<summary>Contributed Reference Policy modules.</summary>
<module name="abrt" filename="policy/modules/contrib/abrt.if">
<summary>ABRT - automated bug-reporting tool</summary>
<interface name="abrt_stub" lineno="13">
<summary>
abrt stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="abrt_basic_types_template" lineno="30">
<summary>
Creates types and rules for a basic
ABRT daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="abrt_domtrans" lineno="51">
<summary>
Execute abrt in the abrt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_dump_oops_domtrans" lineno="70">
<summary>
Execute abrt_dump_oops in the abrt_dump_oops_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_exec" lineno="89">
<summary>
Execute abrt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_signull" lineno="108">
<summary>
Send a null signal to abrt.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_state" lineno="126">
<summary>
Allow the domain to read abrt state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_stream_connect" lineno="145">
<summary>
Connect to abrt over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_dbus_chat" lineno="165">
<summary>
Send and receive messages from
abrt over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_domtrans_helper" lineno="185">
<summary>
Execute abrt-helper in the abrt-helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_run_helper" lineno="210">
<summary>
Execute abrt helper in the abrt_helper domain, and
allow the specified role the abrt_helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="abrt_read_cache" lineno="229">
<summary>
Read abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_append_cache" lineno="248">
<summary>
Append abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_rw_inherited_cache" lineno="267">
<summary>
Read/Write inherited abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_cache" lineno="286">
<summary>
Manage abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_map_cache" lineno="306">
<summary>
Map abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_config" lineno="325">
<summary>
Read abrt configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_dontaudit_read_config" lineno="344">
<!-- NOTE(review): the parameter text "Domain allowed access." does not fit a
     dontaudit interface. The other dontaudit interfaces in this listing
     (abrt_dontaudit_write_sock_file, accountsd_dontaudit_rw_fifo_file) describe
     the parameter as "Domain to not audit.". A dontaudit rule silences denial
     records and grants nothing, so this entry should not be read as an access
     grant. Confirm the wording against abrt.if line 344. -->
<summary>
Dontaudit read abrt configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_log" lineno="364">
<summary>
Read abrt logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_pid_files" lineno="383">
<summary>
Read abrt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_pid_files" lineno="402">
<summary>
Create, read, write, and delete abrt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_rw_fifo_file" lineno="421">
<summary>
Read and write abrt fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_systemctl" lineno="439">
<!-- NOTE(review): the summary and parameter text read like a domain-transition
     description (compare abrt_domtrans above), while the interface name ends in
     _systemctl. The text looks copied from another interface. Check abrt.if
     line 439 for what is actually allowed before granting this interface on the
     strength of the summary. -->
<summary>
Execute abrt server in the abrt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_admin" lineno="470">
<summary>
All of the rules required to administrate
an abrt environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the abrt domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="abrt_domtrans_retrace_worker" lineno="521">
<summary>
Execute abrt-retrace in the abrt-retrace domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_manage_spool_retrace" lineno="540">
<summary>
Manage abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_spool_retrace" lineno="561">
<summary>
Read abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_cache_retrace" lineno="582">
<!-- NOTE(review): this summary is identical to the one on
     abrt_read_spool_retrace (lineno 561). The names distinguish "spool" from
     "cache", but the text does not say how the two differ, so a policy author
     cannot pick the narrower one from this page. Confirm the target type at
     abrt.if line 582. -->
<summary>
Read abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_dontaudit_write_sock_file" lineno="602">
<summary>
Do not audit attempts to write abrt sock files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="abrt_filetrans_named_content" lineno="620">
<summary>
Transition to abrt named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="abrt_anon_write" dftval="false">
<desc>
<p>
Allow ABRT to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="abrt_upload_watch_anon_write" dftval="true">
<!-- NOTE(review): dftval is "true" here, while the sibling tunable
     abrt_anon_write and the other tunables visible in this listing default to
     "false". With the policy default, abrt-handle-upload may modify public
     files under /var/spool/abrt-upload/ unless an administrator turns the
     boolean off. dftval records the policy default only; the value in effect
     on a given host may differ and should be checked there. -->
<desc>
<p>
Determine whether abrt-handle-upload
can modify public files used for public file
transfer services in /var/spool/abrt-upload/.
</p>
</desc>
</tunable>
<tunable name="abrt_handle_event" dftval="false">
<desc>
<p>
Determine whether ABRT can run in
the abrt_handle_event_t domain to
handle ABRT event scripts.
