commit: cecb7fe66611d6e51bec44507fdda4ef2fcc4808 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Sat Feb 6 21:18:02 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 21:18:02 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cecb7fe6 |
|
Update generated policy and doc files |
|
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
doc/policy.xml | 779 +++++++++++++++++++++-------------- |
policy/booleans.conf | 6 + |
policy/modules/kernel/corenetwork.te | 2 +- |
3 files changed, 484 insertions(+), 303 deletions(-) |
|
17 |
diff --git a/doc/policy.xml b/doc/policy.xml |
18 |
index 0537d461..3c0809a4 100644 |
19 |
--- a/doc/policy.xml |
20 |
+++ b/doc/policy.xml |
21 |
@@ -85508,7 +85508,17 @@ Domain allowed access. |
22 |
</summary> |
23 |
</param> |
24 |
</interface> |
25 |
-<interface name="kernel_mounton_proc" lineno="924"> |
26 |
+<interface name="kernel_dontaudit_getattr_proc" lineno="923"> |
27 |
+<summary> |
28 |
+Do not audit attempts to get the attributes of the proc filesystem. |
29 |
+</summary> |
30 |
+<param name="domain"> |
31 |
+<summary> |
32 |
+Domain to not audit. |
33 |
+</summary> |
34 |
+</param> |
35 |
+</interface> |
36 |
+<interface name="kernel_mounton_proc" lineno="942"> |
37 |
<summary> |
38 |
Mount on proc directories. |
39 |
</summary> |
40 |
@@ -85519,7 +85529,7 @@ Domain allowed access. |
41 |
</param> |
42 |
<rolecap/> |
43 |
</interface> |
44 |
-<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="943"> |
45 |
+<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="961"> |
46 |
<summary> |
47 |
Do not audit attempts to set the |
48 |
attributes of directories in /proc. |
49 |
@@ -85530,7 +85540,7 @@ Domain to not audit. |
50 |
</summary> |
51 |
</param> |
52 |
</interface> |
53 |
-<interface name="kernel_search_proc" lineno="961"> |
54 |
+<interface name="kernel_search_proc" lineno="979"> |
55 |
<summary> |
56 |
Search directories in /proc. |
57 |
</summary> |
58 |
@@ -85540,7 +85550,7 @@ Domain allowed access. |
59 |
</summary> |
60 |
</param> |
61 |
</interface> |
62 |
-<interface name="kernel_list_proc" lineno="979"> |
63 |
+<interface name="kernel_list_proc" lineno="997"> |
64 |
<summary> |
65 |
List the contents of directories in /proc. |
66 |
</summary> |
67 |
@@ -85550,7 +85560,7 @@ Domain allowed access. |
68 |
</summary> |
69 |
</param> |
70 |
</interface> |
71 |
-<interface name="kernel_dontaudit_list_proc" lineno="998"> |
72 |
+<interface name="kernel_dontaudit_list_proc" lineno="1016"> |
73 |
<summary> |
74 |
Do not audit attempts to list the |
75 |
contents of directories in /proc. |
76 |
@@ -85561,7 +85571,7 @@ Domain to not audit. |
77 |
</summary> |
78 |
</param> |
79 |
</interface> |
80 |
-<interface name="kernel_dontaudit_write_proc_dirs" lineno="1017"> |
81 |
+<interface name="kernel_dontaudit_write_proc_dirs" lineno="1035"> |
82 |
<summary> |
83 |
Do not audit attempts to write the |
84 |
directories in /proc. |
85 |
@@ -85572,7 +85582,7 @@ Domain to not audit. |
86 |
</summary> |
87 |
</param> |
88 |
</interface> |
89 |
-<interface name="kernel_mounton_proc_dirs" lineno="1035"> |
90 |
+<interface name="kernel_mounton_proc_dirs" lineno="1053"> |
91 |
<summary> |
92 |
Mount the directories in /proc. |
93 |
</summary> |
94 |
@@ -85582,7 +85592,7 @@ Domain allowed access. |
95 |
</summary> |
96 |
</param> |
97 |
</interface> |
98 |
-<interface name="kernel_getattr_proc_files" lineno="1053"> |
99 |
+<interface name="kernel_getattr_proc_files" lineno="1071"> |
100 |
<summary> |
101 |
Get the attributes of files in /proc. |
102 |
</summary> |
103 |
@@ -85592,7 +85602,7 @@ Domain allowed access. |
104 |
</summary> |
105 |
</param> |
106 |
</interface> |
107 |
-<interface name="kernel_read_proc_symlinks" lineno="1080"> |
108 |
+<interface name="kernel_read_proc_symlinks" lineno="1098"> |
109 |
<summary> |
110 |
Read generic symbolic links in /proc. |
111 |
</summary> |
112 |
@@ -85611,7 +85621,7 @@ Domain allowed access. |
113 |
</param> |
114 |
<infoflow type="read" weight="10"/> |
115 |
</interface> |
116 |
-<interface name="kernel_read_system_state" lineno="1119"> |
117 |
+<interface name="kernel_read_system_state" lineno="1137"> |
118 |
<summary> |
119 |
Allows caller to read system state information in /proc. |
120 |
</summary> |
121 |
@@ -85642,7 +85652,7 @@ Domain allowed access. |
122 |
<infoflow type="read" weight="10"/> |
123 |
<rolecap/> |
124 |
</interface> |
125 |
-<interface name="kernel_write_proc_files" lineno="1145"> |
126 |
+<interface name="kernel_write_proc_files" lineno="1163"> |
127 |
<summary> |
128 |
Write to generic proc entries. |
129 |
</summary> |
130 |
@@ -85653,7 +85663,7 @@ Domain allowed access. |
131 |
</param> |
132 |
<rolecap/> |
133 |
</interface> |
134 |
-<interface name="kernel_dontaudit_read_system_state" lineno="1164"> |
135 |
+<interface name="kernel_dontaudit_read_system_state" lineno="1182"> |
136 |
<summary> |
137 |
Do not audit attempts by caller to |
138 |
read system state information in proc. |
139 |
@@ -85664,7 +85674,7 @@ Domain to not audit. |
140 |
</summary> |
141 |
</param> |
142 |
</interface> |
143 |
-<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1183"> |
144 |
+<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1201"> |
145 |
<summary> |
146 |
Do not audit attempts by caller to |
147 |
read symbolic links in proc. |
148 |
@@ -85675,7 +85685,7 @@ Domain to not audit. |
149 |
</summary> |
150 |
</param> |
151 |
</interface> |
152 |
-<interface name="kernel_rw_afs_state" lineno="1202"> |
153 |
+<interface name="kernel_rw_afs_state" lineno="1220"> |
154 |
<summary> |
155 |
Allow caller to read and write state information for AFS. |
156 |
</summary> |
157 |
@@ -85686,7 +85696,7 @@ Domain allowed access. |
158 |
</param> |
159 |
<rolecap/> |
160 |
</interface> |
161 |
-<interface name="kernel_read_software_raid_state" lineno="1222"> |
162 |
+<interface name="kernel_read_software_raid_state" lineno="1240"> |
163 |
<summary> |
164 |
Allow caller to read the state information for software raid. |
165 |
</summary> |
166 |
@@ -85697,7 +85707,7 @@ Domain allowed access. |
167 |
</param> |
168 |
<rolecap/> |
169 |
</interface> |
170 |
-<interface name="kernel_rw_software_raid_state" lineno="1242"> |
171 |
+<interface name="kernel_rw_software_raid_state" lineno="1260"> |
172 |
<summary> |
173 |
Allow caller to read and set the state information for software raid. |
174 |
</summary> |
175 |
@@ -85707,7 +85717,7 @@ Domain allowed access. |
176 |
</summary> |
177 |
</param> |
178 |
</interface> |
179 |
-<interface name="kernel_getattr_core_if" lineno="1262"> |
180 |
+<interface name="kernel_getattr_core_if" lineno="1280"> |
181 |
<summary> |
182 |
Allows caller to get attributes of core kernel interface. |
183 |
</summary> |
184 |
@@ -85717,7 +85727,7 @@ Domain allowed access. |
185 |
</summary> |
186 |
</param> |
187 |
</interface> |
188 |
-<interface name="kernel_dontaudit_getattr_core_if" lineno="1283"> |
189 |
+<interface name="kernel_dontaudit_getattr_core_if" lineno="1301"> |
190 |
<summary> |
191 |
Do not audit attempts to get the attributes of |
192 |
core kernel interfaces. |
193 |
@@ -85728,7 +85738,7 @@ Domain to not audit. |
194 |
</summary> |
195 |
</param> |
196 |
</interface> |
197 |
-<interface name="kernel_read_core_if" lineno="1301"> |
198 |
+<interface name="kernel_read_core_if" lineno="1319"> |
199 |
<summary> |
200 |
Allows caller to read the core kernel interface. |
201 |
</summary> |
202 |
@@ -85738,7 +85748,7 @@ Domain allowed access. |
203 |
</summary> |
204 |
</param> |
205 |
</interface> |
206 |
-<interface name="kernel_read_messages" lineno="1325"> |
207 |
+<interface name="kernel_read_messages" lineno="1343"> |
208 |
<summary> |
209 |
Allow caller to read kernel messages |
210 |
using the /proc/kmsg interface. |
211 |
@@ -85749,7 +85759,7 @@ Domain allowed access. |
212 |
</summary> |
213 |
</param> |
214 |
</interface> |
215 |
-<interface name="kernel_getattr_message_if" lineno="1347"> |
216 |
+<interface name="kernel_getattr_message_if" lineno="1365"> |
217 |
<summary> |
218 |
Allow caller to get the attributes of kernel message |
219 |
interface (/proc/kmsg). |
220 |
@@ -85760,7 +85770,7 @@ Domain allowed access. |
221 |
</summary> |
222 |
</param> |
223 |
</interface> |
224 |
-<interface name="kernel_dontaudit_getattr_message_if" lineno="1366"> |
225 |
+<interface name="kernel_dontaudit_getattr_message_if" lineno="1384"> |
226 |
<summary> |
227 |
Do not audit attempts by caller to get the attributes of kernel |
228 |
message interfaces. |
229 |
@@ -85771,7 +85781,7 @@ Domain to not audit. |
230 |
</summary> |
231 |
</param> |
232 |
</interface> |
233 |
-<interface name="kernel_mounton_message_if" lineno="1385"> |
234 |
+<interface name="kernel_mounton_message_if" lineno="1403"> |
235 |
<summary> |
236 |
Mount on kernel message interfaces files. |
237 |
</summary> |
238 |
@@ -85782,7 +85792,7 @@ Domain allowed access. |
239 |
</param> |
240 |
<rolecap/> |
241 |
</interface> |
242 |
-<interface name="kernel_dontaudit_search_network_state" lineno="1406"> |
243 |
+<interface name="kernel_dontaudit_search_network_state" lineno="1424"> |
244 |
<summary> |
245 |
Do not audit attempts to search the network |
246 |
state directory. |
247 |
@@ -85794,7 +85804,7 @@ Domain to not audit. |
248 |
</param> |
249 |
|
250 |
</interface> |
251 |
-<interface name="kernel_search_network_state" lineno="1425"> |
252 |
+<interface name="kernel_search_network_state" lineno="1443"> |
253 |
<summary> |
254 |
Allow searching of network state directory. |
255 |
</summary> |
256 |
@@ -85805,7 +85815,7 @@ Domain allowed access. |
257 |
</param> |
258 |
|
259 |
</interface> |
260 |
-<interface name="kernel_read_network_state" lineno="1455"> |
261 |
+<interface name="kernel_read_network_state" lineno="1473"> |
262 |
<summary> |
263 |
Read the network state information. |
264 |
</summary> |
265 |
@@ -85827,7 +85837,7 @@ Domain allowed access. |
266 |
<infoflow type="read" weight="10"/> |
267 |
<rolecap/> |
268 |
</interface> |
269 |
-<interface name="kernel_read_network_state_symlinks" lineno="1476"> |
270 |
+<interface name="kernel_read_network_state_symlinks" lineno="1494"> |
271 |
<summary> |
272 |
Allow caller to read the network state symbolic links. |
273 |
</summary> |
274 |
@@ -85837,7 +85847,7 @@ Domain allowed access. |
275 |
</summary> |
276 |
</param> |
277 |
</interface> |
278 |
-<interface name="kernel_search_xen_state" lineno="1497"> |
279 |
+<interface name="kernel_search_xen_state" lineno="1515"> |
280 |
<summary> |
281 |
Allow searching of xen state directory. |
282 |
</summary> |
283 |
@@ -85848,7 +85858,7 @@ Domain allowed access. |
284 |
</param> |
285 |
|
286 |
</interface> |
287 |
-<interface name="kernel_dontaudit_search_xen_state" lineno="1517"> |
288 |
+<interface name="kernel_dontaudit_search_xen_state" lineno="1535"> |
289 |
<summary> |
290 |
Do not audit attempts to search the xen |
291 |
state directory. |
292 |
@@ -85860,7 +85870,7 @@ Domain to not audit. |
293 |
</param> |
294 |
|
295 |
</interface> |
296 |
-<interface name="kernel_read_xen_state" lineno="1536"> |
297 |
+<interface name="kernel_read_xen_state" lineno="1554"> |
298 |
<summary> |
299 |
Allow caller to read the xen state information. |
300 |
</summary> |
301 |
@@ -85871,7 +85881,7 @@ Domain allowed access. |
302 |
</param> |
303 |
|
304 |
</interface> |
305 |
-<interface name="kernel_read_xen_state_symlinks" lineno="1558"> |
306 |
+<interface name="kernel_read_xen_state_symlinks" lineno="1576"> |
307 |
<summary> |
308 |
Allow caller to read the xen state symbolic links. |
309 |
</summary> |
310 |
@@ -85882,7 +85892,7 @@ Domain allowed access. |
311 |
</param> |
312 |
|
313 |
</interface> |
314 |
-<interface name="kernel_write_xen_state" lineno="1579"> |
315 |
+<interface name="kernel_write_xen_state" lineno="1597"> |
316 |
<summary> |
317 |
Allow caller to write xen state information. |
318 |
</summary> |
319 |
@@ -85893,7 +85903,7 @@ Domain allowed access. |
320 |
</param> |
321 |
|
322 |
</interface> |
323 |
-<interface name="kernel_list_all_proc" lineno="1597"> |
324 |
+<interface name="kernel_list_all_proc" lineno="1615"> |
325 |
<summary> |
326 |
Allow attempts to list all proc directories. |
327 |
</summary> |
328 |
@@ -85903,7 +85913,7 @@ Domain allowed access. |
329 |
</summary> |
330 |
</param> |
331 |
</interface> |
332 |
-<interface name="kernel_dontaudit_list_all_proc" lineno="1616"> |
333 |
+<interface name="kernel_dontaudit_list_all_proc" lineno="1634"> |
334 |
<summary> |
335 |
Do not audit attempts to list all proc directories. |
336 |
</summary> |
337 |
@@ -85913,7 +85923,7 @@ Domain to not audit. |
338 |
</summary> |
339 |
</param> |
340 |
</interface> |
341 |
-<interface name="kernel_dontaudit_search_sysctl" lineno="1637"> |
342 |
+<interface name="kernel_dontaudit_search_sysctl" lineno="1655"> |
343 |
<summary> |
344 |
Do not audit attempts by caller to search |
345 |
the base directory of sysctls. |
346 |
@@ -85925,7 +85935,7 @@ Domain to not audit. |
347 |
</param> |
348 |
|
349 |
</interface> |
350 |
-<interface name="kernel_mounton_sysctl_dirs" lineno="1656"> |
351 |
+<interface name="kernel_mounton_sysctl_dirs" lineno="1674"> |
352 |
<summary> |
353 |
Mount on sysctl_t dirs. |
354 |
</summary> |
355 |
@@ -85936,7 +85946,7 @@ Domain allowed access. |
356 |
</param> |
357 |
<rolecap/> |
358 |
</interface> |
359 |
-<interface name="kernel_read_sysctl" lineno="1676"> |
360 |
+<interface name="kernel_read_sysctl" lineno="1694"> |
361 |
<summary> |
362 |
Allow access to read sysctl directories. |
363 |
</summary> |
364 |
@@ -85947,7 +85957,7 @@ Domain allowed access. |
365 |
</param> |
366 |
|
367 |
</interface> |
368 |
-<interface name="kernel_mounton_sysctl_files" lineno="1696"> |
369 |
+<interface name="kernel_mounton_sysctl_files" lineno="1714"> |
370 |
<summary> |
371 |
Mount on sysctl files. |
372 |
</summary> |
373 |
@@ -85958,7 +85968,7 @@ Domain allowed access. |
374 |
</param> |
375 |
<rolecap/> |
376 |
</interface> |
377 |
-<interface name="kernel_read_device_sysctls" lineno="1716"> |
378 |
+<interface name="kernel_read_device_sysctls" lineno="1734"> |
379 |
<summary> |
380 |
Allow caller to read the device sysctls. |
381 |
</summary> |
382 |
@@ -85969,7 +85979,7 @@ Domain allowed access. |
383 |
</param> |
384 |
<rolecap/> |
385 |
</interface> |
386 |
-<interface name="kernel_rw_device_sysctls" lineno="1737"> |
387 |
+<interface name="kernel_rw_device_sysctls" lineno="1755"> |
388 |
<summary> |
389 |
Read and write device sysctls. |
390 |
</summary> |
391 |
@@ -85980,7 +85990,7 @@ Domain allowed access. |
392 |
</param> |
393 |
<rolecap/> |
394 |
</interface> |
395 |
-<interface name="kernel_search_vm_sysctl" lineno="1757"> |
396 |
+<interface name="kernel_search_vm_sysctl" lineno="1775"> |
397 |
<summary> |
398 |
Allow caller to search virtual memory sysctls. |
399 |
</summary> |
400 |
@@ -85990,7 +86000,7 @@ Domain allowed access. |
401 |
</summary> |
402 |
</param> |
403 |
</interface> |
404 |
-<interface name="kernel_read_vm_sysctls" lineno="1776"> |
405 |
+<interface name="kernel_read_vm_sysctls" lineno="1794"> |
406 |
<summary> |
407 |
Allow caller to read virtual memory sysctls. |
408 |
</summary> |
409 |
@@ -86001,7 +86011,7 @@ Domain allowed access. |
410 |
</param> |
411 |
<rolecap/> |
412 |
</interface> |
413 |
-<interface name="kernel_rw_vm_sysctls" lineno="1797"> |
414 |
+<interface name="kernel_rw_vm_sysctls" lineno="1815"> |
415 |
<summary> |
416 |
Read and write virtual memory sysctls. |
417 |
</summary> |
418 |
@@ -86012,7 +86022,7 @@ Domain allowed access. |
419 |
</param> |
420 |
<rolecap/> |
421 |
</interface> |
422 |
-<interface name="kernel_search_network_sysctl" lineno="1819"> |
423 |
+<interface name="kernel_search_network_sysctl" lineno="1837"> |
424 |
<summary> |
425 |
Search network sysctl directories. |
426 |
</summary> |
427 |
@@ -86022,7 +86032,7 @@ Domain allowed access. |
428 |
</summary> |
429 |
</param> |
430 |
</interface> |
431 |
-<interface name="kernel_dontaudit_search_network_sysctl" lineno="1837"> |
432 |
+<interface name="kernel_dontaudit_search_network_sysctl" lineno="1855"> |
433 |
<summary> |
434 |
Do not audit attempts by caller to search network sysctl directories. |
435 |
</summary> |
436 |
@@ -86032,7 +86042,7 @@ Domain to not audit. |
437 |
</summary> |
438 |
</param> |
439 |
</interface> |
440 |
-<interface name="kernel_read_net_sysctls" lineno="1856"> |
441 |
+<interface name="kernel_read_net_sysctls" lineno="1874"> |
442 |
<summary> |
443 |
Allow caller to read network sysctls. |
444 |
</summary> |
445 |
@@ -86043,7 +86053,7 @@ Domain allowed access. |
446 |
</param> |
447 |
<rolecap/> |
448 |
</interface> |
449 |
-<interface name="kernel_rw_net_sysctls" lineno="1877"> |
450 |
+<interface name="kernel_rw_net_sysctls" lineno="1895"> |
451 |
<summary> |
452 |
Allow caller to modiry contents of sysctl network files. |
453 |
</summary> |
454 |
@@ -86054,7 +86064,7 @@ Domain allowed access. |
455 |
</param> |
456 |
<rolecap/> |
457 |
</interface> |
458 |
-<interface name="kernel_read_unix_sysctls" lineno="1899"> |
459 |
+<interface name="kernel_read_unix_sysctls" lineno="1917"> |
460 |
<summary> |
461 |
Allow caller to read unix domain |
462 |
socket sysctls. |
463 |
@@ -86066,7 +86076,7 @@ Domain allowed access. |
464 |
</param> |
465 |
<rolecap/> |
466 |
</interface> |
467 |
-<interface name="kernel_rw_unix_sysctls" lineno="1921"> |
468 |
+<interface name="kernel_rw_unix_sysctls" lineno="1939"> |
469 |
<summary> |
470 |
Read and write unix domain |
471 |
socket sysctls. |
472 |
@@ -86078,7 +86088,7 @@ Domain allowed access. |
473 |
</param> |
474 |
<rolecap/> |
475 |
</interface> |
476 |
-<interface name="kernel_read_hotplug_sysctls" lineno="1942"> |
477 |
+<interface name="kernel_read_hotplug_sysctls" lineno="1960"> |
478 |
<summary> |
479 |
Read the hotplug sysctl. |
480 |
</summary> |
481 |
@@ -86089,7 +86099,7 @@ Domain allowed access. |
482 |
</param> |
483 |
<rolecap/> |
484 |
</interface> |
485 |
-<interface name="kernel_rw_hotplug_sysctls" lineno="1963"> |
486 |
+<interface name="kernel_rw_hotplug_sysctls" lineno="1981"> |
487 |
<summary> |
488 |
Read and write the hotplug sysctl. |
489 |
</summary> |
490 |
@@ -86100,7 +86110,7 @@ Domain allowed access. |
491 |
</param> |
492 |
<rolecap/> |
493 |
</interface> |
494 |
-<interface name="kernel_read_modprobe_sysctls" lineno="1984"> |
495 |
+<interface name="kernel_read_modprobe_sysctls" lineno="2002"> |
496 |
<summary> |
497 |
Read the modprobe sysctl. |
498 |
</summary> |
499 |
@@ -86111,7 +86121,7 @@ Domain allowed access. |
500 |
</param> |
501 |
<rolecap/> |
502 |
</interface> |
503 |
-<interface name="kernel_rw_modprobe_sysctls" lineno="2005"> |
504 |
+<interface name="kernel_rw_modprobe_sysctls" lineno="2023"> |
505 |
<summary> |
506 |
Read and write the modprobe sysctl. |
507 |
</summary> |
508 |
@@ -86122,7 +86132,7 @@ Domain allowed access. |
509 |
</param> |
510 |
<rolecap/> |
511 |
</interface> |
512 |
-<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2025"> |
513 |
+<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2043"> |
514 |
<summary> |
515 |
Do not audit attempts to search generic kernel sysctls. |
516 |
</summary> |
517 |
@@ -86132,7 +86142,7 @@ Domain to not audit. |
518 |
</summary> |
519 |
</param> |
520 |
</interface> |
521 |
-<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2043"> |
522 |
+<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2061"> |
523 |
<summary> |
524 |
Do not audit attempted reading of kernel sysctls |
525 |
</summary> |
526 |
@@ -86142,7 +86152,7 @@ Domain to not audit accesses from |
527 |
</summary> |
528 |
</param> |
529 |
</interface> |
530 |
-<interface name="kernel_read_crypto_sysctls" lineno="2061"> |
531 |
+<interface name="kernel_read_crypto_sysctls" lineno="2079"> |
532 |
<summary> |
533 |
Read generic crypto sysctls. |
534 |
</summary> |
535 |
@@ -86152,7 +86162,7 @@ Domain allowed access. |
536 |
</summary> |
537 |
</param> |
538 |
</interface> |
539 |
-<interface name="kernel_read_kernel_sysctls" lineno="2102"> |
540 |
+<interface name="kernel_read_kernel_sysctls" lineno="2120"> |
541 |
<summary> |
542 |
Read general kernel sysctls. |
543 |
</summary> |
544 |
@@ -86184,7 +86194,7 @@ Domain allowed access. |
545 |
</param> |
546 |
<infoflow type="read" weight="10"/> |
547 |
</interface> |
548 |
-<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2122"> |
549 |
+<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2140"> |
550 |
<summary> |
551 |
Do not audit attempts to write generic kernel sysctls. |
552 |
</summary> |
553 |
@@ -86194,7 +86204,7 @@ Domain to not audit. |
554 |
</summary> |
555 |
</param> |
556 |
</interface> |
557 |
-<interface name="kernel_rw_kernel_sysctl" lineno="2141"> |
558 |
+<interface name="kernel_rw_kernel_sysctl" lineno="2159"> |
559 |
<summary> |
560 |
Read and write generic kernel sysctls. |
561 |
</summary> |
562 |
@@ -86205,7 +86215,7 @@ Domain allowed access. |
563 |
</param> |
564 |
<rolecap/> |
565 |
</interface> |
566 |
-<interface name="kernel_mounton_kernel_sysctl_files" lineno="2162"> |
567 |
+<interface name="kernel_mounton_kernel_sysctl_files" lineno="2180"> |
568 |
<summary> |
569 |
Mount on kernel sysctl files. |
570 |
</summary> |
571 |
@@ -86216,7 +86226,7 @@ Domain allowed access. |
572 |
</param> |
573 |
<rolecap/> |
574 |
</interface> |
575 |
-<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2182"> |
576 |
+<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2200"> |
577 |
<summary> |
578 |
Read kernel ns lastpid sysctls. |
579 |
</summary> |
580 |
@@ -86227,7 +86237,7 @@ Domain allowed access. |
581 |
</param> |
582 |
<rolecap/> |
583 |
</interface> |
584 |
-<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2202"> |
585 |
+<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2220"> |
586 |
<summary> |
587 |
Do not audit attempts to write kernel ns lastpid sysctls. |
588 |
</summary> |
589 |
@@ -86237,7 +86247,7 @@ Domain to not audit. |
590 |
</summary> |
591 |
</param> |
592 |
</interface> |
593 |
-<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2221"> |
594 |
+<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2239"> |
595 |
<summary> |
596 |
Read and write kernel ns lastpid sysctls. |
597 |
</summary> |
598 |
@@ -86248,7 +86258,7 @@ Domain allowed access. |
599 |
</param> |
600 |
<rolecap/> |
601 |
</interface> |
602 |
-<interface name="kernel_search_fs_sysctls" lineno="2242"> |
603 |
+<interface name="kernel_search_fs_sysctls" lineno="2260"> |
604 |
<summary> |
605 |
Search filesystem sysctl directories. |
606 |
</summary> |
607 |
@@ -86259,7 +86269,7 @@ Domain allowed access. |
608 |
</param> |
609 |
<rolecap/> |
610 |
</interface> |
611 |
-<interface name="kernel_read_fs_sysctls" lineno="2261"> |
612 |
+<interface name="kernel_read_fs_sysctls" lineno="2279"> |
613 |
<summary> |
614 |
Read filesystem sysctls. |
615 |
</summary> |
616 |
@@ -86270,7 +86280,7 @@ Domain allowed access. |
617 |
</param> |
618 |
<rolecap/> |
619 |
</interface> |
620 |
-<interface name="kernel_rw_fs_sysctls" lineno="2282"> |
621 |
+<interface name="kernel_rw_fs_sysctls" lineno="2300"> |
622 |
<summary> |
623 |
Read and write filesystem sysctls. |
624 |
</summary> |
625 |
@@ -86281,7 +86291,7 @@ Domain allowed access. |
626 |
</param> |
627 |
<rolecap/> |
628 |
</interface> |
629 |
-<interface name="kernel_read_irq_sysctls" lineno="2303"> |
630 |
+<interface name="kernel_read_irq_sysctls" lineno="2321"> |
631 |
<summary> |
632 |
Read IRQ sysctls. |
633 |
</summary> |
634 |
@@ -86292,7 +86302,7 @@ Domain allowed access. |
635 |
</param> |
636 |
<rolecap/> |
637 |
</interface> |
638 |
-<interface name="kernel_rw_irq_sysctls" lineno="2324"> |
639 |
+<interface name="kernel_rw_irq_sysctls" lineno="2342"> |
640 |
<summary> |
641 |
Read and write IRQ sysctls. |
642 |
</summary> |
643 |
@@ -86303,7 +86313,7 @@ Domain allowed access. |
644 |
</param> |
645 |
<rolecap/> |
646 |
</interface> |
647 |
-<interface name="kernel_read_rpc_sysctls" lineno="2345"> |
648 |
+<interface name="kernel_read_rpc_sysctls" lineno="2363"> |
649 |
<summary> |
650 |
Read RPC sysctls. |
651 |
</summary> |
652 |
@@ -86314,7 +86324,7 @@ Domain allowed access. |
653 |
</param> |
654 |
<rolecap/> |
655 |
</interface> |
656 |
-<interface name="kernel_rw_rpc_sysctls" lineno="2366"> |
657 |
+<interface name="kernel_rw_rpc_sysctls" lineno="2384"> |
658 |
<summary> |
659 |
Read and write RPC sysctls. |
660 |
</summary> |
661 |
@@ -86325,7 +86335,7 @@ Domain allowed access. |
662 |
</param> |
663 |
<rolecap/> |
664 |
</interface> |
665 |
-<interface name="kernel_dontaudit_list_all_sysctls" lineno="2386"> |
666 |
+<interface name="kernel_dontaudit_list_all_sysctls" lineno="2404"> |
667 |
<summary> |
668 |
Do not audit attempts to list all sysctl directories. |
669 |
</summary> |
670 |
@@ -86335,7 +86345,7 @@ Domain to not audit. |
671 |
</summary> |
672 |
</param> |
673 |
</interface> |
674 |
-<interface name="kernel_read_all_sysctls" lineno="2406"> |
675 |
+<interface name="kernel_read_all_sysctls" lineno="2424"> |
676 |
<summary> |
677 |
Allow caller to read all sysctls. |
678 |
</summary> |
679 |
@@ -86346,7 +86356,7 @@ Domain allowed access. |
680 |
</param> |
681 |
<rolecap/> |
682 |
</interface> |
683 |
-<interface name="kernel_rw_all_sysctls" lineno="2429"> |
684 |
+<interface name="kernel_rw_all_sysctls" lineno="2447"> |
685 |
<summary> |
686 |
Read and write all sysctls. |
687 |
</summary> |
688 |
@@ -86357,7 +86367,7 @@ Domain allowed access. |
689 |
</param> |
690 |
<rolecap/> |
691 |
</interface> |
692 |
-<interface name="kernel_associate_proc" lineno="2454"> |
693 |
+<interface name="kernel_associate_proc" lineno="2472"> |
694 |
<summary> |
695 |
Associate a file to proc_t (/proc) |
696 |
</summary> |
697 |
@@ -86368,7 +86378,7 @@ Domain allowed access. |
698 |
</param> |
699 |
<rolecap/> |
700 |
</interface> |
701 |
-<interface name="kernel_kill_unlabeled" lineno="2471"> |
702 |
+<interface name="kernel_kill_unlabeled" lineno="2489"> |
703 |
<summary> |
704 |
Send a kill signal to unlabeled processes. |
705 |
</summary> |
706 |
@@ -86378,7 +86388,7 @@ Domain allowed access. |
707 |
</summary> |
708 |
</param> |
709 |
</interface> |
710 |
-<interface name="kernel_mount_unlabeled" lineno="2489"> |
711 |
+<interface name="kernel_mount_unlabeled" lineno="2507"> |
712 |
<summary> |
713 |
Mount a kernel unlabeled filesystem. |
714 |
</summary> |
715 |
@@ -86388,7 +86398,7 @@ Domain allowed access. |
716 |
</summary> |
717 |
</param> |
718 |
</interface> |
719 |
-<interface name="kernel_unmount_unlabeled" lineno="2507"> |
720 |
+<interface name="kernel_unmount_unlabeled" lineno="2525"> |
721 |
<summary> |
722 |
Unmount a kernel unlabeled filesystem. |
723 |
</summary> |
724 |
@@ -86398,7 +86408,7 @@ Domain allowed access. |
725 |
</summary> |
726 |
</param> |
727 |
</interface> |
728 |
-<interface name="kernel_signal_unlabeled" lineno="2525"> |
729 |
+<interface name="kernel_signal_unlabeled" lineno="2543"> |
730 |
<summary> |
731 |
Send general signals to unlabeled processes. |
732 |
</summary> |
733 |
@@ -86408,7 +86418,7 @@ Domain allowed access. |
734 |
</summary> |
735 |
</param> |
736 |
</interface> |
737 |
-<interface name="kernel_signull_unlabeled" lineno="2543"> |
738 |
+<interface name="kernel_signull_unlabeled" lineno="2561"> |
739 |
<summary> |
740 |
Send a null signal to unlabeled processes. |
741 |
</summary> |
742 |
@@ -86418,7 +86428,7 @@ Domain allowed access. |
743 |
</summary> |
744 |
</param> |
745 |
</interface> |
746 |
-<interface name="kernel_sigstop_unlabeled" lineno="2561"> |
747 |
+<interface name="kernel_sigstop_unlabeled" lineno="2579"> |
748 |
<summary> |
749 |
Send a stop signal to unlabeled processes. |
750 |
</summary> |
751 |
@@ -86428,7 +86438,7 @@ Domain allowed access. |
752 |
</summary> |
753 |
</param> |
754 |
</interface> |
755 |
-<interface name="kernel_sigchld_unlabeled" lineno="2579"> |
756 |
+<interface name="kernel_sigchld_unlabeled" lineno="2597"> |
757 |
<summary> |
758 |
Send a child terminated signal to unlabeled processes. |
759 |
</summary> |
760 |
@@ -86438,7 +86448,7 @@ Domain allowed access. |
761 |
</summary> |
762 |
</param> |
763 |
</interface> |
764 |
-<interface name="kernel_getattr_unlabeled_dirs" lineno="2597"> |
765 |
+<interface name="kernel_getattr_unlabeled_dirs" lineno="2615"> |
766 |
<summary> |
767 |
Get the attributes of unlabeled directories. |
768 |
</summary> |
769 |
@@ -86448,7 +86458,7 @@ Domain allowed access. |
770 |
</summary> |
771 |
</param> |
772 |
</interface> |
773 |
-<interface name="kernel_dontaudit_search_unlabeled" lineno="2615"> |
774 |
+<interface name="kernel_dontaudit_search_unlabeled" lineno="2633"> |
775 |
<summary> |
776 |
Do not audit attempts to search unlabeled directories. |
777 |
</summary> |
778 |
@@ -86458,7 +86468,7 @@ Domain to not audit. |
779 |
</summary> |
780 |
</param> |
781 |
</interface> |
782 |
-<interface name="kernel_list_unlabeled" lineno="2633"> |
783 |
+<interface name="kernel_list_unlabeled" lineno="2651"> |
784 |
<summary> |
785 |
List unlabeled directories. |
786 |
</summary> |
787 |
@@ -86468,7 +86478,7 @@ Domain allowed access. |
788 |
</summary> |
789 |
</param> |
790 |
</interface> |
791 |
-<interface name="kernel_read_unlabeled_state" lineno="2651"> |
792 |
+<interface name="kernel_read_unlabeled_state" lineno="2669"> |
793 |
<summary> |
794 |
Read the process state (/proc/pid) of all unlabeled_t. |
795 |
</summary> |
796 |
@@ -86478,7 +86488,7 @@ Domain allowed access. |
797 |
</summary> |
798 |
</param> |
799 |
</interface> |
800 |
-<interface name="kernel_dontaudit_list_unlabeled" lineno="2671"> |
801 |
+<interface name="kernel_dontaudit_list_unlabeled" lineno="2689"> |
802 |
<summary> |
803 |
Do not audit attempts to list unlabeled directories. |
804 |
</summary> |
805 |
@@ -86488,7 +86498,7 @@ Domain allowed access. |
806 |
</summary> |
807 |
</param> |
808 |
</interface> |
809 |
-<interface name="kernel_rw_unlabeled_dirs" lineno="2689"> |
810 |
+<interface name="kernel_rw_unlabeled_dirs" lineno="2707"> |
811 |
<summary> |
812 |
Read and write unlabeled directories. |
813 |
</summary> |
814 |
@@ -86498,7 +86508,7 @@ Domain allowed access. |
815 |
</summary> |
816 |
</param> |
817 |
</interface> |
818 |
-<interface name="kernel_delete_unlabeled_dirs" lineno="2707"> |
819 |
+<interface name="kernel_delete_unlabeled_dirs" lineno="2725"> |
820 |
<summary> |
821 |
Delete unlabeled directories. |
822 |
</summary> |
823 |
@@ -86508,7 +86518,7 @@ Domain allowed access. |
824 |
</summary> |
825 |
</param> |
826 |
</interface> |
827 |
-<interface name="kernel_manage_unlabeled_dirs" lineno="2725"> |
828 |
+<interface name="kernel_manage_unlabeled_dirs" lineno="2743"> |
829 |
<summary> |
830 |
Create, read, write, and delete unlabeled directories. |
831 |
</summary> |
832 |
@@ -86518,7 +86528,7 @@ Domain allowed access. |
833 |
</summary> |
834 |
</param> |
835 |
</interface> |
836 |
-<interface name="kernel_mounton_unlabeled_dirs" lineno="2743"> |
837 |
+<interface name="kernel_mounton_unlabeled_dirs" lineno="2761"> |
838 |
<summary> |
839 |
Mount a filesystem on an unlabeled directory. |
840 |
</summary> |
841 |
@@ -86528,7 +86538,7 @@ Domain allowed access. |
842 |
</summary> |
843 |
</param> |
844 |
</interface> |
845 |
-<interface name="kernel_read_unlabeled_files" lineno="2761"> |
846 |
+<interface name="kernel_read_unlabeled_files" lineno="2779"> |
847 |
<summary> |
848 |
Read unlabeled files. |
849 |
</summary> |
850 |
@@ -86538,7 +86548,7 @@ Domain allowed access. |
851 |
</summary> |
852 |
</param> |
853 |
</interface> |
854 |
-<interface name="kernel_rw_unlabeled_files" lineno="2779"> |
855 |
+<interface name="kernel_rw_unlabeled_files" lineno="2797"> |
856 |
<summary> |
857 |
Read and write unlabeled files. |
858 |
</summary> |
859 |
@@ -86548,7 +86558,7 @@ Domain allowed access. |
860 |
</summary> |
861 |
</param> |
862 |
</interface> |
863 |
-<interface name="kernel_delete_unlabeled_files" lineno="2797"> |
864 |
+<interface name="kernel_delete_unlabeled_files" lineno="2815"> |
865 |
<summary> |
866 |
Delete unlabeled files. |
867 |
</summary> |
868 |
@@ -86558,7 +86568,7 @@ Domain allowed access. |
869 |
</summary> |
870 |
</param> |
871 |
</interface> |
872 |
-<interface name="kernel_manage_unlabeled_files" lineno="2815"> |
873 |
+<interface name="kernel_manage_unlabeled_files" lineno="2833"> |
874 |
<summary> |
875 |
Create, read, write, and delete unlabeled files. |
876 |
</summary> |
877 |
@@ -86568,7 +86578,7 @@ Domain allowed access. |
878 |
</summary> |
879 |
</param> |
880 |
</interface> |
881 |
-<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2834"> |
882 |
+<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2852"> |
883 |
<summary> |
884 |
Do not audit attempts by caller to get the |
885 |
attributes of an unlabeled file. |
886 |
@@ -86579,7 +86589,7 @@ Domain to not audit. |
887 |
</summary> |
888 |
</param> |
889 |
</interface> |
890 |
-<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2853"> |
891 |
+<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2871"> |
892 |
<summary> |
893 |
Do not audit attempts by caller to |
894 |
read an unlabeled file. |
895 |
@@ -86590,7 +86600,7 @@ Domain to not audit. |
896 |
</summary> |
897 |
</param> |
898 |
</interface> |
899 |
-<interface name="kernel_delete_unlabeled_symlinks" lineno="2871"> |
900 |
+<interface name="kernel_delete_unlabeled_symlinks" lineno="2889"> |
901 |
<summary> |
902 |
Delete unlabeled symbolic links. |
903 |
</summary> |
904 |
@@ -86600,7 +86610,7 @@ Domain allowed access. |
905 |
</summary> |
906 |
</param> |
907 |
</interface> |
908 |
-<interface name="kernel_manage_unlabeled_symlinks" lineno="2889"> |
909 |
+<interface name="kernel_manage_unlabeled_symlinks" lineno="2907"> |
910 |
<summary> |
911 |
Create, read, write, and delete unlabeled symbolic links. |
912 |
</summary> |
913 |
@@ -86610,7 +86620,7 @@ Domain allowed access. |
914 |
</summary> |
915 |
</param> |
916 |
</interface> |
917 |
-<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2908"> |
918 |
+<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2926"> |
919 |
<summary> |
920 |
Do not audit attempts by caller to get the |
921 |
attributes of unlabeled symbolic links. |
922 |
@@ -86621,7 +86631,7 @@ Domain to not audit. |
923 |
</summary> |
924 |
</param> |
925 |
</interface> |
926 |
-<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2927"> |
927 |
+<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2945"> |
928 |
<summary> |
929 |
Do not audit attempts by caller to get the |
930 |
attributes of unlabeled named pipes. |
931 |
@@ -86632,7 +86642,7 @@ Domain to not audit. |
932 |
</summary> |
933 |
</param> |
934 |
</interface> |
935 |
-<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2946"> |
936 |
+<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2964"> |
937 |
<summary> |
938 |
Do not audit attempts by caller to get the |
939 |
attributes of unlabeled named sockets. |
940 |
@@ -86643,7 +86653,7 @@ Domain to not audit. |
941 |
</summary> |
942 |
</param> |
943 |
</interface> |
944 |
-<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2965"> |
945 |
+<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2983"> |
946 |
<summary> |
947 |
Do not audit attempts by caller to get attributes for |
948 |
unlabeled block devices. |
949 |
@@ -86654,7 +86664,7 @@ Domain to not audit. |
950 |
</summary> |
951 |
</param> |
952 |
</interface> |
953 |
-<interface name="kernel_rw_unlabeled_blk_files" lineno="2983"> |
954 |
+<interface name="kernel_rw_unlabeled_blk_files" lineno="3001"> |
955 |
<summary> |
956 |
Read and write unlabeled block device nodes. |
957 |
</summary> |
958 |
@@ -86664,7 +86674,7 @@ Domain allowed access. |
959 |
</summary> |
960 |
</param> |
961 |
</interface> |
962 |
-<interface name="kernel_delete_unlabeled_blk_files" lineno="3001"> |
963 |
+<interface name="kernel_delete_unlabeled_blk_files" lineno="3019"> |
964 |
<summary> |
965 |
Delete unlabeled block device nodes. |
966 |
</summary> |
967 |
@@ -86674,7 +86684,7 @@ Domain allowed access. |
968 |
</summary> |
969 |
</param> |
970 |
</interface> |
971 |
-<interface name="kernel_manage_unlabeled_blk_files" lineno="3019"> |
972 |
+<interface name="kernel_manage_unlabeled_blk_files" lineno="3037"> |
973 |
<summary> |
974 |
Create, read, write, and delete unlabeled block device nodes. |
975 |
</summary> |
976 |
@@ -86684,7 +86694,7 @@ Domain allowed access. |
977 |
</summary> |
978 |
</param> |
979 |
</interface> |
980 |
-<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3038"> |
981 |
+<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3056"> |
982 |
<summary> |
983 |
Do not audit attempts by caller to get attributes for |
984 |
unlabeled character devices. |
985 |
@@ -86695,7 +86705,7 @@ Domain to not audit. |
986 |
</summary> |
987 |
</param> |
988 |
</interface> |
989 |
-<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3057"> |
990 |
+<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3075"> |
991 |
<summary> |
992 |
Do not audit attempts to |
993 |
write unlabeled character devices. |
994 |
@@ -86706,7 +86716,7 @@ Domain to not audit. |
995 |
</summary> |
996 |
</param> |
997 |
</interface> |
998 |
-<interface name="kernel_delete_unlabeled_chr_files" lineno="3075"> |
999 |
+<interface name="kernel_delete_unlabeled_chr_files" lineno="3093"> |
1000 |
<summary> |
1001 |
Delete unlabeled character device nodes. |
1002 |
</summary> |
1003 |
@@ -86716,7 +86726,7 @@ Domain allowed access. |
1004 |
</summary> |
1005 |
</param> |
1006 |
</interface> |
1007 |
-<interface name="kernel_manage_unlabeled_chr_files" lineno="3094"> |
1008 |
+<interface name="kernel_manage_unlabeled_chr_files" lineno="3112"> |
1009 |
<summary> |
1010 |
Create, read, write, and delete unlabeled character device nodes. |
1011 |
</summary> |
1012 |
@@ -86726,7 +86736,7 @@ Domain allowed access. |
1013 |
</summary> |
1014 |
</param> |
1015 |
</interface> |
1016 |
-<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3112"> |
1017 |
+<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3130"> |
1018 |
<summary> |
1019 |
Allow caller to relabel unlabeled directories. |
1020 |
</summary> |
1021 |
@@ -86736,7 +86746,7 @@ Domain allowed access. |
1022 |
</summary> |
1023 |
</param> |
1024 |
</interface> |
1025 |
-<interface name="kernel_relabelfrom_unlabeled_files" lineno="3130"> |
1026 |
+<interface name="kernel_relabelfrom_unlabeled_files" lineno="3148"> |
1027 |
<summary> |
1028 |
Allow caller to relabel unlabeled files. |
1029 |
</summary> |
1030 |
@@ -86746,7 +86756,7 @@ Domain allowed access. |
1031 |
</summary> |
1032 |
</param> |
1033 |
</interface> |
1034 |
-<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3149"> |
1035 |
+<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3167"> |
1036 |
<summary> |
1037 |
Allow caller to relabel unlabeled symbolic links. |
1038 |
</summary> |
1039 |
@@ -86756,7 +86766,7 @@ Domain allowed access. |
1040 |
</summary> |
1041 |
</param> |
1042 |
</interface> |
1043 |
-<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3168"> |
1044 |
+<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3186"> |
1045 |
<summary> |
1046 |
Allow caller to relabel unlabeled named pipes. |
1047 |
</summary> |
1048 |
@@ -86766,7 +86776,7 @@ Domain allowed access. |
1049 |
</summary> |
1050 |
</param> |
1051 |
</interface> |
1052 |
-<interface name="kernel_delete_unlabeled_pipes" lineno="3187"> |
1053 |
+<interface name="kernel_delete_unlabeled_pipes" lineno="3205"> |
1054 |
<summary> |
1055 |
Delete unlabeled named pipes |
1056 |
</summary> |
1057 |
@@ -86776,7 +86786,7 @@ Domain allowed access. |
1058 |
</summary> |
1059 |
</param> |
1060 |
</interface> |
1061 |
-<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3205"> |
1062 |
+<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3223"> |
1063 |
<summary> |
1064 |
Allow caller to relabel unlabeled named sockets. |
1065 |
</summary> |
1066 |
@@ -86786,7 +86796,7 @@ Domain allowed access. |
1067 |
</summary> |
1068 |
</param> |
1069 |
</interface> |
1070 |
-<interface name="kernel_delete_unlabeled_sockets" lineno="3224"> |
1071 |
+<interface name="kernel_delete_unlabeled_sockets" lineno="3242"> |
1072 |
<summary> |
1073 |
Delete unlabeled named sockets. |
1074 |
</summary> |
1075 |
@@ -86796,7 +86806,7 @@ Domain allowed access. |
1076 |
</summary> |
1077 |
</param> |
1078 |
</interface> |
1079 |
-<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3242"> |
1080 |
+<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3260"> |
1081 |
<summary> |
1082 |
Allow caller to relabel from unlabeled block devices. |
1083 |
</summary> |
1084 |
@@ -86806,7 +86816,7 @@ Domain allowed access. |
1085 |
</summary> |
1086 |
</param> |
1087 |
</interface> |
1088 |
-<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3260"> |
1089 |
+<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3278"> |
1090 |
<summary> |
1091 |
Allow caller to relabel from unlabeled character devices. |
1092 |
</summary> |
1093 |
@@ -86816,7 +86826,7 @@ Domain allowed access. |
1094 |
</summary> |
1095 |
</param> |
1096 |
</interface> |
1097 |
-<interface name="kernel_sendrecv_unlabeled_association" lineno="3293"> |
1098 |
+<interface name="kernel_sendrecv_unlabeled_association" lineno="3311"> |
1099 |
<summary> |
1100 |
Send and receive messages from an |
1101 |
unlabeled IPSEC association. |
1102 |
@@ -86841,7 +86851,7 @@ Domain allowed access. |
1103 |
</summary> |
1104 |
</param> |
1105 |
</interface> |
1106 |
-<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3326"> |
1107 |
+<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3344"> |
1108 |
<summary> |
1109 |
Do not audit attempts to send and receive messages |
1110 |
from an unlabeled IPSEC association. |
1111 |
@@ -86866,7 +86876,7 @@ Domain to not audit. |
1112 |
</summary> |
1113 |
</param> |
1114 |
</interface> |
1115 |
-<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3353"> |
1116 |
+<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3371"> |
1117 |
<summary> |
1118 |
Receive TCP packets from an unlabeled connection. |
1119 |
</summary> |
1120 |
@@ -86885,7 +86895,7 @@ Domain allowed access. |
1121 |
</summary> |
1122 |
</param> |
1123 |
</interface> |
1124 |
-<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3382"> |
1125 |
+<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3400"> |
1126 |
<summary> |
1127 |
Do not audit attempts to receive TCP packets from an unlabeled |
1128 |
connection. |
1129 |
@@ -86906,7 +86916,7 @@ Domain to not audit. |
1130 |
</summary> |
1131 |
</param> |
1132 |
</interface> |
1133 |
-<interface name="kernel_udp_recvfrom_unlabeled" lineno="3409"> |
1134 |
+<interface name="kernel_udp_recvfrom_unlabeled" lineno="3427"> |
1135 |
<summary> |
1136 |
Receive UDP packets from an unlabeled connection. |
1137 |
</summary> |
1138 |
@@ -86925,7 +86935,7 @@ Domain allowed access. |
1139 |
</summary> |
1140 |
</param> |
1141 |
</interface> |
1142 |
-<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3438"> |
1143 |
+<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3456"> |
1144 |
<summary> |
1145 |
Do not audit attempts to receive UDP packets from an unlabeled |
1146 |
connection. |
1147 |
@@ -86946,7 +86956,7 @@ Domain to not audit. |
1148 |
</summary> |
1149 |
</param> |
1150 |
</interface> |
1151 |
-<interface name="kernel_raw_recvfrom_unlabeled" lineno="3465"> |
1152 |
+<interface name="kernel_raw_recvfrom_unlabeled" lineno="3483"> |
1153 |
<summary> |
1154 |
Receive Raw IP packets from an unlabeled connection. |
1155 |
</summary> |
1156 |
@@ -86965,7 +86975,7 @@ Domain allowed access. |
1157 |
</summary> |
1158 |
</param> |
1159 |
</interface> |
1160 |
-<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3494"> |
1161 |
+<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3512"> |
1162 |
<summary> |
1163 |
Do not audit attempts to receive Raw IP packets from an unlabeled |
1164 |
connection. |
1165 |
@@ -86986,7 +86996,7 @@ Domain to not audit. |
1166 |
</summary> |
1167 |
</param> |
1168 |
</interface> |
1169 |
-<interface name="kernel_sendrecv_unlabeled_packets" lineno="3524"> |
1170 |
+<interface name="kernel_sendrecv_unlabeled_packets" lineno="3542"> |
1171 |
<summary> |
1172 |
Send and receive unlabeled packets. |
1173 |
</summary> |
1174 |
@@ -87008,7 +87018,7 @@ Domain allowed access. |
1175 |
</summary> |
1176 |
</param> |
1177 |
</interface> |
1178 |
-<interface name="kernel_recvfrom_unlabeled_peer" lineno="3552"> |
1179 |
+<interface name="kernel_recvfrom_unlabeled_peer" lineno="3570"> |
1180 |
<summary> |
1181 |
Receive packets from an unlabeled peer. |
1182 |
</summary> |
1183 |
@@ -87028,7 +87038,7 @@ Domain allowed access. |
1184 |
</summary> |
1185 |
</param> |
1186 |
</interface> |
1187 |
-<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3580"> |
1188 |
+<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3598"> |
1189 |
<summary> |
1190 |
Do not audit attempts to receive packets from an unlabeled peer. |
1191 |
</summary> |
1192 |
@@ -87048,7 +87058,7 @@ Domain to not audit. |
1193 |
</summary> |
1194 |
</param> |
1195 |
</interface> |
1196 |
-<interface name="kernel_relabelfrom_unlabeled_database" lineno="3598"> |
1197 |
+<interface name="kernel_relabelfrom_unlabeled_database" lineno="3616"> |
1198 |
<summary> |
1199 |
Relabel from unlabeled database objects. |
1200 |
</summary> |
1201 |
@@ -87058,7 +87068,7 @@ Domain allowed access. |
1202 |
</summary> |
1203 |
</param> |
1204 |
</interface> |
1205 |
-<interface name="kernel_unconfined" lineno="3635"> |
1206 |
+<interface name="kernel_unconfined" lineno="3653"> |
1207 |
<summary> |
1208 |
Unconfined access to kernel module resources. |
1209 |
</summary> |
1210 |
@@ -87068,7 +87078,7 @@ Domain allowed access. |
1211 |
</summary> |
1212 |
</param> |
1213 |
</interface> |
1214 |
-<interface name="kernel_read_vm_overcommit_sysctl" lineno="3655"> |
1215 |
+<interface name="kernel_read_vm_overcommit_sysctl" lineno="3673"> |
1216 |
<summary> |
1217 |
Read virtual memory overcommit sysctl. |
1218 |
</summary> |
1219 |
@@ -87079,7 +87089,7 @@ Domain allowed access. |
1220 |
</param> |
1221 |
<rolecap/> |
1222 |
</interface> |
1223 |
-<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3675"> |
1224 |
+<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3693"> |
1225 |
<summary> |
1226 |
Read and write virtual memory overcommit sysctl. |
1227 |
</summary> |
1228 |
@@ -87090,7 +87100,7 @@ Domain allowed access. |
1229 |
</param> |
1230 |
<rolecap/> |
1231 |
</interface> |
1232 |
-<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3694"> |
1233 |
+<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3712"> |
1234 |
<summary> |
1235 |
Access unlabeled infiniband pkeys. |
1236 |
</summary> |
1237 |
@@ -87100,7 +87110,7 @@ Domain allowed access. |
1238 |
</summary> |
1239 |
</param> |
1240 |
</interface> |
1241 |
-<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3712"> |
1242 |
+<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3730"> |
1243 |
<summary> |
1244 |
Manage subnet on unlabeled Infiniband endports. |
1245 |
</summary> |
1246 |
@@ -91982,6 +91992,36 @@ Domain allowed access. |
1247 |
</summary> |
1248 |
</param> |
1249 |
</interface> |
1250 |
+<interface name="aptcacher_filetrans_log_dir" lineno="77"> |
1251 |
+<summary> |
1252 |
+create /var/log/apt-cacher-ng |
1253 |
+</summary> |
1254 |
+<param name="domain"> |
1255 |
+<summary> |
1256 |
+Domain allowed access. |
1257 |
+</summary> |
1258 |
+</param> |
1259 |
+</interface> |
1260 |
+<interface name="aptcacher_filetrans_cache_dir" lineno="95"> |
1261 |
+<summary> |
1262 |
+create /var/cache/apt-cacher-ng |
1263 |
+</summary> |
1264 |
+<param name="domain"> |
1265 |
+<summary> |
1266 |
+Domain allowed access. |
1267 |
+</summary> |
1268 |
+</param> |
1269 |
+</interface> |
1270 |
+<interface name="aptcacher_etc_filetrans_conf_dir" lineno="113"> |
1271 |
+<summary> |
1272 |
+create /etc/apt-cacher-ng |
1273 |
+</summary> |
1274 |
+<param name="domain"> |
1275 |
+<summary> |
1276 |
+Domain allowed access. |
1277 |
+</summary> |
1278 |
+</param> |
1279 |
+</interface> |
1280 |
</module> |
1281 |
<module name="arpwatch" filename="policy/modules/services/arpwatch.if"> |
1282 |
<summary>Ethernet activity monitor.</summary> |
1283 |
@@ -93058,6 +93098,14 @@ Role allowed access. |
1284 |
</summary> |
1285 |
</param> |
1286 |
</interface> |
1287 |
+<tunable name="certbot_acmesh" dftval="false"> |
1288 |
+<desc> |
1289 |
+<p> |
1290 |
+Determine whether additional rules |
1291 |
+should be enabled to support acme.sh |
1292 |
+</p> |
1293 |
+</desc> |
1294 |
+</tunable> |
1295 |
</module> |
1296 |
<module name="certmaster" filename="policy/modules/services/certmaster.if"> |
1297 |
<summary>Remote certificate distribution framework.</summary> |
1298 |
@@ -93787,6 +93835,26 @@ Role allowed access. |
1299 |
</param> |
1300 |
<rolecap/> |
1301 |
</interface> |
1302 |
+<interface name="clamav_filetrans_log" lineno="444"> |
1303 |
+<summary> |
1304 |
+specified domain creates /var/log/clamav/freshclam.log with correct type |
1305 |
+</summary> |
1306 |
+<param name="domain"> |
1307 |
+<summary> |
1308 |
+Domain allowed access. |
1309 |
+</summary> |
1310 |
+</param> |
1311 |
+</interface> |
1312 |
+<interface name="clamav_filetrans_runtime_dir" lineno="462"> |
1313 |
+<summary> |
1314 |
+specified domain creates /run/clamav with correct type |
1315 |
+</summary> |
1316 |
+<param name="domain"> |
1317 |
+<summary> |
1318 |
+Domain allowed access. |
1319 |
+</summary> |
1320 |
+</param> |
1321 |
+</interface> |
1322 |
<tunable name="clamav_read_user_content_files_clamscan" dftval="false"> |
1323 |
<desc> |
1324 |
<p> |
1325 |
@@ -96650,7 +96718,18 @@ Domain allowed to transition. |
1326 |
</summary> |
1327 |
</param> |
1328 |
</interface> |
1329 |
-<interface name="dovecot_manage_spool" lineno="75"> |
1330 |
+<interface name="dovecot_read_config" lineno="75"> |
1331 |
+<summary> |
1332 |
+Read dovecot configuration content. |
1333 |
+</summary> |
1334 |
+<param name="domain"> |
1335 |
+<summary> |
1336 |
+Domain allowed access. |
1337 |
+</summary> |
1338 |
+</param> |
1339 |
+<rolecap/> |
1340 |
+</interface> |
1341 |
+<interface name="dovecot_manage_spool" lineno="97"> |
1342 |
<summary> |
1343 |
Create, read, write, and delete |
1344 |
dovecot spool files. |
1345 |
@@ -96661,7 +96740,7 @@ Domain allowed access. |
1346 |
</summary> |
1347 |
</param> |
1348 |
</interface> |
1349 |
-<interface name="dovecot_dontaudit_unlink_lib_files" lineno="97"> |
1350 |
+<interface name="dovecot_dontaudit_unlink_lib_files" lineno="119"> |
1351 |
<summary> |
1352 |
Do not audit attempts to delete |
1353 |
dovecot lib files. |
1354 |
@@ -96672,7 +96751,7 @@ Domain to not audit. |
1355 |
</summary> |
1356 |
</param> |
1357 |
</interface> |
1358 |
-<interface name="dovecot_write_inherited_tmp_files" lineno="115"> |
1359 |
+<interface name="dovecot_write_inherited_tmp_files" lineno="137"> |
1360 |
<summary> |
1361 |
Write inherited dovecot tmp files. |
1362 |
</summary> |
1363 |
@@ -96682,7 +96761,7 @@ Domain to not audit. |
1364 |
</summary> |
1365 |
</param> |
1366 |
</interface> |
1367 |
-<interface name="dovecot_admin" lineno="140"> |
1368 |
+<interface name="dovecot_admin" lineno="162"> |
1369 |
<summary> |
1370 |
All of the rules required to |
1371 |
administrate an dovecot environment. |
1372 |
@@ -97418,6 +97497,16 @@ Role allowed access. |
1373 |
</param> |
1374 |
<rolecap/> |
1375 |
</interface> |
1376 |
+<interface name="ftp_filetrans_pure_ftpd_runtime" lineno="203"> |
1377 |
+<summary> |
1378 |
+create /run/pure-ftpd |
1379 |
+</summary> |
1380 |
+<param name="domain"> |
1381 |
+<summary> |
1382 |
+Domain allowed access. |
1383 |
+</summary> |
1384 |
+</param> |
1385 |
+</interface> |
1386 |
<tunable name="allow_ftpd_anon_write" dftval="false"> |
1387 |
<desc> |
1388 |
<p> |
1389 |
@@ -100192,7 +100281,17 @@ Domain allowed access. |
1390 |
</summary> |
1391 |
</param> |
1392 |
</interface> |
1393 |
-<interface name="milter_getattr_data_dir" lineno="111"> |
1394 |
+<interface name="milter_var_lib_filetrans_spamass_state" lineno="111"> |
1395 |
+<summary> |
1396 |
+create spamass milter state dir |
1397 |
+</summary> |
1398 |
+<param name="domain"> |
1399 |
+<summary> |
1400 |
+Domain allowed access. |
1401 |
+</summary> |
1402 |
+</param> |
1403 |
+</interface> |
1404 |
+<interface name="milter_getattr_data_dir" lineno="129"> |
1405 |
<summary> |
1406 |
Get the attributes of the spamassissin milter data dir. |
1407 |
</summary> |
1408 |
@@ -101188,7 +101287,17 @@ Domain allowed access. |
1409 |
</summary> |
1410 |
</param> |
1411 |
</interface> |
1412 |
-<interface name="mta_queue_filetrans" lineno="1021"> |
1413 |
+<interface name="mta_watch_spool" lineno="1004"> |
1414 |
+<summary> |
1415 |
+Watch mail spool content. |
1416 |
+</summary> |
1417 |
+<param name="domain"> |
1418 |
+<summary> |
1419 |
+Domain allowed access. |
1420 |
+</summary> |
1421 |
+</param> |
1422 |
+</interface> |
1423 |
+<interface name="mta_queue_filetrans" lineno="1039"> |
1424 |
<summary> |
1425 |
Create specified objects in the |
1426 |
mail queue spool directory with a |
1427 |
@@ -101215,7 +101324,7 @@ The name of the object being created. |
1428 |
</summary> |
1429 |
</param> |
1430 |
</interface> |
1431 |
-<interface name="mta_search_queue" lineno="1040"> |
1432 |
+<interface name="mta_search_queue" lineno="1058"> |
1433 |
<summary> |
1434 |
Search mail queue directories. |
1435 |
</summary> |
1436 |
@@ -101225,7 +101334,7 @@ Domain allowed access. |
1437 |
</summary> |
1438 |
</param> |
1439 |
</interface> |
1440 |
-<interface name="mta_list_queue" lineno="1059"> |
1441 |
+<interface name="mta_list_queue" lineno="1077"> |
1442 |
<summary> |
1443 |
List mail queue directories. |
1444 |
</summary> |
1445 |
@@ -101235,7 +101344,7 @@ Domain allowed access. |
1446 |
</summary> |
1447 |
</param> |
1448 |
</interface> |
1449 |
-<interface name="mta_read_queue" lineno="1078"> |
1450 |
+<interface name="mta_read_queue" lineno="1096"> |
1451 |
<summary> |
1452 |
Read mail queue files. |
1453 |
</summary> |
1454 |
@@ -101245,7 +101354,7 @@ Domain allowed access. |
1455 |
</summary> |
1456 |
</param> |
1457 |
</interface> |
1458 |
-<interface name="mta_dontaudit_rw_queue" lineno="1098"> |
1459 |
+<interface name="mta_dontaudit_rw_queue" lineno="1116"> |
1460 |
<summary> |
1461 |
Do not audit attempts to read and |
1462 |
write mail queue content. |
1463 |
@@ -101256,7 +101365,7 @@ Domain to not audit. |
1464 |
</summary> |
1465 |
</param> |
1466 |
</interface> |
1467 |
-<interface name="mta_manage_queue" lineno="1118"> |
1468 |
+<interface name="mta_manage_queue" lineno="1136"> |
1469 |
<summary> |
1470 |
Create, read, write, and delete |
1471 |
mail queue content. |
1472 |
@@ -101267,7 +101376,7 @@ Domain allowed access. |
1473 |
</summary> |
1474 |
</param> |
1475 |
</interface> |
1476 |
-<interface name="mta_read_sendmail_bin" lineno="1138"> |
1477 |
+<interface name="mta_read_sendmail_bin" lineno="1156"> |
1478 |
<summary> |
1479 |
Read sendmail binary. |
1480 |
</summary> |
1481 |
@@ -101277,7 +101386,7 @@ Domain allowed access. |
1482 |
</summary> |
1483 |
</param> |
1484 |
</interface> |
1485 |
-<interface name="mta_rw_user_mail_stream_sockets" lineno="1157"> |
1486 |
+<interface name="mta_rw_user_mail_stream_sockets" lineno="1175"> |
1487 |
<summary> |
1488 |
Read and write unix domain stream |
1489 |
sockets of all base mail domains. |
1490 |
@@ -101515,7 +101624,17 @@ Domain allowed access. |
1491 |
</summary> |
1492 |
</param> |
1493 |
</interface> |
1494 |
-<interface name="mysql_manage_mysqld_home_files" lineno="255"> |
1495 |
+<interface name="mysql_var_lib_filetrans_db_dir" lineno="254"> |
1496 |
+<summary> |
1497 |
+create mysqld db dir. |
1498 |
+</summary> |
1499 |
+<param name="domain"> |
1500 |
+<summary> |
1501 |
+Domain allowed access. |
1502 |
+</summary> |
1503 |
+</param> |
1504 |
+</interface> |
1505 |
+<interface name="mysql_manage_mysqld_home_files" lineno="273"> |
1506 |
<summary> |
1507 |
Create, read, write, and delete |
1508 |
mysqld home files. |
1509 |
@@ -101526,7 +101645,7 @@ Domain allowed access. |
1510 |
</summary> |
1511 |
</param> |
1512 |
</interface> |
1513 |
-<interface name="mysql_relabel_mysqld_home_files" lineno="274"> |
1514 |
+<interface name="mysql_relabel_mysqld_home_files" lineno="292"> |
1515 |
<summary> |
1516 |
Relabel mysqld home files. |
1517 |
</summary> |
1518 |
@@ -101536,7 +101655,7 @@ Domain allowed access. |
1519 |
</summary> |
1520 |
</param> |
1521 |
</interface> |
1522 |
-<interface name="mysql_home_filetrans_mysqld_home" lineno="304"> |
1523 |
+<interface name="mysql_home_filetrans_mysqld_home" lineno="322"> |
1524 |
<summary> |
1525 |
Create objects in user home |
1526 |
directories with the mysqld home type. |
1527 |
@@ -101557,7 +101676,7 @@ The name of the object being created. |
1528 |
</summary> |
1529 |
</param> |
1530 |
</interface> |
1531 |
-<interface name="mysql_write_log" lineno="322"> |
1532 |
+<interface name="mysql_write_log" lineno="340"> |
1533 |
<summary> |
1534 |
Write mysqld log files. |
1535 |
</summary> |
1536 |
@@ -101567,7 +101686,17 @@ Domain allowed access. |
1537 |
</summary> |
1538 |
</param> |
1539 |
</interface> |
1540 |
-<interface name="mysql_domtrans_mysql_safe" lineno="342"> |
1541 |
+<interface name="mysql_log_filetrans_log_dir" lineno="360"> |
1542 |
+<summary> |
1543 |
+create mysqld log dir. |
1544 |
+</summary> |
1545 |
+<param name="domain"> |
1546 |
+<summary> |
1547 |
+Domain allowed access. |
1548 |
+</summary> |
1549 |
+</param> |
1550 |
+</interface> |
1551 |
+<interface name="mysql_domtrans_mysql_safe" lineno="380"> |
1552 |
<summary> |
1553 |
Execute mysqld safe in the |
1554 |
mysqld safe domain. |
1555 |
@@ -101578,7 +101707,7 @@ Domain allowed to transition. |
1556 |
</summary> |
1557 |
</param> |
1558 |
</interface> |
1559 |
-<interface name="mysql_read_pid_files" lineno="361"> |
1560 |
+<interface name="mysql_read_pid_files" lineno="399"> |
1561 |
<summary> |
1562 |
Read mysqld pid files. (Deprecated) |
1563 |
</summary> |
1564 |
@@ -101588,7 +101717,7 @@ Domain allowed access. |
1565 |
</summary> |
1566 |
</param> |
1567 |
</interface> |
1568 |
-<interface name="mysql_search_pid_files" lineno="376"> |
1569 |
+<interface name="mysql_search_pid_files" lineno="414"> |
1570 |
<summary> |
1571 |
Search mysqld pid files. (Deprecated) |
1572 |
</summary> |
1573 |
@@ -101599,7 +101728,7 @@ Domain allowed access. |
1574 |
</param> |
1575 |
|
1576 |
</interface> |
1577 |
-<interface name="mysql_admin" lineno="397"> |
1578 |
+<interface name="mysql_admin" lineno="435"> |
1579 |
<summary> |
1580 |
All of the rules required to |
1581 |
administrate an mysqld environment. |
1582 |
@@ -101616,7 +101745,7 @@ Role allowed access. |
1583 |
</param> |
1584 |
<rolecap/> |
1585 |
</interface> |
1586 |
-<interface name="mysql_setattr_run_dirs" lineno="439"> |
1587 |
+<interface name="mysql_setattr_run_dirs" lineno="477"> |
1588 |
<summary> |
1589 |
Set the attributes of the MySQL run directories |
1590 |
</summary> |
1591 |
@@ -101626,7 +101755,7 @@ Domain allowed access |
1592 |
</summary> |
1593 |
</param> |
1594 |
</interface> |
1595 |
-<interface name="mysql_create_run_dirs" lineno="457"> |
1596 |
+<interface name="mysql_create_run_dirs" lineno="495"> |
1597 |
<summary> |
1598 |
Create MySQL run directories |
1599 |
</summary> |
1600 |
@@ -101636,7 +101765,7 @@ Domain allowed access |
1601 |
</summary> |
1602 |
</param> |
1603 |
</interface> |
1604 |
-<interface name="mysql_generic_run_filetrans_run" lineno="488"> |
1605 |
+<interface name="mysql_generic_run_filetrans_run" lineno="526"> |
1606 |
<summary> |
1607 |
Automatically use the MySQL run label for created resources in generic |
1608 |
run locations. This method is deprecated in favor of the |
1609 |
@@ -113234,7 +113363,7 @@ Domain allowed access. |
1610 |
</summary> |
1611 |
</param> |
1612 |
</interface> |
1613 |
-<interface name="auth_use_pam_motd_dynamic" lineno="116"> |
1614 |
+<interface name="auth_use_pam_motd_dynamic" lineno="117"> |
1615 |
<summary> |
1616 |
Use the pam module motd with dynamic support during authentication. |
1617 |
This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071) |
1618 |
@@ -113246,7 +113375,7 @@ Domain allowed access. |
1619 |
</summary> |
1620 |
</param> |
1621 |
</interface> |
1622 |
-<interface name="auth_login_pgm_domain" lineno="140"> |
1623 |
+<interface name="auth_login_pgm_domain" lineno="141"> |
1624 |
<summary> |
1625 |
Make the specified domain used for a login program. |
1626 |
</summary> |
1627 |
@@ -113256,7 +113385,7 @@ Domain type used for a login program domain. |
1628 |
</summary> |
1629 |
</param> |
1630 |
</interface> |
1631 |
-<interface name="auth_login_entry_type" lineno="227"> |
1632 |
+<interface name="auth_login_entry_type" lineno="228"> |
1633 |
<summary> |
1634 |
Use the login program as an entry point program. |
1635 |
</summary> |
1636 |
@@ -113266,7 +113395,7 @@ Domain allowed access. |
1637 |
</summary> |
1638 |
</param> |
1639 |
</interface> |
1640 |
-<interface name="auth_domtrans_login_program" lineno="250"> |
1641 |
+<interface name="auth_domtrans_login_program" lineno="251"> |
1642 |
<summary> |
1643 |
Execute a login_program in the target domain. |
1644 |
</summary> |
1645 |
@@ -113281,7 +113410,7 @@ The type of the login_program process. |
1646 |
</summary> |
1647 |
</param> |
1648 |
</interface> |
1649 |
-<interface name="auth_ranged_domtrans_login_program" lineno="280"> |
1650 |
+<interface name="auth_ranged_domtrans_login_program" lineno="281"> |
1651 |
<summary> |
1652 |
Execute a login_program in the target domain, |
1653 |
with a range transition. |
1654 |
@@ -113302,7 +113431,7 @@ Range of the login program. |
1655 |
</summary> |
1656 |
</param> |
1657 |
</interface> |
1658 |
-<interface name="auth_search_cache" lineno="306"> |
1659 |
+<interface name="auth_search_cache" lineno="307"> |
1660 |
<summary> |
1661 |
Search authentication cache |
1662 |
</summary> |
1663 |
@@ -113312,7 +113441,7 @@ Domain allowed access. |
1664 |
</summary> |
1665 |
</param> |
1666 |
</interface> |
1667 |
-<interface name="auth_read_cache" lineno="324"> |
1668 |
+<interface name="auth_read_cache" lineno="325"> |
1669 |
<summary> |
1670 |
Read authentication cache |
1671 |
</summary> |
1672 |
@@ -113322,7 +113451,7 @@ Domain allowed access. |
1673 |
</summary> |
1674 |
</param> |
1675 |
</interface> |
1676 |
-<interface name="auth_rw_cache" lineno="342"> |
1677 |
+<interface name="auth_rw_cache" lineno="343"> |
1678 |
<summary> |
1679 |
Read/Write authentication cache |
1680 |
</summary> |
1681 |
@@ -113332,7 +113461,7 @@ Domain allowed access. |
1682 |
</summary> |
1683 |
</param> |
1684 |
</interface> |
1685 |
-<interface name="auth_manage_cache" lineno="360"> |
1686 |
+<interface name="auth_manage_cache" lineno="361"> |
1687 |
<summary> |
1688 |
Manage authentication cache |
1689 |
</summary> |
1690 |
@@ -113342,7 +113471,7 @@ Domain allowed access. |
1691 |
</summary> |
1692 |
</param> |
1693 |
</interface> |
1694 |
-<interface name="auth_var_filetrans_cache" lineno="379"> |
1695 |
+<interface name="auth_var_filetrans_cache" lineno="380"> |
1696 |
<summary> |
1697 |
Automatic transition from cache_t to cache. |
1698 |
</summary> |
1699 |
@@ -113352,7 +113481,7 @@ Domain allowed access. |
1700 |
</summary> |
1701 |
</param> |
1702 |
</interface> |
1703 |
-<interface name="auth_domtrans_chk_passwd" lineno="397"> |
1704 |
+<interface name="auth_domtrans_chk_passwd" lineno="398"> |
1705 |
<summary> |
1706 |
Run unix_chkpwd to check a password. |
1707 |
</summary> |
1708 |
@@ -113362,7 +113491,7 @@ Domain allowed to transition. |
1709 |
</summary> |
1710 |
</param> |
1711 |
</interface> |
1712 |
-<interface name="auth_domtrans_chkpwd" lineno="445"> |
1713 |
+<interface name="auth_domtrans_chkpwd" lineno="446"> |
1714 |
<summary> |
1715 |
Run unix_chkpwd to check a password. |
1716 |
Stripped down version to be called within boolean |
1717 |
@@ -113373,7 +113502,7 @@ Domain allowed to transition. |
1718 |
</summary> |
1719 |
</param> |
1720 |
</interface> |
1721 |
-<interface name="auth_run_chk_passwd" lineno="471"> |
1722 |
+<interface name="auth_run_chk_passwd" lineno="472"> |
1723 |
<summary> |
1724 |
Execute chkpwd programs in the chkpwd domain. |
1725 |
</summary> |
1726 |
@@ -113388,7 +113517,7 @@ The role to allow the chkpwd domain. |
1727 |
</summary> |
1728 |
</param> |
1729 |
</interface> |
1730 |
-<interface name="auth_domtrans_upd_passwd" lineno="490"> |
1731 |
+<interface name="auth_domtrans_upd_passwd" lineno="491"> |
1732 |
<summary> |
1733 |
Execute a domain transition to run unix_update. |
1734 |
</summary> |
1735 |
@@ -113398,7 +113527,7 @@ Domain allowed to transition. |
1736 |
</summary> |
1737 |
</param> |
1738 |
</interface> |
1739 |
-<interface name="auth_run_upd_passwd" lineno="515"> |
1740 |
+<interface name="auth_run_upd_passwd" lineno="516"> |
1741 |
<summary> |
1742 |
Execute updpwd programs in the updpwd domain. |
1743 |
</summary> |
1744 |
@@ -113413,7 +113542,7 @@ The role to allow the updpwd domain. |
1745 |
</summary> |
1746 |
</param> |
1747 |
</interface> |
1748 |
-<interface name="auth_getattr_shadow" lineno="534"> |
1749 |
+<interface name="auth_getattr_shadow" lineno="535"> |
1750 |
<summary> |
1751 |
Get the attributes of the shadow passwords file. |
1752 |
</summary> |
1753 |
@@ -113423,7 +113552,7 @@ Domain allowed access. |
1754 |
</summary> |
1755 |
</param> |
1756 |
</interface> |
1757 |
-<interface name="auth_dontaudit_getattr_shadow" lineno="554"> |
1758 |
+<interface name="auth_dontaudit_getattr_shadow" lineno="555"> |
1759 |
<summary> |
1760 |
Do not audit attempts to get the attributes |
1761 |
of the shadow passwords file. |
1762 |
@@ -113434,7 +113563,7 @@ Domain to not audit. |
1763 |
</summary> |
1764 |
</param> |
1765 |
</interface> |
1766 |
-<interface name="auth_read_shadow" lineno="576"> |
1767 |
+<interface name="auth_read_shadow" lineno="577"> |
1768 |
<summary> |
1769 |
Read the shadow passwords file (/etc/shadow) |
1770 |
</summary> |
1771 |
@@ -113444,7 +113573,7 @@ Domain allowed access. |
1772 |
</summary> |
1773 |
</param> |
1774 |
</interface> |
1775 |
-<interface name="auth_map_shadow" lineno="591"> |
1776 |
+<interface name="auth_map_shadow" lineno="592"> |
1777 |
<summary> |
1778 |
Map the shadow passwords file (/etc/shadow) |
1779 |
</summary> |
1780 |
@@ -113454,7 +113583,7 @@ Domain allowed access. |
1781 |
</summary> |
1782 |
</param> |
1783 |
</interface> |
1784 |
-<interface name="auth_can_read_shadow_passwords" lineno="617"> |
1785 |
+<interface name="auth_can_read_shadow_passwords" lineno="618"> |
1786 |
<summary> |
1787 |
Pass shadow assertion for reading. |
1788 |
</summary> |
1789 |
@@ -113473,7 +113602,7 @@ Domain allowed access. |
1790 |
</summary> |
1791 |
</param> |
1792 |
</interface> |
1793 |
-<interface name="auth_tunable_read_shadow" lineno="643"> |
1794 |
+<interface name="auth_tunable_read_shadow" lineno="644"> |
1795 |
<summary> |
1796 |
Read the shadow password file. |
1797 |
</summary> |
1798 |
@@ -113491,7 +113620,7 @@ Domain allowed access. |
1799 |
</summary> |
1800 |
</param> |
1801 |
</interface> |
1802 |
-<interface name="auth_dontaudit_read_shadow" lineno="663"> |
1803 |
+<interface name="auth_dontaudit_read_shadow" lineno="664"> |
1804 |
<summary> |
1805 |
Do not audit attempts to read the shadow |
1806 |
password file (/etc/shadow). |
1807 |
@@ -113502,7 +113631,7 @@ Domain to not audit. |
1808 |
</summary> |
1809 |
</param> |
1810 |
</interface> |
1811 |
-<interface name="auth_rw_shadow" lineno="681"> |
1812 |
+<interface name="auth_rw_shadow" lineno="682"> |
1813 |
<summary> |
1814 |
Read and write the shadow password file (/etc/shadow). |
1815 |
</summary> |
1816 |
@@ -113512,7 +113641,7 @@ Domain allowed access. |
1817 |
</summary> |
1818 |
</param> |
1819 |
</interface> |
1820 |
-<interface name="auth_manage_shadow" lineno="703"> |
1821 |
+<interface name="auth_manage_shadow" lineno="704"> |
1822 |
<summary> |
1823 |
Create, read, write, and delete the shadow |
1824 |
password file. |
1825 |
@@ -113523,7 +113652,7 @@ Domain allowed access. |
1826 |
</summary> |
1827 |
</param> |
1828 |
</interface> |
1829 |
-<interface name="auth_etc_filetrans_shadow" lineno="723"> |
1830 |
+<interface name="auth_etc_filetrans_shadow" lineno="729"> |
1831 |
<summary> |
1832 |
Automatic transition from etc to shadow. |
1833 |
</summary> |
1834 |
@@ -113532,8 +113661,13 @@ Automatic transition from etc to shadow. |
1835 |
Domain allowed access. |
1836 |
</summary> |
1837 |
</param> |
1838 |
+<param name="name" optional="true"> |
1839 |
+<summary> |
1840 |
+The name of the object being created. |
1841 |
+</summary> |
1842 |
+</param> |
1843 |
</interface> |
1844 |
-<interface name="auth_relabelto_shadow" lineno="742"> |
1845 |
+<interface name="auth_relabelto_shadow" lineno="748"> |
1846 |
<summary> |
1847 |
Relabel to the shadow |
1848 |
password file type. |
1849 |
@@ -113544,7 +113678,7 @@ Domain allowed access. |
1850 |
</summary> |
1851 |
</param> |
1852 |
</interface> |
1853 |
-<interface name="auth_relabel_shadow" lineno="764"> |
1854 |
+<interface name="auth_relabel_shadow" lineno="770"> |
1855 |
<summary> |
1856 |
Relabel from and to the shadow |
1857 |
password file type. |
1858 |
@@ -113555,7 +113689,7 @@ Domain allowed access. |
1859 |
</summary> |
1860 |
</param> |
1861 |
</interface> |
1862 |
-<interface name="auth_append_faillog" lineno="785"> |
1863 |
+<interface name="auth_append_faillog" lineno="791"> |
1864 |
<summary> |
1865 |
Append to the login failure log. |
1866 |
</summary> |
1867 |
@@ -113565,7 +113699,7 @@ Domain allowed access. |
1868 |
</summary> |
1869 |
</param> |
1870 |
</interface> |
1871 |
-<interface name="auth_create_faillog_files" lineno="804"> |
1872 |
+<interface name="auth_create_faillog_files" lineno="810"> |
1873 |
<summary> |
1874 |
Create fail log lock (in /run/faillock). |
1875 |
</summary> |
1876 |
@@ -113575,7 +113709,7 @@ Domain allowed access. |
1877 |
</summary> |
1878 |
</param> |
1879 |
</interface> |
1880 |
-<interface name="auth_rw_faillog" lineno="822"> |
1881 |
+<interface name="auth_rw_faillog" lineno="828"> |
1882 |
<summary> |
1883 |
Read and write the login failure log. |
1884 |
</summary> |
1885 |
@@ -113585,7 +113719,7 @@ Domain allowed access. |
1886 |
</summary> |
1887 |
</param> |
1888 |
</interface> |
1889 |
-<interface name="auth_manage_faillog" lineno="841"> |
1890 |
+<interface name="auth_manage_faillog" lineno="847"> |
1891 |
<summary> |
1892 |
Manage the login failure logs. |
1893 |
</summary> |
1894 |
@@ -113595,7 +113729,7 @@ Domain allowed access. |
1895 |
</summary> |
1896 |
</param> |
1897 |
</interface> |
1898 |
-<interface name="auth_setattr_faillog_files" lineno="860"> |
1899 |
+<interface name="auth_setattr_faillog_files" lineno="866"> |
1900 |
<summary> |
1901 |
Setattr the login failure logs. |
1902 |
</summary> |
1903 |
@@ -113605,7 +113739,7 @@ Domain allowed access. |
1904 |
</summary> |
1905 |
</param> |
1906 |
</interface> |
1907 |
-<interface name="auth_read_lastlog" lineno="879"> |
1908 |
+<interface name="auth_read_lastlog" lineno="885"> |
1909 |
<summary> |
1910 |
Read the last logins log. |
1911 |
</summary> |
1912 |
@@ -113616,7 +113750,7 @@ Domain allowed access. |
1913 |
</param> |
1914 |
<rolecap/> |
1915 |
</interface> |
1916 |
-<interface name="auth_append_lastlog" lineno="898"> |
1917 |
+<interface name="auth_append_lastlog" lineno="904"> |
1918 |
<summary> |
1919 |
Append only to the last logins log. |
1920 |
</summary> |
1921 |
@@ -113626,7 +113760,7 @@ Domain allowed access. |
1922 |
</summary> |
1923 |
</param> |
1924 |
</interface> |
1925 |
-<interface name="auth_relabel_lastlog" lineno="917"> |
1926 |
+<interface name="auth_relabel_lastlog" lineno="923"> |
1927 |
<summary> |
1928 |
relabel the last logins log. |
1929 |
</summary> |
1930 |
@@ -113636,7 +113770,7 @@ Domain allowed access. |
1931 |
</summary> |
1932 |
</param> |
1933 |
</interface> |
1934 |
-<interface name="auth_rw_lastlog" lineno="936"> |
1935 |
+<interface name="auth_rw_lastlog" lineno="942"> |
1936 |
<summary> |
1937 |
Read and write to the last logins log. |
1938 |
</summary> |
1939 |
@@ -113646,7 +113780,7 @@ Domain allowed access. |
1940 |
</summary> |
1941 |
</param> |
1942 |
</interface> |
1943 |
-<interface name="auth_manage_lastlog" lineno="955"> |
1944 |
+<interface name="auth_manage_lastlog" lineno="961"> |
1945 |
<summary> |
1946 |
Manage the last logins log. |
1947 |
</summary> |
1948 |
@@ -113656,7 +113790,7 @@ Domain allowed access. |
1949 |
</summary> |
1950 |
</param> |
1951 |
</interface> |
1952 |
-<interface name="auth_domtrans_pam" lineno="974"> |
1953 |
+<interface name="auth_domtrans_pam" lineno="980"> |
1954 |
<summary> |
1955 |
Execute pam programs in the pam domain. |
1956 |
</summary> |
1957 |
@@ -113666,7 +113800,7 @@ Domain allowed to transition. |
1958 |
</summary> |
1959 |
</param> |
1960 |
</interface> |
1961 |
-<interface name="auth_signal_pam" lineno="992"> |
1962 |
+<interface name="auth_signal_pam" lineno="998"> |
1963 |
<summary> |
1964 |
Send generic signals to pam processes. |
1965 |
</summary> |
1966 |
@@ -113676,7 +113810,7 @@ Domain allowed access. |
1967 |
</summary> |
1968 |
</param> |
1969 |
</interface> |
1970 |
-<interface name="auth_run_pam" lineno="1015"> |
1971 |
+<interface name="auth_run_pam" lineno="1021"> |
1972 |
<summary> |
1973 |
Execute pam programs in the PAM domain. |
1974 |
</summary> |
1975 |
@@ -113691,7 +113825,7 @@ The role to allow the PAM domain. |
1976 |
</summary> |
1977 |
</param> |
1978 |
</interface> |
1979 |
-<interface name="auth_exec_pam" lineno="1034"> |
1980 |
+<interface name="auth_exec_pam" lineno="1040"> |
1981 |
<summary> |
1982 |
Execute the pam program. |
1983 |
</summary> |
1984 |
@@ -113701,7 +113835,7 @@ Domain allowed access. |
1985 |
</summary> |
1986 |
</param> |
1987 |
</interface> |
1988 |
-<interface name="auth_read_var_auth" lineno="1053"> |
1989 |
+<interface name="auth_read_var_auth" lineno="1059"> |
1990 |
<summary> |
1991 |
Read var auth files. Used by various other applications |
1992 |
and pam applets etc. |
1993 |
@@ -113712,7 +113846,7 @@ Domain allowed access. |
1994 |
</summary> |
1995 |
</param> |
1996 |
</interface> |
1997 |
-<interface name="auth_rw_var_auth" lineno="1073"> |
1998 |
+<interface name="auth_rw_var_auth" lineno="1079"> |
1999 |
<summary> |
2000 |
Read and write var auth files. Used by various other applications |
2001 |
and pam applets etc. |
2002 |
@@ -113723,7 +113857,7 @@ Domain allowed access. |
2003 |
</summary> |
2004 |
</param> |
2005 |
</interface> |
2006 |
-<interface name="auth_manage_var_auth" lineno="1093"> |
2007 |
+<interface name="auth_manage_var_auth" lineno="1099"> |
2008 |
<summary> |
2009 |
Manage var auth files. Used by various other applications |
2010 |
and pam applets etc. |
2011 |
@@ -113734,7 +113868,7 @@ Domain allowed access. |
2012 |
</summary> |
2013 |
</param> |
2014 |
</interface> |
2015 |
-<interface name="auth_read_pam_pid" lineno="1114"> |
2016 |
+<interface name="auth_read_pam_pid" lineno="1120"> |
2017 |
<summary> |
2018 |
Read PAM PID files. (Deprecated) |
2019 |
</summary> |
2020 |
@@ -113744,7 +113878,7 @@ Domain allowed access. |
2021 |
</summary> |
2022 |
</param> |
2023 |
</interface> |
2024 |
-<interface name="auth_dontaudit_read_pam_pid" lineno="1129"> |
2025 |
+<interface name="auth_dontaudit_read_pam_pid" lineno="1135"> |
2026 |
<summary> |
2027 |
Do not audit attempts to read PAM PID files. (Deprecated) |
2028 |
</summary> |
2029 |
@@ -113754,7 +113888,7 @@ Domain to not audit. |
2030 |
</summary> |
2031 |
</param> |
2032 |
</interface> |
2033 |
-<interface name="auth_pid_filetrans_pam_var_run" lineno="1157"> |
2034 |
+<interface name="auth_pid_filetrans_pam_var_run" lineno="1163"> |
2035 |
<summary> |
2036 |
Create specified objects in |
2037 |
pid directories with the pam var |
2038 |
@@ -113777,7 +113911,7 @@ The name of the object being created. |
2039 |
</summary> |
2040 |
</param> |
2041 |
</interface> |
2042 |
-<interface name="auth_delete_pam_pid" lineno="1172"> |
2043 |
+<interface name="auth_delete_pam_pid" lineno="1178"> |
2044 |
<summary> |
2045 |
Delete pam PID files. (Deprecated) |
2046 |
</summary> |
2047 |
@@ -113787,7 +113921,7 @@ Domain allowed access. |
2048 |
</summary> |
2049 |
</param> |
2050 |
</interface> |
2051 |
-<interface name="auth_manage_pam_pid" lineno="1187"> |
2052 |
+<interface name="auth_manage_pam_pid" lineno="1193"> |
2053 |
<summary> |
2054 |
Manage pam PID files. (Deprecated) |
2055 |
</summary> |
2056 |
@@ -113797,7 +113931,7 @@ Domain allowed access. |
2057 |
</summary> |
2058 |
</param> |
2059 |
</interface> |
2060 |
-<interface name="auth_manage_pam_runtime_dirs" lineno="1203"> |
2061 |
+<interface name="auth_manage_pam_runtime_dirs" lineno="1209"> |
2062 |
<summary> |
2063 |
Manage pam runtime dirs. |
2064 |
</summary> |
2065 |
@@ -113807,7 +113941,7 @@ Domain allowed access. |
2066 |
</summary> |
2067 |
</param> |
2068 |
</interface> |
2069 |
-<interface name="auth_runtime_filetrans_pam_runtime" lineno="1234"> |
2070 |
+<interface name="auth_runtime_filetrans_pam_runtime" lineno="1240"> |
2071 |
<summary> |
2072 |
Create specified objects in |
2073 |
pid directories with the pam runtime |
2074 |
@@ -113829,7 +113963,7 @@ The name of the object being created. |
2075 |
</summary> |
2076 |
</param> |
2077 |
</interface> |
2078 |
-<interface name="auth_read_pam_runtime_files" lineno="1252"> |
2079 |
+<interface name="auth_read_pam_runtime_files" lineno="1258"> |
2080 |
<summary> |
2081 |
Read PAM runtime files. |
2082 |
</summary> |
2083 |
@@ -113839,7 +113973,7 @@ Domain allowed access. |
2084 |
</summary> |
2085 |
</param> |
2086 |
</interface> |
2087 |
-<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1272"> |
2088 |
+<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1278"> |
2089 |
<summary> |
2090 |
Do not audit attempts to read PAM runtime files. |
2091 |
</summary> |
2092 |
@@ -113849,7 +113983,7 @@ Domain to not audit. |
2093 |
</summary> |
2094 |
</param> |
2095 |
</interface> |
2096 |
-<interface name="auth_delete_pam_runtime_files" lineno="1290"> |
2097 |
+<interface name="auth_delete_pam_runtime_files" lineno="1296"> |
2098 |
<summary> |
2099 |
Delete pam runtime files. |
2100 |
</summary> |
2101 |
@@ -113859,7 +113993,7 @@ Domain allowed access. |
2102 |
</summary> |
2103 |
</param> |
2104 |
</interface> |
2105 |
-<interface name="auth_manage_pam_runtime_files" lineno="1309"> |
2106 |
+<interface name="auth_manage_pam_runtime_files" lineno="1315"> |
2107 |
<summary> |
2108 |
Create, read, write, and delete pam runtime files. |
2109 |
</summary> |
2110 |
@@ -113869,7 +114003,7 @@ Domain allowed access. |
2111 |
</summary> |
2112 |
</param> |
2113 |
</interface> |
2114 |
-<interface name="auth_domtrans_pam_console" lineno="1328"> |
2115 |
+<interface name="auth_domtrans_pam_console" lineno="1334"> |
2116 |
<summary> |
2117 |
Execute pam_console with a domain transition. |
2118 |
</summary> |
2119 |
@@ -113879,7 +114013,7 @@ Domain allowed to transition. |
2120 |
</summary> |
2121 |
</param> |
2122 |
</interface> |
2123 |
-<interface name="auth_search_pam_console_data" lineno="1347"> |
2124 |
+<interface name="auth_search_pam_console_data" lineno="1353"> |
2125 |
<summary> |
2126 |
Search the contents of the |
2127 |
pam_console data directory. |
2128 |
@@ -113890,7 +114024,7 @@ Domain allowed access. |
2129 |
</summary> |
2130 |
</param> |
2131 |
</interface> |
2132 |
-<interface name="auth_list_pam_console_data" lineno="1367"> |
2133 |
+<interface name="auth_list_pam_console_data" lineno="1373"> |
2134 |
<summary> |
2135 |
List the contents of the pam_console |
2136 |
data directory. |
2137 |
@@ -113901,7 +114035,7 @@ Domain allowed access. |
2138 |
</summary> |
2139 |
</param> |
2140 |
</interface> |
2141 |
-<interface name="auth_create_pam_console_data_dirs" lineno="1386"> |
2142 |
+<interface name="auth_create_pam_console_data_dirs" lineno="1392"> |
2143 |
<summary> |
2144 |
Create pam var console pid directories. |
2145 |
</summary> |
2146 |
@@ -113911,7 +114045,7 @@ Domain allowed access. |
2147 |
</summary> |
2148 |
</param> |
2149 |
</interface> |
2150 |
-<interface name="auth_relabel_pam_console_data_dirs" lineno="1405"> |
2151 |
+<interface name="auth_relabel_pam_console_data_dirs" lineno="1411"> |
2152 |
<summary> |
2153 |
Relabel pam_console data directories. |
2154 |
</summary> |
2155 |
@@ -113921,7 +114055,7 @@ Domain allowed access. |
2156 |
</summary> |
2157 |
</param> |
2158 |
</interface> |
2159 |
-<interface name="auth_read_pam_console_data" lineno="1423"> |
2160 |
+<interface name="auth_read_pam_console_data" lineno="1429"> |
2161 |
<summary> |
2162 |
Read pam_console data files. |
2163 |
</summary> |
2164 |
@@ -113931,7 +114065,7 @@ Domain allowed access. |
2165 |
</summary> |
2166 |
</param> |
2167 |
</interface> |
2168 |
-<interface name="auth_manage_pam_console_data" lineno="1444"> |
2169 |
+<interface name="auth_manage_pam_console_data" lineno="1450"> |
2170 |
<summary> |
2171 |
Create, read, write, and delete |
2172 |
pam_console data files. |
2173 |
@@ -113942,7 +114076,7 @@ Domain allowed access. |
2174 |
</summary> |
2175 |
</param> |
2176 |
</interface> |
2177 |
-<interface name="auth_delete_pam_console_data" lineno="1464"> |
2178 |
+<interface name="auth_delete_pam_console_data" lineno="1470"> |
2179 |
<summary> |
2180 |
Delete pam_console data. |
2181 |
</summary> |
2182 |
@@ -113952,7 +114086,7 @@ Domain allowed access. |
2183 |
</summary> |
2184 |
</param> |
2185 |
</interface> |
2186 |
-<interface name="auth_pid_filetrans_pam_var_console" lineno="1497"> |
2187 |
+<interface name="auth_pid_filetrans_pam_var_console" lineno="1503"> |
2188 |
<summary> |
2189 |
Create specified objects in |
2190 |
pid directories with the pam var |
2191 |
@@ -113975,7 +114109,7 @@ The name of the object being created. |
2192 |
</summary> |
2193 |
</param> |
2194 |
</interface> |
2195 |
-<interface name="auth_runtime_filetrans_pam_var_console" lineno="1525"> |
2196 |
+<interface name="auth_runtime_filetrans_pam_var_console" lineno="1531"> |
2197 |
<summary> |
2198 |
Create specified objects in generic |
2199 |
runtime directories with the pam var |
2200 |
@@ -113998,7 +114132,7 @@ The name of the object being created. |
2201 |
</summary> |
2202 |
</param> |
2203 |
</interface> |
2204 |
-<interface name="auth_domtrans_utempter" lineno="1543"> |
2205 |
+<interface name="auth_domtrans_utempter" lineno="1549"> |
2206 |
<summary> |
2207 |
Execute utempter programs in the utempter domain. |
2208 |
</summary> |
2209 |
@@ -114008,7 +114142,7 @@ Domain allowed to transition. |
2210 |
</summary> |
2211 |
</param> |
2212 |
</interface> |
2213 |
-<interface name="auth_run_utempter" lineno="1566"> |
2214 |
+<interface name="auth_run_utempter" lineno="1572"> |
2215 |
<summary> |
2216 |
Execute utempter programs in the utempter domain. |
2217 |
</summary> |
2218 |
@@ -114023,7 +114157,7 @@ The role to allow the utempter domain. |
2219 |
</summary> |
2220 |
</param> |
2221 |
</interface> |
2222 |
-<interface name="auth_dontaudit_exec_utempter" lineno="1585"> |
2223 |
+<interface name="auth_dontaudit_exec_utempter" lineno="1591"> |
2224 |
<summary> |
2225 |
Do not audit attempts to execute utempter executable. |
2226 |
</summary> |
2227 |
@@ -114033,7 +114167,7 @@ Domain to not audit. |
2228 |
</summary> |
2229 |
</param> |
2230 |
</interface> |
2231 |
-<interface name="auth_setattr_login_records" lineno="1603"> |
2232 |
+<interface name="auth_setattr_login_records" lineno="1609"> |
2233 |
<summary> |
2234 |
Set the attributes of login record files. |
2235 |
</summary> |
2236 |
@@ -114043,7 +114177,7 @@ Domain allowed access. |
2237 |
</summary> |
2238 |
</param> |
2239 |
</interface> |
2240 |
-<interface name="auth_read_login_records" lineno="1623"> |
2241 |
+<interface name="auth_read_login_records" lineno="1629"> |
2242 |
<summary> |
2243 |
Read login records files (/var/log/wtmp). |
2244 |
</summary> |
2245 |
@@ -114054,7 +114188,7 @@ Domain allowed access. |
2246 |
</param> |
2247 |
<rolecap/> |
2248 |
</interface> |
2249 |
-<interface name="auth_dontaudit_read_login_records" lineno="1644"> |
2250 |
+<interface name="auth_dontaudit_read_login_records" lineno="1650"> |
2251 |
<summary> |
2252 |
Do not audit attempts to read login records |
2253 |
files (/var/log/wtmp). |
2254 |
@@ -114066,7 +114200,7 @@ Domain to not audit. |
2255 |
</param> |
2256 |
<rolecap/> |
2257 |
</interface> |
2258 |
-<interface name="auth_dontaudit_write_login_records" lineno="1663"> |
2259 |
+<interface name="auth_dontaudit_write_login_records" lineno="1669"> |
2260 |
<summary> |
2261 |
Do not audit attempts to write to |
2262 |
login records files. |
2263 |
@@ -114077,7 +114211,7 @@ Domain to not audit. |
2264 |
</summary> |
2265 |
</param> |
2266 |
</interface> |
2267 |
-<interface name="auth_append_login_records" lineno="1681"> |
2268 |
+<interface name="auth_append_login_records" lineno="1687"> |
2269 |
<summary> |
2270 |
Append to login records (wtmp). |
2271 |
</summary> |
2272 |
@@ -114087,7 +114221,7 @@ Domain allowed access. |
2273 |
</summary> |
2274 |
</param> |
2275 |
</interface> |
2276 |
-<interface name="auth_write_login_records" lineno="1700"> |
2277 |
+<interface name="auth_write_login_records" lineno="1706"> |
2278 |
<summary> |
2279 |
Write to login records (wtmp). |
2280 |
</summary> |
2281 |
@@ -114097,7 +114231,7 @@ Domain allowed access. |
2282 |
</summary> |
2283 |
</param> |
2284 |
</interface> |
2285 |
-<interface name="auth_rw_login_records" lineno="1718"> |
2286 |
+<interface name="auth_rw_login_records" lineno="1724"> |
2287 |
<summary> |
2288 |
Read and write login records. |
2289 |
</summary> |
2290 |
@@ -114107,7 +114241,7 @@ Domain allowed access. |
2291 |
</summary> |
2292 |
</param> |
2293 |
</interface> |
2294 |
-<interface name="auth_log_filetrans_login_records" lineno="1738"> |
2295 |
+<interface name="auth_log_filetrans_login_records" lineno="1744"> |
2296 |
<summary> |
2297 |
Create a login records in the log directory |
2298 |
using a type transition. |
2299 |
@@ -114118,7 +114252,7 @@ Domain allowed access. |
2300 |
</summary> |
2301 |
</param> |
2302 |
</interface> |
2303 |
-<interface name="auth_manage_login_records" lineno="1757"> |
2304 |
+<interface name="auth_manage_login_records" lineno="1763"> |
2305 |
<summary> |
2306 |
Create, read, write, and delete login |
2307 |
records files. |
2308 |
@@ -114129,7 +114263,7 @@ Domain allowed access. |
2309 |
</summary> |
2310 |
</param> |
2311 |
</interface> |
2312 |
-<interface name="auth_relabel_login_records" lineno="1776"> |
2313 |
+<interface name="auth_relabel_login_records" lineno="1782"> |
2314 |
<summary> |
2315 |
Relabel login record files. |
2316 |
</summary> |
2317 |
@@ -114139,7 +114273,7 @@ Domain allowed access. |
2318 |
</summary> |
2319 |
</param> |
2320 |
</interface> |
2321 |
-<interface name="auth_use_nsswitch" lineno="1804"> |
2322 |
+<interface name="auth_use_nsswitch" lineno="1810"> |
2323 |
<summary> |
2324 |
Use nsswitch to look up user, password, group, or |
2325 |
host information. |
2326 |
@@ -114159,7 +114293,7 @@ Domain allowed access. |
2327 |
</param> |
2328 |
<infoflow type="both" weight="10"/> |
2329 |
</interface> |
2330 |
-<interface name="auth_unconfined" lineno="1832"> |
2331 |
+<interface name="auth_unconfined" lineno="1838"> |
2332 |
<summary> |
2333 |
Unconfined access to the authlogin module. |
2334 |
</summary> |
2335 |
@@ -120757,7 +120891,7 @@ can manage samba |
2336 |
</module> |
2337 |
<module name="systemd" filename="policy/modules/system/systemd.if"> |
2338 |
<summary>Systemd components (not PID 1)</summary> |
2339 |
-<template name="systemd_role_template" lineno="23"> |
2340 |
+<template name="systemd_role_template" lineno="28"> |
2341 |
<summary> |
2342 |
Template for systemd --user per-role domains. |
2343 |
</summary> |
2344 |
@@ -120776,8 +120910,13 @@ The user role. |
2345 |
The user domain for the role. |
2346 |
</summary> |
2347 |
</param> |
2348 |
+<param name="pty_type"> |
2349 |
+<summary> |
2350 |
+The type for the user pty |
2351 |
+</summary> |
2352 |
+</param> |
2353 |
</template> |
2354 |
-<interface name="systemd_log_parse_environment" lineno="82"> |
2355 |
+<interface name="systemd_log_parse_environment" lineno="96"> |
2356 |
<summary> |
2357 |
Make the specified type usable as an |
2358 |
log parse environment type. |
2359 |
@@ -120788,7 +120927,7 @@ Type to be used as a log parse environment type. |
2360 |
</summary> |
2361 |
</param> |
2362 |
</interface> |
2363 |
-<interface name="systemd_use_nss" lineno="102"> |
2364 |
+<interface name="systemd_use_nss" lineno="116"> |
2365 |
<summary> |
2366 |
Allow domain to use systemd's Name Service Switch (NSS) module. |
2367 |
This module provides UNIX user and group name resolution for dynamic users |
2368 |
@@ -120800,7 +120939,7 @@ Domain allowed access |
2369 |
</summary> |
2370 |
</param> |
2371 |
</interface> |
2372 |
-<interface name="systemd_PrivateDevices" lineno="129"> |
2373 |
+<interface name="systemd_PrivateDevices" lineno="143"> |
2374 |
<summary> |
2375 |
Allow domain to be used as a systemd service with a unit |
2376 |
that uses PrivateDevices=yes in section [Service]. |
2377 |
@@ -120811,7 +120950,7 @@ Domain allowed access |
2378 |
</summary> |
2379 |
</param> |
2380 |
</interface> |
2381 |
-<interface name="systemd_read_hwdb" lineno="146"> |
2382 |
+<interface name="systemd_read_hwdb" lineno="160"> |
2383 |
<summary> |
2384 |
Allow domain to read udev hwdb file |
2385 |
</summary> |
2386 |
@@ -120821,7 +120960,7 @@ domain allowed access |
2387 |
</summary> |
2388 |
</param> |
2389 |
</interface> |
2390 |
-<interface name="systemd_map_hwdb" lineno="164"> |
2391 |
+<interface name="systemd_map_hwdb" lineno="178"> |
2392 |
<summary> |
2393 |
Allow domain to map udev hwdb file |
2394 |
</summary> |
2395 |
@@ -120831,7 +120970,7 @@ domain allowed access |
2396 |
</summary> |
2397 |
</param> |
2398 |
</interface> |
2399 |
-<interface name="systemd_read_logind_pids" lineno="182"> |
2400 |
+<interface name="systemd_read_logind_pids" lineno="196"> |
2401 |
<summary> |
2402 |
Read systemd_login PID files. (Deprecated) |
2403 |
</summary> |
2404 |
@@ -120841,7 +120980,7 @@ Domain allowed access. |
2405 |
</summary> |
2406 |
</param> |
2407 |
</interface> |
2408 |
-<interface name="systemd_manage_logind_pid_pipes" lineno="197"> |
2409 |
+<interface name="systemd_manage_logind_pid_pipes" lineno="211"> |
2410 |
<summary> |
2411 |
Manage systemd_login PID pipes. (Deprecated) |
2412 |
</summary> |
2413 |
@@ -120851,7 +120990,7 @@ Domain allowed access. |
2414 |
</summary> |
2415 |
</param> |
2416 |
</interface> |
2417 |
-<interface name="systemd_write_logind_pid_pipes" lineno="212"> |
2418 |
+<interface name="systemd_write_logind_pid_pipes" lineno="226"> |
2419 |
<summary> |
2420 |
Write systemd_login named pipe. (Deprecated) |
2421 |
</summary> |
2422 |
@@ -120861,7 +121000,7 @@ Domain allowed access. |
2423 |
</summary> |
2424 |
</param> |
2425 |
</interface> |
2426 |
-<interface name="systemd_read_logind_runtime_files" lineno="227"> |
2427 |
+<interface name="systemd_read_logind_runtime_files" lineno="241"> |
2428 |
<summary> |
2429 |
Read systemd-logind runtime files. |
2430 |
</summary> |
2431 |
@@ -120871,7 +121010,7 @@ Domain allowed access. |
2432 |
</summary> |
2433 |
</param> |
2434 |
</interface> |
2435 |
-<interface name="systemd_manage_logind_runtime_pipes" lineno="247"> |
2436 |
+<interface name="systemd_manage_logind_runtime_pipes" lineno="261"> |
2437 |
<summary> |
2438 |
Manage systemd-logind runtime pipes. |
2439 |
</summary> |
2440 |
@@ -120881,7 +121020,7 @@ Domain allowed access. |
2441 |
</summary> |
2442 |
</param> |
2443 |
</interface> |
2444 |
-<interface name="systemd_write_logind_runtime_pipes" lineno="266"> |
2445 |
+<interface name="systemd_write_logind_runtime_pipes" lineno="280"> |
2446 |
<summary> |
2447 |
Write systemd-logind runtime named pipe. |
2448 |
</summary> |
2449 |
@@ -120891,7 +121030,7 @@ Domain allowed access. |
2450 |
</summary> |
2451 |
</param> |
2452 |
</interface> |
2453 |
-<interface name="systemd_use_logind_fds" lineno="287"> |
2454 |
+<interface name="systemd_use_logind_fds" lineno="301"> |
2455 |
<summary> |
2456 |
Use inherited systemd |
2457 |
logind file descriptors. |
2458 |
@@ -120902,7 +121041,7 @@ Domain allowed access. |
2459 |
</summary> |
2460 |
</param> |
2461 |
</interface> |
2462 |
-<interface name="systemd_read_logind_sessions_files" lineno="305"> |
2463 |
+<interface name="systemd_read_logind_sessions_files" lineno="319"> |
2464 |
<summary> |
2465 |
Read logind sessions files. |
2466 |
</summary> |
2467 |
@@ -120912,7 +121051,7 @@ Domain allowed access. |
2468 |
</summary> |
2469 |
</param> |
2470 |
</interface> |
2471 |
-<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="326"> |
2472 |
+<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="340"> |
2473 |
<summary> |
2474 |
Write inherited logind sessions pipes. |
2475 |
</summary> |
2476 |
@@ -120922,7 +121061,7 @@ Domain allowed access. |
2477 |
</summary> |
2478 |
</param> |
2479 |
</interface> |
2480 |
-<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="346"> |
2481 |
+<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="360"> |
2482 |
<summary> |
2483 |
Write inherited logind inhibit pipes. |
2484 |
</summary> |
2485 |
@@ -120932,7 +121071,7 @@ Domain allowed access. |
2486 |
</summary> |
2487 |
</param> |
2488 |
</interface> |
2489 |
-<interface name="systemd_dbus_chat_logind" lineno="367"> |
2490 |
+<interface name="systemd_dbus_chat_logind" lineno="381"> |
2491 |
<summary> |
2492 |
Send and receive messages from |
2493 |
systemd logind over dbus. |
2494 |
@@ -120943,7 +121082,7 @@ Domain allowed access. |
2495 |
</summary> |
2496 |
</param> |
2497 |
</interface> |
2498 |
-<interface name="systemd_status_logind" lineno="387"> |
2499 |
+<interface name="systemd_status_logind" lineno="401"> |
2500 |
<summary> |
2501 |
Get the system status information from systemd_login |
2502 |
</summary> |
2503 |
@@ -120953,7 +121092,7 @@ Domain allowed access. |
2504 |
</summary> |
2505 |
</param> |
2506 |
</interface> |
2507 |
-<interface name="systemd_signull_logind" lineno="406"> |
2508 |
+<interface name="systemd_signull_logind" lineno="420"> |
2509 |
<summary> |
2510 |
Send systemd_login a null signal. |
2511 |
</summary> |
2512 |
@@ -120963,7 +121102,7 @@ Domain allowed access. |
2513 |
</summary> |
2514 |
</param> |
2515 |
</interface> |
2516 |
-<interface name="systemd_manage_userdb_runtime_dirs" lineno="424"> |
2517 |
+<interface name="systemd_manage_userdb_runtime_dirs" lineno="438"> |
2518 |
<summary> |
2519 |
Manage systemd userdb runtime directories. |
2520 |
</summary> |
2521 |
@@ -120973,7 +121112,7 @@ Domain allowed access. |
2522 |
</summary> |
2523 |
</param> |
2524 |
</interface> |
2525 |
-<interface name="systemd_manage_userdb_runtime_sock_files" lineno="442"> |
2526 |
+<interface name="systemd_manage_userdb_runtime_sock_files" lineno="456"> |
2527 |
<summary> |
2528 |
Manage socket files under /run/systemd/userdb . |
2529 |
</summary> |
2530 |
@@ -120983,7 +121122,7 @@ Domain allowed access. |
2531 |
</summary> |
2532 |
</param> |
2533 |
</interface> |
2534 |
-<interface name="systemd_stream_connect_userdb" lineno="460"> |
2535 |
+<interface name="systemd_stream_connect_userdb" lineno="474"> |
2536 |
<summary> |
2537 |
Connect to /run/systemd/userdb/io.systemd.DynamicUser . |
2538 |
</summary> |
2539 |
@@ -120993,7 +121132,7 @@ Domain allowed access. |
2540 |
</summary> |
2541 |
</param> |
2542 |
</interface> |
2543 |
-<interface name="systemd_read_machines" lineno="481"> |
2544 |
+<interface name="systemd_read_machines" lineno="495"> |
2545 |
<summary> |
2546 |
Allow reading /run/systemd/machines |
2547 |
</summary> |
2548 |
@@ -121003,7 +121142,17 @@ Domain that can access the machines files |
2549 |
</summary> |
2550 |
</param> |
2551 |
</interface> |
2552 |
-<interface name="systemd_dbus_chat_hostnamed" lineno="501"> |
2553 |
+<interface name="systemd_connect_machined" lineno="514"> |
2554 |
+<summary> |
2555 |
+Allow connecting to /run/systemd/userdb/io.systemd.Machine socket |
2556 |
+</summary> |
2557 |
+<param name="domain"> |
2558 |
+<summary> |
2559 |
+Domain that can access the socket |
2560 |
+</summary> |
2561 |
+</param> |
2562 |
+</interface> |
2563 |
+<interface name="systemd_dbus_chat_hostnamed" lineno="533"> |
2564 |
<summary> |
2565 |
Send and receive messages from |
2566 |
systemd hostnamed over dbus. |
2567 |
@@ -121014,7 +121163,7 @@ Domain allowed access. |
2568 |
</summary> |
2569 |
</param> |
2570 |
</interface> |
2571 |
-<interface name="systemd_use_passwd_agent_fds" lineno="521"> |
2572 |
+<interface name="systemd_use_passwd_agent_fds" lineno="553"> |
2573 |
<summary> |
2574 |
allow systemd_passwd_agent to inherit fds |
2575 |
</summary> |
2576 |
@@ -121024,7 +121173,22 @@ Domain that owns the fds |
2577 |
</summary> |
2578 |
</param> |
2579 |
</interface> |
2580 |
-<interface name="systemd_use_passwd_agent" lineno="540"> |
2581 |
+<interface name="systemd_run_passwd_agent" lineno="576"> |
2582 |
+<summary> |
2583 |
+allow systemd_passwd_agent to be run by admin |
2584 |
+</summary> |
2585 |
+<param name="domain"> |
2586 |
+<summary> |
2587 |
+Domain that runs it |
2588 |
+</summary> |
2589 |
+</param> |
2590 |
+<param name="role"> |
2591 |
+<summary> |
2592 |
+role that it runs in |
2593 |
+</summary> |
2594 |
+</param> |
2595 |
+</interface> |
2596 |
+<interface name="systemd_use_passwd_agent" lineno="597"> |
2597 |
<summary> |
2598 |
Allow a systemd_passwd_agent_t process to interact with a daemon |
2599 |
that needs a password from the sysadmin. |
2600 |
@@ -121035,7 +121199,7 @@ Domain allowed access. |
2601 |
</summary> |
2602 |
</param> |
2603 |
</interface> |
2604 |
-<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="564"> |
2605 |
+<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="621"> |
2606 |
<summary> |
2607 |
Transition to systemd_passwd_runtime_t when creating dirs |
2608 |
</summary> |
2609 |
@@ -121045,7 +121209,7 @@ Domain allowed access. |
2610 |
</summary> |
2611 |
</param> |
2612 |
</interface> |
2613 |
-<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="585"> |
2614 |
+<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="642"> |
2615 |
<summary> |
2616 |
Transition to systemd_userdb_runtime_t when |
2617 |
creating the userdb directory inside an init runtime |
2618 |
@@ -121057,7 +121221,7 @@ Domain allowed access. |
2619 |
</summary> |
2620 |
</param> |
2621 |
</interface> |
2622 |
-<interface name="systemd_manage_passwd_runtime_symlinks" lineno="603"> |
2623 |
+<interface name="systemd_manage_passwd_runtime_symlinks" lineno="660"> |
2624 |
<summary> |
2625 |
Allow to domain to create systemd-passwd symlink |
2626 |
</summary> |
2627 |
@@ -121067,7 +121231,7 @@ Domain allowed access. |
2628 |
</summary> |
2629 |
</param> |
2630 |
</interface> |
2631 |
-<interface name="systemd_manage_all_units" lineno="621"> |
2632 |
+<interface name="systemd_manage_all_units" lineno="678"> |
2633 |
<summary> |
2634 |
manage systemd unit dirs and the files in them (Deprecated) |
2635 |
</summary> |
2636 |
@@ -121077,7 +121241,7 @@ Domain allowed access. |
2637 |
</summary> |
2638 |
</param> |
2639 |
</interface> |
2640 |
-<interface name="systemd_read_journal_files" lineno="636"> |
2641 |
+<interface name="systemd_read_journal_files" lineno="693"> |
2642 |
<summary> |
2643 |
Allow domain to read systemd_journal_t files |
2644 |
</summary> |
2645 |
@@ -121087,7 +121251,7 @@ Domain allowed access. |
2646 |
</summary> |
2647 |
</param> |
2648 |
</interface> |
2649 |
-<interface name="systemd_manage_journal_files" lineno="655"> |
2650 |
+<interface name="systemd_manage_journal_files" lineno="712"> |
2651 |
<summary> |
2652 |
Allow domain to create/manage systemd_journal_t files |
2653 |
</summary> |
2654 |
@@ -121097,7 +121261,7 @@ Domain allowed access. |
2655 |
</summary> |
2656 |
</param> |
2657 |
</interface> |
2658 |
-<interface name="systemd_relabelto_journal_dirs" lineno="675"> |
2659 |
+<interface name="systemd_relabelto_journal_dirs" lineno="732"> |
2660 |
<summary> |
2661 |
Relabel to systemd-journald directory type. |
2662 |
</summary> |
2663 |
@@ -121107,7 +121271,7 @@ Domain allowed access. |
2664 |
</summary> |
2665 |
</param> |
2666 |
</interface> |
2667 |
-<interface name="systemd_relabelto_journal_files" lineno="694"> |
2668 |
+<interface name="systemd_relabelto_journal_files" lineno="751"> |
2669 |
<summary> |
2670 |
Relabel to systemd-journald file type. |
2671 |
</summary> |
2672 |
@@ -121117,7 +121281,7 @@ Domain allowed access. |
2673 |
</summary> |
2674 |
</param> |
2675 |
</interface> |
2676 |
-<interface name="systemd_read_networkd_units" lineno="714"> |
2677 |
+<interface name="systemd_read_networkd_units" lineno="771"> |
2678 |
<summary> |
2679 |
Allow domain to read systemd_networkd_t unit files |
2680 |
</summary> |
2681 |
@@ -121127,7 +121291,7 @@ Domain allowed access. |
2682 |
</summary> |
2683 |
</param> |
2684 |
</interface> |
2685 |
-<interface name="systemd_manage_networkd_units" lineno="734"> |
2686 |
+<interface name="systemd_manage_networkd_units" lineno="791"> |
2687 |
<summary> |
2688 |
Allow domain to create/manage systemd_networkd_t unit files |
2689 |
</summary> |
2690 |
@@ -121137,7 +121301,7 @@ Domain allowed access. |
2691 |
</summary> |
2692 |
</param> |
2693 |
</interface> |
2694 |
-<interface name="systemd_enabledisable_networkd" lineno="754"> |
2695 |
+<interface name="systemd_enabledisable_networkd" lineno="811"> |
2696 |
<summary> |
2697 |
Allow specified domain to enable systemd-networkd units |
2698 |
</summary> |
2699 |
@@ -121147,7 +121311,7 @@ Domain allowed access. |
2700 |
</summary> |
2701 |
</param> |
2702 |
</interface> |
2703 |
-<interface name="systemd_startstop_networkd" lineno="773"> |
2704 |
+<interface name="systemd_startstop_networkd" lineno="830"> |
2705 |
<summary> |
2706 |
Allow specified domain to start systemd-networkd units |
2707 |
</summary> |
2708 |
@@ -121157,7 +121321,7 @@ Domain allowed access. |
2709 |
</summary> |
2710 |
</param> |
2711 |
</interface> |
2712 |
-<interface name="systemd_status_networkd" lineno="792"> |
2713 |
+<interface name="systemd_status_networkd" lineno="849"> |
2714 |
<summary> |
2715 |
Allow specified domain to get status of systemd-networkd |
2716 |
</summary> |
2717 |
@@ -121167,7 +121331,7 @@ Domain allowed access. |
2718 |
</summary> |
2719 |
</param> |
2720 |
</interface> |
2721 |
-<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="811"> |
2722 |
+<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="868"> |
2723 |
<summary> |
2724 |
Relabel systemd_networkd tun socket. |
2725 |
</summary> |
2726 |
@@ -121177,7 +121341,7 @@ Domain allowed access. |
2727 |
</summary> |
2728 |
</param> |
2729 |
</interface> |
2730 |
-<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="829"> |
2731 |
+<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="886"> |
2732 |
<summary> |
2733 |
Read/Write from systemd_networkd netlink route socket. |
2734 |
</summary> |
2735 |
@@ -121187,7 +121351,7 @@ Domain allowed access. |
2736 |
</summary> |
2737 |
</param> |
2738 |
</interface> |
2739 |
-<interface name="systemd_list_networkd_runtime" lineno="847"> |
2740 |
+<interface name="systemd_list_networkd_runtime" lineno="904"> |
2741 |
<summary> |
2742 |
Allow domain to list dirs under /run/systemd/netif |
2743 |
</summary> |
2744 |
@@ -121197,7 +121361,7 @@ domain permitted the access |
2745 |
</summary> |
2746 |
</param> |
2747 |
</interface> |
2748 |
-<interface name="systemd_watch_networkd_runtime_dirs" lineno="866"> |
2749 |
+<interface name="systemd_watch_networkd_runtime_dirs" lineno="923"> |
2750 |
<summary> |
2751 |
Watch directories under /run/systemd/netif |
2752 |
</summary> |
2753 |
@@ -121207,7 +121371,7 @@ Domain permitted the access |
2754 |
</summary> |
2755 |
</param> |
2756 |
</interface> |
2757 |
-<interface name="systemd_read_networkd_runtime" lineno="885"> |
2758 |
+<interface name="systemd_read_networkd_runtime" lineno="942"> |
2759 |
<summary> |
2760 |
Allow domain to read files generated by systemd_networkd |
2761 |
</summary> |
2762 |
@@ -121217,7 +121381,7 @@ domain allowed access |
2763 |
</summary> |
2764 |
</param> |
2765 |
</interface> |
2766 |
-<interface name="systemd_read_logind_state" lineno="904"> |
2767 |
+<interface name="systemd_read_logind_state" lineno="961"> |
2768 |
<summary> |
2769 |
Allow systemd_logind_t to read process state for cgroup file |
2770 |
</summary> |
2771 |
@@ -121227,7 +121391,7 @@ Domain systemd_logind_t may access. |
2772 |
</summary> |
2773 |
</param> |
2774 |
</interface> |
2775 |
-<interface name="systemd_start_power_units" lineno="923"> |
2776 |
+<interface name="systemd_start_power_units" lineno="980"> |
2777 |
<summary> |
2778 |
Allow specified domain to start power units |
2779 |
</summary> |
2780 |
@@ -121237,7 +121401,7 @@ Domain to not audit. |
2781 |
</summary> |
2782 |
</param> |
2783 |
</interface> |
2784 |
-<interface name="systemd_status_power_units" lineno="942"> |
2785 |
+<interface name="systemd_status_power_units" lineno="999"> |
2786 |
<summary> |
2787 |
Get the system status information about power units |
2788 |
</summary> |
2789 |
@@ -121247,7 +121411,7 @@ Domain allowed access. |
2790 |
</summary> |
2791 |
</param> |
2792 |
</interface> |
2793 |
-<interface name="systemd_stream_connect_socket_proxyd" lineno="961"> |
2794 |
+<interface name="systemd_stream_connect_socket_proxyd" lineno="1018"> |
2795 |
<summary> |
2796 |
Allows connections to the systemd-socket-proxyd's socket. |
2797 |
</summary> |
2798 |
@@ -121257,7 +121421,7 @@ Domain allowed access. |
2799 |
</summary> |
2800 |
</param> |
2801 |
</interface> |
2802 |
-<interface name="systemd_tmpfiles_conf_file" lineno="980"> |
2803 |
+<interface name="systemd_tmpfiles_conf_file" lineno="1037"> |
2804 |
<summary> |
2805 |
Make the specified type usable for |
2806 |
systemd tmpfiles config files. |
2807 |
@@ -121268,7 +121432,7 @@ Type to be used for systemd tmpfiles config files. |
2808 |
</summary> |
2809 |
</param> |
2810 |
</interface> |
2811 |
-<interface name="systemd_tmpfiles_creator" lineno="1001"> |
2812 |
+<interface name="systemd_tmpfiles_creator" lineno="1058"> |
2813 |
<summary> |
2814 |
Allow the specified domain to create |
2815 |
the tmpfiles config directory with |
2816 |
@@ -121280,7 +121444,7 @@ Domain allowed access. |
2817 |
</summary> |
2818 |
</param> |
2819 |
</interface> |
2820 |
-<interface name="systemd_tmpfiles_conf_filetrans" lineno="1037"> |
2821 |
+<interface name="systemd_tmpfiles_conf_filetrans" lineno="1094"> |
2822 |
<summary> |
2823 |
Create an object in the systemd tmpfiles config |
2824 |
directory, with a private type |
2825 |
@@ -121307,7 +121471,7 @@ The name of the object being created. |
2826 |
</summary> |
2827 |
</param> |
2828 |
</interface> |
2829 |
-<interface name="systemd_list_tmpfiles_conf" lineno="1056"> |
2830 |
+<interface name="systemd_list_tmpfiles_conf" lineno="1113"> |
2831 |
<summary> |
2832 |
Allow domain to list systemd tmpfiles config directory |
2833 |
</summary> |
2834 |
@@ -121317,7 +121481,7 @@ Domain allowed access. |
2835 |
</summary> |
2836 |
</param> |
2837 |
</interface> |
2838 |
-<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1074"> |
2839 |
+<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1131"> |
2840 |
<summary> |
2841 |
Allow domain to relabel to systemd tmpfiles config directory |
2842 |
</summary> |
2843 |
@@ -121327,7 +121491,7 @@ Domain allowed access. |
2844 |
</summary> |
2845 |
</param> |
2846 |
</interface> |
2847 |
-<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1092"> |
2848 |
+<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1149"> |
2849 |
<summary> |
2850 |
Allow domain to relabel to systemd tmpfiles config files |
2851 |
</summary> |
2852 |
@@ -121337,7 +121501,7 @@ Domain allowed access. |
2853 |
</summary> |
2854 |
</param> |
2855 |
</interface> |
2856 |
-<interface name="systemd_tmpfilesd_managed" lineno="1115"> |
2857 |
+<interface name="systemd_tmpfilesd_managed" lineno="1172"> |
2858 |
<summary> |
2859 |
Allow systemd_tmpfiles_t to manage filesystem objects |
2860 |
</summary> |
2861 |
@@ -121352,7 +121516,7 @@ object class to manage |
2862 |
</summary> |
2863 |
</param> |
2864 |
</interface> |
2865 |
-<interface name="systemd_dbus_chat_resolved" lineno="1134"> |
2866 |
+<interface name="systemd_dbus_chat_resolved" lineno="1191"> |
2867 |
<summary> |
2868 |
Send and receive messages from |
2869 |
systemd resolved over dbus. |
2870 |
@@ -121363,7 +121527,7 @@ Domain allowed access. |
2871 |
</summary> |
2872 |
</param> |
2873 |
</interface> |
2874 |
-<interface name="systemd_read_resolved_runtime" lineno="1154"> |
2875 |
+<interface name="systemd_read_resolved_runtime" lineno="1211"> |
2876 |
<summary> |
2877 |
Allow domain to read resolv.conf file generated by systemd_resolved |
2878 |
</summary> |
2879 |
@@ -121373,7 +121537,7 @@ domain allowed access |
2880 |
</summary> |
2881 |
</param> |
2882 |
</interface> |
2883 |
-<interface name="systemd_getattr_updated_runtime" lineno="1172"> |
2884 |
+<interface name="systemd_getattr_updated_runtime" lineno="1229"> |
2885 |
<summary> |
2886 |
Allow domain to getattr on .updated file (generated by systemd-update-done |
2887 |
</summary> |
2888 |
@@ -121383,7 +121547,7 @@ domain allowed access |
2889 |
</summary> |
2890 |
</param> |
2891 |
</interface> |
2892 |
-<interface name="systemd_search_all_user_keys" lineno="1190"> |
2893 |
+<interface name="systemd_search_all_user_keys" lineno="1247"> |
2894 |
<summary> |
2895 |
Search keys for the all systemd --user domains. |
2896 |
</summary> |
2897 |
@@ -121393,7 +121557,7 @@ Domain allowed access. |
2898 |
</summary> |
2899 |
</param> |
2900 |
</interface> |
2901 |
-<interface name="systemd_create_all_user_keys" lineno="1208"> |
2902 |
+<interface name="systemd_create_all_user_keys" lineno="1265"> |
2903 |
<summary> |
2904 |
Create keys for the all systemd --user domains. |
2905 |
</summary> |
2906 |
@@ -121403,7 +121567,7 @@ Domain allowed access. |
2907 |
</summary> |
2908 |
</param> |
2909 |
</interface> |
2910 |
-<interface name="systemd_write_all_user_keys" lineno="1226"> |
2911 |
+<interface name="systemd_write_all_user_keys" lineno="1283"> |
2912 |
<summary> |
2913 |
Write keys for the all systemd --user domains. |
2914 |
</summary> |
2915 |
@@ -121413,7 +121577,7 @@ Domain allowed access. |
2916 |
</summary> |
2917 |
</param> |
2918 |
</interface> |
2919 |
-<interface name="systemd_domtrans_sysusers" lineno="1245"> |
2920 |
+<interface name="systemd_domtrans_sysusers" lineno="1302"> |
2921 |
<summary> |
2922 |
Execute systemd-sysusers in the |
2923 |
systemd sysusers domain. |
2924 |
@@ -121424,7 +121588,7 @@ Domain allowed access. |
2925 |
</summary> |
2926 |
</param> |
2927 |
</interface> |
2928 |
-<interface name="systemd_run_sysusers" lineno="1270"> |
2929 |
+<interface name="systemd_run_sysusers" lineno="1327"> |
2930 |
<summary> |
2931 |
Run systemd-sysusers with a domain transition. |
2932 |
</summary> |
2933 |
@@ -121440,6 +121604,17 @@ Role allowed access. |
2934 |
</param> |
2935 |
<rolecap/> |
2936 |
</interface> |
2937 |
+<interface name="systemd_use_inherited_machined_ptys" lineno="1347"> |
2938 |
+<summary> |
2939 |
+receive and use a systemd_machined_devpts_t file handle |
2940 |
+</summary> |
2941 |
+<param name="domain"> |
2942 |
+<summary> |
2943 |
+Domain allowed access. |
2944 |
+</summary> |
2945 |
+</param> |
2946 |
+<rolecap/> |
2947 |
+</interface> |
2948 |
<tunable name="systemd_tmpfiles_manage_all" dftval="false"> |
2949 |
<desc> |
2950 |
<p> |
2951 |
|
2952 |
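diff --git a/policy/booleans.conf b/policy/booleans.conf
index 4b1ccd81..38a4ea50 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -1079,6 +1079,12 @@ boinc_execmem = true
 #
 allow_httpd_bugzilla_script_anon_write = false
 
+#
+# Determine whether additional rules
+# should be enabled to support acme.sh
+#
+certbot_acmesh = false
+
 #
 # Determine whether clamscan can
 # read user content files.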
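diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index 1d0367c8..372deb5b 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2,7 +2,7 @@
 # This is a generated file! Instead of modifying this file, the
 # corenetwork.te.in or corenetwork.te.m4 file should be modified.
 #
-policy_module(corenetwork, 1.28.1)
+policy_module(corenetwork, 1.29.0)
 
 ########################################
 #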