Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, doc/, policy/
Date: Sun, 07 Feb 2021 03:21:22
Message-Id: 1612646282.cecb7fe66611d6e51bec44507fdda4ef2fcc4808.perfinion@gentoo
1 commit: cecb7fe66611d6e51bec44507fdda4ef2fcc4808
2 Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
3 AuthorDate: Sat Feb 6 21:18:02 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 21:18:02 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cecb7fe6
7
8 Update generated policy and doc files
9
10 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
11
12 doc/policy.xml | 779 +++++++++++++++++++++--------------
13 policy/booleans.conf | 6 +
14 policy/modules/kernel/corenetwork.te | 2 +-
15 3 files changed, 484 insertions(+), 303 deletions(-)
16
17 diff --git a/doc/policy.xml b/doc/policy.xml
18 index 0537d461..3c0809a4 100644
19 --- a/doc/policy.xml
20 +++ b/doc/policy.xml
21 @@ -85508,7 +85508,17 @@ Domain allowed access.
22 </summary>
23 </param>
24 </interface>
25 -<interface name="kernel_mounton_proc" lineno="924">
26 +<interface name="kernel_dontaudit_getattr_proc" lineno="923">
27 +<summary>
28 +Do not audit attempts to get the attributes of the proc filesystem.
29 +</summary>
30 +<param name="domain">
31 +<summary>
32 +Domain to not audit.
33 +</summary>
34 +</param>
35 +</interface>
36 +<interface name="kernel_mounton_proc" lineno="942">
37 <summary>
38 Mount on proc directories.
39 </summary>
40 @@ -85519,7 +85529,7 @@ Domain allowed access.
41 </param>
42 <rolecap/>
43 </interface>
44 -<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="943">
45 +<interface name="kernel_dontaudit_setattr_proc_dirs" lineno="961">
46 <summary>
47 Do not audit attempts to set the
48 attributes of directories in /proc.
49 @@ -85530,7 +85540,7 @@ Domain to not audit.
50 </summary>
51 </param>
52 </interface>
53 -<interface name="kernel_search_proc" lineno="961">
54 +<interface name="kernel_search_proc" lineno="979">
55 <summary>
56 Search directories in /proc.
57 </summary>
58 @@ -85540,7 +85550,7 @@ Domain allowed access.
59 </summary>
60 </param>
61 </interface>
62 -<interface name="kernel_list_proc" lineno="979">
63 +<interface name="kernel_list_proc" lineno="997">
64 <summary>
65 List the contents of directories in /proc.
66 </summary>
67 @@ -85550,7 +85560,7 @@ Domain allowed access.
68 </summary>
69 </param>
70 </interface>
71 -<interface name="kernel_dontaudit_list_proc" lineno="998">
72 +<interface name="kernel_dontaudit_list_proc" lineno="1016">
73 <summary>
74 Do not audit attempts to list the
75 contents of directories in /proc.
76 @@ -85561,7 +85571,7 @@ Domain to not audit.
77 </summary>
78 </param>
79 </interface>
80 -<interface name="kernel_dontaudit_write_proc_dirs" lineno="1017">
81 +<interface name="kernel_dontaudit_write_proc_dirs" lineno="1035">
82 <summary>
83 Do not audit attempts to write the
84 directories in /proc.
85 @@ -85572,7 +85582,7 @@ Domain to not audit.
86 </summary>
87 </param>
88 </interface>
89 -<interface name="kernel_mounton_proc_dirs" lineno="1035">
90 +<interface name="kernel_mounton_proc_dirs" lineno="1053">
91 <summary>
92 Mount the directories in /proc.
93 </summary>
94 @@ -85582,7 +85592,7 @@ Domain allowed access.
95 </summary>
96 </param>
97 </interface>
98 -<interface name="kernel_getattr_proc_files" lineno="1053">
99 +<interface name="kernel_getattr_proc_files" lineno="1071">
100 <summary>
101 Get the attributes of files in /proc.
102 </summary>
103 @@ -85592,7 +85602,7 @@ Domain allowed access.
104 </summary>
105 </param>
106 </interface>
107 -<interface name="kernel_read_proc_symlinks" lineno="1080">
108 +<interface name="kernel_read_proc_symlinks" lineno="1098">
109 <summary>
110 Read generic symbolic links in /proc.
111 </summary>
112 @@ -85611,7 +85621,7 @@ Domain allowed access.
113 </param>
114 <infoflow type="read" weight="10"/>
115 </interface>
116 -<interface name="kernel_read_system_state" lineno="1119">
117 +<interface name="kernel_read_system_state" lineno="1137">
118 <summary>
119 Allows caller to read system state information in /proc.
120 </summary>
121 @@ -85642,7 +85652,7 @@ Domain allowed access.
122 <infoflow type="read" weight="10"/>
123 <rolecap/>
124 </interface>
125 -<interface name="kernel_write_proc_files" lineno="1145">
126 +<interface name="kernel_write_proc_files" lineno="1163">
127 <summary>
128 Write to generic proc entries.
129 </summary>
130 @@ -85653,7 +85663,7 @@ Domain allowed access.
131 </param>
132 <rolecap/>
133 </interface>
134 -<interface name="kernel_dontaudit_read_system_state" lineno="1164">
135 +<interface name="kernel_dontaudit_read_system_state" lineno="1182">
136 <summary>
137 Do not audit attempts by caller to
138 read system state information in proc.
139 @@ -85664,7 +85674,7 @@ Domain to not audit.
140 </summary>
141 </param>
142 </interface>
143 -<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1183">
144 +<interface name="kernel_dontaudit_read_proc_symlinks" lineno="1201">
145 <summary>
146 Do not audit attempts by caller to
147 read symbolic links in proc.
148 @@ -85675,7 +85685,7 @@ Domain to not audit.
149 </summary>
150 </param>
151 </interface>
152 -<interface name="kernel_rw_afs_state" lineno="1202">
153 +<interface name="kernel_rw_afs_state" lineno="1220">
154 <summary>
155 Allow caller to read and write state information for AFS.
156 </summary>
157 @@ -85686,7 +85696,7 @@ Domain allowed access.
158 </param>
159 <rolecap/>
160 </interface>
161 -<interface name="kernel_read_software_raid_state" lineno="1222">
162 +<interface name="kernel_read_software_raid_state" lineno="1240">
163 <summary>
164 Allow caller to read the state information for software raid.
165 </summary>
166 @@ -85697,7 +85707,7 @@ Domain allowed access.
167 </param>
168 <rolecap/>
169 </interface>
170 -<interface name="kernel_rw_software_raid_state" lineno="1242">
171 +<interface name="kernel_rw_software_raid_state" lineno="1260">
172 <summary>
173 Allow caller to read and set the state information for software raid.
174 </summary>
175 @@ -85707,7 +85717,7 @@ Domain allowed access.
176 </summary>
177 </param>
178 </interface>
179 -<interface name="kernel_getattr_core_if" lineno="1262">
180 +<interface name="kernel_getattr_core_if" lineno="1280">
181 <summary>
182 Allows caller to get attributes of core kernel interface.
183 </summary>
184 @@ -85717,7 +85727,7 @@ Domain allowed access.
185 </summary>
186 </param>
187 </interface>
188 -<interface name="kernel_dontaudit_getattr_core_if" lineno="1283">
189 +<interface name="kernel_dontaudit_getattr_core_if" lineno="1301">
190 <summary>
191 Do not audit attempts to get the attributes of
192 core kernel interfaces.
193 @@ -85728,7 +85738,7 @@ Domain to not audit.
194 </summary>
195 </param>
196 </interface>
197 -<interface name="kernel_read_core_if" lineno="1301">
198 +<interface name="kernel_read_core_if" lineno="1319">
199 <summary>
200 Allows caller to read the core kernel interface.
201 </summary>
202 @@ -85738,7 +85748,7 @@ Domain allowed access.
203 </summary>
204 </param>
205 </interface>
206 -<interface name="kernel_read_messages" lineno="1325">
207 +<interface name="kernel_read_messages" lineno="1343">
208 <summary>
209 Allow caller to read kernel messages
210 using the /proc/kmsg interface.
211 @@ -85749,7 +85759,7 @@ Domain allowed access.
212 </summary>
213 </param>
214 </interface>
215 -<interface name="kernel_getattr_message_if" lineno="1347">
216 +<interface name="kernel_getattr_message_if" lineno="1365">
217 <summary>
218 Allow caller to get the attributes of kernel message
219 interface (/proc/kmsg).
220 @@ -85760,7 +85770,7 @@ Domain allowed access.
221 </summary>
222 </param>
223 </interface>
224 -<interface name="kernel_dontaudit_getattr_message_if" lineno="1366">
225 +<interface name="kernel_dontaudit_getattr_message_if" lineno="1384">
226 <summary>
227 Do not audit attempts by caller to get the attributes of kernel
228 message interfaces.
229 @@ -85771,7 +85781,7 @@ Domain to not audit.
230 </summary>
231 </param>
232 </interface>
233 -<interface name="kernel_mounton_message_if" lineno="1385">
234 +<interface name="kernel_mounton_message_if" lineno="1403">
235 <summary>
236 Mount on kernel message interfaces files.
237 </summary>
238 @@ -85782,7 +85792,7 @@ Domain allowed access.
239 </param>
240 <rolecap/>
241 </interface>
242 -<interface name="kernel_dontaudit_search_network_state" lineno="1406">
243 +<interface name="kernel_dontaudit_search_network_state" lineno="1424">
244 <summary>
245 Do not audit attempts to search the network
246 state directory.
247 @@ -85794,7 +85804,7 @@ Domain to not audit.
248 </param>
249
250 </interface>
251 -<interface name="kernel_search_network_state" lineno="1425">
252 +<interface name="kernel_search_network_state" lineno="1443">
253 <summary>
254 Allow searching of network state directory.
255 </summary>
256 @@ -85805,7 +85815,7 @@ Domain allowed access.
257 </param>
258
259 </interface>
260 -<interface name="kernel_read_network_state" lineno="1455">
261 +<interface name="kernel_read_network_state" lineno="1473">
262 <summary>
263 Read the network state information.
264 </summary>
265 @@ -85827,7 +85837,7 @@ Domain allowed access.
266 <infoflow type="read" weight="10"/>
267 <rolecap/>
268 </interface>
269 -<interface name="kernel_read_network_state_symlinks" lineno="1476">
270 +<interface name="kernel_read_network_state_symlinks" lineno="1494">
271 <summary>
272 Allow caller to read the network state symbolic links.
273 </summary>
274 @@ -85837,7 +85847,7 @@ Domain allowed access.
275 </summary>
276 </param>
277 </interface>
278 -<interface name="kernel_search_xen_state" lineno="1497">
279 +<interface name="kernel_search_xen_state" lineno="1515">
280 <summary>
281 Allow searching of xen state directory.
282 </summary>
283 @@ -85848,7 +85858,7 @@ Domain allowed access.
284 </param>
285
286 </interface>
287 -<interface name="kernel_dontaudit_search_xen_state" lineno="1517">
288 +<interface name="kernel_dontaudit_search_xen_state" lineno="1535">
289 <summary>
290 Do not audit attempts to search the xen
291 state directory.
292 @@ -85860,7 +85870,7 @@ Domain to not audit.
293 </param>
294
295 </interface>
296 -<interface name="kernel_read_xen_state" lineno="1536">
297 +<interface name="kernel_read_xen_state" lineno="1554">
298 <summary>
299 Allow caller to read the xen state information.
300 </summary>
301 @@ -85871,7 +85881,7 @@ Domain allowed access.
302 </param>
303
304 </interface>
305 -<interface name="kernel_read_xen_state_symlinks" lineno="1558">
306 +<interface name="kernel_read_xen_state_symlinks" lineno="1576">
307 <summary>
308 Allow caller to read the xen state symbolic links.
309 </summary>
310 @@ -85882,7 +85892,7 @@ Domain allowed access.
311 </param>
312
313 </interface>
314 -<interface name="kernel_write_xen_state" lineno="1579">
315 +<interface name="kernel_write_xen_state" lineno="1597">
316 <summary>
317 Allow caller to write xen state information.
318 </summary>
319 @@ -85893,7 +85903,7 @@ Domain allowed access.
320 </param>
321
322 </interface>
323 -<interface name="kernel_list_all_proc" lineno="1597">
324 +<interface name="kernel_list_all_proc" lineno="1615">
325 <summary>
326 Allow attempts to list all proc directories.
327 </summary>
328 @@ -85903,7 +85913,7 @@ Domain allowed access.
329 </summary>
330 </param>
331 </interface>
332 -<interface name="kernel_dontaudit_list_all_proc" lineno="1616">
333 +<interface name="kernel_dontaudit_list_all_proc" lineno="1634">
334 <summary>
335 Do not audit attempts to list all proc directories.
336 </summary>
337 @@ -85913,7 +85923,7 @@ Domain to not audit.
338 </summary>
339 </param>
340 </interface>
341 -<interface name="kernel_dontaudit_search_sysctl" lineno="1637">
342 +<interface name="kernel_dontaudit_search_sysctl" lineno="1655">
343 <summary>
344 Do not audit attempts by caller to search
345 the base directory of sysctls.
346 @@ -85925,7 +85935,7 @@ Domain to not audit.
347 </param>
348
349 </interface>
350 -<interface name="kernel_mounton_sysctl_dirs" lineno="1656">
351 +<interface name="kernel_mounton_sysctl_dirs" lineno="1674">
352 <summary>
353 Mount on sysctl_t dirs.
354 </summary>
355 @@ -85936,7 +85946,7 @@ Domain allowed access.
356 </param>
357 <rolecap/>
358 </interface>
359 -<interface name="kernel_read_sysctl" lineno="1676">
360 +<interface name="kernel_read_sysctl" lineno="1694">
361 <summary>
362 Allow access to read sysctl directories.
363 </summary>
364 @@ -85947,7 +85957,7 @@ Domain allowed access.
365 </param>
366
367 </interface>
368 -<interface name="kernel_mounton_sysctl_files" lineno="1696">
369 +<interface name="kernel_mounton_sysctl_files" lineno="1714">
370 <summary>
371 Mount on sysctl files.
372 </summary>
373 @@ -85958,7 +85968,7 @@ Domain allowed access.
374 </param>
375 <rolecap/>
376 </interface>
377 -<interface name="kernel_read_device_sysctls" lineno="1716">
378 +<interface name="kernel_read_device_sysctls" lineno="1734">
379 <summary>
380 Allow caller to read the device sysctls.
381 </summary>
382 @@ -85969,7 +85979,7 @@ Domain allowed access.
