2 ## Policy for kernel threads, proc filesystem,
3 ## and unlabeled processes and objects.
5 ## <required val="true">
6 ## This module has initial SIDs.
9 ########################################
11 ## Allows the kernel to start userland processes
12 ## by transitioning to the specified domain.
14 ## <param name="domain">
16 ## The process type entered by kernel.
19 ## <param name="entrypoint">
21 ## The executable type for the entrypoint.
25 interface(`kernel_domtrans_to',`
30 domtrans_pattern(kernel_t, $2, $1)
33 ########################################
35 ## Allows the kernel to start userland processes
36 ## by transitioning to the specified domain,
37 ## with a range transition.
39 ## <param name="domain">
41 ## The process type entered by kernel.
44 ## <param name="entrypoint">
46 ## The executable type for the entrypoint.
49 ## <param name="range">
51 ## Range for the domain.
55 interface(`kernel_ranged_domtrans_to',`
# Ranged variant of kernel_domtrans_to: the first argument is the domain
# entered, the second the entrypoint executable type, the third the range
# given to the new process. The plain transition is delegated below.
60 kernel_domtrans_to($1, $2)
# NOTE(review): the same range_transition rule appears twice. The lines
# between the two copies are not visible in this listing; presumably each
# copy sits in its own conditional branch (MCS build vs. MLS build) -
# confirm against the full file before editing either one.
63 range_transition kernel_t $2:process $3;
67 range_transition kernel_t $2:process $3;
# Only the second copy is followed by mls_rangetrans_target for the new domain.
68 mls_rangetrans_target($1)
72 ########################################
74 ## Allows the kernel to mount filesystems on
75 ## the specified directory type.
77 ## <param name="directory_type">
79 ## The type of the directory to use as a mountpoint.
83 interface(`kernel_rootfs_mountpoint',`
88 allow kernel_t $1:dir mounton;
91 ########################################
93 ## Set the process group of kernel threads.
95 ## <param name="domain">
97 ## Domain allowed access.
101 interface(`kernel_setpgid',`
106 allow $1 kernel_t:process setpgid;
109 ########################################
111 ## Set the priority of kernel threads.
113 ## <param name="domain">
115 ## Domain allowed access.
119 interface(`kernel_setsched',`
124 allow $1 kernel_t:process setsched;
127 ########################################
129 ## Send a SIGCHLD signal to kernel threads.
131 ## <param name="domain">
133 ## Domain allowed access.
137 interface(`kernel_sigchld',`
142 allow $1 kernel_t:process sigchld;
145 ########################################
147 ## Send a kill signal to kernel threads.
149 ## <param name="domain">
151 ## Domain allowed access.
155 interface(`kernel_kill',`
160 allow $1 kernel_t:process sigkill;
163 ########################################
165 ## Send a generic signal to kernel threads.
167 ## <param name="domain">
169 ## Domain allowed access.
173 interface(`kernel_signal',`
178 allow $1 kernel_t:process signal;
181 ########################################
183 ## Allows the kernel to share state information with the specified process type.
186 ## <param name="domain">
188 ## The type of the process with which to share state information.
192 interface(`kernel_share_state',`
197 allow kernel_t $1:process share;
200 ########################################
202 ## Permits caller to use kernel file descriptors.
204 ## <param name="domain">
206 ## Domain allowed access.
210 interface(`kernel_use_fds',`
215 allow $1 kernel_t:fd use;
218 ########################################
220 ## Do not audit attempts to use
221 ## kernel file descriptors.
223 ## <param name="domain">
225 ## Domain to not audit.
229 interface(`kernel_dontaudit_use_fds',`
234 dontaudit $1 kernel_t:fd use;
237 ########################################
239 ## Read and write kernel unnamed pipes.
241 ## <param name="domain">
243 ## Domain allowed access.
247 interface(`kernel_rw_pipes',`
252 allow $1 kernel_t:fifo_file { read write };
255 ########################################
257 ## Read and write kernel unix datagram sockets.
259 ## <param name="domain">
261 ## Domain allowed access.
265 interface(`kernel_rw_unix_dgram_sockets',`
270 allow $1 kernel_t:unix_dgram_socket { read write ioctl };
273 ########################################
275 ## Send messages to kernel unix datagram sockets.
277 ## <param name="domain">
279 ## Domain allowed access.
283 interface(`kernel_dgram_send',`
288 allow $1 kernel_t:unix_dgram_socket sendto;
291 ########################################
293 ## Receive messages from kernel TCP sockets. (Deprecated)
295 ## <param name="domain">
297 ## Domain allowed access.
301 interface(`kernel_tcp_recvfrom',`
302 refpolicywarn(`$0($*) has been deprecated.')
305 ########################################
307 ## Send UDP network traffic to the kernel. (Deprecated)
309 ## <param name="domain">
311 ## Domain allowed access.
315 interface(`kernel_udp_send',`
316 refpolicywarn(`$0($*) has been deprecated.')
319 ########################################
321 ## Receive messages from kernel UDP sockets. (Deprecated)
323 ## <param name="domain">
325 ## Domain allowed access.
329 interface(`kernel_udp_recvfrom',`
330 refpolicywarn(`$0($*) has been deprecated.')
333 ########################################
335 ## Allows caller to load kernel modules
337 ## <param name="domain">
339 ## Domain allowed access.
343 interface(`kernel_load_module',`
# Grants the caller domain what it needs to insert kernel modules.
# NOTE(review): the attribute line below is a declaration; its enclosing
# require block is not visible in this listing.
345 attribute can_load_kernmodule;
# sys_module is the capability that permits loading and unloading kernel
# modules, so a domain given this interface can place code in the kernel.
# Hand it only to domains whose job is module loading.
348 allow $1 self:capability sys_module;
# Tag the caller so that every module-loading domain can be enumerated
# through one attribute (presumably also referenced by policy assertions
# elsewhere - confirm in the matching .te file).
349 typeattribute $1 can_load_kernmodule;
351 # load_module() calls stop_machine() which
352 # calls sched_setscheduler()
353 allow $1 self:capability sys_nice;
357 ########################################
359 ## Allow searching the kernel key ring.
361 ## <param name="domain">
363 ## Domain allowed access.
367 interface(`kernel_search_key',`
372 allow $1 kernel_t:key search;
375 ########################################
377 ## Do not audit attempts to search the kernel key ring.
379 ## <param name="domain">
381 ## Domain to not audit.