</p>
</desc>
</tunable>
</module>
<module name="accountsd" filename="policy/modules/contrib/accountsd.if">
<summary>AccountsService and daemon for manipulating user account information via D-Bus.</summary>
<interface name="accountsd_domtrans" lineno="14">
<summary>
Execute a domain transition to
run accountsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="accountsd_dontaudit_rw_fifo_file" lineno="34">
<summary>
Do not audit attempts to read and
write Accounts Daemon fifo files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="accountsd_dbus_chat" lineno="53">
<summary>
Send and receive messages from
accountsd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_search_lib" lineno="73">
<summary>
Search accountsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_watch_lib" lineno="92">
<summary>
Watch accountsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_read_lib_files" lineno="111">
<summary>
Read accountsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_manage_lib_files" lineno="132">
<summary>
Create, read, write, and delete
accountsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="accountsd_systemctl" lineno="152">
<!-- NOTE(review): the summary repeats the text of accountsd_admin (lineno 177)
     and the parameter is described as "Domain allowed to transition.", neither
     of which matches an interface named _systemctl. The description appears to
     be copied. Verify the real scope at accountsd.if line 152 rather than
     assuming this grants full administration. -->
<summary>
All of the rules required to
administrate an accountsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="accountsd_admin" lineno="177">
<summary>
All of the rules required to administrate
an accountsd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="acct" filename="policy/modules/contrib/acct.if">
<summary>Berkeley process accounting.</summary>
<interface name="acct_domtrans" lineno="14">
<summary>
Transition to the accounting
management domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="acct_exec" lineno="34">
<summary>
Execute accounting management tools
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_exec_data" lineno="54">
<summary>
Execute accounting management data
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_search_data" lineno="73">
<summary>
Search process accounting data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_manage_data" lineno="92">
<summary>
Create, read, write, and delete
process accounting data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="acct_dontaudit_list_data" lineno="112">
<summary>
Do not audit attempts to list the acct_data directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="acct_admin" lineno="137">
<summary>
All of the rules required to
administrate an acct environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="afs" filename="policy/modules/contrib/afs.if">
<summary>Andrew Filesystem server.</summary>
<interface name="afs_domtrans" lineno="14">
<summary>
Execute a domain transition to run the
afs client.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afs_rw_udp_sockets" lineno="33">
<summary>
Read and write afs client UDP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_read_config" lineno="51">
<summary>
Read AFS config data
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_rw_cache" lineno="69">
<summary>
Read and write afs cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_initrc_domtrans" lineno="88">
<summary>
Execute afs server in the afs domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afs_admin" lineno="113">
<summary>
All of the rules required to
administrate an afs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="afterburn" filename="policy/modules/contrib/afterburn.if">
<summary>policy for afterburn</summary>
<interface name="afterburn_domtrans" lineno="13">
<summary>
Execute afterburn in the afterburn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afterburn_exec" lineno="32">
<summary>
Execute afterburn in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="aiccu" filename="policy/modules/contrib/aiccu.if">
<summary>Automatic IPv6 Connectivity Client Utility.</summary>
<interface name="aiccu_domtrans" lineno="13">
<summary>
Execute a domain transition to run aiccu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_initrc_domtrans" lineno="32">
<summary>
Execute aiccu server in the aiccu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_read_pid_files" lineno="50">
<summary>
Read aiccu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aiccu_admin" lineno="76">
<summary>
All of the rules required to
administrate an aiccu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aide" filename="policy/modules/contrib/aide.if">
<summary>Aide filesystem integrity checker.</summary>
<interface name="aide_domtrans" lineno="13">
<summary>
Execute aide in the aide domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aide_run" lineno="39">
<summary>
Execute aide programs in the AIDE
domain and allow the specified role
the AIDE domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="aide_admin" lineno="65">
<summary>
All of the rules required to
administrate an aide environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aisexec" filename="policy/modules/contrib/aisexec.if">
<summary>Aisexec Cluster Engine.</summary>
<interface name="aisexec_domtrans" lineno="13">
<summary>
Execute a domain transition to run aisexec.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aisexec_stream_connect" lineno="33">
<summary>
Connect to aisexec over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexec_read_log" lineno="52">
<summary>
Read aisexec log files content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexecd_admin" lineno="79">
<summary>
All of the rules required to
administrate an aisexec environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ajaxterm" filename="policy/modules/contrib/ajaxterm.if">
<summary>policy for ajaxterm</summary>
<interface name="ajaxterm_domtrans" lineno="13">
<!-- NOTE(review): the summary describes a domain transition, but the parameter
     text says "Domain allowed access.". Every other _domtrans interface in
     this listing describes the parameter as "Domain allowed to transition.".
     Likely a wording slip in ajaxterm.if line 13. -->
<summary>
Execute a domain transition to run ajaxterm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ajaxterm_initrc_domtrans" lineno="31">
<summary>
Execute ajaxterm server in the ajaxterm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ajaxterm_rw_ptys" lineno="49">
<summary>
Read and write the ajaxterm pty type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ajaxterm_admin" lineno="74">
<summary>
All of the rules required to administrate
an ajaxterm environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="alsa" filename="policy/modules/contrib/alsa.if">
<summary>Advanced Linux Sound Architecture utilities.</summary>
<template name="alsa_role" lineno="18">
<summary>
Role access for alsa.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="alsa_domtrans" lineno="32">
<summary>
Execute a domain transition to run Alsa.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="alsa_run" lineno="58">
<summary>
Execute a domain transition to run
Alsa, and allow the specified role
the Alsa domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="alsa_rw_semaphores" lineno="77">
<summary>
Read and write Alsa semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_rw_shared_mem" lineno="95">
<summary>
Read and write Alsa shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_read_rw_config" lineno="113">
<summary>
Read writable Alsa configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_manage_rw_config" lineno="138">