383 </param>
384 <rolecap/>
385 </interface>
386 -<interface name="kernel_rw_device_sysctls" lineno="1737">
387 +<interface name="kernel_rw_device_sysctls" lineno="1755">
388 <summary>
389 Read and write device sysctls.
390 </summary>
391 @@ -85980,7 +85990,7 @@ Domain allowed access.
392 </param>
393 <rolecap/>
394 </interface>
395 -<interface name="kernel_search_vm_sysctl" lineno="1757">
396 +<interface name="kernel_search_vm_sysctl" lineno="1775">
397 <summary>
398 Allow caller to search virtual memory sysctls.
399 </summary>
400 @@ -85990,7 +86000,7 @@ Domain allowed access.
401 </summary>
402 </param>
403 </interface>
404 -<interface name="kernel_read_vm_sysctls" lineno="1776">
405 +<interface name="kernel_read_vm_sysctls" lineno="1794">
406 <summary>
407 Allow caller to read virtual memory sysctls.
408 </summary>
409 @@ -86001,7 +86011,7 @@ Domain allowed access.
410 </param>
411 <rolecap/>
412 </interface>
413 -<interface name="kernel_rw_vm_sysctls" lineno="1797">
414 +<interface name="kernel_rw_vm_sysctls" lineno="1815">
415 <summary>
416 Read and write virtual memory sysctls.
417 </summary>
418 @@ -86012,7 +86022,7 @@ Domain allowed access.
419 </param>
420 <rolecap/>
421 </interface>
422 -<interface name="kernel_search_network_sysctl" lineno="1819">
423 +<interface name="kernel_search_network_sysctl" lineno="1837">
424 <summary>
425 Search network sysctl directories.
426 </summary>
427 @@ -86022,7 +86032,7 @@ Domain allowed access.
428 </summary>
429 </param>
430 </interface>
431 -<interface name="kernel_dontaudit_search_network_sysctl" lineno="1837">
432 +<interface name="kernel_dontaudit_search_network_sysctl" lineno="1855">
433 <summary>
434 Do not audit attempts by caller to search network sysctl directories.
435 </summary>
436 @@ -86032,7 +86042,7 @@ Domain to not audit.
437 </summary>
438 </param>
439 </interface>
440 -<interface name="kernel_read_net_sysctls" lineno="1856">
441 +<interface name="kernel_read_net_sysctls" lineno="1874">
442 <summary>
443 Allow caller to read network sysctls.
444 </summary>
445 @@ -86043,7 +86053,7 @@ Domain allowed access.
446 </param>
447 <rolecap/>
448 </interface>
449 -<interface name="kernel_rw_net_sysctls" lineno="1877">
450 +<interface name="kernel_rw_net_sysctls" lineno="1895">
451 <summary>
452 Allow caller to modiry contents of sysctl network files.
453 </summary>
454 @@ -86054,7 +86064,7 @@ Domain allowed access.
455 </param>
456 <rolecap/>
457 </interface>
458 -<interface name="kernel_read_unix_sysctls" lineno="1899">
459 +<interface name="kernel_read_unix_sysctls" lineno="1917">
460 <summary>
461 Allow caller to read unix domain
462 socket sysctls.
463 @@ -86066,7 +86076,7 @@ Domain allowed access.
464 </param>
465 <rolecap/>
466 </interface>
467 -<interface name="kernel_rw_unix_sysctls" lineno="1921">
468 +<interface name="kernel_rw_unix_sysctls" lineno="1939">
469 <summary>
470 Read and write unix domain
471 socket sysctls.
472 @@ -86078,7 +86088,7 @@ Domain allowed access.
473 </param>
474 <rolecap/>
475 </interface>
476 -<interface name="kernel_read_hotplug_sysctls" lineno="1942">
477 +<interface name="kernel_read_hotplug_sysctls" lineno="1960">
478 <summary>
479 Read the hotplug sysctl.
480 </summary>
481 @@ -86089,7 +86099,7 @@ Domain allowed access.
482 </param>
483 <rolecap/>
484 </interface>
485 -<interface name="kernel_rw_hotplug_sysctls" lineno="1963">
486 +<interface name="kernel_rw_hotplug_sysctls" lineno="1981">
487 <summary>
488 Read and write the hotplug sysctl.
489 </summary>
490 @@ -86100,7 +86110,7 @@ Domain allowed access.
491 </param>
492 <rolecap/>
493 </interface>
494 -<interface name="kernel_read_modprobe_sysctls" lineno="1984">
495 +<interface name="kernel_read_modprobe_sysctls" lineno="2002">
496 <summary>
497 Read the modprobe sysctl.
498 </summary>
499 @@ -86111,7 +86121,7 @@ Domain allowed access.
500 </param>
501 <rolecap/>
502 </interface>
503 -<interface name="kernel_rw_modprobe_sysctls" lineno="2005">
504 +<interface name="kernel_rw_modprobe_sysctls" lineno="2023">
505 <summary>
506 Read and write the modprobe sysctl.
507 </summary>
508 @@ -86122,7 +86132,7 @@ Domain allowed access.
509 </param>
510 <rolecap/>
511 </interface>
512 -<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2025">
513 +<interface name="kernel_dontaudit_search_kernel_sysctl" lineno="2043">
514 <summary>
515 Do not audit attempts to search generic kernel sysctls.
516 </summary>
517 @@ -86132,7 +86142,7 @@ Domain to not audit.
518 </summary>
519 </param>
520 </interface>
521 -<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2043">
522 +<interface name="kernel_dontaudit_read_kernel_sysctl" lineno="2061">
523 <summary>
524 Do not audit attempted reading of kernel sysctls
525 </summary>
526 @@ -86142,7 +86152,7 @@ Domain to not audit accesses from
527 </summary>
528 </param>
529 </interface>
530 -<interface name="kernel_read_crypto_sysctls" lineno="2061">
531 +<interface name="kernel_read_crypto_sysctls" lineno="2079">
532 <summary>
533 Read generic crypto sysctls.
534 </summary>
535 @@ -86152,7 +86162,7 @@ Domain allowed access.
536 </summary>
537 </param>
538 </interface>
539 -<interface name="kernel_read_kernel_sysctls" lineno="2102">
540 +<interface name="kernel_read_kernel_sysctls" lineno="2120">
541 <summary>
542 Read general kernel sysctls.
543 </summary>
544 @@ -86184,7 +86194,7 @@ Domain allowed access.
545 </param>
546 <infoflow type="read" weight="10"/>
547 </interface>
548 -<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2122">
549 +<interface name="kernel_dontaudit_write_kernel_sysctl" lineno="2140">
550 <summary>
551 Do not audit attempts to write generic kernel sysctls.
552 </summary>
553 @@ -86194,7 +86204,7 @@ Domain to not audit.
554 </summary>
555 </param>
556 </interface>
557 -<interface name="kernel_rw_kernel_sysctl" lineno="2141">
558 +<interface name="kernel_rw_kernel_sysctl" lineno="2159">
559 <summary>
560 Read and write generic kernel sysctls.
561 </summary>
562 @@ -86205,7 +86215,7 @@ Domain allowed access.
563 </param>
564 <rolecap/>
565 </interface>
566 -<interface name="kernel_mounton_kernel_sysctl_files" lineno="2162">
567 +<interface name="kernel_mounton_kernel_sysctl_files" lineno="2180">
568 <summary>
569 Mount on kernel sysctl files.
570 </summary>
571 @@ -86216,7 +86226,7 @@ Domain allowed access.
572 </param>
573 <rolecap/>
574 </interface>
575 -<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2182">
576 +<interface name="kernel_read_kernel_ns_lastpid_sysctls" lineno="2200">
577 <summary>
578 Read kernel ns lastpid sysctls.
579 </summary>
580 @@ -86227,7 +86237,7 @@ Domain allowed access.
581 </param>
582 <rolecap/>
583 </interface>
584 -<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2202">
585 +<interface name="kernel_dontaudit_write_kernel_ns_lastpid_sysctl" lineno="2220">
586 <summary>
587 Do not audit attempts to write kernel ns lastpid sysctls.
588 </summary>
589 @@ -86237,7 +86247,7 @@ Domain to not audit.
590 </summary>
591 </param>
592 </interface>
593 -<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2221">
594 +<interface name="kernel_rw_kernel_ns_lastpid_sysctl" lineno="2239">
595 <summary>
596 Read and write kernel ns lastpid sysctls.
597 </summary>
598 @@ -86248,7 +86258,7 @@ Domain allowed access.
599 </param>
600 <rolecap/>
601 </interface>
602 -<interface name="kernel_search_fs_sysctls" lineno="2242">
603 +<interface name="kernel_search_fs_sysctls" lineno="2260">
604 <summary>
605 Search filesystem sysctl directories.
606 </summary>
607 @@ -86259,7 +86269,7 @@ Domain allowed access.
608 </param>
609 <rolecap/>
610 </interface>
611 -<interface name="kernel_read_fs_sysctls" lineno="2261">
612 +<interface name="kernel_read_fs_sysctls" lineno="2279">
613 <summary>
614 Read filesystem sysctls.
615 </summary>
616 @@ -86270,7 +86280,7 @@ Domain allowed access.
617 </param>
618 <rolecap/>
619 </interface>
620 -<interface name="kernel_rw_fs_sysctls" lineno="2282">
621 +<interface name="kernel_rw_fs_sysctls" lineno="2300">
622 <summary>
623 Read and write filesystem sysctls.
624 </summary>
625 @@ -86281,7 +86291,7 @@ Domain allowed access.
626 </param>
627 <rolecap/>
628 </interface>
629 -<interface name="kernel_read_irq_sysctls" lineno="2303">
630 +<interface name="kernel_read_irq_sysctls" lineno="2321">
631 <summary>
632 Read IRQ sysctls.
633 </summary>
634 @@ -86292,7 +86302,7 @@ Domain allowed access.
635 </param>
636 <rolecap/>
637 </interface>
638 -<interface name="kernel_rw_irq_sysctls" lineno="2324">
639 +<interface name="kernel_rw_irq_sysctls" lineno="2342">
640 <summary>
641 Read and write IRQ sysctls.
642 </summary>
643 @@ -86303,7 +86313,7 @@ Domain allowed access.
644 </param>
645 <rolecap/>
646 </interface>
647 -<interface name="kernel_read_rpc_sysctls" lineno="2345">
648 +<interface name="kernel_read_rpc_sysctls" lineno="2363">
649 <summary>
650 Read RPC sysctls.
651 </summary>
652 @@ -86314,7 +86324,7 @@ Domain allowed access.
653 </param>
654 <rolecap/>
655 </interface>
656 -<interface name="kernel_rw_rpc_sysctls" lineno="2366">
657 +<interface name="kernel_rw_rpc_sysctls" lineno="2384">
658 <summary>
659 Read and write RPC sysctls.
660 </summary>
661 @@ -86325,7 +86335,7 @@ Domain allowed access.
662 </param>
663 <rolecap/>
664 </interface>
665 -<interface name="kernel_dontaudit_list_all_sysctls" lineno="2386">
666 +<interface name="kernel_dontaudit_list_all_sysctls" lineno="2404">
667 <summary>
668 Do not audit attempts to list all sysctl directories.
669 </summary>
670 @@ -86335,7 +86345,7 @@ Domain to not audit.
671 </summary>
672 </param>
673 </interface>
674 -<interface name="kernel_read_all_sysctls" lineno="2406">
675 +<interface name="kernel_read_all_sysctls" lineno="2424">
676 <summary>
677 Allow caller to read all sysctls.
678 </summary>
679 @@ -86346,7 +86356,7 @@ Domain allowed access.
680 </param>
681 <rolecap/>
682 </interface>
683 -<interface name="kernel_rw_all_sysctls" lineno="2429">
684 +<interface name="kernel_rw_all_sysctls" lineno="2447">
685 <summary>
686 Read and write all sysctls.
687 </summary>
688 @@ -86357,7 +86367,7 @@ Domain allowed access.
689 </param>
690 <rolecap/>
691 </interface>
692 -<interface name="kernel_associate_proc" lineno="2454">
693 +<interface name="kernel_associate_proc" lineno="2472">
694 <summary>
695 Associate a file to proc_t (/proc)
696 </summary>
697 @@ -86368,7 +86378,7 @@ Domain allowed access.
698 </param>
699 <rolecap/>
700 </interface>
701 -<interface name="kernel_kill_unlabeled" lineno="2471">
702 +<interface name="kernel_kill_unlabeled" lineno="2489">
703 <summary>
704 Send a kill signal to unlabeled processes.
705 </summary>
706 @@ -86378,7 +86388,7 @@ Domain allowed access.
707 </summary>
708 </param>
709 </interface>
710 -<interface name="kernel_mount_unlabeled" lineno="2489">
711 +<interface name="kernel_mount_unlabeled" lineno="2507">
712 <summary>
713 Mount a kernel unlabeled filesystem.
714 </summary>
715 @@ -86388,7 +86398,7 @@ Domain allowed access.
716 </summary>
717 </param>
718 </interface>
719 -<interface name="kernel_unmount_unlabeled" lineno="2507">
720 +<interface name="kernel_unmount_unlabeled" lineno="2525">
721 <summary>
722 Unmount a kernel unlabeled filesystem.
723 </summary>
724 @@ -86398,7 +86408,7 @@ Domain allowed access.
725 </summary>
726 </param>
727 </interface>
728 -<interface name="kernel_signal_unlabeled" lineno="2525">
729 +<interface name="kernel_signal_unlabeled" lineno="2543">
730 <summary>
731 Send general signals to unlabeled processes.
732 </summary>
733 @@ -86408,7 +86418,7 @@ Domain allowed access.
734 </summary>
735 </param>
736 </interface>
737 -<interface name="kernel_signull_unlabeled" lineno="2543">
738 +<interface name="kernel_signull_unlabeled" lineno="2561">
739 <summary>
740 Send a null signal to unlabeled processes.
741 </summary>
742 @@ -86418,7 +86428,7 @@ Domain allowed access.
743 </summary>
744 </param>
745 </interface>
746 -<interface name="kernel_sigstop_unlabeled" lineno="2561">
747 +<interface name="kernel_sigstop_unlabeled" lineno="2579">
748 <summary>
749 Send a stop signal to unlabeled processes.
750 </summary>
751 @@ -86428,7 +86438,7 @@ Domain allowed access.
752 </summary>
753 </param>
754 </interface>
755 -<interface name="kernel_sigchld_unlabeled" lineno="2579">
756 +<interface name="kernel_sigchld_unlabeled" lineno="2597">
757 <summary>
758 Send a child terminated signal to unlabeled processes.
759 </summary>
760 @@ -86438,7 +86448,7 @@ Domain allowed access.