385 interface(`kernel_dontaudit_search_key',`
390 dontaudit $1 kernel_t:key search;
393 ########################################
395 ## Allow linking to the kernel key ring.
397 ## <param name="domain">
399 ## Domain allowed access.
403 interface(`kernel_link_key',`
408 allow $1 kernel_t:key link;
411 ########################################
413 ## Do not audit attempts to link to the kernel key ring.
415 ## <param name="domain">
417 ## Domain to not audit.
421 interface(`kernel_dontaudit_link_key',`
426 dontaudit $1 kernel_t:key link;
429 ########################################
431 ## Allows caller to read the ring buffer.
433 ## <param name="domain">
435 ## Domain allowed access.
440 interface(`kernel_read_ring_buffer',`
445 allow $1 kernel_t:system syslog_read;
448 ########################################
450 ## Do not audit attempts to read the ring buffer.
452 ## <param name="domain">
454 ## Domain to not audit.
458 interface(`kernel_dontaudit_read_ring_buffer',`
463 dontaudit $1 kernel_t:system syslog_read;
466 ########################################
468 ## Change the level of kernel messages logged to the console.
470 ## <param name="domain">
472 ## Domain allowed access.
477 interface(`kernel_change_ring_buffer_level',`
482 allow $1 kernel_t:system syslog_console;
485 ########################################
487 ## Allows the caller to clear the ring buffer.
489 ## <param name="domain">
491 ## Domain allowed access.
496 interface(`kernel_clear_ring_buffer',`
# syslog_mod on the system class lets the caller clear the kernel ring buffer.
# Cleared messages are no longer available to later readers of the buffer,
# so this is worth restricting to logging and administration domains.
501 allow $1 kernel_t:system syslog_mod;
504 ########################################
506 ## Allows caller to request the kernel to load a module
510 ## Allow the specified domain to request that the kernel
511 ## load a kernel module. An example of this is the
512 ## auto-loading of network drivers when doing an
513 ## ioctl() on a network interface.
516 ## In the specific case of a module loading request
517 ## on a network interface, the domain will also
518 ## need the net_admin capability.
521 ## <param name="domain">
523 ## Domain allowed access.
527 interface(`kernel_request_load_module',`
# module_request covers the caller triggering a kernel-initiated module load
# (auto-loading). The rule shown here does not grant the sys_module
# capability; compare kernel_load_module, which lets the caller load
# modules directly.
532 allow $1 kernel_t:system module_request;
535 ########################################
537 ## Do not audit requests to the kernel to load a module.
539 ## <param name="domain">
541 ## Domain to not audit.
545 interface(`kernel_dontaudit_request_load_module',`
550 dontaudit $1 kernel_t:system module_request;
553 ########################################
555 ## Get information on all System V IPC objects.
557 ## <param name="domain">
559 ## Domain allowed access.
563 interface(`kernel_get_sysvipc_info',`
568 allow $1 kernel_t:system ipc_info;
571 ########################################
573 ## Get the attributes of a kernel debugging filesystem.
575 ## <param name="domain">
577 ## Domain allowed access.
581 interface(`kernel_getattr_debugfs',`
586 allow $1 debugfs_t:filesystem getattr;
589 ########################################
591 ## Mount a kernel debugging filesystem.
593 ## <param name="domain">
595 ## Domain allowed access.
599 interface(`kernel_mount_debugfs',`
604 allow $1 debugfs_t:filesystem mount;
607 ########################################
609 ## Unmount a kernel debugging filesystem.
611 ## <param name="domain">
613 ## Domain allowed access.
617 interface(`kernel_unmount_debugfs',`
622 allow $1 debugfs_t:filesystem unmount;
625 ########################################
627 ## Remount a kernel debugging filesystem.
629 ## <param name="domain">
631 ## Domain allowed access.
635 interface(`kernel_remount_debugfs',`
640 allow $1 debugfs_t:filesystem remount;
643 ########################################
645 ## Search the contents of a kernel debugging filesystem.
647 ## <param name="domain">
649 ## Domain allowed access.
653 interface(`kernel_search_debugfs',`
658 search_dirs_pattern($1, debugfs_t, debugfs_t)
661 ########################################
663 ## Do not audit attempts to search the kernel debugging filesystem.
665 ## <param name="domain">
667 ## Domain to not audit.
671 interface(`kernel_dontaudit_search_debugfs',`
676 dontaudit $1 debugfs_t:dir search_dir_perms;
679 ########################################
681 ## Read information from the debugging filesystem.
683 ## <param name="domain">
685 ## Domain allowed access.
689 interface(`kernel_read_debugfs',`
694 read_files_pattern($1, debugfs_t, debugfs_t)
695 read_lnk_files_pattern($1, debugfs_t, debugfs_t)
696 list_dirs_pattern($1, debugfs_t, debugfs_t)
699 ########################################
701 ## Read/Write information from the debugging filesystem.
703 ## <param name="domain">
705 ## Domain allowed access.
709 interface(`kernel_rw_debugfs',`
714 rw_files_pattern($1, debugfs_t, debugfs_t)
715 read_lnk_files_pattern($1, debugfs_t, debugfs_t)
716 list_dirs_pattern($1, debugfs_t, debugfs_t)
719 ########################################
721 ## Manage information from the debugging filesystem.
723 ## <param name="domain">
725 ## Domain allowed access.
729 interface(`kernel_manage_debugfs',`
# Widest of the debugfs file interfaces in this file: manage access to
# debugfs_t files, plus reading symlinks and listing directories.
# debugfs carries kernel debugging data, so prefer kernel_read_debugfs when
# the caller only needs to read.
734 manage_files_pattern($1, debugfs_t, debugfs_t)
735 read_lnk_files_pattern($1, debugfs_t, debugfs_t)
736 list_dirs_pattern($1, debugfs_t, debugfs_t)
739 ########################################
741 ## Mount a kernel VM filesystem.
743 ## <param name="domain">
745 ## Domain allowed access.
749 interface(`kernel_mount_kvmfs',`
754 allow $1 kvmfs_t:filesystem mount;
757 ########################################
759 ## Unmount the proc filesystem.
761 ## <param name="domain">
763 ## Domain allowed access.
767 interface(`kernel_unmount_proc',`
772 allow $1 proc_t:filesystem unmount;
775 ########################################
777 ## Get the attributes of the proc filesystem.
779 ## <param name="domain">
781 ## Domain allowed access.
785 interface(`kernel_getattr_proc',`
790 allow $1 proc_t:filesystem getattr;
793 ########################################
795 ## Search directories in /proc.
