Layer: kernel

Module: kernel


Description:

Policy for kernel threads, proc filesystem, and unlabeled processes and objects.

This module is required to be included in all policies.


Booleans:

secure_mode_insmod
Default value

false

Description

Disable kernel module loading.


Interfaces:

kernel_associate_proc( domain )
Summary

Associate a file to proc_t (/proc)

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_change_ring_buffer_level( domain )
Summary

Change the level of kernel messages logged to the console.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_clear_ring_buffer( domain )
Summary

Allows the caller to clear the ring buffer.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_create_non_proc_init_mountpoint_files( domain )
Summary

Create systemd mountpoint files except proc entries.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_blk_files( domain )
Summary

Delete unlabeled block device nodes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_chr_files( domain )
Summary

Delete unlabeled character device nodes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_dirs( domain )
Summary

Delete unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_files( domain )
Summary

Delete unlabeled files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_pipes( domain )
Summary

Delete unlabeled named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_sockets( domain )
Summary

Delete unlabeled named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_delete_unlabeled_symlinks( domain )
Summary

Delete unlabeled symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_dgram_send( domain )
Summary

Send messages to kernel unix datagram sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_domtrans_to( domain , entrypoint )
Summary

Allows the kernel to start userland processes by transitioning to the specified domain.

Parameters
Parameter:Description:
domain

The process type entered by kernel.

entrypoint

The executable type for the entrypoint.

kernel_dontaudit_getattr_core_if( domain )
Summary

Do not audit attempts to get the attributes of core kernel interfaces.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_message_if( domain )
Summary

Do not audit attempts by caller to get the attributes of kernel message interfaces.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_proc( domain )
Summary

Do not audit attempts to get the attributes of the proc filesystem.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_blk_files( domain )
Summary

Do not audit attempts by caller to get attributes for unlabeled block devices.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_chr_files( domain )
Summary

Do not audit attempts by caller to get attributes for unlabeled character devices.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_files( domain )
Summary

Do not audit attempts by caller to get the attributes of an unlabeled file.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_pipes( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled named pipes.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_sockets( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled named sockets.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_getattr_unlabeled_symlinks( domain )
Summary

Do not audit attempts by caller to get the attributes of unlabeled symbolic links.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_link_key( domain )
Summary

Do not audit attempts to link to the kernel key ring.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_list_all_proc( domain )
Summary

Do not audit attempts to list all proc directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_list_all_sysctls( domain )
Summary

Do not audit attempts to list all sysctl directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_list_proc( domain )
Summary

Do not audit attempts to list the contents of directories in /proc.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_list_unlabeled( domain )
Summary

Do not audit attempts to list unlabeled directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_raw_recvfrom_unlabeled( domain )
Summary

Do not audit attempts to receive Raw IP packets from an unlabeled connection.

Description

Do not audit attempts to receive Raw IP packets from an unlabeled connection.

The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_read_kernel_sysctl( domain )
Summary

Do not audit attempts to read kernel sysctls.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_read_proc_symlinks( domain )
Summary

Do not audit attempts by caller to read symbolic links in proc.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_read_ring_buffer( domain )
Summary

Do not audit attempts to read the ring buffer.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_read_system_state( domain )
Summary

Do not audit attempts by caller to read system state information in proc.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_read_unlabeled_files( domain )
Summary

Do not audit attempts by caller to read an unlabeled file.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_recvfrom_unlabeled_peer( domain )
Summary

Do not audit attempts to receive packets from an unlabeled peer.

Description

Do not audit attempts to receive packets from an unlabeled peer. These packets do not have any peer labeling information present.

The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_request_load_module( domain )
Summary

Do not audit requests to the kernel to load a module.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_debugfs( domain )
Summary

Do not audit attempts to search the kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_fs_sysctls( domain )
Summary

Do not audit attempts to search filesystem sysctl directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_kernel_sysctl( domain )
Summary

Do not audit attempts to search generic kernel sysctls.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_key( domain )
Summary

Do not audit attempts to search the kernel key ring.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_network_state( domain )
Summary

Do not audit attempts to search the network state directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_network_sysctl( domain )
Summary

Do not audit attempts by caller to search network sysctl directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_sysctl( domain )
Summary

Do not audit attempts by caller to search the base directory of sysctls.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_unlabeled( domain )
Summary

Do not audit attempts to search unlabeled directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_search_xen_state( domain )
Summary

Do not audit attempts to search the xen state directory.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_sendrecv_unlabeled_association( domain )
Summary

Do not audit attempts to send and receive messages from an unlabeled IPSEC association.

Description

Do not audit attempts to send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.

The corenetwork interface corenet_dontaudit_non_ipsec_sendrecv() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_setattr_proc_dirs( domain )
Summary

Do not audit attempts to set the attributes of directories in /proc.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_tcp_recvfrom_unlabeled( domain )
Summary

Do not audit attempts to receive TCP packets from an unlabeled connection.