761 </summary>
762 </param>
763 </interface>
764 -<interface name="kernel_getattr_unlabeled_dirs" lineno="2597">
765 +<interface name="kernel_getattr_unlabeled_dirs" lineno="2615">
766 <summary>
767 Get the attributes of unlabeled directories.
768 </summary>
769 @@ -86448,7 +86458,7 @@ Domain allowed access.
770 </summary>
771 </param>
772 </interface>
773 -<interface name="kernel_dontaudit_search_unlabeled" lineno="2615">
774 +<interface name="kernel_dontaudit_search_unlabeled" lineno="2633">
775 <summary>
776 Do not audit attempts to search unlabeled directories.
777 </summary>
778 @@ -86458,7 +86468,7 @@ Domain to not audit.
779 </summary>
780 </param>
781 </interface>
782 -<interface name="kernel_list_unlabeled" lineno="2633">
783 +<interface name="kernel_list_unlabeled" lineno="2651">
784 <summary>
785 List unlabeled directories.
786 </summary>
787 @@ -86468,7 +86478,7 @@ Domain allowed access.
788 </summary>
789 </param>
790 </interface>
791 -<interface name="kernel_read_unlabeled_state" lineno="2651">
792 +<interface name="kernel_read_unlabeled_state" lineno="2669">
793 <summary>
794 Read the process state (/proc/pid) of all unlabeled_t.
795 </summary>
796 @@ -86478,7 +86488,7 @@ Domain allowed access.
797 </summary>
798 </param>
799 </interface>
800 -<interface name="kernel_dontaudit_list_unlabeled" lineno="2671">
801 +<interface name="kernel_dontaudit_list_unlabeled" lineno="2689">
802 <summary>
803 Do not audit attempts to list unlabeled directories.
804 </summary>
805 @@ -86488,7 +86498,7 @@ Domain allowed access.
806 </summary>
807 </param>
808 </interface>
809 -<interface name="kernel_rw_unlabeled_dirs" lineno="2689">
810 +<interface name="kernel_rw_unlabeled_dirs" lineno="2707">
811 <summary>
812 Read and write unlabeled directories.
813 </summary>
814 @@ -86498,7 +86508,7 @@ Domain allowed access.
815 </summary>
816 </param>
817 </interface>
818 -<interface name="kernel_delete_unlabeled_dirs" lineno="2707">
819 +<interface name="kernel_delete_unlabeled_dirs" lineno="2725">
820 <summary>
821 Delete unlabeled directories.
822 </summary>
823 @@ -86508,7 +86518,7 @@ Domain allowed access.
824 </summary>
825 </param>
826 </interface>
827 -<interface name="kernel_manage_unlabeled_dirs" lineno="2725">
828 +<interface name="kernel_manage_unlabeled_dirs" lineno="2743">
829 <summary>
830 Create, read, write, and delete unlabeled directories.
831 </summary>
832 @@ -86518,7 +86528,7 @@ Domain allowed access.
833 </summary>
834 </param>
835 </interface>
836 -<interface name="kernel_mounton_unlabeled_dirs" lineno="2743">
837 +<interface name="kernel_mounton_unlabeled_dirs" lineno="2761">
838 <summary>
839 Mount a filesystem on an unlabeled directory.
840 </summary>
841 @@ -86528,7 +86538,7 @@ Domain allowed access.
842 </summary>
843 </param>
844 </interface>
845 -<interface name="kernel_read_unlabeled_files" lineno="2761">
846 +<interface name="kernel_read_unlabeled_files" lineno="2779">
847 <summary>
848 Read unlabeled files.
849 </summary>
850 @@ -86538,7 +86548,7 @@ Domain allowed access.
851 </summary>
852 </param>
853 </interface>
854 -<interface name="kernel_rw_unlabeled_files" lineno="2779">
855 +<interface name="kernel_rw_unlabeled_files" lineno="2797">
856 <summary>
857 Read and write unlabeled files.
858 </summary>
859 @@ -86548,7 +86558,7 @@ Domain allowed access.
860 </summary>
861 </param>
862 </interface>
863 -<interface name="kernel_delete_unlabeled_files" lineno="2797">
864 +<interface name="kernel_delete_unlabeled_files" lineno="2815">
865 <summary>
866 Delete unlabeled files.
867 </summary>
868 @@ -86558,7 +86568,7 @@ Domain allowed access.
869 </summary>
870 </param>
871 </interface>
872 -<interface name="kernel_manage_unlabeled_files" lineno="2815">
873 +<interface name="kernel_manage_unlabeled_files" lineno="2833">
874 <summary>
875 Create, read, write, and delete unlabeled files.
876 </summary>
877 @@ -86568,7 +86578,7 @@ Domain allowed access.
878 </summary>
879 </param>
880 </interface>
881 -<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2834">
882 +<interface name="kernel_dontaudit_getattr_unlabeled_files" lineno="2852">
883 <summary>
884 Do not audit attempts by caller to get the
885 attributes of an unlabeled file.
886 @@ -86579,7 +86589,7 @@ Domain to not audit.
887 </summary>
888 </param>
889 </interface>
890 -<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2853">
891 +<interface name="kernel_dontaudit_read_unlabeled_files" lineno="2871">
892 <summary>
893 Do not audit attempts by caller to
894 read an unlabeled file.
895 @@ -86590,7 +86600,7 @@ Domain to not audit.
896 </summary>
897 </param>
898 </interface>
899 -<interface name="kernel_delete_unlabeled_symlinks" lineno="2871">
900 +<interface name="kernel_delete_unlabeled_symlinks" lineno="2889">
901 <summary>
902 Delete unlabeled symbolic links.
903 </summary>
904 @@ -86600,7 +86610,7 @@ Domain allowed access.
905 </summary>
906 </param>
907 </interface>
908 -<interface name="kernel_manage_unlabeled_symlinks" lineno="2889">
909 +<interface name="kernel_manage_unlabeled_symlinks" lineno="2907">
910 <summary>
911 Create, read, write, and delete unlabeled symbolic links.
912 </summary>
913 @@ -86610,7 +86620,7 @@ Domain allowed access.
914 </summary>
915 </param>
916 </interface>
917 -<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2908">
918 +<interface name="kernel_dontaudit_getattr_unlabeled_symlinks" lineno="2926">
919 <summary>
920 Do not audit attempts by caller to get the
921 attributes of unlabeled symbolic links.
922 @@ -86621,7 +86631,7 @@ Domain to not audit.
923 </summary>
924 </param>
925 </interface>
926 -<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2927">
927 +<interface name="kernel_dontaudit_getattr_unlabeled_pipes" lineno="2945">
928 <summary>
929 Do not audit attempts by caller to get the
930 attributes of unlabeled named pipes.
931 @@ -86632,7 +86642,7 @@ Domain to not audit.
932 </summary>
933 </param>
934 </interface>
935 -<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2946">
936 +<interface name="kernel_dontaudit_getattr_unlabeled_sockets" lineno="2964">
937 <summary>
938 Do not audit attempts by caller to get the
939 attributes of unlabeled named sockets.
940 @@ -86643,7 +86653,7 @@ Domain to not audit.
941 </summary>
942 </param>
943 </interface>
944 -<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2965">
945 +<interface name="kernel_dontaudit_getattr_unlabeled_blk_files" lineno="2983">
946 <summary>
947 Do not audit attempts by caller to get attributes for
948 unlabeled block devices.
949 @@ -86654,7 +86664,7 @@ Domain to not audit.
950 </summary>
951 </param>
952 </interface>
953 -<interface name="kernel_rw_unlabeled_blk_files" lineno="2983">
954 +<interface name="kernel_rw_unlabeled_blk_files" lineno="3001">
955 <summary>
956 Read and write unlabeled block device nodes.
957 </summary>
958 @@ -86664,7 +86674,7 @@ Domain allowed access.
959 </summary>
960 </param>
961 </interface>
962 -<interface name="kernel_delete_unlabeled_blk_files" lineno="3001">
963 +<interface name="kernel_delete_unlabeled_blk_files" lineno="3019">
964 <summary>
965 Delete unlabeled block device nodes.
966 </summary>
967 @@ -86674,7 +86684,7 @@ Domain allowed access.
968 </summary>
969 </param>
970 </interface>
971 -<interface name="kernel_manage_unlabeled_blk_files" lineno="3019">
972 +<interface name="kernel_manage_unlabeled_blk_files" lineno="3037">
973 <summary>
974 Create, read, write, and delete unlabeled block device nodes.
975 </summary>
976 @@ -86684,7 +86694,7 @@ Domain allowed access.
977 </summary>
978 </param>
979 </interface>
980 -<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3038">
981 +<interface name="kernel_dontaudit_getattr_unlabeled_chr_files" lineno="3056">
982 <summary>
983 Do not audit attempts by caller to get attributes for
984 unlabeled character devices.
985 @@ -86695,7 +86705,7 @@ Domain to not audit.
986 </summary>
987 </param>
988 </interface>
989 -<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3057">
990 +<interface name="kernel_dontaudit_write_unlabeled_chr_files" lineno="3075">
991 <summary>
992 Do not audit attempts to
993 write unlabeled character devices.
994 @@ -86706,7 +86716,7 @@ Domain to not audit.
995 </summary>
996 </param>
997 </interface>
998 -<interface name="kernel_delete_unlabeled_chr_files" lineno="3075">
999 +<interface name="kernel_delete_unlabeled_chr_files" lineno="3093">
1000 <summary>
1001 Delete unlabeled character device nodes.
1002 </summary>
1003 @@ -86716,7 +86726,7 @@ Domain allowed access.
1004 </summary>
1005 </param>
1006 </interface>
1007 -<interface name="kernel_manage_unlabeled_chr_files" lineno="3094">
1008 +<interface name="kernel_manage_unlabeled_chr_files" lineno="3112">
1009 <summary>
1010 Create, read, write, and delete unlabeled character device nodes.
1011 </summary>
1012 @@ -86726,7 +86736,7 @@ Domain allowed access.
1013 </summary>
1014 </param>
1015 </interface>
1016 -<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3112">
1017 +<interface name="kernel_relabelfrom_unlabeled_dirs" lineno="3130">
1018 <summary>
1019 Allow caller to relabel unlabeled directories.
1020 </summary>
1021 @@ -86736,7 +86746,7 @@ Domain allowed access.
1022 </summary>
1023 </param>
1024 </interface>
1025 -<interface name="kernel_relabelfrom_unlabeled_files" lineno="3130">
1026 +<interface name="kernel_relabelfrom_unlabeled_files" lineno="3148">
1027 <summary>
1028 Allow caller to relabel unlabeled files.
1029 </summary>
1030 @@ -86746,7 +86756,7 @@ Domain allowed access.
1031 </summary>
1032 </param>
1033 </interface>
1034 -<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3149">
1035 +<interface name="kernel_relabelfrom_unlabeled_symlinks" lineno="3167">
1036 <summary>
1037 Allow caller to relabel unlabeled symbolic links.
1038 </summary>
1039 @@ -86756,7 +86766,7 @@ Domain allowed access.
1040 </summary>
1041 </param>
1042 </interface>
1043 -<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3168">
1044 +<interface name="kernel_relabelfrom_unlabeled_pipes" lineno="3186">
1045 <summary>
1046 Allow caller to relabel unlabeled named pipes.
1047 </summary>
1048 @@ -86766,7 +86776,7 @@ Domain allowed access.
1049 </summary>
1050 </param>
1051 </interface>
1052 -<interface name="kernel_delete_unlabeled_pipes" lineno="3187">
1053 +<interface name="kernel_delete_unlabeled_pipes" lineno="3205">
1054 <summary>
1055 Delete unlabeled named pipes
1056 </summary>
1057 @@ -86776,7 +86786,7 @@ Domain allowed access.
1058 </summary>
1059 </param>
1060 </interface>
1061 -<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3205">
1062 +<interface name="kernel_relabelfrom_unlabeled_sockets" lineno="3223">
1063 <summary>
1064 Allow caller to relabel unlabeled named sockets.
1065 </summary>
1066 @@ -86786,7 +86796,7 @@ Domain allowed access.
1067 </summary>
1068 </param>
1069 </interface>
1070 -<interface name="kernel_delete_unlabeled_sockets" lineno="3224">
1071 +<interface name="kernel_delete_unlabeled_sockets" lineno="3242">
1072 <summary>
1073 Delete unlabeled named sockets.
1074 </summary>
1075 @@ -86796,7 +86806,7 @@ Domain allowed access.
1076 </summary>
1077 </param>
1078 </interface>
1079 -<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3242">
1080 +<interface name="kernel_relabelfrom_unlabeled_blk_devs" lineno="3260">
1081 <summary>
1082 Allow caller to relabel from unlabeled block devices.
1083 </summary>
1084 @@ -86806,7 +86816,7 @@ Domain allowed access.
1085 </summary>
1086 </param>
1087 </interface>
1088 -<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3260">
1089 +<interface name="kernel_relabelfrom_unlabeled_chr_devs" lineno="3278">
1090 <summary>
1091 Allow caller to relabel from unlabeled character devices.
1092 </summary>
1093 @@ -86816,7 +86826,7 @@ Domain allowed access.
1094 </summary>
1095 </param>
1096 </interface>
1097 -<interface name="kernel_sendrecv_unlabeled_association" lineno="3293">
1098 +<interface name="kernel_sendrecv_unlabeled_association" lineno="3311">
1099 <summary>
1100 Send and receive messages from an
1101 unlabeled IPSEC association.
1102 @@ -86841,7 +86851,7 @@ Domain allowed access.
1103 </summary>
1104 </param>
1105 </interface>
1106 -<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3326">
1107 +<interface name="kernel_dontaudit_sendrecv_unlabeled_association" lineno="3344">
1108 <summary>
1109 Do not audit attempts to send and receive messages
1110 from an unlabeled IPSEC association.
1111 @@ -86866,7 +86876,7 @@ Domain to not audit.
1112 </summary>
1113 </param>
1114 </interface>
1115 -<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3353">
1116 +<interface name="kernel_tcp_recvfrom_unlabeled" lineno="3371">
1117 <summary>
1118 Receive TCP packets from an unlabeled connection.
1119 </summary>
1120 @@ -86885,7 +86895,7 @@ Domain allowed access.
1121 </summary>
1122 </param>
1123 </interface>
1124 -<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3382">
1125 +<interface name="kernel_dontaudit_tcp_recvfrom_unlabeled" lineno="3400">
1126 <summary>
1127 Do not audit attempts to receive TCP packets from an unlabeled
1128 connection.