<summary>
Manage writable Alsa config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_manage_home_files" lineno="164">
<summary>
Create, read, write, and delete
alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_read_home_files" lineno="184">
<summary>
Read Alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_relabel_home_files" lineno="203">
<summary>
Relabel alsa home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_read_lib" lineno="222">
<summary>
Read Alsa lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_filetrans_home_content" lineno="241">
<!-- NOTE(review): this summary is identical to the one on
     alsa_filetrans_named_content (lineno 259). The name suggests this variant
     concerns home-directory content, but the text does not say so. Confirm
     which directories each interface covers in alsa.if before choosing one. -->
<summary>
Transition to alsa named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_filetrans_named_content" lineno="259">
<summary>
Transition to alsa named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="alsa_systemctl" lineno="284">
<!-- NOTE(review): the summary and parameter text describe a domain transition
     (compare alsa_domtrans, lineno 32), while the interface name ends in
     _systemctl. The description looks copied. Check alsa.if line 284 for the
     access actually granted. -->
<summary>
Execute alsa server in the alsa domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="alsa_write_lib" lineno="308">
<summary>
Write Alsa lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="amanda" filename="policy/modules/contrib/amanda.if">
<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
<interface name="amanda_domtrans_recover" lineno="14">
<summary>
Execute a domain transition to run
Amanda recover.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amanda_run_recover" lineno="41">
<summary>
Execute a domain transition to run
Amanda recover, and allow the specified
role the Amanda recover domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="amanda_search_lib" lineno="60">
<summary>
Search Amanda library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
<summary>
Do not audit attempts to read /etc/dumpdates.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="amanda_rw_dumpdates_files" lineno="97">
<summary>
Read and write /etc/dumpdates.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_manage_lib" lineno="116">
<!-- NOTE(review): this summary is word-for-word the summary of
     amanda_search_lib (lineno 60), but the name says "manage". If the
     interface grants what the name suggests, the text understates the access,
     and a policy author selecting by summary could hand out more than a
     directory search. Verify at amanda.if line 116. -->
<summary>
Search Amanda library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_append_log_files" lineno="135">
<summary>
Read and append amanda log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amanda_search_var_lib" lineno="154">
<summary>
Search Amanda var library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="amavis" filename="policy/modules/contrib/amavis.if">
<summary>High-performance interface between an email server and content checkers.</summary>
<interface name="amavis_domtrans" lineno="13">
<summary>
Execute a domain transition to run amavis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amavis_initrc_domtrans" lineno="32">
<summary>
Execute amavis server in the amavis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amavis_read_spool_files" lineno="50">
<summary>
Read amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_spool_files" lineno="71">
<summary>
Create, read, write, and delete
amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_spool_filetrans" lineno="107">
<summary>
Create objects in the amavis spool directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="amavis_search_lib" lineno="126">
<summary>
Search amavis lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_read_lib_files" lineno="145">
<summary>
Read amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_rw_lib_files" lineno="165">
<summary>
Read and write amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_lib_files" lineno="186">
<summary>
Create, read, write, and delete
amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_setattr_pid_files" lineno="205">
<summary>
Set attributes of amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_create_pid_files" lineno="224">
<summary>
Create amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_admin" lineno="251">
<summary>
All of the rules required to
administrate an amavis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="amavis_use_jit" dftval="false">
<desc>
<p>
Determine whether amavis can
use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="amtu" filename="policy/modules/contrib/amtu.if">
<summary>Abstract Machine Test Utility.</summary>
<interface name="amtu_domtrans" lineno="13">
<summary>
Execute a domain transition to run Amtu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amtu_run" lineno="39">
<summary>
Execute a domain transition to run
Amtu, and allow the specified role
the Amtu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="amtu_admin" lineno="65">
<summary>
All of the rules required to
administrate an amtu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="anaconda" filename="policy/modules/contrib/anaconda.if">
<summary>Anaconda installer.</summary>
<interface name="anaconda_domtrans_install" lineno="13">
<summary>
Execute a domain transition to run install.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="anaconda_run_install" lineno="39">
<summary>
Execute install in the install
domain, and allow the specified
role the install domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="anaconda_exec_preupgrade" lineno="65">
<!-- NOTE(review): the summary says preupgrade runs "in the caller domain",
     which means no transition, yet the parameter is described as "Domain
     allowed to transition.". The other _exec interfaces in this listing
     (abrt_exec, acct_exec, afterburn_exec) use "Domain allowed access.".
     Whether the caller keeps its own domain decides which confinement applies
     to preupgrade, so confirm at anaconda.if line 65. -->
<summary>
Execute preupgrade in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="anaconda_domtrans_preupgrade" lineno="84">
<summary>
Execute a domain transition to run preupgrade.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="anaconda_read_lib_files_preupgrade" lineno="103">
<summary>
Read preupgrade lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="anaconda_manage_lib_files_preupgrade" lineno="123">
<summary>
Manage preupgrade lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="anaconda_stream_connect" lineno="144">
<summary>
Connect over a unix stream socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="anaconda_create_unix_stream_sockets" lineno="163">
<summary>
Create and use a unix stream socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="antivirus" filename="policy/modules/contrib/antivirus.if">
<summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
<interface name="antivirus_domain_template" lineno="14">
<!-- NOTE(review): this entry is recorded as an interface although its name and
     summary describe a template that creates types; abrt_basic_types_template
     and the apache_*_template entries in this listing use the template
     element. The parameter is named "domain" but described as a prefix.
     Confirm how antivirus.if line 14 declares it. -->
<summary>
Creates types and rules for a basic
antivirus domain.
</summary>
<param name="domain">
<summary>
Prefix for the domain.