Description

Do not audit attempts to receive TCP packets from an unlabeled connection.

The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_udp_recvfrom_unlabeled( domain )
Summary

Do not audit attempts to receive UDP packets from an unlabeled connection.

Description

Do not audit attempts to receive UDP packets from an unlabeled connection.

The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_use_fds( domain )
Summary

Do not audit attempts to use kernel file descriptors.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_view_key( domain )
Summary

Do not audit attempts to view the kernel key ring.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_write_debugfs_dirs( domain )
Summary

Do not audit attempts to write kernel debugging filesystem dirs.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_write_kernel_ns_lastpid_sysctl( domain )
Summary

Do not audit attempts to write kernel ns lastpid sysctls.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_write_kernel_sysctl( domain )
Summary

Do not audit attempts to write generic kernel sysctls.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_write_proc_dirs( domain )
Summary

Do not audit attempts to write the directories in /proc.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dontaudit_write_unlabeled_chr_files( domain )
Summary

Do not audit attempts to write unlabeled character devices.

Parameters
Parameter:Description:
domain

Domain to not audit.

kernel_dyntrans_to( domain )
Summary

Allows the kernel to start userland processes by dynamic transitions to the specified domain.

Parameters
Parameter:Description:
domain

The process type entered by the kernel.

kernel_get_sysvipc_info( domain )
Summary

Get information on all System V IPC objects.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_core_if( domain )
Summary

Allows caller to get attributes of core kernel interface.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_debugfs( domain )
Summary

Get the attributes of a kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_dgram_sockets( domain )
Summary

Getattr on kernel unix datagram sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_message_if( domain )
Summary

Allow caller to get the attributes of kernel message interface (/proc/kmsg).

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_proc( domain )
Summary

Get the attributes of the proc filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_proc_files( domain )
Summary

Get the attributes of files in /proc.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_getattr_unlabeled_dirs( domain )
Summary

Get the attributes of unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_ib_access_unlabeled_pkeys( domain )
Summary

Access unlabeled infiniband pkeys.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_ib_manage_subnet_unlabeled_endports( domain )
Summary

Manage subnet on unlabeled Infiniband endports.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_kill( domain )
Summary

Send a kill signal to kernel threads.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_kill_unlabeled( domain )
Summary

Send a kill signal to unlabeled processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_link_key( domain )
Summary

Allow linking to the kernel key ring.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_list_all_proc( domain )
Summary

Allow attempts to list all proc directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_list_proc( domain )
Summary

List the contents of directories in /proc.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_list_unlabeled( domain )
Summary

List unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_load_module( domain )
Summary

Allows caller to load kernel modules.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_debugfs( domain )
Summary

Manage information from the debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_unlabeled_blk_files( domain )
Summary

Create, read, write, and delete unlabeled block device nodes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_unlabeled_chr_files( domain )
Summary

Create, read, write, and delete unlabeled character device nodes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_unlabeled_dirs( domain )
Summary

Create, read, write, and delete unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_unlabeled_files( domain )
Summary

Create, read, write, and delete unlabeled files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_manage_unlabeled_symlinks( domain )
Summary

Create, read, write, and delete unlabeled symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mount_debugfs( domain )
Summary

Mount a kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mount_kvmfs( domain )
Summary

Mount a kernel VM filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mount_proc( domain )
Summary

Mount the proc filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mount_unlabeled( domain )
Summary

Mount a kernel unlabeled filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_kernel_sysctl_files( domain )
Summary

Mount on kernel sysctl files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_message_if( domain )
Summary

Mount on kernel message interfaces files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_proc( domain )
Summary

Mount on proc directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_proc_dirs( domain )
Summary

Mount on the directories in /proc.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_sysctl_dirs( domain )
Summary

Mount on sysctl_t dirs.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_sysctl_files( domain )
Summary

Mount on sysctl files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_mounton_unlabeled_dirs( domain )
Summary

Mount a filesystem on an unlabeled directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_ranged_domtrans_to( domain , entrypoint , range )
Summary

Allows the kernel to start userland processes by transitioning to the specified domain, with a range transition.

Parameters
Parameter:Description:
domain

The process type entered by kernel.

entrypoint

The executable type for the entrypoint.

range

Range for the domain.

kernel_raw_recvfrom_unlabeled( domain )
Summary

Receive Raw IP packets from an unlabeled connection.

Description

Receive Raw IP packets from an unlabeled connection.