1129 @@ -86906,7 +86916,7 @@ Domain to not audit.
1130 </summary>
1131 </param>
1132 </interface>
1133 -<interface name="kernel_udp_recvfrom_unlabeled" lineno="3409">
1134 +<interface name="kernel_udp_recvfrom_unlabeled" lineno="3427">
1135 <summary>
1136 Receive UDP packets from an unlabeled connection.
1137 </summary>
1138 @@ -86925,7 +86935,7 @@ Domain allowed access.
1139 </summary>
1140 </param>
1141 </interface>
1142 -<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3438">
1143 +<interface name="kernel_dontaudit_udp_recvfrom_unlabeled" lineno="3456">
1144 <summary>
1145 Do not audit attempts to receive UDP packets from an unlabeled
1146 connection.
1147 @@ -86946,7 +86956,7 @@ Domain to not audit.
1148 </summary>
1149 </param>
1150 </interface>
1151 -<interface name="kernel_raw_recvfrom_unlabeled" lineno="3465">
1152 +<interface name="kernel_raw_recvfrom_unlabeled" lineno="3483">
1153 <summary>
1154 Receive Raw IP packets from an unlabeled connection.
1155 </summary>
1156 @@ -86965,7 +86975,7 @@ Domain allowed access.
1157 </summary>
1158 </param>
1159 </interface>
1160 -<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3494">
1161 +<interface name="kernel_dontaudit_raw_recvfrom_unlabeled" lineno="3512">
1162 <summary>
1163 Do not audit attempts to receive Raw IP packets from an unlabeled
1164 connection.
1165 @@ -86986,7 +86996,7 @@ Domain to not audit.
1166 </summary>
1167 </param>
1168 </interface>
1169 -<interface name="kernel_sendrecv_unlabeled_packets" lineno="3524">
1170 +<interface name="kernel_sendrecv_unlabeled_packets" lineno="3542">
1171 <summary>
1172 Send and receive unlabeled packets.
1173 </summary>
1174 @@ -87008,7 +87018,7 @@ Domain allowed access.
1175 </summary>
1176 </param>
1177 </interface>
1178 -<interface name="kernel_recvfrom_unlabeled_peer" lineno="3552">
1179 +<interface name="kernel_recvfrom_unlabeled_peer" lineno="3570">
1180 <summary>
1181 Receive packets from an unlabeled peer.
1182 </summary>
1183 @@ -87028,7 +87038,7 @@ Domain allowed access.
1184 </summary>
1185 </param>
1186 </interface>
1187 -<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3580">
1188 +<interface name="kernel_dontaudit_recvfrom_unlabeled_peer" lineno="3598">
1189 <summary>
1190 Do not audit attempts to receive packets from an unlabeled peer.
1191 </summary>
1192 @@ -87048,7 +87058,7 @@ Domain to not audit.
1193 </summary>
1194 </param>
1195 </interface>
1196 -<interface name="kernel_relabelfrom_unlabeled_database" lineno="3598">
1197 +<interface name="kernel_relabelfrom_unlabeled_database" lineno="3616">
1198 <summary>
1199 Relabel from unlabeled database objects.
1200 </summary>
1201 @@ -87058,7 +87068,7 @@ Domain allowed access.
1202 </summary>
1203 </param>
1204 </interface>
1205 -<interface name="kernel_unconfined" lineno="3635">
1206 +<interface name="kernel_unconfined" lineno="3653">
1207 <summary>
1208 Unconfined access to kernel module resources.
1209 </summary>
1210 @@ -87068,7 +87078,7 @@ Domain allowed access.
1211 </summary>
1212 </param>
1213 </interface>
1214 -<interface name="kernel_read_vm_overcommit_sysctl" lineno="3655">
1215 +<interface name="kernel_read_vm_overcommit_sysctl" lineno="3673">
1216 <summary>
1217 Read virtual memory overcommit sysctl.
1218 </summary>
1219 @@ -87079,7 +87089,7 @@ Domain allowed access.
1220 </param>
1221 <rolecap/>
1222 </interface>
1223 -<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3675">
1224 +<interface name="kernel_rw_vm_overcommit_sysctl" lineno="3693">
1225 <summary>
1226 Read and write virtual memory overcommit sysctl.
1227 </summary>
1228 @@ -87090,7 +87100,7 @@ Domain allowed access.
1229 </param>
1230 <rolecap/>
1231 </interface>
1232 -<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3694">
1233 +<interface name="kernel_ib_access_unlabeled_pkeys" lineno="3712">
1234 <summary>
1235 Access unlabeled infiniband pkeys.
1236 </summary>
1237 @@ -87100,7 +87110,7 @@ Domain allowed access.
1238 </summary>
1239 </param>
1240 </interface>
1241 -<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3712">
1242 +<interface name="kernel_ib_manage_subnet_unlabeled_endports" lineno="3730">
1243 <summary>
1244 Manage subnet on unlabeled Infiniband endports.
1245 </summary>
1246 @@ -91982,6 +91992,36 @@ Domain allowed access.
1247 </summary>
1248 </param>
1249 </interface>
1250 +<interface name="aptcacher_filetrans_log_dir" lineno="77">
1251 +<summary>
1252 +create /var/log/apt-cacher-ng
1253 +</summary>
1254 +<param name="domain">
1255 +<summary>
1256 +Domain allowed access.
1257 +</summary>
1258 +</param>
1259 +</interface>
1260 +<interface name="aptcacher_filetrans_cache_dir" lineno="95">
1261 +<summary>
1262 +create /var/cache/apt-cacher-ng
1263 +</summary>
1264 +<param name="domain">
1265 +<summary>
1266 +Domain allowed access.
1267 +</summary>
1268 +</param>
1269 +</interface>
1270 +<interface name="aptcacher_etc_filetrans_conf_dir" lineno="113">
1271 +<summary>
1272 +create /etc/apt-cacher-ng
1273 +</summary>
1274 +<param name="domain">
1275 +<summary>
1276 +Domain allowed access.
1277 +</summary>
1278 +</param>
1279 +</interface>
1280 </module>
1281 <module name="arpwatch" filename="policy/modules/services/arpwatch.if">
1282 <summary>Ethernet activity monitor.</summary>
1283 @@ -93058,6 +93098,14 @@ Role allowed access.
1284 </summary>
1285 </param>
1286 </interface>
1287 +<tunable name="certbot_acmesh" dftval="false">
1288 +<desc>
1289 +<p>
1290 +Determine whether additional rules
1291 +should be enabled to support acme.sh
1292 +</p>
1293 +</desc>
1294 +</tunable>
1295 </module>
1296 <module name="certmaster" filename="policy/modules/services/certmaster.if">
1297 <summary>Remote certificate distribution framework.</summary>
1298 @@ -93787,6 +93835,26 @@ Role allowed access.
1299 </param>
1300 <rolecap/>
1301 </interface>
1302 +<interface name="clamav_filetrans_log" lineno="444">
1303 +<summary>
1304 +specified domain creates /var/log/clamav/freshclam.log with correct type
1305 +</summary>
1306 +<param name="domain">
1307 +<summary>
1308 +Domain allowed access.
1309 +</summary>
1310 +</param>
1311 +</interface>
1312 +<interface name="clamav_filetrans_runtime_dir" lineno="462">
1313 +<summary>
1314 +specified domain creates /run/clamav with correct type
1315 +</summary>
1316 +<param name="domain">
1317 +<summary>
1318 +Domain allowed access.
1319 +</summary>
1320 +</param>
1321 +</interface>
1322 <tunable name="clamav_read_user_content_files_clamscan" dftval="false">
1323 <desc>
1324 <p>
1325 @@ -96650,7 +96718,18 @@ Domain allowed to transition.
1326 </summary>
1327 </param>
1328 </interface>
1329 -<interface name="dovecot_manage_spool" lineno="75">
1330 +<interface name="dovecot_read_config" lineno="75">
1331 +<summary>
1332 +Read dovecot configuration content.
1333 +</summary>
1334 +<param name="domain">
1335 +<summary>
1336 +Domain allowed access.
1337 +</summary>
1338 +</param>
1339 +<rolecap/>
1340 +</interface>
1341 +<interface name="dovecot_manage_spool" lineno="97">
1342 <summary>
1343 Create, read, write, and delete
1344 dovecot spool files.
1345 @@ -96661,7 +96740,7 @@ Domain allowed access.
1346 </summary>
1347 </param>
1348 </interface>
1349 -<interface name="dovecot_dontaudit_unlink_lib_files" lineno="97">
1350 +<interface name="dovecot_dontaudit_unlink_lib_files" lineno="119">
1351 <summary>
1352 Do not audit attempts to delete
1353 dovecot lib files.
1354 @@ -96672,7 +96751,7 @@ Domain to not audit.
1355 </summary>
1356 </param>
1357 </interface>
1358 -<interface name="dovecot_write_inherited_tmp_files" lineno="115">
1359 +<interface name="dovecot_write_inherited_tmp_files" lineno="137">
1360 <summary>
1361 Write inherited dovecot tmp files.
1362 </summary>
1363 @@ -96682,7 +96761,7 @@ Domain to not audit.
1364 </summary>
1365 </param>
1366 </interface>
1367 -<interface name="dovecot_admin" lineno="140">
1368 +<interface name="dovecot_admin" lineno="162">
1369 <summary>
1370 All of the rules required to
1371 administrate an dovecot environment.
1372 @@ -97418,6 +97497,16 @@ Role allowed access.
1373 </param>
1374 <rolecap/>
1375 </interface>
1376 +<interface name="ftp_filetrans_pure_ftpd_runtime" lineno="203">
1377 +<summary>
1378 +create /run/pure-ftpd
1379 +</summary>
1380 +<param name="domain">
1381 +<summary>
1382 +Domain allowed access.
1383 +</summary>
1384 +</param>
1385 +</interface>
1386 <tunable name="allow_ftpd_anon_write" dftval="false">
1387 <desc>
1388 <p>
1389 @@ -100192,7 +100281,17 @@ Domain allowed access.
1390 </summary>
1391 </param>
1392 </interface>
1393 -<interface name="milter_getattr_data_dir" lineno="111">
1394 +<interface name="milter_var_lib_filetrans_spamass_state" lineno="111">
1395 +<summary>
1396 +create spamass milter state dir
1397 +</summary>
1398 +<param name="domain">
1399 +<summary>
1400 +Domain allowed access.
1401 +</summary>
1402 +</param>
1403 +</interface>
1404 +<interface name="milter_getattr_data_dir" lineno="129">
1405 <summary>
1406 Get the attributes of the spamassissin milter data dir.
1407 </summary>
1408 @@ -101188,7 +101287,17 @@ Domain allowed access.
1409 </summary>
1410 </param>
1411 </interface>
1412 -<interface name="mta_queue_filetrans" lineno="1021">
1413 +<interface name="mta_watch_spool" lineno="1004">
1414 +<summary>
1415 +Watch mail spool content.
1416 +</summary>
1417 +<param name="domain">
1418 +<summary>
1419 +Domain allowed access.
1420 +</summary>
1421 +</param>
1422 +</interface>
1423 +<interface name="mta_queue_filetrans" lineno="1039">
1424 <summary>
1425 Create specified objects in the
1426 mail queue spool directory with a
1427 @@ -101215,7 +101324,7 @@ The name of the object being created.
1428 </summary>
1429 </param>
1430 </interface>
1431 -<interface name="mta_search_queue" lineno="1040">
1432 +<interface name="mta_search_queue" lineno="1058">
1433 <summary>
1434 Search mail queue directories.
1435 </summary>
1436 @@ -101225,7 +101334,7 @@ Domain allowed access.
1437 </summary>
1438 </param>
1439 </interface>
1440 -<interface name="mta_list_queue" lineno="1059">
1441 +<interface name="mta_list_queue" lineno="1077">
1442 <summary>
1443 List mail queue directories.
1444 </summary>
1445 @@ -101235,7 +101344,7 @@ Domain allowed access.
1446 </summary>
1447 </param>
1448 </interface>
1449 -<interface name="mta_read_queue" lineno="1078">
1450 +<interface name="mta_read_queue" lineno="1096">
1451 <summary>
1452 Read mail queue files.
1453 </summary>
1454 @@ -101245,7 +101354,7 @@ Domain allowed access.
1455 </summary>
1456 </param>
1457 </interface>
1458 -<interface name="mta_dontaudit_rw_queue" lineno="1098">
1459 +<interface name="mta_dontaudit_rw_queue" lineno="1116">
1460 <summary>
1461 Do not audit attempts to read and
1462 write mail queue content.
1463 @@ -101256,7 +101365,7 @@ Domain to not audit.
1464 </summary>
1465 </param>
1466 </interface>
1467 -<interface name="mta_manage_queue" lineno="1118">
1468 +<interface name="mta_manage_queue" lineno="1136">
1469 <summary>
1470 Create, read, write, and delete
1471 mail queue content.
1472 @@ -101267,7 +101376,7 @@ Domain allowed access.
1473 </summary>
1474 </param>
1475 </interface>
1476 -<interface name="mta_read_sendmail_bin" lineno="1138">
1477 +<interface name="mta_read_sendmail_bin" lineno="1156">
1478 <summary>
1479 Read sendmail binary.
1480 </summary>
1481 @@ -101277,7 +101386,7 @@ Domain allowed access.
1482 </summary>
1483 </param>
1484 </interface>
1485 -<interface name="mta_rw_user_mail_stream_sockets" lineno="1157">
1486 +<interface name="mta_rw_user_mail_stream_sockets" lineno="1175">
1487 <summary>
1488 Read and write unix domain stream
1489 sockets of all base mail domains.
1490 @@ -101515,7 +101624,17 @@ Domain allowed access.
1491 </summary>
1492 </param>
1493 </interface>
1494 -<interface name="mysql_manage_mysqld_home_files" lineno="255">
1495 +<interface name="mysql_var_lib_filetrans_db_dir" lineno="254">
1496 +<summary>
1497 +create mysqld db dir.
1498 +</summary>
1499 +<param name="domain">
1500 +<summary>
1501 +Domain allowed access.
1502 +</summary>
1503 +</param>
1504 +</interface>
1505 +<interface name="mysql_manage_mysqld_home_files" lineno="273">
1506 <summary>
1507 Create, read, write, and delete
1508 mysqld home files.
1509 @@ -101526,7 +101645,7 @@ Domain allowed access.