</summary>
</param>
</interface>
<interface name="antivirus_domtrans" lineno="34">
<summary>
Execute a domain transition to run antivirus program.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="antivirus_exec" lineno="52">
<summary>
Execute antivirus program without a transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_stream_connect" lineno="70">
<!-- NOTE(review): "Connect to run antivirus program." is garbled and appears
     to blend the antivirus_domtrans summary into this one. Going by the name,
     this presumably allows connecting to the antivirus daemon over a unix
     stream socket, as abrt_stream_connect and aisexec_stream_connect state for
     their services. Confirm at antivirus.if line 70. -->
<summary>
Connect to run antivirus program.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_append_log" lineno="91">
<summary>
Allow the specified domain to append
to antivirus log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_config" lineno="111">
<summary>
Read antivirus configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_search_db" lineno="130">
<summary>
Search antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_db" lineno="150">
<summary>
Read antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_rw_db" lineno="171">
<summary>
Read and write antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_manage_db" lineno="191">
<summary>
Manage antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_manage_pid" lineno="212">
<summary>
Manage antivirus pid content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_state_clamd" lineno="231">
<summary>
Read antivirus state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_systemctl" lineno="250">
<!-- NOTE(review): the summary and parameter text describe a domain transition
     (compare antivirus_domtrans, lineno 34), while the interface name ends in
     _systemctl. The description looks copied. Check antivirus.if line 250 for
     the access actually granted. -->
<summary>
Execute antivirus server in the antivirus domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="antivirus_admin" lineno="282">
<!-- NOTE(review): the role parameter mentions only "the clamav domain", while
     the summary covers "an antivirus programs environment" and the module
     summary lists amavis, clamd, freshclam and clamscan. The role text may be
     left over from an older clamav-only interface. Anyone granting this admin
     interface should confirm at antivirus.if line 282 which domains the role
     really gains. -->
<summary>
All of the rules required to administrate
an antivirus programs environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the clamav domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="antivirus_can_scan_system" dftval="false">
<desc>
<p>
Allow antivirus programs to read non-security files on a system.
</p>
</desc>
</tunable>
<tunable name="antivirus_use_jit" dftval="false">
<desc>
<p>
Determine whether antivirus programs can use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="apache" filename="policy/modules/contrib/apache.if">
<summary>Apache web server</summary>
<template name="apache_user_content_template" lineno="14">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<template name="apache_content_template" lineno="123">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<template name="apache_content_alias_template" lineno="234">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving new type names.
</summary>
</param>
<param name="oldprefix">
<summary>
The prefix to be used for deriving old type names.
</summary>
</param>
</template>
<interface name="apache_role" lineno="258">
<summary>
Role access for apache
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="apache_read_user_scripts" lineno="327">
<summary>
Read httpd user scripts executables.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_user_content" lineno="347">
<summary>
Read user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_user_content" lineno="367">
<summary>
Manage user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans" lineno="387">
<summary>
Transition to apache.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_exec" lineno="407">
<summary>
Allow the specified domain to execute apache
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_suexec" lineno="426">
<summary>
Allow the specified domain to execute apache suexec
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_signal" lineno="444">
<summary>
Send a generic signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_signull" lineno="462">
<summary>
Send a null signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_sigchld" lineno="480">
<summary>
Send a SIGCHLD signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_state" lineno="498">
<summary>
Allow the domain to read apache state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_use_fds" lineno="517">
<summary>
Inherit and use file descriptors from Apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_fifo_file" lineno="536">
<summary>
Do not audit attempts to read and write Apache
unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_rw_stream_sockets" lineno="555">
<summary>
Allow attempts to read and write Apache
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_stream_sockets" lineno="574">
<summary>
Do not audit attempts to read and write Apache
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_tcp_sockets" lineno="593">
<summary>
Do not audit attempts to read and write Apache
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_manage_all_content" lineno="612">
<summary>
Create, read, write, and delete all web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_setattr_cache_dirs" lineno="637">
<summary>
Allow domain to set the attributes
of the Apache cache directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_cache" lineno="656">
<summary>
Allow the specified domain to list
Apache cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_rw_cache_files" lineno="675">
<summary>
Allow the specified domain to read
and write Apache cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_dirs" lineno="694">
<summary>
Allow the specified domain to delete
Apache cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_files" lineno="713">
<summary>
Allow the specified domain to delete
Apache cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_config" lineno="732">
<summary>
Allow the specified domain to search
apache configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_config" lineno="753">
<summary>
Allow the specified domain to read
apache configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_manage_config" lineno="775">
<summary>
Allow the specified domain to manage
apache configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_helper" lineno="797">
<summary>
Execute the Apache helper program with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_run_helper" lineno="824">
<summary>
Execute the Apache helper program with
a domain transition, and allow the
specified role the Apache helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_dontaudit_read_log" lineno="845">
<summary>
Do not audit attempts to read
apache log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_log" lineno="866">
<summary>
Allow the specified domain to read
apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_append_log" lineno="888">
<summary>
Allow the specified domain to append
to apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_create_log_dirs" lineno="909">
<summary>
Allow the specified domain to create
apache log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="apache_write_log" lineno="930">
<summary>
Allow the specified domain to write
to apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_append_log" lineno="949">
<summary>
Do not audit attempts to append to the