797 ## <param name="domain">
799 ## Domain allowed access.
803 interface(`kernel_search_proc',`
808 search_dirs_pattern($1, proc_t, proc_t)
811 ########################################
813 ## List the contents of directories in /proc.
815 ## <param name="domain">
817 ## Domain allowed access.
821 interface(`kernel_list_proc',`
826 list_dirs_pattern($1, proc_t, proc_t)
829 ########################################
831 ## Do not audit attempts to list the
832 ## contents of directories in /proc.
834 ## <param name="domain">
836 ## Domain to not audit.
840 interface(`kernel_dontaudit_list_proc',`
845 dontaudit $1 proc_t:dir list_dir_perms;
848 ########################################
850 ## Get the attributes of files in /proc.
852 ## <param name="domain">
854 ## Domain allowed access.
858 interface(`kernel_getattr_proc_files',`
863 getattr_files_pattern($1, proc_t, proc_t)
866 ########################################
868 ## Read generic symbolic links in /proc.
872 ## Allow the specified domain to read (follow) generic
873 ## symbolic links (symlinks) in the proc filesystem (/proc).
874 ## This interface does not include access to the targets of
875 ## these links. An example symlink is /proc/self.
878 ## <param name="domain">
880 ## Domain allowed access.
883 ## <infoflow type="read" weight="10"/>
885 interface(`kernel_read_proc_symlinks',`
890 read_lnk_files_pattern($1, proc_t, proc_t)
893 ########################################
895 ## Allows caller to read system state information in /proc.
899 ## Allow the specified domain to read general system
900 ## state information from the proc filesystem (/proc).
903 ## Generally it should be safe to allow this access. Some
904 ## example files that can be read based on this interface:
907 ## <li>/proc/cpuinfo</li>
908 ## <li>/proc/meminfo</li>
909 ## <li>/proc/uptime</li>
912 ## This does not allow access to sysctl entries (/proc/sys/*)
913 ## nor process state information (/proc/pid).
916 ## <param name="domain">
918 ## Domain allowed access.
921 ## <infoflow type="read" weight="10"/>
924 interface(`kernel_read_system_state',`
929 read_files_pattern($1, proc_t, proc_t)
930 read_lnk_files_pattern($1, proc_t, proc_t)
932 list_dirs_pattern($1, proc_t, proc_t)
935 ########################################
937 ## Write to generic proc entries.
939 ## <param name="domain">
941 ## Domain allowed access.
946 # cjp: this should probably go away. any
947 # file thats writable in proc should really
948 # have its own label.
950 interface(`kernel_write_proc_files',`
# Write access to every file carrying the generic proc_t label, not to one
# specific entry. As the comment above this interface says, writable proc
# files are better given their own type so access can be granted per file.
955 write_files_pattern($1, proc_t, proc_t)
958 ########################################
960 ## Do not audit attempts by caller to
961 ## read system state information in proc.
963 ## <param name="domain">
965 ## Domain to not audit.
969 interface(`kernel_dontaudit_read_system_state',`
974 dontaudit $1 proc_t:file read_file_perms;
977 ########################################
979 ## Do not audit attempts by caller to
980 ## read system state information in proc.
982 ## <param name="domain">
984 ## Domain to not audit.
988 interface(`kernel_dontaudit_read_proc_symlinks',`
# NOTE(review): the summary above repeats the text of
# kernel_dontaudit_read_system_state. The rule here silences denials for
# reading proc_t symbolic links (lnk_file read), not proc_t files.
# dontaudit only suppresses the log entry; the access itself stays denied.
993 dontaudit $1 proc_t:lnk_file read;
996 #######################################
998 ## Allow caller to read and write state information for AFS.
1000 ## <param name="domain">
1002 ## Domain allowed access.
1007 interface(`kernel_rw_afs_state',`
1009 type proc_t, proc_afs_t;
1012 list_dirs_pattern($1, proc_t, proc_t)
1013 rw_files_pattern($1, proc_afs_t, proc_afs_t)
1016 #######################################
1018 ## Allow caller to read the state information for software raid.
1020 ## <param name="domain">
1022 ## Domain allowed access.
1027 interface(`kernel_read_software_raid_state',`
1029 type proc_t, proc_mdstat_t;
1032 read_files_pattern($1, proc_t, proc_mdstat_t)
1034 list_dirs_pattern($1, proc_t, proc_t)
1037 #######################################
1039 ## Allow caller to read and set the state information for software raid.
1041 ## <param name="domain">
1043 ## Domain allowed access.
1047 interface(`kernel_rw_software_raid_state',`
1049 type proc_t, proc_mdstat_t;
1052 rw_files_pattern($1, proc_t, proc_mdstat_t)
1054 list_dirs_pattern($1, proc_t, proc_t)
1057 ########################################
1059 ## Allows caller to get attributes of core kernel interface.
1061 ## <param name="domain">
1063 ## Domain allowed access.
1067 interface(`kernel_getattr_core_if',`
1069 type proc_t, proc_kcore_t;
1072 getattr_files_pattern($1, proc_t, proc_kcore_t)
1074 list_dirs_pattern($1, proc_t, proc_t)
1077 ########################################
1079 ## Do not audit attempts to get the attributes of
1080 ## core kernel interfaces.
1082 ## <param name="domain">
1084 ## Domain to not audit.
1088 interface(`kernel_dontaudit_getattr_core_if',`
1093 dontaudit $1 proc_kcore_t:file getattr;
1096 ########################################
1098 ## Allows caller to read the core kernel interface.
1100 ## <param name="domain">
1102 ## Domain allowed access.
1106 interface(`kernel_read_core_if',`
# NOTE(review): the next two lines are declarations; the enclosing require
# block is not visible in this listing.
1108 type proc_t, proc_kcore_t;
1109 attribute can_dump_kernel;
# Grants the sys_rawio capability alongside file read access to
# proc_kcore_t; opening the kernel core file is gated on that capability.
1112 allow $1 self:capability sys_rawio;
1113 read_files_pattern($1, proc_t, proc_kcore_t)
1114 list_dirs_pattern($1, proc_t, proc_t)
# Mark the caller as able to dump the kernel. This access exposes kernel
# memory contents (which may include secrets), so it should stay limited to
# dedicated debugging or crash-analysis domains.
1116 typeattribute $1 can_dump_kernel;
1119 ########################################
1121 ## Allow caller to read kernel messages
1122 ## using the /proc/kmsg interface.