The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_all_sysctls( domain )
Summary

Allow caller to read all sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_core_if( domain )
Summary

Allows caller to read the core kernel interface.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_crypto_sysctls( domain )
Summary

Read generic crypto sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_debugfs( domain )
Summary

Read information from the debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_device_sysctls( domain )
Summary

Allow caller to read the device sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_fs_sysctls( domain )
Summary

Read filesystem sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_hotplug_sysctls( domain )
Summary

Read the hotplug sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_irq_sysctls( domain )
Summary

Read IRQ sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_kernel_ns_lastpid_sysctls( domain )
Summary

Read kernel ns lastpid sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_kernel_sysctls( domain )
Summary

Read general kernel sysctls.

Description

Allow the specified domain to read general kernel sysctl settings. These settings are typically read using the sysctl program. The settings that are included by this interface are prefixed with "kernel.", for example, kernel.sysrq.

This does not include access to the hotplug handler setting (kernel.hotplug) nor the module installer handler setting (kernel.modprobe).

Related interfaces:

  • kernel_rw_kernel_sysctl()

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_messages( domain )
Summary

Allow caller to read kernel messages using the /proc/kmsg interface.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_modprobe_sysctls( domain )
Summary

Read the modprobe sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_net_sysctls( domain )
Summary

Allow caller to read network sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_network_state( domain )
Summary

Read the network state information.

Description

Allow the specified domain to read the networking state information. This includes several pieces of networking information, such as network interface names, netfilter (iptables) statistics, protocol information, routes, and remote procedure call (RPC) information.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_network_state_symlinks( domain )
Summary

Allow caller to read the network state symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_proc_symlinks( domain )
Summary

Read generic symbolic links in /proc.

Description

Allow the specified domain to read (follow) generic symbolic links (symlinks) in the proc filesystem (/proc). This interface does not include access to the targets of these links. An example symlink is /proc/self.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_ring_buffer( domain )
Summary

Allows caller to read the ring buffer.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_rpc_sysctls( domain )
Summary

Read RPC sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_software_raid_state( domain )
Summary

Allow caller to read the state information for software raid.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_sysctl( domain )
Summary

Allow access to read sysctl directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_system_state( domain )
Summary

Allows caller to read system state information in /proc.

Description

Allow the specified domain to read general system state information from the proc filesystem (/proc).

Generally it should be safe to allow this access. Some example files that can be read based on this interface:

  • /proc/cpuinfo

  • /proc/meminfo

  • /proc/uptime

This does not allow access to sysctl entries (/proc/sys/*) nor process state information (/proc/pid).

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_unix_sysctls( domain )
Summary

Allow caller to read unix domain socket sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_unlabeled_files( domain )
Summary

Read unlabeled files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_unlabeled_state( domain )
Summary

Read the process state (/proc/pid) of all unlabeled_t.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_vm_overcommit_sysctl( domain )
Summary

Read virtual memory overcommit sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_vm_sysctls( domain )
Summary

Allow caller to read virtual memory sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_xen_state( domain )
Summary

Allow caller to read the xen state information.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_read_xen_state_symlinks( domain )
Summary

Allow caller to read the xen state symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_recvfrom_unlabeled_peer( domain )
Summary

Receive packets from an unlabeled peer.

Description

Receive packets from an unlabeled peer. These packets do not have any peer labeling information present.

The corenetwork interface corenet_recvfrom_unlabeled_peer() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_blk_devs( domain )
Summary

Allow caller to relabel from unlabeled block devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_chr_devs( domain )
Summary

Allow caller to relabel from unlabeled character devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_database( domain )
Summary

Relabel from unlabeled database objects.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_dirs( domain )
Summary

Allow caller to relabel unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_files( domain )
Summary

Allow caller to relabel unlabeled files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_pipes( domain )
Summary

Allow caller to relabel unlabeled named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_sockets( domain )
Summary

Allow caller to relabel unlabeled named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_relabelfrom_unlabeled_symlinks( domain )
Summary

Allow caller to relabel unlabeled symbolic links.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_remount_debugfs( domain )
Summary

Remount a kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_remount_proc( domain )
Summary

Remount the proc filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_request_load_module( domain )
Summary

Allows caller to request the kernel to load a module.

Description

Allow the specified domain to request that the kernel load a kernel module. An example of this is the auto-loading of network drivers when doing an ioctl() on a network interface.

In the specific case of a module loading request on a network interface, the domain will also need the net_admin capability.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rootfs_mountpoint( directory_type )
Summary

Allows the kernel to mount filesystems on the specified directory type.