Apache logs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_manage_lib" lineno="968">
<summary>
Allow the specified domain to manage
apache var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_log" lineno="990">
<summary>
Allow the specified domain to manage
apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_search_modules" lineno="1012">
<summary>
Do not audit attempts to search Apache
module directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_read_modules" lineno="1031">
<summary>
Allow the specified domain to read
the apache module directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_modules" lineno="1052">
<summary>
Allow the specified domain to list
the contents of the apache modules
directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_modules" lineno="1072">
<summary>
Allow the specified domain to execute
apache modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_rotatelogs" lineno="1092">
<summary>
Execute a domain transition to run httpd_rotatelogs.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_exec_rotatelogs" lineno="1110">
<summary>
Execute httpd_rotatelogs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_sys_script" lineno="1128">
<summary>
Execute httpd system scripts in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_sys_content" lineno="1148">
<summary>
Allow the specified domain to list
apache system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_sys_content" lineno="1171">
<summary>
Allow the specified domain to manage
apache system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_sys_content_rw_files" lineno="1194">
<summary>
Allow the specified domain to read
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_inherited_sys_content_rw_files" lineno="1214">
<summary>
Allow the specified domain to read inherited
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_sys_content_rw_dirs" lineno="1236">
<summary>
Allow the specified domain to read
apache system content rw dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_manage_sys_content_rw" lineno="1256">
<summary>
Allow the specified domain to manage
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_delete_sys_content_rw" lineno="1279">
<summary>
Allow the specified domain to delete
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_domtrans_sys_script" lineno="1305">
<summary>
Execute all web scripts in the system
script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="1332">
<summary>
Do not audit attempts to read and write Apache
system script unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_domtrans_all_scripts" lineno="1351">
<summary>
Execute all user scripts in the user
script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_run_all_scripts" lineno="1377">
<summary>
Execute all user scripts in the user
script domain.  Add user script domains
to the specified role.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_squirrelmail_data" lineno="1397">
<summary>
Allow the specified domain to read
apache squirrelmail data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_append_squirrelmail_data" lineno="1416">
<summary>
Allow the specified domain to append
apache squirrelmail data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_content" lineno="1434">
<summary>
Search apache system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_sys_content" lineno="1452">
<summary>
Read apache system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_scripts" lineno="1472">
<summary>
Search apache system CGI directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_all_user_content" lineno="1491">
<summary>
Create, read, write, and delete all user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_search_sys_script_state" lineno="1515">
<summary>
Search system script state directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_tmp_dirs" lineno="1534">
<summary>
Allow the specified domain to read
apache tmp directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_tmp_files" lineno="1554">
<summary>
Allow the specified domain to read
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_tmp_symlinks" lineno="1574">
<summary>
Allow the specified domain to read
apache tmp lnk files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_tmp_files" lineno="1594">
<summary>
Dontaudit attempts to read and write
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_write_tmp_files" lineno="1613">
<summary>
Dontaudit attempts to write
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_cgi_domain" lineno="1646">
<summary>
Execute CGI in the specified domain.
</summary>
<desc>
<p>
Execute CGI in the specified domain.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="domain">
<summary>
Domain to run the cgi script in.
</summary>
</param>
<param name="entrypoint">
<summary>
Type of the executable to enter the cgi domain.
</summary>
</param>
</interface>
<interface name="apache_systemctl" lineno="1667">
<summary>
Execute httpd server in the httpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apache_admin" lineno="1697">
<summary>
All of the rules required to administrate an apache environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_dontaudit_leaks" lineno="1763">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_filetrans_named_content" lineno="1786">
<summary>
Transition to apache named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_entrypoint" lineno="1822">
<summary>
Allow any httpd_exec_t to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_exec_domtrans" lineno="1844">
<summary>
Execute a httpd_exec_t in the specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="apache_filetrans_home_content" lineno="1862">
<summary>
Transition to apache home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_pid_files" lineno="1886">
<summary>
Read apache pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_pid_files" lineno="1905">
<summary>
Manage apache pid objects.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dbus_chat" lineno="1927">
<summary>
Send and receive messages from
httpd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_tmp" lineno="1948">
<summary>
Delete the httpd tmp.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_noatsecure" lineno="1966">
<summary>
Allow httpd noatsecure
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_ioctl_stream_sockets" lineno="1985">
<summary>
Allow the specified domain to ioctl
httpd unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_semaphores" lineno="2003">
<summary>
Allow the specified domain to read httpd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="httpd_anon_write" dftval="false">
<desc>
<p>
Allow Apache to modify public files
used for public file transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="httpd_dontaudit_search_dirs" dftval="false">
<desc>
<p>
Do not audit Apache attempts to search directories.
</p>
</desc>
</tunable>
<tunable name="httpd_mod_auth_pam" dftval="false">
<desc>
<p>
Allow Apache to use mod_auth_pam
</p>
</desc>
</tunable>
<tunable name="httpd_mod_auth_ntlm_winbind" dftval="false">
<desc>
<p>
Allow Apache to use mod_auth_ntlm_winbind
</p>
</desc>
</tunable>
<tunable name="httpd_execmem" dftval="false">
<desc>
<p>
Allow httpd scripts and modules execmem/execstack
</p>
</desc>
</tunable>
<tunable name="httpd_manage_ipa" dftval="false">
<desc>
<p>
Allow httpd processes to manage IPA content
</p>
</desc>
</tunable>
<tunable name="httpd_run_ipa" dftval="false">
<desc>
<p>
Allow httpd processes to run IPA helper.
</p>
</desc>
</tunable>
<tunable name="httpd_builtin_scripting" dftval="false">
<desc>
<p>
Allow httpd to use built in scripting (usually php)
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_cobbler" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to cobbler over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_serve_cobbler_files" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to serve cobbler files.