1124 ## <param name="domain">
1126 ## Domain allowed access.
1130 interface(`kernel_read_messages',`
1132 attribute can_receive_kernel_messages;
1133 type proc_kmsg_t, proc_t;
# Read access to the proc_kmsg_t file (/proc/kmsg per the interface summary).
1136 read_files_pattern($1, proc_t, proc_kmsg_t)
# Tag the caller so domains that receive kernel messages can be listed
# through a single attribute. Kernel messages can disclose addresses and
# other system details, so keep this to logging domains.
1138 typeattribute $1 can_receive_kernel_messages;
1141 ########################################
1143 ## Allow caller to get the attributes of kernel message
1144 ## interface (/proc/kmsg).
1146 ## <param name="domain">
1148 ## Domain allowed access.
1152 interface(`kernel_getattr_message_if',`
1154 type proc_kmsg_t, proc_t;
1157 getattr_files_pattern($1, proc_t, proc_kmsg_t)
1160 ########################################
1162 ## Do not audit attempts by caller to get the attributes of kernel
1163 ## message interfaces.
1165 ## <param name="domain">
1167 ## Domain to not audit.
1171 interface(`kernel_dontaudit_getattr_message_if',`
1173 type proc_kmsg_t, proc_t;
1176 dontaudit $1 proc_kmsg_t:file getattr;
1179 ########################################
1181 ## Do not audit attempts to search the network state directory.
1184 ## <param name="domain">
1186 ## Domain to not audit.
1191 interface(`kernel_dontaudit_search_network_state',`
1196 dontaudit $1 proc_net_t:dir search;
1199 ########################################
1201 ## Allow searching of network state directory.
1203 ## <param name="domain">
1205 ## Domain allowed access.
1210 interface(`kernel_search_network_state',`
1215 search_dirs_pattern($1, proc_t, proc_net_t)
1218 ########################################
1220 ## Read the network state information.
1224 ## Allow the specified domain to read the networking
1225 ## state information. This includes several pieces
1226 ## of networking information, such as network interface
1227 ## names, netfilter (iptables) statistics, protocol
1228 ## information, routes, and remote procedure call (RPC) status.
1232 ## <param name="domain">
1234 ## Domain allowed access.
1237 ## <infoflow type="read" weight="10"/>
1240 interface(`kernel_read_network_state',`
1242 type proc_t, proc_net_t;
1245 read_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
1246 read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
1248 list_dirs_pattern($1, proc_t, proc_net_t)
1251 ########################################
1253 ## Allow caller to read the network state symbolic links.
1255 ## <param name="domain">
1257 ## Domain allowed access.
1261 interface(`kernel_read_network_state_symlinks',`
1263 type proc_t, proc_net_t;
1266 read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t)
1268 list_dirs_pattern($1, proc_t, proc_net_t)
1271 ########################################
1273 ## Allow searching of xen state directory.
1275 ## <param name="domain">
1277 ## Domain allowed access.
1282 interface(`kernel_search_xen_state',`
1284 type proc_t, proc_xen_t;
1287 search_dirs_pattern($1, proc_t, proc_xen_t)
1290 ########################################
1292 ## Do not audit attempts to search the xen state directory.
1295 ## <param name="domain">
1297 ## Domain to not audit.
1302 interface(`kernel_dontaudit_search_xen_state',`
1307 dontaudit $1 proc_xen_t:dir search;
1310 ########################################
1312 ## Allow caller to read the xen state information.
1314 ## <param name="domain">
1316 ## Domain allowed access.
1321 interface(`kernel_read_xen_state',`
1323 type proc_t, proc_xen_t;
1326 read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
1327 read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
1329 list_dirs_pattern($1, proc_t, proc_xen_t)
1332 ########################################
1334 ## Allow caller to read the xen state symbolic links.
1336 ## <param name="domain">
1338 ## Domain allowed access.
1343 interface(`kernel_read_xen_state_symlinks',`
1345 type proc_t, proc_xen_t;
1348 read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
1350 list_dirs_pattern($1, proc_t, proc_xen_t)
1353 ########################################
1355 ## Allow caller to write xen state information.
1357 ## <param name="domain">
1359 ## Domain allowed access.
1364 interface(`kernel_write_xen_state',`
1366 type proc_t, proc_xen_t;
1369 write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t)
1372 ########################################
1374 ## Allow attempts to list all proc directories.
1376 ## <param name="domain">
1378 ## Domain allowed access.
1382 interface(`kernel_list_all_proc',`
1384 attribute proc_type;
1387 allow $1 proc_type:dir list_dir_perms;
1388 allow $1 proc_type:file getattr;
1391 ########################################
1393 ## Do not audit attempts to list all proc directories.
1395 ## <param name="domain">
1397 ## Domain to not audit.
1401 interface(`kernel_dontaudit_list_all_proc',`
1403 attribute proc_type;
1406 dontaudit $1 proc_type:dir list_dir_perms;
1407 dontaudit $1 proc_type:file getattr;
1410 ########################################
1412 ## Do not audit attempts by caller to search
1413 ## the base directory of sysctls.
1415 ## <param name="domain">
1417 ## Domain to not audit.
1422 interface(`kernel_dontaudit_search_sysctl',`
1427 dontaudit $1 sysctl_t:dir search;
1430 ########################################
1432 ## Allow access to read sysctl directories.
1434 ## <param name="domain">
1436 ## Domain allowed access.
1441 interface(`kernel_read_sysctl',`
1443 type sysctl_t, proc_t;
1446 list_dirs_pattern($1, proc_t, sysctl_t)
1447 read_files_pattern($1, sysctl_t, sysctl_t)
1450 ########################################
1452 ## Allow caller to read the device sysctls.
1454 ## <param name="domain">
1456 ## Domain allowed access.
1461 interface(`kernel_read_device_sysctls',`
1463 type proc_t, sysctl_t, sysctl_dev_t;
1466 read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
1468 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
1471 ########################################
1473 ## Read and write device sysctls.
1475 ## <param name="domain">
1477 ## Domain allowed access.
1482 interface(`kernel_rw_device_sysctls',`
1484 type proc_t, sysctl_t, sysctl_dev_t;
1487 rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t)
1489 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t)
1492 ########################################
1494 ## Allow caller to search virtual memory sysctls.
1496 ## <param name="domain">
1498 ## Domain allowed access.
1502 interface(`kernel_search_vm_sysctl',`
1504 type proc_t, sysctl_t, sysctl_vm_t;
1507 search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
1510 ########################################
1512 ## Allow caller to read virtual memory sysctls.
