"> +<interface name="dev_read_usbfs" lineno="5236"> <summary> Read USB hardware information using the usbfs filesystem interface. @@ -58826,7 +58965,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_usbfs" lineno="5165"> +<interface name="dev_rw_usbfs" lineno="5256"> <summary> Allow caller to modify usb hardware configuration files. </summary> @@ -58836,7 +58975,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_getattr_video_dev" lineno="5185"> +<interface name="dev_getattr_video_dev" lineno="5276"> <summary> Get the attributes of video4linux devices. </summary> @@ -58846,7 +58985,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_userio_dev" lineno="5203"> +<interface name="dev_rw_userio_dev" lineno="5294"> <summary> Read and write userio device. </summary> @@ -58856,7 +58995,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_getattr_video_dev" lineno="5222"> +<interface name="dev_dontaudit_getattr_video_dev" lineno="5313"> <summary> Do not audit attempts to get the attributes of video4linux device nodes. @@ -58867,7 +59006,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_setattr_video_dev" lineno="5240"> +<interface name="dev_setattr_video_dev" lineno="5331"> <summary> Set the attributes of video4linux device nodes. </summary> 
@@ -58877,7 +59016,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_setattr_video_dev" lineno="5259"> +<interface name="dev_dontaudit_setattr_video_dev" lineno="5350"> <summary> Do not audit attempts to set the attributes of video4linux device nodes. @@ -58888,7 +59027,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dev_read_video_dev" lineno="5277"> +<interface name="dev_read_video_dev" lineno="5368"> <summary> Read the video4linux devices. </summary> @@ -58898,7 +59037,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_video_dev" lineno="5295"> +<interface name="dev_write_video_dev" lineno="5386"> <summary> Write the video4linux devices. </summary> @@ -58908,7 +59047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vfio_dev" lineno="5313"> +<interface name="dev_rw_vfio_dev" lineno="5404"> <summary> Read and write vfio devices. </summary> @@ -58918,7 +59057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabelfrom_vfio_dev" lineno="5331"> +<interface name="dev_relabelfrom_vfio_dev" lineno="5422"> <summary> Relabel vfio devices. </summary> @@ -58928,7 +59067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vhost" lineno="5349"> +<interface name="dev_rw_vhost" lineno="5440"> <summary> Allow read/write the vhost devices </summary> @@ -58938,7 +59077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_vmware" lineno="5367"> +<interface name="dev_rw_vmware" lineno="5458"> <summary> Read and write VMWare devices. </summary> @@ -58948,7 +59087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rwx_vmware" lineno="5385"> +<interface name="dev_rwx_vmware" lineno="5476"> <summary> Read, write, and mmap VMWare devices. </summary> 
@@ -58958,7 +59097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_watchdog" lineno="5404"> +<interface name="dev_read_watchdog" lineno="5495"> <summary> Read from watchdog devices. </summary> @@ -58968,7 +59107,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_write_watchdog" lineno="5422"> +<interface name="dev_write_watchdog" lineno="5513"> <summary> Write to watchdog devices. </summary> @@ -58978,7 +59117,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_wireless" lineno="5440"> +<interface name="dev_read_wireless" lineno="5531"> <summary> Read the wireless device. </summary> @@ -58988,7 +59127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_wireless" lineno="5458"> +<interface name="dev_rw_wireless" lineno="5549"> <summary> Read and write the the wireless device. </summary> @@ -58998,7 +59137,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_wireless" lineno="5476"> +<interface name="dev_manage_wireless" lineno="5567"> <summary> manage the wireless device. </summary> @@ -59008,7 +59147,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_xen" lineno="5494"> +<interface name="dev_rw_xen" lineno="5585"> <summary> Read and write Xen devices. </summary> @@ -59018,7 +59157,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_manage_xen" lineno="5513"> +<interface name="dev_manage_xen" lineno="5604"> <summary> Create, read, write, and delete Xen devices. </summary> @@ -59028,7 +59167,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_filetrans_xen" lineno="5537"> +<interface name="dev_filetrans_xen" lineno="5628"> <summary> Automatic type transition to the type for xen device nodes when created in /dev. 
@@ -59044,7 +59183,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="dev_getattr_xserver_misc_dev" lineno="5555"> +<interface name="dev_getattr_xserver_misc_dev" lineno="5646"> <summary> Get the attributes of X server miscellaneous devices. </summary> @@ -59054,7 +59193,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_setattr_xserver_misc_dev" lineno="5573"> +<interface name="dev_setattr_xserver_misc_dev" lineno="5664"> <summary> Set the attributes of X server miscellaneous devices. </summary> @@ -59064,7 +59203,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_xserver_misc" lineno="5591"> +<interface name="dev_rw_xserver_misc" lineno="5682"> <summary> Read and write X server miscellaneous devices. </summary> @@ -59074,7 +59213,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_map_xserver_misc" lineno="5609"> +<interface name="dev_map_xserver_misc" lineno="5700"> <summary> Map X server miscellaneous devices. </summary> @@ -59084,7 +59223,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_zero" lineno="5627"> +<interface name="dev_rw_zero" lineno="5718"> <summary> Read and write to the zero device (/dev/zero). </summary> @@ -59094,7 +59233,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rwx_zero" lineno="5645"> +<interface name="dev_rwx_zero" lineno="5736"> <summary> Read, write, and execute the zero device (/dev/zero). </summary> @@ -59104,7 +59243,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_execmod_zero" lineno="5664"> +<interface name="dev_execmod_zero" lineno="5755"> <summary> Execmod the zero device (/dev/zero). </summary> 
@@ -59114,7 +59253,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_create_zero_dev" lineno="5683"> +<interface name="dev_create_zero_dev" lineno="5774"> <summary> Create the zero device (/dev/zero). </summary> @@ -59124,7 +59263,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_read_cpu_online" lineno="5706"> +<interface name="dev_read_cpu_online" lineno="5797"> <summary> Read cpu online hardware state information </summary> @@ -59139,7 +59278,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_rw_gpiochip" lineno="5726"> +<interface name="dev_rw_gpiochip" lineno="5817"> <summary> Read and write to the gpiochip device, /dev/gpiochip[0-9] </summary> @@ -59149,7 +59288,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_unconfined" lineno="5744"> +<interface name="dev_unconfined" lineno="5835"> <summary> Unconfined access to devices. </summary> @@ -59159,7 +59298,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_relabel_cpu_online" lineno="5764"> +<interface name="dev_relabel_cpu_online" lineno="5855"> <summary> Relabel cpu online hardware state information. </summary> @@ -59169,7 +59308,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dev_dontaudit_read_usbmon_dev" lineno="5783"> +<interface name="dev_dontaudit_read_usbmon_dev" lineno="5874"> <summary> Dont audit attempts to read usbmon devices </summary> 
@@ -61863,7 +62002,18 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_default_files" lineno="2943"> +<interface name="files_dontaudit_execute_default_files" lineno="2943"> +<summary> +Do not audit attempts to execute files +with the default file type. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="files_manage_default_files" lineno="2962"> <summary> Create, read, write, and delete files with the default file type. @@ -61874,7 +62024,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_symlinks" lineno="2961"> +<interface name="files_read_default_symlinks" lineno="2980"> <summary> Read symbolic links with the default file type. </summary> @@ -61884,7 +62034,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_sockets" lineno="2979"> +<interface name="files_read_default_sockets" lineno="2998"> <summary> Read sockets with the default file type. </summary> @@ -61894,7 +62044,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_default_pipes" lineno="2997"> +<interface name="files_read_default_pipes" lineno="3016"> <summary> Read named pipes with the default file type. </summary> @@ -61904,7 +62054,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_etc" lineno="3015"> +<interface name="files_search_etc" lineno="3034"> <summary> Search the contents of /etc directories. </summary> @@ -61914,7 +62064,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_etc_dirs" lineno="3033"> +<interface name="files_setattr_etc_dirs" lineno="3052"> <summary> Set the attributes of the /etc directories. </summary> 
@@ -61924,7 +62074,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_etc" lineno="3051"> +<interface name="files_list_etc" lineno="3070"> <summary> List the contents of /etc directories. </summary> @@ -61934,7 +62084,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_etc_dirs" lineno="3069"> +<interface name="files_dontaudit_write_etc_dirs" lineno="3088"> <summary> Do not audit attempts to write to /etc dirs. </summary> @@ -61944,7 +62094,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_etc_dirs" lineno="3087"> +<interface name="files_rw_etc_dirs" lineno="3106"> <summary> Add and remove entries from /etc directories. </summary> @@ -61954,7 +62104,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_dirs" lineno="3106"> +<interface name="files_manage_etc_dirs" lineno="3125"> <summary> Manage generic directories in /etc </summary> @@ -61965,7 +62115,7 @@ Domain allowed access </param> </interface> -<interface name="files_relabelto_etc_dirs" lineno="3124"> +<interface name="files_relabelto_etc_dirs" lineno="3143"> <summary> Relabel directories to etc_t. </summary> @@ -61975,7 +62125,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_etc_dirs" lineno="3143"> +<interface name="files_mounton_etc_dirs" lineno="3162"> <summary> Mount a filesystem on the etc directories. @@ -61986,7 +62136,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_remount_etc" lineno="3161"> +<interface name="files_remount_etc" lineno="3180"> <summary> Remount etc filesystems. </summary> @@ -61996,7 +62146,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_dirs" lineno="3179"> +<interface name="files_watch_etc_dirs" lineno="3198"> <summary> Watch /etc directories </summary> 
@@ -62006,7 +62156,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_etc_files" lineno="3231"> +<interface name="files_read_etc_files" lineno="3250"> <summary> Read generic files in /etc. </summary> @@ -62050,7 +62200,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_map_etc_files" lineno="3263"> +<interface name="files_map_etc_files" lineno="3282"> <summary> Map generic files in /etc. </summary> @@ -62072,7 +62222,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_dontaudit_write_etc_files" lineno="3281"> +<interface name="files_dontaudit_write_etc_files" lineno="3300"> <summary> Do not audit attempts to write generic files in /etc. </summary> @@ -62082,7 +62232,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_etc_files" lineno="3300"> +<interface name="files_rw_etc_files" lineno="3319"> <summary> Read and write generic files in /etc. </summary> @@ -62093,7 +62243,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_etc_files" lineno="3322"> +<interface name="files_manage_etc_files" lineno="3341"> <summary> Create, read, write, and delete generic files in /etc. @@ -62105,7 +62255,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_manage_etc_files" lineno="3343"> +<interface name="files_dontaudit_manage_etc_files" lineno="3362"> <summary> Do not audit attempts to create, read, write, and delete generic files in /etc. @@ -62117,7 +62267,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="files_delete_etc_files" lineno="3361"> +<interface name="files_delete_etc_files" lineno="3380"> <summary> Delete system configuration files in /etc. </summary> 
@@ -62127,7 +62277,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_etc_files" lineno="3379"> +<interface name="files_exec_etc_files" lineno="3398"> <summary> Execute generic files in /etc. </summary> @@ -62137,7 +62287,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_files" lineno="3399"> +<interface name="files_watch_etc_files" lineno="3418"> <summary> Watch /etc files. </summary> @@ -62147,7 +62297,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_get_etc_unit_status" lineno="3417"> +<interface name="files_get_etc_unit_status" lineno="3436"> <summary> Get etc_t service status. </summary> @@ -62157,7 +62307,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_start_etc_service" lineno="3436"> +<interface name="files_start_etc_service" lineno="3455"> <summary> start etc_t service </summary> @@ -62167,7 +62317,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_stop_etc_service" lineno="3455"> +<interface name="files_stop_etc_service" lineno="3474"> <summary> stop etc_t service </summary> @@ -62177,7 +62327,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_etc_files" lineno="3474"> +<interface name="files_relabel_etc_files" lineno="3493"> <summary> Relabel from and to generic files in /etc. </summary> @@ -62187,7 +62337,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_etc_symlinks" lineno="3493"> +<interface name="files_read_etc_symlinks" lineno="3512"> <summary> Read symbolic links in /etc. </summary> @@ -62197,7 +62347,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_etc_symlinks" lineno="3511"> +<interface name="files_watch_etc_symlinks" lineno="3530"> <summary> Watch /etc symlinks </summary> 
@@ -62207,7 +62357,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_symlinks" lineno="3529"> +<interface name="files_manage_etc_symlinks" lineno="3548"> <summary> Create, read, write, and delete symbolic links in /etc. </summary> @@ -62217,7 +62367,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_etc_filetrans" lineno="3563"> +<interface name="files_etc_filetrans" lineno="3582"> <summary> Create objects in /etc with a private type using a type_transition. @@ -62243,7 +62393,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_create_boot_flag" lineno="3593"> +<interface name="files_create_boot_flag" lineno="3612"> <summary> Create a boot flag. </summary> @@ -62265,7 +62415,7 @@ The name of the object being created. </param> <rolecap/> </interface> -<interface name="files_delete_boot_flag" lineno="3619"> +<interface name="files_delete_boot_flag" lineno="3638"> <summary> Delete a boot flag. </summary> @@ -62282,7 +62432,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_etc_runtime_dirs" lineno="3638"> +<interface name="files_getattr_etc_runtime_dirs" lineno="3657"> <summary> Get the attributes of the etc_runtime directories. @@ -62293,7 +62443,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_etc_runtime_dirs" lineno="3657"> +<interface name="files_mounton_etc_runtime_dirs" lineno="3676"> <summary> Mount a filesystem on the etc_runtime directories. @@ -62304,7 +62454,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_etc_runtime_dirs" lineno="3675"> +<interface name="files_relabelto_etc_runtime_dirs" lineno="3694"> <summary> Relabel to etc_runtime_t dirs. </summary> 
@@ -62314,7 +62464,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3693"> +<interface name="files_dontaudit_setattr_etc_runtime_files" lineno="3712"> <summary> Do not audit attempts to set the attributes of the etc_runtime files </summary> @@ -62324,7 +62474,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_etc_runtime_files" lineno="3731"> +<interface name="files_read_etc_runtime_files" lineno="3750"> <summary> Read files in /etc that are dynamically created on boot, such as mtab. @@ -62354,7 +62504,7 @@ Domain allowed access. <infoflow type="read" weight="10" /> <rolecap/> </interface> -<interface name="files_dontaudit_read_etc_runtime_files" lineno="3753"> +<interface name="files_dontaudit_read_etc_runtime_files" lineno="3772"> <summary> Do not audit attempts to read files in /etc that are dynamically @@ -62366,7 +62516,19 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_read_etc_files" lineno="3772"> +<interface name="files_dontaudit_execuite_etc_runtime_files" lineno="3792"> +<summary> +Do not audit attempts to execuite files +in /etc that are dynamically +created on boot, such as mtab. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="files_dontaudit_read_etc_files" lineno="3811"> <summary> Do not audit attempts to read files in /etc @@ -62377,7 +62539,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_write_etc_runtime_files" lineno="3791"> +<interface name="files_dontaudit_write_etc_runtime_files" lineno="3830"> <summary> Do not audit attempts to write etc runtime files. 
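Review bot: The interface added in the `@@ -62366,7 +62516,19 @@` hunk is named `files_dontaudit_execuite_etc_runtime_files`, and its summary repeats the misspelling ("Do not audit attempts to execuite files"). The sibling added earlier in this diff is spelled `files_dontaudit_execute_default_files`. The name is what policy modules call, so callers have to copy the typo, and a module written with the expected spelling will not resolve to this interface. Since the commit describes doc/policy.xml as generated, the correction presumably belongs in the interface source rather than here: rename it to `files_dontaudit_execute_etc_runtime_files`, fix the summary to "Do not audit attempts to execute files", and keep the misspelled name as a deprecated wrapper if anything already calls it.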
@@ -62388,7 +62550,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_etc_runtime_files" lineno="3811"> +<interface name="files_rw_etc_runtime_files" lineno="3850"> <summary> Read and write files in /etc that are dynamically created on boot, such as mtab. @@ -62400,7 +62562,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_etc_runtime_files" lineno="3833"> +<interface name="files_manage_etc_runtime_files" lineno="3872"> <summary> Create, read, write, and delete files in /etc that are dynamically created on boot, @@ -62413,7 +62575,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabelto_etc_runtime_files" lineno="3851"> +<interface name="files_relabelto_etc_runtime_files" lineno="3890"> <summary> Relabel to etc_runtime_t files. </summary> @@ -62423,7 +62585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_etc_filetrans_etc_runtime" lineno="3880"> +<interface name="files_etc_filetrans_etc_runtime" lineno="3919"> <summary> Create, etc runtime objects with an automatic type transition. @@ -62444,7 +62606,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_home_dir" lineno="3899"> +<interface name="files_getattr_home_dir" lineno="3938"> <summary> Get the attributes of the home directories root (/home). @@ -62455,7 +62617,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_home_dir" lineno="3920"> +<interface name="files_dontaudit_getattr_home_dir" lineno="3959"> <summary> Do not audit attempts to get the attributes of the home directories root @@ -62467,7 +62629,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_search_home" lineno="3939"> +<interface name="files_search_home" lineno="3978"> <summary> Search home directories root (/home). </summary> 
@@ -62477,7 +62639,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_home" lineno="3959"> +<interface name="files_dontaudit_search_home" lineno="3998"> <summary> Do not audit attempts to search home directories root (/home). @@ -62488,7 +62650,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_list_home" lineno="3979"> +<interface name="files_dontaudit_list_home" lineno="4018"> <summary> Do not audit attempts to list home directories root (/home). @@ -62499,7 +62661,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_home" lineno="3998"> +<interface name="files_list_home" lineno="4037"> <summary> Get listing of home directories. </summary> @@ -62509,7 +62671,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_home" lineno="4017"> +<interface name="files_relabelto_home" lineno="4056"> <summary> Relabel to user home root (/home). </summary> @@ -62519,7 +62681,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelfrom_home" lineno="4035"> +<interface name="files_relabelfrom_home" lineno="4074"> <summary> Relabel from user home root (/home). </summary> @@ -62529,7 +62691,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_home" lineno="4053"> +<interface name="files_watch_home" lineno="4092"> <summary> Watch the user home root (/home). </summary> @@ -62539,7 +62701,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_home_filetrans" lineno="4086"> +<interface name="files_home_filetrans" lineno="4125"> <summary> Create objects in /home. </summary> 
@@ -62564,7 +62726,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_lost_found_dirs" lineno="4104"> +<interface name="files_getattr_lost_found_dirs" lineno="4143"> <summary> Get the attributes of lost+found directories. </summary> @@ -62574,7 +62736,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4123"> +<interface name="files_dontaudit_getattr_lost_found_dirs" lineno="4162"> <summary> Do not audit attempts to get the attributes of lost+found directories. @@ -62585,7 +62747,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_lost_found" lineno="4141"> +<interface name="files_list_lost_found" lineno="4180"> <summary> List the contents of lost+found directories. </summary> @@ -62595,7 +62757,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_lost_found" lineno="4161"> +<interface name="files_manage_lost_found" lineno="4200"> <summary> Create, read, write, and delete objects in lost+found directories. @@ -62607,7 +62769,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_search_mnt" lineno="4183"> +<interface name="files_search_mnt" lineno="4222"> <summary> Search the contents of /mnt. </summary> @@ -62617,7 +62779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_mnt" lineno="4201"> +<interface name="files_dontaudit_search_mnt" lineno="4240"> <summary> Do not audit attempts to search /mnt. </summary> @@ -62627,7 +62789,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_mnt" lineno="4219"> +<interface name="files_list_mnt" lineno="4258"> <summary> List the contents of /mnt. </summary> 
@@ -62637,7 +62799,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_mnt" lineno="4237"> +<interface name="files_dontaudit_list_mnt" lineno="4276"> <summary> Do not audit attempts to list the contents of /mnt. </summary> @@ -62647,7 +62809,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_mnt" lineno="4255"> +<interface name="files_mounton_mnt" lineno="4294"> <summary> Mount a filesystem on /mnt. </summary> @@ -62657,7 +62819,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mnt_dirs" lineno="4274"> +<interface name="files_manage_mnt_dirs" lineno="4313"> <summary> Create, read, write, and delete directories in /mnt. </summary> @@ -62668,7 +62830,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_mnt_files" lineno="4292"> +<interface name="files_manage_mnt_files" lineno="4331"> <summary> Create, read, write, and delete files in /mnt. </summary> @@ -62678,7 +62840,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_mnt_files" lineno="4310"> +<interface name="files_read_mnt_files" lineno="4349"> <summary> read files in /mnt. </summary> @@ -62688,7 +62850,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_mnt_symlinks" lineno="4328"> +<interface name="files_read_mnt_symlinks" lineno="4367"> <summary> Read symbolic links in /mnt. </summary> @@ -62698,7 +62860,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mnt_symlinks" lineno="4346"> +<interface name="files_manage_mnt_symlinks" lineno="4385"> <summary> Create, read, write, and delete symbolic links in /mnt. </summary> 
@@ -62708,7 +62870,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_kernel_modules" lineno="4364"> +<interface name="files_search_kernel_modules" lineno="4403"> <summary> Search the contents of the kernel module directories. </summary> @@ -62718,7 +62880,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_kernel_modules" lineno="4383"> +<interface name="files_list_kernel_modules" lineno="4422"> <summary> List the contents of the kernel module directories. </summary> @@ -62728,7 +62890,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_kernel_modules" lineno="4402"> +<interface name="files_getattr_kernel_modules" lineno="4441"> <summary> Get the attributes of kernel module files. </summary> @@ -62738,7 +62900,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_kernel_modules" lineno="4420"> +<interface name="files_read_kernel_modules" lineno="4459"> <summary> Read kernel module files. </summary> @@ -62748,7 +62910,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mmap_read_kernel_modules" lineno="4440"> +<interface name="files_mmap_read_kernel_modules" lineno="4479"> <summary> Read and mmap kernel module files. </summary> @@ -62758,7 +62920,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_kernel_modules" lineno="4461"> +<interface name="files_write_kernel_modules" lineno="4500"> <summary> Write kernel module files. </summary> @@ -62768,7 +62930,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_kernel_modules" lineno="4480"> +<interface name="files_delete_kernel_modules" lineno="4519"> <summary> Delete kernel module files. </summary> 
@@ -62778,7 +62940,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_kernel_modules" lineno="4500"> +<interface name="files_manage_kernel_modules" lineno="4539"> <summary> Create, read, write, and delete kernel module files. @@ -62790,7 +62952,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_kernel_modules" lineno="4520"> +<interface name="files_relabel_kernel_modules" lineno="4559"> <summary> Relabel from and to kernel module files. </summary> @@ -62800,7 +62962,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_kernel_modules_dirs" lineno="4539"> +<interface name="files_mounton_kernel_modules_dirs" lineno="4578"> <summary> Mount on kernel module directories. </summary> @@ -62810,7 +62972,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_kernel_modules_filetrans" lineno="4573"> +<interface name="files_kernel_modules_filetrans" lineno="4612"> <summary> Create objects in the kernel module directories with a private type via an automatic type transition. @@ -62836,7 +62998,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_load_kernel_modules" lineno="4591"> +<interface name="files_load_kernel_modules" lineno="4630"> <summary> Load kernel module files. </summary> @@ -62846,7 +63008,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_load_kernel_modules" lineno="4610"> +<interface name="files_dontaudit_load_kernel_modules" lineno="4649"> <summary> Load kernel module files. </summary> @@ -62856,7 +63018,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_world_readable" lineno="4630"> +<interface name="files_list_world_readable" lineno="4669"> <summary> List world-readable directories. </summary> 
@@ -62867,7 +63029,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_files" lineno="4649"> +<interface name="files_read_world_readable_files" lineno="4688"> <summary> Read world-readable files. </summary> @@ -62878,7 +63040,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_symlinks" lineno="4668"> +<interface name="files_read_world_readable_symlinks" lineno="4707"> <summary> Read world-readable symbolic links. </summary> @@ -62889,7 +63051,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_world_readable_pipes" lineno="4686"> +<interface name="files_read_world_readable_pipes" lineno="4725"> <summary> Read world-readable named pipes. </summary> @@ -62899,7 +63061,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_world_readable_sockets" lineno="4704"> +<interface name="files_read_world_readable_sockets" lineno="4743"> <summary> Read world-readable sockets. </summary> @@ -62909,7 +63071,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_associate_tmp" lineno="4724"> +<interface name="files_associate_tmp" lineno="4763"> <summary> Allow the specified type to associate to a filesystem with the type of the @@ -62921,7 +63083,7 @@ Type of the file to associate. </summary> </param> </interface> -<interface name="files_getattr_tmp_dirs" lineno="4742"> +<interface name="files_getattr_tmp_dirs" lineno="4781"> <summary> Get the attributes of the tmp directory (/tmp). </summary> @@ -62931,7 +63093,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4761"> +<interface name="files_dontaudit_getattr_tmp_dirs" lineno="4800"> <summary> Do not audit attempts to get the attributes of the tmp directory (/tmp). 
@@ -62942,7 +63104,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_tmp" lineno="4779"> +<interface name="files_search_tmp" lineno="4818"> <summary> Search the tmp directory (/tmp). </summary> @@ -62952,7 +63114,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_tmp" lineno="4797"> +<interface name="files_dontaudit_search_tmp" lineno="4836"> <summary> Do not audit attempts to search the tmp directory (/tmp). </summary> @@ -62962,7 +63124,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_tmp" lineno="4815"> +<interface name="files_list_tmp" lineno="4854"> <summary> Read the tmp directory (/tmp). </summary> @@ -62972,7 +63134,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_tmp" lineno="4833"> +<interface name="files_dontaudit_list_tmp" lineno="4872"> <summary> Do not audit listing of the tmp directory (/tmp). </summary> @@ -62982,7 +63144,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_delete_tmp_dir_entry" lineno="4851"> +<interface name="files_delete_tmp_dir_entry" lineno="4890"> <summary> Remove entries from the tmp directory. </summary> @@ -62992,7 +63154,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_tmp_files" lineno="4869"> +<interface name="files_read_generic_tmp_files" lineno="4908"> <summary> Read files in the tmp directory (/tmp). </summary> @@ -63002,7 +63164,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_tmp_dirs" lineno="4887"> +<interface name="files_manage_generic_tmp_dirs" lineno="4926"> <summary> Manage temporary directories in /tmp. </summary> 
@@ -63012,7 +63174,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_generic_tmp_dirs" lineno="4905"> +<interface name="files_relabel_generic_tmp_dirs" lineno="4944"> <summary> Relabel temporary directories in /tmp. </summary> @@ -63022,7 +63184,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_tmp_files" lineno="4923"> +<interface name="files_manage_generic_tmp_files" lineno="4962"> <summary> Manage temporary files and directories in /tmp. </summary> @@ -63032,7 +63194,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_tmp_symlinks" lineno="4941"> +<interface name="files_read_generic_tmp_symlinks" lineno="4980"> <summary> Read symbolic links in the tmp directory (/tmp). </summary> @@ -63042,7 +63204,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_generic_tmp_sockets" lineno="4959"> +<interface name="files_rw_generic_tmp_sockets" lineno="4998"> <summary> Read and write generic named sockets in the tmp directory (/tmp). </summary> @@ -63052,7 +63214,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_tmp" lineno="4977"> +<interface name="files_mounton_tmp" lineno="5016"> <summary> Mount filesystems in the tmp directory (/tmp) </summary> @@ -63062,7 +63224,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_all_tmp_dirs" lineno="4995"> +<interface name="files_setattr_all_tmp_dirs" lineno="5034"> <summary> Set the attributes of all tmp directories. </summary> @@ -63072,7 +63234,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_all_tmp" lineno="5013"> +<interface name="files_list_all_tmp" lineno="5052"> <summary> List all tmp directories. </summary> 
@@ -63082,7 +63244,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_tmp_dirs" lineno="5033"> +<interface name="files_relabel_all_tmp_dirs" lineno="5072"> <summary> Relabel to and from all temporary directory types. @@ -63094,7 +63256,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5054"> +<interface name="files_dontaudit_getattr_all_tmp_files" lineno="5093"> <summary> Do not audit attempts to get the attributes of all tmp files. @@ -63105,7 +63267,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_getattr_all_tmp_files" lineno="5073"> +<interface name="files_getattr_all_tmp_files" lineno="5112"> <summary> Allow attempts to get the attributes of all tmp files. @@ -63116,7 +63278,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_tmp_files" lineno="5093"> +<interface name="files_relabel_all_tmp_files" lineno="5132"> <summary> Relabel to and from all temporary file types. @@ -63128,7 +63290,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5114"> +<interface name="files_dontaudit_getattr_all_tmp_sockets" lineno="5153"> <summary> Do not audit attempts to get the attributes of all tmp sock_file. @@ -63139,7 +63301,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="files_read_all_tmp_files" lineno="5132"> +<interface name="files_read_all_tmp_files" lineno="5171"> <summary> Read all tmp files. </summary> @@ -63149,7 +63311,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_tmp_filetrans" lineno="5166"> +<interface name="files_tmp_filetrans" lineno="5205"> <summary> Create an object in the tmp directories, with a private type using a type transition. 
@@ -63175,7 +63337,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_purge_tmp" lineno="5184"> +<interface name="files_purge_tmp" lineno="5223"> <summary> Delete the contents of /tmp. </summary> @@ -63185,7 +63347,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_all_tmpfs_files" lineno="5207"> +<interface name="files_getattr_all_tmpfs_files" lineno="5246"> <summary> Get the attributes of all tmpfs files. </summary> @@ -63195,7 +63357,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_usr_dirs" lineno="5226"> +<interface name="files_setattr_usr_dirs" lineno="5265"> <summary> Set the attributes of the /usr directory. </summary> @@ -63205,7 +63367,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_usr" lineno="5244"> +<interface name="files_search_usr" lineno="5283"> <summary> Search the content of /usr. </summary> @@ -63215,7 +63377,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_usr" lineno="5263"> +<interface name="files_list_usr" lineno="5302"> <summary> List the contents of generic directories in /usr. @@ -63226,7 +63388,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_usr_dirs" lineno="5281"> +<interface name="files_dontaudit_write_usr_dirs" lineno="5320"> <summary> Do not audit write of /usr dirs </summary> @@ -63236,7 +63398,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_rw_usr_dirs" lineno="5299"> +<interface name="files_rw_usr_dirs" lineno="5338"> <summary> Add and remove entries from /usr directories. </summary> 
@@ -63246,7 +63408,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_rw_usr_dirs" lineno="5318"> +<interface name="files_dontaudit_rw_usr_dirs" lineno="5357"> <summary> Do not audit attempts to add and remove entries from /usr directories. @@ -63257,7 +63419,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_delete_usr_dirs" lineno="5336"> +<interface name="files_delete_usr_dirs" lineno="5375"> <summary> Delete generic directories in /usr in the caller domain. </summary> @@ -63267,7 +63429,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_usr_dirs" lineno="5354"> +<interface name="files_watch_usr_dirs" lineno="5393"> <summary> Watch generic directories in /usr. </summary> @@ -63277,7 +63439,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_usr_files" lineno="5372"> +<interface name="files_delete_usr_files" lineno="5411"> <summary> Delete generic files in /usr in the caller domain. </summary> @@ -63287,7 +63449,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_getattr_usr_files" lineno="5390"> +<interface name="files_getattr_usr_files" lineno="5429"> <summary> Get the attributes of files in /usr. </summary> @@ -63297,7 +63459,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_map_usr_files" lineno="5409"> +<interface name="files_map_usr_files" lineno="5448"> <summary> Map generic files in /usr. </summary> @@ -63308,7 +63470,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_read_usr_files" lineno="5445"> +<interface name="files_read_usr_files" lineno="5484"> <summary> Read generic files in /usr. </summary> 
@@ -63336,7 +63498,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="files_exec_usr_files" lineno="5465"> +<interface name="files_exec_usr_files" lineno="5504"> <summary> Execute generic programs in /usr in the caller domain. </summary> @@ -63346,7 +63508,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_usr_files" lineno="5485"> +<interface name="files_dontaudit_write_usr_files" lineno="5524"> <summary> dontaudit write of /usr files </summary> @@ -63356,7 +63518,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_usr_files" lineno="5503"> +<interface name="files_manage_usr_files" lineno="5542"> <summary> Create, read, write, and delete files in the /usr directory. </summary> @@ -63366,7 +63528,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelto_usr_files" lineno="5521"> +<interface name="files_relabelto_usr_files" lineno="5560"> <summary> Relabel a file to the type used in /usr. </summary> @@ -63376,7 +63538,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabelfrom_usr_files" lineno="5539"> +<interface name="files_relabelfrom_usr_files" lineno="5578"> <summary> Relabel a file from the type used in /usr. </summary> @@ -63386,7 +63548,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_usr_symlinks" lineno="5557"> +<interface name="files_read_usr_symlinks" lineno="5596"> <summary> Read symbolic links in /usr. </summary> @@ -63396,7 +63558,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_usr_filetrans" lineno="5590"> +<interface name="files_usr_filetrans" lineno="5629"> <summary> Create objects in the /usr directory </summary> 
@@ -63421,7 +63583,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_search_src" lineno="5608"> +<interface name="files_search_src" lineno="5647"> <summary> Search directories in /usr/src. </summary> @@ -63431,7 +63593,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_src" lineno="5626"> +<interface name="files_dontaudit_search_src" lineno="5665"> <summary> Do not audit attempts to search /usr/src. </summary> @@ -63441,7 +63603,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_getattr_usr_src_files" lineno="5644"> +<interface name="files_getattr_usr_src_files" lineno="5683"> <summary> Get the attributes of files in /usr/src. </summary> @@ -63451,7 +63613,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_usr_src_files" lineno="5665"> +<interface name="files_read_usr_src_files" lineno="5704"> <summary> Read files in /usr/src. </summary> @@ -63461,7 +63623,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_usr_src_files" lineno="5686"> +<interface name="files_exec_usr_src_files" lineno="5725"> <summary> Execute programs in /usr/src in the caller domain. </summary> @@ -63471,7 +63633,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_kernel_symbol_table" lineno="5706"> +<interface name="files_create_kernel_symbol_table" lineno="5745"> <summary> Install a system.map into the /boot directory. </summary> @@ -63481,7 +63643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_kernel_symbol_table" lineno="5725"> +<interface name="files_read_kernel_symbol_table" lineno="5764"> <summary> Read system.map in the /boot directory. </summary> 
@@ -63491,7 +63653,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_kernel_symbol_table" lineno="5744"> +<interface name="files_delete_kernel_symbol_table" lineno="5783"> <summary> Delete a system.map in the /boot directory. </summary> @@ -63501,7 +63663,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_kernel_symbol_table" lineno="5763"> +<interface name="files_mounton_kernel_symbol_table" lineno="5802"> <summary> Mount on a system.map in the /boot directory (for bind mounts). </summary> @@ -63511,7 +63673,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_var" lineno="5782"> +<interface name="files_search_var" lineno="5821"> <summary> Search the contents of /var. </summary> @@ -63521,7 +63683,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_write_var_dirs" lineno="5800"> +<interface name="files_dontaudit_write_var_dirs" lineno="5839"> <summary> Do not audit attempts to write to /var. </summary> @@ -63531,7 +63693,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_write_var_dirs" lineno="5818"> +<interface name="files_write_var_dirs" lineno="5857"> <summary> Allow attempts to write to /var.dirs </summary> @@ -63541,7 +63703,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_var" lineno="5837"> +<interface name="files_dontaudit_search_var" lineno="5876"> <summary> Do not audit attempts to search the contents of /var. @@ -63552,7 +63714,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_var" lineno="5855"> +<interface name="files_list_var" lineno="5894"> <summary> List the contents of /var. </summary> 
@@ -63562,7 +63724,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_list_var" lineno="5874"> +<interface name="files_dontaudit_list_var" lineno="5913"> <summary> Do not audit attempts to list the contents of /var. @@ -63573,7 +63735,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_var_dirs" lineno="5893"> +<interface name="files_manage_var_dirs" lineno="5932"> <summary> Create, read, write, and delete directories in the /var directory. @@ -63584,7 +63746,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_var_dirs" lineno="5911"> +<interface name="files_relabel_var_dirs" lineno="5950"> <summary> relabelto/from var directories </summary> @@ -63594,7 +63756,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_files" lineno="5929"> +<interface name="files_read_var_files" lineno="5968"> <summary> Read files in the /var directory. </summary> @@ -63604,7 +63766,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_append_var_files" lineno="5947"> +<interface name="files_append_var_files" lineno="5986"> <summary> Append files in the /var directory. </summary> @@ -63614,7 +63776,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_var_files" lineno="5965"> +<interface name="files_rw_var_files" lineno="6004"> <summary> Read and write files in the /var directory. </summary> @@ -63624,7 +63786,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_rw_var_files" lineno="5984"> +<interface name="files_dontaudit_rw_var_files" lineno="6023"> <summary> Do not audit attempts to read and write files in the /var directory. 
@@ -63635,7 +63797,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_manage_var_files" lineno="6002"> +<interface name="files_manage_var_files" lineno="6041"> <summary> Create, read, write, and delete files in the /var directory. </summary> @@ -63645,7 +63807,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_symlinks" lineno="6020"> +<interface name="files_read_var_symlinks" lineno="6059"> <summary> Read symbolic links in the /var directory. </summary> @@ -63655,7 +63817,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_var_symlinks" lineno="6039"> +<interface name="files_manage_var_symlinks" lineno="6078"> <summary> Create, read, write, and delete symbolic links in the /var directory. @@ -63666,7 +63828,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_var_filetrans" lineno="6072"> +<interface name="files_var_filetrans" lineno="6111"> <summary> Create objects in the /var directory </summary> @@ -63691,7 +63853,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_getattr_var_lib_dirs" lineno="6090"> +<interface name="files_getattr_var_lib_dirs" lineno="6129"> <summary> Get the attributes of the /var/lib directory. </summary> @@ -63701,7 +63863,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_var_lib" lineno="6122"> +<interface name="files_search_var_lib" lineno="6161"> <summary> Search the /var/lib directory. </summary> @@ -63725,7 +63887,7 @@ Domain allowed access. </param> <infoflow type="read" weight="5"/> </interface> -<interface name="files_dontaudit_search_var_lib" lineno="6142"> +<interface name="files_dontaudit_search_var_lib" lineno="6181"> <summary> Do not audit attempts to search the contents of /var/lib. 
@@ -63737,7 +63899,7 @@ Domain to not audit. </param> <infoflow type="read" weight="5"/> </interface> -<interface name="files_list_var_lib" lineno="6160"> +<interface name="files_list_var_lib" lineno="6199"> <summary> List the contents of the /var/lib directory. </summary> @@ -63747,7 +63909,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_var_lib_dirs" lineno="6178"> +<interface name="files_rw_var_lib_dirs" lineno="6217"> <summary> Read-write /var/lib directories </summary> @@ -63757,7 +63919,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_var_lib_dirs" lineno="6196"> +<interface name="files_manage_var_lib_dirs" lineno="6235"> <summary> manage var_lib_t dirs </summary> @@ -63767,7 +63929,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_var_lib_dirs" lineno="6215"> +<interface name="files_relabel_var_lib_dirs" lineno="6254"> <summary> relabel var_lib_t dirs </summary> @@ -63777,7 +63939,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_var_lib_filetrans" lineno="6249"> +<interface name="files_var_lib_filetrans" lineno="6288"> <summary> Create objects in the /var/lib directory </summary> @@ -63802,7 +63964,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_read_var_lib_files" lineno="6268"> +<interface name="files_read_var_lib_files" lineno="6307"> <summary> Read generic files in /var/lib. </summary> @@ -63812,7 +63974,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_var_lib_symlinks" lineno="6287"> +<interface name="files_read_var_lib_symlinks" lineno="6326"> <summary> Read generic symbolic links in /var/lib </summary> 
@@ -63822,7 +63984,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_urandom_seed" lineno="6309"> +<interface name="files_manage_urandom_seed" lineno="6348"> <summary> Create, read, write, and delete the pseudorandom number generator seed. @@ -63833,7 +63995,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_mounttab" lineno="6328"> +<interface name="files_manage_mounttab" lineno="6367"> <summary> Allow domain to manage mount tables necessary for rpcd, nfsd, etc. @@ -63844,7 +64006,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_lock_dirs" lineno="6347"> +<interface name="files_setattr_lock_dirs" lineno="6386"> <summary> Set the attributes of the generic lock directories. </summary> @@ -63854,7 +64016,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_locks" lineno="6365"> +<interface name="files_search_locks" lineno="6404"> <summary> Search the locks directory (/var/lock). </summary> @@ -63864,7 +64026,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_locks" lineno="6385"> +<interface name="files_dontaudit_search_locks" lineno="6424"> <summary> Do not audit attempts to search the locks directory (/var/lock). @@ -63875,7 +64037,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_locks" lineno="6404"> +<interface name="files_list_locks" lineno="6443"> <summary> List generic lock directories. </summary> @@ -63885,7 +64047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_check_write_lock_dirs" lineno="6423"> +<interface name="files_check_write_lock_dirs" lineno="6462"> <summary> Test write access on lock directories. </summary> 
@@ -63895,7 +64057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_add_entry_lock_dirs" lineno="6442"> +<interface name="files_add_entry_lock_dirs" lineno="6481"> <summary> Add entries in the /var/lock directories. </summary> @@ -63905,7 +64067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_lock_dirs" lineno="6462"> +<interface name="files_rw_lock_dirs" lineno="6501"> <summary> Add and remove entries in the /var/lock directories. @@ -63916,7 +64078,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_lock_dirs" lineno="6481"> +<interface name="files_create_lock_dirs" lineno="6520"> <summary> Create lock directories </summary> @@ -63926,7 +64088,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_relabel_all_lock_dirs" lineno="6502"> +<interface name="files_relabel_all_lock_dirs" lineno="6541"> <summary> Relabel to and from all lock directory types. </summary> @@ -63937,7 +64099,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_getattr_generic_locks" lineno="6523"> +<interface name="files_getattr_generic_locks" lineno="6562"> <summary> Get the attributes of generic lock files. </summary> @@ -63947,7 +64109,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_generic_locks" lineno="6544"> +<interface name="files_delete_generic_locks" lineno="6583"> <summary> Delete generic lock files. </summary> @@ -63957,7 +64119,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_locks" lineno="6565"> +<interface name="files_manage_generic_locks" lineno="6604"> <summary> Create, read, write, and delete generic lock files. 
@@ -63968,7 +64130,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_locks" lineno="6587"> +<interface name="files_delete_all_locks" lineno="6626"> <summary> Delete all lock files. </summary> @@ -63979,7 +64141,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_read_all_locks" lineno="6608"> +<interface name="files_read_all_locks" lineno="6647"> <summary> Read all lock files. </summary> @@ -63989,7 +64151,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_all_locks" lineno="6631"> +<interface name="files_manage_all_locks" lineno="6670"> <summary> manage all lock files. </summary> @@ -63999,7 +64161,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_locks" lineno="6654"> +<interface name="files_relabel_all_locks" lineno="6693"> <summary> Relabel from/to all lock files. </summary> @@ -64009,7 +64171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_lock_filetrans" lineno="6693"> +<interface name="files_lock_filetrans" lineno="6732"> <summary> Create an object in the locks directory, with a private type using a type transition. @@ -64035,7 +64197,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6714"> +<interface name="files_dontaudit_getattr_runtime_dirs" lineno="6753"> <summary> Do not audit attempts to get the attributes of the /var/run directory. @@ -64046,7 +64208,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_mounton_runtime_dirs" lineno="6733"> +<interface name="files_mounton_runtime_dirs" lineno="6772"> <summary> mounton a /var/run directory. </summary> 
@@ -64056,7 +64218,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_setattr_runtime_dirs" lineno="6751"> +<interface name="files_setattr_runtime_dirs" lineno="6790"> <summary> Set the attributes of the /var/run directory. </summary> @@ -64066,7 +64228,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_runtime" lineno="6771"> +<interface name="files_search_runtime" lineno="6810"> <summary> Search the contents of runtime process ID directories (/var/run). @@ -64077,7 +64239,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_runtime" lineno="6791"> +<interface name="files_dontaudit_search_runtime" lineno="6830"> <summary> Do not audit attempts to search the /var/run directory. @@ -64088,7 +64250,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_runtime" lineno="6811"> +<interface name="files_list_runtime" lineno="6850"> <summary> List the contents of the runtime process ID directories (/var/run). @@ -64099,7 +64261,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_check_write_runtime_dirs" lineno="6830"> +<interface name="files_check_write_runtime_dirs" lineno="6869"> <summary> Check write access on /var/run directories. </summary> @@ -64109,7 +64271,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_runtime_dirs" lineno="6848"> +<interface name="files_create_runtime_dirs" lineno="6887"> <summary> Create a /var/run directory. </summary> @@ -64119,7 +64281,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_runtime_dirs" lineno="6866"> +<interface name="files_rw_runtime_dirs" lineno="6905"> <summary> Read and write a /var/run directory. </summary> 
@@ -64129,7 +64291,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_watch_runtime_dirs" lineno="6884"> +<interface name="files_watch_var_lib_dirs" lineno="6923"> +<summary> +Watch /var/lib directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="files_watch_runtime_dirs" lineno="6941"> <summary> Watch /var/run directories. </summary> @@ -64139,7 +64311,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_runtime_files" lineno="6902"> +<interface name="files_watch_var_dirs" lineno="6959"> +<summary> +Watch /var directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="files_read_runtime_files" lineno="6977"> <summary> Read generic runtime files. </summary> @@ -64149,7 +64331,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_exec_runtime" lineno="6922"> +<interface name="files_exec_runtime" lineno="6997"> <summary> Execute generic programs in /var/run in the caller domain. </summary> @@ -64159,7 +64341,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_rw_runtime_files" lineno="6940"> +<interface name="files_dontaudit_exec_runtime" lineno="7015"> +<summary> +Dontaudit attempt to execute generic programs in /var/run in the caller domain. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="files_rw_runtime_files" lineno="7033"> <summary> Read and write generic runtime files. </summary> @@ -64169,7 +64361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_runtime_symlinks" lineno="6960"> +<interface name="files_delete_runtime_symlinks" lineno="7053"> <summary> Delete generic runtime symlinks. </summary> 
@@ -64179,7 +64371,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_write_runtime_pipes" lineno="6978"> +<interface name="files_write_runtime_pipes" lineno="7071"> <summary> Write named generic runtime pipes. </summary> @@ -64189,7 +64381,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_dirs" lineno="6998"> +<interface name="files_delete_all_runtime_dirs" lineno="7091"> <summary> Delete all runtime dirs. </summary> @@ -64200,7 +64392,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_dirs" lineno="7016"> +<interface name="files_manage_all_runtime_dirs" lineno="7109"> <summary> Create, read, write, and delete all runtime directories. </summary> @@ -64210,7 +64402,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_dirs" lineno="7034"> +<interface name="files_relabel_all_runtime_dirs" lineno="7127"> <summary> Relabel all runtime directories. </summary> @@ -64220,7 +64412,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7053"> +<interface name="files_dontaudit_getattr_all_runtime_files" lineno="7146"> <summary> Do not audit attempts to get the attributes of all runtime data files. @@ -64231,7 +64423,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_read_all_runtime_files" lineno="7074"> +<interface name="files_read_all_runtime_files" lineno="7167"> <summary> Read all runtime files. </summary> @@ -64242,7 +64434,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7095"> +<interface name="files_dontaudit_ioctl_all_runtime_files" lineno="7188"> <summary> Do not audit attempts to ioctl all runtime files. </summary> 
@@ -64252,7 +64444,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_dontaudit_write_all_runtime_files" lineno="7115"> +<interface name="files_dontaudit_write_all_runtime_files" lineno="7208"> <summary> Do not audit attempts to write to all runtime files. </summary> @@ -64262,7 +64454,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_delete_all_runtime_files" lineno="7136"> +<interface name="files_delete_all_runtime_files" lineno="7229"> <summary> Delete all runtime files. </summary> @@ -64273,7 +64465,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_files" lineno="7155"> +<interface name="files_manage_all_runtime_files" lineno="7248"> <summary> Create, read, write and delete all var_run (pid) files @@ -64284,7 +64476,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_files" lineno="7173"> +<interface name="files_relabel_all_runtime_files" lineno="7266"> <summary> Relabel all runtime files. </summary> @@ -64294,7 +64486,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_symlinks" lineno="7192"> +<interface name="files_delete_all_runtime_symlinks" lineno="7285"> <summary> Delete all runtime symlinks. </summary> @@ -64305,7 +64497,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_runtime_symlinks" lineno="7211"> +<interface name="files_manage_all_runtime_symlinks" lineno="7304"> <summary> Create, read, write and delete all var_run (pid) symbolic links. @@ -64316,7 +64508,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_symlinks" lineno="7229"> +<interface name="files_relabel_all_runtime_symlinks" lineno="7322"> <summary> Relabel all runtime symbolic links. </summary> 
@@ -64326,7 +64518,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_all_runtime_pipes" lineno="7247"> +<interface name="files_create_all_runtime_pipes" lineno="7340"> <summary> Create all runtime named pipes </summary> @@ -64336,7 +64528,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_pipes" lineno="7266"> +<interface name="files_delete_all_runtime_pipes" lineno="7359"> <summary> Delete all runtime named pipes </summary> @@ -64346,7 +64538,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_create_all_runtime_sockets" lineno="7285"> +<interface name="files_create_all_runtime_sockets" lineno="7378"> <summary> Create all runtime sockets. </summary> @@ -64356,7 +64548,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_runtime_sockets" lineno="7303"> +<interface name="files_delete_all_runtime_sockets" lineno="7396"> <summary> Delete all runtime sockets. </summary> @@ -64366,7 +64558,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_relabel_all_runtime_sockets" lineno="7321"> +<interface name="files_relabel_all_runtime_sockets" lineno="7414"> <summary> Relabel all runtime named sockets. </summary> @@ -64376,7 +64568,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_runtime_filetrans" lineno="7381"> +<interface name="files_runtime_filetrans" lineno="7474"> <summary> Create an object in the /run directory, with a private type. </summary> @@ -64428,7 +64620,7 @@ The name of the object being created. </param> <infoflow type="write" weight="10"/> </interface> -<interface name="files_runtime_filetrans_lock_dir" lineno="7406"> +<interface name="files_runtime_filetrans_lock_dir" lineno="7499"> <summary> Create a generic lock directory within the run directories. </summary> 
@@ -64443,7 +64635,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_create_all_spool_sockets" lineno="7424"> +<interface name="files_create_all_spool_sockets" lineno="7517"> <summary> Create all spool sockets </summary> @@ -64453,7 +64645,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_delete_all_spool_sockets" lineno="7442"> +<interface name="files_delete_all_spool_sockets" lineno="7535"> <summary> Delete all spool sockets </summary> @@ -64463,7 +64655,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_mounton_all_poly_members" lineno="7461"> +<interface name="files_mounton_all_poly_members" lineno="7554"> <summary> Mount filesystems on all polyinstantiation member directories. @@ -64474,7 +64666,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_search_spool" lineno="7480"> +<interface name="files_search_spool" lineno="7573"> <summary> Search the contents of generic spool directories (/var/spool). @@ -64485,7 +64677,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_dontaudit_search_spool" lineno="7499"> +<interface name="files_dontaudit_search_spool" lineno="7592"> <summary> Do not audit attempts to search generic spool directories. @@ -64496,7 +64688,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="files_list_spool" lineno="7518"> +<interface name="files_list_spool" lineno="7611"> <summary> List the contents of generic spool (/var/spool) directories. @@ -64507,7 +64699,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_spool_dirs" lineno="7537"> +<interface name="files_manage_generic_spool_dirs" lineno="7630"> <summary> Create, read, write, and delete generic spool directories (/var/spool). 
@@ -64518,7 +64710,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_read_generic_spool" lineno="7556"> +<interface name="files_read_generic_spool" lineno="7649"> <summary> Read generic spool files. </summary> @@ -64528,7 +64720,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_generic_spool" lineno="7576"> +<interface name="files_manage_generic_spool" lineno="7669"> <summary> Create, read, write, and delete generic spool files. @@ -64539,7 +64731,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_spool_filetrans" lineno="7612"> +<interface name="files_spool_filetrans" lineno="7705"> <summary> Create objects in the spool directory with a private type with a type transition. @@ -64566,7 +64758,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="files_polyinstantiate_all" lineno="7632"> +<interface name="files_polyinstantiate_all" lineno="7725"> <summary> Allow access to manage all polyinstantiated directories on the system. @@ -64577,7 +64769,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_unconfined" lineno="7686"> +<interface name="files_unconfined" lineno="7779"> <summary> Unconfined access to files. </summary> @@ -64587,7 +64779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_manage_etc_runtime_lnk_files" lineno="7708"> +<interface name="files_manage_etc_runtime_lnk_files" lineno="7801"> <summary> Create, read, write, and delete symbolic links in /etc that are dynamically created on boot. @@ -64599,7 +64791,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_dontaudit_read_etc_runtime" lineno="7726"> +<interface name="files_dontaudit_read_etc_runtime" lineno="7819"> <summary> Do not audit attempts to read etc_runtime resources </summary> 
@@ -64609,7 +64801,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="files_list_src" lineno="7744"> +<interface name="files_list_src" lineno="7837"> <summary> List usr/src files </summary> @@ -64619,7 +64811,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_read_src_files" lineno="7762"> +<interface name="files_read_src_files" lineno="7855"> <summary> Read usr/src files </summary> @@ -64629,7 +64821,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_manage_src_files" lineno="7780"> +<interface name="files_manage_src_files" lineno="7873"> <summary> Manage /usr/src files </summary> @@ -64639,7 +64831,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_lib_filetrans_kernel_modules" lineno="7811"> +<interface name="files_lib_filetrans_kernel_modules" lineno="7904"> <summary> Create a resource in the generic lib location with an automatic type transition towards the kernel modules @@ -64661,7 +64853,7 @@ Optional name of the resource </summary> </param> </interface> -<interface name="files_read_etc_runtime" lineno="7829"> +<interface name="files_read_etc_runtime" lineno="7922"> <summary> Read etc runtime resources </summary> @@ -64671,7 +64863,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="files_relabel_all_non_security_file_types" lineno="7851"> +<interface name="files_relabel_all_non_security_file_types" lineno="7944"> <summary> Allow relabel from and to non-security types </summary> @@ -64682,7 +64874,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_manage_all_non_security_file_types" lineno="7881"> +<interface name="files_manage_all_non_security_file_types" lineno="7974"> <summary> Manage non-security-sensitive resource types </summary> 
@@ -64693,7 +64885,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="files_relabel_all_pidfiles" lineno="7903"> +<interface name="files_relabel_all_pidfiles" lineno="7996"> <summary> Allow relabeling from and to any pidfile associated type </summary> @@ -65073,7 +65265,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_binfmt_misc_dirs" lineno="616"> +<interface name="fs_getattr_binfmt_misc_fs" lineno="615"> +<summary> +Get the attributes of binfmt_misc filesystems. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_getattr_binfmt_misc_dirs" lineno="634"> <summary> Get the attributes of directories on binfmt_misc filesystems. @@ -65084,7 +65286,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_register_binary_executable_type" lineno="652"> +<interface name="fs_check_write_binfmt_misc_dirs" lineno="654"> +<summary> +Check for permissions using access(2) of directories on +binfmt_misc filesystems. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_register_binary_executable_type" lineno="689"> <summary> Register an interpreter for new binary file types, using the kernel binfmt_misc @@ -65111,7 +65324,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mount_bpf" lineno="672"> +<interface name="fs_mount_bpf" lineno="709"> <summary> Mount a bpf filesystem. </summary> @@ -65121,7 +65334,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_bpf_dirs" lineno="690"> +<interface name="fs_create_bpf_dirs" lineno="727"> <summary> Create bpf directories. </summary> 
@@ -65131,7 +65344,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_bpf_files" lineno="708"> +<interface name="fs_manage_bpf_files" lineno="745"> <summary> Manage bpf files. </summary> @@ -65141,7 +65354,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_cgroup" lineno="726"> +<interface name="fs_manage_bpf_symlinks" lineno="763"> +<summary> +Manage bpf symlinks. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_mount_cgroup" lineno="781"> <summary> Mount cgroup filesystems. </summary> @@ -65151,7 +65374,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_cgroup" lineno="744"> +<interface name="fs_remount_cgroup" lineno="799"> <summary> Remount cgroup filesystems. </summary> @@ -65161,7 +65384,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_cgroup" lineno="762"> +<interface name="fs_unmount_cgroup" lineno="817"> <summary> Unmount cgroup filesystems. </summary> @@ -65171,7 +65394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_cgroup" lineno="780"> +<interface name="fs_getattr_cgroup" lineno="835"> <summary> Get attributes of cgroup filesystems. </summary> @@ -65181,7 +65404,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_cgroup_dirs" lineno="798"> +<interface name="fs_search_cgroup_dirs" lineno="853"> <summary> Search cgroup directories. </summary> @@ -65191,7 +65414,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_cgroup_dirs" lineno="817"> +<interface name="fs_list_cgroup_dirs" lineno="872"> <summary> list cgroup directories. </summary> 
@@ -65201,7 +65424,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_ioctl_cgroup_dirs" lineno="836"> +<interface name="fs_ioctl_cgroup_dirs" lineno="891"> <summary> Ioctl cgroup directories. </summary> @@ -65211,7 +65434,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_cgroup_dirs" lineno="855"> +<interface name="fs_create_cgroup_dirs" lineno="910"> <summary> Create cgroup directories. </summary> @@ -65221,7 +65444,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_delete_cgroup_dirs" lineno="874"> +<interface name="fs_delete_cgroup_dirs" lineno="929"> <summary> Delete cgroup directories. </summary> @@ -65231,7 +65454,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_cgroup_dirs" lineno="893"> +<interface name="fs_manage_cgroup_dirs" lineno="948"> <summary> Manage cgroup directories. </summary> @@ -65241,7 +65464,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_cgroup_dirs" lineno="913"> +<interface name="fs_relabel_cgroup_dirs" lineno="968"> <summary> Relabel cgroup directories. </summary> @@ -65251,7 +65474,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_cgroup_files" lineno="931"> +<interface name="fs_getattr_cgroup_files" lineno="986"> <summary> Get attributes of cgroup files. </summary> @@ -65261,7 +65484,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cgroup_files" lineno="951"> +<interface name="fs_read_cgroup_files" lineno="1006"> <summary> Read cgroup files. </summary> @@ -65271,7 +65494,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_cgroup_files" lineno="972"> +<interface name="fs_create_cgroup_files" lineno="1027"> <summary> Create cgroup files. </summary> 
@@ -65281,7 +65504,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_cgroup_files" lineno="992"> +<interface name="fs_watch_cgroup_files" lineno="1047"> <summary> Watch cgroup files. </summary> @@ -65291,7 +65514,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_cgroup_links" lineno="1011"> +<interface name="fs_read_cgroup_symlinks" lineno="1066"> +<summary> +Read cgroup symlnks. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_create_cgroup_links" lineno="1085"> <summary> Create cgroup lnk_files. </summary> @@ -65301,7 +65534,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_write_cgroup_files" lineno="1031"> +<interface name="fs_write_cgroup_files" lineno="1105"> <summary> Write cgroup files. </summary> @@ -65311,7 +65544,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_cgroup_files" lineno="1050"> +<interface name="fs_rw_cgroup_files" lineno="1124"> <summary> Read and write cgroup files. </summary> @@ -65321,7 +65554,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_rw_cgroup_files" lineno="1072"> +<interface name="fs_dontaudit_rw_cgroup_files" lineno="1146"> <summary> Do not audit attempts to open, get attributes, read and write @@ -65333,7 +65566,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_cgroup_files" lineno="1090"> +<interface name="fs_manage_cgroup_files" lineno="1164"> <summary> Manage cgroup files. </summary> @@ -65343,7 +65576,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_cgroup_symlinks" lineno="1110"> +<interface name="fs_relabel_cgroup_symlinks" lineno="1184"> <summary> Relabel cgroup symbolic links. </summary> 
@@ -65353,7 +65586,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_cgroup_dirs" lineno="1128"> +<interface name="fs_watch_cgroup_dirs" lineno="1202"> <summary> Watch cgroup directories. </summary> @@ -65363,7 +65596,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_cgroup" lineno="1146"> +<interface name="fs_mounton_cgroup" lineno="1220"> <summary> Mount on cgroup directories. </summary> @@ -65373,7 +65606,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_cgroup_files" lineno="1164"> +<interface name="fs_mounton_cgroup_files" lineno="1238"> <summary> Mount on cgroup files. </summary> @@ -65383,7 +65616,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_cgroup_filetrans" lineno="1198"> +<interface name="fs_cgroup_filetrans" lineno="1272"> <summary> Create an object in a cgroup tmpfs filesystem, with a private type using a type transition. @@ -65409,7 +65642,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1229"> +<interface name="fs_cgroup_filetrans_memory_pressure" lineno="1303"> <summary> Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t type using a type transition. @@ -65430,7 +65663,17 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_watch_memory_pressure" lineno="1247"> +<interface name="fs_getattr_memory_pressure" lineno="1321"> +<summary> +Get the attributes of cgroup's memory.pressure files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_watch_memory_pressure" lineno="1339"> <summary> Allow managing a cgroup's memory.pressure file to get notifications </summary> 
@@ -65440,7 +65683,7 @@ Source domain </summary> </param> </interface> -<interface name="fs_dontaudit_list_cifs_dirs" lineno="1266"> +<interface name="fs_dontaudit_list_cifs_dirs" lineno="1358"> <summary> Do not audit attempts to read dirs on a CIFS or SMB filesystem. @@ -65451,7 +65694,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mount_cifs" lineno="1284"> +<interface name="fs_mount_cifs" lineno="1376"> <summary> Mount a CIFS or SMB network filesystem. </summary> @@ -65461,7 +65704,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_cifs" lineno="1303"> +<interface name="fs_remount_cifs" lineno="1395"> <summary> Remount a CIFS or SMB network filesystem. This allows some mount options to be changed. @@ -65472,7 +65715,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_cifs" lineno="1321"> +<interface name="fs_unmount_cifs" lineno="1413"> <summary> Unmount a CIFS or SMB network filesystem. </summary> @@ -65482,7 +65725,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_cifs" lineno="1341"> +<interface name="fs_getattr_cifs" lineno="1433"> <summary> Get the attributes of a CIFS or SMB network filesystem. @@ -65494,7 +65737,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_search_cifs" lineno="1359"> +<interface name="fs_search_cifs" lineno="1451"> <summary> Search directories on a CIFS or SMB filesystem. </summary> @@ -65504,7 +65747,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_cifs" lineno="1378"> +<interface name="fs_list_cifs" lineno="1470"> <summary> List the contents of directories on a CIFS or SMB filesystem. 
@@ -65515,7 +65758,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_cifs" lineno="1397"> +<interface name="fs_dontaudit_list_cifs" lineno="1489"> <summary> Do not audit attempts to list the contents of directories on a CIFS or SMB filesystem. @@ -65526,7 +65769,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mounton_cifs" lineno="1415"> +<interface name="fs_mounton_cifs" lineno="1507"> <summary> Mounton a CIFS filesystem. </summary> @@ -65536,7 +65779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_files" lineno="1434"> +<interface name="fs_read_cifs_files" lineno="1526"> <summary> Read files on a CIFS or SMB filesystem. </summary> @@ -65547,7 +65790,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_all_inherited_image_files" lineno="1454"> +<interface name="fs_read_all_inherited_image_files" lineno="1546"> <summary> Read all inherited filesystem image files. </summary> @@ -65558,7 +65801,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_all_image_files" lineno="1473"> +<interface name="fs_read_all_image_files" lineno="1565"> <summary> Read all filesystem image files. </summary> @@ -65569,7 +65812,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_read_all_image_files" lineno="1492"> +<interface name="fs_mmap_read_all_image_files" lineno="1584"> <summary> Mmap-read all filesystem image files. </summary> @@ -65580,7 +65823,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_rw_all_image_files" lineno="1511"> +<interface name="fs_rw_all_image_files" lineno="1603"> <summary> Read and write all filesystem image files. </summary> 
@@ -65591,7 +65834,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_rw_all_image_files" lineno="1530"> +<interface name="fs_mmap_rw_all_image_files" lineno="1622"> <summary> Mmap-Read-write all filesystem image files. </summary> @@ -65602,7 +65845,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_write_all_image_files" lineno="1549"> +<interface name="fs_dontaudit_write_all_image_files" lineno="1641"> <summary> Do not audit attempts to write all filesystem image files. </summary> @@ -65613,7 +65856,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_noxattr_fs" lineno="1569"> +<interface name="fs_getattr_noxattr_fs" lineno="1661"> <summary> Get the attributes of filesystems that do not have extended attribute support. @@ -65625,7 +65868,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_list_noxattr_fs" lineno="1587"> +<interface name="fs_list_noxattr_fs" lineno="1679"> <summary> Read all noxattrfs directories. </summary> @@ -65635,7 +65878,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_noxattr_fs" lineno="1606"> +<interface name="fs_dontaudit_list_noxattr_fs" lineno="1698"> <summary> Do not audit attempts to list all noxattrfs directories. @@ -65646,7 +65889,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_dirs" lineno="1624"> +<interface name="fs_manage_noxattr_fs_dirs" lineno="1716"> <summary> Create, read, write, and delete all noxattrfs directories. </summary> @@ -65656,7 +65899,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_noxattr_fs_files" lineno="1642"> +<interface name="fs_read_noxattr_fs_files" lineno="1734"> <summary> Read all noxattrfs files. </summary> 
@@ -65666,7 +65909,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1662"> +<interface name="fs_dontaudit_read_noxattr_fs_files" lineno="1754"> <summary> Do not audit attempts to read all noxattrfs files. @@ -65677,7 +65920,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1680"> +<interface name="fs_dontaudit_write_noxattr_fs_files" lineno="1772"> <summary> Dont audit attempts to write to noxattrfs files. </summary> @@ -65687,7 +65930,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_files" lineno="1698"> +<interface name="fs_manage_noxattr_fs_files" lineno="1790"> <summary> Create, read, write, and delete all noxattrfs files. </summary> @@ -65697,7 +65940,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_noxattr_fs_symlinks" lineno="1717"> +<interface name="fs_read_noxattr_fs_symlinks" lineno="1809"> <summary> Read all noxattrfs symbolic links. </summary> @@ -65707,7 +65950,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_noxattr_fs_symlinks" lineno="1736"> +<interface name="fs_manage_noxattr_fs_symlinks" lineno="1828"> <summary> Manage all noxattrfs symbolic links. </summary> @@ -65717,7 +65960,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_noxattr_fs" lineno="1756"> +<interface name="fs_relabelfrom_noxattr_fs" lineno="1848"> <summary> Relabel all objects from filesystems that do not support extended attributes. @@ -65728,7 +65971,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_cifs_files" lineno="1782"> +<interface name="fs_dontaudit_read_cifs_files" lineno="1874"> <summary> Do not audit attempts to read files on a CIFS or SMB filesystem. 
@@ -65739,7 +65982,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_append_cifs_files" lineno="1802"> +<interface name="fs_append_cifs_files" lineno="1894"> <summary> Append files on a CIFS filesystem. @@ -65751,7 +65994,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_append_cifs_files" lineno="1822"> +<interface name="fs_dontaudit_append_cifs_files" lineno="1914"> <summary> dontaudit Append files on a CIFS filesystem. @@ -65763,7 +66006,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_rw_cifs_files" lineno="1841"> +<interface name="fs_dontaudit_rw_cifs_files" lineno="1933"> <summary> Do not audit attempts to read or write files on a CIFS or SMB filesystem. @@ -65774,7 +66017,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_read_cifs_symlinks" lineno="1859"> +<interface name="fs_read_cifs_symlinks" lineno="1951"> <summary> Read symbolic links on a CIFS or SMB filesystem. </summary> @@ -65784,7 +66027,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_named_pipes" lineno="1879"> +<interface name="fs_read_cifs_named_pipes" lineno="1971"> <summary> Read named pipes on a CIFS or SMB network filesystem. @@ -65795,7 +66038,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_cifs_named_sockets" lineno="1898"> +<interface name="fs_read_cifs_named_sockets" lineno="1990"> <summary> Read named sockets on a CIFS or SMB network filesystem. @@ -65806,7 +66049,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_exec_cifs_files" lineno="1919"> +<interface name="fs_exec_cifs_files" lineno="2011"> <summary> Execute files on a CIFS or SMB network filesystem, in the caller 
@@ -65819,7 +66062,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_cifs_dirs" lineno="1940"> +<interface name="fs_manage_cifs_dirs" lineno="2032"> <summary> Create, read, write, and delete directories on a CIFS or SMB network filesystem. @@ -65831,7 +66074,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_cifs_dirs" lineno="1960"> +<interface name="fs_dontaudit_manage_cifs_dirs" lineno="2052"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -65843,7 +66086,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_cifs_files" lineno="1980"> +<interface name="fs_manage_cifs_files" lineno="2072"> <summary> Create, read, write, and delete files on a CIFS or SMB network filesystem. @@ -65855,7 +66098,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_cifs_files" lineno="2000"> +<interface name="fs_dontaudit_manage_cifs_files" lineno="2092"> <summary> Do not audit attempts to create, read, write, and delete files @@ -65867,7 +66110,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_cifs_symlinks" lineno="2019"> +<interface name="fs_manage_cifs_symlinks" lineno="2111"> <summary> Create, read, write, and delete symbolic links on a CIFS or SMB network filesystem. @@ -65878,7 +66121,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_cifs_named_pipes" lineno="2038"> +<interface name="fs_manage_cifs_named_pipes" lineno="2130"> <summary> Create, read, write, and delete named pipes on a CIFS or SMB network filesystem. 
@@ -65889,7 +66132,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_cifs_named_sockets" lineno="2057"> +<interface name="fs_manage_cifs_named_sockets" lineno="2149"> <summary> Create, read, write, and delete named sockets on a CIFS or SMB network filesystem. @@ -65900,7 +66143,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_cifs_domtrans" lineno="2100"> +<interface name="fs_cifs_domtrans" lineno="2192"> <summary> Execute a file on a CIFS or SMB filesystem in the specified domain. @@ -65935,7 +66178,7 @@ The type of the new process. </summary> </param> </interface> -<interface name="fs_manage_configfs_dirs" lineno="2120"> +<interface name="fs_manage_configfs_dirs" lineno="2212"> <summary> Create, read, write, and delete dirs on a configfs filesystem. @@ -65946,7 +66189,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_configfs_files" lineno="2139"> +<interface name="fs_manage_configfs_files" lineno="2231"> <summary> Create, read, write, and delete files on a configfs filesystem. @@ -65957,7 +66200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_dos_fs" lineno="2158"> +<interface name="fs_mount_dos_fs" lineno="2250"> <summary> Mount a DOS filesystem, such as FAT32 or NTFS. @@ -65968,7 +66211,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_dos_fs" lineno="2178"> +<interface name="fs_remount_dos_fs" lineno="2270"> <summary> Remount a DOS filesystem, such as FAT32 or NTFS. This allows @@ -65980,7 +66223,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_dos_fs" lineno="2197"> +<interface name="fs_unmount_dos_fs" lineno="2289"> <summary> Unmount a DOS filesystem, such as FAT32 or NTFS. 
@@ -65991,7 +66234,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_dos_fs" lineno="2217"> +<interface name="fs_getattr_dos_fs" lineno="2309"> <summary> Get the attributes of a DOS filesystem, such as FAT32 or NTFS. @@ -66003,7 +66246,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_relabelfrom_dos_fs" lineno="2236"> +<interface name="fs_relabelfrom_dos_fs" lineno="2328"> <summary> Allow changing of the label of a DOS filesystem using the context= mount option. @@ -66014,7 +66257,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_dos_dirs" lineno="2254"> +<interface name="fs_getattr_dos_dirs" lineno="2346"> <summary> Get attributes of directories on a dosfs filesystem. </summary> @@ -66024,7 +66267,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_dos" lineno="2272"> +<interface name="fs_search_dos" lineno="2364"> <summary> Search dosfs filesystem. </summary> @@ -66034,7 +66277,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_dos" lineno="2290"> +<interface name="fs_list_dos" lineno="2382"> <summary> List dirs DOS filesystem. </summary> @@ -66044,7 +66287,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_dos_dirs" lineno="2309"> +<interface name="fs_manage_dos_dirs" lineno="2401"> <summary> Create, read, write, and delete dirs on a DOS filesystem. @@ -66055,7 +66298,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_dos_files" lineno="2327"> +<interface name="fs_read_dos_files" lineno="2419"> <summary> Read files on a DOS filesystem. </summary> @@ -66065,7 +66308,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mmap_read_dos_files" lineno="2345"> +<interface name="fs_mmap_read_dos_files" lineno="2437"> <summary> Read and map files on a DOS filesystem. </summary> 
@@ -66075,7 +66318,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_dos_files" lineno="2365"> +<interface name="fs_manage_dos_files" lineno="2457"> <summary> Create, read, write, and delete files on a DOS filesystem. @@ -66086,7 +66329,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_ecryptfs" lineno="2383"> +<interface name="fs_list_ecryptfs" lineno="2475"> <summary> Read symbolic links on an eCryptfs filesystem. </summary> @@ -66096,7 +66339,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ecryptfs_dirs" lineno="2404"> +<interface name="fs_manage_ecryptfs_dirs" lineno="2496"> <summary> Create, read, write, and delete directories on an eCryptfs filesystem. @@ -66108,7 +66351,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_ecryptfs_files" lineno="2424"> +<interface name="fs_manage_ecryptfs_files" lineno="2516"> <summary> Create, read, write, and delete files on an eCryptfs filesystem. @@ -66120,7 +66363,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_ecryptfs_named_sockets" lineno="2443"> +<interface name="fs_manage_ecryptfs_named_sockets" lineno="2535"> <summary> Create, read, write, and delete named sockets on an eCryptfs filesystem. @@ -66131,7 +66374,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_efivarfs" lineno="2461"> +<interface name="fs_getattr_efivarfs" lineno="2553"> <summary> Get the attributes of efivarfs filesystems. </summary> @@ -66141,7 +66384,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_efivars" lineno="2479"> +<interface name="fs_list_efivars" lineno="2571"> <summary> List dirs in efivarfs filesystem. </summary> 
@@ -66151,7 +66394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_efivarfs_files" lineno="2499"> +<interface name="fs_read_efivarfs_files" lineno="2591"> <summary> Read files in efivarfs - contains Linux Kernel configuration options for UEFI systems @@ -66163,7 +66406,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_efivarfs_files" lineno="2519"> +<interface name="fs_setattr_efivarfs_files" lineno="2611"> <summary> Set the attributes of files in efivarfs - contains Linux Kernel configuration options for UEFI systems @@ -66175,7 +66418,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_efivarfs_files" lineno="2539"> +<interface name="fs_manage_efivarfs_files" lineno="2631"> <summary> Create, read, write, and delete files on a efivarfs filesystem. @@ -66187,7 +66430,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_fusefs" lineno="2557"> +<interface name="fs_getattr_fusefs" lineno="2649"> <summary> stat a FUSE filesystem </summary> @@ -66197,7 +66440,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_fusefs" lineno="2575"> +<interface name="fs_mount_fusefs" lineno="2667"> <summary> Mount a FUSE filesystem. </summary> @@ -66207,7 +66450,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_fusefs" lineno="2593"> +<interface name="fs_unmount_fusefs" lineno="2685"> <summary> Unmount a FUSE filesystem. </summary> @@ -66217,7 +66460,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_fusefs" lineno="2611"> +<interface name="fs_remount_fusefs" lineno="2703"> <summary> Remount a FUSE filesystem. </summary> 
@@ -66227,7 +66470,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_fusefs" lineno="2629"> +<interface name="fs_mounton_fusefs" lineno="2721"> <summary> Mounton a FUSEFS filesystem. </summary> @@ -66237,7 +66480,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_fusefs_entry_type" lineno="2648"> +<interface name="fs_mounton_fusefs_files" lineno="2739"> +<summary> +Mount on files on a FUSEFS filesystem. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_fusefs_entry_type" lineno="2758"> <summary> Make FUSEFS files an entrypoint for the specified domain. @@ -66248,7 +66501,7 @@ The domain for which fusefs_t is an entrypoint. </summary> </param> </interface> -<interface name="fs_fusefs_domtrans" lineno="2681"> +<interface name="fs_fusefs_domtrans" lineno="2791"> <summary> Execute FUSEFS files in a specified domain. </summary> @@ -66273,7 +66526,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="fs_search_fusefs" lineno="2701"> +<interface name="fs_search_fusefs" lineno="2811"> <summary> Search directories on a FUSEFS filesystem. @@ -66285,7 +66538,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_list_fusefs" lineno="2721"> +<interface name="fs_list_fusefs" lineno="2831"> <summary> List the contents of directories on a FUSEFS filesystem. @@ -66297,7 +66550,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_list_fusefs" lineno="2740"> +<interface name="fs_dontaudit_list_fusefs" lineno="2850"> <summary> Do not audit attempts to list the contents of directories on a FUSEFS filesystem. 
@@ -66308,7 +66561,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_setattr_fusefs_dirs" lineno="2760"> +<interface name="fs_setattr_fusefs_dirs" lineno="2870"> <summary> Set the attributes of directories on a FUSEFS filesystem. @@ -66320,7 +66573,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_dirs" lineno="2780"> +<interface name="fs_manage_fusefs_dirs" lineno="2890"> <summary> Create, read, write, and delete directories on a FUSEFS filesystem. @@ -66332,7 +66585,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2800"> +<interface name="fs_dontaudit_manage_fusefs_dirs" lineno="2910"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -66344,7 +66597,17 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_fusefs_files" lineno="2820"> +<interface name="fs_watch_fusefs_dirs" lineno="2928"> +<summary> +Watch directories on a FUSEFS filesystem. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_getattr_fusefs_files" lineno="2948"> <summary> Get the attributes of files on a FUSEFS filesystem. @@ -66356,7 +66619,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_fusefs_files" lineno="2839"> +<interface name="fs_read_fusefs_files" lineno="2967"> <summary> Read, a FUSEFS filesystem. </summary> @@ -66367,7 +66630,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_exec_fusefs_files" lineno="2858"> +<interface name="fs_exec_fusefs_files" lineno="2986"> <summary> Execute files on a FUSEFS filesystem. </summary> 
@@ -66378,7 +66641,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_files" lineno="2878"> +<interface name="fs_setattr_fusefs_files" lineno="3006"> <summary> Set the attributes of files on a FUSEFS filesystem. @@ -66390,7 +66653,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_files" lineno="2898"> +<interface name="fs_manage_fusefs_files" lineno="3026"> <summary> Create, read, write, and delete files on a FUSEFS filesystem. @@ -66402,7 +66665,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_fusefs_files" lineno="2918"> +<interface name="fs_dontaudit_manage_fusefs_files" lineno="3046"> <summary> Do not audit attempts to create, read, write, and delete files @@ -66414,7 +66677,17 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_fusefs_symlinks" lineno="2938"> +<interface name="fs_watch_fusefs_files" lineno="3064"> +<summary> +Watch files on a FUSEFS filesystem. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="fs_getattr_fusefs_symlinks" lineno="3084"> <summary> Get the attributes of symlinks on a FUSEFS filesystem. @@ -66426,7 +66699,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_read_fusefs_symlinks" lineno="2956"> +<interface name="fs_read_fusefs_symlinks" lineno="3102"> <summary> Read symbolic links on a FUSEFS filesystem. </summary> @@ -66436,7 +66709,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_setattr_fusefs_symlinks" lineno="2977"> +<interface name="fs_setattr_fusefs_symlinks" lineno="3123"> <summary> Set the attributes of symlinks on a FUSEFS filesystem. 
@@ -66448,7 +66721,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_symlinks" lineno="2996"> +<interface name="fs_manage_fusefs_symlinks" lineno="3142"> <summary> Manage symlinks on a FUSEFS filesystem. </summary> @@ -66459,7 +66732,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_fifo_files" lineno="3016"> +<interface name="fs_getattr_fusefs_fifo_files" lineno="3162"> <summary> Get the attributes of named pipes on a FUSEFS filesystem. @@ -66471,7 +66744,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_fifo_files" lineno="3036"> +<interface name="fs_setattr_fusefs_fifo_files" lineno="3182"> <summary> Set the attributes of named pipes on a FUSEFS filesystem. @@ -66483,7 +66756,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_fifo_files" lineno="3056"> +<interface name="fs_manage_fusefs_fifo_files" lineno="3202"> <summary> Manage named pipes on a FUSEFS filesystem. @@ -66495,7 +66768,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_sock_files" lineno="3076"> +<interface name="fs_getattr_fusefs_sock_files" lineno="3222"> <summary> Get the attributes of named sockets on a FUSEFS filesystem. @@ -66507,7 +66780,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_sock_files" lineno="3096"> +<interface name="fs_setattr_fusefs_sock_files" lineno="3242"> <summary> Set the attributes of named sockets on a FUSEFS filesystem. @@ -66519,7 +66792,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_sock_files" lineno="3116"> +<interface name="fs_manage_fusefs_sock_files" lineno="3262"> <summary> Manage named sockets on a FUSEFS filesystem. 
@@ -66531,7 +66804,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_fusefs_chr_files" lineno="3136"> +<interface name="fs_getattr_fusefs_chr_files" lineno="3282"> <summary> Get the attributes of character files on a FUSEFS filesystem. @@ -66543,7 +66816,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_setattr_fusefs_chr_files" lineno="3156"> +<interface name="fs_setattr_fusefs_chr_files" lineno="3302"> <summary> Set the attributes of character files on a FUSEFS filesystem. @@ -66555,7 +66828,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_fusefs_chr_files" lineno="3176"> +<interface name="fs_manage_fusefs_chr_files" lineno="3322"> <summary> Manage character files on a FUSEFS filesystem. @@ -66567,7 +66840,31 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_hugetlbfs" lineno="3195"> +<interface name="fs_create_fusefs_blk_files" lineno="3342"> +<summary> +Create block files on a FUSEFS +filesystem. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="fs_setattr_fusefs_blk_files" lineno="3362"> +<summary> +Set the attributes of block files on +a FUSEFS filesystem. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="fs_getattr_hugetlbfs" lineno="3381"> <summary> Get the attributes of an hugetlbfs filesystem. @@ -66578,7 +66875,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_hugetlbfs" lineno="3213"> +<interface name="fs_list_hugetlbfs" lineno="3399"> <summary> List hugetlbfs. </summary> 
@@ -66588,7 +66885,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_hugetlbfs_dirs" lineno="3231"> +<interface name="fs_manage_hugetlbfs_dirs" lineno="3417"> <summary> Manage hugetlbfs dirs. </summary> @@ -66598,7 +66895,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3249"> +<interface name="fs_rw_inherited_hugetlbfs_files" lineno="3435"> <summary> Read and write inherited hugetlbfs files. </summary> @@ -66608,7 +66905,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_hugetlbfs_files" lineno="3267"> +<interface name="fs_rw_hugetlbfs_files" lineno="3453"> <summary> Read and write hugetlbfs files. </summary> @@ -66618,7 +66915,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3285"> +<interface name="fs_mmap_rw_hugetlbfs_files" lineno="3471"> <summary> Read, map and write hugetlbfs files. </summary> @@ -66628,7 +66925,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_associate_hugetlbfs" lineno="3304"> +<interface name="fs_associate_hugetlbfs" lineno="3490"> <summary> Allow the type to associate to hugetlbfs filesystems. </summary> @@ -66638,7 +66935,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_search_inotifyfs" lineno="3322"> +<interface name="fs_search_inotifyfs" lineno="3508"> <summary> Search inotifyfs filesystem. </summary> @@ -66648,7 +66945,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_inotifyfs" lineno="3340"> +<interface name="fs_list_inotifyfs" lineno="3526"> <summary> List inotifyfs filesystem. </summary> 
@@ -66658,7 +66955,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_inotifyfs" lineno="3358"> +<interface name="fs_dontaudit_list_inotifyfs" lineno="3544"> <summary> Dontaudit List inotifyfs filesystem. </summary> @@ -66668,7 +66965,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_hugetlbfs_filetrans" lineno="3392"> +<interface name="fs_hugetlbfs_filetrans" lineno="3578"> <summary> Create an object in a hugetlbfs filesystem, with a private type using a type transition. @@ -66694,7 +66991,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_mount_iso9660_fs" lineno="3412"> +<interface name="fs_mount_iso9660_fs" lineno="3598"> <summary> Mount an iso9660 filesystem, which is usually used on CDs. @@ -66705,7 +67002,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_iso9660_fs" lineno="3432"> +<interface name="fs_remount_iso9660_fs" lineno="3618"> <summary> Remount an iso9660 filesystem, which is usually used on CDs. This allows @@ -66717,7 +67014,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_iso9660_fs" lineno="3451"> +<interface name="fs_relabelfrom_iso9660_fs" lineno="3637"> <summary> Allow changing of the label of a filesystem with iso9660 type @@ -66728,7 +67025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_iso9660_fs" lineno="3470"> +<interface name="fs_unmount_iso9660_fs" lineno="3656"> <summary> Unmount an iso9660 filesystem, which is usually used on CDs. @@ -66739,7 +67036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_iso9660_fs" lineno="3490"> +<interface name="fs_getattr_iso9660_fs" lineno="3676"> <summary> Get the attributes of an iso9660 filesystem, which is usually used on CDs. 
@@ -66751,7 +67048,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_iso9660_files" lineno="3509"> +<interface name="fs_getattr_iso9660_files" lineno="3695"> <summary> Get the attributes of files on an iso9660 filesystem, which is usually used on CDs. @@ -66762,7 +67059,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_iso9660_files" lineno="3529"> +<interface name="fs_read_iso9660_files" lineno="3715"> <summary> Read files on an iso9660 filesystem, which is usually used on CDs. @@ -66773,7 +67070,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_nfs" lineno="3549"> +<interface name="fs_mount_nfs" lineno="3735"> <summary> Mount a NFS filesystem. </summary> @@ -66783,7 +67080,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_nfs" lineno="3568"> +<interface name="fs_remount_nfs" lineno="3754"> <summary> Remount a NFS filesystem. This allows some mount options to be changed. @@ -66794,7 +67091,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nfs" lineno="3586"> +<interface name="fs_unmount_nfs" lineno="3772"> <summary> Unmount a NFS filesystem. </summary> @@ -66804,7 +67101,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfs" lineno="3605"> +<interface name="fs_getattr_nfs" lineno="3791"> <summary> Get the attributes of a NFS filesystem. </summary> @@ -66815,7 +67112,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_search_nfs" lineno="3623"> +<interface name="fs_search_nfs" lineno="3809"> <summary> Search directories on a NFS filesystem. </summary> @@ -66825,7 +67122,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_nfs" lineno="3641"> +<interface name="fs_list_nfs" lineno="3827"> <summary> List NFS filesystem. </summary> 
@@ -66835,7 +67132,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_nfs" lineno="3660"> +<interface name="fs_dontaudit_list_nfs" lineno="3846"> <summary> Do not audit attempts to list the contents of directories on a NFS filesystem. @@ -66846,7 +67143,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_watch_nfs_dirs" lineno="3679"> +<interface name="fs_watch_nfs_dirs" lineno="3865"> <summary> Add a watch on directories on an NFS filesystem. @@ -66857,7 +67154,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_nfs" lineno="3697"> +<interface name="fs_mounton_nfs" lineno="3883"> <summary> Mounton a NFS filesystem. </summary> @@ -66867,7 +67164,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_files" lineno="3716"> +<interface name="fs_read_nfs_files" lineno="3902"> <summary> Read files on a NFS filesystem. </summary> @@ -66878,7 +67175,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_read_nfs_files" lineno="3736"> +<interface name="fs_dontaudit_read_nfs_files" lineno="3922"> <summary> Do not audit attempts to read files on a NFS filesystem. @@ -66889,7 +67186,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_write_nfs_files" lineno="3754"> +<interface name="fs_write_nfs_files" lineno="3940"> <summary> Read files on a NFS filesystem. </summary> @@ -66899,7 +67196,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_exec_nfs_files" lineno="3774"> +<interface name="fs_exec_nfs_files" lineno="3960"> <summary> Execute files on a NFS filesystem. </summary> @@ -66910,7 +67207,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_append_nfs_files" lineno="3795"> +<interface name="fs_append_nfs_files" lineno="3981"> <summary> Append files on a NFS filesystem. 
@@ -66922,7 +67219,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_append_nfs_files" lineno="3815"> +<interface name="fs_dontaudit_append_nfs_files" lineno="4001"> <summary> dontaudit Append files on a NFS filesystem. @@ -66934,7 +67231,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_rw_nfs_files" lineno="3834"> +<interface name="fs_dontaudit_rw_nfs_files" lineno="4020"> <summary> Do not audit attempts to read or write files on a NFS filesystem. @@ -66945,7 +67242,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_watch_nfs_files" lineno="3852"> +<interface name="fs_watch_nfs_files" lineno="4038"> <summary> Add a watch on files on an NFS filesystem. </summary> @@ -66955,7 +67252,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_symlinks" lineno="3870"> +<interface name="fs_read_nfs_symlinks" lineno="4056"> <summary> Read symbolic links on a NFS filesystem. </summary> @@ -66965,7 +67262,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_nfs_symlinks" lineno="3889"> +<interface name="fs_dontaudit_read_nfs_symlinks" lineno="4075"> <summary> Dontaudit read symbolic links on a NFS filesystem. </summary> @@ -66975,7 +67272,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_read_nfs_named_sockets" lineno="3907"> +<interface name="fs_read_nfs_named_sockets" lineno="4093"> <summary> Read named sockets on a NFS filesystem. </summary> @@ -66985,7 +67282,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nfs_named_pipes" lineno="3926"> +<interface name="fs_read_nfs_named_pipes" lineno="4112"> <summary> Read named pipes on a NFS network filesystem. </summary> 
@@ -66996,7 +67293,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_getattr_rpc_dirs" lineno="3945"> +<interface name="fs_getattr_rpc_dirs" lineno="4131"> <summary> Get the attributes of directories of RPC file system pipes. @@ -67007,7 +67304,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_rpc" lineno="3964"> +<interface name="fs_search_rpc" lineno="4150"> <summary> Search directories of RPC file system pipes. </summary> @@ -67017,7 +67314,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_removable" lineno="3982"> +<interface name="fs_search_removable" lineno="4168"> <summary> Search removable storage directories. </summary> @@ -67027,7 +67324,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_removable" lineno="4000"> +<interface name="fs_dontaudit_list_removable" lineno="4186"> <summary> Do not audit attempts to list removable storage directories. </summary> @@ -67037,7 +67334,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_read_removable_files" lineno="4018"> +<interface name="fs_read_removable_files" lineno="4204"> <summary> Read removable storage files. </summary> @@ -67047,7 +67344,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_removable_files" lineno="4036"> +<interface name="fs_dontaudit_read_removable_files" lineno="4222"> <summary> Do not audit attempts to read removable storage files. </summary> @@ -67057,7 +67354,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_dontaudit_write_removable_files" lineno="4054"> +<interface name="fs_dontaudit_write_removable_files" lineno="4240"> <summary> Do not audit attempts to write removable storage files. </summary> 
@@ -67067,7 +67364,7 @@ Domain not to audit. </summary> </param> </interface> -<interface name="fs_read_removable_symlinks" lineno="4072"> +<interface name="fs_read_removable_symlinks" lineno="4258"> <summary> Read removable storage symbolic links. </summary> @@ -67077,7 +67374,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_removable_blk_files" lineno="4090"> +<interface name="fs_read_removable_blk_files" lineno="4276"> <summary> Read block nodes on removable filesystems. </summary> @@ -67087,7 +67384,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_removable_blk_files" lineno="4109"> +<interface name="fs_rw_removable_blk_files" lineno="4295"> <summary> Read and write block nodes on removable filesystems. </summary> @@ -67097,7 +67394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_rpc" lineno="4128"> +<interface name="fs_list_rpc" lineno="4314"> <summary> Read directories of RPC file system pipes. </summary> @@ -67107,7 +67404,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_files" lineno="4146"> +<interface name="fs_read_rpc_files" lineno="4332"> <summary> Read files of RPC file system pipes. </summary> @@ -67117,7 +67414,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_symlinks" lineno="4164"> +<interface name="fs_read_rpc_symlinks" lineno="4350"> <summary> Read symbolic links of RPC file system pipes. </summary> @@ -67127,7 +67424,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_rpc_sockets" lineno="4182"> +<interface name="fs_read_rpc_sockets" lineno="4368"> <summary> Read sockets of RPC file system pipes. </summary> 
@@ -67137,7 +67434,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_rpc_sockets" lineno="4200"> +<interface name="fs_rw_rpc_sockets" lineno="4386"> <summary> Read and write sockets of RPC file system pipes. </summary> @@ -67147,7 +67444,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_nfs_dirs" lineno="4220"> +<interface name="fs_manage_nfs_dirs" lineno="4406"> <summary> Create, read, write, and delete directories on a NFS filesystem. @@ -67159,7 +67456,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4240"> +<interface name="fs_dontaudit_manage_nfs_dirs" lineno="4426"> <summary> Do not audit attempts to create, read, write, and delete directories @@ -67171,7 +67468,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_nfs_files" lineno="4260"> +<interface name="fs_manage_nfs_files" lineno="4446"> <summary> Create, read, write, and delete files on a NFS filesystem. @@ -67183,7 +67480,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_nfs_files" lineno="4280"> +<interface name="fs_dontaudit_manage_nfs_files" lineno="4466"> <summary> Do not audit attempts to create, read, write, and delete files @@ -67195,7 +67492,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_nfs_symlinks" lineno="4300"> +<interface name="fs_manage_nfs_symlinks" lineno="4486"> <summary> Create, read, write, and delete symbolic links on a NFS network filesystem. @@ -67207,7 +67504,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_manage_nfs_named_pipes" lineno="4319"> +<interface name="fs_manage_nfs_named_pipes" lineno="4505"> <summary> Create, read, write, and delete named pipes on a NFS filesystem. 
@@ -67218,7 +67515,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_nfs_named_sockets" lineno="4338"> +<interface name="fs_manage_nfs_named_sockets" lineno="4524"> <summary> Create, read, write, and delete named sockets on a NFS filesystem. @@ -67229,7 +67526,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_nfs_domtrans" lineno="4381"> +<interface name="fs_nfs_domtrans" lineno="4567"> <summary> Execute a file on a NFS filesystem in the specified domain. @@ -67264,7 +67561,7 @@ The type of the new process. </summary> </param> </interface> -<interface name="fs_mount_nfsd_fs" lineno="4400"> +<interface name="fs_mount_nfsd_fs" lineno="4586"> <summary> Mount a NFS server pseudo filesystem. </summary> @@ -67274,7 +67571,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_nfsd_fs" lineno="4419"> +<interface name="fs_remount_nfsd_fs" lineno="4605"> <summary> Mount a NFS server pseudo filesystem. This allows some mount options to be changed. @@ -67285,7 +67582,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nfsd_fs" lineno="4437"> +<interface name="fs_unmount_nfsd_fs" lineno="4623"> <summary> Unmount a NFS server pseudo filesystem. </summary> @@ -67295,7 +67592,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfsd_fs" lineno="4456"> +<interface name="fs_getattr_nfsd_fs" lineno="4642"> <summary> Get the attributes of a NFS server pseudo filesystem. @@ -67306,7 +67603,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_nfsd_fs" lineno="4474"> +<interface name="fs_search_nfsd_fs" lineno="4660"> <summary> Search NFS server directories. </summary> 
@@ -67316,7 +67613,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_nfsd_fs" lineno="4492"> +<interface name="fs_list_nfsd_fs" lineno="4678"> <summary> List NFS server directories. </summary> @@ -67326,7 +67623,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_nfsd_dirs" lineno="4510"> +<interface name="fs_watch_nfsd_dirs" lineno="4696"> <summary> Watch NFS server directories. </summary> @@ -67336,7 +67633,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nfsd_files" lineno="4528"> +<interface name="fs_getattr_nfsd_files" lineno="4714"> <summary> Getattr files on an nfsd filesystem </summary> @@ -67346,7 +67643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_nfsd_fs" lineno="4546"> +<interface name="fs_rw_nfsd_fs" lineno="4732"> <summary> Read and write NFS server files. </summary> @@ -67356,7 +67653,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nsfs_files" lineno="4564"> +<interface name="fs_getattr_nsfs_files" lineno="4750"> <summary> Get the attributes of nsfs inodes (e.g. /proc/pid/ns/uts) </summary> @@ -67366,7 +67663,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_nsfs_files" lineno="4582"> +<interface name="fs_read_nsfs_files" lineno="4768"> <summary> Read nsfs inodes (e.g. /proc/pid/ns/uts) </summary> @@ -67376,7 +67673,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_nfsd_files" lineno="4600"> +<interface name="fs_watch_nfsd_files" lineno="4786"> <summary> Watch NFS server files. </summary> @@ -67386,7 +67683,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_nsfs" lineno="4618"> +<interface name="fs_getattr_nsfs" lineno="4804"> <summary> Get the attributes of an nsfs filesystem. </summary> 
@@ -67396,7 +67693,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_nsfs" lineno="4636"> +<interface name="fs_unmount_nsfs" lineno="4822"> <summary> Unmount an nsfs filesystem. </summary> @@ -67406,7 +67703,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_pstorefs" lineno="4654"> +<interface name="fs_getattr_pstorefs" lineno="4840"> <summary> Get the attributes of a pstore filesystem. </summary> @@ -67416,7 +67713,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_pstore_dirs" lineno="4673"> +<interface name="fs_getattr_pstore_dirs" lineno="4859"> <summary> Get the attributes of directories of a pstore filesystem. @@ -67427,7 +67724,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_pstore_dirs" lineno="4692"> +<interface name="fs_create_pstore_dirs" lineno="4878"> <summary> Create pstore directories. </summary> @@ -67437,7 +67734,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_pstore_dirs" lineno="4711"> +<interface name="fs_relabel_pstore_dirs" lineno="4897"> <summary> Relabel to/from pstore_t directories. </summary> @@ -67447,7 +67744,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_pstore_dirs" lineno="4730"> +<interface name="fs_list_pstore_dirs" lineno="4916"> <summary> List the directories of a pstore filesystem. @@ -67458,7 +67755,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_pstore_files" lineno="4749"> +<interface name="fs_read_pstore_files" lineno="4935"> <summary> Read pstore_t files </summary> @@ -67468,7 +67765,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_delete_pstore_files" lineno="4768"> +<interface name="fs_delete_pstore_files" lineno="4954"> <summary> Delete the files of a pstore filesystem. 
@@ -67479,7 +67776,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_associate_ramfs" lineno="4787"> +<interface name="fs_associate_ramfs" lineno="4973"> <summary> Allow the type to associate to ramfs filesystems. </summary> @@ -67489,7 +67786,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_mount_ramfs" lineno="4805"> +<interface name="fs_mount_ramfs" lineno="4991"> <summary> Mount a RAM filesystem. </summary> @@ -67499,7 +67796,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_ramfs" lineno="4824"> +<interface name="fs_remount_ramfs" lineno="5010"> <summary> Remount a RAM filesystem. This allows some mount options to be changed. @@ -67510,7 +67807,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_ramfs" lineno="4842"> +<interface name="fs_unmount_ramfs" lineno="5028"> <summary> Unmount a RAM filesystem. </summary> @@ -67520,7 +67817,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_ramfs" lineno="4860"> +<interface name="fs_getattr_ramfs" lineno="5046"> <summary> Get the attributes of a RAM filesystem. </summary> @@ -67530,7 +67827,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_ramfs" lineno="4878"> +<interface name="fs_search_ramfs" lineno="5064"> <summary> Search directories on a ramfs </summary> @@ -67540,7 +67837,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_search_ramfs" lineno="4896"> +<interface name="fs_dontaudit_search_ramfs" lineno="5082"> <summary> Dontaudit Search directories on a ramfs </summary> @@ -67550,7 +67847,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_setattr_ramfs_dirs" lineno="4915"> +<interface name="fs_setattr_ramfs_dirs" lineno="5101"> <summary> Set the attributes of directories on a ramfs. 
@@ -67561,7 +67858,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_dirs" lineno="4934"> +<interface name="fs_manage_ramfs_dirs" lineno="5120"> <summary> Create, read, write, and delete directories on a ramfs. @@ -67572,7 +67869,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_read_ramfs_files" lineno="4952"> +<interface name="fs_dontaudit_read_ramfs_files" lineno="5138"> <summary> Dontaudit read on a ramfs files. </summary> @@ -67582,7 +67879,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_read_ramfs_pipes" lineno="4970"> +<interface name="fs_dontaudit_read_ramfs_pipes" lineno="5156"> <summary> Dontaudit read on a ramfs fifo_files. </summary> @@ -67592,7 +67889,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_ramfs_files" lineno="4989"> +<interface name="fs_manage_ramfs_files" lineno="5175"> <summary> Create, read, write, and delete files on a ramfs filesystem. @@ -67603,7 +67900,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_write_ramfs_pipes" lineno="5007"> +<interface name="fs_write_ramfs_pipes" lineno="5193"> <summary> Write to named pipe on a ramfs filesystem. </summary> @@ -67613,7 +67910,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5026"> +<interface name="fs_dontaudit_write_ramfs_pipes" lineno="5212"> <summary> Do not audit attempts to write to named pipes on a ramfs filesystem. @@ -67624,7 +67921,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_rw_ramfs_pipes" lineno="5044"> +<interface name="fs_rw_ramfs_pipes" lineno="5230"> <summary> Read and write a named pipe on a ramfs filesystem. </summary> 
@@ -67634,7 +67931,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_pipes" lineno="5063"> +<interface name="fs_manage_ramfs_pipes" lineno="5249"> <summary> Create, read, write, and delete named pipes on a ramfs filesystem. @@ -67645,7 +67942,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_write_ramfs_sockets" lineno="5081"> +<interface name="fs_write_ramfs_sockets" lineno="5267"> <summary> Write to named socket on a ramfs filesystem. </summary> @@ -67655,7 +67952,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_ramfs_sockets" lineno="5100"> +<interface name="fs_manage_ramfs_sockets" lineno="5286"> <summary> Create, read, write, and delete named sockets on a ramfs filesystem. @@ -67666,7 +67963,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_romfs" lineno="5118"> +<interface name="fs_mount_romfs" lineno="5304"> <summary> Mount a ROM filesystem. </summary> @@ -67676,7 +67973,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_romfs" lineno="5137"> +<interface name="fs_remount_romfs" lineno="5323"> <summary> Remount a ROM filesystem. This allows some mount options to be changed. @@ -67687,7 +67984,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_romfs" lineno="5155"> +<interface name="fs_unmount_romfs" lineno="5341"> <summary> Unmount a ROM filesystem. </summary> @@ -67697,7 +67994,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_romfs" lineno="5174"> +<interface name="fs_getattr_romfs" lineno="5360"> <summary> Get the attributes of a ROM filesystem. @@ -67708,7 +68005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_rpc_pipefs" lineno="5192"> +<interface name="fs_mount_rpc_pipefs" lineno="5378"> <summary> Mount a RPC pipe filesystem. </summary> 
@@ -67718,7 +68015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_rpc_pipefs" lineno="5211"> +<interface name="fs_remount_rpc_pipefs" lineno="5397"> <summary> Remount a RPC pipe filesystem. This allows some mount option to be changed. @@ -67729,7 +68026,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_rpc_pipefs" lineno="5229"> +<interface name="fs_unmount_rpc_pipefs" lineno="5415"> <summary> Unmount a RPC pipe filesystem. </summary> @@ -67739,7 +68036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_rpc_pipefs" lineno="5248"> +<interface name="fs_getattr_rpc_pipefs" lineno="5434"> <summary> Get the attributes of a RPC pipe filesystem. @@ -67750,7 +68047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_rpc_named_pipes" lineno="5266"> +<interface name="fs_rw_rpc_named_pipes" lineno="5452"> <summary> Read and write RPC pipe filesystem named pipes. </summary> @@ -67760,7 +68057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_rpc_pipefs_dirs" lineno="5284"> +<interface name="fs_watch_rpc_pipefs_dirs" lineno="5470"> <summary> Watch RPC pipe filesystem directories. </summary> @@ -67770,7 +68067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_tmpfs" lineno="5302"> +<interface name="fs_mount_tmpfs" lineno="5488"> <summary> Mount a tmpfs filesystem. </summary> @@ -67780,7 +68077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_tmpfs" lineno="5320"> +<interface name="fs_remount_tmpfs" lineno="5506"> <summary> Remount a tmpfs filesystem. </summary> @@ -67790,7 +68087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_tmpfs" lineno="5338"> +<interface name="fs_unmount_tmpfs" lineno="5524"> <summary> Unmount a tmpfs filesystem. </summary> 
@@ -67800,7 +68097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs" lineno="5356"> +<interface name="fs_dontaudit_getattr_tmpfs" lineno="5542"> <summary> Do not audit getting the attributes of a tmpfs filesystem </summary> @@ -67810,7 +68107,7 @@ Domain to not audit </summary> </param> </interface> -<interface name="fs_getattr_tmpfs" lineno="5376"> +<interface name="fs_getattr_tmpfs" lineno="5562"> <summary> Get the attributes of a tmpfs filesystem. @@ -67822,7 +68119,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_associate_tmpfs" lineno="5394"> +<interface name="fs_associate_tmpfs" lineno="5580"> <summary> Allow the type to associate to tmpfs filesystems. </summary> @@ -67832,7 +68129,7 @@ The type of the object to be associated. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs" lineno="5412"> +<interface name="fs_relabelfrom_tmpfs" lineno="5598"> <summary> Relabel from tmpfs filesystem. </summary> @@ -67842,7 +68139,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tmpfs_dirs" lineno="5430"> +<interface name="fs_getattr_tmpfs_dirs" lineno="5616"> <summary> Get the attributes of tmpfs directories. </summary> @@ -67852,7 +68149,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5449"> +<interface name="fs_dontaudit_getattr_tmpfs_dirs" lineno="5635"> <summary> Do not audit attempts to get the attributes of tmpfs directories. @@ -67863,7 +68160,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mounton_tmpfs" lineno="5467"> +<interface name="fs_mounton_tmpfs" lineno="5653"> <summary> Mount on tmpfs directories. </summary> 
@@ -67873,7 +68170,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mounton_tmpfs_files" lineno="5485"> +<interface name="fs_mounton_tmpfs_files" lineno="5671"> <summary> Mount on tmpfs files. </summary> @@ -67883,7 +68180,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_setattr_tmpfs_dirs" lineno="5503"> +<interface name="fs_setattr_tmpfs_dirs" lineno="5689"> <summary> Set the attributes of tmpfs directories. </summary> @@ -67893,7 +68190,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_tmpfs" lineno="5521"> +<interface name="fs_search_tmpfs" lineno="5707"> <summary> Search tmpfs directories. </summary> @@ -67903,7 +68200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_tmpfs" lineno="5539"> +<interface name="fs_list_tmpfs" lineno="5725"> <summary> List the contents of generic tmpfs directories. </summary> @@ -67913,7 +68210,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_list_tmpfs" lineno="5558"> +<interface name="fs_dontaudit_list_tmpfs" lineno="5744"> <summary> Do not audit attempts to list the contents of generic tmpfs directories. @@ -67924,7 +68221,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_dirs" lineno="5577"> +<interface name="fs_manage_tmpfs_dirs" lineno="5763"> <summary> Create, read, write, and delete tmpfs directories @@ -67935,7 +68232,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5596"> +<interface name="fs_dontaudit_write_tmpfs_dirs" lineno="5782"> <summary> Do not audit attempts to write tmpfs directories 
@@ -67946,7 +68243,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5614"> +<interface name="fs_relabelfrom_tmpfs_dirs" lineno="5800"> <summary> Relabel from tmpfs_t dir </summary> @@ -67956,7 +68253,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_dirs" lineno="5632"> +<interface name="fs_relabel_tmpfs_dirs" lineno="5818"> <summary> Relabel directory on tmpfs filesystems. </summary> @@ -67966,7 +68263,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_watch_tmpfs_dirs" lineno="5649"> +<interface name="fs_watch_tmpfs_dirs" lineno="5835"> <summary> Watch directories on tmpfs filesystems. </summary> @@ -67976,7 +68273,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_tmpfs_filetrans" lineno="5683"> +<interface name="fs_tmpfs_filetrans" lineno="5869"> <summary> Create an object in a tmpfs filesystem, with a private type using a type transition. @@ -68002,7 +68299,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5703"> +<interface name="fs_dontaudit_getattr_tmpfs_files" lineno="5889"> <summary> Do not audit attempts to getattr generic tmpfs files. @@ -68013,7 +68310,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5722"> +<interface name="fs_dontaudit_rw_tmpfs_files" lineno="5908"> <summary> Do not audit attempts to read or write generic tmpfs files. @@ -68024,7 +68321,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_delete_tmpfs_symlinks" lineno="5740"> +<interface name="fs_delete_tmpfs_symlinks" lineno="5926"> <summary> Delete tmpfs symbolic links. </summary> 
@@ -68034,7 +68331,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_auto_mountpoints" lineno="5759"> +<interface name="fs_manage_auto_mountpoints" lineno="5945"> <summary> Create, read, write, and delete auto moutpoints. @@ -68045,7 +68342,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_tmpfs_files" lineno="5777"> +<interface name="fs_read_tmpfs_files" lineno="5963"> <summary> Read generic tmpfs files. </summary> @@ -68055,7 +68352,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_files" lineno="5795"> +<interface name="fs_rw_tmpfs_files" lineno="5981"> <summary> Read and write generic tmpfs files. </summary> @@ -68065,7 +68362,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_files" lineno="5813"> +<interface name="fs_relabel_tmpfs_files" lineno="5999"> <summary> Relabel files on tmpfs filesystems. </summary> @@ -68075,7 +68372,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_read_tmpfs_symlinks" lineno="5831"> +<interface name="fs_read_tmpfs_symlinks" lineno="6017"> <summary> Read tmpfs link files. </summary> @@ -68085,7 +68382,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_sockets" lineno="5849"> +<interface name="fs_relabelfrom_tmpfs_sockets" lineno="6035"> <summary> Relabelfrom socket files on tmpfs filesystems. </summary> @@ -68095,7 +68392,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="5867"> +<interface name="fs_relabelfrom_tmpfs_symlinks" lineno="6053"> <summary> Relabelfrom tmpfs link files. </summary> 
@@ -68105,7 +68402,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_chr_files" lineno="5885"> +<interface name="fs_rw_tmpfs_chr_files" lineno="6071"> <summary> Read and write character nodes on tmpfs filesystems. </summary> @@ -68115,7 +68412,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="5904"> +<interface name="fs_dontaudit_use_tmpfs_chr_dev" lineno="6090"> <summary> dontaudit Read and write character nodes on tmpfs filesystems. </summary> @@ -68125,7 +68422,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_chr_files" lineno="5923"> +<interface name="fs_relabel_tmpfs_chr_files" lineno="6109"> <summary> Relabel character nodes on tmpfs filesystems. </summary> @@ -68135,7 +68432,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tmpfs_blk_files" lineno="5942"> +<interface name="fs_rw_tmpfs_blk_files" lineno="6128"> <summary> Read and write block nodes on tmpfs filesystems. </summary> @@ -68145,7 +68442,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_blk_files" lineno="5961"> +<interface name="fs_relabel_tmpfs_blk_files" lineno="6147"> <summary> Relabel block nodes on tmpfs filesystems. </summary> @@ -68155,7 +68452,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_relabel_tmpfs_fifo_files" lineno="5980"> +<interface name="fs_relabel_tmpfs_fifo_files" lineno="6166"> <summary> Relabel named pipes on tmpfs filesystems. </summary> @@ -68165,7 +68462,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_files" lineno="6000"> +<interface name="fs_manage_tmpfs_files" lineno="6186"> <summary> Read and write, create and delete generic files on tmpfs filesystems. 
@@ -68176,7 +68473,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_symlinks" lineno="6019"> +<interface name="fs_manage_tmpfs_symlinks" lineno="6205"> <summary> Read and write, create and delete symbolic links on tmpfs filesystems. @@ -68187,7 +68484,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_sockets" lineno="6038"> +<interface name="fs_manage_tmpfs_sockets" lineno="6224"> <summary> Read and write, create and delete socket files on tmpfs filesystems. @@ -68198,7 +68495,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_chr_files" lineno="6057"> +<interface name="fs_manage_tmpfs_chr_files" lineno="6243"> <summary> Read and write, create and delete character nodes on tmpfs filesystems. @@ -68209,7 +68506,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_tmpfs_blk_files" lineno="6076"> +<interface name="fs_manage_tmpfs_blk_files" lineno="6262"> <summary> Read and write, create and delete block nodes on tmpfs filesystems. @@ -68220,7 +68517,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs" lineno="6094"> +<interface name="fs_getattr_tracefs" lineno="6280"> <summary> Get the attributes of a trace filesystem. </summary> @@ -68230,7 +68527,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs_dirs" lineno="6112"> +<interface name="fs_getattr_tracefs_dirs" lineno="6298"> <summary> Get attributes of dirs on tracefs filesystem. </summary> @@ -68240,7 +68537,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_tracefs" lineno="6130"> +<interface name="fs_search_tracefs" lineno="6316"> <summary> search directories on a tracefs filesystem </summary> 
@@ -68250,7 +68547,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_tracefs_files" lineno="6149"> +<interface name="fs_getattr_tracefs_files" lineno="6335"> <summary> Get the attributes of files on a trace filesystem. @@ -68261,7 +68558,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_rw_tracefs_files" lineno="6167"> +<interface name="fs_rw_tracefs_files" lineno="6353"> <summary> Read/write trace filesystem files </summary> @@ -68271,7 +68568,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_create_tracefs_dirs" lineno="6186"> +<interface name="fs_create_tracefs_dirs" lineno="6372"> <summary> create trace filesystem directories </summary> @@ -68281,7 +68578,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_mount_xenfs" lineno="6204"> +<interface name="fs_mount_xenfs" lineno="6390"> <summary> Mount a XENFS filesystem. </summary> @@ -68291,7 +68588,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_xenfs" lineno="6222"> +<interface name="fs_search_xenfs" lineno="6408"> <summary> Search the XENFS filesystem. </summary> @@ -68301,7 +68598,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_manage_xenfs_dirs" lineno="6242"> +<interface name="fs_manage_xenfs_dirs" lineno="6428"> <summary> Create, read, write, and delete directories on a XENFS filesystem. @@ -68313,7 +68610,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6262"> +<interface name="fs_dontaudit_manage_xenfs_dirs" lineno="6448"> <summary> Do not audit attempts to create, read, write, and delete directories 
@@ -68325,7 +68622,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_manage_xenfs_files" lineno="6282"> +<interface name="fs_manage_xenfs_files" lineno="6468"> <summary> Create, read, write, and delete files on a XENFS filesystem. @@ -68337,7 +68634,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_mmap_xenfs_files" lineno="6300"> +<interface name="fs_mmap_xenfs_files" lineno="6486"> <summary> Map files a XENFS filesystem. </summary> @@ -68347,7 +68644,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_manage_xenfs_files" lineno="6320"> +<interface name="fs_dontaudit_manage_xenfs_files" lineno="6506"> <summary> Do not audit attempts to create, read, write, and delete files @@ -68359,7 +68656,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_mount_all_fs" lineno="6338"> +<interface name="fs_mount_all_fs" lineno="6524"> <summary> Mount all filesystems. </summary> @@ -68369,7 +68666,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_remount_all_fs" lineno="6357"> +<interface name="fs_remount_all_fs" lineno="6543"> <summary> Remount all filesystems. This allows some mount options to be changed. @@ -68380,7 +68677,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unmount_all_fs" lineno="6375"> +<interface name="fs_unmount_all_fs" lineno="6561"> <summary> Unmount all filesystems. </summary> @@ -68390,7 +68687,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_fs" lineno="6407"> +<interface name="fs_getattr_all_fs" lineno="6593"> <summary> Get the attributes of all filesystems. </summary> 
@@ -68414,7 +68711,7 @@ Domain allowed access. <infoflow type="read" weight="5"/> <rolecap/> </interface> -<interface name="fs_dontaudit_getattr_all_fs" lineno="6427"> +<interface name="fs_dontaudit_getattr_all_fs" lineno="6613"> <summary> Do not audit attempts to get the attributes all filesystems. @@ -68425,7 +68722,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_get_all_fs_quotas" lineno="6446"> +<interface name="fs_get_all_fs_quotas" lineno="6632"> <summary> Get the quotas of all filesystems. </summary> @@ -68436,7 +68733,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_set_all_quotas" lineno="6465"> +<interface name="fs_set_all_quotas" lineno="6651"> <summary> Set the quotas of all filesystems. </summary> @@ -68447,7 +68744,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="fs_relabelfrom_all_fs" lineno="6483"> +<interface name="fs_relabelfrom_all_fs" lineno="6669"> <summary> Relabelfrom all filesystems. </summary> @@ -68457,7 +68754,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_dirs" lineno="6502"> +<interface name="fs_getattr_all_dirs" lineno="6688"> <summary> Get the attributes of all directories with a filesystem type. @@ -68468,7 +68765,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_search_all" lineno="6520"> +<interface name="fs_search_all" lineno="6706"> <summary> Search all directories with a filesystem type. </summary> @@ -68478,7 +68775,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_list_all" lineno="6538"> +<interface name="fs_list_all" lineno="6724"> <summary> List all directories with a filesystem type. </summary> 
@@ -68488,7 +68785,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_files" lineno="6557"> +<interface name="fs_getattr_all_files" lineno="6743"> <summary> Get the attributes of all files with a filesystem type. @@ -68499,7 +68796,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_files" lineno="6576"> +<interface name="fs_dontaudit_getattr_all_files" lineno="6762"> <summary> Do not audit attempts to get the attributes of all files with a filesystem type. @@ -68510,7 +68807,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_symlinks" lineno="6595"> +<interface name="fs_getattr_all_symlinks" lineno="6781"> <summary> Get the attributes of all symbolic links with a filesystem type. @@ -68521,7 +68818,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6614"> +<interface name="fs_dontaudit_getattr_all_symlinks" lineno="6800"> <summary> Do not audit attempts to get the attributes of all symbolic links with a filesystem type. @@ -68532,7 +68829,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_pipes" lineno="6633"> +<interface name="fs_getattr_all_pipes" lineno="6819"> <summary> Get the attributes of all named pipes with a filesystem type. @@ -68543,7 +68840,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_pipes" lineno="6652"> +<interface name="fs_dontaudit_getattr_all_pipes" lineno="6838"> <summary> Do not audit attempts to get the attributes of all named pipes with a filesystem type. @@ -68554,7 +68851,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_sockets" lineno="6671"> +<interface name="fs_getattr_all_sockets" lineno="6857"> <summary> Get the attributes of all named sockets with a filesystem type. 
@@ -68565,7 +68862,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_dontaudit_getattr_all_sockets" lineno="6690"> +<interface name="fs_dontaudit_getattr_all_sockets" lineno="6876"> <summary> Do not audit attempts to get the attributes of all named sockets with a filesystem type. @@ -68576,7 +68873,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="fs_getattr_all_blk_files" lineno="6709"> +<interface name="fs_getattr_all_blk_files" lineno="6895"> <summary> Get the attributes of all block device nodes with a filesystem type. @@ -68587,7 +68884,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_getattr_all_chr_files" lineno="6728"> +<interface name="fs_getattr_all_chr_files" lineno="6914"> <summary> Get the attributes of all character device nodes with a filesystem type. @@ -68598,7 +68895,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="fs_unconfined" lineno="6746"> +<interface name="fs_unconfined" lineno="6932"> <summary> Unconfined access to filesystems </summary> @@ -69746,7 +70043,18 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_unix_sysctls" lineno="2032"> +<interface name="kernel_mounton_net_sysctl_dirs" lineno="2031"> +<summary> +Allow caller to mount on network sysctl directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="kernel_read_unix_sysctls" lineno="2051"> <summary> Allow caller to read unix domain socket sysctls. @@ -69758,7 +70066,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_unix_sysctls" lineno="2054"> +<interface name="kernel_rw_unix_sysctls" lineno="2073"> <summary> Read and write unix domain socket sysctls. 
@@ -69770,7 +70078,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_hotplug_sysctls" lineno="2075"> +<interface name="kernel_read_hotplug_sysctls" lineno="2094"> <summary> Read the hotplug sysctl. </summary> @@ -69781,7 +70089,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_hotplug_sysctls" lineno="2096"> +<interface name="kernel_rw_hotplug_sysctls" lineno="2115"> <summary> Read and write the hotplug sysctl. </summary> @@ -69792,7 +70100,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_modprobe_sysctls" lineno="2117"> +<interface name="kernel_read_modprobe_sysctls" lineno="2136"> <summary> Read the modprobe sysctl. </summary> @@ -69803,7 +70111,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_modprobe_sysctls" lineno="2138"> +<interface name="kernel_rw_modprobe_sysctls" lineno="2157"> <summary> Read and write the modprobe sysctl. </summary> @@ -69814,7 +70122,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2158"> +<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2177"> <summary> Do not audit attempts to search generic kernel sysctls. </summary> @@ -69824,7 +70132,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2176"> +<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2195"> <summary> Do not audit attempted reading of kernel sysctls </summary> 
@@ -69834,7 +70142,18 @@ Domain to not audit accesses from </summary> </param> </interface> -<interface name="kernel_read_crypto_sysctls" lineno="2194"> +<interface name="kernel_mounton_kernel_sysctl_dirs" lineno="2214"> +<summary> +Allow caller to mount on kernel sysctl directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="kernel_read_crypto_sysctls" lineno="2232"> <summary> Read generic crypto sysctls. </summary> @@ -69844,7 +70163,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_kernel_sysctls" lineno="2235"> +<interface name="kernel_read_kernel_sysctls" lineno="2273"> <summary> Read general kernel sysctls. </summary> @@ -69876,7 +70195,7 @@ Domain allowed access. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2255"> +<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2293"> <summary> Do not audit attempts to write generic kernel sysctls. </summary> @@ -69886,7 +70205,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_kernel_sysctl" lineno="2274"> +<interface name="kernel_rw_kernel_sysctl" lineno="2312"> <summary> Read and write generic kernel sysctls. </summary> @@ -69897,7 +70216,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_mounton_kernel_sysctl_files" lineno="2295"> +<interface name="kernel_mounton_kernel_sysctl_files" lineno="2333"> <summary> Mount on kernel sysctl files. </summary> @@ -69908,7 +70227,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2315"> +<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2353"> <summary> Read kernel ns lastpid sysctls. </summary> 
@@ -69919,7 +70238,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2335"> +<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2373"> <summary> Do not audit attempts to write kernel ns lastpid sysctls. </summary> @@ -69929,7 +70248,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2354"> +<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2392"> <summary> Read and write kernel ns lastpid sysctls. </summary> @@ -69940,7 +70259,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_search_fs_sysctls" lineno="2375"> +<interface name="kernel_search_fs_sysctls" lineno="2413"> <summary> Search filesystem sysctl directories. </summary> @@ -69951,7 +70270,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_fs_sysctls" lineno="2394"> +<interface name="kernel_read_fs_sysctls" lineno="2432"> <summary> Read filesystem sysctls. </summary> @@ -69962,7 +70281,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_fs_sysctls" lineno="2415"> +<interface name="kernel_rw_fs_sysctls" lineno="2453"> <summary> Read and write filesystem sysctls. </summary> @@ -69973,7 +70292,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_irq_sysctls" lineno="2436"> +<interface name="kernel_read_irq_sysctls" lineno="2474"> <summary> Read IRQ sysctls. </summary> @@ -69984,7 +70303,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2458"> +<interface name="kernel_dontaudit_search_fs_sysctls" lineno="2496"> <summary> Do not audit attempts to search filesystem sysctl directories. 
@@ -69996,7 +70315,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="kernel_rw_irq_sysctls" lineno="2477"> +<interface name="kernel_rw_irq_sysctls" lineno="2515"> <summary> Read and write IRQ sysctls. </summary> @@ -70007,7 +70326,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_read_rpc_sysctls" lineno="2498"> +<interface name="kernel_read_rpc_sysctls" lineno="2536"> <summary> Read RPC sysctls. </summary> @@ -70018,7 +70337,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_rpc_sysctls" lineno="2519"> +<interface name="kernel_rw_rpc_sysctls" lineno="2557"> <summary> Read and write RPC sysctls. </summary> @@ -70029,7 +70348,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_dontaudit_list_all_sysctls" lineno="2539"> +<interface name="kernel_dontaudit_list_all_sysctls" lineno="2577"> <summary> Do not audit attempts to list all sysctl directories. </summary> @@ -70039,7 +70358,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_read_all_sysctls" lineno="2559"> +<interface name="kernel_read_all_sysctls" lineno="2597"> <summary> Allow caller to read all sysctls. </summary> @@ -70050,7 +70369,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_all_sysctls" lineno="2582"> +<interface name="kernel_rw_all_sysctls" lineno="2620"> <summary> Read and write all sysctls. </summary> @@ -70061,7 +70380,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_associate_proc" lineno="2607"> +<interface name="kernel_associate_proc" lineno="2645"> <summary> Associate a file to proc_t (/proc) </summary> @@ -70072,7 +70391,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_kill_unlabeled" lineno="2624"> +<interface name="kernel_kill_unlabeled" lineno="2662"> <summary> Send a kill signal to unlabeled processes. </summary> 
@@ -70082,7 +70401,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_mount_unlabeled" lineno="2642"> +<interface name="kernel_mount_unlabeled" lineno="2680"> <summary> Mount a kernel unlabeled filesystem. </summary> @@ -70092,7 +70411,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_unmount_unlabeled" lineno="2660"> +<interface name="kernel_unmount_unlabeled" lineno="2698"> <summary> Unmount a kernel unlabeled filesystem. </summary> @@ -70102,7 +70421,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_signal_unlabeled" lineno="2678"> +<interface name="kernel_signal_unlabeled" lineno="2716"> <summary> Send general signals to unlabeled processes. </summary> @@ -70112,7 +70431,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_signull_unlabeled" lineno="2696"> +<interface name="kernel_signull_unlabeled" lineno="2734"> <summary> Send a null signal to unlabeled processes. </summary> @@ -70122,7 +70441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sigstop_unlabeled" lineno="2714"> +<interface name="kernel_sigstop_unlabeled" lineno="2752"> <summary> Send a stop signal to unlabeled processes. </summary> @@ -70132,7 +70451,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sigchld_unlabeled" lineno="2732"> +<interface name="kernel_sigchld_unlabeled" lineno="2770"> <summary> Send a child terminated signal to unlabeled processes. </summary> @@ -70142,7 +70461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_getattr_unlabeled_dirs" lineno="2750"> +<interface name="kernel_getattr_unlabeled_dirs" lineno="2788"> <summary> Get the attributes of unlabeled directories. </summary> 
@@ -70152,7 +70471,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_search_unlabeled" lineno="2768"> +<interface name="kernel_dontaudit_search_unlabeled" lineno="2806"> <summary> Do not audit attempts to search unlabeled directories. </summary> @@ -70162,7 +70481,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_list_unlabeled" lineno="2786"> +<interface name="kernel_list_unlabeled" lineno="2824"> <summary> List unlabeled directories. </summary> @@ -70172,7 +70491,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_unlabeled_state" lineno="2804"> +<interface name="kernel_read_unlabeled_state" lineno="2842"> <summary> Read the process state (/proc/pid) of all unlabeled_t. </summary> @@ -70182,7 +70501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_list_unlabeled" lineno="2824"> +<interface name="kernel_dontaudit_list_unlabeled" lineno="2862"> <summary> Do not audit attempts to list unlabeled directories. </summary> @@ -70192,7 +70511,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_dirs" lineno="2842"> +<interface name="kernel_rw_unlabeled_dirs" lineno="2880"> <summary> Read and write unlabeled directories. </summary> @@ -70202,7 +70521,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_dirs" lineno="2860"> +<interface name="kernel_delete_unlabeled_dirs" lineno="2898"> <summary> Delete unlabeled directories. </summary> @@ -70212,7 +70531,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_dirs" lineno="2878"> +<interface name="kernel_manage_unlabeled_dirs" lineno="2916"> <summary> Create, read, write, and delete unlabeled directories. </summary> 
@@ -70222,7 +70541,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_mounton_unlabeled_dirs" lineno="2896"> +<interface name="kernel_mounton_unlabeled_dirs" lineno="2934"> <summary> Mount a filesystem on an unlabeled directory. </summary> @@ -70232,7 +70551,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_unlabeled_files" lineno="2914"> +<interface name="kernel_read_unlabeled_files" lineno="2952"> <summary> Read unlabeled files. </summary> @@ -70242,7 +70561,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_files" lineno="2932"> +<interface name="kernel_rw_unlabeled_files" lineno="2970"> <summary> Read and write unlabeled files. </summary> @@ -70252,7 +70571,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_files" lineno="2950"> +<interface name="kernel_delete_unlabeled_files" lineno="2988"> <summary> Delete unlabeled files. </summary> @@ -70262,7 +70581,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_files" lineno="2968"> +<interface name="kernel_manage_unlabeled_files" lineno="3006"> <summary> Create, read, write, and delete unlabeled files. </summary> @@ -70272,7 +70591,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2987"> +<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="3025"> <summary> Do not audit attempts by caller to get the attributes of an unlabeled file. @@ -70283,7 +70602,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3006"> +<interface name="kernel_dontaudit_read_unlabeled_files" lineno="3044"> <summary> Do not audit attempts by caller to read an unlabeled file. 
@@ -70294,7 +70613,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_unlabeled_filetrans" lineno="3040"> +<interface name="kernel_unlabeled_filetrans" lineno="3078"> <summary> Create an object in unlabeled directories with a private type. @@ -70320,7 +70639,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_symlinks" lineno="3058"> +<interface name="kernel_delete_unlabeled_symlinks" lineno="3096"> <summary> Delete unlabeled symbolic links. </summary> @@ -70330,7 +70649,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_symlinks" lineno="3076"> +<interface name="kernel_manage_unlabeled_symlinks" lineno="3114"> <summary> Create, read, write, and delete unlabeled symbolic links. </summary> @@ -70340,7 +70659,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3095"> +<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="3133"> <summary> Do not audit attempts by caller to get the attributes of unlabeled symbolic links. @@ -70351,7 +70670,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3114"> +<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="3152"> <summary> Do not audit attempts by caller to get the attributes of unlabeled named pipes. @@ -70362,7 +70681,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3133"> +<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="3171"> <summary> Do not audit attempts by caller to get the attributes of unlabeled named sockets. 
@@ -70373,7 +70692,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3152"> +<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="3190"> <summary> Do not audit attempts by caller to get attributes for unlabeled block devices. @@ -70384,7 +70703,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_rw_unlabeled_blk_files" lineno="3170"> +<interface name="kernel_rw_unlabeled_blk_files" lineno="3208"> <summary> Read and write unlabeled block device nodes. </summary> @@ -70394,7 +70713,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_blk_files" lineno="3188"> +<interface name="kernel_delete_unlabeled_blk_files" lineno="3226"> <summary> Delete unlabeled block device nodes. </summary> @@ -70404,7 +70723,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_blk_files" lineno="3206"> +<interface name="kernel_manage_unlabeled_blk_files" lineno="3244"> <summary> Create, read, write, and delete unlabeled block device nodes. </summary> @@ -70414,7 +70733,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3225"> +<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3263"> <summary> Do not audit attempts by caller to get attributes for unlabeled character devices. @@ -70425,7 +70744,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3244"> +<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3282"> <summary> Do not audit attempts to write unlabeled character devices. 
@@ -70436,7 +70755,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_chr_files" lineno="3262"> +<interface name="kernel_delete_unlabeled_chr_files" lineno="3300"> <summary> Delete unlabeled character device nodes. </summary> @@ -70446,7 +70765,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_manage_unlabeled_chr_files" lineno="3281"> +<interface name="kernel_manage_unlabeled_chr_files" lineno="3319"> <summary> Create, read, write, and delete unlabeled character device nodes. </summary> @@ -70456,7 +70775,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3299"> +<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3337"> <summary> Allow caller to relabel unlabeled directories. </summary> @@ -70466,7 +70785,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_files" lineno="3317"> +<interface name="kernel_relabelfrom_unlabeled_files" lineno="3355"> <summary> Allow caller to relabel unlabeled files. </summary> @@ -70476,7 +70795,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3336"> +<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3374"> <summary> Allow caller to relabel unlabeled symbolic links. </summary> @@ -70486,7 +70805,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3355"> +<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3393"> <summary> Allow caller to relabel unlabeled named pipes. </summary> @@ -70496,7 +70815,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_pipes" lineno="3374"> +<interface name="kernel_delete_unlabeled_pipes" lineno="3412"> <summary> Delete unlabeled named pipes </summary> 
@@ -70506,7 +70825,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3392"> +<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3430"> <summary> Allow caller to relabel unlabeled named sockets. </summary> @@ -70516,7 +70835,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_delete_unlabeled_sockets" lineno="3411"> +<interface name="kernel_delete_unlabeled_sockets" lineno="3449"> <summary> Delete unlabeled named sockets. </summary> @@ -70526,7 +70845,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3429"> +<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3467"> <summary> Allow caller to relabel from unlabeled block devices. </summary> @@ -70536,7 +70855,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3447"> +<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3485"> <summary> Allow caller to relabel from unlabeled character devices. </summary> @@ -70546,7 +70865,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_sendrecv_unlabeled_association" lineno="3480"> +<interface name="kernel_setattr_all_unlabeled" lineno="3504"> +<summary> +Allow caller set the attributes on all unlabeled +directory and file objects. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kernel_sendrecv_unlabeled_association" lineno="3537"> <summary> Send and receive messages from an unlabeled IPSEC association. 
@@ -70571,7 +70901,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3513"> +<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3570"> <summary> Do not audit attempts to send and receive messages from an unlabeled IPSEC association. @@ -70596,7 +70926,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3540"> +<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3597"> <summary> Receive TCP packets from an unlabeled connection. </summary> @@ -70615,7 +70945,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3569"> +<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3626"> <summary> Do not audit attempts to receive TCP packets from an unlabeled connection. @@ -70636,7 +70966,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_udp_recvfrom_unlabeled" lineno="3596"> +<interface name="kernel_udp_recvfrom_unlabeled" lineno="3653"> <summary> Receive UDP packets from an unlabeled connection. </summary> @@ -70655,7 +70985,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3625"> +<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3682"> <summary> Do not audit attempts to receive UDP packets from an unlabeled connection. @@ -70676,7 +71006,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_raw_recvfrom_unlabeled" lineno="3652"> +<interface name="kernel_raw_recvfrom_unlabeled" lineno="3709"> <summary> Receive Raw IP packets from an unlabeled connection. </summary> 
@@ -70695,7 +71025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3681"> +<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3738"> <summary> Do not audit attempts to receive Raw IP packets from an unlabeled connection. @@ -70716,7 +71046,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_sendrecv_unlabeled_packets" lineno="3711"> +<interface name="kernel_sendrecv_unlabeled_packets" lineno="3768"> <summary> Send and receive unlabeled packets. </summary> @@ -70738,7 +71068,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_recvfrom_unlabeled_peer" lineno="3739"> +<interface name="kernel_recvfrom_unlabeled_peer" lineno="3796"> <summary> Receive packets from an unlabeled peer. </summary> @@ -70758,7 +71088,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3767"> +<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3824"> <summary> Do not audit attempts to receive packets from an unlabeled peer. </summary> @@ -70778,7 +71108,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="kernel_relabelfrom_unlabeled_database" lineno="3785"> +<interface name="kernel_relabelfrom_unlabeled_database" lineno="3842"> <summary> Relabel from unlabeled database objects. </summary> @@ -70788,7 +71118,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_unconfined" lineno="3822"> +<interface name="kernel_unconfined" lineno="3879"> <summary> Unconfined access to kernel module resources. </summary> @@ -70798,7 +71128,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_read_vm_overcommit_sysctl" lineno="3842"> +<interface name="kernel_read_vm_overcommit_sysctl" lineno="3899"> <summary> Read virtual memory overcommit sysctl. </summary> 
@@ -70809,7 +71139,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3862"> +<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3919"> <summary> Read and write virtual memory overcommit sysctl. </summary> @@ -70820,7 +71150,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3881"> +<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3938"> <summary> Access unlabeled infiniband pkeys. </summary> @@ -70830,7 +71160,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3899"> +<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3956"> <summary> Manage subnet on unlabeled Infiniband endports. </summary> @@ -72269,7 +72599,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_setattr_scsi_generic_dev_dev" lineno="553"> +<interface name="storage_delete_scsi_generic_dev" lineno="553"> +<summary> +Allow the caller to delete the generic +SCSI interface device nodes. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="storage_setattr_scsi_generic_dev_dev" lineno="573"> <summary> Set attributes of the device nodes for the SCSI generic interface. @@ -72280,7 +72621,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_rw_scsi_generic" lineno="573"> +<interface name="storage_dontaudit_rw_scsi_generic" lineno="593"> <summary> Do not audit attempts to read or write SCSI generic device interfaces. @@ -72291,7 +72632,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_getattr_removable_dev" lineno="592"> +<interface name="storage_getattr_removable_dev" lineno="612"> <summary> Allow the caller to get the attributes of removable devices device nodes. 
@@ -72302,7 +72643,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_getattr_removable_dev" lineno="612"> +<interface name="storage_dontaudit_getattr_removable_dev" lineno="632"> <summary> Do not audit attempts made by the caller to get the attributes of removable devices device nodes. @@ -72313,7 +72654,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_dontaudit_read_removable_device" lineno="631"> +<interface name="storage_dontaudit_read_removable_device" lineno="651"> <summary> Do not audit attempts made by the caller to read removable devices device nodes. @@ -72324,7 +72665,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_dontaudit_write_removable_device" lineno="651"> +<interface name="storage_dontaudit_write_removable_device" lineno="671"> <summary> Do not audit attempts made by the caller to write removable devices device nodes. @@ -72335,7 +72676,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_setattr_removable_dev" lineno="670"> +<interface name="storage_setattr_removable_dev" lineno="690"> <summary> Allow the caller to set the attributes of removable devices device nodes. @@ -72346,7 +72687,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_setattr_removable_dev" lineno="690"> +<interface name="storage_dontaudit_setattr_removable_dev" lineno="710"> <summary> Do not audit attempts made by the caller to set the attributes of removable devices device nodes. @@ -72357,7 +72698,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_raw_read_removable_device" lineno="712"> +<interface name="storage_raw_read_removable_device" lineno="732"> <summary> Allow the caller to directly read from a removable device. 
@@ -72371,7 +72712,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_raw_read_removable_device" lineno="731"> +<interface name="storage_dontaudit_raw_read_removable_device" lineno="751"> <summary> Do not audit attempts to directly read removable devices. </summary> @@ -72381,7 +72722,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_raw_write_removable_device" lineno="753"> +<interface name="storage_raw_write_removable_device" lineno="773"> <summary> Allow the caller to directly write to a removable device. @@ -72395,7 +72736,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_dontaudit_raw_write_removable_device" lineno="772"> +<interface name="storage_dontaudit_raw_write_removable_device" lineno="792"> <summary> Do not audit attempts to directly write removable devices. </summary> @@ -72405,7 +72746,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="storage_read_tape" lineno="791"> +<interface name="storage_read_tape" lineno="811"> <summary> Allow the caller to directly read a tape device. @@ -72416,7 +72757,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_write_tape" lineno="811"> +<interface name="storage_write_tape" lineno="831"> <summary> Allow the caller to directly write a tape device. @@ -72427,7 +72768,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_getattr_tape_dev" lineno="831"> +<interface name="storage_getattr_tape_dev" lineno="851"> <summary> Allow the caller to get the attributes of device nodes of tape devices. @@ -72438,7 +72779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_setattr_tape_dev" lineno="851"> +<interface name="storage_setattr_tape_dev" lineno="871"> <summary> Allow the caller to set the attributes of device nodes of tape devices. 
@@ -72449,7 +72790,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="storage_unconfined" lineno="870"> +<interface name="storage_unconfined" lineno="890"> <summary> Unconfined access to storage devices. </summary> @@ -77067,7 +77408,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="chronyd_startstop" lineno="273"> +<interface name="chronyd_startstop" lineno="274"> <summary> Allow specified domain to start and stop chronyd unit </summary> @@ -77077,7 +77418,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="chronyd_status" lineno="292"> +<interface name="chronyd_status" lineno="294"> <summary> Allow specified domain to get status of chronyd unit </summary> @@ -77087,7 +77428,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="chronyd_dgram_send_cli" lineno="312"> +<interface name="chronyd_dgram_send_cli" lineno="314"> <summary> Send to chronyd command line interface using a unix domain datagram socket. @@ -77098,7 +77439,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="chronyd_admin" lineno="338"> +<interface name="chronyd_admin" lineno="340"> <summary> All of the rules required to administrate an chronyd environment. 
@@ -77515,6 +77856,194 @@ nfs file systems. </desc> </tunable> </module> +<module name="cockpit" filename="policy/modules/services/cockpit.if"> +<summary>Cockpit web management system for Linux</summary> + +<desc> +Cockpit is a web console that enables users to administer Linux servers +via a web browser. +see https://cockpit-project.org/ + +For linux logins that are allowed access they must be associated with a +SELinux user that uses ssh_role_template (sysadm, system). To be able +to alter system settings the must be allowed sudo access. +</desc> +<template name="cockpit_role_template" lineno="46"> +<summary> +The role template for the cockpit module. +</summary> +<desc> +<p> +This template creates a derived domain which is allowed +to change the linux user id, to run commands as a different +user. +</p> +</desc> +<param name="role_prefix"> +<summary> +The prefix of the user role (e.g., user +is the prefix for user_r). +</summary> +</param> +<param name="user_domain"> +<summary> +User domain for the role. +</summary> +</param> +<param name="user_exec_domain"> +<summary> +User exec domain for execute access. +</summary> +</param> +<param name="role"> +<summary> +Role allowed access +</summary> +</param> +</template> +<interface name="cockpit_domtrans_session" lineno="84"> +<summary> +Transition to the cockpit session domain. +</summary> +<param name="domain"> +<summary> +Domain allowed to transition. +</summary> +</param> +</interface> +<interface name="cockpit_get_service_status" lineno="103"> +<summary> +Allow specified domain to get status of cockpit service +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_enabledisable" lineno="122"> +<summary> +Allow specified domain to enable cockpit units +</summary> +<param name="domain"> +<summary> +Domain allowed access. 
+</summary> +</param> +</interface> +<interface name="cockpit_startstop" lineno="142"> +<summary> +Allow specified domain to start cockpit units +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_manage_runtime_symlnks" lineno="162"> +<summary> +Create, read, write, and delete the cockpick runtime symlink files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_use_session_fds" lineno="181"> +<summary> +Inherit and use cockpit session file descriptors. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_rw_session_pipes" lineno="199"> +<summary> +Read and write cockpit session unnamed pipes. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_use_ws_fds" lineno="217"> +<summary> +Inherit and use cockpit web service file descriptors. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_rw_ws_stream_sockets" lineno="235"> +<summary> +Read and write cockpit web service stream socket +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_manage_cert_files" lineno="253"> +<summary> +Manage the cockpit certificate files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_read_cert_files" lineno="271"> +<summary> +Read cockpit certificate files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="cockpit_delete_cert_files" lineno="291"> +<summary> +Delete cockpit certificate files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. 
+</summary> +</param> +</interface> +<interface name="cockpit_send_signal" lineno="311"> +<summary> +Allow cockpit to send signals to another domain. +</summary> +<param name="domain"> +<summary> +Domain allowed to send to, +</summary> +</param> +</interface> +<interface name="cockpit_admin" lineno="331"> +<summary> +All of the rules required to administrate +an cockpit environment +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +</module> <module name="collectd" filename="policy/modules/services/collectd.if"> <summary>Statistics collection daemon for filling RRD files.</summary> <interface name="collectd_admin" lineno="20"> @@ -78056,7 +78585,19 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="container_stream_connect_system_engine" lineno="681"> +<interface name="container_fusefs_domtrans_spc" lineno="682"> +<summary> +Execute FUSEFS files with a type +transition to the super privileged +container type. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_stream_connect_system_engine" lineno="701"> <summary> Connect to a system container engine domain over a unix stream socket. @@ -78067,7 +78608,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_stream_connect_system_containers" lineno="703"> +<interface name="container_stream_connect_system_containers" lineno="723"> <summary> Connect to a system container domain over a unix stream socket. @@ -78078,7 +78619,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_stream_connect_user_containers" lineno="725"> +<interface name="container_stream_connect_user_containers" lineno="745"> <summary> Connect to a user container domain over a unix stream socket. 
@@ -78089,7 +78630,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_stream_connect_spc" lineno="747"> +<interface name="container_stream_connect_spc" lineno="767"> <summary> Connect to super privileged containers over a unix stream socket. @@ -78100,7 +78641,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_rw_spc_tcp_sockets" lineno="769"> +<interface name="container_rw_spc_tcp_sockets" lineno="789"> <summary> Read and write super privileged container TCP sockets. @@ -78111,7 +78652,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_stream_connect_all_containers" lineno="788"> +<interface name="container_stream_connect_all_containers" lineno="808"> <summary> Connect to a container domain over a unix stream socket. @@ -78122,7 +78663,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_stream_connect_spec_container" lineno="810"> +<interface name="container_stream_connect_spec_container" lineno="830"> <summary> Connect to the specified container domain over a unix stream socket. @@ -78133,7 +78674,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_kill_all_containers" lineno="831"> +<interface name="container_kill_all_containers" lineno="851"> <summary> Allow the specified domain to send a kill signal to all containers. @@ -78144,7 +78685,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="container_signal_all_containers" lineno="851"> +<interface name="container_signal_all_containers" lineno="871"> <summary> Allow the specified domain to send all signals to a container 
@@ -78156,7 +78697,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="container_dev_filetrans" lineno="880"> +<interface name="container_dev_filetrans" lineno="900"> <summary> Create objects in /dev with an automatic transition to the container device type. @@ -78177,7 +78718,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_rw_device_files" lineno="898"> +<interface name="container_rw_device_files" lineno="918"> <summary> Read and write container device files. </summary> @@ -78187,7 +78728,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_device_files" lineno="916"> +<interface name="container_manage_device_files" lineno="936"> <summary> Manage container device files. </summary> @@ -78197,7 +78738,28 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_mounton_all_devices" lineno="934"> +<interface name="container_getattr_device_blk_files" lineno="955"> +<summary> +Get the attributes of container device +block files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_read_device_blk_files" lineno="973"> +<summary> +Read container device block files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_mounton_all_devices" lineno="991"> <summary> Mount on all container devices. </summary> @@ -78207,7 +78769,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_setattr_container_ptys" lineno="952"> +<interface name="container_setattr_container_ptys" lineno="1009"> <summary> Set the attributes of container ptys. </summary> 
@@ -78217,7 +78779,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_use_container_ptys" lineno="970"> +<interface name="container_use_container_ptys" lineno="1027"> <summary> Read and write container ptys. </summary> @@ -78227,7 +78789,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_mountpoint" lineno="989"> +<interface name="container_mountpoint" lineno="1046"> <summary> Make the specified type usable as a mountpoint for containers. @@ -78238,7 +78800,7 @@ Type to be used as a mountpoint. </summary> </param> </interface> -<interface name="container_list_plugin_dirs" lineno="1009"> +<interface name="container_list_plugin_dirs" lineno="1066"> <summary> Allow the specified domain to list the contents of container @@ -78250,7 +78812,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_watch_plugin_dirs" lineno="1029"> +<interface name="container_watch_plugin_dirs" lineno="1086"> <summary> Allow the specified domain to add a watch on container plugin @@ -78262,7 +78824,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_plugin_files" lineno="1048"> +<interface name="container_manage_plugin_files" lineno="1105"> <summary> Allow the specified domain to manage container plugin files. @@ -78273,7 +78835,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_exec_plugins" lineno="1067"> +<interface name="container_exec_plugins" lineno="1124"> <summary> Allow the specified domain to execute container plugins. @@ -78284,7 +78846,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_search_config" lineno="1087"> +<interface name="container_search_config" lineno="1144"> <summary> Allow the specified domain to search container config directories. 
@@ -78295,7 +78857,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_read_config" lineno="1107"> +<interface name="container_read_config" lineno="1164"> <summary> Allow the specified domain to read container config files. @@ -78306,7 +78868,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_watch_config_dirs" lineno="1127"> +<interface name="container_watch_config_dirs" lineno="1184"> <summary> Allow the specified domain to watch container config directories. @@ -78317,7 +78879,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_create_config_files" lineno="1146"> +<interface name="container_create_config_files" lineno="1203"> <summary> Allow the specified domain to create container config files. @@ -78328,7 +78890,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_rw_config_files" lineno="1165"> +<interface name="container_rw_config_files" lineno="1222"> <summary> Allow the specified domain to read and write container config files. @@ -78339,7 +78901,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_config_files" lineno="1184"> +<interface name="container_manage_config_files" lineno="1241"> <summary> Allow the specified domain to manage container config files. @@ -78350,7 +78912,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_file_root_filetrans" lineno="1205"> +<interface name="container_file_root_filetrans" lineno="1262"> <summary> Allow the specified domain to create container files in the @@ -78363,7 +78925,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_dirs" lineno="1224"> +<interface name="container_manage_dirs" lineno="1281"> <summary> Allow the specified domain to manage container file directories. 
@@ -78374,7 +78936,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_watch_dirs" lineno="1243"> +<interface name="container_watch_dirs" lineno="1300"> <summary> Allow the specified domain to watch container file directories. @@ -78385,7 +78947,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_files" lineno="1262"> +<interface name="container_manage_files" lineno="1319"> <summary> Allow the specified domain to manage container files. @@ -78396,7 +78958,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_dontaudit_relabel_dirs" lineno="1281"> +<interface name="container_dontaudit_relabel_dirs" lineno="1338"> <summary> Do not audit attempts to relabel container file directories. @@ -78407,7 +78969,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="container_dontaudit_relabel_files" lineno="1300"> +<interface name="container_dontaudit_relabel_files" lineno="1357"> <summary> Do not audit attempts to relabel container files. @@ -78418,7 +78980,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="container_manage_lnk_files" lineno="1319"> +<interface name="container_manage_lnk_files" lineno="1376"> <summary> Allow the specified domain to manage container lnk files. @@ -78429,7 +78991,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_rw_fifo_files" lineno="1338"> +<interface name="container_rw_fifo_files" lineno="1395"> <summary> Allow the specified domain to read and write container fifo files. @@ -78440,7 +79002,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_fifo_files" lineno="1357"> +<interface name="container_manage_fifo_files" lineno="1414"> <summary> Allow the specified domain to manage container fifo files. 
@@ -78451,7 +79013,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_sock_files" lineno="1376"> +<interface name="container_manage_sock_files" lineno="1433"> <summary> Allow the specified domain to manage container sock files. @@ -78462,7 +79024,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_rw_chr_files" lineno="1395"> +<interface name="container_rw_chr_files" lineno="1452"> <summary> Allow the specified domain to read and write container chr files. @@ -78473,7 +79035,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_dontaudit_rw_chr_files" lineno="1414"> +<interface name="container_dontaudit_rw_chr_files" lineno="1471"> <summary> Do not audit attempts to read and write container chr files. @@ -78484,7 +79046,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_chr_files" lineno="1433"> +<interface name="container_manage_chr_files" lineno="1490"> <summary> Allow the specified domain to manage container chr files. @@ -78495,7 +79057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_spec_filetrans_file" lineno="1469"> +<interface name="container_spec_filetrans_file" lineno="1526"> <summary> Allow the specified domain to create objects in specified directories with @@ -78523,7 +79085,19 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_list_ro_dirs" lineno="1489"> +<interface name="container_getattr_all_files" lineno="1546"> +<summary> +Allow the specified domain to get +the attributes of all container +file objects. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_list_ro_dirs" lineno="1566"> <summary> Allow the specified domain to list the contents of read-only container 
@@ -78535,7 +79109,29 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_home_config" lineno="1508"> +<interface name="container_getattr_all_ro_files" lineno="1586"> +<summary> +Allow the specified domain to get +the attributes of all read-only +container file objects. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_read_home_config" lineno="1604"> +<summary> +Read container config home content. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_manage_home_config" lineno="1625"> <summary> Allow the specified domain to manage container config home content. @@ -78546,7 +79142,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_config_home_filetrans" lineno="1540"> +<interface name="container_config_home_filetrans" lineno="1657"> <summary> Allow the specified domain to create objects in an xdg_config directory @@ -78569,7 +79165,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_manage_home_data_files" lineno="1560"> +<interface name="container_manage_home_data_files" lineno="1677"> <summary> Allow the specified domain to manage container data home files. @@ -78580,7 +79176,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_home_data_fifo_files" lineno="1580"> +<interface name="container_manage_home_data_fifo_files" lineno="1697"> <summary> Allow the specified domain to manage container data home named @@ -78592,7 +79188,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_home_data_sock_files" lineno="1600"> +<interface name="container_manage_home_data_sock_files" lineno="1717"> <summary> Allow the specified domain to manage container data home named 
@@ -78604,7 +79200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_admin_all_files" lineno="1618"> +<interface name="container_admin_all_files" lineno="1735"> <summary> Administrate all container files. </summary> @@ -78614,7 +79210,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_admin_all_ro_files" lineno="1638"> +<interface name="container_admin_all_ro_files" lineno="1755"> <summary> Administrate all container read-only files. </summary> @@ -78624,7 +79220,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_admin_all_user_runtime_content" lineno="1660"> +<interface name="container_admin_all_user_runtime_content" lineno="1777"> <summary> All of the rules necessary for a user to manage user container runtime data @@ -78636,7 +79232,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_all_home_content" lineno="1680"> +<interface name="container_manage_all_home_content" lineno="1797"> <summary> All of the rules necessary for a user to manage container data in their home @@ -78648,7 +79244,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_relabel_all_content" lineno="1724"> +<interface name="container_relabel_all_content" lineno="1841"> <summary> Allow the specified domain to relabel container files and @@ -78660,7 +79256,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_remount_fs" lineno="1743"> +<interface name="container_remount_fs" lineno="1860"> <summary> Allow the specified domain to remount container filesystems. @@ -78671,7 +79267,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_relabel_fs" lineno="1762"> +<interface name="container_relabel_fs" lineno="1879"> <summary> Allow the specified domain to relabel container filesystems. 
@@ -78682,7 +79278,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_getattr_fs" lineno="1782"> +<interface name="container_getattr_fs" lineno="1899"> <summary> Allow the specified domain to get the attributes of container @@ -78694,7 +79290,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_search_runtime" lineno="1801"> +<interface name="container_search_runtime" lineno="1918"> <summary> Allow the specified domain to search runtime container directories. @@ -78705,7 +79301,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_read_runtime_files" lineno="1821"> +<interface name="container_read_runtime_files" lineno="1938"> <summary> Allow the specified domain to read runtime container files. @@ -78716,7 +79312,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_getattr_runtime_sock_files" lineno="1842"> +<interface name="container_getattr_runtime_sock_files" lineno="1959"> <summary> Allow the specified domain to get the attributes runtime container of @@ -78728,7 +79324,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_runtime_files" lineno="1861"> +<interface name="container_create_runtime_dirs" lineno="1978"> +<summary> +Allow the specified domain to create +runtime container directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_manage_runtime_files" lineno="1997"> <summary> Allow the specified domain to manage runtime container files. @@ -78739,7 +79346,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_runtime_fifo_files" lineno="1880"> +<interface name="container_manage_runtime_fifo_files" lineno="2016"> <summary> Allow the specified domain to manage runtime container named pipes. 
@@ -78750,7 +79357,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_runtime_lnk_files" lineno="1899"> +<interface name="container_manage_runtime_lnk_files" lineno="2035"> <summary> Allow the specified domain to manage runtime container symlinks. @@ -78761,7 +79368,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_runtime_sock_files" lineno="1918"> +<interface name="container_manage_runtime_sock_files" lineno="2054"> <summary> Allow the specified domain to manage runtime container named sockets. @@ -78772,7 +79379,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_user_runtime_files" lineno="1937"> +<interface name="container_manage_user_runtime_files" lineno="2073"> <summary> Allow the specified domain to manage user runtime container files. @@ -78783,7 +79390,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_rw_user_runtime_sock_files" lineno="1956"> +<interface name="container_rw_user_runtime_sock_files" lineno="2092"> <summary> Allow the specified domain to read and write user runtime container named sockets. @@ -78794,7 +79401,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_search_var_lib" lineno="1975"> +<interface name="container_search_var_lib" lineno="2111"> <summary> Allow the specified domain to search container directories in /var/lib. @@ -78805,7 +79412,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_list_var_lib" lineno="1996"> +<interface name="container_list_var_lib" lineno="2132"> <summary> Allow the specified domain to list the contents of container directories 
@@ -78817,7 +79424,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_var_lib_dirs" lineno="2016"> +<interface name="container_manage_var_lib_dirs" lineno="2152"> <summary> Allow the specified domain to manage container file directories in /var/lib. @@ -78828,7 +79435,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_read_var_lib_files" lineno="2035"> +<interface name="container_read_var_lib_files" lineno="2171"> <summary> Allow the specified domain to read container files in /var/lib. @@ -78839,7 +79446,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_var_lib_files" lineno="2054"> +<interface name="container_manage_var_lib_files" lineno="2190"> <summary> Allow the specified domain to manage container files in /var/lib. @@ -78850,7 +79457,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_map_var_lib_files" lineno="2073"> +<interface name="container_map_var_lib_files" lineno="2209"> <summary> Allow the specified domain to memory map container files in /var/lib. @@ -78861,7 +79468,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_var_lib_fifo_files" lineno="2092"> +<interface name="container_manage_var_lib_fifo_files" lineno="2228"> <summary> Allow the specified domain to manage container named pipes in /var/lib. @@ -78872,7 +79479,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_var_lib_lnk_files" lineno="2111"> +<interface name="container_manage_var_lib_lnk_files" lineno="2247"> <summary> Allow the specified domain to manage container symlinks in /var/lib. 
@@ -78883,7 +79490,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_var_lib_sock_files" lineno="2130"> +<interface name="container_manage_var_lib_sock_files" lineno="2266"> <summary> Allow the specified domain to manage container named sockets in /var/lib. @@ -78894,7 +79501,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_var_lib_filetrans" lineno="2160"> +<interface name="container_var_lib_filetrans" lineno="2296"> <summary> Allow the specified domain to create objects in /var/lib with an automatic @@ -78916,7 +79523,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_var_lib_filetrans_file" lineno="2190"> +<interface name="container_var_lib_filetrans_file" lineno="2326"> <summary> Allow the specified domain to create objects in /var/lib with an automatic @@ -78938,7 +79545,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_filetrans_var_lib_file" lineno="2221"> +<interface name="container_filetrans_var_lib_file" lineno="2357"> <summary> Allow the specified domain to create objects in container /var/lib directories @@ -78961,7 +79568,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_unlabeled_var_lib_filetrans" lineno="2253"> +<interface name="container_unlabeled_var_lib_filetrans" lineno="2389"> <summary> Allow the specified domain to create objects in unlabeled directories with 
@@ -78984,7 +79591,19 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_search_logs" lineno="2274"> +<interface name="container_getattr_all_var_lib_files" lineno="2411"> +<summary> +Allow the specified domain to get +the attributes of all container +var lib objects. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="container_search_logs" lineno="2430"> <summary> Allow the specified domain to search container log file directories. @@ -78995,7 +79614,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_list_log_dirs" lineno="2294"> +<interface name="container_list_log_dirs" lineno="2450"> <summary> Allow the specified domain to list the contents of container log directories. @@ -79006,7 +79625,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_create_log_dirs" lineno="2313"> +<interface name="container_create_log_dirs" lineno="2469"> <summary> Allow the specified domain to create container log file directories. @@ -79017,7 +79636,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_log_dirs" lineno="2332"> +<interface name="container_manage_log_dirs" lineno="2488"> <summary> Allow the specified domain to manage container log file directories. @@ -79028,7 +79647,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_watch_log_dirs" lineno="2351"> +<interface name="container_watch_log_dirs" lineno="2507"> <summary> Allow the specified domain to watch container log file directories. @@ -79039,7 +79658,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_create_log_files" lineno="2370"> +<interface name="container_create_log_files" lineno="2526"> <summary> Allow the specified domain to create container log files. 
@@ -79050,7 +79669,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_append_log_files" lineno="2389"> +<interface name="container_append_log_files" lineno="2545"> <summary> Allow the specified domain to append data to container log files. @@ -79061,7 +79680,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_manage_log_files" lineno="2408"> +<interface name="container_manage_log_files" lineno="2564"> <summary> Allow the specified domain to manage container log files. @@ -79072,7 +79691,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_watch_log_files" lineno="2427"> +<interface name="container_watch_log_files" lineno="2583"> <summary> Allow the specified domain to watch container log files. @@ -79083,7 +79702,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_log_filetrans" lineno="2458"> +<interface name="container_log_filetrans" lineno="2614"> <summary> Allow the specified domain to create objects in log directories with an @@ -79106,7 +79725,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="container_manage_log_symlinks" lineno="2478"> +<interface name="container_manage_log_symlinks" lineno="2634"> <summary> Allow the specified domain to manage container log symlinks. @@ -79117,7 +79736,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_start_units" lineno="2497"> +<interface name="container_start_units" lineno="2653"> <summary> Allow the specified domain to start systemd units for containers. @@ -79128,7 +79747,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="container_admin" lineno="2524"> +<interface name="container_admin" lineno="2680"> <summary> All of the rules required to administrate a container 
@@ -80574,7 +81193,7 @@ User domain for the role </summary> </param> </template> -<interface name="dbus_system_bus_client" lineno="140"> +<interface name="dbus_system_bus_client" lineno="155"> <summary> Template for creating connections to the system bus. @@ -80585,7 +81204,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_connect_all_session_bus" lineno="181"> +<interface name="dbus_connect_all_session_bus" lineno="196"> <summary> Acquire service on all DBUS session busses. @@ -80596,7 +81215,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_connect_spec_session_bus" lineno="207"> +<template name="dbus_connect_spec_session_bus" lineno="222"> <summary> Acquire service on specified DBUS session bus. @@ -80613,7 +81232,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_all_session_bus_client" lineno="227"> +<interface name="dbus_all_session_bus_client" lineno="242"> <summary> Creating connections to all DBUS session busses. @@ -80624,7 +81243,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_spec_session_bus_client" lineno="261"> +<template name="dbus_spec_session_bus_client" lineno="276"> <summary> Creating connections to specified DBUS session bus. @@ -80641,7 +81260,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_send_all_session_bus" lineno="288"> +<interface name="dbus_send_all_session_bus" lineno="303"> <summary> Send messages to all DBUS session busses. @@ -80652,7 +81271,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="dbus_send_spec_session_bus" lineno="314"> +<template name="dbus_send_spec_session_bus" lineno="329"> <summary> Send messages to specified DBUS session busses. 
@@ -80669,7 +81288,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="dbus_getattr_session_runtime_socket" lineno="334"> +<interface name="dbus_getattr_session_runtime_socket" lineno="349"> <summary> Allow the specified domain to get the attributes of the session dbus sock file. @@ -80680,7 +81299,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_write_session_runtime_socket" lineno="353"> +<interface name="dbus_write_session_runtime_socket" lineno="368"> <summary> Allow the specified domain to write to the session dbus sock file. @@ -80691,7 +81310,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_config" lineno="371"> +<interface name="dbus_read_config" lineno="386"> <summary> Read dbus configuration content. </summary> @@ -80701,7 +81320,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_lib_files" lineno="390"> +<interface name="dbus_read_lib_files" lineno="405"> <summary> Read system dbus lib files. </summary> @@ -80711,7 +81330,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_relabel_lib_dirs" lineno="410"> +<interface name="dbus_relabel_lib_dirs" lineno="425"> <summary> Relabel system dbus lib directory. </summary> @@ -80721,7 +81340,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_manage_lib_files" lineno="430"> +<interface name="dbus_manage_lib_files" lineno="445"> <summary> Create, read, write, and delete system dbus lib files. @@ -80732,7 +81351,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_all_session_domain" lineno="456"> +<interface name="dbus_all_session_domain" lineno="471"> <summary> Allow a application domain to be started by the specified session bus. 
@@ -80749,7 +81368,7 @@ entry point to this domain. </summary> </param> </interface> -<template name="dbus_spec_session_domain" lineno="490"> +<template name="dbus_spec_session_domain" lineno="505"> <summary> Allow a application domain to be started by the specified session bus. @@ -80772,7 +81391,7 @@ entry point to this domain. </summary> </param> </template> -<interface name="dbus_connect_system_bus" lineno="511"> +<interface name="dbus_connect_system_bus" lineno="526"> <summary> Acquire service on the DBUS system bus. </summary> @@ -80782,7 +81401,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_send_system_bus" lineno="530"> +<interface name="dbus_send_system_bus" lineno="545"> <summary> Send messages to the DBUS system bus. </summary> @@ -80792,7 +81411,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_system_bus_unconfined" lineno="549"> +<interface name="dbus_system_bus_unconfined" lineno="564"> <summary> Unconfined access to DBUS system bus. </summary> @@ -80802,7 +81421,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_system_domain" lineno="574"> +<interface name="dbus_system_domain" lineno="589"> <summary> Create a domain for processes which can be started by the DBUS system bus. @@ -80818,7 +81437,7 @@ Type of the program to be used as an entry point to this domain. </summary> </param> </interface> -<interface name="dbus_use_system_bus_fds" lineno="612"> +<interface name="dbus_use_system_bus_fds" lineno="627"> <summary> Use and inherit DBUS system bus file descriptors. @@ -80829,7 +81448,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="631"> +<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="646"> <summary> Do not audit attempts to read and write DBUS system bus TCP sockets. 
@@ -80840,7 +81459,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dbus_watch_system_bus_runtime_dirs" lineno="649"> +<interface name="dbus_watch_system_bus_runtime_dirs" lineno="664"> <summary> Watch system bus runtime directories. </summary> @@ -80850,7 +81469,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_system_bus_runtime_files" lineno="667"> +<interface name="dbus_read_system_bus_runtime_files" lineno="682"> <summary> Read system bus runtime files. </summary> @@ -80860,7 +81479,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_list_system_bus_runtime" lineno="686"> +<interface name="dbus_list_system_bus_runtime" lineno="701"> <summary> List system bus runtime directories. </summary> @@ -80870,7 +81489,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="704"> +<interface name="dbus_watch_system_bus_runtime_named_sockets" lineno="719"> <summary> Watch system bus runtime named sockets. </summary> @@ -80880,7 +81499,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="722"> +<interface name="dbus_read_system_bus_runtime_named_sockets" lineno="737"> <summary> Read system bus runtime named sockets. </summary> @@ -80890,7 +81509,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="741"> +<interface name="dbus_dontaudit_write_system_bus_runtime_named_sockets" lineno="756"> <summary> Do not audit attempts to write to system bus runtime named sockets. 
@@ -80901,7 +81520,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="dbus_rw_session_tmp_sockets" lineno="759"> +<interface name="dbus_rw_session_tmp_sockets" lineno="774"> <summary> Read and write session named sockets in the tmp directory (/tmp). </summary> @@ -80911,7 +81530,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_unconfined" lineno="777"> +<interface name="dbus_unconfined" lineno="792"> <summary> Unconfined access to DBUS. </summary> @@ -80921,7 +81540,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="807"> +<interface name="dbus_generic_pid_filetrans_system_dbusd_var_run" lineno="822"> <summary> Create resources in /run or /var/run with the system_dbusd_runtime_t label. This method is deprecated in favor of the init_daemon_run_dir @@ -80943,7 +81562,7 @@ Optional file name used for the resource </summary> </param> </interface> -<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="821"> +<interface name="dbus_create_system_dbusd_var_run_dirs" lineno="836"> <summary> Create directories with the system_dbusd_runtime_t label </summary> @@ -82994,6 +83613,17 @@ Role allowed access. </param> <rolecap/> </interface> +<tunable name="glusterfs_manage_unlabeled" dftval="false"> +<desc> +<p> +Allow the gluster daemon to manage unlabeled +objects. This could happen if the underlying +gluster brick experiences data corruption +and you want to allow gluster to handle +files with corrupted or missing xattrs. +</p> +</desc> +</tunable> <tunable name="glusterfs_modify_policy" dftval="false"> <desc> <p> 
@@ -84725,7 +85355,29 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_getpgid_containers" lineno="315"> +<interface name="kubernetes_read_container_engine_state" lineno="314"> +<summary> +Read the process state (/proc/pid) of +kubernetes container engines. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_dontaudit_search_engine_keys" lineno="333"> +<summary> +Do not audit attempts to search +kubernetes container engine keys. +</summary> +<param name="domain"> +<summary> +Domain to not audit. +</summary> +</param> +</interface> +<interface name="kubernetes_getpgid_containers" lineno="353"> <summary> Allow the specified domain to get the process group ID of all @@ -84737,7 +85389,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="kubernetes_run_engine_bpf" lineno="334"> +<interface name="kubernetes_run_engine_bpf" lineno="372"> <summary> Run kubernetes container engine bpf programs. @@ -84748,7 +85400,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_search_config" lineno="352"> +<interface name="kubernetes_search_config" lineno="390"> <summary> Search kubernetes config directories. </summary> @@ -84758,7 +85410,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_read_config" lineno="371"> +<interface name="kubernetes_read_config" lineno="409"> <summary> Read kubernetes config files and symlinks. </summary> @@ -84768,7 +85420,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_mounton_config_dirs" lineno="391"> +<interface name="kubernetes_mounton_config_dirs" lineno="429"> <summary> Mount on kubernetes config directories. </summary> 
@@ -84778,7 +85430,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_watch_config_dirs" lineno="410"> +<interface name="kubernetes_watch_config_dirs" lineno="448"> <summary> Allow the specified domain to watch kubernetes config directories. @@ -84789,7 +85441,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_manage_config_files" lineno="428"> +<interface name="kubernetes_manage_config_files" lineno="466"> <summary> Manage kubernetes config files. </summary> @@ -84799,7 +85451,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_mounton_config_files" lineno="446"> +<interface name="kubernetes_mounton_config_files" lineno="484"> <summary> Mount on kubernetes config files. </summary> @@ -84809,7 +85461,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_watch_config_files" lineno="465"> +<interface name="kubernetes_watch_config_files" lineno="503"> <summary> Allow the specified domain to watch kubernetes config files. @@ -84820,7 +85472,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_search_plugin_dirs" lineno="485"> +<interface name="kubernetes_search_plugin_dirs" lineno="523"> <summary> Allow the specified domain to search through the contents of kubernetes plugin @@ -84832,7 +85484,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_list_plugins" lineno="506"> +<interface name="kubernetes_list_plugins" lineno="544"> <summary> Allow the specified domain to list the contents of kubernetes plugin @@ -84844,7 +85496,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_watch_plugin_dirs" lineno="525"> +<interface name="kubernetes_watch_plugin_dirs" lineno="563"> <summary> Allow the specified domain to watch kubernetes plugin directories. 
@@ -84855,7 +85507,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_manage_plugin_files" lineno="544"> +<interface name="kubernetes_manage_plugin_files" lineno="582"> <summary> Allow the specified domain to manage kubernetes plugin files. 
@@ -84866,7 +85518,77 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_list_tmpfs" lineno="563"> +<interface name="kubernetes_manage_runtime_dirs" lineno="600"> +<summary> +Manage kubernetes runtime directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_mounton_runtime_dirs" lineno="618"> +<summary> +Mount on kubernetes runtime directories. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_manage_runtime_files" lineno="636"> +<summary> +Manage kubernetes runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_map_runtime_files" lineno="654"> +<summary> +Memory map kubernetes runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_watch_runtime_files" lineno="672"> +<summary> +Watch kubernetes runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_manage_runtime_symlinks" lineno="690"> +<summary> +Manage kubernetes runtime symlinks. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_manage_runtime_sock_files" lineno="708"> +<summary> +Manage kubernetes runtime sock files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="kubernetes_list_tmpfs" lineno="727"> <summary> List the contents of kubernetes tmpfs directories. 
@@ -84877,7 +85599,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_manage_tmpfs_dirs" lineno="581"> +<interface name="kubernetes_manage_tmpfs_dirs" lineno="745"> <summary> Manage kubernetes tmpfs directories. </summary> @@ -84887,7 +85609,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_watch_tmpfs_dirs" lineno="599"> +<interface name="kubernetes_watch_tmpfs_dirs" lineno="763"> <summary> Watch kubernetes tmpfs directories. </summary> @@ -84897,7 +85619,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_read_tmpfs_files" lineno="617"> +<interface name="kubernetes_read_tmpfs_files" lineno="781"> <summary> Read kubernetes tmpfs files. </summary> @@ -84907,7 +85629,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_manage_tmpfs_files" lineno="635"> +<interface name="kubernetes_manage_tmpfs_files" lineno="799"> <summary> Manage kubernetes tmpfs files. </summary> @@ -84917,7 +85639,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_watch_tmpfs_files" lineno="653"> +<interface name="kubernetes_watch_tmpfs_files" lineno="817"> <summary> Watch kubernetes tmpfs files. </summary> @@ -84927,7 +85649,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_read_tmpfs_symlinks" lineno="671"> +<interface name="kubernetes_read_tmpfs_symlinks" lineno="835"> <summary> Read kubernetes tmpfs symlinks. </summary> @@ -84937,7 +85659,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_manage_tmpfs_symlinks" lineno="689"> +<interface name="kubernetes_manage_tmpfs_symlinks" lineno="853"> <summary> Manage kubernetes tmpfs symlinks. </summary> 
@@ -84947,7 +85669,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="708"> +<interface name="kubernetes_relabelfrom_tmpfs_dirs" lineno="872"> <summary> Relabel directories from the kubernetes tmpfs type. @@ -84958,7 +85680,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="726"> +<interface name="kubernetes_relabelfrom_tmpfs_files" lineno="890"> <summary> Relabel files from the kubernetes tmpfs type. </summary> @@ -84968,7 +85690,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="744"> +<interface name="kubernetes_relabelfrom_tmpfs_symlinks" lineno="908"> <summary> Relabel symlinks from the kubernetes tmpfs type. </summary> @@ -84978,7 +85700,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_get_unit_status" lineno="762"> +<interface name="kubernetes_get_unit_status" lineno="926"> <summary> Get the status of kubernetes systemd units. </summary> @@ -84988,7 +85710,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_start_unit" lineno="781"> +<interface name="kubernetes_start_unit" lineno="945"> <summary> Start kubernetes systemd units. </summary> @@ -84998,7 +85720,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_stop_unit" lineno="800"> +<interface name="kubernetes_stop_unit" lineno="964"> <summary> Stop kubernetes systemd units. </summary> @@ -85008,7 +85730,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_reload_unit" lineno="819"> +<interface name="kubernetes_reload_unit" lineno="983"> <summary> Reload kubernetes systemd units. </summary> 
@@ -85018,7 +85740,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="kubernetes_admin" lineno="845"> +<interface name="kubernetes_admin" lineno="1009"> <summary> All of the rules required to administrate a kubernetes environment. @@ -90437,7 +91159,7 @@ Role allowed access </summary> </param> </template> -<interface name="postgresql_loadable_module" lineno="125"> +<interface name="postgresql_loadable_module" lineno="123"> <summary> Marks as a SE-PostgreSQL loadable shared library module </summary> @@ -90447,7 +91169,7 @@ Type marked as a database object type. </summary> </param> </interface> -<interface name="postgresql_database_object" lineno="143"> +<interface name="postgresql_database_object" lineno="141"> <summary> Marks as a SE-PostgreSQL database object type </summary> @@ -90457,7 +91179,7 @@ Type marked as a database object type. </summary> </param> </interface> -<interface name="postgresql_schema_object" lineno="161"> +<interface name="postgresql_schema_object" lineno="159"> <summary> Marks as a SE-PostgreSQL schema object type </summary> @@ -90467,7 +91189,7 @@ Type marked as a schema object type. </summary> </param> </interface> -<interface name="postgresql_table_object" lineno="179"> +<interface name="postgresql_table_object" lineno="177"> <summary> Marks as a SE-PostgreSQL table/column/tuple object type </summary> @@ -90477,7 +91199,7 @@ Type marked as a table/column/tuple object type. </summary> </param> </interface> -<interface name="postgresql_system_table_object" lineno="197"> +<interface name="postgresql_system_table_object" lineno="195"> <summary> Marks as a SE-PostgreSQL system table/column/tuple object type </summary> @@ -90487,7 +91209,7 @@ Type marked as a table/column/tuple object type. </summary> </param> </interface> -<interface name="postgresql_sequence_object" lineno="216"> +<interface name="postgresql_sequence_object" lineno="214"> <summary> Marks as a SE-PostgreSQL sequence type </summary> 
@@ -90497,7 +91219,7 @@ Type marked as a sequence type. </summary> </param> </interface> -<interface name="postgresql_view_object" lineno="234"> +<interface name="postgresql_view_object" lineno="232"> <summary> Marks as a SE-PostgreSQL view object type </summary> @@ -90507,7 +91229,7 @@ Type marked as a view object type. </summary> </param> </interface> -<interface name="postgresql_procedure_object" lineno="252"> +<interface name="postgresql_procedure_object" lineno="250"> <summary> Marks as a SE-PostgreSQL procedure object type </summary> @@ -90517,7 +91239,7 @@ Type marked as a procedure object type. </summary> </param> </interface> -<interface name="postgresql_trusted_procedure_object" lineno="270"> +<interface name="postgresql_trusted_procedure_object" lineno="268"> <summary> Marks as a SE-PostgreSQL trusted procedure object type </summary> @@ -90527,7 +91249,7 @@ Type marked as a trusted procedure object type. </summary> </param> </interface> -<interface name="postgresql_language_object" lineno="290"> +<interface name="postgresql_language_object" lineno="288"> <summary> Marks as a SE-PostgreSQL procedural language object type </summary> @@ -90537,7 +91259,7 @@ Type marked as a procedural language object type. </summary> </param> </interface> -<interface name="postgresql_blob_object" lineno="308"> +<interface name="postgresql_blob_object" lineno="306"> <summary> Marks as a SE-PostgreSQL binary large object type </summary> @@ -90547,7 +91269,7 @@ Type marked as a database binary large object type. </summary> </param> </interface> -<interface name="postgresql_search_db" lineno="326"> +<interface name="postgresql_search_db" lineno="324"> <summary> Allow the specified domain to search postgresql's database directory. </summary> 
@@ -90557,7 +91279,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_manage_db" lineno="343"> +<interface name="postgresql_manage_db" lineno="341"> <summary> Allow the specified domain to manage postgresql's database. </summary> @@ -90567,7 +91289,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_exec" lineno="363"> +<interface name="postgresql_exec" lineno="361"> <summary> Execute postgresql in the calling domain. </summary> @@ -90577,7 +91299,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="postgresql_domtrans" lineno="381"> +<interface name="postgresql_domtrans" lineno="379"> <summary> Execute postgresql in the postgresql domain. </summary> @@ -90587,7 +91309,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="postgresql_signal" lineno="399"> +<interface name="postgresql_signal" lineno="397"> <summary> Allow domain to signal postgresql </summary> @@ -90597,7 +91319,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_read_config" lineno="417"> +<interface name="postgresql_read_config" lineno="415"> <summary> Allow the specified domain to read postgresql's etc. </summary> @@ -90608,7 +91330,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="postgresql_tcp_connect" lineno="438"> +<interface name="postgresql_tcp_connect" lineno="436"> <summary> Allow the specified domain to connect to postgresql with a tcp socket. </summary> @@ -90618,7 +91340,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_stream_connect" lineno="459"> +<interface name="postgresql_stream_connect" lineno="457"> <summary> Allow the specified domain to connect to postgresql with a unix socket. </summary> 
@@ -90629,7 +91351,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="postgresql_unpriv_client" lineno="481"> +<interface name="postgresql_unpriv_client" lineno="479"> <summary> Allow the specified domain unprivileged accesses to unifined database objects managed by SE-PostgreSQL, @@ -90640,7 +91362,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_unconfined" lineno="573"> +<interface name="postgresql_unconfined" lineno="569"> <summary> Allow the specified domain unconfined accesses to any database objects managed by SE-PostgreSQL, @@ -90651,7 +91373,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="postgresql_admin" lineno="597"> +<interface name="postgresql_admin" lineno="593"> <summary> All of the rules required to administrate an postgresql environment </summary> @@ -92290,7 +93012,17 @@ Domain prefix to be used. </summary> </param> </template> -<interface name="rpc_dontaudit_getattr_exports" lineno="64"> +<interface name="rpc_list_exports" lineno="63"> +<summary> +List export files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="rpc_dontaudit_getattr_exports" lineno="82"> <summary> Do not audit attempts to get attributes of export files. @@ -92301,7 +93033,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="rpc_read_exports" lineno="82"> +<interface name="rpc_read_exports" lineno="100"> <summary> Read export files. </summary> @@ -92311,7 +93043,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_write_exports" lineno="100"> +<interface name="rpc_create_exports" lineno="118"> +<summary> +Create export files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="rpc_write_exports" lineno="136"> <summary> Write export files. </summary> 
@@ -92321,7 +93063,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_domtrans_nfsd" lineno="118"> +<interface name="rpc_domtrans_nfsd" lineno="154"> <summary> Execute nfsd in the nfsd domain. </summary> @@ -92331,7 +93073,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="rpc_initrc_domtrans_nfsd" lineno="138"> +<interface name="rpc_initrc_domtrans_nfsd" lineno="174"> <summary> Execute nfsd init scripts in the initrc domain. @@ -92342,7 +93084,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="rpc_domtrans_rpcd" lineno="156"> +<interface name="rpc_domtrans_rpcd" lineno="192"> <summary> Execute rpcd in the rpcd domain. </summary> @@ -92352,7 +93094,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="rpc_initrc_domtrans_rpcd" lineno="176"> +<interface name="rpc_initrc_domtrans_rpcd" lineno="212"> <summary> Execute rpcd init scripts in the initrc domain. @@ -92363,7 +93105,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="rpc_read_rpcd_state" lineno="195"> +<interface name="rpc_read_rpcd_state" lineno="231"> <summary> Read the process state (/proc/pid) of rpcd. @@ -92374,7 +93116,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_use_nfsd_fds" lineno="214"> +<interface name="rpc_use_nfsd_fds" lineno="250"> <summary> Inherit and use file descriptors from nfsd. @@ -92385,7 +93127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_read_nfs_content" lineno="233"> +<interface name="rpc_read_nfs_content" lineno="269"> <summary> Read nfs exported content. </summary> @@ -92396,7 +93138,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="rpc_manage_nfs_rw_content" lineno="255"> +<interface name="rpc_manage_nfs_rw_content" lineno="291"> <summary> Create, read, write, and delete nfs exported read write content. 
@@ -92408,7 +93150,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="rpc_manage_nfs_ro_content" lineno="277"> +<interface name="rpc_manage_nfs_ro_content" lineno="313"> <summary> Create, read, write, and delete nfs exported read only content. @@ -92420,7 +93162,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="rpc_tcp_rw_nfs_sockets" lineno="297"> +<interface name="rpc_tcp_rw_nfs_sockets" lineno="333"> <summary> Read and write to nfsd tcp sockets. </summary> @@ -92430,7 +93172,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_udp_rw_nfs_sockets" lineno="315"> +<interface name="rpc_udp_rw_nfs_sockets" lineno="351"> <summary> Read and write to nfsd udp sockets. </summary> @@ -92440,7 +93182,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_search_nfs_state_data" lineno="333"> +<interface name="rpc_search_nfs_state_data" lineno="369"> <summary> Search nfs lib directories. </summary> @@ -92450,7 +93192,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_create_nfs_state_data_dirs" lineno="352"> +<interface name="rpc_create_nfs_state_data_dirs" lineno="388"> <summary> Create nfs lib directories. </summary> @@ -92460,7 +93202,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_read_nfs_state_data" lineno="371"> +<interface name="rpc_read_nfs_state_data" lineno="407"> <summary> Read nfs lib files. </summary> @@ -92470,7 +93212,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_manage_nfs_state_data" lineno="391"> +<interface name="rpc_manage_nfs_state_data" lineno="427"> <summary> Create, read, write, and delete nfs lib files. 
@@ -92481,7 +93223,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="rpc_admin" lineno="421"> +<interface name="rpc_admin" lineno="457"> <summary> All of the rules required to administrate an rpc environment. @@ -94843,7 +95585,7 @@ Role allowed access </summary> </param> </template> -<interface name="ssh_sigchld" lineno="488"> +<interface name="ssh_sigchld" lineno="494"> <summary> Send a SIGCHLD signal to the ssh server. </summary> @@ -94853,7 +95595,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_signal" lineno="506"> +<interface name="ssh_signal" lineno="512"> <summary> Send a generic signal to the ssh server. </summary> @@ -94863,7 +95605,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_signull" lineno="524"> +<interface name="ssh_signull" lineno="530"> <summary> Send a null signal to sshd processes. </summary> @@ -94873,7 +95615,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_read_pipes" lineno="542"> +<interface name="ssh_read_pipes" lineno="548"> <summary> Read a ssh server unnamed pipe. </summary> @@ -94883,7 +95625,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_pipes" lineno="559"> +<interface name="ssh_rw_pipes" lineno="565"> <summary> Read and write a ssh server unnamed pipe. </summary> @@ -94893,7 +95635,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_stream_sockets" lineno="577"> +<interface name="ssh_rw_stream_sockets" lineno="583"> <summary> Read and write ssh server unix domain stream sockets. </summary> @@ -94903,7 +95645,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_rw_tcp_sockets" lineno="595"> +<interface name="ssh_rw_tcp_sockets" lineno="601"> <summary> Read and write ssh server TCP sockets. </summary> 
@@ -94913,7 +95655,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="614"> +<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="620"> <summary> Do not audit attempts to read and write ssh server TCP sockets. @@ -94924,7 +95666,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="ssh_exec_sshd" lineno="632"> +<interface name="ssh_exec_sshd" lineno="638"> <summary> Execute the ssh daemon in the caller domain. </summary> @@ -94934,7 +95676,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_domtrans" lineno="651"> +<interface name="ssh_domtrans" lineno="657"> <summary> Execute the ssh daemon sshd domain. </summary> @@ -94944,7 +95686,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_client_domtrans" lineno="669"> +<interface name="ssh_client_domtrans" lineno="675"> <summary> Execute the ssh client in the ssh client domain. </summary> @@ -94954,7 +95696,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_exec" lineno="687"> +<interface name="ssh_exec" lineno="693"> <summary> Execute the ssh client in the caller domain. </summary> @@ -94964,7 +95706,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_setattr_key_files" lineno="706"> +<interface name="ssh_setattr_key_files" lineno="712"> <summary> Set the attributes of sshd key files. </summary> @@ -94974,7 +95716,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_agent_exec" lineno="725"> +<interface name="ssh_agent_exec" lineno="731"> <summary> Execute the ssh agent client in the caller domain. </summary> 
@@ -94984,7 +95726,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_setattr_home_dirs" lineno="744"> +<interface name="ssh_setattr_home_dirs" lineno="750"> <summary> Set the attributes of ssh home directory (~/.ssh) </summary> @@ -94994,7 +95736,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_create_home_dirs" lineno="762"> +<interface name="ssh_create_home_dirs" lineno="768"> <summary> Create ssh home directory (~/.ssh) </summary> @@ -95004,7 +95746,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_read_user_home_files" lineno="781"> +<interface name="ssh_read_user_home_files" lineno="787"> <summary> Read ssh home directory content </summary> @@ -95014,7 +95756,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_domtrans_keygen" lineno="802"> +<interface name="ssh_domtrans_keygen" lineno="808"> <summary> Execute the ssh key generator in the ssh keygen domain. </summary> @@ -95024,7 +95766,23 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="ssh_read_server_keys" lineno="820"> +<interface name="ssh_run_keygen" lineno="832"> +<summary> +Execute the ssh key generator in the ssh keygen domain, +and allow the specified role the ssh keygen domain. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<param name="role"> +<summary> +Role allowed access. +</summary> +</param> +</interface> +<interface name="ssh_read_server_keys" lineno="851"> <summary> Read ssh server keys </summary> @@ -95034,7 +95792,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_read_server_keys" lineno="838"> +<interface name="ssh_dontaudit_read_server_keys" lineno="869"> <summary> Do not audit denials on reading ssh server keys </summary> 
@@ -95044,7 +95802,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="ssh_manage_home_files" lineno="856"> +<interface name="ssh_manage_home_files" lineno="887"> <summary> Manage ssh home directory content </summary> @@ -95054,7 +95812,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_delete_tmp" lineno="875"> +<interface name="ssh_delete_tmp" lineno="906"> <summary> Delete from the ssh temp files. </summary> @@ -95064,7 +95822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="ssh_dontaudit_agent_tmp" lineno="894"> +<interface name="ssh_dontaudit_agent_tmp" lineno="925"> <summary> dontaudit access to ssh agent tmp dirs </summary> @@ -98946,7 +99704,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_use_pam_motd_dynamic" lineno="121"> +<interface name="auth_use_pam_motd_dynamic" lineno="122"> <summary> Use the pam module motd with dynamic support during authentication. This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071) @@ -98958,7 +99716,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_pam_motd_dynamic" lineno="146"> +<interface name="auth_read_pam_motd_dynamic" lineno="147"> <summary> Read the pam module motd with dynamic support during authentication. </summary> @@ -98968,7 +99726,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_login_pgm_domain" lineno="165"> +<interface name="auth_login_pgm_domain" lineno="166"> <summary> Make the specified domain used for a login program. </summary> @@ -98978,7 +99736,7 @@ Domain type used for a login program domain. </summary> </param> </interface> -<interface name="auth_login_entry_type" lineno="252"> +<interface name="auth_login_entry_type" lineno="253"> <summary> Use the login program as an entry point program. </summary> 
@@ -98988,7 +99746,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_login_program" lineno="275"> +<interface name="auth_domtrans_login_program" lineno="276"> <summary> Execute a login_program in the target domain. </summary> @@ -99003,7 +99761,7 @@ The type of the login_program process. </summary> </param> </interface> -<interface name="auth_ranged_domtrans_login_program" lineno="305"> +<interface name="auth_ranged_domtrans_login_program" lineno="306"> <summary> Execute a login_program in the target domain, with a range transition. @@ -99024,7 +99782,7 @@ Range of the login program. </summary> </param> </interface> -<interface name="auth_search_cache" lineno="331"> +<interface name="auth_search_cache" lineno="332"> <summary> Search authentication cache </summary> @@ -99034,7 +99792,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_cache" lineno="349"> +<interface name="auth_read_cache" lineno="350"> <summary> Read authentication cache </summary> @@ -99044,7 +99802,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_cache" lineno="367"> +<interface name="auth_rw_cache" lineno="368"> <summary> Read/Write authentication cache </summary> @@ -99054,7 +99812,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_cache" lineno="385"> +<interface name="auth_manage_cache" lineno="386"> <summary> Manage authentication cache </summary> @@ -99064,7 +99822,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_var_filetrans_cache" lineno="404"> +<interface name="auth_var_filetrans_cache" lineno="405"> <summary> Automatic transition from cache_t to cache. </summary> 
@@ -99074,7 +99832,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_chk_passwd" lineno="422"> +<interface name="auth_domtrans_chk_passwd" lineno="423"> <summary> Run unix_chkpwd to check a password. </summary> @@ -99084,7 +99842,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_domtrans_chkpwd" lineno="466"> +<interface name="auth_domtrans_chkpwd" lineno="467"> <summary> Run unix_chkpwd to check a password. Stripped down version to be called within boolean @@ -99095,7 +99853,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_chk_passwd" lineno="488"> +<interface name="auth_run_chk_passwd" lineno="489"> <summary> Execute chkpwd programs in the chkpwd domain. </summary> @@ -99110,7 +99868,7 @@ The role to allow the chkpwd domain. </summary> </param> </interface> -<interface name="auth_domtrans_upd_passwd" lineno="507"> +<interface name="auth_domtrans_upd_passwd" lineno="508"> <summary> Execute a domain transition to run unix_update. </summary> @@ -99120,7 +99878,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_upd_passwd" lineno="532"> +<interface name="auth_run_upd_passwd" lineno="533"> <summary> Execute updpwd programs in the updpwd domain. </summary> @@ -99135,7 +99893,7 @@ The role to allow the updpwd domain. </summary> </param> </interface> -<interface name="auth_getattr_shadow" lineno="551"> +<interface name="auth_getattr_shadow" lineno="552"> <summary> Get the attributes of the shadow passwords file. </summary> @@ -99145,7 +99903,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_getattr_shadow" lineno="571"> +<interface name="auth_dontaudit_getattr_shadow" lineno="572"> <summary> Do not audit attempts to get the attributes of the shadow passwords file. 
@@ -99156,7 +99914,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_read_shadow" lineno="593"> +<interface name="auth_read_shadow" lineno="594"> <summary> Read the shadow passwords file (/etc/shadow) </summary> @@ -99166,7 +99924,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_map_shadow" lineno="609"> +<interface name="auth_map_shadow" lineno="610"> <summary> Map the shadow passwords file (/etc/shadow) </summary> @@ -99176,7 +99934,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_can_read_shadow_passwords" lineno="635"> +<interface name="auth_can_read_shadow_passwords" lineno="636"> <summary> Pass shadow assertion for reading. </summary> @@ -99195,7 +99953,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_tunable_read_shadow" lineno="661"> +<interface name="auth_tunable_read_shadow" lineno="662"> <summary> Read the shadow password file. </summary> @@ -99213,7 +99971,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_read_shadow" lineno="681"> +<interface name="auth_dontaudit_read_shadow" lineno="682"> <summary> Do not audit attempts to read the shadow password file (/etc/shadow). @@ -99224,7 +99982,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_rw_shadow" lineno="699"> +<interface name="auth_rw_shadow" lineno="700"> <summary> Read and write the shadow password file (/etc/shadow). </summary> @@ -99234,7 +99992,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_shadow" lineno="722"> +<interface name="auth_manage_shadow" lineno="723"> <summary> Create, read, write, and delete the shadow password file. 
@@ -99245,7 +100003,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_etc_filetrans_shadow" lineno="749"> +<interface name="auth_etc_filetrans_shadow" lineno="751"> <summary> Automatic transition from etc to shadow. </summary> @@ -99260,7 +100018,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_read_shadow_history" lineno="767"> +<interface name="auth_read_shadow_history" lineno="769"> <summary> Read the shadow history file. </summary> @@ -99270,7 +100028,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_shadow_history" lineno="786"> +<interface name="auth_manage_shadow_history" lineno="788"> <summary> Manage the shadow history file. </summary> @@ -99280,7 +100038,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabelto_shadow" lineno="806"> +<interface name="auth_relabelto_shadow" lineno="808"> <summary> Relabel to the shadow password file type. @@ -99291,7 +100049,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_shadow" lineno="828"> +<interface name="auth_relabel_shadow" lineno="830"> <summary> Relabel from and to the shadow password file type. @@ -99302,7 +100060,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_shadow_lock" lineno="849"> +<interface name="auth_rw_shadow_lock" lineno="851"> <summary> Read/Write shadow lock files. </summary> @@ -99312,7 +100070,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_append_faillog" lineno="867"> +<interface name="auth_append_faillog" lineno="869"> <summary> Append to the login failure log. </summary> 
@@ -99322,7 +100080,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_create_faillog_files" lineno="886"> +<interface name="auth_create_faillog_files" lineno="888"> <summary> Create fail log lock (in /run/faillock). </summary> @@ -99332,7 +100090,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_faillog" lineno="904"> +<interface name="auth_rw_faillog" lineno="906"> <summary> Read and write the login failure log. </summary> @@ -99342,7 +100100,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_faillog" lineno="923"> +<interface name="auth_manage_faillog" lineno="925"> <summary> Manage the login failure logs. </summary> @@ -99352,7 +100110,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_setattr_faillog_files" lineno="942"> +<interface name="auth_setattr_faillog_files" lineno="944"> <summary> Setattr the login failure logs. </summary> @@ -99362,7 +100120,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_lastlog" lineno="961"> +<interface name="auth_read_lastlog" lineno="963"> <summary> Read the last logins log. </summary> @@ -99373,7 +100131,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="auth_append_lastlog" lineno="980"> +<interface name="auth_append_lastlog" lineno="982"> <summary> Append only to the last logins log. </summary> @@ -99383,7 +100141,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_lastlog" lineno="999"> +<interface name="auth_relabel_lastlog" lineno="1001"> <summary> relabel the last logins log. </summary> @@ -99393,7 +100151,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_lastlog" lineno="1018"> +<interface name="auth_rw_lastlog" lineno="1020"> <summary> Read and write to the last logins log. </summary> 
@@ -99403,7 +100161,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_lastlog" lineno="1037"> +<interface name="auth_manage_lastlog" lineno="1039"> <summary> Manage the last logins log. </summary> @@ -99413,7 +100171,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_pam" lineno="1056"> +<interface name="auth_domtrans_pam" lineno="1058"> <summary> Execute pam programs in the pam domain. </summary> @@ -99423,7 +100181,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_signal_pam" lineno="1074"> +<interface name="auth_signal_pam" lineno="1076"> <summary> Send generic signals to pam processes. </summary> @@ -99433,7 +100191,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_run_pam" lineno="1097"> +<interface name="auth_run_pam" lineno="1099"> <summary> Execute pam programs in the PAM domain. </summary> @@ -99448,7 +100206,7 @@ The role to allow the PAM domain. </summary> </param> </interface> -<interface name="auth_exec_pam" lineno="1116"> +<interface name="auth_exec_pam" lineno="1118"> <summary> Execute the pam program. </summary> @@ -99458,7 +100216,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_var_auth" lineno="1135"> +<interface name="auth_read_var_auth" lineno="1137"> <summary> Read var auth files. Used by various other applications and pam applets etc. @@ -99469,7 +100227,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_var_auth" lineno="1155"> +<interface name="auth_rw_var_auth" lineno="1157"> <summary> Read and write var auth files. Used by various other applications and pam applets etc. 
@@ -99480,7 +100238,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_var_auth" lineno="1175"> +<interface name="auth_manage_var_auth" lineno="1177"> <summary> Manage var auth files. Used by various other applications and pam applets etc. @@ -99491,7 +100249,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_runtime_dirs" lineno="1196"> +<interface name="auth_manage_pam_runtime_dirs" lineno="1198"> <summary> Manage pam runtime dirs. </summary> @@ -99501,7 +100259,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_runtime_filetrans_pam_runtime" lineno="1227"> +<interface name="auth_runtime_filetrans_pam_runtime" lineno="1229"> <summary> Create specified objects in pid directories with the pam runtime @@ -99523,7 +100281,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_read_pam_runtime_files" lineno="1245"> +<interface name="auth_read_pam_runtime_files" lineno="1247"> <summary> Read PAM runtime files. </summary> @@ -99533,7 +100291,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1265"> +<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1267"> <summary> Do not audit attempts to read PAM runtime files. </summary> @@ -99543,7 +100301,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_delete_pam_runtime_files" lineno="1283"> +<interface name="auth_delete_pam_runtime_files" lineno="1285"> <summary> Delete pam runtime files. </summary> @@ -99553,7 +100311,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_runtime_files" lineno="1302"> +<interface name="auth_manage_pam_runtime_files" lineno="1304"> <summary> Create, read, write, and delete pam runtime files. </summary> 
@@ -99563,7 +100321,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_domtrans_pam_console" lineno="1321"> +<interface name="auth_domtrans_pam_console" lineno="1323"> <summary> Execute pam_console with a domain transition. </summary> @@ -99573,7 +100331,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_search_pam_console_data" lineno="1340"> +<interface name="auth_search_pam_console_data" lineno="1342"> <summary> Search the contents of the pam_console data directory. @@ -99584,7 +100342,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_list_pam_console_data" lineno="1360"> +<interface name="auth_list_pam_console_data" lineno="1362"> <summary> List the contents of the pam_console data directory. @@ -99595,7 +100353,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_create_pam_console_data_dirs" lineno="1379"> +<interface name="auth_create_pam_console_data_dirs" lineno="1381"> <summary> Create pam var console pid directories. </summary> @@ -99605,7 +100363,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_pam_console_data_dirs" lineno="1398"> +<interface name="auth_relabel_pam_console_data_dirs" lineno="1400"> <summary> Relabel pam_console data directories. </summary> @@ -99615,7 +100373,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_pam_console_data" lineno="1416"> +<interface name="auth_read_pam_console_data" lineno="1418"> <summary> Read pam_console data files. </summary> @@ -99625,7 +100383,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_pam_console_data" lineno="1437"> +<interface name="auth_manage_pam_console_data" lineno="1439"> <summary> Create, read, write, and delete pam_console data files. 
@@ -99636,7 +100394,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_delete_pam_console_data" lineno="1457"> +<interface name="auth_delete_pam_console_data" lineno="1459"> <summary> Delete pam_console data. </summary> @@ -99646,7 +100404,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_runtime_filetrans_pam_var_console" lineno="1490"> +<interface name="auth_runtime_filetrans_pam_var_console" lineno="1492"> <summary> Create specified objects in generic runtime directories with the pam var @@ -99669,7 +100427,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="auth_domtrans_utempter" lineno="1508"> +<interface name="auth_domtrans_utempter" lineno="1510"> <summary> Execute utempter programs in the utempter domain. </summary> @@ -99679,7 +100437,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="auth_run_utempter" lineno="1531"> +<interface name="auth_run_utempter" lineno="1533"> <summary> Execute utempter programs in the utempter domain. </summary> @@ -99694,7 +100452,7 @@ The role to allow the utempter domain. </summary> </param> </interface> -<interface name="auth_dontaudit_exec_utempter" lineno="1550"> +<interface name="auth_dontaudit_exec_utempter" lineno="1552"> <summary> Do not audit attempts to execute utempter executable. </summary> @@ -99704,7 +100462,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_setattr_login_records" lineno="1568"> +<interface name="auth_setattr_login_records" lineno="1570"> <summary> Set the attributes of login record files. </summary> @@ -99714,7 +100472,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_read_login_records" lineno="1588"> +<interface name="auth_read_login_records" lineno="1590"> <summary> Read login records files (/var/log/wtmp). </summary> 
@@ -99725,7 +100483,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="auth_dontaudit_read_login_records" lineno="1609"> +<interface name="auth_dontaudit_read_login_records" lineno="1611"> <summary> Do not audit attempts to read login records files (/var/log/wtmp). @@ -99737,7 +100495,7 @@ Domain to not audit. </param> <rolecap/> </interface> -<interface name="auth_dontaudit_write_login_records" lineno="1628"> +<interface name="auth_dontaudit_write_login_records" lineno="1630"> <summary> Do not audit attempts to write to login records files. @@ -99748,7 +100506,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="auth_append_login_records" lineno="1646"> +<interface name="auth_append_login_records" lineno="1648"> <summary> Append to login records (wtmp). </summary> @@ -99758,7 +100516,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_write_login_records" lineno="1665"> +<interface name="auth_write_login_records" lineno="1667"> <summary> Write to login records (wtmp). </summary> @@ -99768,7 +100526,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_rw_login_records" lineno="1683"> +<interface name="auth_rw_login_records" lineno="1685"> <summary> Read and write login records. </summary> @@ -99778,7 +100536,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_log_filetrans_login_records" lineno="1703"> +<interface name="auth_log_filetrans_login_records" lineno="1705"> <summary> Create a login records in the log directory using a type transition. @@ -99789,7 +100547,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_manage_login_records" lineno="1722"> +<interface name="auth_manage_login_records" lineno="1724"> <summary> Create, read, write, and delete login records files. 
@@ -99800,7 +100558,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_relabel_login_records" lineno="1741"> +<interface name="auth_relabel_login_records" lineno="1743"> <summary> Relabel login record files. </summary> @@ -99810,7 +100568,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="auth_use_nsswitch" lineno="1769"> +<interface name="auth_use_nsswitch" lineno="1771"> <summary> Use nsswitch to look up user, password, group, or host information. @@ -99830,7 +100588,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="auth_unconfined" lineno="1797"> +<interface name="auth_unconfined" lineno="1799"> <summary> Unconfined access to the authlogin module. </summary> @@ -100551,7 +101309,7 @@ Type of the program to be used as an entry point to this domain. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="init_ranged_daemon_domain" lineno="433"> +<interface name="init_ranged_daemon_domain" lineno="437"> <summary> Create a domain for long running processes (daemons/services) which are started by init scripts, @@ -100593,7 +101351,7 @@ MLS/MCS range for the domain. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="init_abstract_socket_activation" lineno="464"> +<interface name="init_abstract_socket_activation" lineno="468"> <summary> Abstract socket service activation (systemd). </summary> @@ -100603,7 +101361,7 @@ The domain to be started by systemd socket activation. </summary> </param> </interface> -<interface name="init_named_socket_activation" lineno="489"> +<interface name="init_named_socket_activation" lineno="493"> <summary> Named socket service activation (systemd). </summary> 
@@ -100618,7 +101376,7 @@ The domain socket file type. </summary> </param> </interface> -<interface name="init_system_domain" lineno="540"> +<interface name="init_system_domain" lineno="544"> <summary> Create a domain for short running processes which are started by init scripts. @@ -100655,7 +101413,7 @@ Type of the program to be used as an entry point to this domain. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="init_ranged_system_domain" lineno="602"> +<interface name="init_ranged_system_domain" lineno="608"> <summary> Create a domain for short running processes which are started by init scripts. @@ -100698,7 +101456,7 @@ Range for the domain. </param> <infoflow type="read" weight="10"/> </interface> -<interface name="init_dyntrans" lineno="633"> +<interface name="init_dyntrans" lineno="639"> <summary> Allow domain dyntransition to init_t domain. </summary> @@ -100708,7 +101466,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_daemon_runtime_file" lineno="662"> +<interface name="init_daemon_runtime_file" lineno="668"> <summary> Mark the file type as a daemon runtime file, allowing initrc_t to create it @@ -100729,7 +101487,7 @@ Filename of the file that the init script creates </summary> </param> </interface> -<interface name="init_daemon_lock_file" lineno="695"> +<interface name="init_daemon_lock_file" lineno="701"> <summary> Mark the file type as a daemon lock file, allowing initrc_t to create it @@ -100750,7 +101508,7 @@ Filename of the file that the init script creates </summary> </param> </interface> -<interface name="init_domtrans" lineno="717"> +<interface name="init_domtrans" lineno="723"> <summary> Execute init (/sbin/init) with a domain transition. </summary> 
@@ -100760,7 +101518,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_pgm_spec_user_daemon_domain" lineno="741"> +<interface name="init_pgm_spec_user_daemon_domain" lineno="747"> <summary> Execute init (/sbin/init) with a domain transition to the provided domain. @@ -100776,7 +101534,7 @@ The type to be used as a systemd --user domain. </summary> </param> </interface> -<interface name="init_exec" lineno="769"> +<interface name="init_exec" lineno="775"> <summary> Execute the init program in the caller domain. </summary> @@ -100787,7 +101545,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_pgm_entrypoint" lineno="790"> +<interface name="init_pgm_entrypoint" lineno="796"> <summary> Allow the init program to be an entrypoint for the specified domain. @@ -100799,7 +101557,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_exec_rc" lineno="819"> +<interface name="init_exec_rc" lineno="825"> <summary> Execute the rc application in the caller domain. </summary> @@ -100820,7 +101578,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getpgid" lineno="838"> +<interface name="init_getpgid" lineno="844"> <summary> Get the process group of init. </summary> @@ -100830,7 +101588,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signal" lineno="856"> +<interface name="init_signal" lineno="862"> <summary> Send init a generic signal. </summary> @@ -100840,7 +101598,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signull" lineno="874"> +<interface name="init_signull" lineno="880"> <summary> Send init a null signal. </summary> @@ -100850,7 +101608,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_sigchld" lineno="892"> +<interface name="init_sigchld" lineno="898"> <summary> Send init a SIGCHLD signal. </summary> 
@@ -100860,7 +101618,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_setsched" lineno="910"> +<interface name="init_setsched" lineno="916"> <summary> Set the nice level of init. </summary> @@ -100870,7 +101628,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_write_mountpoint_files" lineno="934"> +<interface name="init_write_mountpoint_files" lineno="940"> <summary> Write systemd mountpoint files. </summary> @@ -100886,7 +101644,7 @@ must be negated by the caller. </summary> </param> </interface> -<interface name="init_create_mountpoint_files" lineno="958"> +<interface name="init_create_mountpoint_files" lineno="964"> <summary> Create systemd mountpoint files. </summary> @@ -100902,7 +101660,7 @@ must be negated by the caller. </summary> </param> </interface> -<interface name="init_stream_connect" lineno="976"> +<interface name="init_stream_connect" lineno="982"> <summary> Connect to init with a unix socket. </summary> @@ -100912,7 +101670,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_unix_stream_socket_connectto" lineno="997"> +<interface name="init_unix_stream_socket_connectto" lineno="1003"> <summary> Connect to init with a unix socket. Without any additional permissions. @@ -100923,7 +101681,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_unix_stream_socket_sendto" lineno="1016"> +<interface name="init_unix_stream_socket_sendto" lineno="1022"> <summary> Send to init with a unix socket. Without any additional permissions. @@ -100934,7 +101692,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_fds" lineno="1074"> +<interface name="init_use_fds" lineno="1080"> <summary> Inherit and use file descriptors from init. </summary> 
@@ -100984,7 +101742,7 @@ Domain allowed access. </param> <infoflow type="read" weight="1"/> </interface> -<interface name="init_dontaudit_use_fds" lineno="1093"> +<interface name="init_dontaudit_use_fds" lineno="1099"> <summary> Do not audit attempts to inherit file descriptors from init. @@ -100995,7 +101753,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_dgram_send" lineno="1112"> +<interface name="init_dgram_send" lineno="1118"> <summary> Send messages to init unix datagram sockets. </summary> @@ -101006,7 +101764,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_rw_inherited_stream_socket" lineno="1132"> +<interface name="init_rw_inherited_stream_socket" lineno="1138"> <summary> Read and write to inherited init unix streams. </summary> @@ -101016,7 +101774,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_stream_sockets" lineno="1151"> +<interface name="init_rw_stream_sockets" lineno="1157"> <summary> Allow the specified domain to read/write to init with unix domain stream sockets. @@ -101027,7 +101785,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_search_keys" lineno="1169"> +<interface name="init_dontaudit_search_keys" lineno="1175"> <summary> Do not audit attempts to search init keys. </summary> @@ -101037,7 +101795,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_system" lineno="1187"> +<interface name="init_start_system" lineno="1193"> <summary> start service (systemd). </summary> @@ -101047,7 +101805,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_system" lineno="1205"> +<interface name="init_stop_system" lineno="1212"> <summary> stop service (systemd). </summary> 
@@ -101057,7 +101815,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_system_status" lineno="1223"> +<interface name="init_get_system_status" lineno="1231"> <summary> Get all service status (systemd). </summary> @@ -101067,7 +101825,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_enable" lineno="1241"> +<interface name="init_enable" lineno="1250"> <summary> Enable all systemd services (systemd). </summary> @@ -101077,7 +101835,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_disable" lineno="1259"> +<interface name="init_disable" lineno="1269"> <summary> Disable all services (systemd). </summary> @@ -101087,7 +101845,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_reload" lineno="1277"> +<interface name="init_reload" lineno="1288"> <summary> Reload all services (systemd). </summary> @@ -101097,7 +101855,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_reboot_system" lineno="1295"> +<interface name="init_reboot_system" lineno="1307"> <summary> Reboot the system (systemd). </summary> @@ -101107,7 +101865,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_shutdown_system" lineno="1313"> +<interface name="init_shutdown_system" lineno="1326"> <summary> Shutdown (halt) the system (systemd). </summary> @@ -101117,7 +101875,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_service_status" lineno="1331"> +<interface name="init_service_status" lineno="1345"> <summary> Allow specified domain to get init status </summary> @@ -101127,7 +101885,7 @@ Domain to allow access. </summary> </param> </interface> -<interface name="init_service_start" lineno="1350"> +<interface name="init_service_start" lineno="1364"> <summary> Allow specified domain to get init start </summary> 
@@ -101137,7 +101895,7 @@ Domain to allow access. </summary> </param> </interface> -<interface name="init_dbus_chat" lineno="1370"> +<interface name="init_dbus_chat" lineno="1384"> <summary> Send and receive messages from systemd over dbus. @@ -101148,7 +101906,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_run_bpf" lineno="1390"> +<interface name="init_run_bpf" lineno="1404"> <summary> Run init BPF programs. </summary> @@ -101158,7 +101916,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_var_lib_links" lineno="1409"> +<interface name="init_read_var_lib_links" lineno="1422"> <summary> read/follow symlinks under /var/lib/systemd/ </summary> @@ -101168,7 +101926,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_search_var_lib_dirs" lineno="1428"> +<interface name="init_search_var_lib_dirs" lineno="1441"> <summary> Search /var/lib/systemd/ dirs </summary> @@ -101178,7 +101936,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_var_lib_dirs" lineno="1447"> +<interface name="init_list_var_lib_dirs" lineno="1460"> <summary> List /var/lib/systemd/ dir </summary> @@ -101188,7 +101946,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_relabel_var_lib_dirs" lineno="1465"> +<interface name="init_relabel_var_lib_dirs" lineno="1478"> <summary> Relabel dirs in /var/lib/systemd/. </summary> @@ -101198,7 +101956,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_random_seed" lineno="1486"> +<interface name="init_manage_random_seed" lineno="1499"> <summary> Create, read, write, and delete the pseudorandom number generator seed 
@@ -101211,7 +101969,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_var_lib_files" lineno="1507"> +<interface name="init_manage_var_lib_files" lineno="1520"> <summary> Manage files in /var/lib/systemd/. </summary> @@ -101221,7 +101979,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_var_lib_filetrans" lineno="1542"> +<interface name="init_var_lib_filetrans" lineno="1555"> <summary> Create files in /var/lib/systemd with an automatic type transition. @@ -101247,7 +102005,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_search_runtime" lineno="1561"> +<interface name="init_search_runtime" lineno="1574"> <summary> Search init runtime directories, e.g. /run/systemd. </summary> @@ -101257,7 +102015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_runtime" lineno="1579"> +<interface name="init_list_runtime" lineno="1592"> <summary> List init runtime directories, e.g. /run/systemd. </summary> @@ -101267,7 +102025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_runtime_dirs" lineno="1599"> +<interface name="init_manage_runtime_dirs" lineno="1612"> <summary> Create, read, write, and delete directories in the /run/systemd directory. @@ -101278,7 +102036,18 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_runtime_filetrans" lineno="1632"> +<interface name="init_manage_runtime_files" lineno="1631"> +<summary> +Create, read, write, and delete +files in the /run/systemd directory. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_runtime_filetrans" lineno="1664"> <summary> Create files in an init runtime directory with a private type. </summary> 
@@ -101303,7 +102072,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_write_runtime_files" lineno="1651"> +<interface name="init_write_runtime_files" lineno="1683"> <summary> Write init runtime files, e.g. in /run/systemd. </summary> @@ -101313,7 +102082,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_create_runtime_files" lineno="1669"> +<interface name="init_create_runtime_files" lineno="1701"> <summary> Create init runtime files, e.g. in /run/systemd. </summary> @@ -101323,7 +102092,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_runtime_symlinks" lineno="1687"> +<interface name="init_manage_runtime_symlinks" lineno="1719"> <summary> Create init runtime symbolic links, e.g. in /run/systemd. </summary> @@ -101333,7 +102102,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_initctl" lineno="1705"> +<interface name="init_getattr_initctl" lineno="1737"> <summary> Get the attributes of initctl. </summary> @@ -101343,7 +102112,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_getattr_initctl" lineno="1726"> +<interface name="init_dontaudit_getattr_initctl" lineno="1758"> <summary> Do not audit attempts to get the attributes of initctl. @@ -101354,7 +102123,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_write_initctl" lineno="1744"> +<interface name="init_write_initctl" lineno="1776"> <summary> Write to initctl. </summary> @@ -101364,7 +102133,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_telinit" lineno="1765"> +<interface name="init_telinit" lineno="1797"> <summary> Use telinit (Read and write initctl). </summary> 
@@ -101375,7 +102144,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_rw_initctl" lineno="1798"> +<interface name="init_rw_initctl" lineno="1830"> <summary> Read and write initctl. </summary> @@ -101385,7 +102154,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_rw_initctl" lineno="1819"> +<interface name="init_dontaudit_rw_initctl" lineno="1851"> <summary> Do not audit attempts to read and write initctl. @@ -101396,7 +102165,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_script_file_entry_type" lineno="1838"> +<interface name="init_script_file_entry_type" lineno="1870"> <summary> Make init scripts an entry point for the specified domain. @@ -101407,7 +102176,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_spec_domtrans_script" lineno="1861"> +<interface name="init_spec_domtrans_script" lineno="1893"> <summary> Execute init scripts with a specified domain transition. </summary> @@ -101417,7 +102186,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_domtrans_script" lineno="1888"> +<interface name="init_domtrans_script" lineno="1920"> <summary> Execute init scripts with an automatic domain transition. </summary> @@ -101427,7 +102196,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_domtrans_labeled_script" lineno="1923"> +<interface name="init_domtrans_labeled_script" lineno="1955"> <summary> Execute labelled init scripts with an automatic domain transition. </summary> @@ -101437,7 +102206,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_script_file_domtrans" lineno="1969"> +<interface name="init_script_file_domtrans" lineno="2001"> <summary> Execute a init script in a specified domain. </summary> 
@@ -101462,7 +102231,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="init_kill_scripts" lineno="1988"> +<interface name="init_kill_scripts" lineno="2020"> <summary> Send a kill signal to init scripts. </summary> @@ -101472,7 +102241,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_script_service" lineno="2006"> +<interface name="init_manage_script_service" lineno="2038"> <summary> Allow manage service for initrc_exec_t scripts </summary> @@ -101482,7 +102251,7 @@ Target domain </summary> </param> </interface> -<interface name="init_labeled_script_domtrans" lineno="2031"> +<interface name="init_labeled_script_domtrans" lineno="2063"> <summary> Transition to the init script domain on a specified labeled init script. @@ -101498,7 +102267,7 @@ Labeled init script file. </summary> </param> </interface> -<interface name="init_all_labeled_script_domtrans" lineno="2053"> +<interface name="init_all_labeled_script_domtrans" lineno="2085"> <summary> Transition to the init script domain for all labeled init script types @@ -101509,7 +102278,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="init_get_script_status" lineno="2071"> +<interface name="init_get_script_status" lineno="2103"> <summary> Allow getting service status of initrc_exec_t scripts </summary> @@ -101519,7 +102288,7 @@ Target domain </summary> </param> </interface> -<interface name="init_startstop_service" lineno="2111"> +<interface name="init_startstop_service" lineno="2143"> <summary> Allow the role to start and stop labeled services. @@ -101550,7 +102319,7 @@ Systemd unit file type. </summary> </param> </interface> -<interface name="init_run_daemon" lineno="2167"> +<interface name="init_run_daemon" lineno="2199"> <summary> Start and stop daemon programs directly. </summary> 
@@ -101572,7 +102341,7 @@ The role to be performing this action. </summary> </param> </interface> -<interface name="init_startstop_all_script_services" lineno="2189"> +<interface name="init_startstop_all_script_services" lineno="2221"> <summary> Start and stop init_script_file_type services </summary> @@ -101582,7 +102351,7 @@ domain that can start and stop the services </summary> </param> </interface> -<interface name="init_read_state" lineno="2208"> +<interface name="init_read_state" lineno="2240"> <summary> Read the process state (/proc/pid) of init. </summary> @@ -101592,7 +102361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_state" lineno="2228"> +<interface name="init_dontaudit_read_state" lineno="2260"> <summary> Dontaudit read the process state (/proc/pid) of init. </summary> @@ -101602,7 +102371,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_ptrace" lineno="2249"> +<interface name="init_ptrace" lineno="2281"> <summary> Ptrace init </summary> @@ -101613,7 +102382,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_getattr" lineno="2268"> +<interface name="init_getattr" lineno="2300"> <summary> get init process stats </summary> @@ -101624,7 +102393,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="init_read_script_pipes" lineno="2286"> +<interface name="init_read_script_pipes" lineno="2318"> <summary> Read an init script unnamed pipe. </summary> @@ -101634,7 +102403,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_write_script_pipes" lineno="2304"> +<interface name="init_write_script_pipes" lineno="2336"> <summary> Write an init script unnamed pipe. </summary> 
@@ -101644,7 +102413,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_script_files" lineno="2322"> +<interface name="init_getattr_script_files" lineno="2354"> <summary> Get the attribute of init script entrypoint files. </summary> @@ -101654,7 +102423,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_files" lineno="2341"> +<interface name="init_read_script_files" lineno="2373"> <summary> Read init scripts. </summary> @@ -101664,7 +102433,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_exec_script_files" lineno="2360"> +<interface name="init_exec_script_files" lineno="2392"> <summary> Execute init scripts in the caller domain. </summary> @@ -101674,7 +102443,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_all_script_files" lineno="2379"> +<interface name="init_getattr_all_script_files" lineno="2411"> <summary> Get the attribute of all init script entrypoint files. </summary> @@ -101684,7 +102453,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_all_script_files" lineno="2398"> +<interface name="init_read_all_script_files" lineno="2430"> <summary> Read all init script files. </summary> @@ -101694,7 +102463,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_all_script_files" lineno="2422"> +<interface name="init_dontaudit_read_all_script_files" lineno="2454"> <summary> Dontaudit read all init script files. </summary> @@ -101704,7 +102473,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_exec_all_script_files" lineno="2440"> +<interface name="init_exec_all_script_files" lineno="2472"> <summary> Execute all init scripts in the caller domain. </summary> 
@@ -101714,7 +102483,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_state" lineno="2459"> +<interface name="init_read_script_state" lineno="2491"> <summary> Read the process state (/proc/pid) of the init scripts. </summary> @@ -101724,7 +102493,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_script_fds" lineno="2478"> +<interface name="init_use_script_fds" lineno="2510"> <summary> Inherit and use init script file descriptors. </summary> @@ -101734,7 +102503,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_use_script_fds" lineno="2497"> +<interface name="init_dontaudit_use_script_fds" lineno="2529"> <summary> Do not audit attempts to inherit init script file descriptors. @@ -101745,7 +102514,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_search_script_keys" lineno="2515"> +<interface name="init_search_script_keys" lineno="2547"> <summary> Search init script keys. </summary> @@ -101755,7 +102524,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getpgid_script" lineno="2533"> +<interface name="init_getpgid_script" lineno="2565"> <summary> Get the process group ID of init scripts. </summary> @@ -101765,7 +102534,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_sigchld_script" lineno="2551"> +<interface name="init_sigchld_script" lineno="2583"> <summary> Send SIGCHLD signals to init scripts. </summary> @@ -101775,7 +102544,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signal_script" lineno="2569"> +<interface name="init_signal_script" lineno="2601"> <summary> Send generic signals to init scripts. </summary> 
@@ -101785,7 +102554,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_signull_script" lineno="2587"> +<interface name="init_signull_script" lineno="2619"> <summary> Send null signals to init scripts. </summary> @@ -101795,7 +102564,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_pipes" lineno="2605"> +<interface name="init_rw_script_pipes" lineno="2637"> <summary> Read and write init script unnamed pipes. </summary> @@ -101805,7 +102574,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stream_connect_script" lineno="2624"> +<interface name="init_stream_connect_script" lineno="2656"> <summary> Allow the specified domain to connect to init scripts with a unix socket. @@ -101816,7 +102585,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_stream_sockets" lineno="2643"> +<interface name="init_rw_script_stream_sockets" lineno="2675"> <summary> Allow the specified domain to read/write to init scripts with a unix domain stream sockets. @@ -101827,7 +102596,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_stream_connect_script" lineno="2662"> +<interface name="init_dontaudit_stream_connect_script" lineno="2694"> <summary> Dont audit the specified domain connecting to init scripts with a unix domain stream socket. @@ -101838,7 +102607,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_dbus_send_script" lineno="2679"> +<interface name="init_dbus_send_script" lineno="2711"> <summary> Send messages to init scripts over dbus. </summary> @@ -101848,7 +102617,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dbus_chat_script" lineno="2699"> +<interface name="init_dbus_chat_script" lineno="2731"> <summary> Send and receive messages from init scripts over dbus. 
@@ -101859,7 +102628,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_script_ptys" lineno="2728"> +<interface name="init_use_script_ptys" lineno="2760"> <summary> Read and write the init script pty. </summary> @@ -101878,7 +102647,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_use_inherited_script_ptys" lineno="2747"> +<interface name="init_use_inherited_script_ptys" lineno="2779"> <summary> Read and write inherited init script ptys. </summary> @@ -101888,7 +102657,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_use_script_ptys" lineno="2769"> +<interface name="init_dontaudit_use_script_ptys" lineno="2801"> <summary> Do not audit attempts to read and write the init script pty. @@ -101899,7 +102668,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_getattr_script_status_files" lineno="2788"> +<interface name="init_getattr_script_status_files" lineno="2820"> <summary> Get the attributes of init script status files. @@ -101910,7 +102679,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_read_script_status_files" lineno="2807"> +<interface name="init_dontaudit_read_script_status_files" lineno="2839"> <summary> Do not audit attempts to read init script status files. @@ -101921,7 +102690,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_search_run" lineno="2826"> +<interface name="init_search_run" lineno="2858"> <summary> Search the /run/systemd directory. </summary> @@ -101931,7 +102700,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_tmp_files" lineno="2845"> +<interface name="init_read_script_tmp_files" lineno="2877"> <summary> Read init script temporary data. </summary> 
@@ -101941,7 +102710,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_inherited_script_tmp_files" lineno="2864"> +<interface name="init_rw_inherited_script_tmp_files" lineno="2896"> <summary> Read and write init script inherited temporary data. </summary> @@ -101951,7 +102720,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_rw_script_tmp_files" lineno="2882"> +<interface name="init_rw_script_tmp_files" lineno="2914"> <summary> Read and write init script temporary data. </summary> @@ -101961,7 +102730,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_script_tmp_filetrans" lineno="2917"> +<interface name="init_script_tmp_filetrans" lineno="2949"> <summary> Create files in a init script temporary data directory. @@ -101987,7 +102756,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="init_getattr_utmp" lineno="2936"> +<interface name="init_getattr_utmp" lineno="2968"> <summary> Get the attributes of init script process id files. </summary> @@ -101997,7 +102766,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_utmp" lineno="2954"> +<interface name="init_read_utmp" lineno="2986"> <summary> Read utmp. </summary> @@ -102007,7 +102776,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_write_utmp" lineno="2973"> +<interface name="init_dontaudit_write_utmp" lineno="3005"> <summary> Do not audit attempts to write utmp. </summary> @@ -102017,7 +102786,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_write_utmp" lineno="2991"> +<interface name="init_write_utmp" lineno="3023"> <summary> Write to utmp. </summary> 
@@ -102027,7 +102796,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_lock_utmp" lineno="3011"> +<interface name="init_dontaudit_lock_utmp" lineno="3043"> <summary> Do not audit attempts to lock init script pid files. @@ -102038,7 +102807,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_rw_utmp" lineno="3029"> +<interface name="init_rw_utmp" lineno="3061"> <summary> Read and write utmp. </summary> @@ -102048,7 +102817,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_rw_utmp" lineno="3048"> +<interface name="init_dontaudit_rw_utmp" lineno="3080"> <summary> Do not audit attempts to read and write utmp. </summary> @@ -102058,7 +102827,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_manage_utmp" lineno="3066"> +<interface name="init_manage_utmp" lineno="3098"> <summary> Create, read, write, and delete utmp. </summary> @@ -102068,7 +102837,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_watch_utmp" lineno="3085"> +<interface name="init_watch_runtime_dirs" lineno="3117"> +<summary> +Add a watch on init runtime +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_watch_utmp" lineno="3135"> <summary> Add a watch on utmp. </summary> @@ -102078,7 +102857,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_relabel_utmp" lineno="3103"> +<interface name="init_relabel_utmp" lineno="3153"> <summary> Relabel utmp. </summary> @@ -102088,7 +102867,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_runtime_filetrans_utmp" lineno="3122"> +<interface name="init_runtime_filetrans_utmp" lineno="3172"> <summary> Create files in /var/run with the utmp file type. 
@@ -102099,7 +102878,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_create_runtime_dirs" lineno="3140"> +<interface name="init_create_runtime_dirs" lineno="3190"> <summary> Create a directory in the /run/systemd directory. </summary> @@ -102109,7 +102888,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_runtime_files" lineno="3159"> +<interface name="init_read_runtime_files" lineno="3209"> <summary> Read init_runtime_t files </summary> @@ -102119,7 +102898,7 @@ domain </summary> </param> </interface> -<interface name="init_rename_runtime_files" lineno="3177"> +<interface name="init_rename_runtime_files" lineno="3227"> <summary> Rename init_runtime_t files </summary> @@ -102129,7 +102908,7 @@ domain </summary> </param> </interface> -<interface name="init_setattr_runtime_files" lineno="3195"> +<interface name="init_setattr_runtime_files" lineno="3245"> <summary> Setattr init_runtime_t files </summary> @@ -102139,7 +102918,7 @@ domain </summary> </param> </interface> -<interface name="init_delete_runtime_files" lineno="3213"> +<interface name="init_delete_runtime_files" lineno="3263"> <summary> Delete init_runtime_t files </summary> @@ -102149,7 +102928,7 @@ domain </summary> </param> </interface> -<interface name="init_write_runtime_socket" lineno="3232"> +<interface name="init_write_runtime_socket" lineno="3282"> <summary> Allow the specified domain to write to init sock file. @@ -102160,7 +102939,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_dontaudit_write_runtime_socket" lineno="3251"> +<interface name="init_dontaudit_write_runtime_socket" lineno="3301"> <summary> Do not audit attempts to write to init sock files. @@ -102171,7 +102950,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_read_runtime_pipes" lineno="3269"> +<interface name="init_read_runtime_pipes" lineno="3319"> <summary> Read init unnamed pipes. </summary> 
@@ -102181,7 +102960,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_runtime_symlinks" lineno="3287"> +<interface name="init_read_runtime_symlinks" lineno="3337"> <summary> read systemd unit symlinks (usually under /run/systemd/units/) </summary> @@ -102191,7 +102970,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_tcp_recvfrom_all_daemons" lineno="3305"> +<interface name="init_tcp_recvfrom_all_daemons" lineno="3355"> <summary> Allow the specified domain to connect to daemon with a tcp socket </summary> @@ -102201,7 +102980,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_udp_recvfrom_all_daemons" lineno="3323"> +<interface name="init_udp_recvfrom_all_daemons" lineno="3373"> <summary> Allow the specified domain to connect to daemon with a udp socket </summary> @@ -102211,7 +102990,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_script_status_files" lineno="3342"> +<interface name="init_read_script_status_files" lineno="3392"> <summary> Allow reading the init script state files </summary> @@ -102221,7 +103000,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="init_relabelto_script_state" lineno="3360"> +<interface name="init_relabelto_script_state" lineno="3410"> <summary> Label to init script status files </summary> @@ -102231,7 +103010,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="init_script_readable_type" lineno="3379"> +<interface name="init_script_readable_type" lineno="3429"> <summary> Mark as a readable type for the initrc_t domain </summary> @@ -102241,7 +103020,7 @@ Type that initrc_t needs read access to </summary> </param> </interface> -<interface name="init_search_units" lineno="3397"> +<interface name="init_search_units" lineno="3447"> <summary> Search systemd unit dirs. </summary> 
@@ -102251,7 +103030,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_list_unit_dirs" lineno="3422"> +<interface name="init_list_unit_dirs" lineno="3472"> <summary> List systemd unit dirs. </summary> @@ -102261,7 +103040,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_getattr_generic_units_files" lineno="3442"> +<interface name="init_getattr_generic_units_files" lineno="3492"> <summary> Get the attributes of systemd unit files </summary> @@ -102271,7 +103050,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_generic_units_files" lineno="3460"> +<interface name="init_read_generic_units_files" lineno="3510"> <summary> Read systemd unit files </summary> @@ -102281,7 +103060,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_read_generic_units_symlinks" lineno="3478"> +<interface name="init_read_generic_units_symlinks" lineno="3528"> <summary> Read systemd unit links </summary> @@ -102291,7 +103070,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_generic_units_status" lineno="3496"> +<interface name="init_get_generic_units_status" lineno="3546"> <summary> Get status of generic systemd units. </summary> @@ -102301,7 +103080,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_generic_units" lineno="3515"> +<interface name="init_start_generic_units" lineno="3565"> <summary> Start generic systemd units. </summary> @@ -102311,7 +103090,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_generic_units" lineno="3534"> +<interface name="init_stop_generic_units" lineno="3584"> <summary> Stop generic systemd units. </summary> 
@@ -102321,7 +103100,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_generic_units" lineno="3553"> +<interface name="init_reload_generic_units" lineno="3603"> <summary> Reload generic systemd units. </summary> @@ -102331,7 +103110,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_runtime_units_status" lineno="3572"> +<interface name="init_get_runtime_units_status" lineno="3622"> <summary> Get the status of runtime systemd units. </summary> @@ -102341,7 +103120,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_runtime_units" lineno="3591"> +<interface name="init_start_runtime_units" lineno="3641"> <summary> Start runtime systemd units. </summary> @@ -102351,7 +103130,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_runtime_units" lineno="3610"> +<interface name="init_stop_runtime_units" lineno="3660"> <summary> Stop runtime systemd units. </summary> @@ -102361,7 +103140,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_transient_units_status" lineno="3629"> +<interface name="init_get_transient_units_status" lineno="3679"> <summary> Get status of transient systemd units. </summary> @@ -102371,7 +103150,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_transient_units" lineno="3648"> +<interface name="init_start_transient_units" lineno="3698"> <summary> Start transient systemd units. </summary> @@ -102381,7 +103160,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_transient_units" lineno="3667"> +<interface name="init_stop_transient_units" lineno="3717"> <summary> Stop transient systemd units. </summary> 
@@ -102391,7 +103170,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_transient_units" lineno="3686"> +<interface name="init_reload_transient_units" lineno="3736"> <summary> Reload transient systemd units. </summary> @@ -102401,7 +103180,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_get_all_units_status" lineno="3706"> +<interface name="init_get_all_units_status" lineno="3756"> <summary> Get status of all systemd units. </summary> @@ -102411,7 +103190,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_all_units" lineno="3725"> +<interface name="init_manage_all_units" lineno="3775"> <summary> All perms on all systemd units. </summary> @@ -102421,7 +103200,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_start_all_units" lineno="3745"> +<interface name="init_start_all_units" lineno="3795"> <summary> Start all systemd units. </summary> @@ -102431,7 +103210,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_stop_all_units" lineno="3764"> +<interface name="init_stop_all_units" lineno="3814"> <summary> Stop all systemd units. </summary> @@ -102441,7 +103220,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="init_reload_all_units" lineno="3783"> +<interface name="init_reload_all_units" lineno="3833"> <summary> Reload all systemd units. </summary> 
@@ -102451,7 +103230,27 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_manage_all_unit_files" lineno="3802"> +<interface name="init_list_all_units" lineno="3852"> +<summary> +List systemd unit dirs and the files in them +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_getattr_all_unit_files" lineno="3871"> +<summary> +Get the attributes of systemd unit directories and the files in them. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_manage_all_unit_files" lineno="3891"> <summary> Manage systemd unit dirs and the files in them </summary> @@ -102461,7 +103260,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="init_linkable_keyring" lineno="3823"> +<interface name="init_relabel_all_unit_files" lineno="3911"> +<summary> +Relabel from and to systemd unit types. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="init_linkable_keyring" lineno="3932"> <summary> Associate the specified domain to be a domain whose keyring init should be allowed to link. @@ -102472,7 +103281,7 @@ Domain whose keyring init should be allowed to link. </summary> </param> </interface> -<interface name="init_admin" lineno="3841"> +<interface name="init_admin" lineno="3950"> <summary> Allow unconfined access to send instructions to init </summary> @@ -102482,7 +103291,7 @@ Target domain </summary> </param> </interface> -<interface name="init_getrlimit" lineno="3873"> +<interface name="init_getrlimit" lineno="3982"> <summary> Allow getting init_t rlimit </summary> @@ -102492,7 +103301,7 @@ Source domain </summary> </param> </interface> -<interface name="init_search_keys" lineno="3891"> +<interface name="init_search_keys" lineno="4000"> <summary> Allow searching init_t keys </summary> 
@@ -104454,7 +105263,29 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="lvm_admin" lineno="191"> +<interface name="lvm_manage_lock_files" lineno="186"> +<summary> +Manage lvm_lock_t files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="lvm_manage_runtime_files" lineno="205"> +<summary> +Manage LVM runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<rolecap/> +</interface> +<interface name="lvm_admin" lineno="229"> <summary> All of the rules required to administrate an lvm environment. @@ -105418,6 +106249,16 @@ Domain allowed access. </summary> </param> </interface> +<interface name="mount_manage_runtime_files" lineno="359"> +<summary> +Manage mount runtime files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> <tunable name="allow_mount_anyfile" dftval="false"> <desc> <p> @@ -106534,7 +107375,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_relabel_config" lineno="505"> +<interface name="sysnet_relabel_config" lineno="506"> <summary> Relabel network config files. </summary> @@ -106544,7 +107385,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_etc_filetrans_config" lineno="530"> +<interface name="sysnet_etc_filetrans_config" lineno="531"> <summary> Create files in /etc with the type used for the network config files. 
@@ -106560,7 +107401,28 @@ The name of the object being created. </summary> </param> </interface> -<interface name="sysnet_manage_config" lineno="548"> +<interface name="sysnet_runtime_filetrans_config" lineno="560"> +<summary> +Create files in /run with the type used for +the network config files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +<param name="object"> +<summary> +The object class of the object being created. +</summary> +</param> +<param name="name" optional="true"> +<summary> +The name of the object being created. +</summary> +</param> +</interface> +<interface name="sysnet_manage_config" lineno="578"> <summary> Create, read, write, and delete network config files. </summary> @@ -106570,7 +107432,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_watch_config_dirs" lineno="580"> +<interface name="sysnet_watch_config_dirs" lineno="610"> <summary> Watch a network config dir </summary> @@ -106580,7 +107442,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_read_dhcpc_runtime_files" lineno="598"> +<interface name="sysnet_read_dhcpc_runtime_files" lineno="628"> <summary> Read dhcp client runtime files. </summary> @@ -106590,7 +107452,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_delete_dhcpc_runtime_files" lineno="617"> +<interface name="sysnet_delete_dhcpc_runtime_files" lineno="647"> <summary> Delete the dhcp client runtime files. </summary> @@ -106600,7 +107462,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_manage_dhcpc_runtime_files" lineno="635"> +<interface name="sysnet_manage_dhcpc_runtime_files" lineno="665"> <summary> Create, read, write, and delete dhcp client runtime files. </summary> 
@@ -106610,7 +107472,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_domtrans_ifconfig" lineno="653"> +<interface name="sysnet_domtrans_ifconfig" lineno="683"> <summary> Execute ifconfig in the ifconfig domain. </summary> @@ -106620,7 +107482,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="sysnet_run_ifconfig" lineno="680"> +<interface name="sysnet_run_ifconfig" lineno="710"> <summary> Execute ifconfig in the ifconfig domain, and allow the specified role the ifconfig domain, @@ -106638,7 +107500,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_exec_ifconfig" lineno="700"> +<interface name="sysnet_exec_ifconfig" lineno="730"> <summary> Execute ifconfig in the caller domain. </summary> @@ -106648,7 +107510,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_signal_ifconfig" lineno="720"> +<interface name="sysnet_signal_ifconfig" lineno="750"> <summary> Send a generic signal to ifconfig. </summary> @@ -106659,7 +107521,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_signull_ifconfig" lineno="739"> +<interface name="sysnet_signull_ifconfig" lineno="769"> <summary> Send null signals to ifconfig. </summary> @@ -106670,7 +107532,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_create_netns_dirs" lineno="758"> +<interface name="sysnet_create_netns_dirs" lineno="788"> <summary> Create the /run/netns directory with an automatic type transition. @@ -106681,7 +107543,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_netns_filetrans" lineno="792"> +<interface name="sysnet_netns_filetrans" lineno="822"> <summary> Create an object in the /run/netns directory with a private type. 
@@ -106707,7 +107569,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="sysnet_read_dhcp_config" lineno="813"> +<interface name="sysnet_read_dhcp_config" lineno="843"> <summary> Read the DHCP configuration files. </summary> @@ -106717,7 +107579,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_search_dhcp_state" lineno="833"> +<interface name="sysnet_search_dhcp_state" lineno="863"> <summary> Search the DHCP state data directory. </summary> @@ -106727,7 +107589,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_dhcp_state_filetrans" lineno="877"> +<interface name="sysnet_dhcp_state_filetrans" lineno="907"> <summary> Create DHCP state data. </summary> @@ -106762,7 +107624,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="sysnet_dns_name_resolve" lineno="897"> +<interface name="sysnet_dns_name_resolve" lineno="927"> <summary> Perform a DNS name resolution. </summary> @@ -106773,7 +107635,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="sysnet_use_ldap" lineno="948"> +<interface name="sysnet_use_ldap" lineno="978"> <summary> Connect and use a LDAP server. </summary> @@ -106783,7 +107645,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_use_portmap" lineno="975"> +<interface name="sysnet_use_portmap" lineno="1005"> <summary> Connect and use remote port mappers. </summary> @@ -106793,7 +107655,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="sysnet_dhcpc_script_entry" lineno="1009"> +<interface name="sysnet_dhcpc_script_entry" lineno="1039"> <summary> Make the specified program domain accessable from the DHCP hooks/scripts. 
@@ -106840,7 +107702,7 @@ The user domain for the role. </summary> </param> </template> -<template name="systemd_user_daemon_domain" lineno="223"> +<template name="systemd_user_daemon_domain" lineno="252"> <summary> Allow the specified domain to be started as a daemon by the specified systemd user instance. @@ -106861,7 +107723,7 @@ Domain to allow the systemd user domain to run. </summary> </param> </template> -<interface name="systemd_user_activated_sock_file" lineno="244"> +<interface name="systemd_user_activated_sock_file" lineno="273"> <summary> Associate the specified file type to be a type whose sock files can be managed by systemd user instances for socket activation. @@ -106872,7 +107734,7 @@ File type to be associated. </summary> </param> </interface> -<interface name="systemd_user_unix_stream_activated_socket" lineno="269"> +<interface name="systemd_user_unix_stream_activated_socket" lineno="298"> <summary> Associate the specified domain to be a domain whose unix stream sockets and sock files can be managed by systemd user instances @@ -106889,7 +107751,7 @@ File type of the domain's sock files to be associated. </summary> </param> </interface> -<interface name="systemd_write_notify_socket" lineno="289"> +<interface name="systemd_write_notify_socket" lineno="318"> <summary> Allow the specified domain to write to systemd-notify socket @@ -106900,7 +107762,7 @@ Domain allowed access. </summary> </param> </interface> -<template name="systemd_user_send_systemd_notify" lineno="316"> +<template name="systemd_user_send_systemd_notify" lineno="345"> <summary> Allow the target domain the permissions necessary to use systemd notify when started by the specified 
@@ -106917,7 +107779,7 @@ Domain to be allowed systemd notify permissions. </summary> </param> </template> -<template name="systemd_user_app_status" lineno="344"> +<template name="systemd_user_app_status" lineno="373"> <summary> Allow the target domain to be monitored and have its output captured by the specified systemd user instance domain. @@ -106933,7 +107795,7 @@ Domain to allow the systemd user instance to monitor. </summary> </param> </template> -<template name="systemd_read_user_manager_state" lineno="384"> +<template name="systemd_read_user_manager_state" lineno="413"> <summary> Read the process state (/proc/pid) of the specified systemd user instance. @@ -106949,7 +107811,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_start" lineno="408"> +<template name="systemd_user_manager_system_start" lineno="437"> <summary> Send a start request to the specified systemd user instance system object. @@ -106965,7 +107827,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_stop" lineno="432"> +<template name="systemd_user_manager_system_stop" lineno="462"> <summary> Send a stop request to the specified systemd user instance system object. @@ -106981,7 +107843,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_system_status" lineno="456"> +<template name="systemd_user_manager_system_status" lineno="487"> <summary> Get the status of the specified systemd user instance system object. @@ -106997,7 +107859,7 @@ Domain allowed access. </summary> </param> </template> -<template name="systemd_user_manager_dbus_chat" lineno="480"> +<template name="systemd_user_manager_dbus_chat" lineno="512"> <summary> Send and receive messages from the specified systemd user instance over dbus. 
@@ -107013,7 +107875,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="systemd_search_conf_home_content" lineno="501"> +<interface name="systemd_search_conf_home_content" lineno="533"> <summary> Allow the specified domain to search systemd config home content. @@ -107024,7 +107886,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_conf_home_content" lineno="520"> +<interface name="systemd_manage_conf_home_content" lineno="552"> <summary> Allow the specified domain to manage systemd config home content. @@ -107035,7 +107897,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabel_conf_home_content" lineno="541"> +<interface name="systemd_relabel_conf_home_content" lineno="573"> <summary> Allow the specified domain to relabel systemd config home content. @@ -107046,7 +107908,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_data_home_content" lineno="562"> +<interface name="systemd_search_data_home_content" lineno="594"> <summary> Allow the specified domain to search systemd data home content. @@ -107057,7 +107919,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_data_home_content" lineno="581"> +<interface name="systemd_manage_data_home_content" lineno="613"> <summary> Allow the specified domain to manage systemd data home content. @@ -107068,7 +107930,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabel_data_home_content" lineno="602"> +<interface name="systemd_relabel_data_home_content" lineno="634"> <summary> Allow the specified domain to relabel systemd data home content. 
@@ -107079,7 +107941,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_runtime" lineno="623"> +<interface name="systemd_search_user_runtime" lineno="655"> <summary> Allow the specified domain to search systemd user runtime content. @@ -107090,7 +107952,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_files" lineno="641"> +<interface name="systemd_read_user_runtime_files" lineno="673"> <summary> Allow the specified domain to read systemd user runtime files. </summary> @@ -107100,7 +107962,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_lnk_files" lineno="659"> +<interface name="systemd_read_user_runtime_lnk_files" lineno="691"> <summary> Allow the specified domain to read systemd user runtime lnk files. </summary> @@ -107110,7 +107972,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_user_runtime_socket" lineno="678"> +<interface name="systemd_write_user_runtime_socket" lineno="710"> <summary> Allow the specified domain to write to the systemd user runtime named socket. @@ -107121,7 +107983,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_unit_files" lineno="697"> +<interface name="systemd_read_user_unit_files" lineno="729"> <summary> Allow the specified domain to read system-wide systemd user unit files. (Deprecated) @@ -107132,7 +107994,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_units_files" lineno="713"> +<interface name="systemd_read_user_units_files" lineno="745"> <summary> Allow the specified domain to read system-wide systemd user unit files. 
@@ -107143,7 +108005,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_units" lineno="733"> +<interface name="systemd_read_user_runtime_units" lineno="765"> <summary> Allow the specified domain to read systemd user runtime unit files. (Deprecated) </summary> @@ -107153,7 +108015,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_runtime_units_files" lineno="748"> +<interface name="systemd_read_user_runtime_units_files" lineno="780"> <summary> Allow the specified domain to read systemd user runtime unit files. </summary> @@ -107163,7 +108025,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_runtime_unit_dirs" lineno="768"> +<interface name="systemd_search_user_runtime_unit_dirs" lineno="800"> <summary> Allow the specified domain to search systemd user runtime unit directories. @@ -107174,7 +108036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_user_runtime_unit_dirs" lineno="787"> +<interface name="systemd_list_user_runtime_unit_dirs" lineno="819"> <summary> Allow the specified domain to list the contents of systemd user runtime unit directories. @@ -107185,7 +108047,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_user_runtime_units" lineno="805"> +<interface name="systemd_status_user_runtime_units" lineno="837"> <summary> Allow the specified domain to get the status of systemd user runtime units. (Deprecated) </summary> @@ -107195,7 +108057,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_runtime_units_status" lineno="820"> +<interface name="systemd_get_user_runtime_units_status" lineno="852"> <summary> Allow the specified domain to get the status of systemd user runtime units. </summary> 
@@ -107205,7 +108067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_runtime_units" lineno="839"> +<interface name="systemd_start_user_runtime_units" lineno="871"> <summary> Allow the specified domain to start systemd user runtime units. </summary> @@ -107215,7 +108077,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_runtime_units" lineno="858"> +<interface name="systemd_stop_user_runtime_units" lineno="890"> <summary> Allow the specified domain to stop systemd user runtime units. </summary> @@ -107225,7 +108087,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_runtime_units" lineno="877"> +<interface name="systemd_reload_user_runtime_units" lineno="909"> <summary> Allow the specified domain to reload systemd user runtime units. </summary> @@ -107235,7 +108097,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_user_transient_units_files" lineno="896"> +<interface name="systemd_read_user_transient_units_files" lineno="928"> <summary> Allow the specified domain to read systemd user transient unit files. </summary> @@ -107245,7 +108107,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_search_user_transient_unit_dirs" lineno="916"> +<interface name="systemd_search_user_transient_unit_dirs" lineno="948"> <summary> Allow the specified domain to search systemd user transient unit directories. @@ -107256,7 +108118,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_user_transient_unit_dirs" lineno="935"> +<interface name="systemd_list_user_transient_unit_dirs" lineno="967"> <summary> Allow the specified domain to list the contents of systemd user transient unit directories. 
@@ -107267,7 +108129,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_transient_units_status" lineno="953"> +<interface name="systemd_get_user_transient_units_status" lineno="985"> <summary> Allow the specified domain to get the status of systemd user transient units. </summary> @@ -107277,7 +108139,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_transient_units" lineno="972"> +<interface name="systemd_start_user_transient_units" lineno="1004"> <summary> Allow the specified domain to start systemd user transient units. </summary> @@ -107287,7 +108149,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_transient_units" lineno="991"> +<interface name="systemd_stop_user_transient_units" lineno="1023"> <summary> Allow the specified domain to stop systemd user transient units. </summary> @@ -107297,7 +108159,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_transient_units" lineno="1010"> +<interface name="systemd_reload_user_transient_units" lineno="1042"> <summary> Allow the specified domain to reload systemd user transient units. </summary> @@ -107307,7 +108169,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_log_parse_environment" lineno="1030"> +<interface name="systemd_log_parse_environment" lineno="1062"> <summary> Make the specified type usable as an log parse environment type. @@ -107318,7 +108180,7 @@ Type to be used as a log parse environment type. </summary> </param> </interface> -<interface name="systemd_use_nss" lineno="1050"> +<interface name="systemd_use_nss" lineno="1082"> <summary> Allow domain to use systemd's Name Service Switch (NSS) module. This module provides UNIX user and group name resolution for dynamic users 
@@ -107330,7 +108192,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_PrivateDevices" lineno="1077"> +<interface name="systemd_PrivateDevices" lineno="1109"> <summary> Allow domain to be used as a systemd service with a unit that uses PrivateDevices=yes in section [Service]. @@ -107341,7 +108203,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_rw_homework_semaphores" lineno="1094"> +<interface name="systemd_rw_homework_semaphores" lineno="1126"> <summary> Read and write systemd-homework semaphores. </summary> @@ -107351,7 +108213,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="systemd_read_hwdb" lineno="1112"> +<interface name="systemd_read_hwdb" lineno="1144"> <summary> Allow domain to read udev hwdb file </summary> @@ -107361,7 +108223,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_map_hwdb" lineno="1130"> +<interface name="systemd_map_hwdb" lineno="1162"> <summary> Allow domain to map udev hwdb file </summary> 
@@ -107371,7 +108233,59 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_watch_logind_runtime_dirs" lineno="1148"> +<interface name="systemd_list_log_dirs" lineno="1180"> +<summary> +List files in /var/log/systemd. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="systemd_create_log_files" lineno="1199"> +<summary> +Create files in /var/log/systemd. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="systemd_write_log_files" lineno="1218"> +<summary> +Write to files in /var/log/systemd. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="systemd_setattr_log_files" lineno="1238"> +<summary> +Set the attributes of files in +/var/log/systemd. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="systemd_create_log_dirs" lineno="1257"> +<summary> +Create the /var/log/systemd directory +with an automatic type transition. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="systemd_watch_logind_runtime_dirs" lineno="1276"> <summary> Watch systemd-logind runtime dirs. </summary> @@ -107381,7 +108295,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_logind_runtime_files" lineno="1167"> +<interface name="systemd_read_logind_runtime_files" lineno="1295"> <summary> Read systemd-logind runtime files. </summary> @@ -107391,7 +108305,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_logind_runtime_pipes" lineno="1187"> +<interface name="systemd_manage_logind_runtime_pipes" lineno="1315"> <summary> Manage systemd-logind runtime pipes. </summary> 
@@ -107401,7 +108315,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_logind_runtime_pipes" lineno="1206"> +<interface name="systemd_write_logind_runtime_pipes" lineno="1334"> <summary> Write systemd-logind runtime named pipe. </summary> @@ -107411,7 +108325,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_use_logind_fds" lineno="1227"> +<interface name="systemd_use_logind_fds" lineno="1355"> <summary> Use inherited systemd logind file descriptors. @@ -107422,7 +108336,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_logind_sessions_dirs" lineno="1245"> +<interface name="systemd_watch_logind_sessions_dirs" lineno="1373"> <summary> Watch logind sessions dirs. </summary> @@ -107432,7 +108346,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_logind_sessions_files" lineno="1264"> +<interface name="systemd_read_logind_sessions_files" lineno="1392"> <summary> Read logind sessions files. </summary> @@ -107442,7 +108356,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1285"> +<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="1413"> <summary> Write inherited logind sessions pipes. </summary> @@ -107452,7 +108366,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1305"> +<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="1433"> <summary> Write inherited logind inhibit pipes. </summary> @@ -107462,7 +108376,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_logind" lineno="1326"> +<interface name="systemd_dbus_chat_logind" lineno="1454"> <summary> Send and receive messages from systemd logind over dbus. 
@@ -107473,7 +108387,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_logind" lineno="1346"> +<interface name="systemd_status_logind" lineno="1474"> <summary> Get the system status information from systemd_login </summary> @@ -107483,7 +108397,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_signull_logind" lineno="1365"> +<interface name="systemd_signull_logind" lineno="1493"> <summary> Send systemd_login a null signal. </summary> @@ -107493,7 +108407,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_userdb_runtime_dirs" lineno="1383"> +<interface name="systemd_list_userdb_runtime_dirs" lineno="1511"> <summary> List the contents of systemd userdb runtime directories. </summary> @@ -107503,7 +108417,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_dirs" lineno="1401"> +<interface name="systemd_manage_userdb_runtime_dirs" lineno="1529"> <summary> Manage systemd userdb runtime directories. </summary> @@ -107513,7 +108427,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_userdb_runtime_files" lineno="1419"> +<interface name="systemd_read_userdb_runtime_files" lineno="1547"> <summary> Read systemd userdb runtime files. </summary> @@ -107523,7 +108437,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1437"> +<interface name="systemd_manage_userdb_runtime_symlinks" lineno="1565"> <summary> Manage symbolic links under /run/systemd/userdb. </summary> @@ -107533,7 +108447,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1455"> +<interface name="systemd_manage_userdb_runtime_sock_files" lineno="1583"> <summary> Manage socket files under /run/systemd/userdb . </summary> 
@@ -107543,7 +108457,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stream_connect_userdb" lineno="1473"> +<interface name="systemd_stream_connect_userdb" lineno="1601"> <summary> Connect to /run/systemd/userdb/io.systemd.DynamicUser . </summary> @@ -107553,7 +108467,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_machines" lineno="1495"> +<interface name="systemd_read_machines" lineno="1623"> <summary> Allow reading /run/systemd/machines </summary> @@ -107563,7 +108477,7 @@ Domain that can access the machines files </summary> </param> </interface> -<interface name="systemd_watch_machines_dirs" lineno="1514"> +<interface name="systemd_watch_machines_dirs" lineno="1642"> <summary> Allow watching /run/systemd/machines </summary> @@ -107573,7 +108487,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_connect_machined" lineno="1532"> +<interface name="systemd_connect_machined" lineno="1660"> <summary> Allow connecting to /run/systemd/userdb/io.systemd.Machine socket </summary> @@ -107583,7 +108497,7 @@ Domain that can access the socket </summary> </param> </interface> -<interface name="systemd_dontaudit_connect_machined" lineno="1550"> +<interface name="systemd_dontaudit_connect_machined" lineno="1678"> <summary> dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket </summary> @@ -107593,7 +108507,7 @@ Domain that can access the socket </summary> </param> </interface> -<interface name="systemd_dbus_chat_machined" lineno="1569"> +<interface name="systemd_dbus_chat_machined" lineno="1697"> <summary> Send and receive messages from systemd machined over dbus. @@ -107604,7 +108518,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_hostnamed" lineno="1590"> +<interface name="systemd_dbus_chat_hostnamed" lineno="1718"> <summary> Send and receive messages from systemd hostnamed over dbus. 
@@ -107615,7 +108529,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_use_passwd_agent_fds" lineno="1610"> +<interface name="systemd_use_passwd_agent_fds" lineno="1738"> <summary> allow systemd_passwd_agent to inherit fds </summary> @@ -107625,7 +108539,7 @@ Domain that owns the fds </summary> </param> </interface> -<interface name="systemd_run_passwd_agent" lineno="1633"> +<interface name="systemd_run_passwd_agent" lineno="1761"> <summary> allow systemd_passwd_agent to be run by admin </summary> @@ -107640,7 +108554,7 @@ role that it runs in </summary> </param> </interface> -<interface name="systemd_use_passwd_agent" lineno="1654"> +<interface name="systemd_use_passwd_agent" lineno="1782"> <summary> Allow a systemd_passwd_agent_t process to interact with a daemon that needs a password from the sysadmin. @@ -107651,7 +108565,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1678"> +<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="1806"> <summary> Transition to systemd_passwd_runtime_t when creating dirs </summary> @@ -107661,7 +108575,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1699"> +<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="1827"> <summary> Transition to systemd_userdbd_runtime_t when creating the userdb directory inside an init runtime @@ -107673,7 +108587,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1717"> +<interface name="systemd_manage_passwd_runtime_symlinks" lineno="1845"> <summary> Allow to domain to create systemd-passwd symlink </summary> 
@@ -107683,7 +108597,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_passwd_runtime_dirs" lineno="1735"> +<interface name="systemd_watch_passwd_runtime_dirs" lineno="1863"> <summary> Allow a domain to watch systemd-passwd runtime dirs. </summary> @@ -107693,7 +108607,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_journal_dirs" lineno="1753"> +<interface name="systemd_list_journal_dirs" lineno="1881"> <summary> Allow domain to list the contents of systemd_journal_t dirs </summary> @@ -107703,7 +108617,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_journal_files" lineno="1771"> +<interface name="systemd_read_journal_files" lineno="1899"> <summary> Allow domain to read systemd_journal_t files </summary> @@ -107713,7 +108627,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_journal_files" lineno="1790"> +<interface name="systemd_manage_journal_files" lineno="1918"> <summary> Allow domain to create/manage systemd_journal_t files </summary> @@ -107723,7 +108637,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_watch_journal_dirs" lineno="1810"> +<interface name="systemd_watch_journal_dirs" lineno="1938"> <summary> Allow domain to add a watch on systemd_journal_t directories </summary> @@ -107733,7 +108647,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelfrom_journal_files" lineno="1828"> +<interface name="systemd_relabelfrom_journal_files" lineno="1956"> <summary> Relabel from systemd-journald file type. </summary> @@ -107743,7 +108657,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_journal_dirs" lineno="1846"> +<interface name="systemd_relabelto_journal_dirs" lineno="1974"> <summary> Relabel to systemd-journald directory type. </summary> 
@@ -107753,7 +108667,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_journal_files" lineno="1865"> +<interface name="systemd_relabelto_journal_files" lineno="1993"> <summary> Relabel to systemd-journald file type. </summary> @@ -107763,7 +108677,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_networkd_units" lineno="1885"> +<interface name="systemd_read_networkd_units" lineno="2013"> <summary> Allow domain to read systemd_networkd_t unit files </summary> @@ -107773,7 +108687,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_manage_networkd_units" lineno="1905"> +<interface name="systemd_manage_networkd_units" lineno="2033"> <summary> Allow domain to create/manage systemd_networkd_t unit files </summary> @@ -107783,7 +108697,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_enabledisable_networkd" lineno="1925"> +<interface name="systemd_enabledisable_networkd" lineno="2053"> <summary> Allow specified domain to enable systemd-networkd units </summary> @@ -107793,7 +108707,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_startstop_networkd" lineno="1944"> +<interface name="systemd_startstop_networkd" lineno="2072"> <summary> Allow specified domain to start systemd-networkd units </summary> @@ -107803,7 +108717,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_networkd" lineno="1964"> +<interface name="systemd_dbus_chat_networkd" lineno="2092"> <summary> Send and receive messages from systemd networkd over dbus. @@ -107814,7 +108728,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_status_networkd" lineno="1984"> +<interface name="systemd_status_networkd" lineno="2112"> <summary> Allow specified domain to get status of systemd-networkd </summary> 
@@ -107824,7 +108738,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2003"> +<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="2131"> <summary> Relabel systemd_networkd tun socket. </summary> @@ -107834,7 +108748,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2021"> +<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="2149"> <summary> Read/Write from systemd_networkd netlink route socket. </summary> @@ -107844,7 +108758,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_list_networkd_runtime" lineno="2039"> +<interface name="systemd_list_networkd_runtime" lineno="2167"> <summary> Allow domain to list dirs under /run/systemd/netif </summary> @@ -107854,7 +108768,7 @@ domain permitted the access </summary> </param> </interface> -<interface name="systemd_watch_networkd_runtime_dirs" lineno="2058"> +<interface name="systemd_watch_networkd_runtime_dirs" lineno="2186"> <summary> Watch directories under /run/systemd/netif </summary> @@ -107864,7 +108778,7 @@ Domain permitted the access </summary> </param> </interface> -<interface name="systemd_read_networkd_runtime" lineno="2077"> +<interface name="systemd_read_networkd_runtime" lineno="2205"> <summary> Allow domain to read files generated by systemd_networkd </summary> @@ -107874,7 +108788,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_read_logind_state" lineno="2096"> +<interface name="systemd_read_logind_state" lineno="2224"> <summary> Allow systemd_logind_t to read process state for cgroup file </summary> 
@@ -107884,7 +108798,7 @@ Domain systemd_logind_t may access. </summary> </param> </interface> -<interface name="systemd_create_logind_linger_dir" lineno="2117"> +<interface name="systemd_create_logind_linger_dir" lineno="2245"> <summary> Allow the specified domain to create the systemd-logind linger directory with @@ -107896,7 +108810,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_user_manager_units" lineno="2137"> +<interface name="systemd_start_user_manager_units" lineno="2265"> <summary> Allow the specified domain to start systemd user manager units (systemd --user). @@ -107907,7 +108821,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stop_user_manager_units" lineno="2157"> +<interface name="systemd_stop_user_manager_units" lineno="2285"> <summary> Allow the specified domain to stop systemd user manager units (systemd --user). @@ -107918,7 +108832,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_reload_user_manager_units" lineno="2177"> +<interface name="systemd_reload_user_manager_units" lineno="2305"> <summary> Allow the specified domain to reload systemd user manager units (systemd --user). @@ -107929,7 +108843,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_get_user_manager_units_status" lineno="2197"> +<interface name="systemd_get_user_manager_units_status" lineno="2325"> <summary> Get the status of systemd user manager units (systemd --user). @@ -107940,7 +108854,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_start_power_units" lineno="2216"> +<interface name="systemd_start_power_units" lineno="2344"> <summary> Allow specified domain to start power units </summary> 
@@ -107950,7 +108864,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="systemd_status_power_units" lineno="2235"> +<interface name="systemd_status_power_units" lineno="2363"> <summary> Get the system status information about power units </summary> @@ -107960,7 +108874,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_stream_connect_socket_proxyd" lineno="2254"> +<interface name="systemd_stream_connect_socket_proxyd" lineno="2382"> <summary> Allows connections to the systemd-socket-proxyd's socket. </summary> @@ -107970,7 +108884,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfiles_conf_file" lineno="2273"> +<interface name="systemd_tmpfiles_conf_file" lineno="2401"> <summary> Make the specified type usable for systemd tmpfiles config files. @@ -107981,7 +108895,7 @@ Type to be used for systemd tmpfiles config files. </summary> </param> </interface> -<interface name="systemd_tmpfiles_creator" lineno="2294"> +<interface name="systemd_tmpfiles_creator" lineno="2422"> <summary> Allow the specified domain to create the tmpfiles config directory with @@ -107993,7 +108907,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfiles_conf_filetrans" lineno="2330"> +<interface name="systemd_tmpfiles_conf_filetrans" lineno="2458"> <summary> Create an object in the systemd tmpfiles config directory, with a private type @@ -108020,7 +108934,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="systemd_list_tmpfiles_conf" lineno="2349"> +<interface name="systemd_list_tmpfiles_conf" lineno="2477"> <summary> Allow domain to list systemd tmpfiles config directory </summary> 
@@ -108030,7 +108944,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2367"> +<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="2495"> <summary> Allow domain to relabel to systemd tmpfiles config directory </summary> @@ -108040,7 +108954,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2385"> +<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="2513"> <summary> Allow domain to relabel to systemd tmpfiles config files </summary> @@ -108050,7 +108964,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_tmpfilesd_managed" lineno="2403"> +<interface name="systemd_tmpfilesd_managed" lineno="2531"> <summary> Allow systemd_tmpfiles_t to manage filesystem objects </summary> @@ -108060,7 +108974,7 @@ Type of object to manage </summary> </param> </interface> -<interface name="systemd_stream_connect_resolved" lineno="2430"> +<interface name="systemd_stream_connect_resolved" lineno="2558"> <summary> Connect to systemd resolved over /run/systemd/resolve/io.systemd.Resolve . @@ -108071,7 +108985,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_dbus_chat_resolved" lineno="2451"> +<interface name="systemd_dbus_chat_resolved" lineno="2579"> <summary> Send and receive messages from systemd resolved over dbus. @@ -108082,7 +108996,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_read_resolved_runtime" lineno="2471"> +<interface name="systemd_read_resolved_runtime" lineno="2599"> <summary> Allow domain to read resolv.conf file generated by systemd_resolved </summary> 
@@ -108092,7 +109006,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_exec_systemctl" lineno="2493"> +<interface name="systemd_exec_systemctl" lineno="2621"> <summary> Execute the systemctl program. </summary> @@ -108102,7 +109016,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_getattr_updated_runtime" lineno="2524"> +<interface name="systemd_getattr_updated_runtime" lineno="2654"> <summary> Allow domain to getattr on .updated file (generated by systemd-update-done </summary> @@ -108112,7 +109026,7 @@ domain allowed access </summary> </param> </interface> -<interface name="systemd_search_all_user_keys" lineno="2542"> +<interface name="systemd_search_all_user_keys" lineno="2672"> <summary> Search keys for the all systemd --user domains. </summary> @@ -108122,7 +109036,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_create_all_user_keys" lineno="2560"> +<interface name="systemd_create_all_user_keys" lineno="2690"> <summary> Create keys for the all systemd --user domains. </summary> @@ -108132,7 +109046,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_write_all_user_keys" lineno="2578"> +<interface name="systemd_write_all_user_keys" lineno="2708"> <summary> Write keys for the all systemd --user domains. </summary> @@ -108142,7 +109056,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_domtrans_sysusers" lineno="2597"> +<interface name="systemd_domtrans_sysusers" lineno="2727"> <summary> Execute systemd-sysusers in the systemd sysusers domain. @@ -108153,7 +109067,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="systemd_run_sysusers" lineno="2622"> +<interface name="systemd_run_sysusers" lineno="2752"> <summary> Run systemd-sysusers with a domain transition. </summary> 
@@ -108169,7 +109083,7 @@ Role allowed access. </param> <rolecap/> </interface> -<interface name="systemd_use_inherited_machined_ptys" lineno="2642"> +<interface name="systemd_use_inherited_machined_ptys" lineno="2772"> <summary> receive and use a systemd_machined_devpts_t file handle </summary> @@ -108820,7 +109734,7 @@ Domain to make unconfined. </summary> </param> </interface> -<interface name="unconfined_domain" lineno="154"> +<interface name="unconfined_domain" lineno="153"> <summary> Make the specified domain unconfined and audit executable heap usage. @@ -108848,7 +109762,7 @@ Domain to make unconfined. </summary> </param> </interface> -<interface name="unconfined_domtrans" lineno="172"> +<interface name="unconfined_domtrans" lineno="171"> <summary> Transition to the unconfined domain. </summary> @@ -108858,7 +109772,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="unconfined_run" lineno="195"> +<interface name="unconfined_run" lineno="194"> <summary> Execute specified programs in the unconfined domain. </summary> @@ -108873,7 +109787,7 @@ The role to allow the unconfined domain. </summary> </param> </interface> -<interface name="unconfined_shell_domtrans" lineno="214"> +<interface name="unconfined_shell_domtrans" lineno="213"> <summary> Transition to the unconfined domain by executing a shell. </summary> @@ -108883,7 +109797,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="unconfined_domtrans_to" lineno="252"> +<interface name="unconfined_domtrans_to" lineno="251"> <summary> Allow unconfined to execute the specified program in the specified domain. @@ -108910,7 +109824,7 @@ Domain entry point file. </summary> </param> </interface> -<interface name="unconfined_run_to" lineno="289"> +<interface name="unconfined_run_to" lineno="288"> <summary> Allow unconfined to execute the specified program in the specified domain. Allow the specified domain the 
@@ -108939,7 +109853,7 @@ Domain entry point file. </summary> </param> </interface> -<interface name="unconfined_use_fds" lineno="310"> +<interface name="unconfined_use_fds" lineno="309"> <summary> Inherit file descriptors from the unconfined domain. </summary> @@ -108949,7 +109863,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_sigchld" lineno="328"> +<interface name="unconfined_sigchld" lineno="327"> <summary> Send a SIGCHLD signal to the unconfined domain. </summary> @@ -108959,7 +109873,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_signull" lineno="346"> +<interface name="unconfined_signull" lineno="345"> <summary> Send a SIGNULL signal to the unconfined domain. </summary> @@ -108969,7 +109883,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_signal" lineno="364"> +<interface name="unconfined_signal" lineno="363"> <summary> Send generic signals to the unconfined domain. </summary> @@ -108979,7 +109893,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_read_pipes" lineno="382"> +<interface name="unconfined_read_pipes" lineno="381"> +<summary> +Read unconfined domain unnamed pipes. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="unconfined_write_inherited_pipes" lineno="399"> <summary> Read unconfined domain unnamed pipes. </summary> @@ -108989,7 +109913,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dontaudit_read_pipes" lineno="400"> +<interface name="unconfined_dontaudit_read_pipes" lineno="418"> <summary> Do not audit attempts to read unconfined domain unnamed pipes. </summary> 
@@ -108999,7 +109923,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="unconfined_rw_pipes" lineno="418"> +<interface name="unconfined_rw_pipes" lineno="436"> <summary> Read and write unconfined domain unnamed pipes. </summary> @@ -109009,7 +109933,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dontaudit_rw_pipes" lineno="437"> +<interface name="unconfined_dontaudit_rw_pipes" lineno="455"> <summary> Do not audit attempts to read and write unconfined domain unnamed pipes. @@ -109020,7 +109944,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="unconfined_stream_connect" lineno="456"> +<interface name="unconfined_stream_connect" lineno="474"> <summary> Connect to the unconfined domain using a unix domain stream socket. @@ -109031,7 +109955,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="475"> +<interface name="unconfined_dontaudit_rw_stream_sockets" lineno="493"> <summary> Do not audit attempts to read and write unconfined domain stream. @@ -109042,7 +109966,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="504"> +<interface name="unconfined_dontaudit_rw_tcp_sockets" lineno="522"> <summary> Do not audit attempts to read or write unconfined domain tcp sockets. @@ -109063,7 +109987,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="unconfined_search_keys" lineno="522"> +<interface name="unconfined_search_keys" lineno="540"> <summary> Search keys for the unconfined domain. </summary> @@ -109073,7 +109997,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_create_keys" lineno="540"> +<interface name="unconfined_create_keys" lineno="558"> <summary> Create keys for the unconfined domain. </summary> 
@@ -109083,7 +110007,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_write_keys" lineno="558"> +<interface name="unconfined_write_keys" lineno="576"> <summary> Write keys for the unconfined domain. </summary> @@ -109093,7 +110017,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dbus_send" lineno="576"> +<interface name="unconfined_dbus_send" lineno="594"> <summary> Send messages to the unconfined domain over dbus. </summary> @@ -109103,7 +110027,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dbus_chat" lineno="596"> +<interface name="unconfined_dbus_chat" lineno="614"> <summary> Send and receive messages from unconfined_t over dbus. @@ -109114,7 +110038,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="unconfined_dbus_connect" lineno="617"> +<interface name="unconfined_dbus_connect" lineno="635"> <summary> Connect to the the unconfined DBUS for service (acquire_svc). @@ -109346,7 +110270,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_login_user_template" lineno="965"> +<template name="userdom_login_user_template" lineno="969"> <summary> The template for creating a login user. </summary> @@ -109364,7 +110288,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_restricted_user_template" lineno="1089"> +<template name="userdom_restricted_user_template" lineno="1093"> <summary> The template for creating a unprivileged login user. </summary> @@ -109382,7 +110306,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_restricted_xwindows_user_template" lineno="1130"> +<template name="userdom_restricted_xwindows_user_template" lineno="1134"> <summary> The template for creating a unprivileged xwindows login user. </summary> 
@@ -109403,7 +110327,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_unpriv_user_template" lineno="1211"> +<template name="userdom_unpriv_user_template" lineno="1219"> <summary> The template for creating a unprivileged user roughly equivalent to a regular linux user. @@ -109426,7 +110350,7 @@ is the prefix for user_t). </summary> </param> </template> -<template name="userdom_admin_user_template" lineno="1331"> +<template name="userdom_admin_user_template" lineno="1339"> <summary> The template for creating an administrative user. </summary> @@ -109455,7 +110379,7 @@ is the prefix for sysadm_t). </summary> </param> </template> -<interface name="userdom_security_admin_template" lineno="1512"> +<interface name="userdom_security_admin_template" lineno="1521"> <summary> Allow user to run as a secadm </summary> @@ -109481,7 +110405,7 @@ The role of the object to create. </summary> </param> </interface> -<template name="userdom_xdg_user_template" lineno="1615"> +<template name="userdom_xdg_user_template" lineno="1624"> <summary> Allow user to interact with xdg content types </summary> @@ -109502,7 +110426,7 @@ Domain allowed access. </summary> </param> </template> -<interface name="userdom_user_application_type" lineno="1664"> +<interface name="userdom_user_application_type" lineno="1673"> <summary> Make the specified type usable as a user application domain type. @@ -109513,7 +110437,7 @@ Type to be used as a user application domain. </summary> </param> </interface> -<interface name="userdom_user_application_domain" lineno="1685"> +<interface name="userdom_user_application_domain" lineno="1694"> <summary> Make the specified type usable as a user application domain. 
@@ -109529,7 +110453,7 @@ Type to be used as the domain entry point. </summary> </param> </interface> -<interface name="userdom_user_home_content" lineno="1702"> +<interface name="userdom_user_home_content" lineno="1711"> <summary> Make the specified type usable in a user home directory. @@ -109541,7 +110465,7 @@ user home directory. </summary> </param> </interface> -<interface name="userdom_user_tmp_file" lineno="1728"> +<interface name="userdom_user_tmp_file" lineno="1737"> <summary> Make the specified type usable as a user temporary file. @@ -109553,7 +110477,7 @@ temporary directories. </summary> </param> </interface> -<interface name="userdom_user_tmpfs_file" lineno="1745"> +<interface name="userdom_user_tmpfs_file" lineno="1754"> <summary> Make the specified type usable as a user tmpfs file. @@ -109565,7 +110489,7 @@ tmpfs directories. </summary> </param> </interface> -<interface name="userdom_attach_admin_tun_iface" lineno="1760"> +<interface name="userdom_attach_admin_tun_iface" lineno="1769"> <summary> Allow domain to attach to TUN devices created by administrative users. </summary> @@ -109575,7 +110499,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_setattr_user_ptys" lineno="1779"> +<interface name="userdom_setattr_user_ptys" lineno="1788"> <summary> Set the attributes of a user pty. </summary> @@ -109585,7 +110509,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_create_user_pty" lineno="1797"> +<interface name="userdom_create_user_pty" lineno="1806"> <summary> Create a user pty. </summary> @@ -109595,7 +110519,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_user_home_dirs" lineno="1815"> +<interface name="userdom_getattr_user_home_dirs" lineno="1824"> <summary> Get the attributes of user home directories. </summary> 
@@ -109605,7 +110529,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1834"> +<interface name="userdom_dontaudit_getattr_user_home_dirs" lineno="1843"> <summary> Do not audit attempts to get the attributes of user home directories. </summary> @@ -109615,7 +110539,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_search_user_home_dirs" lineno="1852"> +<interface name="userdom_search_user_home_dirs" lineno="1861"> <summary> Search user home directories. </summary> @@ -109625,7 +110549,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1879"> +<interface name="userdom_dontaudit_search_user_home_dirs" lineno="1888"> <summary> Do not audit attempts to search user home directories. </summary> @@ -109643,7 +110567,7 @@ Domain to not audit. </param> <infoflow type="none"/> </interface> -<interface name="userdom_list_user_home_dirs" lineno="1897"> +<interface name="userdom_list_user_home_dirs" lineno="1906"> <summary> List user home directories. </summary> @@ -109653,7 +110577,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1916"> +<interface name="userdom_dontaudit_list_user_home_dirs" lineno="1925"> <summary> Do not audit attempts to list user home subdirectories. </summary> @@ -109663,7 +110587,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_create_user_home_dirs" lineno="1934"> +<interface name="userdom_create_user_home_dirs" lineno="1943"> <summary> Create user home directories. </summary> @@ -109673,7 +110597,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_dirs" lineno="1952"> +<interface name="userdom_manage_user_home_dirs" lineno="1961"> <summary> Manage user home directories. </summary> 
@@ -109683,7 +110607,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1971"> +<interface name="userdom_dontaudit_manage_user_home_dirs" lineno="1980"> <summary> Do not audit attempts to manage user home directories. @@ -109694,7 +110618,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_relabelto_user_home_dirs" lineno="1989"> +<interface name="userdom_relabelto_user_home_dirs" lineno="1998"> <summary> Relabel to user home directories. </summary> @@ -109704,7 +110628,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_home_filetrans_user_home_dir" lineno="2013"> +<interface name="userdom_home_filetrans_user_home_dir" lineno="2022"> <summary> Create directories in the home dir root with the user home directory type. @@ -109720,7 +110644,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_domtrans" lineno="2050"> +<interface name="userdom_user_home_domtrans" lineno="2059"> <summary> Do a domain transition to the specified domain when executing a program in the @@ -109749,7 +110673,7 @@ Domain to transition to. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_home_content" lineno="2070"> +<interface name="userdom_dontaudit_search_user_home_content" lineno="2079"> <summary> Do not audit attempts to search user home content directories. </summary> @@ -109759,7 +110683,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_list_all_user_home_content" lineno="2088"> +<interface name="userdom_list_all_user_home_content" lineno="2097"> <summary> List all users home content directories. </summary> 
@@ -109769,7 +110693,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_user_home_content" lineno="2107"> +<interface name="userdom_list_user_home_content" lineno="2116"> <summary> List contents of users home directory. </summary> @@ -109779,7 +110703,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_dirs" lineno="2126"> +<interface name="userdom_manage_user_home_content_dirs" lineno="2135"> <summary> Create, read, write, and delete directories in a user home subdirectory. @@ -109790,7 +110714,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_dirs" lineno="2145"> +<interface name="userdom_delete_all_user_home_content_dirs" lineno="2154"> <summary> Delete all user home content directories. </summary> @@ -109800,7 +110724,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_dirs" lineno="2165"> +<interface name="userdom_delete_user_home_content_dirs" lineno="2174"> <summary> Delete directories in a user home subdirectory. </summary> @@ -109810,7 +110734,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2183"> +<interface name="userdom_setattr_all_user_home_content_dirs" lineno="2192"> <summary> Set attributes of all user home content directories. </summary> @@ -109820,7 +110744,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2203"> +<interface name="userdom_dontaudit_setattr_user_home_content_files" lineno="2212"> <summary> Do not audit attempts to set the attributes of user home files. 
@@ -109831,7 +110755,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_map_user_home_content_files" lineno="2221"> +<interface name="userdom_map_user_home_content_files" lineno="2230"> <summary> Map user home files. </summary> @@ -109841,7 +110765,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_mmap_user_home_content_files" lineno="2239"> +<interface name="userdom_mmap_user_home_content_files" lineno="2248"> <summary> Mmap user home files. </summary> @@ -109851,7 +110775,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_home_content_files" lineno="2258"> +<interface name="userdom_read_user_home_content_files" lineno="2267"> <summary> Read user home files. </summary> @@ -109861,7 +110785,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2277"> +<interface name="userdom_dontaudit_read_user_home_content_files" lineno="2286"> <summary> Do not audit attempts to read user home files. </summary> @@ -109871,7 +110795,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_all_user_home_content" lineno="2296"> +<interface name="userdom_read_all_user_home_content" lineno="2305"> <summary> Read all user home content, including application-specific resources. </summary> @@ -109881,7 +110805,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_manage_all_user_home_content" lineno="2318"> +<interface name="userdom_manage_all_user_home_content" lineno="2327"> <summary> Manage all user home content, including application-specific resources. </summary> 
@@ -109891,7 +110815,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_map_all_user_home_content_files" lineno="2340"> +<interface name="userdom_map_all_user_home_content_files" lineno="2349"> <summary> Map all user home content, including application-specific resources. </summary> @@ -109901,7 +110825,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2358"> +<interface name="userdom_dontaudit_append_user_home_content_files" lineno="2367"> <summary> Do not audit attempts to append user home files. </summary> @@ -109911,7 +110835,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2376"> +<interface name="userdom_dontaudit_write_user_home_content_files" lineno="2385"> <summary> Do not audit attempts to write user home files. </summary> @@ -109921,7 +110845,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_files" lineno="2394"> +<interface name="userdom_delete_all_user_home_content_files" lineno="2403"> <summary> Delete all user home content files. </summary> @@ -109931,7 +110855,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_files" lineno="2414"> +<interface name="userdom_delete_user_home_content_files" lineno="2423"> <summary> Delete files in a user home subdirectory. </summary> @@ -109941,7 +110865,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_generic_user_home_dirs" lineno="2432"> +<interface name="userdom_relabel_generic_user_home_dirs" lineno="2441"> <summary> Relabel generic user home dirs. </summary> 
@@ -109951,7 +110875,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_generic_user_home_files" lineno="2450"> +<interface name="userdom_relabel_generic_user_home_files" lineno="2459"> <summary> Relabel generic user home files. </summary> @@ -109961,7 +110885,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2468"> +<interface name="userdom_dontaudit_relabel_user_home_content_files" lineno="2477"> <summary> Do not audit attempts to relabel user home files. </summary> @@ -109971,7 +110895,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_home_content_symlinks" lineno="2486"> +<interface name="userdom_read_user_home_content_symlinks" lineno="2495"> <summary> Read user home subdirectory symbolic links. </summary> @@ -109981,7 +110905,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_exec_user_home_content_files" lineno="2506"> +<interface name="userdom_exec_user_home_content_files" lineno="2515"> <summary> Execute user home files. </summary> @@ -109992,7 +110916,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2533"> +<interface name="userdom_dontaudit_exec_user_home_content_files" lineno="2542"> <summary> Do not audit attempts to execute user home files. </summary> @@ -110002,7 +110926,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_files" lineno="2552"> +<interface name="userdom_manage_user_home_content_files" lineno="2561"> <summary> Create, read, write, and delete files in a user home subdirectory. 
@@ -110013,7 +110937,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2573"> +<interface name="userdom_dontaudit_manage_user_home_content_dirs" lineno="2582"> <summary> Do not audit attempts to create, read, write, and delete directories in a user home subdirectory. @@ -110024,7 +110948,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_symlinks" lineno="2592"> +<interface name="userdom_manage_user_home_content_symlinks" lineno="2601"> <summary> Create, read, write, and delete symbolic links in a user home subdirectory. @@ -110035,7 +110959,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2612"> +<interface name="userdom_delete_all_user_home_content_symlinks" lineno="2621"> <summary> Delete all user home content symbolic links. </summary> @@ -110045,7 +110969,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_home_content_symlinks" lineno="2632"> +<interface name="userdom_delete_user_home_content_symlinks" lineno="2641"> <summary> Delete symbolic links in a user home directory. </summary> @@ -110055,7 +110979,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_pipes" lineno="2651"> +<interface name="userdom_manage_user_home_content_pipes" lineno="2660"> <summary> Create, read, write, and delete named pipes in a user home subdirectory. @@ -110066,7 +110990,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_home_content_sockets" lineno="2672"> +<interface name="userdom_manage_user_home_content_sockets" lineno="2681"> <summary> Create, read, write, and delete named sockets in a user home subdirectory. 
@@ -110077,7 +111001,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans" lineno="2709"> +<interface name="userdom_user_home_dir_filetrans" lineno="2718"> <summary> Create objects in a user home directory with an automatic type transition to @@ -110104,7 +111028,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_content_filetrans" lineno="2746"> +<interface name="userdom_user_home_content_filetrans" lineno="2755"> <summary> Create objects in a directory located in a user home directory with an @@ -110132,7 +111056,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2777"> +<interface name="userdom_user_home_dir_filetrans_user_cert" lineno="2786"> <summary> Automatically use the user_cert_t label for selected resources created in a users home directory @@ -110153,7 +111077,7 @@ Name of the resource that is being created </summary> </param> </interface> -<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2807"> +<interface name="userdom_user_home_dir_filetrans_user_home_content" lineno="2816"> <summary> Create objects in a user home directory with an automatic type transition to @@ -110175,7 +111099,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_exec_user_bin_files" lineno="2826"> +<interface name="userdom_exec_user_bin_files" lineno="2835"> <summary> Execute user executable files. </summary> @@ -110185,7 +111109,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_bin" lineno="2846"> +<interface name="userdom_manage_user_bin" lineno="2855"> <summary> Manage user executable files. </summary> 
@@ -110195,7 +111119,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_certs" lineno="2868"> +<interface name="userdom_read_user_certs" lineno="2877"> <summary> Read user SSL certificates. </summary> @@ -110206,7 +111130,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_dontaudit_manage_user_certs" lineno="2891"> +<interface name="userdom_dontaudit_manage_user_certs" lineno="2900"> <summary> Do not audit attempts to manage the user SSL certificates. @@ -110218,7 +111142,7 @@ Domain allowed access. </param> <rolecap/> </interface> -<interface name="userdom_manage_user_certs" lineno="2911"> +<interface name="userdom_manage_user_certs" lineno="2920"> <summary> Manage user SSL certificates. </summary> @@ -110228,7 +111152,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_write_user_tmp_sockets" lineno="2932"> +<interface name="userdom_write_user_tmp_sockets" lineno="2941"> <summary> Write to user temporary named sockets. </summary> @@ -110238,7 +111162,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_user_tmp" lineno="2952"> +<interface name="userdom_list_user_tmp" lineno="2961"> <summary> List user temporary directories. </summary> @@ -110248,7 +111172,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_list_user_tmp" lineno="2974"> +<interface name="userdom_dontaudit_list_user_tmp" lineno="2983"> <summary> Do not audit attempts to list user temporary directories. @@ -110259,7 +111183,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_dirs" lineno="2992"> +<interface name="userdom_delete_user_tmp_dirs" lineno="3001"> <summary> Delete users temporary directories. </summary> 
@@ -110269,7 +111193,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3011"> +<interface name="userdom_dontaudit_manage_user_tmp_dirs" lineno="3020"> <summary> Do not audit attempts to manage users temporary directories. @@ -110280,7 +111204,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_tmp_files" lineno="3029"> +<interface name="userdom_read_user_tmp_files" lineno="3038"> <summary> Read user temporary files. </summary> @@ -110290,7 +111214,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_map_user_tmp_files" lineno="3050"> +<interface name="userdom_map_user_tmp_files" lineno="3059"> <summary> Map user temporary files. </summary> @@ -110300,7 +111224,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3069"> +<interface name="userdom_dontaudit_read_user_tmp_files" lineno="3078"> <summary> Do not audit attempts to read users temporary files. @@ -110311,7 +111235,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3088"> +<interface name="userdom_dontaudit_append_user_tmp_files" lineno="3097"> <summary> Do not audit attempts to append users temporary files. @@ -110322,7 +111246,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_rw_user_tmp_files" lineno="3106"> +<interface name="userdom_rw_user_tmp_files" lineno="3115"> <summary> Read and write user temporary files. </summary> @@ -110332,7 +111256,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_files" lineno="3127"> +<interface name="userdom_delete_user_tmp_files" lineno="3136"> <summary> Delete users temporary files. </summary> 
@@ -110342,7 +111266,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3146"> +<interface name="userdom_dontaudit_manage_user_tmp_files" lineno="3155"> <summary> Do not audit attempts to manage users temporary files. @@ -110353,7 +111277,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_user_tmp_symlinks" lineno="3164"> +<interface name="userdom_read_user_tmp_symlinks" lineno="3173"> <summary> Read user temporary symbolic links. </summary> @@ -110363,7 +111287,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_symlinks" lineno="3185"> +<interface name="userdom_delete_user_tmp_symlinks" lineno="3194"> <summary> Delete users temporary symbolic links. </summary> @@ -110373,7 +111297,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_dirs" lineno="3204"> +<interface name="userdom_manage_user_tmp_dirs" lineno="3213"> <summary> Create, read, write, and delete user temporary directories. @@ -110384,7 +111308,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_named_pipes" lineno="3224"> +<interface name="userdom_delete_user_tmp_named_pipes" lineno="3233"> <summary> Delete users temporary named pipes. </summary> @@ -110394,7 +111318,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_files" lineno="3243"> +<interface name="userdom_manage_user_tmp_files" lineno="3252"> <summary> Create, read, write, and delete user temporary files. @@ -110405,7 +111329,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmp_named_sockets" lineno="3263"> +<interface name="userdom_delete_user_tmp_named_sockets" lineno="3272"> <summary> Delete users temporary named sockets. </summary> 
@@ -110415,7 +111339,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_symlinks" lineno="3282"> +<interface name="userdom_manage_user_tmp_symlinks" lineno="3291"> <summary> Create, read, write, and delete user temporary symbolic links. @@ -110426,7 +111350,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3303"> +<interface name="userdom_dontaudit_rw_user_tmp_pipes" lineno="3312"> <summary> Do not audit attempts to read and write temporary pipes. @@ -110437,7 +111361,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_pipes" lineno="3322"> +<interface name="userdom_manage_user_tmp_pipes" lineno="3331"> <summary> Create, read, write, and delete user temporary named pipes. @@ -110448,7 +111372,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_sockets" lineno="3343"> +<interface name="userdom_manage_user_tmp_sockets" lineno="3352"> <summary> Create, read, write, and delete user temporary named sockets. @@ -110459,7 +111383,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_tmp_filetrans" lineno="3380"> +<interface name="userdom_user_tmp_filetrans" lineno="3389"> <summary> Create objects in a user temporary directory with an automatic type transition to @@ -110486,7 +111410,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_tmp_filetrans_user_tmp" lineno="3412"> +<interface name="userdom_tmp_filetrans_user_tmp" lineno="3421"> <summary> Create objects in the temporary directory with an automatic type transition to 
@@ -110508,7 +111432,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_map_user_tmpfs_files" lineno="3430"> +<interface name="userdom_map_user_tmpfs_files" lineno="3439"> <summary> Map user tmpfs files. </summary> @@ -110518,7 +111442,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_user_tmpfs_files" lineno="3448"> +<interface name="userdom_read_user_tmpfs_files" lineno="3457"> <summary> Read user tmpfs files. </summary> @@ -110528,7 +111452,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3468"> +<interface name="userdom_dontaudit_read_user_tmpfs_files" lineno="3477"> <summary> dontaudit Read attempts of user tmpfs files. </summary> @@ -110538,7 +111462,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3487"> +<interface name="userdom_dontaudit_execute_user_tmpfs_files" lineno="3496"> +<summary> +dontaudit Execution attempts of user tmpfs files. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="userdom_relabel_user_tmpfs_dirs" lineno="3514"> <summary> relabel to/from user tmpfs dirs </summary> @@ -110548,7 +111482,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_tmpfs_files" lineno="3506"> +<interface name="userdom_relabel_user_tmpfs_files" lineno="3533"> <summary> relabel to/from user tmpfs files </summary> @@ -110558,7 +111492,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_user_runtime_content" lineno="3528"> +<interface name="userdom_user_runtime_content" lineno="3555"> <summary> Make the specified type usable in the directory /run/user/%{USERID}/. 
@@ -110570,7 +111504,7 @@ user_runtime_content_dir_t. </summary> </param> </interface> -<interface name="userdom_search_user_runtime" lineno="3548"> +<interface name="userdom_search_user_runtime" lineno="3575"> <summary> Search users runtime directories. </summary> @@ -110580,7 +111514,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_user_runtime_root" lineno="3567"> +<interface name="userdom_search_user_runtime_root" lineno="3594"> <summary> Search user runtime root directories. </summary> @@ -110590,7 +111524,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3587"> +<interface name="userdom_dontaudit_search_user_runtime_root" lineno="3614"> <summary> Do not audit attempts to search user runtime root directories. @@ -110601,7 +111535,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_manage_user_runtime_root_dirs" lineno="3606"> +<interface name="userdom_manage_user_runtime_root_dirs" lineno="3633"> <summary> Create, read, write, and delete user runtime root dirs. @@ -110612,7 +111546,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3625"> +<interface name="userdom_relabel_user_runtime_root_dirs" lineno="3652"> <summary> Relabel to and from user runtime root dirs. </summary> @@ -110622,7 +111556,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_runtime_dirs" lineno="3644"> +<interface name="userdom_manage_user_runtime_dirs" lineno="3671"> <summary> Create, read, write, and delete user runtime dirs. 
@@ -110633,7 +111567,17 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_mounton_user_runtime_dirs" lineno="3664"> +<interface name="userdom_watch_user_runtime_dirs" lineno="3690"> +<summary> +Watch user runtime dirs. +</summary> +<param name="domain"> +<summary> +Domain allowed access. +</summary> +</param> +</interface> +<interface name="userdom_mounton_user_runtime_dirs" lineno="3710"> <summary> Mount a filesystem on user runtime dir directories. @@ -110644,7 +111588,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabelto_user_runtime_dirs" lineno="3682"> +<interface name="userdom_relabelto_user_runtime_dirs" lineno="3728"> <summary> Relabel to user runtime directories. </summary> @@ -110654,7 +111598,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3700"> +<interface name="userdom_relabelfrom_user_runtime_dirs" lineno="3746"> <summary> Relabel from user runtime directories. </summary> @@ -110664,7 +111608,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3718"> +<interface name="userdom_write_all_user_runtime_named_sockets" lineno="3764"> <summary> write user runtime socket files </summary> @@ -110674,7 +111618,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_runtime_files" lineno="3737"> +<interface name="userdom_delete_user_runtime_files" lineno="3783"> <summary> delete user runtime files </summary> @@ -110684,7 +111628,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_all_user_runtime" lineno="3756"> +<interface name="userdom_search_all_user_runtime" lineno="3802"> <summary> Search users runtime directories. </summary> 
@@ -110694,7 +111638,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_list_all_user_runtime" lineno="3775"> +<interface name="userdom_list_all_user_runtime" lineno="3821"> <summary> List user runtime directories. </summary> @@ -110704,7 +111648,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_dirs" lineno="3794"> +<interface name="userdom_delete_all_user_runtime_dirs" lineno="3840"> <summary> delete user runtime directories </summary> @@ -110714,7 +111658,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_files" lineno="3812"> +<interface name="userdom_delete_all_user_runtime_files" lineno="3858"> <summary> delete user runtime files </summary> @@ -110724,7 +111668,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3830"> +<interface name="userdom_delete_all_user_runtime_symlinks" lineno="3876"> <summary> delete user runtime symlink files </summary> @@ -110734,7 +111678,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3848"> +<interface name="userdom_delete_all_user_runtime_named_pipes" lineno="3894"> <summary> delete user runtime fifo files </summary> @@ -110744,7 +111688,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3866"> +<interface name="userdom_delete_all_user_runtime_named_sockets" lineno="3912"> <summary> delete user runtime socket files </summary> @@ -110754,7 +111698,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3884"> +<interface name="userdom_delete_all_user_runtime_blk_files" lineno="3930"> <summary> delete user runtime blk files </summary> 
@@ -110764,7 +111708,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3902"> +<interface name="userdom_delete_all_user_runtime_chr_files" lineno="3948"> <summary> delete user runtime chr files </summary> @@ -110774,7 +111718,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3932"> +<interface name="userdom_runtime_filetrans_user_runtime_root" lineno="3978"> <summary> Create objects in the runtime directory with an automatic type transition to @@ -110796,7 +111740,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_filetrans" lineno="3968"> +<interface name="userdom_user_runtime_filetrans" lineno="4014"> <summary> Create objects in a user runtime directory with an automatic type @@ -110824,7 +111768,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="3999"> +<interface name="userdom_user_runtime_filetrans_user_tmp" lineno="4045"> <summary> Create objects in the user runtime directory with an automatic type transition to @@ -110846,7 +111790,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4029"> +<interface name="userdom_user_runtime_root_filetrans_user_runtime" lineno="4075"> <summary> Create objects in the user runtime root directory with an automatic type transition @@ -110868,7 +111812,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_user_run_filetrans_user_runtime" lineno="4060"> +<interface name="userdom_user_run_filetrans_user_runtime" lineno="4106"> <summary> Create objects in the user runtime root directory with an automatic type transition 
@@ -110890,7 +111834,7 @@ The name of the object being created. </summary> </param> </interface> -<interface name="userdom_rw_user_tmpfs_files" lineno="4078"> +<interface name="userdom_rw_user_tmpfs_files" lineno="4124"> <summary> Read and write user tmpfs files. </summary> @@ -110900,7 +111844,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_delete_user_tmpfs_files" lineno="4099"> +<interface name="userdom_delete_user_tmpfs_files" lineno="4145"> <summary> Delete user tmpfs files. </summary> @@ -110910,7 +111854,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmpfs_files" lineno="4118"> +<interface name="userdom_manage_user_tmpfs_files" lineno="4164"> <summary> Create, read, write, and delete user tmpfs files. </summary> @@ -110920,7 +111864,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_user_ttys" lineno="4138"> +<interface name="userdom_getattr_user_ttys" lineno="4184"> <summary> Get the attributes of a user domain tty. </summary> @@ -110930,7 +111874,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4156"> +<interface name="userdom_dontaudit_getattr_user_ttys" lineno="4202"> <summary> Do not audit attempts to get the attributes of a user domain tty. </summary> @@ -110940,7 +111884,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_setattr_user_ttys" lineno="4174"> +<interface name="userdom_setattr_user_ttys" lineno="4220"> <summary> Set the attributes of a user domain tty. </summary> @@ -110950,7 +111894,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4192"> +<interface name="userdom_dontaudit_setattr_user_ttys" lineno="4238"> <summary> Do not audit attempts to set the attributes of a user domain tty. </summary> 
@@ -110960,7 +111904,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_use_user_ttys" lineno="4210"> +<interface name="userdom_use_user_ttys" lineno="4256"> <summary> Read and write a user domain tty. </summary> @@ -110970,7 +111914,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_user_ptys" lineno="4228"> +<interface name="userdom_use_user_ptys" lineno="4274"> <summary> Read and write a user domain pty. </summary> @@ -110980,7 +111924,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_inherited_user_terminals" lineno="4263"> +<interface name="userdom_use_inherited_user_terminals" lineno="4309"> <summary> Read and write a user TTYs and PTYs. </summary> @@ -111006,7 +111950,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="userdom_use_user_terminals" lineno="4304"> +<interface name="userdom_use_user_terminals" lineno="4350"> <summary> Read, write and open a user TTYs and PTYs. </summary> @@ -111038,7 +111982,7 @@ Domain allowed access. </param> <infoflow type="both" weight="10"/> </interface> -<interface name="userdom_dontaudit_use_user_terminals" lineno="4320"> +<interface name="userdom_dontaudit_use_user_terminals" lineno="4366"> <summary> Do not audit attempts to read and write a user domain tty and pty. @@ -111049,7 +111993,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_lock_user_terminals" lineno="4339"> +<interface name="userdom_lock_user_terminals" lineno="4385"> <summary> Lock user TTYs and PTYs. </summary> @@ -111059,7 +112003,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_spec_domtrans_all_users" lineno="4360"> +<interface name="userdom_spec_domtrans_all_users" lineno="4406"> <summary> Execute a shell in all user domains. This is an explicit transition, requiring the 
@@ -111071,7 +112015,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4383"> +<interface name="userdom_xsession_spec_domtrans_all_users" lineno="4429"> <summary> Execute an Xserver session in all user domains. This is an explicit transition, requiring the @@ -111083,7 +112027,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_spec_domtrans_unpriv_users" lineno="4406"> +<interface name="userdom_spec_domtrans_unpriv_users" lineno="4452"> <summary> Execute a shell in all unprivileged user domains. This is an explicit transition, requiring the @@ -111095,7 +112039,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4429"> +<interface name="userdom_xsession_spec_domtrans_unpriv_users" lineno="4475"> <summary> Execute an Xserver session in all unprivileged user domains. This is an explicit transition, requiring the @@ -111107,7 +112051,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_rw_unpriv_user_semaphores" lineno="4450"> +<interface name="userdom_rw_unpriv_user_semaphores" lineno="4496"> <summary> Read and write unpriviledged user SysV sempaphores. </summary> @@ -111117,7 +112061,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_unpriv_user_semaphores" lineno="4468"> +<interface name="userdom_manage_unpriv_user_semaphores" lineno="4514"> <summary> Manage unpriviledged user SysV sempaphores. </summary> @@ -111127,7 +112071,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4487"> +<interface name="userdom_rw_unpriv_user_shared_mem" lineno="4533"> <summary> Read and write unpriviledged user SysV shared memory segments. 
@@ -111138,7 +112082,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4506"> +<interface name="userdom_manage_unpriv_user_shared_mem" lineno="4552"> <summary> Manage unpriviledged user SysV shared memory segments. @@ -111149,7 +112093,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4526"> +<interface name="userdom_bin_spec_domtrans_unpriv_users" lineno="4572"> <summary> Execute bin_t in the unprivileged user domains. This is an explicit transition, requiring the @@ -111161,7 +112105,7 @@ Domain allowed to transition. </summary> </param> </interface> -<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4549"> +<interface name="userdom_entry_spec_domtrans_unpriv_users" lineno="4595"> <summary> Execute all entrypoint files in unprivileged user domains. This is an explicit transition, requiring the @@ -111173,7 +112117,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_search_user_home_content" lineno="4570"> +<interface name="userdom_search_user_home_content" lineno="4616"> <summary> Search users home directories. </summary> @@ -111183,7 +112127,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_watch_user_home_dirs" lineno="4589"> +<interface name="userdom_watch_user_home_dirs" lineno="4635"> <summary> watch users home directories. </summary> @@ -111193,7 +112137,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_signull_unpriv_users" lineno="4607"> +<interface name="userdom_signull_unpriv_users" lineno="4653"> <summary> Send signull to unprivileged user domains. </summary> 
@@ -111203,7 +112147,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_signal_unpriv_users" lineno="4625"> +<interface name="userdom_signal_unpriv_users" lineno="4671"> <summary> Send general signals to unprivileged user domains. </summary> @@ -111213,7 +112157,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_unpriv_users_fds" lineno="4643"> +<interface name="userdom_use_unpriv_users_fds" lineno="4689"> <summary> Inherit the file descriptors from unprivileged user domains. </summary> @@ -111223,7 +112167,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4671"> +<interface name="userdom_dontaudit_use_unpriv_user_fds" lineno="4717"> <summary> Do not audit attempts to inherit the file descriptors from unprivileged user domains. @@ -111243,7 +112187,7 @@ Domain to not audit. </param> <infoflow type="none"/> </interface> -<interface name="userdom_dontaudit_use_user_ptys" lineno="4689"> +<interface name="userdom_dontaudit_use_user_ptys" lineno="4735"> <summary> Do not audit attempts to use user ptys. </summary> @@ -111253,7 +112197,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_relabelto_user_ptys" lineno="4707"> +<interface name="userdom_relabelto_user_ptys" lineno="4753"> <summary> Relabel files to unprivileged user pty types. </summary> @@ -111263,7 +112207,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4726"> +<interface name="userdom_dontaudit_relabelfrom_user_ptys" lineno="4772"> <summary> Do not audit attempts to relabel files from user pty types. 
@@ -111274,7 +112218,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_write_user_tmp_files" lineno="4744"> +<interface name="userdom_write_user_tmp_files" lineno="4790"> <summary> Write all users files in /tmp </summary> @@ -111284,7 +112228,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4763"> +<interface name="userdom_dontaudit_write_user_tmp_files" lineno="4809"> <summary> Do not audit attempts to write users temporary files. @@ -111295,7 +112239,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_user_ttys" lineno="4781"> +<interface name="userdom_dontaudit_use_user_ttys" lineno="4827"> <summary> Do not audit attempts to use user ttys. </summary> @@ -111305,7 +112249,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_read_all_users_state" lineno="4799"> +<interface name="userdom_read_all_users_state" lineno="4845"> <summary> Read the process state of all user domains. </summary> @@ -111315,7 +112259,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_getattr_all_users" lineno="4819"> +<interface name="userdom_getattr_all_users" lineno="4865"> <summary> Get the attributes of all user domains. </summary> @@ -111325,7 +112269,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_use_all_users_fds" lineno="4837"> +<interface name="userdom_use_all_users_fds" lineno="4883"> <summary> Inherit the file descriptors from all user domains </summary> @@ -111335,7 +112279,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dontaudit_use_all_users_fds" lineno="4856"> +<interface name="userdom_dontaudit_use_all_users_fds" lineno="4902"> <summary> Do not audit attempts to inherit the file descriptors from any user domains. 
@@ -111346,7 +112290,7 @@ Domain to not audit. </summary> </param> </interface> -<interface name="userdom_signal_all_users" lineno="4874"> +<interface name="userdom_signal_all_users" lineno="4920"> <summary> Send general signals to all user domains. </summary> @@ -111356,7 +112300,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_sigchld_all_users" lineno="4892"> +<interface name="userdom_sigchld_all_users" lineno="4938"> <summary> Send a SIGCHLD signal to all user domains. </summary> @@ -111366,7 +112310,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_read_all_users_keys" lineno="4910"> +<interface name="userdom_read_all_users_keys" lineno="4956"> <summary> Read keys for all user domains. </summary> @@ -111376,7 +112320,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_write_all_users_keys" lineno="4928"> +<interface name="userdom_write_all_users_keys" lineno="4974"> <summary> Write keys for all user domains. </summary> @@ -111386,7 +112330,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_rw_all_users_keys" lineno="4946"> +<interface name="userdom_rw_all_users_keys" lineno="4992"> <summary> Read and write keys for all user domains. </summary> @@ -111396,7 +112340,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_create_all_users_keys" lineno="4964"> +<interface name="userdom_create_all_users_keys" lineno="5010"> <summary> Create keys for all user domains. </summary> @@ -111406,7 +112350,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_all_users_keys" lineno="4982"> +<interface name="userdom_manage_all_users_keys" lineno="5028"> <summary> Manage keys for all user domains. </summary> 
@@ -111416,7 +112360,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_dbus_send_all_users" lineno="5000"> +<interface name="userdom_dbus_send_all_users" lineno="5046"> <summary> Send a dbus message to all user domains. </summary> @@ -111426,7 +112370,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_manage_user_tmp_chr_files" lineno="5022"> +<interface name="userdom_manage_user_tmp_chr_files" lineno="5068"> <summary> Create, read, write, and delete user temporary character files. @@ -111437,7 +112381,7 @@ Domain allowed access. </summary> </param> </interface> -<interface name="userdom_relabel_user_certs" lineno="5043"> +<interface name="userdom_relabel_user_certs" lineno="5089"> <summary> Allow relabeling resources to user_cert_t </summary> @@ -111447,7 +112391,7 @@ Domain allowed access </summary> </param> </interface> -<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5066"> +<interface name="userdom_dontaudit_rw_all_users_stream_sockets" lineno="5112"> <summary> Do not audit attempts to read and write unserdomain stream. |