</p>
</desc>
</tunable>
<tunable name="httpd_graceful_shutdown" dftval="false">
<desc>
<p>
Allow HTTPD to connect to port 80 for graceful shutdown
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_db" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to databases over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_memcache" dftval="false">
<desc>
<p>
Allow httpd to connect to memcache server
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_relay" dftval="false">
<desc>
<p>
Allow httpd to act as a relay
</p>
</desc>
</tunable>
<tunable name="httpd_can_connect_zabbix" dftval="false">
<desc>
<p>
Allow http daemon to connect to zabbix
</p>
</desc>
</tunable>
<tunable name="httpd_can_connect_mythtv" dftval="false">
<desc>
<p>
Allow http daemon to connect to mythtv
</p>
</desc>
</tunable>
<tunable name="httpd_can_check_spam" dftval="false">
<desc>
<p>
Allow http daemon to check spam
</p>
</desc>
</tunable>
<tunable name="httpd_can_sendmail" dftval="false">
<desc>
<p>
Allow http daemon to send mail
</p>
</desc>
</tunable>
<tunable name="httpd_dbus_avahi" dftval="false">
<desc>
<p>
Allow Apache to communicate with avahi service via dbus
</p>
</desc>
</tunable>
<tunable name="httpd_dbus_sssd" dftval="false">
<desc>
<p>
Allow Apache to communicate with sssd service via dbus
</p>
</desc>
</tunable>
<tunable name="httpd_enable_cgi" dftval="false">
<desc>
<p>
Allow httpd cgi support
</p>
</desc>
</tunable>
<tunable name="httpd_enable_ftp_server" dftval="false">
<desc>
<p>
Allow httpd to act as a FTP server by
listening on the ftp port.
</p>
</desc>
</tunable>
<tunable name="httpd_can_connect_ftp" dftval="false">
<desc>
<p>
Allow httpd to act as a FTP client
connecting to the ftp port and ephemeral ports
</p>
</desc>
</tunable>
<tunable name="httpd_can_manage_courier_spool" dftval="false">
<desc>
<p>
Allow httpd to manage the courier spool sock files.
</p>
</desc>
</tunable>
<tunable name="httpd_can_connect_ldap" dftval="false">
<desc>
<p>
Allow httpd to connect to the ldap port
</p>
</desc>
</tunable>
<tunable name="httpd_enable_homedirs" dftval="false">
<desc>
<p>
Allow httpd to read home directories
</p>
</desc>
</tunable>
<tunable name="httpd_read_user_content" dftval="false">
<desc>
<p>
Allow httpd to read user content
</p>
</desc>
</tunable>
<tunable name="httpd_run_stickshift" dftval="false">
<desc>
<p>
Allow Apache to run in stickshift mode, not transition to passenger
</p>
</desc>
</tunable>
<tunable name="httpd_run_preupgrade" dftval="false">
<desc>
<p>
Allow Apache to run preupgrade
</p>
</desc>
</tunable>
<tunable name="httpd_verify_dns" dftval="false">
<desc>
<p>
Allow Apache to query NS records
</p>
</desc>
</tunable>
<tunable name="httpd_setrlimit" dftval="false">
<desc>
<p>
Allow httpd daemon to change its resource limits
</p>
</desc>
</tunable>
<tunable name="httpd_ssi_exec" dftval="false">
<desc>
<p>
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
</p>
</desc>
</tunable>
<tunable name="httpd_tmp_exec" dftval="false">
<desc>
<p>
Allow Apache to execute tmp content.
</p>
</desc>
</tunable>
<tunable name="httpd_tty_comm" dftval="false">
<desc>
<p>
Allow HTTPD to communicate with the terminal.
Needed for entering the passphrase for certificates at
the terminal.
</p>
</desc>
</tunable>
<tunable name="httpd_unified" dftval="false">
<desc>
<p>
Unify HTTPD handling of all content files.
</p>
</desc>
</tunable>
<tunable name="httpd_use_openstack" dftval="false">
<desc>
<p>
Allow httpd to access openstack ports
</p>
</desc>
</tunable>
<tunable name="httpd_use_cifs" dftval="false">
<desc>
<p>
Allow httpd to access cifs file systems
</p>
</desc>
</tunable>
<tunable name="httpd_use_fusefs" dftval="false">
<desc>
<p>
Allow httpd to access FUSE file systems
</p>
</desc>
</tunable>
<tunable name="httpd_use_gpg" dftval="false">
<desc>
<p>
Allow httpd to run gpg
</p>
</desc>
</tunable>
<tunable name="httpd_use_sasl" dftval="false">
<desc>
<p>
Allow httpd to connect to sasl
</p>
</desc>
</tunable>
<tunable name="httpd_use_nfs" dftval="false">
<desc>
<p>
Allow httpd to access nfs file systems
</p>
</desc>
</tunable>
<tunable name="httpd_use_opencryptoki" dftval="false">
<desc>
<p>
Allow httpd to use opencryptoki
</p>
</desc>
</tunable>
<tunable name="httpd_sys_script_anon_write" dftval="false">
<desc>
<p>
Allow apache scripts to write to public content, directories/files must be labeled public_content_rw_t.