1514 ## <param name="domain">
1516 ## Domain allowed access.
1521 interface(`kernel_read_vm_sysctls',`
1523 type proc_t, sysctl_t, sysctl_vm_t;
1526 read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
1528 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
1531 ########################################
1533 ## Read and write virtual memory sysctls.
1535 ## <param name="domain">
1537 ## Domain allowed access.
1542 interface(`kernel_rw_vm_sysctls',`
1544 type proc_t, sysctl_t, sysctl_vm_t;
# Read/write on sysctl_vm_t files, reached through proc_t and sysctl_t dirs.
1547 rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
1548 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
# NOTE(review): unlike the other rw sysctl interfaces shown in this file, this
# one also grants write on the sysctl_vm_t directory itself. The reason is
# not visible in this listing - confirm it is still needed.
1551 allow $1 sysctl_vm_t:dir write;
1554 ########################################
1556 ## Search network sysctl directories.
1558 ## <param name="domain">
1560 ## Domain allowed access.
1564 interface(`kernel_search_network_sysctl',`
1566 type proc_t, sysctl_t, sysctl_net_t;
1569 search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
1572 ########################################
1574 ## Do not audit attempts by caller to search network sysctl directories.
1576 ## <param name="domain">
1578 ## Domain to not audit.
1582 interface(`kernel_dontaudit_search_network_sysctl',`
1587 dontaudit $1 sysctl_net_t:dir search;
1590 ########################################
1592 ## Allow caller to read network sysctls.
1594 ## <param name="domain">
1596 ## Domain allowed access.
1601 interface(`kernel_read_net_sysctls',`
1603 type proc_t, sysctl_t, sysctl_net_t;
1606 read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
1608 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
1611 ########################################
1613 ## Allow caller to modify contents of sysctl network files.
1615 ## <param name="domain">
1617 ## Domain allowed access.
1622 interface(`kernel_rw_net_sysctls',`
1624 type proc_t, sysctl_t, sysctl_net_t;
1627 rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
1629 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
1632 ########################################
1634 ## Allow caller to read unix domain socket sysctls.
1637 ## <param name="domain">
1639 ## Domain allowed access.
1644 interface(`kernel_read_unix_sysctls',`
1646 type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
1649 read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
1651 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
1654 ########################################
1656 ## Read and write unix domain socket sysctls.
1659 ## <param name="domain">
1661 ## Domain allowed access.
1666 interface(`kernel_rw_unix_sysctls',`
1668 type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
1671 rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
1673 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
1676 ########################################
1678 ## Read the hotplug sysctl.
1680 ## <param name="domain">
1682 ## Domain allowed access.
1687 interface(`kernel_read_hotplug_sysctls',`
1689 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
1692 read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
1694 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1697 ########################################
1699 ## Read and write the hotplug sysctl.
1701 ## <param name="domain">
1703 ## Domain allowed access.
1708 interface(`kernel_rw_hotplug_sysctls',`
1710 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
# Write access to sysctl_hotplug_t. The kernel_read_kernel_sysctls description
# in this file calls kernel.hotplug the hotplug handler setting, so a domain
# that can write it influences which handler is used for hotplug events.
# Grant to tightly confined domains only; use kernel_read_hotplug_sysctls
# when read access is enough.
1713 rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t)
1715 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1718 ########################################
1720 ## Read the modprobe sysctl.
1722 ## <param name="domain">
1724 ## Domain allowed access.
1729 interface(`kernel_read_modprobe_sysctls',`
1731 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
1734 read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
1736 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1739 ########################################
1741 ## Read and write the modprobe sysctl.
1743 ## <param name="domain">
1745 ## Domain allowed access.
1750 interface(`kernel_rw_modprobe_sysctls',`
1752 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
# Write access to sysctl_modprobe_t. The kernel_read_kernel_sysctls description
# in this file calls kernel.modprobe the module installer handler setting,
# so a domain that can write it influences which helper is used when the
# kernel loads modules. Grant to tightly confined domains only; use
# kernel_read_modprobe_sysctls when read access is enough.
1755 rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t)
1757 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1760 ########################################
1762 ## Do not audit attempts to search generic kernel sysctls.
1764 ## <param name="domain">
1766 ## Domain to not audit.
1770 interface(`kernel_dontaudit_search_kernel_sysctl',`
1772 type sysctl_kernel_t;
1775 dontaudit $1 sysctl_kernel_t:dir search;
1778 ########################################
1780 ## Read generic crypto sysctls.
1782 ## <param name="domain">
1784 ## Domain allowed access.
1788 interface(`kernel_read_crypto_sysctls',`
1790 type proc_t, sysctl_t, sysctl_crypto_t;
1793 read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
1794 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
1797 ########################################
1799 ## Read general kernel sysctls.
1803 ## Allow the specified domain to read general
1804 ## kernel sysctl settings. These settings are typically
1805 ## read using the sysctl program. The settings
1806 ## that are included by this interface are prefixed
1807 ## with "kernel.", for example, kernel.sysrq.
1810 ## This does not include access to the hotplug
1811 ## handler setting (kernel.hotplug)
1812 ## nor the module installer handler setting
1813 ## (kernel.modprobe).
1816 ## Related interfaces:
1819 ## <li>kernel_rw_kernel_sysctl()</li>
1822 ## <param name="domain">
1824 ## Domain allowed access.
1827 ## <infoflow type="read" weight="10"/>
1829 interface(`kernel_read_kernel_sysctls',`
1831 type proc_t, sysctl_t, sysctl_kernel_t;
1834 read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
1836 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1839 ########################################
1841 ## Do not audit attempts to write generic kernel sysctls.
1843 ## <param name="domain">
1845 ## Domain to not audit.
1849 interface(`kernel_dontaudit_write_kernel_sysctl',`
1851 type sysctl_kernel_t;
1854 dontaudit $1 sysctl_kernel_t:file write;
1857 ########################################
1859 ## Read and write generic kernel sysctls.
1861 ## <param name="domain">
1863 ## Domain allowed access.
1868 interface(`kernel_rw_kernel_sysctl',`
1870 type proc_t, sysctl_t, sysctl_kernel_t;
1873 rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
1875 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
1878 ########################################
1880 ## Read filesystem sysctls.
1882 ## <param name="domain">
1884 ## Domain allowed access.
1889 interface(`kernel_read_fs_sysctls',`
1891 type proc_t, sysctl_t, sysctl_fs_t;
1894 read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
1896 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
1899 ########################################
1901 ## Read and write filesystem sysctls.