1510 </summary>
1511 </param>
1512 </interface>
1513 -<interface name="mysql_relabel_mysqld_home_files" lineno="274">
1514 +<interface name="mysql_relabel_mysqld_home_files" lineno="292">
1515 <summary>
1516 Relabel mysqld home files.
1517 </summary>
1518 @@ -101536,7 +101655,7 @@ Domain allowed access.
1519 </summary>
1520 </param>
1521 </interface>
1522 -<interface name="mysql_home_filetrans_mysqld_home" lineno="304">
1523 +<interface name="mysql_home_filetrans_mysqld_home" lineno="322">
1524 <summary>
1525 Create objects in user home
1526 directories with the mysqld home type.
1527 @@ -101557,7 +101676,7 @@ The name of the object being created.
1528 </summary>
1529 </param>
1530 </interface>
1531 -<interface name="mysql_write_log" lineno="322">
1532 +<interface name="mysql_write_log" lineno="340">
1533 <summary>
1534 Write mysqld log files.
1535 </summary>
1536 @@ -101567,7 +101686,17 @@ Domain allowed access.
1537 </summary>
1538 </param>
1539 </interface>
1540 -<interface name="mysql_domtrans_mysql_safe" lineno="342">
1541 +<interface name="mysql_log_filetrans_log_dir" lineno="360">
1542 +<summary>
1543 +create mysqld log dir.
1544 +</summary>
1545 +<param name="domain">
1546 +<summary>
1547 +Domain allowed access.
1548 +</summary>
1549 +</param>
1550 +</interface>
1551 +<interface name="mysql_domtrans_mysql_safe" lineno="380">
1552 <summary>
1553 Execute mysqld safe in the
1554 mysqld safe domain.
1555 @@ -101578,7 +101707,7 @@ Domain allowed to transition.
1556 </summary>
1557 </param>
1558 </interface>
1559 -<interface name="mysql_read_pid_files" lineno="361">
1560 +<interface name="mysql_read_pid_files" lineno="399">
1561 <summary>
1562 Read mysqld pid files. (Deprecated)
1563 </summary>
1564 @@ -101588,7 +101717,7 @@ Domain allowed access.
1565 </summary>
1566 </param>
1567 </interface>
1568 -<interface name="mysql_search_pid_files" lineno="376">
1569 +<interface name="mysql_search_pid_files" lineno="414">
1570 <summary>
1571 Search mysqld pid files. (Deprecated)
1572 </summary>
1573 @@ -101599,7 +101728,7 @@ Domain allowed access.
1574 </param>
1575
1576 </interface>
1577 -<interface name="mysql_admin" lineno="397">
1578 +<interface name="mysql_admin" lineno="435">
1579 <summary>
1580 All of the rules required to
1581 administrate an mysqld environment.
1582 @@ -101616,7 +101745,7 @@ Role allowed access.
1583 </param>
1584 <rolecap/>
1585 </interface>
1586 -<interface name="mysql_setattr_run_dirs" lineno="439">
1587 +<interface name="mysql_setattr_run_dirs" lineno="477">
1588 <summary>
1589 Set the attributes of the MySQL run directories
1590 </summary>
1591 @@ -101626,7 +101755,7 @@ Domain allowed access
1592 </summary>
1593 </param>
1594 </interface>
1595 -<interface name="mysql_create_run_dirs" lineno="457">
1596 +<interface name="mysql_create_run_dirs" lineno="495">
1597 <summary>
1598 Create MySQL run directories
1599 </summary>
1600 @@ -101636,7 +101765,7 @@ Domain allowed access
1601 </summary>
1602 </param>
1603 </interface>
1604 -<interface name="mysql_generic_run_filetrans_run" lineno="488">
1605 +<interface name="mysql_generic_run_filetrans_run" lineno="526">
1606 <summary>
1607 Automatically use the MySQL run label for created resources in generic
1608 run locations. This method is deprecated in favor of the
1609 @@ -113234,7 +113363,7 @@ Domain allowed access.
1610 </summary>
1611 </param>
1612 </interface>
1613 -<interface name="auth_use_pam_motd_dynamic" lineno="116">
1614 +<interface name="auth_use_pam_motd_dynamic" lineno="117">
1615 <summary>
1616 Use the pam module motd with dynamic support during authentication.
1617 This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071)
1618 @@ -113246,7 +113375,7 @@ Domain allowed access.
1619 </summary>
1620 </param>
1621 </interface>
1622 -<interface name="auth_login_pgm_domain" lineno="140">
1623 +<interface name="auth_login_pgm_domain" lineno="141">
1624 <summary>
1625 Make the specified domain used for a login program.
1626 </summary>
1627 @@ -113256,7 +113385,7 @@ Domain type used for a login program domain.
1628 </summary>
1629 </param>
1630 </interface>
1631 -<interface name="auth_login_entry_type" lineno="227">
1632 +<interface name="auth_login_entry_type" lineno="228">
1633 <summary>
1634 Use the login program as an entry point program.
1635 </summary>
1636 @@ -113266,7 +113395,7 @@ Domain allowed access.
1637 </summary>
1638 </param>
1639 </interface>
1640 -<interface name="auth_domtrans_login_program" lineno="250">
1641 +<interface name="auth_domtrans_login_program" lineno="251">
1642 <summary>
1643 Execute a login_program in the target domain.
1644 </summary>
1645 @@ -113281,7 +113410,7 @@ The type of the login_program process.
1646 </summary>
1647 </param>
1648 </interface>
1649 -<interface name="auth_ranged_domtrans_login_program" lineno="280">
1650 +<interface name="auth_ranged_domtrans_login_program" lineno="281">
1651 <summary>
1652 Execute a login_program in the target domain,
1653 with a range transition.
1654 @@ -113302,7 +113431,7 @@ Range of the login program.
1655 </summary>
1656 </param>
1657 </interface>
1658 -<interface name="auth_search_cache" lineno="306">
1659 +<interface name="auth_search_cache" lineno="307">
1660 <summary>
1661 Search authentication cache
1662 </summary>
1663 @@ -113312,7 +113441,7 @@ Domain allowed access.
1664 </summary>
1665 </param>
1666 </interface>
1667 -<interface name="auth_read_cache" lineno="324">
1668 +<interface name="auth_read_cache" lineno="325">
1669 <summary>
1670 Read authentication cache
1671 </summary>
1672 @@ -113322,7 +113451,7 @@ Domain allowed access.
1673 </summary>
1674 </param>
1675 </interface>
1676 -<interface name="auth_rw_cache" lineno="342">
1677 +<interface name="auth_rw_cache" lineno="343">
1678 <summary>
1679 Read/Write authentication cache
1680 </summary>
1681 @@ -113332,7 +113461,7 @@ Domain allowed access.
1682 </summary>
1683 </param>
1684 </interface>
1685 -<interface name="auth_manage_cache" lineno="360">
1686 +<interface name="auth_manage_cache" lineno="361">
1687 <summary>
1688 Manage authentication cache
1689 </summary>
1690 @@ -113342,7 +113471,7 @@ Domain allowed access.
1691 </summary>
1692 </param>
1693 </interface>
1694 -<interface name="auth_var_filetrans_cache" lineno="379">
1695 +<interface name="auth_var_filetrans_cache" lineno="380">
1696 <summary>
1697 Automatic transition from cache_t to cache.
1698 </summary>
1699 @@ -113352,7 +113481,7 @@ Domain allowed access.
1700 </summary>
1701 </param>
1702 </interface>
1703 -<interface name="auth_domtrans_chk_passwd" lineno="397">
1704 +<interface name="auth_domtrans_chk_passwd" lineno="398">
1705 <summary>
1706 Run unix_chkpwd to check a password.
1707 </summary>
1708 @@ -113362,7 +113491,7 @@ Domain allowed to transition.
1709 </summary>
1710 </param>
1711 </interface>
1712 -<interface name="auth_domtrans_chkpwd" lineno="445">
1713 +<interface name="auth_domtrans_chkpwd" lineno="446">
1714 <summary>
1715 Run unix_chkpwd to check a password.
1716 Stripped down version to be called within boolean
1717 @@ -113373,7 +113502,7 @@ Domain allowed to transition.
1718 </summary>
1719 </param>
1720 </interface>
1721 -<interface name="auth_run_chk_passwd" lineno="471">
1722 +<interface name="auth_run_chk_passwd" lineno="472">
1723 <summary>
1724 Execute chkpwd programs in the chkpwd domain.
1725 </summary>
1726 @@ -113388,7 +113517,7 @@ The role to allow the chkpwd domain.
1727 </summary>
1728 </param>
1729 </interface>
1730 -<interface name="auth_domtrans_upd_passwd" lineno="490">
1731 +<interface name="auth_domtrans_upd_passwd" lineno="491">
1732 <summary>
1733 Execute a domain transition to run unix_update.
1734 </summary>
1735 @@ -113398,7 +113527,7 @@ Domain allowed to transition.
1736 </summary>
1737 </param>
1738 </interface>
1739 -<interface name="auth_run_upd_passwd" lineno="515">
1740 +<interface name="auth_run_upd_passwd" lineno="516">
1741 <summary>
1742 Execute updpwd programs in the updpwd domain.
1743 </summary>
1744 @@ -113413,7 +113542,7 @@ The role to allow the updpwd domain.
1745 </summary>
1746 </param>
1747 </interface>
1748 -<interface name="auth_getattr_shadow" lineno="534">
1749 +<interface name="auth_getattr_shadow" lineno="535">
1750 <summary>
1751 Get the attributes of the shadow passwords file.
1752 </summary>
1753 @@ -113423,7 +113552,7 @@ Domain allowed access.
1754 </summary>
1755 </param>
1756 </interface>
1757 -<interface name="auth_dontaudit_getattr_shadow" lineno="554">
1758 +<interface name="auth_dontaudit_getattr_shadow" lineno="555">
1759 <summary>
1760 Do not audit attempts to get the attributes
1761 of the shadow passwords file.
1762 @@ -113434,7 +113563,7 @@ Domain to not audit.
1763 </summary>
1764 </param>
1765 </interface>
1766 -<interface name="auth_read_shadow" lineno="576">
1767 +<interface name="auth_read_shadow" lineno="577">
1768 <summary>
1769 Read the shadow passwords file (/etc/shadow)
1770 </summary>
1771 @@ -113444,7 +113573,7 @@ Domain allowed access.
1772 </summary>
1773 </param>
1774 </interface>
1775 -<interface name="auth_map_shadow" lineno="591">
1776 +<interface name="auth_map_shadow" lineno="592">
1777 <summary>
1778 Map the shadow passwords file (/etc/shadow)
1779 </summary>
1780 @@ -113454,7 +113583,7 @@ Domain allowed access.
1781 </summary>
1782 </param>
1783 </interface>
1784 -<interface name="auth_can_read_shadow_passwords" lineno="617">
1785 +<interface name="auth_can_read_shadow_passwords" lineno="618">
1786 <summary>
1787 Pass shadow assertion for reading.
1788 </summary>
1789 @@ -113473,7 +113602,7 @@ Domain allowed access.
1790 </summary>
1791 </param>
1792 </interface>
1793 -<interface name="auth_tunable_read_shadow" lineno="643">
1794 +<interface name="auth_tunable_read_shadow" lineno="644">
1795 <summary>
1796 Read the shadow password file.
1797 </summary>
1798 @@ -113491,7 +113620,7 @@ Domain allowed access.
1799 </summary>
1800 </param>
1801 </interface>
1802 -<interface name="auth_dontaudit_read_shadow" lineno="663">
1803 +<interface name="auth_dontaudit_read_shadow" lineno="664">
1804 <summary>
1805 Do not audit attempts to read the shadow
1806 password file (/etc/shadow).
1807 @@ -113502,7 +113631,7 @@ Domain to not audit.
1808 </summary>
1809 </param>
1810 </interface>
1811 -<interface name="auth_rw_shadow" lineno="681">
1812 +<interface name="auth_rw_shadow" lineno="682">
1813 <summary>
1814 Read and write the shadow password file (/etc/shadow).
1815 </summary>
1816 @@ -113512,7 +113641,7 @@ Domain allowed access.
1817 </summary>
1818 </param>
1819 </interface>
1820 -<interface name="auth_manage_shadow" lineno="703">
1821 +<interface name="auth_manage_shadow" lineno="704">
1822 <summary>
1823 Create, read, write, and delete the shadow
1824 password file.
1825 @@ -113523,7 +113652,7 @@ Domain allowed access.
1826 </summary>
1827 </param>
1828 </interface>
1829 -<interface name="auth_etc_filetrans_shadow" lineno="723">
1830 +<interface name="auth_etc_filetrans_shadow" lineno="729">
1831 <summary>
1832 Automatic transition from etc to shadow.
1833 </summary>
1834 @@ -113532,8 +113661,13 @@ Automatic transition from etc to shadow.
1835 Domain allowed access.
1836 </summary>
1837 </param>
1838 +<param name="name" optional="true">
1839 +<summary>
1840 +The name of the object being created.
1841 +</summary>
1842 +</param>
1843 </interface>
1844 -<interface name="auth_relabelto_shadow" lineno="742">
1845 +<interface name="auth_relabelto_shadow" lineno="748">
1846 <summary>
1847 Relabel to the shadow
1848 password file type.
1849 @@ -113544,7 +113678,7 @@ Domain allowed access.
1850 </summary>
1851 </param>
1852 </interface>
1853 -<interface name="auth_relabel_shadow" lineno="764">
1854 +<interface name="auth_relabel_shadow" lineno="770">
1855 <summary>
1856 Relabel from and to the shadow
1857 password file type.
1858 @@ -113555,7 +113689,7 @@ Domain allowed access.
1859 </summary>
1860 </param>
1861 </interface>
1862 -<interface name="auth_append_faillog" lineno="785">
1863 +<interface name="auth_append_faillog" lineno="791">
1864 <summary>
1865 Append to the login failure log.
1866 </summary>
1867 @@ -113565,7 +113699,7 @@ Domain allowed access.
1868 </summary>
1869 </param>
1870 </interface>
1871 -<interface name="auth_create_faillog_files" lineno="804">
1872 +<interface name="auth_create_faillog_files" lineno="810">
1873 <summary>
1874 Create fail log lock (in /run/faillock).
1875 </summary>
1876 @@ -113575,7 +113709,7 @@ Domain allowed access.
1877 </summary>
1878 </param>
1879 </interface>
1880 -<interface name="auth_rw_faillog" lineno="822">
1881 +<interface name="auth_rw_faillog" lineno="828">
1882 <summary>
1883 Read and write the login failure log.
1884 </summary>
1885 @@ -113585,7 +113719,7 @@ Domain allowed access.