</p>
</desc>
</tunable>
</module>
<module name="apcupsd" filename="policy/modules/contrib/apcupsd.if">
<summary>APC UPS monitoring daemon.</summary>
<interface name="apcupsd_domtrans" lineno="14">
<summary>
Execute a domain transition to
run apcupsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_initrc_domtrans" lineno="34">
<summary>
Execute apcupsd server in the
apcupsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_read_pid_files" lineno="52">
<summary>
Read apcupsd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_read_power_files" lineno="71">
<summary>
Read apcupsd power files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_read_log" lineno="90">
<summary>
Read apcupsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apcupsd_append_log" lineno="110">
<summary>
Append apcupsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_cgi_script_domtrans" lineno="131">
<summary>
Execute a domain transition to
run apcupsd_cgi_script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_systemctl" lineno="154">
<summary>
Execute apcupsd server in the apcupsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_filetrans_named_content" lineno="179">
<summary>
Create configuration files in /var/lock
with a named file type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_admin" lineno="205">
<summary>
All of the rules required to
administrate an apcupsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="apm" filename="policy/modules/contrib/apm.if">
<summary>Advanced power management.</summary>
<interface name="apm_domtrans_client" lineno="13">
<summary>
Execute apm in the apm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apm_run_client" lineno="39">
<summary>
Execute apm in the apm domain
and allow the specified role
the apm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="apm_use_fds" lineno="58">
<summary>
Use apmd file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_write_pipes" lineno="76">
<summary>
Write apmd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_rw_stream_sockets" lineno="95">
<summary>
Read and write to apmd unix
stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_append_log" lineno="113">
<summary>
Append apmd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_stream_connect" lineno="133">
<summary>
Connect to apmd over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apmd_systemctl" lineno="152">
<summary>
Execute apmd server in the apmd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apm_admin" lineno="183">
<summary>
All of the rules required to
administrate an apm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="apt" filename="policy/modules/contrib/apt.if">
<summary>Advanced package tool.</summary>
<interface name="apt_domtrans" lineno="13">
<summary>
Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apt_exec" lineno="32">
<summary>
Execute apt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_run" lineno="57">
<summary>
Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apt_use_fds" lineno="76">
<summary>
Use apt file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_dontaudit_use_fds" lineno="95">
<summary>
Do not audit attempts to use
apt file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apt_read_pipes" lineno="113">
<summary>
Read apt unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_rw_pipes" lineno="131">
<summary>
Read and write apt unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_use_ptys" lineno="149">
<summary>
Read and write apt ptys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_read_cache" lineno="167">
<summary>
Read apt package cache content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_read_db" lineno="188">
<summary>
Read apt package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_manage_db" lineno="210">
<summary>
Create, read, write, and delete
apt package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apt_dontaudit_manage_db" lineno="232">
<summary>
Do not audit attempts to create,
read, write, and delete apt
package database content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="arpwatch" filename="policy/modules/contrib/arpwatch.if">
<summary>Ethernet activity monitor.</summary>
<interface name="arpwatch_initrc_domtrans" lineno="14">
<summary>
Execute arpwatch server in the
arpwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="arpwatch_search_data" lineno="32">
<summary>
Search arpwatch data file directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_data_files" lineno="52">
<summary>
Create, read, write, and delete
arpwatch data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_rw_tmp_files" lineno="72">
<summary>
Read and write arpwatch temporary
files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_tmp_files" lineno="92">
<summary>
Create, read, write, and delete
arpwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="112">
<summary>
Do not audit attempts to read and
write arpwatch packet sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="arpwatch_systemctl" lineno="130">
<summary>
Execute arpwatch server in the arpwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="arpwatch_admin" lineno="161">
<summary>
All of the rules required to
administrate an arpwatch environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="arpwatch_data_filetrans" lineno="220">
<summary>
Create objects in the arpwatch home directory
with an automatic type transition to a specified type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="type">
<summary>
The type of the object being created.
</summary>
</param>
<param name="object">
<summary>
The class of the object being created.
</summary>
</param>
<param name="name">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
</module>
<module name="asterisk" filename="policy/modules/contrib/asterisk.if">
<summary>Asterisk IP telephony server.</summary>
<interface name="asterisk_domtrans" lineno="13">
<summary>
Execute asterisk in the asterisk domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="asterisk_exec" lineno="32">
<summary>
Execute asterisk in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_stream_connect" lineno="52">
<summary>
Connect to asterisk over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_setattr_logs" lineno="72">
<summary>
Set attributes of asterisk log
files and directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_setattr_pid_files" lineno="93">
<summary>
Set attributes of the asterisk
PID content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_admin" lineno="120">
<summary>
All of the rules required to
administrate an asterisk environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="authconfig" filename="policy/modules/contrib/authconfig.if">
<summary>policy for authconfig</summary>
<interface name="authconfig_domtrans" lineno="13">
<summary>
Execute authconfig in the authconfig domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="authconfig_search_lib" lineno="32">
<summary>
Search authconfig lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="authconfig_read_lib_files" lineno="51">
<summary>
Read authconfig lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="authconfig_manage_lib_files" lineno="70">
<summary>
Manage authconfig lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="authconfig_manage_lib_dirs" lineno="89">
<summary>
Manage authconfig lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="authconfig_admin" lineno="110">
<summary>
All of the rules required to administrate
an authconfig environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="automount" filename="policy/modules/contrib/automount.if">
<summary>Filesystem automounter service.</summary>
<interface name="automount_domtrans" lineno="13">
<summary>
Execute automount in the automount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="automount_signal" lineno="32">
<summary>
Send generic signals to automount.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_exec_config" lineno="50">
<summary>
Execute automount in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_read_state" lineno="65">
<summary>
Read automount process state.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_use_fds" lineno="87">
<summary>
Do not audit attempts to use
automount file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_write_pipes" lineno="105">
<summary>
Write to an automount unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_write_pipes" lineno="125">
<summary>
Do not audit attempts to write
automount unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_search_tmp_dirs" lineno="144">
<summary>
Allow domain to search automount temporary
directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="164">
<summary>
Do not audit attempts to get
attributes of automount temporary
directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_systemctl" lineno="182">
<summary>
Execute automount server in the automount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="automount_admin" lineno="213">
<summary>
All of the rules required to
administrate an automount environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="avahi" filename="policy/modules/contrib/avahi.if">
<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary>
<interface name="avahi_domtrans" lineno="13">
<summary>
Execute avahi server in the avahi domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="avahi_initrc_domtrans" lineno="33">
<summary>
Execute avahi init scripts in the
init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="avahi_signal" lineno="51">
<summary>
Send generic signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_kill" lineno="69">
<summary>
Send kill signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_signull" lineno="87">
<summary>
Send null signals to avahi.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dbus_chat" lineno="106">
<summary>
Send and receive messages from
avahi over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_stream_connect" lineno="127">
<summary>
Connect to avahi using a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_create_pid_dirs" lineno="146">
<summary>
Create avahi pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_setattr_pid_dirs" lineno="165">
<summary>
Set attributes of avahi pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_manage_pid_files" lineno="184">
<summary>
Create, read, and write avahi pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dontaudit_search_pid" lineno="204">
<summary>
Do not audit attempts to search
avahi pid directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="avahi_systemctl" lineno="222">
<summary>
Execute avahi server in the avahi domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="avahi_filetrans_pid" lineno="257">
<summary>
Create specified objects in generic
pid directories with the avahi pid file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="avahi_admin" lineno="282">
<summary>
All of the rules required to
administrate an avahi environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="awstats" filename="policy/modules/contrib/awstats.if">
<summary>Log file analyzer for advanced statistics.</summary>
<interface name="awstats_domtrans" lineno="14">
<summary>
Execute the awstats program in
the awstats domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="awstats_rw_pipes" lineno="33">
<summary>
Read and write awstats unnamed pipes. (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="awstats_cgi_exec" lineno="47">
<summary>
Execute awstats cgi scripts in the caller domain. (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="awstats_purge_apache_log_files" dftval="false">
<desc>
<p>
Determine whether awstats can
purge httpd log files.