1903 ## <param name="domain">
1905 ## Domain allowed access.
1910 interface(`kernel_rw_fs_sysctls',`
1912 type proc_t, sysctl_t, sysctl_fs_t;
1915 rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
1917 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
1920 ########################################
1922 ## Read IRQ sysctls.
1924 ## <param name="domain">
1926 ## Domain allowed access.
1931 interface(`kernel_read_irq_sysctls',`
1933 type proc_t, sysctl_irq_t;
1936 read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
1938 list_dirs_pattern($1, proc_t, sysctl_irq_t)
1941 ########################################
1943 ## Read and write IRQ sysctls.
1945 ## <param name="domain">
1947 ## Domain allowed access.
1952 interface(`kernel_rw_irq_sysctls',`
1954 type proc_t, sysctl_irq_t;
1957 rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
1959 list_dirs_pattern($1, proc_t, sysctl_irq_t)
1962 ########################################
1964 ## Read RPC sysctls.
1966 ## <param name="domain">
1968 ## Domain allowed access.
1973 interface(`kernel_read_rpc_sysctls',`
1975 type proc_t, proc_net_t, sysctl_rpc_t;
1978 read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
1980 list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
1983 ########################################
1985 ## Read and write RPC sysctls.
1987 ## <param name="domain">
1989 ## Domain allowed access.
1994 interface(`kernel_rw_rpc_sysctls',`
1996 type proc_t, proc_net_t, sysctl_rpc_t;
1999 rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
2001 list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
2004 ########################################
2006 ## Do not audit attempts to list all sysctl directories.
2008 ## <param name="domain">
2010 ## Domain to not audit.
2014 interface(`kernel_dontaudit_list_all_sysctls',`
2016 attribute sysctl_type;
# Silences audit records for denied directory listing on every type that
# carries the sysctl_type attribute. The access itself stays denied.
2019 dontaudit $1 sysctl_type:dir list_dir_perms;
# Beyond what the summary states, denied reads of sysctl files are also
# silenced. When investigating a domain that uses this interface, rebuild
# the policy with dontaudit rules disabled (semodule -DB) so these denials
# show up in the audit log again.
2020 dontaudit $1 sysctl_type:file read_file_perms;
2023 ########################################
2025 ## Allow caller to read all sysctls.
2027 ## <param name="domain">
2029 ## Domain allowed access.
2034 interface(`kernel_read_all_sysctls',`
2036 attribute sysctl_type;
2037 type proc_t, proc_net_t;
2040 # proc_net_t for /proc/net/rpc sysctls
2041 read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
2043 list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
2046 ########################################
2048 ## Read and write all sysctls.
2050 ## <param name="domain">
2052 ## Domain allowed access.
2057 interface(`kernel_rw_all_sysctls',`
# Broadest sysctl interface in this section: read and write access is
# granted on every type carrying the sysctl_type attribute. Where a caller
# needs only one subtree, a narrower interface such as kernel_rw_fs_sysctls
# or kernel_rw_irq_sysctls is the least-privilege choice.
2059 attribute sysctl_type;
2060 type proc_t, proc_net_t;
2063 # proc_net_t for /proc/net/rpc sysctls
2064 rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
2066 allow $1 sysctl_type:dir list_dir_perms;
2067 # why is setattr needed?
# NOTE(review): the question above is unanswered in this file. setattr on
# every sysctl file goes beyond the read and write access the summary
# describes; confirm that a caller depends on it before keeping the rule.
2068 allow $1 sysctl_type:file setattr;
2071 ########################################
2073 ## Send a kill signal to unlabeled processes.
2075 ## <param name="domain">
2077 ## Domain allowed access.
2081 interface(`kernel_kill_unlabeled',`
2086 allow $1 unlabeled_t:process sigkill;
2089 ########################################
2091 ## Mount a kernel unlabeled filesystem.
2093 ## <param name="domain">
2095 ## Domain allowed access.
2099 interface(`kernel_mount_unlabeled',`
2104 allow $1 unlabeled_t:filesystem mount;
2107 ########################################
2109 ## Unmount a kernel unlabeled filesystem.
2111 ## <param name="domain">
2113 ## Domain allowed access.
2117 interface(`kernel_unmount_unlabeled',`
2122 allow $1 unlabeled_t:filesystem unmount;
2125 ########################################
2127 ## Send general signals to unlabeled processes.
2129 ## <param name="domain">
2131 ## Domain allowed access.
2135 interface(`kernel_signal_unlabeled',`
2140 allow $1 unlabeled_t:process signal;
2143 ########################################
2145 ## Send a null signal to unlabeled processes.
2147 ## <param name="domain">
2149 ## Domain allowed access.
2153 interface(`kernel_signull_unlabeled',`
2158 allow $1 unlabeled_t:process signull;
2161 ########################################
2163 ## Send a stop signal to unlabeled processes.
2165 ## <param name="domain">
2167 ## Domain allowed access.
2171 interface(`kernel_sigstop_unlabeled',`
2176 allow $1 unlabeled_t:process sigstop;
2179 ########################################
2181 ## Send a child terminated signal to unlabeled processes.
2183 ## <param name="domain">
2185 ## Domain allowed access.
2189 interface(`kernel_sigchld_unlabeled',`
2194 allow $1 unlabeled_t:process sigchld;
2197 ########################################
2199 ## List unlabeled directories.
2201 ## <param name="domain">
2203 ## Domain allowed access.
2207 interface(`kernel_list_unlabeled',`
2212 allow $1 unlabeled_t:dir list_dir_perms;
2215 ########################################
2217 ## Read the process state (/proc/pid) of all unlabeled_t.
2219 ## <param name="domain">
2221 ## Domain allowed access.
2225 interface(`kernel_read_unlabeled_state',`
# NOTE(review): the rules below are written against the unlabeled_t type
# for the dir, file and lnk_file classes, so they are not limited to
# /proc/pid entries. Any directory, file or symbolic link that carries
# unlabeled_t is readable through this interface as well. Confirm that this
# breadth is intended before granting it to a confined domain.
2230 allow $1 unlabeled_t:dir list_dir_perms;
2231 read_files_pattern($1, unlabeled_t, unlabeled_t)
2232 read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
2235 ########################################
2237 ## Do not audit attempts to list unlabeled directories.
2239 ## <param name="domain">
2241 ## Domain to not audit.