1886 </summary>
1887 </param>
1888 </interface>
1889 -<interface name="auth_manage_faillog" lineno="841">
1890 +<interface name="auth_manage_faillog" lineno="847">
1891 <summary>
1892 Manage the login failure logs.
1893 </summary>
1894 @@ -113595,7 +113729,7 @@ Domain allowed access.
1895 </summary>
1896 </param>
1897 </interface>
1898 -<interface name="auth_setattr_faillog_files" lineno="860">
1899 +<interface name="auth_setattr_faillog_files" lineno="866">
1900 <summary>
1901 Setattr the login failure logs.
1902 </summary>
1903 @@ -113605,7 +113739,7 @@ Domain allowed access.
1904 </summary>
1905 </param>
1906 </interface>
1907 -<interface name="auth_read_lastlog" lineno="879">
1908 +<interface name="auth_read_lastlog" lineno="885">
1909 <summary>
1910 Read the last logins log.
1911 </summary>
1912 @@ -113616,7 +113750,7 @@ Domain allowed access.
1913 </param>
1914 <rolecap/>
1915 </interface>
1916 -<interface name="auth_append_lastlog" lineno="898">
1917 +<interface name="auth_append_lastlog" lineno="904">
1918 <summary>
1919 Append only to the last logins log.
1920 </summary>
1921 @@ -113626,7 +113760,7 @@ Domain allowed access.
1922 </summary>
1923 </param>
1924 </interface>
1925 -<interface name="auth_relabel_lastlog" lineno="917">
1926 +<interface name="auth_relabel_lastlog" lineno="923">
1927 <summary>
1928 relabel the last logins log.
1929 </summary>
1930 @@ -113636,7 +113770,7 @@ Domain allowed access.
1931 </summary>
1932 </param>
1933 </interface>
1934 -<interface name="auth_rw_lastlog" lineno="936">
1935 +<interface name="auth_rw_lastlog" lineno="942">
1936 <summary>
1937 Read and write to the last logins log.
1938 </summary>
1939 @@ -113646,7 +113780,7 @@ Domain allowed access.
1940 </summary>
1941 </param>
1942 </interface>
1943 -<interface name="auth_manage_lastlog" lineno="955">
1944 +<interface name="auth_manage_lastlog" lineno="961">
1945 <summary>
1946 Manage the last logins log.
1947 </summary>
1948 @@ -113656,7 +113790,7 @@ Domain allowed access.
1949 </summary>
1950 </param>
1951 </interface>
1952 -<interface name="auth_domtrans_pam" lineno="974">
1953 +<interface name="auth_domtrans_pam" lineno="980">
1954 <summary>
1955 Execute pam programs in the pam domain.
1956 </summary>
1957 @@ -113666,7 +113800,7 @@ Domain allowed to transition.
1958 </summary>
1959 </param>
1960 </interface>
1961 -<interface name="auth_signal_pam" lineno="992">
1962 +<interface name="auth_signal_pam" lineno="998">
1963 <summary>
1964 Send generic signals to pam processes.
1965 </summary>
1966 @@ -113676,7 +113810,7 @@ Domain allowed access.
1967 </summary>
1968 </param>
1969 </interface>
1970 -<interface name="auth_run_pam" lineno="1015">
1971 +<interface name="auth_run_pam" lineno="1021">
1972 <summary>
1973 Execute pam programs in the PAM domain.
1974 </summary>
1975 @@ -113691,7 +113825,7 @@ The role to allow the PAM domain.
1976 </summary>
1977 </param>
1978 </interface>
1979 -<interface name="auth_exec_pam" lineno="1034">
1980 +<interface name="auth_exec_pam" lineno="1040">
1981 <summary>
1982 Execute the pam program.
1983 </summary>
1984 @@ -113701,7 +113835,7 @@ Domain allowed access.
1985 </summary>
1986 </param>
1987 </interface>
1988 -<interface name="auth_read_var_auth" lineno="1053">
1989 +<interface name="auth_read_var_auth" lineno="1059">
1990 <summary>
1991 Read var auth files. Used by various other applications
1992 and pam applets etc.
1993 @@ -113712,7 +113846,7 @@ Domain allowed access.
1994 </summary>
1995 </param>
1996 </interface>
1997 -<interface name="auth_rw_var_auth" lineno="1073">
1998 +<interface name="auth_rw_var_auth" lineno="1079">
1999 <summary>
2000 Read and write var auth files. Used by various other applications
2001 and pam applets etc.
2002 @@ -113723,7 +113857,7 @@ Domain allowed access.
2003 </summary>
2004 </param>
2005 </interface>
2006 -<interface name="auth_manage_var_auth" lineno="1093">
2007 +<interface name="auth_manage_var_auth" lineno="1099">
2008 <summary>
2009 Manage var auth files. Used by various other applications
2010 and pam applets etc.
2011 @@ -113734,7 +113868,7 @@ Domain allowed access.
2012 </summary>
2013 </param>
2014 </interface>
2015 -<interface name="auth_read_pam_pid" lineno="1114">
2016 +<interface name="auth_read_pam_pid" lineno="1120">
2017 <summary>
2018 Read PAM PID files. (Deprecated)
2019 </summary>
2020 @@ -113744,7 +113878,7 @@ Domain allowed access.
2021 </summary>
2022 </param>
2023 </interface>
2024 -<interface name="auth_dontaudit_read_pam_pid" lineno="1129">
2025 +<interface name="auth_dontaudit_read_pam_pid" lineno="1135">
2026 <summary>
2027 Do not audit attempts to read PAM PID files. (Deprecated)
2028 </summary>
2029 @@ -113754,7 +113888,7 @@ Domain to not audit.
2030 </summary>
2031 </param>
2032 </interface>
2033 -<interface name="auth_pid_filetrans_pam_var_run" lineno="1157">
2034 +<interface name="auth_pid_filetrans_pam_var_run" lineno="1163">
2035 <summary>
2036 Create specified objects in
2037 pid directories with the pam var
2038 @@ -113777,7 +113911,7 @@ The name of the object being created.
2039 </summary>
2040 </param>
2041 </interface>
2042 -<interface name="auth_delete_pam_pid" lineno="1172">
2043 +<interface name="auth_delete_pam_pid" lineno="1178">
2044 <summary>
2045 Delete pam PID files. (Deprecated)
2046 </summary>
2047 @@ -113787,7 +113921,7 @@ Domain allowed access.
2048 </summary>
2049 </param>
2050 </interface>
2051 -<interface name="auth_manage_pam_pid" lineno="1187">
2052 +<interface name="auth_manage_pam_pid" lineno="1193">
2053 <summary>
2054 Manage pam PID files. (Deprecated)
2055 </summary>
2056 @@ -113797,7 +113931,7 @@ Domain allowed access.
2057 </summary>
2058 </param>
2059 </interface>
2060 -<interface name="auth_manage_pam_runtime_dirs" lineno="1203">
2061 +<interface name="auth_manage_pam_runtime_dirs" lineno="1209">
2062 <summary>
2063 Manage pam runtime dirs.
2064 </summary>
2065 @@ -113807,7 +113941,7 @@ Domain allowed access.
2066 </summary>
2067 </param>
2068 </interface>
2069 -<interface name="auth_runtime_filetrans_pam_runtime" lineno="1234">
2070 +<interface name="auth_runtime_filetrans_pam_runtime" lineno="1240">
2071 <summary>
2072 Create specified objects in
2073 pid directories with the pam runtime
2074 @@ -113829,7 +113963,7 @@ The name of the object being created.
2075 </summary>
2076 </param>
2077 </interface>
2078 -<interface name="auth_read_pam_runtime_files" lineno="1252">
2079 +<interface name="auth_read_pam_runtime_files" lineno="1258">
2080 <summary>
2081 Read PAM runtime files.
2082 </summary>
2083 @@ -113839,7 +113973,7 @@ Domain allowed access.
2084 </summary>
2085 </param>
2086 </interface>
2087 -<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1272">
2088 +<interface name="auth_dontaudit_read_pam_runtime_files" lineno="1278">
2089 <summary>
2090 Do not audit attempts to read PAM runtime files.
2091 </summary>
2092 @@ -113849,7 +113983,7 @@ Domain to not audit.
2093 </summary>
2094 </param>
2095 </interface>
2096 -<interface name="auth_delete_pam_runtime_files" lineno="1290">
2097 +<interface name="auth_delete_pam_runtime_files" lineno="1296">
2098 <summary>
2099 Delete pam runtime files.
2100 </summary>
2101 @@ -113859,7 +113993,7 @@ Domain allowed access.
2102 </summary>
2103 </param>
2104 </interface>
2105 -<interface name="auth_manage_pam_runtime_files" lineno="1309">
2106 +<interface name="auth_manage_pam_runtime_files" lineno="1315">
2107 <summary>
2108 Create, read, write, and delete pam runtime files.
2109 </summary>
2110 @@ -113869,7 +114003,7 @@ Domain allowed access.
2111 </summary>
2112 </param>
2113 </interface>
2114 -<interface name="auth_domtrans_pam_console" lineno="1328">
2115 +<interface name="auth_domtrans_pam_console" lineno="1334">
2116 <summary>
2117 Execute pam_console with a domain transition.
2118 </summary>
2119 @@ -113879,7 +114013,7 @@ Domain allowed to transition.
2120 </summary>
2121 </param>
2122 </interface>
2123 -<interface name="auth_search_pam_console_data" lineno="1347">
2124 +<interface name="auth_search_pam_console_data" lineno="1353">
2125 <summary>
2126 Search the contents of the
2127 pam_console data directory.
2128 @@ -113890,7 +114024,7 @@ Domain allowed access.
2129 </summary>
2130 </param>
2131 </interface>
2132 -<interface name="auth_list_pam_console_data" lineno="1367">
2133 +<interface name="auth_list_pam_console_data" lineno="1373">
2134 <summary>
2135 List the contents of the pam_console
2136 data directory.
2137 @@ -113901,7 +114035,7 @@ Domain allowed access.
2138 </summary>
2139 </param>
2140 </interface>
2141 -<interface name="auth_create_pam_console_data_dirs" lineno="1386">
2142 +<interface name="auth_create_pam_console_data_dirs" lineno="1392">
2143 <summary>
2144 Create pam var console pid directories.
2145 </summary>
2146 @@ -113911,7 +114045,7 @@ Domain allowed access.
2147 </summary>
2148 </param>
2149 </interface>
2150 -<interface name="auth_relabel_pam_console_data_dirs" lineno="1405">
2151 +<interface name="auth_relabel_pam_console_data_dirs" lineno="1411">
2152 <summary>
2153 Relabel pam_console data directories.
2154 </summary>
2155 @@ -113921,7 +114055,7 @@ Domain allowed access.
2156 </summary>
2157 </param>
2158 </interface>
2159 -<interface name="auth_read_pam_console_data" lineno="1423">
2160 +<interface name="auth_read_pam_console_data" lineno="1429">
2161 <summary>
2162 Read pam_console data files.
2163 </summary>
2164 @@ -113931,7 +114065,7 @@ Domain allowed access.
2165 </summary>
2166 </param>
2167 </interface>
2168 -<interface name="auth_manage_pam_console_data" lineno="1444">
2169 +<interface name="auth_manage_pam_console_data" lineno="1450">
2170 <summary>
2171 Create, read, write, and delete
2172 pam_console data files.
2173 @@ -113942,7 +114076,7 @@ Domain allowed access.
2174 </summary>
2175 </param>
2176 </interface>
2177 -<interface name="auth_delete_pam_console_data" lineno="1464">
2178 +<interface name="auth_delete_pam_console_data" lineno="1470">
2179 <summary>
2180 Delete pam_console data.
2181 </summary>
2182 @@ -113952,7 +114086,7 @@ Domain allowed access.
2183 </summary>
2184 </param>
2185 </interface>
2186 -<interface name="auth_pid_filetrans_pam_var_console" lineno="1497">
2187 +<interface name="auth_pid_filetrans_pam_var_console" lineno="1503">
2188 <summary>
2189 Create specified objects in
2190 pid directories with the pam var
2191 @@ -113975,7 +114109,7 @@ The name of the object being created.
2192 </summary>
2193 </param>
2194 </interface>
2195 -<interface name="auth_runtime_filetrans_pam_var_console" lineno="1525">
2196 +<interface name="auth_runtime_filetrans_pam_var_console" lineno="1531">
2197 <summary>
2198 Create specified objects in generic
2199 runtime directories with the pam var
2200 @@ -113998,7 +114132,7 @@ The name of the object being created.
2201 </summary>
2202 </param>
2203 </interface>
2204 -<interface name="auth_domtrans_utempter" lineno="1543">
2205 +<interface name="auth_domtrans_utempter" lineno="1549">
2206 <summary>
2207 Execute utempter programs in the utempter domain.
2208 </summary>
2209 @@ -114008,7 +114142,7 @@ Domain allowed to transition.
2210 </summary>
2211 </param>
2212 </interface>
2213 -<interface name="auth_run_utempter" lineno="1566">
2214 +<interface name="auth_run_utempter" lineno="1572">
2215 <summary>
2216 Execute utempter programs in the utempter domain.
2217 </summary>
2218 @@ -114023,7 +114157,7 @@ The role to allow the utempter domain.
2219 </summary>
2220 </param>
2221 </interface>
2222 -<interface name="auth_dontaudit_exec_utempter" lineno="1585">
2223 +<interface name="auth_dontaudit_exec_utempter" lineno="1591">
2224 <summary>
2225 Do not audit attempts to execute utempter executable.
2226 </summary>
2227 @@ -114033,7 +114167,7 @@ Domain to not audit.
2228 </summary>
2229 </param>
2230 </interface>
2231 -<interface name="auth_setattr_login_records" lineno="1603">
2232 +<interface name="auth_setattr_login_records" lineno="1609">
2233 <summary>
2234 Set the attributes of login record files.
2235 </summary>
2236 @@ -114043,7 +114177,7 @@ Domain allowed access.
2237 </summary>
2238 </param>
2239 </interface>
2240 -<interface name="auth_read_login_records" lineno="1623">
2241 +<interface name="auth_read_login_records" lineno="1629">
2242 <summary>
2243 Read login records files (/var/log/wtmp).
2244 </summary>
2245 @@ -114054,7 +114188,7 @@ Domain allowed access.
2246 </param>
2247 <rolecap/>
2248 </interface>
2249 -<interface name="auth_dontaudit_read_login_records" lineno="1644">
2250 +<interface name="auth_dontaudit_read_login_records" lineno="1650">
2251 <summary>
2252 Do not audit attempts to read login records
2253 files (/var/log/wtmp).