Parameters
Parameter:Description:
directory_type

The type of the directory to use as a mountpoint.

kernel_rw_afs_state( domain )
Summary

Allow caller to read and write state information for AFS.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_all_sysctls( domain )
Summary

Read and write all sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_device_sysctls( domain )
Summary

Read and write device sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_fs_sysctls( domain )
Summary

Read and write filesystem sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_hotplug_sysctls( domain )
Summary

Read and write the hotplug sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_irq_sysctls( domain )
Summary

Read and write IRQ sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_kernel_ns_lastpid_sysctl( domain )
Summary

Read and write kernel ns lastpid sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_kernel_sysctl( domain )
Summary

Read and write generic kernel sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_modprobe_sysctls( domain )
Summary

Read and write the modprobe sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_net_sysctls( domain )
Summary

Allow caller to modify contents of sysctl network files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_netlink_audit_sockets( domain )
Summary

Send messages to kernel netlink audit sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_pipes( domain )
Summary

Read and write kernel unnamed pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_rpc_sysctls( domain )
Summary

Read and write RPC sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_software_raid_state( domain )
Summary

Allow caller to read and set the state information for software raid.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_stream_sockets( domain )
Summary

Read/write to kernel using a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_unix_dgram_sockets( domain )
Summary

Read and write kernel unix datagram sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_unix_sysctls( domain )
Summary

Read and write unix domain socket sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_unlabeled_blk_files( domain )
Summary

Read and write unlabeled block device nodes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_unlabeled_dirs( domain )
Summary

Read and write unlabeled directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_unlabeled_files( domain )
Summary

Read and write unlabeled files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_vm_overcommit_sysctl( domain )
Summary

Read and write virtual memory overcommit sysctl.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_rw_vm_sysctls( domain )
Summary

Read and write virtual memory sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_debugfs( domain )
Summary

Search the contents of a kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_fs_sysctls( domain )
Summary

Search filesystem sysctl directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_key( domain )
Summary

Allow searching the kernel key ring.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_network_state( domain )
Summary

Allow searching of network state directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_network_sysctl( domain )
Summary

Search network sysctl directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_proc( domain )
Summary

Search directories in /proc.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_vm_sysctl( domain )
Summary

Allow caller to search virtual memory sysctls.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_search_xen_state( domain )
Summary

Allow searching of xen state directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_sendrecv_unlabeled_association( domain )
Summary

Send and receive messages from an unlabeled IPSEC association.

Description

Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association.

The corenetwork interface corenet_non_ipsec_sendrecv() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_sendrecv_unlabeled_packets( domain )
Summary

Send and receive unlabeled packets.

Description

Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.

The corenetwork interface corenet_sendrecv_unlabeled_packets() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_setpgid( domain )
Summary

Set the process group of kernel threads.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_setsched( domain )
Summary

Set the priority of kernel threads.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_share_state( domain )
Summary

Allows the kernel to share state information with the caller.

Parameters
Parameter:Description:
domain

The type of the process with which to share state information.

kernel_sigchld( domain )
Summary

Send a SIGCHLD signal to kernel threads.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_sigchld_unlabeled( domain )
Summary

Send a child terminated signal to unlabeled processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_signal( domain )
Summary

Send a generic signal to kernel threads.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_signal_unlabeled( domain )
Summary

Send general signals to unlabeled processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_signull_unlabeled( domain )
Summary

Send a null signal to unlabeled processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_sigstop_unlabeled( domain )
Summary

Send a stop signal to unlabeled processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_stream_connect( domain )
Summary

Connect to kernel using a unix domain stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_tcp_recvfrom_unlabeled( domain )
Summary

Receive TCP packets from an unlabeled connection.

Description

Receive TCP packets from an unlabeled connection.

The corenetwork interface corenet_tcp_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_udp_recvfrom_unlabeled( domain )
Summary

Receive UDP packets from an unlabeled connection.

Description

Receive UDP packets from an unlabeled connection.

The corenetwork interface corenet_udp_recv_unlabeled() should be used instead of this one.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_unconfined( domain )
Summary

Unconfined access to kernel module resources.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_unlabeled_filetrans( domain , private type , object , name )
Summary

Create an object in unlabeled directories with a private type.

Parameters
Parameter:Description:
domain

Domain allowed access.

private type

The type of the object to be created.

object

The object class of the object being created.

name

The name of the object being created.

kernel_unmount_debugfs( domain )
Summary

Unmount a kernel debugging filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_unmount_proc( domain )
Summary

Unmount the proc filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_unmount_unlabeled( domain )
Summary

Unmount a kernel unlabeled filesystem.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_use_fds( domain )
Summary

Permits caller to use kernel file descriptors.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_view_key( domain )
Summary

Allow viewing the kernel key ring.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_write_key( domain )
Summary

Allow write access to the kernel key ring.

Parameters
Parameter:Description:
domain

Domain to allow.

kernel_write_non_proc_init_mountpoint_files( domain )
Summary

Write systemd mountpoint files except proc entries.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_write_proc_files( domain )
Summary

Write to generic proc entries.

Parameters
Parameter:Description:
domain

Domain allowed access.

kernel_write_xen_state( domain )
Summary

Allow caller to write xen state information.

Parameters
Parameter:Description:
domain

Domain allowed access.