2245 interface(`kernel_dontaudit_list_unlabeled',`
2250 dontaudit $1 unlabeled_t:dir list_dir_perms;
2253 ########################################
2255 ## Read and write unlabeled directories.
2257 ## <param name="domain">
2259 ## Domain allowed access.
2263 interface(`kernel_rw_unlabeled_dirs',`
2268 allow $1 unlabeled_t:dir rw_dir_perms;
2271 ########################################
2273 ## Read and write unlabeled files.
2275 ## <param name="domain">
2277 ## Domain allowed access.
2281 interface(`kernel_rw_unlabeled_files',`
2286 allow $1 unlabeled_t:file rw_file_perms;
2289 ########################################
2291 ## Do not audit attempts by caller to get the
2292 ## attributes of an unlabeled file.
2294 ## <param name="domain">
2296 ## Domain to not audit.
2300 interface(`kernel_dontaudit_getattr_unlabeled_files',`
2305 dontaudit $1 unlabeled_t:file getattr;
2308 ########################################
2310 ## Do not audit attempts by caller to
2311 ## read an unlabeled file.
2313 ## <param name="domain">
2315 ## Domain to not audit.
2319 interface(`kernel_dontaudit_read_unlabeled_files',`
2324 dontaudit $1 unlabeled_t:file { getattr read };
2327 ########################################
2329 ## Do not audit attempts by caller to get the
2330 ## attributes of unlabeled symbolic links.
2332 ## <param name="domain">
2334 ## Domain to not audit.
2338 interface(`kernel_dontaudit_getattr_unlabeled_symlinks',`
2343 dontaudit $1 unlabeled_t:lnk_file getattr;
2346 ########################################
2348 ## Do not audit attempts by caller to get the
2349 ## attributes of unlabeled named pipes.
2351 ## <param name="domain">
2353 ## Domain to not audit.
2357 interface(`kernel_dontaudit_getattr_unlabeled_pipes',`
2362 dontaudit $1 unlabeled_t:fifo_file getattr;
2365 ########################################
2367 ## Do not audit attempts by caller to get the
2368 ## attributes of unlabeled named sockets.
2370 ## <param name="domain">
2372 ## Domain to not audit.
2376 interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
2381 dontaudit $1 unlabeled_t:sock_file getattr;
2384 ########################################
2386 ## Do not audit attempts by caller to get attributes for
2387 ## unlabeled block devices.
2389 ## <param name="domain">
2391 ## Domain to not audit.
2395 interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
2400 dontaudit $1 unlabeled_t:blk_file getattr;
2403 ########################################
2405 ## Read and write unlabeled block device nodes.
2407 ## <param name="domain">
2409 ## Domain allowed access.
2413 interface(`kernel_rw_unlabeled_blk_files',`
# NOTE(review): the name and summary say read and write, but the only
# permission granted below is getattr. A caller gets no read or write
# access to unlabeled block devices from this interface. If the mismatch is
# resolved, correcting the name or summary is the safer direction; widening
# the rule would hand out raw access to block devices that carry no usable
# label, so it should be a deliberate and separately reviewed change.
2418 allow $1 unlabeled_t:blk_file getattr;
2421 ########################################
2423 ## Do not audit attempts by caller to get attributes for
2424 ## unlabeled character devices.
2426 ## <param name="domain">
2428 ## Domain to not audit.
2432 interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
2437 dontaudit $1 unlabeled_t:chr_file getattr;
2440 ########################################
2442 ## Allow caller to relabel unlabeled directories.
2444 ## <param name="domain">
2446 ## Domain allowed access.
2450 interface(`kernel_relabelfrom_unlabeled_dirs',`
2455 allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
2458 ########################################
2460 ## Allow caller to relabel unlabeled files.
2462 ## <param name="domain">
2464 ## Domain allowed access.
2468 interface(`kernel_relabelfrom_unlabeled_files',`
2473 kernel_list_unlabeled($1)
2474 allow $1 unlabeled_t:file { getattr relabelfrom };
2477 ########################################
2479 ## Allow caller to relabel unlabeled symbolic links.
2481 ## <param name="domain">
2483 ## Domain allowed access.
2487 interface(`kernel_relabelfrom_unlabeled_symlinks',`
2492 kernel_list_unlabeled($1)
2493 allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
2496 ########################################
2498 ## Allow caller to relabel unlabeled named pipes.
2500 ## <param name="domain">
2502 ## Domain allowed access.
2506 interface(`kernel_relabelfrom_unlabeled_pipes',`
2511 kernel_list_unlabeled($1)
2512 allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
2515 ########################################
2517 ## Allow caller to relabel unlabeled named sockets.
2519 ## <param name="domain">
2521 ## Domain allowed access.
2525 interface(`kernel_relabelfrom_unlabeled_sockets',`
2530 kernel_list_unlabeled($1)
2531 allow $1 unlabeled_t:sock_file { getattr relabelfrom };
2534 ########################################
2536 ## Send and receive messages from an
2537 ## unlabeled IPSEC association.
2541 ## Send and receive messages from an
2542 ## unlabeled IPSEC association. Network
2543 ## connections that are not protected
2544 ## by IPSEC use an unlabeled association.
2548 ## The corenetwork interface
2549 ## corenet_non_ipsec_sendrecv() should
2550 ## be used instead of this one.
2553 ## <param name="domain">
2555 ## Domain allowed access.
2559 interface(`kernel_sendrecv_unlabeled_association',`
# Grants sendto and recvfrom on associations labeled unlabeled_t.
2564 allow $1 unlabeled_t:association { sendto recvfrom };
2566 # temporary hack until labeling on packets is supported
# Because of the rule below, a caller also gains send and recv on unlabeled
# packets. That is the same access kernel_sendrecv_unlabeled_packets grants
# and it is not mentioned in the summary of this interface, so account for
# it when reviewing what a domain can do on the network.
2567 allow $1 unlabeled_t:packet { send recv };
2570 ########################################
2572 ## Do not audit attempts to send and receive messages
2573 ## from an unlabeled IPSEC association.
2577 ## Do not audit attempts to send and receive messages
2578 ## from an unlabeled IPSEC association. Network
2579 ## connections that are not protected
2580 ## by IPSEC use an unlabeled association.
2584 ## The corenetwork interface
2585 ## corenet_dontaudit_non_ipsec_sendrecv() should
2586 ## be used instead of this one.
2589 ## <param name="domain">
2591 ## Domain to not audit.
