Layer: kernel

Module: domain


Description:

Core policy for domains.

This module is required to be included in all policies.


Tunables:

mmap_low_allowed
Default value

false

Description

Control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.


Interfaces:

domain_all_recvfrom_all_domains( type )
Summary

Allow the specified type to receive labeled networking packets from all domains, over all protocols (TCP, UDP, etc.).

Parameters
Parameter:Description:
type

Domain allowed access.

domain_base_type( type )
Summary

Make the specified type usable as a basic domain.

Description

Make the specified type usable as a basic domain.

This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.

Parameters
Parameter:Description:
type

Type to be used as a basic domain type.

domain_cron_exemption_source( domain )
Summary

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.

Parameters
Parameter:Description:
domain

Domain target for user exemption.

domain_cron_exemption_target( domain )
Summary

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.

Parameters
Parameter:Description:
domain

Domain target for user exemption.

domain_dontaudit_exec_all_entry_files( domain )
Summary

Do not audit checks for execute access on all entry point files.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_dgram_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains unix datagram sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_domains( domain )
Summary

Do not audit attempts to get the attributes of all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_entry_files( domain )
Summary

Do not audit attempts to get the attributes of all entry point files.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_key_sockets( domain )
Summary

Do not audit attempts to get attributes of all domains IPSEC key management sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_packet_sockets( domain )
Summary

Do not audit attempts to get attributes of all domains packet sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_pipes( domain )
Summary

Do not audit attempts to get the attributes of all domains unnamed pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_raw_sockets( domain )
Summary

Do not audit attempts to get attributes of all domains raw sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains sockets, for all socket types.

Description

Do not audit attempts to get the attributes of all domains sockets, for all socket types.

This interface was added for PCMCIA cardmgr and is probably excessive.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_stream_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains unix stream sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_tcp_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains TCP sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getattr_all_udp_sockets( domain )
Summary

Do not audit attempts to get the attributes of all domains UDP sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_getsession_all_domains( domain )
Summary

Do not audit attempts to get the session ID of all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_list_all_domains_state( domain )
Summary

Do not audit attempts to read the process state directories of all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_ptrace_all_domains( domain )
Summary

Do not audit attempts to ptrace all domains.

Description

Do not audit attempts to ptrace all domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_ptrace_confined_domains( domain )
Summary

Do not audit attempts to ptrace confined domains.

Description

Do not audit attempts to ptrace confined domains.

Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_read_all_domains_state( domain )
Summary

Do not audit attempts to read the process state (/proc/pid) of all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_rw_all_key_sockets( domain )
Summary

Do not audit attempts to read or write all domains key sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_rw_all_udp_sockets( domain )
Summary

Do not audit attempts to read or write all domains UDP sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_search_all_domains_state( domain )
Summary

Do not audit attempts to search the process state directory (/proc/pid) of all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_signal_all_domains( domain )
Summary

Do not audit attempts to send general signals to all domains.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dontaudit_use_interactive_fds( domain )
Summary

Do not audit attempts to inherit file descriptors from domains with interactive programs.

Parameters
Parameter:Description:
domain

Domain to not audit.

domain_dyntrans_type( domain )
Summary

Allow the specified domain to perform dynamic transitions.

Description

Allow the specified domain to perform dynamic transitions.

This violates process tranquility, and it is strongly suggested that this not be used.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_entry_file( domain , type )
Summary

Make the specified type usable as an entry point for the domain.

Parameters
Parameter:Description:
domain

Domain to be entered.

type

Type of program used for entering the domain.
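
A minimal policy module that uses domain_type() and domain_entry_file() together, added here as an example and not taken from the reference policy. The module name and the types myapp_t, myapp_exec_t and mylauncher_t are hypothetical; domtrans_pattern() is the reference policy's support macro for domain transitions.

```selinux
policy_module(myapp, 1.0.0)

########################################
# Declarations (all type names are hypothetical)

# Process type and the file type of its executable.
type myapp_t;
type myapp_exec_t;

# Every type used for a process must be marked as a domain.
domain_type(myapp_t)

# Processes may enter myapp_t only by executing a file labeled
# myapp_exec_t.
domain_entry_file(myapp_t, myapp_exec_t)

# Authorize the domain for the role it runs under.
role system_r types myapp_t;

# Hypothetical parent domain that starts the program.
type mylauncher_t;
domain_type(mylauncher_t)
role system_r types mylauncher_t;

########################################
# Policy

# Let mylauncher_t execute myapp_exec_t and transition to myapp_t.
# Without the entry point declared above, the transition is denied.
domtrans_pattern(mylauncher_t, myapp_exec_t, myapp_t)

# Use descriptors (for example a terminal) inherited from interactive
# domains. This covers the descriptor only; access to the object it
# refers to still needs its own allow rules.
domain_use_interactive_fds(myapp_t)
```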

domain_entry_file_spec_domtrans( domain , target_domain )
Summary

Execute an entry_type in the specified domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

domain_exec_all_entry_files( domain )
Summary

Execute the entry point files for all domains in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_all_domains( domain )
Summary

Get the attributes of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_all_entry_files( domain )
Summary

Get the attributes of entry point files for all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_all_pipes( domain )
Summary

Get the attributes of all domains unnamed pipes.

Description

Get the attributes of all domains unnamed pipes.

This is commonly used for domains that can use lsof on all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_all_sockets( domain )
Summary

Get the attributes of all domains sockets, for all socket types.

Description

Get the attributes of all domains sockets, for all socket types.

This is commonly used for domains that can use lsof on all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_all_stream_sockets( domain )
Summary

Get the attributes of all domains unix stream sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getattr_confined_domains( domain )
Summary

Get the attributes of all confined domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getcap_all_domains( domain )
Summary

Get the capability information of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getpgid_all_domains( domain )
Summary

Get the process group ID of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getsched_all_domains( domain )
Summary

Get the scheduler information of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_getsession_all_domains( domain )
Summary

Get the session ID of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_interactive_fd( domain )
Summary

Make the file descriptors of the specified domain available for interactive use (widely inheritable).

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_ipsec_setcontext_all_domains( type )
Summary

Allow specified type to set context of all domains IPSEC associations.

Parameters
Parameter:Description:
type

Domain allowed access.

domain_kill_all_domains( domain )
Summary

Send a kill signal to all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_manage_all_entry_files( domain )
Summary

Create, read, write, and delete all entrypoint files.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_mmap_all_entry_files( domain )
Summary

Mmap all entry point files as executable.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_mmap_low( domain )
Summary

Ability to mmap a low area of the address space conditionally, as configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploitation of NULL pointer dereference bugs in the kernel.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_mmap_low_uncond( domain )
Summary

Ability to mmap a low area of the address space unconditionally, as configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploitation of NULL pointer dereference bugs in the kernel.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_obj_id_change_exemption( domain )
Summary

Makes caller an exception to the constraint preventing changing the user identity in object contexts.

Parameters
Parameter:Description:
domain

The process type to make an exception to the constraint.

domain_ptrace_all_domains( domain )
Summary

Ptrace all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_public_key( type )
Summary

Allow all domains to search specified type keys.

Description

When setting up IMA/EVM, keys are added to the kernel keyring, but the type of each key is the domain that added it. This interface allows all domains to search the key so that IMA/EVM validation can happen.

Parameters
Parameter:Description:
type

Type of key to be searched.

domain_read_all_domains_state( domain )
Summary

Read the process state (/proc/pid) of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_read_all_entry_files( domain )
Summary

Read the entry point files for all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_read_confined_domains_state( domain )
Summary

Read the process state (/proc/pid) of all confined domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_relabel_all_entry_files( domain )
Summary

Relabel to and from all entry point file types.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_role_change_exemption( domain )
Summary

Makes caller an exception to the constraint preventing changing of role.

Parameters
Parameter:Description:
domain

The process type to make an exception to the constraint.

domain_search_all_domains_state( domain )
Summary

Search the process state directory (/proc/pid) of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_setpriority_all_domains( domain )
Summary

Set the nice level of all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_sigchld_all_domains( domain )
Summary

Send a child terminated signal to all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_sigchld_interactive_fds( domain )
Summary

Send a SIGCHLD signal to domains whose file descriptors are widely inheritable.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_signal_all_domains( domain )
Summary

Send general signals to all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_signull_all_domains( domain )
Summary

Send a null signal to all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_sigstop_all_domains( domain )
Summary

Send a stop signal to all domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_subj_id_change_exemption( domain )
Summary

Makes caller an exception to the constraint preventing changing of user identity.

Parameters
Parameter:Description:
domain

The process type to make an exception to the constraint.

domain_system_change_exemption( domain )
Summary

Makes caller an exception to the constraint preventing changing to the system user identity and system role.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_type( type )
Summary

Make the specified type usable as a domain.

Description

Make the specified type usable as a domain. This, or an interface that calls this interface, must be used on all types that are used as domains.

Related interfaces:

  • application_domain()

  • init_daemon_domain()

  • init_domain()

  • init_ranged_daemon_domain()

  • init_ranged_domain()

  • init_ranged_system_domain()

  • init_script_domain()

  • init_system_domain()

Example:

    type mydomain_t;
    domain_type(mydomain_t)
    type myfile_t;
    files_type(myfile_t)
    allow mydomain_t myfile_t:file read_file_perms;

Parameters
Parameter:Description:
type

Type to be used as a domain type.

domain_unconfined( domain )
Summary

Unconfined access to domains.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_unconfined_signal( domain )
Summary

Send generic signals to the unconfined domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_use_interactive_fds( domain )
Summary

Inherit and use file descriptors from domains with interactive programs.

Description

Allow the specified domain to inherit and use file descriptors from domains with interactive programs. This does not allow access to the objects being referenced by the file descriptors.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain_user_exemption_target( domain )
Summary

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

Description

Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.

This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.

Parameters
Parameter:Description:
domain

Domain target for user exemption.