2254 @@ -114066,7 +114200,7 @@ Domain to not audit.
2255 </param>
2256 <rolecap/>
2257 </interface>
2258 -<interface name="auth_dontaudit_write_login_records" lineno="1663">
2259 +<interface name="auth_dontaudit_write_login_records" lineno="1669">
2260 <summary>
2261 Do not audit attempts to write to
2262 login records files.
2263 @@ -114077,7 +114211,7 @@ Domain to not audit.
2264 </summary>
2265 </param>
2266 </interface>
2267 -<interface name="auth_append_login_records" lineno="1681">
2268 +<interface name="auth_append_login_records" lineno="1687">
2269 <summary>
2270 Append to login records (wtmp).
2271 </summary>
2272 @@ -114087,7 +114221,7 @@ Domain allowed access.
2273 </summary>
2274 </param>
2275 </interface>
2276 -<interface name="auth_write_login_records" lineno="1700">
2277 +<interface name="auth_write_login_records" lineno="1706">
2278 <summary>
2279 Write to login records (wtmp).
2280 </summary>
2281 @@ -114097,7 +114231,7 @@ Domain allowed access.
2282 </summary>
2283 </param>
2284 </interface>
2285 -<interface name="auth_rw_login_records" lineno="1718">
2286 +<interface name="auth_rw_login_records" lineno="1724">
2287 <summary>
2288 Read and write login records.
2289 </summary>
2290 @@ -114107,7 +114241,7 @@ Domain allowed access.
2291 </summary>
2292 </param>
2293 </interface>
2294 -<interface name="auth_log_filetrans_login_records" lineno="1738">
2295 +<interface name="auth_log_filetrans_login_records" lineno="1744">
2296 <summary>
2297 Create a login records in the log directory
2298 using a type transition.
2299 @@ -114118,7 +114252,7 @@ Domain allowed access.
2300 </summary>
2301 </param>
2302 </interface>
2303 -<interface name="auth_manage_login_records" lineno="1757">
2304 +<interface name="auth_manage_login_records" lineno="1763">
2305 <summary>
2306 Create, read, write, and delete login
2307 records files.
2308 @@ -114129,7 +114263,7 @@ Domain allowed access.
2309 </summary>
2310 </param>
2311 </interface>
2312 -<interface name="auth_relabel_login_records" lineno="1776">
2313 +<interface name="auth_relabel_login_records" lineno="1782">
2314 <summary>
2315 Relabel login record files.
2316 </summary>
2317 @@ -114139,7 +114273,7 @@ Domain allowed access.
2318 </summary>
2319 </param>
2320 </interface>
2321 -<interface name="auth_use_nsswitch" lineno="1804">
2322 +<interface name="auth_use_nsswitch" lineno="1810">
2323 <summary>
2324 Use nsswitch to look up user, password, group, or
2325 host information.
2326 @@ -114159,7 +114293,7 @@ Domain allowed access.
2327 </param>
2328 <infoflow type="both" weight="10"/>
2329 </interface>
2330 -<interface name="auth_unconfined" lineno="1832">
2331 +<interface name="auth_unconfined" lineno="1838">
2332 <summary>
2333 Unconfined access to the authlogin module.
2334 </summary>
2335 @@ -120757,7 +120891,7 @@ can manage samba
2336 </module>
2337 <module name="systemd" filename="policy/modules/system/systemd.if">
2338 <summary>Systemd components (not PID 1)</summary>
2339 -<template name="systemd_role_template" lineno="23">
2340 +<template name="systemd_role_template" lineno="28">
2341 <summary>
2342 Template for systemd --user per-role domains.
2343 </summary>
2344 @@ -120776,8 +120910,13 @@ The user role.
2345 The user domain for the role.
2346 </summary>
2347 </param>
2348 +<param name="pty_type">
2349 +<summary>
2350 +The type for the user pty
2351 +</summary>
2352 +</param>
2353 </template>
2354 -<interface name="systemd_log_parse_environment" lineno="82">
2355 +<interface name="systemd_log_parse_environment" lineno="96">
2356 <summary>
2357 Make the specified type usable as an
2358 log parse environment type.
2359 @@ -120788,7 +120927,7 @@ Type to be used as a log parse environment type.
2360 </summary>
2361 </param>
2362 </interface>
2363 -<interface name="systemd_use_nss" lineno="102">
2364 +<interface name="systemd_use_nss" lineno="116">
2365 <summary>
2366 Allow domain to use systemd's Name Service Switch (NSS) module.
2367 This module provides UNIX user and group name resolution for dynamic users
2368 @@ -120800,7 +120939,7 @@ Domain allowed access
2369 </summary>
2370 </param>
2371 </interface>
2372 -<interface name="systemd_PrivateDevices" lineno="129">
2373 +<interface name="systemd_PrivateDevices" lineno="143">
2374 <summary>
2375 Allow domain to be used as a systemd service with a unit
2376 that uses PrivateDevices=yes in section [Service].
2377 @@ -120811,7 +120950,7 @@ Domain allowed access
2378 </summary>
2379 </param>
2380 </interface>
2381 -<interface name="systemd_read_hwdb" lineno="146">
2382 +<interface name="systemd_read_hwdb" lineno="160">
2383 <summary>
2384 Allow domain to read udev hwdb file
2385 </summary>
2386 @@ -120821,7 +120960,7 @@ domain allowed access
2387 </summary>
2388 </param>
2389 </interface>
2390 -<interface name="systemd_map_hwdb" lineno="164">
2391 +<interface name="systemd_map_hwdb" lineno="178">
2392 <summary>
2393 Allow domain to map udev hwdb file
2394 </summary>
2395 @@ -120831,7 +120970,7 @@ domain allowed access
2396 </summary>
2397 </param>
2398 </interface>
2399 -<interface name="systemd_read_logind_pids" lineno="182">
2400 +<interface name="systemd_read_logind_pids" lineno="196">
2401 <summary>
2402 Read systemd_login PID files. (Deprecated)
2403 </summary>
2404 @@ -120841,7 +120980,7 @@ Domain allowed access.
2405 </summary>
2406 </param>
2407 </interface>
2408 -<interface name="systemd_manage_logind_pid_pipes" lineno="197">
2409 +<interface name="systemd_manage_logind_pid_pipes" lineno="211">
2410 <summary>
2411 Manage systemd_login PID pipes. (Deprecated)
2412 </summary>
2413 @@ -120851,7 +120990,7 @@ Domain allowed access.
2414 </summary>
2415 </param>
2416 </interface>
2417 -<interface name="systemd_write_logind_pid_pipes" lineno="212">
2418 +<interface name="systemd_write_logind_pid_pipes" lineno="226">
2419 <summary>
2420 Write systemd_login named pipe. (Deprecated)
2421 </summary>
2422 @@ -120861,7 +121000,7 @@ Domain allowed access.
2423 </summary>
2424 </param>
2425 </interface>
2426 -<interface name="systemd_read_logind_runtime_files" lineno="227">
2427 +<interface name="systemd_read_logind_runtime_files" lineno="241">
2428 <summary>
2429 Read systemd-logind runtime files.
2430 </summary>
2431 @@ -120871,7 +121010,7 @@ Domain allowed access.
2432 </summary>
2433 </param>
2434 </interface>
2435 -<interface name="systemd_manage_logind_runtime_pipes" lineno="247">
2436 +<interface name="systemd_manage_logind_runtime_pipes" lineno="261">
2437 <summary>
2438 Manage systemd-logind runtime pipes.
2439 </summary>
2440 @@ -120881,7 +121020,7 @@ Domain allowed access.
2441 </summary>
2442 </param>
2443 </interface>
2444 -<interface name="systemd_write_logind_runtime_pipes" lineno="266">
2445 +<interface name="systemd_write_logind_runtime_pipes" lineno="280">
2446 <summary>
2447 Write systemd-logind runtime named pipe.
2448 </summary>
2449 @@ -120891,7 +121030,7 @@ Domain allowed access.
2450 </summary>
2451 </param>
2452 </interface>
2453 -<interface name="systemd_use_logind_fds" lineno="287">
2454 +<interface name="systemd_use_logind_fds" lineno="301">
2455 <summary>
2456 Use inherited systemd
2457 logind file descriptors.
2458 @@ -120902,7 +121041,7 @@ Domain allowed access.
2459 </summary>
2460 </param>
2461 </interface>
2462 -<interface name="systemd_read_logind_sessions_files" lineno="305">
2463 +<interface name="systemd_read_logind_sessions_files" lineno="319">
2464 <summary>
2465 Read logind sessions files.
2466 </summary>
2467 @@ -120912,7 +121051,7 @@ Domain allowed access.
2468 </summary>
2469 </param>
2470 </interface>
2471 -<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="326">
2472 +<interface name="systemd_write_inherited_logind_sessions_pipes" lineno="340">
2473 <summary>
2474 Write inherited logind sessions pipes.
2475 </summary>
2476 @@ -120922,7 +121061,7 @@ Domain allowed access.
2477 </summary>
2478 </param>
2479 </interface>
2480 -<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="346">
2481 +<interface name="systemd_write_inherited_logind_inhibit_pipes" lineno="360">
2482 <summary>
2483 Write inherited logind inhibit pipes.
2484 </summary>
2485 @@ -120932,7 +121071,7 @@ Domain allowed access.
2486 </summary>
2487 </param>
2488 </interface>
2489 -<interface name="systemd_dbus_chat_logind" lineno="367">
2490 +<interface name="systemd_dbus_chat_logind" lineno="381">
2491 <summary>
2492 Send and receive messages from
2493 systemd logind over dbus.
2494 @@ -120943,7 +121082,7 @@ Domain allowed access.
2495 </summary>
2496 </param>
2497 </interface>
2498 -<interface name="systemd_status_logind" lineno="387">
2499 +<interface name="systemd_status_logind" lineno="401">
2500 <summary>
2501 Get the system status information from systemd_login
2502 </summary>
2503 @@ -120953,7 +121092,7 @@ Domain allowed access.
2504 </summary>
2505 </param>
2506 </interface>
2507 -<interface name="systemd_signull_logind" lineno="406">
2508 +<interface name="systemd_signull_logind" lineno="420">
2509 <summary>
2510 Send systemd_login a null signal.
2511 </summary>
2512 @@ -120963,7 +121102,7 @@ Domain allowed access.
2513 </summary>
2514 </param>
2515 </interface>
2516 -<interface name="systemd_manage_userdb_runtime_dirs" lineno="424">
2517 +<interface name="systemd_manage_userdb_runtime_dirs" lineno="438">
2518 <summary>
2519 Manage systemd userdb runtime directories.
2520 </summary>
2521 @@ -120973,7 +121112,7 @@ Domain allowed access.
2522 </summary>
2523 </param>
2524 </interface>
2525 -<interface name="systemd_manage_userdb_runtime_sock_files" lineno="442">
2526 +<interface name="systemd_manage_userdb_runtime_sock_files" lineno="456">
2527 <summary>
2528 Manage socket files under /run/systemd/userdb .
2529 </summary>
2530 @@ -120983,7 +121122,7 @@ Domain allowed access.
2531 </summary>
2532 </param>
2533 </interface>
2534 -<interface name="systemd_stream_connect_userdb" lineno="460">
2535 +<interface name="systemd_stream_connect_userdb" lineno="474">
2536 <summary>
2537 Connect to /run/systemd/userdb/io.systemd.DynamicUser .
2538 </summary>
2539 @@ -120993,7 +121132,7 @@ Domain allowed access.
2540 </summary>
2541 </param>
2542 </interface>
2543 -<interface name="systemd_read_machines" lineno="481">
2544 +<interface name="systemd_read_machines" lineno="495">
2545 <summary>
2546 Allow reading /run/systemd/machines
2547 </summary>
2548 @@ -121003,7 +121142,17 @@ Domain that can access the machines files
2549 </summary>
2550 </param>
2551 </interface>
2552 -<interface name="systemd_dbus_chat_hostnamed" lineno="501">
2553 +<interface name="systemd_connect_machined" lineno="514">
2554 +<summary>
2555 +Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
2556 +</summary>
2557 +<param name="domain">
2558 +<summary>
2559 +Domain that can access the socket
2560 +</summary>
2561 +</param>
2562 +</interface>
2563 +<interface name="systemd_dbus_chat_hostnamed" lineno="533">
2564 <summary>
2565 Send and receive messages from
2566 systemd hostnamed over dbus.
2567 @@ -121014,7 +121163,7 @@ Domain allowed access.
2568 </summary>
2569 </param>
2570 </interface>
2571 -<interface name="systemd_use_passwd_agent_fds" lineno="521">
2572 +<interface name="systemd_use_passwd_agent_fds" lineno="553">
2573 <summary>
2574 allow systemd_passwd_agent to inherit fds
2575 </summary>
2576 @@ -121024,7 +121173,22 @@ Domain that owns the fds
2577 </summary>
2578 </param>
2579 </interface>
2580 -<interface name="systemd_use_passwd_agent" lineno="540">
2581 +<interface name="systemd_run_passwd_agent" lineno="576">
2582 +<summary>
2583 +allow systemd_passwd_agent to be run by admin
2584 +</summary>
2585 +<param name="domain">
2586 +<summary>
2587 +Domain that runs it
2588 +</summary>
2589 +</param>
2590 +<param name="role">
2591 +<summary>
2592 +role that it runs in
2593 +</summary>
2594 +</param>
2595 +</interface>
2596 +<interface name="systemd_use_passwd_agent" lineno="597">
2597 <summary>
2598 Allow a systemd_passwd_agent_t process to interact with a daemon
2599 that needs a password from the sysadmin.
2600 @@ -121035,7 +121199,7 @@ Domain allowed access.
2601 </summary>
2602 </param>
2603 </interface>
2604 -<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="564">
2605 +<interface name="systemd_filetrans_passwd_runtime_dirs" lineno="621">
2606 <summary>
2607 Transition to systemd_passwd_runtime_t when creating dirs
2608 </summary>
2609 @@ -121045,7 +121209,7 @@ Domain allowed access.
2610 </summary>
2611 </param>
2612 </interface>
2613 -<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="585">
2614 +<interface name="systemd_filetrans_userdb_runtime_dirs" lineno="642">
2615 <summary>
2616 Transition to systemd_userdb_runtime_t when
2617 creating the userdb directory inside an init runtime
2618 @@ -121057,7 +121221,7 @@ Domain allowed access.
