This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.
This module creates the concept of a device node. That is a char or block device file, usually in /dev. All types that are used to label device nodes should use the dev_node macro.
Additionally, this module controls access to three things:
- the device directories containing device nodes
- device nodes as a group
- individual access to specific device nodes covered by this module
This module is required to be included in all policies.
Add entries to directories in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Append the printer device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Associate the specified file type with device filesystem.
Parameter: | Description: |
---|---|
file_type |
The type of the file to be associated. |
Associate a file to a sysfs filesystem.
Parameter: | Description: |
---|---|
file_type |
The type of the file to be associated to sysfs. |
Associate a file to a usbfs filesystem.
Parameter: | Description: |
---|---|
file_type |
The type of the file to be associated to usbfs. |
Create all block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create all character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete the PCMCIA card manager device with the correct type.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create generic block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create a directory in the device directory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create symbolic links in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create the null device (/dev/null).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create the random device (/dev/random).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Add a sysfs file
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create the urandom device (/dev/urandom).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete all block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete all character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete generic block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete a directory in the device directory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete generic files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete symbolic links in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete the lvm control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Delete the null device (/dev/null).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to append to random number generator devices (e.g., /dev/random)
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on generic block devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr for generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on generic files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on generic pipes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on raw memory devices (e.g. /dev/mem).
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of the BIOS non-volatile RAM device.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit getattr on smartcard devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit getting the attributes of sysfs filesystem
Parameter: | Description: |
---|---|
domain |
Domain to dontaudit access from |
Do not audit attempts to get the attributes of a directory in the usb filesystem.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to get the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit attempts to list all device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit read on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit read on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read the framebuffer.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read the kernel messages
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read from random number generator devices (e.g., /dev/random)
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read hardware state information.
Parameter: | Description: |
---|---|
domain |
Domain for which the attempts do not need to be audited |
Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom)
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read and write the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit read and write on the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit attempts to read/write generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain to dontaudit access. |
Dontaudit getattr for generic device files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read and write lvm control device.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to read and write miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Do not audit attempts to search sysfs.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit setattr on generic block devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit setattr for generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of symbolic links in device directories (/dev).
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of the null device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to set the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit write on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Dontaudit write on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to write the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to write in a sysfs directory.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Do not audit attempts to write to a sysfs file.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Execmod the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, and write device nodes. The node will be transitioned to the type provided.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
file_type | Type to which the created node will be transitioned. |
objectclass(es) | Object class(es) (single or set including {}) for which the transition will occur. |
name | The name of the object being created. |
Automatic type transition to the type for PCMCIA card manager device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for DRI device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for event device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for lirc device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Automatic type transition to the type for xen device nodes when created in /dev.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
name | The name of the object being created. |
Get the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr the agp devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the CPU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get attributes of device filesystems.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow getattr on generic block devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow getattr for generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the event devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the ksm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the kvm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the lvm control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the modem devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the mouse devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the memory type range registers (MTRR) device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the null device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of PM QoS devices
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the power management device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the printer device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the QEMU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Getattr on smartcard devices
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of sysfs filesystem
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of a directory in the usb filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of video4linux devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Get the attributes of X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
IOCTL the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
IOCTL the input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
List all of the device nodes in a device directory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
List the contents of the sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow caller to get a list of usb hardware.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, create, and delete all block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, create, and delete all character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, delete, read, and write device nodes in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, delete, read, and write block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, delete, read, and write character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Manage directories in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create a file in the device directory.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, delete, read, and write symbolic links in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Manage services with script type null_device_t for when /lib/systemd/system/something.service is a link to /dev/null
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete smartcard devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Manage the wireless device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, write, and delete Xen devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Map X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount a sysfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount a usbfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount a filesystem on /dev
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount on the kernel messages device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount a filesystem on sysfs. (Deprecated)
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Mount on sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Make the specified type usable for device nodes in a filesystem.
Make the specified type usable for device nodes in a filesystem. Types used for device nodes that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running.
Example:
```
type mydev_t;
dev_node(mydev_t)
allow mydomain_t mydev_t:chr_file read_chr_file_perms;
```
Related interfaces:
term_tty()
term_pty()
Parameter: | Description: |
---|---|
type |
Type to be used for device nodes. |
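A fuller module built around the same pattern, added here as an illustration and not taken from the reference policy: it gives a device its own type instead of leaving it on the generic device type, and uses the named file transition interface described earlier so the node is labeled correctly at creation. The module name, `mydaemon_t`, `mydaemon_exec_t`, `mydev_t` and the node name `mydev0` are hypothetical.

```selinux
# mydev.te -- added example; all "my*" names are hypothetical.
policy_module(mydev, 1.0.0)

########################################
# Declarations
#

# Domain for the daemon that creates and uses the device node.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private type for the node. Without dev_node() the type is not
# usable for device nodes in a filesystem, as the text above notes.
type mydev_t;
dev_node(mydev_t)

########################################
# Local policy
#

# Creating a device node requires the mknod capability.
allow mydaemon_t self:capability mknod;

# A chr_file named "mydev0" created by mydaemon_t in /dev is
# labeled mydev_t instead of inheriting the generic device type.
dev_filetrans(mydaemon_t, mydev_t, chr_file, "mydev0")

# Access is scoped to the private type only. Granting
# dev_rw_generic_chr_files(mydaemon_t) instead would cover every
# character device that still carries the generic label.
allow mydaemon_t mydev_t:chr_file { create_chr_file_perms rw_chr_file_perms };

# Non-blocking randomness for the daemon's own use.
dev_read_urand(mydaemon_t)

# Matching entry for mydev.fc, so a relabel keeps the type:
#   /dev/mydev0    -c    gen_context(system_u:object_r:mydev_t,s0)
```

After loading the module, `ls -Z /dev/mydev0` should show `mydev_t`; a node that shows the generic device type means the transition or the file context entry did not match.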
Read cpu online hardware state information
Allow the specified domain to read /sys/devices/system/cpu/online
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the CPU identity.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the kernel crash device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the framebuffer.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read generic files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Read symbolic links in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the kernel messages
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the ksm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the kvm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the lirc device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the lvm control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the modem devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the mouse devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the PM QoS devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the QEMU device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read from random number generator devices (e.g., /dev/random).
Allow the specified domain to read from random number generator devices (e.g., /dev/random). Typically this is used in situations when a cryptographically secure random number is needed.
Related interface:
dev_read_urand()
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
tunable | Tunable to depend on. |
Read the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the sound mixer devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read hardware state information.
Allow the specified domain to read the contents of the sysfs filesystem. This filesystem contains information, parameters, and other settings on the hardware installed on the system.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read from pseudo random number generator devices (e.g., /dev/urandom).
Allow the specified domain to read from pseudo random number generator devices (e.g., /dev/urandom). Typically this is used in situations when a cryptographically secure random number is not necessarily needed. One example is the Stack Smashing Protector (SSP, formerly known as ProPolice) support that may be compiled into programs.
Related interface:
dev_read_rand()
Related tunable:
global_ssp
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read USB hardware information using the usbfs filesystem interface.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read USB monitor devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the video4linux devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read from watchdog devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read the wireless device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow full relabeling (to and from) of all device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow full relabeling (to and from) of all device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel from/to all sysfs types.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow full relabeling (to and from) of directories in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel symbolic links in device directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel hardware state directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel from generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Relabel vfio devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Remount device filesystems.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Remount a sysfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Remove entries from directories in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Rename all block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Rename all character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the apm bios.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the agp devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the autofs device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write cachefiles character device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the PCMCIA card manager device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the CPU microcode device. This is required to load CPU microcode.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the hardware SSL accelerator.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the dlm control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the framebuffer.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write generic block device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write generic files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow read/write the hypervkvp device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow read/write the hypervvssd device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow read/write access to InfiniBand devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write input event devices (/dev/input).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write ipmi devices (/dev/ipmi*).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to the kernel messages device
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to ksm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to kvm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the lirc device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the loop-control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the lvm control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the Intel mei control device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to modem devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to mouse devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the memory type range registers (MTRR).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to the null device (/dev/null).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write BIOS non-volatile RAM.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the PM QoS devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the power management device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the printer device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the QEMU device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and set the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write smartcard devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write and map the sysdig device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow caller to modify hardware state information.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the TPM device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow caller to modify usb hardware configuration files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write userio device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write vfio devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Allow read/write the vhost devices
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write VMWare devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write the wireless device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write Xen devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and write to the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, and mmap VMWare devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read, write, and execute the zero device (/dev/zero).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Read and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search the sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Search the directory containing USB hardware information.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the apm bios device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr on all block file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr on all character file device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of sysfs files, directories and symlinks.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the autofs device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the CPU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the dlm control devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr the dri devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the framebuffer device node.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes on generic block devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes for generic character device files.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of /dev directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Setattr the generic USB devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the event devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the ksm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the kvm devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the modem devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the mouse devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the null device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the power management device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the printer device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the QEMU microcode and id interfaces.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the scanner device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of usbfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of video4linux device nodes.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Set the attributes of X server miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Create, read, and write device nodes. The node will be transitioned to the type provided. This is a temporary interface until devtmpfs functionality is fixed.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
objectclass(es) |
Object class(es) (single or set including {}) for which this transition will occur. |
name |
The name of the object being created. |
Unconfined access to devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Unmount a sysfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Watch the directories in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the framebuffer.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write generic sock files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write generic socket files in /dev.
Parameter: | Description: |
---|---|
domain |
Domain to not audit. |
Write to the kernel messages device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write miscellaneous devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to the random device (e.g., /dev/random). This adds entropy used to generate the random data read from the random device.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
tunable |
Tunable to depend on. |
Set the realtime clock (/dev/rtc).
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the sound devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the sound mixer devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to hardware state information.
Allow the specified domain to write to the sysfs filesystem.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write in sysfs directories.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write USB monitor devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write the video4linux devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write to watchdog devices.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write and execute raw memory devices (e.g. /dev/mem). This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set. This is extremely dangerous as it can bypass the SELinux protections, and should only be used by trusted domains.
Parameter: | Description: |
---|---|
domain |
Domain allowed access. |
tunable |
Tunable to depend on. |