2595 interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
2600 dontaudit $1 unlabeled_t:association { sendto recvfrom };
2603 ########################################
2605 ## Receive TCP packets from an unlabeled connection.
2609 ## Receive TCP packets from an unlabeled connection.
2612 ## The corenetwork interface corenet_tcp_recv_unlabeled() should
2613 ## be used instead of this one.
2616 ## <param name="domain">
2618 ## Domain allowed access.
2622 interface(`kernel_tcp_recvfrom_unlabeled',`
2627 allow $1 unlabeled_t:tcp_socket recvfrom;
2630 ########################################
2632 ## Do not audit attempts to receive TCP packets from an unlabeled connection.
2637 ## Do not audit attempts to receive TCP packets from an unlabeled connection.
2641 ## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
2642 ## should be used instead of this one.
2645 ## <param name="domain">
2647 ## Domain to not audit.
2651 interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
2656 dontaudit $1 unlabeled_t:tcp_socket recvfrom;
2659 ########################################
2661 ## Receive UDP packets from an unlabeled connection.
2665 ## Receive UDP packets from an unlabeled connection.
2668 ## The corenetwork interface corenet_udp_recv_unlabeled() should
2669 ## be used instead of this one.
2672 ## <param name="domain">
2674 ## Domain allowed access.
2678 interface(`kernel_udp_recvfrom_unlabeled',`
2683 allow $1 unlabeled_t:udp_socket recvfrom;
2686 ########################################
2688 ## Do not audit attempts to receive UDP packets from an unlabeled connection.
2693 ## Do not audit attempts to receive UDP packets from an unlabeled connection.
2697 ## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
2698 ## should be used instead of this one.
2701 ## <param name="domain">
2703 ## Domain to not audit.
2707 interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
2712 dontaudit $1 unlabeled_t:udp_socket recvfrom;
2715 ########################################
2717 ## Receive Raw IP packets from an unlabeled connection.
2721 ## Receive Raw IP packets from an unlabeled connection.
2724 ## The corenetwork interface corenet_raw_recv_unlabeled() should
2725 ## be used instead of this one.
2728 ## <param name="domain">
2730 ## Domain allowed access.
2734 interface(`kernel_raw_recvfrom_unlabeled',`
2739 allow $1 unlabeled_t:rawip_socket recvfrom;
2742 ########################################
2744 ## Do not audit attempts to receive Raw IP packets from an unlabeled connection.
2749 ## Do not audit attempts to receive Raw IP packets from an unlabeled connection.
2753 ## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
2754 ## should be used instead of this one.
2757 ## <param name="domain">
2759 ## Domain to not audit.
2763 interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
2768 dontaudit $1 unlabeled_t:rawip_socket recvfrom;
2771 ########################################
2773 ## Send and receive unlabeled packets.
2777 ## Send and receive unlabeled packets.
2778 ## These packets do not match any netfilter
2782 ## The corenetwork interface
2783 ## corenet_sendrecv_unlabeled_packets() should
2784 ## be used instead of this one.
2787 ## <param name="domain">
2789 ## Domain allowed access.
2793 interface(`kernel_sendrecv_unlabeled_packets',`
2798 allow $1 unlabeled_t:packet { send recv };
2801 ########################################
2803 ## Receive packets from an unlabeled peer.
2807 ## Receive packets from an unlabeled peer, these packets do not have any
2808 ## peer labeling information present.
2811 ## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
2812 ## be used instead of this one.
2815 ## <param name="domain">
2817 ## Domain allowed access.
2821 interface(`kernel_recvfrom_unlabeled_peer',`
2826 allow $1 unlabeled_t:peer recv;
2829 ########################################
2831 ## Do not audit attempts to receive packets from an unlabeled peer.
2835 ## Do not audit attempts to receive packets from an unlabeled peer,
2836 ## these packets do not have any peer labeling information present.
2839 ## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
2840 ## should be used instead of this one.
2843 ## <param name="domain">
2845 ## Domain to not audit.
2849 interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
2854 dontaudit $1 unlabeled_t:peer recv;
2857 ########################################
2859 ## Relabel from unlabeled database objects.
2861 ## <param name="domain">
2863 ## Domain allowed access.
2867 interface(`kernel_relabelfrom_unlabeled_database',`
2870 class db_database { setattr relabelfrom };
2871 class db_table { setattr relabelfrom };
2872 class db_procedure { setattr relabelfrom };
2873 class db_column { setattr relabelfrom };
2874 class db_tuple { update relabelfrom };
2875 class db_blob { setattr relabelfrom };
2878 allow $1 unlabeled_t:db_database { setattr relabelfrom };
2879 allow $1 unlabeled_t:db_table { setattr relabelfrom };
2880 allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
2881 allow $1 unlabeled_t:db_column { setattr relabelfrom };
2882 allow $1 unlabeled_t:db_tuple { update relabelfrom };
2883 allow $1 unlabeled_t:db_blob { setattr relabelfrom };
2886 ########################################
2888 ## Relabel to the unlabeled context.
2890 ## <param name="domain">
2892 ## Domain allowed access.
2896 interface(`kernel_relabelto_unlabeled',`
# Grants relabelto with unlabeled_t as the target type for every object
# class in dir_file_class_set. An object relabeled this way is afterwards
# governed by the rules written for unlabeled_t, for example the access
# handed out by kernel_rw_unlabeled_files and kernel_rw_unlabeled_dirs in
# this file, rather than by the rules of its previous type.
# NOTE(review): confirm each caller really needs to move objects into
# unlabeled_t; relabelfrom on the original type is required separately and
# is not granted here.
2901 allow $1 unlabeled_t:dir_file_class_set relabelto;
2904 ########################################
2906 ## Unconfined access to kernel module resources.
2908 ## <param name="domain">
2910 ## Domain allowed access.
2914 interface(`kernel_unconfined',`
# As shown here, this interface has no allow rules of its own. It only adds
# the caller to the kern_unconfined attribute; whatever access that
# attribute carries is defined outside this section.
# NOTE(review): read the rules attached to kern_unconfined before using
# this interface, and prefer the narrower interfaces in this file when a
# domain needs only specific kernel resources.
2916 attribute kern_unconfined;
2919 typeattribute $1 kern_unconfined;
2922 ########################################
2924 ## Allow the specified domain to connect to
2925 ## the kernel with a unix socket.
2927 ## <param name="domain">
2929 ## Domain allowed access.
2933 interface(`kernel_stream_connect',`
2938 allow $1 kernel_t:unix_stream_socket connectto;