2619 </summary>
2620 </param>
2621 </interface>
2622 -<interface name="systemd_manage_passwd_runtime_symlinks" lineno="603">
2623 +<interface name="systemd_manage_passwd_runtime_symlinks" lineno="660">
2624 <summary>
2625 Allow to domain to create systemd-passwd symlink
2626 </summary>
2627 @@ -121067,7 +121231,7 @@ Domain allowed access.
2628 </summary>
2629 </param>
2630 </interface>
2631 -<interface name="systemd_manage_all_units" lineno="621">
2632 +<interface name="systemd_manage_all_units" lineno="678">
2633 <summary>
2634 manage systemd unit dirs and the files in them (Deprecated)
2635 </summary>
2636 @@ -121077,7 +121241,7 @@ Domain allowed access.
2637 </summary>
2638 </param>
2639 </interface>
2640 -<interface name="systemd_read_journal_files" lineno="636">
2641 +<interface name="systemd_read_journal_files" lineno="693">
2642 <summary>
2643 Allow domain to read systemd_journal_t files
2644 </summary>
2645 @@ -121087,7 +121251,7 @@ Domain allowed access.
2646 </summary>
2647 </param>
2648 </interface>
2649 -<interface name="systemd_manage_journal_files" lineno="655">
2650 +<interface name="systemd_manage_journal_files" lineno="712">
2651 <summary>
2652 Allow domain to create/manage systemd_journal_t files
2653 </summary>
2654 @@ -121097,7 +121261,7 @@ Domain allowed access.
2655 </summary>
2656 </param>
2657 </interface>
2658 -<interface name="systemd_relabelto_journal_dirs" lineno="675">
2659 +<interface name="systemd_relabelto_journal_dirs" lineno="732">
2660 <summary>
2661 Relabel to systemd-journald directory type.
2662 </summary>
2663 @@ -121107,7 +121271,7 @@ Domain allowed access.
2664 </summary>
2665 </param>
2666 </interface>
2667 -<interface name="systemd_relabelto_journal_files" lineno="694">
2668 +<interface name="systemd_relabelto_journal_files" lineno="751">
2669 <summary>
2670 Relabel to systemd-journald file type.
2671 </summary>
2672 @@ -121117,7 +121281,7 @@ Domain allowed access.
2673 </summary>
2674 </param>
2675 </interface>
2676 -<interface name="systemd_read_networkd_units" lineno="714">
2677 +<interface name="systemd_read_networkd_units" lineno="771">
2678 <summary>
2679 Allow domain to read systemd_networkd_t unit files
2680 </summary>
2681 @@ -121127,7 +121291,7 @@ Domain allowed access.
2682 </summary>
2683 </param>
2684 </interface>
2685 -<interface name="systemd_manage_networkd_units" lineno="734">
2686 +<interface name="systemd_manage_networkd_units" lineno="791">
2687 <summary>
2688 Allow domain to create/manage systemd_networkd_t unit files
2689 </summary>
2690 @@ -121137,7 +121301,7 @@ Domain allowed access.
2691 </summary>
2692 </param>
2693 </interface>
2694 -<interface name="systemd_enabledisable_networkd" lineno="754">
2695 +<interface name="systemd_enabledisable_networkd" lineno="811">
2696 <summary>
2697 Allow specified domain to enable systemd-networkd units
2698 </summary>
2699 @@ -121147,7 +121311,7 @@ Domain allowed access.
2700 </summary>
2701 </param>
2702 </interface>
2703 -<interface name="systemd_startstop_networkd" lineno="773">
2704 +<interface name="systemd_startstop_networkd" lineno="830">
2705 <summary>
2706 Allow specified domain to start systemd-networkd units
2707 </summary>
2708 @@ -121157,7 +121321,7 @@ Domain allowed access.
2709 </summary>
2710 </param>
2711 </interface>
2712 -<interface name="systemd_status_networkd" lineno="792">
2713 +<interface name="systemd_status_networkd" lineno="849">
2714 <summary>
2715 Allow specified domain to get status of systemd-networkd
2716 </summary>
2717 @@ -121167,7 +121331,7 @@ Domain allowed access.
2718 </summary>
2719 </param>
2720 </interface>
2721 -<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="811">
2722 +<interface name="systemd_relabelfrom_networkd_tun_sockets" lineno="868">
2723 <summary>
2724 Relabel systemd_networkd tun socket.
2725 </summary>
2726 @@ -121177,7 +121341,7 @@ Domain allowed access.
2727 </summary>
2728 </param>
2729 </interface>
2730 -<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="829">
2731 +<interface name="systemd_rw_networkd_netlink_route_sockets" lineno="886">
2732 <summary>
2733 Read/Write from systemd_networkd netlink route socket.
2734 </summary>
2735 @@ -121187,7 +121351,7 @@ Domain allowed access.
2736 </summary>
2737 </param>
2738 </interface>
2739 -<interface name="systemd_list_networkd_runtime" lineno="847">
2740 +<interface name="systemd_list_networkd_runtime" lineno="904">
2741 <summary>
2742 Allow domain to list dirs under /run/systemd/netif
2743 </summary>
2744 @@ -121197,7 +121361,7 @@ domain permitted the access
2745 </summary>
2746 </param>
2747 </interface>
2748 -<interface name="systemd_watch_networkd_runtime_dirs" lineno="866">
2749 +<interface name="systemd_watch_networkd_runtime_dirs" lineno="923">
2750 <summary>
2751 Watch directories under /run/systemd/netif
2752 </summary>
2753 @@ -121207,7 +121371,7 @@ Domain permitted the access
2754 </summary>
2755 </param>
2756 </interface>
2757 -<interface name="systemd_read_networkd_runtime" lineno="885">
2758 +<interface name="systemd_read_networkd_runtime" lineno="942">
2759 <summary>
2760 Allow domain to read files generated by systemd_networkd
2761 </summary>
2762 @@ -121217,7 +121381,7 @@ domain allowed access
2763 </summary>
2764 </param>
2765 </interface>
2766 -<interface name="systemd_read_logind_state" lineno="904">
2767 +<interface name="systemd_read_logind_state" lineno="961">
2768 <summary>
2769 Allow systemd_logind_t to read process state for cgroup file
2770 </summary>
2771 @@ -121227,7 +121391,7 @@ Domain systemd_logind_t may access.
2772 </summary>
2773 </param>
2774 </interface>
2775 -<interface name="systemd_start_power_units" lineno="923">
2776 +<interface name="systemd_start_power_units" lineno="980">
2777 <summary>
2778 Allow specified domain to start power units
2779 </summary>
2780 @@ -121237,7 +121401,7 @@ Domain to not audit.
2781 </summary>
2782 </param>
2783 </interface>
2784 -<interface name="systemd_status_power_units" lineno="942">
2785 +<interface name="systemd_status_power_units" lineno="999">
2786 <summary>
2787 Get the system status information about power units
2788 </summary>
2789 @@ -121247,7 +121411,7 @@ Domain allowed access.
2790 </summary>
2791 </param>
2792 </interface>
2793 -<interface name="systemd_stream_connect_socket_proxyd" lineno="961">
2794 +<interface name="systemd_stream_connect_socket_proxyd" lineno="1018">
2795 <summary>
2796 Allows connections to the systemd-socket-proxyd's socket.
2797 </summary>
2798 @@ -121257,7 +121421,7 @@ Domain allowed access.
2799 </summary>
2800 </param>
2801 </interface>
2802 -<interface name="systemd_tmpfiles_conf_file" lineno="980">
2803 +<interface name="systemd_tmpfiles_conf_file" lineno="1037">
2804 <summary>
2805 Make the specified type usable for
2806 systemd tmpfiles config files.
2807 @@ -121268,7 +121432,7 @@ Type to be used for systemd tmpfiles config files.
2808 </summary>
2809 </param>
2810 </interface>
2811 -<interface name="systemd_tmpfiles_creator" lineno="1001">
2812 +<interface name="systemd_tmpfiles_creator" lineno="1058">
2813 <summary>
2814 Allow the specified domain to create
2815 the tmpfiles config directory with
2816 @@ -121280,7 +121444,7 @@ Domain allowed access.
2817 </summary>
2818 </param>
2819 </interface>
2820 -<interface name="systemd_tmpfiles_conf_filetrans" lineno="1037">
2821 +<interface name="systemd_tmpfiles_conf_filetrans" lineno="1094">
2822 <summary>
2823 Create an object in the systemd tmpfiles config
2824 directory, with a private type
2825 @@ -121307,7 +121471,7 @@ The name of the object being created.
2826 </summary>
2827 </param>
2828 </interface>
2829 -<interface name="systemd_list_tmpfiles_conf" lineno="1056">
2830 +<interface name="systemd_list_tmpfiles_conf" lineno="1113">
2831 <summary>
2832 Allow domain to list systemd tmpfiles config directory
2833 </summary>
2834 @@ -121317,7 +121481,7 @@ Domain allowed access.
2835 </summary>
2836 </param>
2837 </interface>
2838 -<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1074">
2839 +<interface name="systemd_relabelto_tmpfiles_conf_dirs" lineno="1131">
2840 <summary>
2841 Allow domain to relabel to systemd tmpfiles config directory
2842 </summary>
2843 @@ -121327,7 +121491,7 @@ Domain allowed access.
2844 </summary>
2845 </param>
2846 </interface>
2847 -<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1092">
2848 +<interface name="systemd_relabelto_tmpfiles_conf_files" lineno="1149">
2849 <summary>
2850 Allow domain to relabel to systemd tmpfiles config files
2851 </summary>
2852 @@ -121337,7 +121501,7 @@ Domain allowed access.
2853 </summary>
2854 </param>
2855 </interface>
2856 -<interface name="systemd_tmpfilesd_managed" lineno="1115">
2857 +<interface name="systemd_tmpfilesd_managed" lineno="1172">
2858 <summary>
2859 Allow systemd_tmpfiles_t to manage filesystem objects
2860 </summary>
2861 @@ -121352,7 +121516,7 @@ object class to manage
2862 </summary>
2863 </param>
2864 </interface>
2865 -<interface name="systemd_dbus_chat_resolved" lineno="1134">
2866 +<interface name="systemd_dbus_chat_resolved" lineno="1191">
2867 <summary>
2868 Send and receive messages from
2869 systemd resolved over dbus.
2870 @@ -121363,7 +121527,7 @@ Domain allowed access.
2871 </summary>
2872 </param>
2873 </interface>
2874 -<interface name="systemd_read_resolved_runtime" lineno="1154">
2875 +<interface name="systemd_read_resolved_runtime" lineno="1211">
2876 <summary>
2877 Allow domain to read resolv.conf file generated by systemd_resolved
2878 </summary>
2879 @@ -121373,7 +121537,7 @@ domain allowed access
2880 </summary>
2881 </param>
2882 </interface>
2883 -<interface name="systemd_getattr_updated_runtime" lineno="1172">
2884 +<interface name="systemd_getattr_updated_runtime" lineno="1229">
2885 <summary>
2886 Allow domain to getattr on .updated file (generated by systemd-update-done
2887 </summary>
2888 @@ -121383,7 +121547,7 @@ domain allowed access
2889 </summary>
2890 </param>
2891 </interface>
2892 -<interface name="systemd_search_all_user_keys" lineno="1190">
2893 +<interface name="systemd_search_all_user_keys" lineno="1247">
2894 <summary>
2895 Search keys for the all systemd --user domains.
2896 </summary>
2897 @@ -121393,7 +121557,7 @@ Domain allowed access.
2898 </summary>
2899 </param>
2900 </interface>
2901 -<interface name="systemd_create_all_user_keys" lineno="1208">
2902 +<interface name="systemd_create_all_user_keys" lineno="1265">
2903 <summary>
2904 Create keys for the all systemd --user domains.
2905 </summary>
2906 @@ -121403,7 +121567,7 @@ Domain allowed access.
2907 </summary>
2908 </param>
2909 </interface>
2910 -<interface name="systemd_write_all_user_keys" lineno="1226">
2911 +<interface name="systemd_write_all_user_keys" lineno="1283">
2912 <summary>
2913 Write keys for the all systemd --user domains.
2914 </summary>
2915 @@ -121413,7 +121577,7 @@ Domain allowed access.
2916 </summary>
2917 </param>
2918 </interface>
2919 -<interface name="systemd_domtrans_sysusers" lineno="1245">
2920 +<interface name="systemd_domtrans_sysusers" lineno="1302">
2921 <summary>
2922 Execute systemd-sysusers in the
2923 systemd sysusers domain.
2924 @@ -121424,7 +121588,7 @@ Domain allowed access.
2925 </summary>
2926 </param>
2927 </interface>
2928 -<interface name="systemd_run_sysusers" lineno="1270">
2929 +<interface name="systemd_run_sysusers" lineno="1327">
2930 <summary>
2931 Run systemd-sysusers with a domain transition.
2932 </summary>
2933 @@ -121440,6 +121604,17 @@ Role allowed access.
2934 </param>
2935 <rolecap/>
2936 </interface>
2937 +<interface name="systemd_use_inherited_machined_ptys" lineno="1347">
2938 +<summary>
2939 +receive and use a systemd_machined_devpts_t file handle
2940 +</summary>
2941 +<param name="domain">
2942 +<summary>
2943 +Domain allowed access.
2944 +</summary>
2945 +</param>
2946 +<rolecap/>
2947 +</interface>
2948 <tunable name="systemd_tmpfiles_manage_all" dftval="false">
2949 <desc>
2950 <p>
2951
2952 diff --git a/policy/booleans.conf b/policy/booleans.conf
2953 index 4b1ccd81..38a4ea50 100644
2954 --- a/policy/booleans.conf
2955 +++ b/policy/booleans.conf
2956 @@ -1079,6 +1079,12 @@ boinc_execmem = true
2957 #
2958 allow_httpd_bugzilla_script_anon_write = false
2959
2960 +#
2961 +# Determine whether additional rules
2962 +# should be enabled to support acme.sh
2963 +#
2964 +certbot_acmesh = false
2965 +
2966 #
2967 # Determine whether clamscan can
2968 # read user content files.
2969
2970 diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
2971 index 1d0367c8..372deb5b 100644
2972 --- a/policy/modules/kernel/corenetwork.te
2973 +++ b/policy/modules/kernel/corenetwork.te
2974 @@ -2,7 +2,7 @@
2975 # This is a generated file! Instead of modifying this file, the
2976 # corenetwork.te.in or corenetwork.te.m4 file should be modified.
2977 #
2978 -policy_module(corenetwork, 1.28.1)
2979 +policy_module(corenetwork, 1.29.0)
2980
2981 ########################################
2982 #
Report Message
Find on MARC Find on Google Groups