</p>
</desc>
</tunable>
</module>
<module name="backup" filename="policy/modules/contrib/backup.if">
<summary>System backup scripts.</summary>
<interface name="backup_domtrans" lineno="13">
<summary>
Execute backup in the backup domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="backup_run" lineno="40">
<summary>
Execute backup in the backup
domain, and allow the specified
role the backup domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="backup_manage_store_files" lineno="60">
<summary>
Create, read, and write backup
store files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bacula" filename="policy/modules/contrib/bacula.if">
<summary>Cross platform network backup.</summary>
<interface name="bacula_domtrans_admin" lineno="14">
<summary>
Execute bacula admin in the bacula
admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bacula_run_admin" lineno="41">
<summary>
Execute user interfaces in the
bacula admin domain, and allow the
specified role the bacula admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bacula_admin" lineno="67">
<summary>
All of the rules required to
administrate a bacula environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bcfg2" filename="policy/modules/contrib/bcfg2.if">
<summary>configuration management suite.</summary>
<interface name="bcfg2_domtrans" lineno="13">
<summary>
Execute bcfg2 in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_initrc_domtrans" lineno="32">
<summary>
Execute bcfg2 server in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_search_lib" lineno="50">
<summary>
Search bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_read_lib_files" lineno="69">
<summary>
Read bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_files" lineno="89">
<summary>
Create, read, write, and delete
bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_dirs" lineno="109">
<summary>
Create, read, write, and delete
bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_systemctl" lineno="128">
<summary>
Execute bcfg2 server in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_admin" lineno="161">
<summary>
All of the rules required to
administrate a bcfg2 environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bind" filename="policy/modules/contrib/bind.if">
<summary>Berkeley Internet name domain DNS server.</summary>
<interface name="bind_initrc_domtrans" lineno="13">
<summary>
Execute bind server in the bind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_systemctl" lineno="31">
<summary>
Execute bind server in the bind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_domtrans_ndc" lineno="55">
<summary>
Execute ndc in the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_signal" lineno="74">
<summary>
Send generic signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_signull" lineno="92">
<summary>
Send null signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_kill" lineno="110">
<summary>
Send kill signals to bind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_run_ndc" lineno="135">
<summary>
Execute ndc in the ndc domain, and
allow the specified role the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bind_domtrans" lineno="154">
<summary>
Execute bind in the named domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bind_read_dnssec_keys" lineno="173">
<summary>
Read dnssec key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_map_dnssec_keys" lineno="191">
<summary>
Mmap dnssec key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_config" lineno="209">
<summary>
Read bind named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_write_config" lineno="228">
<summary>
Write bind named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_config_dirs" lineno="248">
<summary>
Create, read, write, and delete
bind configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_config" lineno="267">
<summary>
Create, read, write, and delete
BIND configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_search_cache" lineno="285">
<summary>
Search bind cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_cache" lineno="306">
<summary>
Read bind cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_rw_cache" lineno="327">
<summary>
Allow the specified domain to read
and write Bind cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_cache" lineno="347">
<summary>
Create, read, write, and delete
bind cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_pid_files" lineno="368">
<summary>
Read bind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_pid_dirs" lineno="387">
<summary>
Set attributes of bind pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_zone_dirs" lineno="405">
<summary>
Set attributes of bind zone directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_zone" lineno="423">
<summary>
Read bind zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_log" lineno="442">
<summary>
Read BIND log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_zone_dirs" lineno="464">
<summary>
Create, read, write, and delete
bind zone directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_zone" lineno="484">
<summary>
Create, read, write, and delete
bind zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_udp_chat_named" lineno="503">
<summary>
Send and receive datagrams to and from named.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_state" lineno="517">
<summary>
Allow the domain to read bind state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_admin" lineno="543">
<summary>
All of the rules required to
administrate a bind environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bind_exec" lineno="597">
<summary>
Execute bind in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="named_tcp_bind_http_port" dftval="false">
<desc>
<p>
Determine whether Bind can bind tcp socket to http ports.
</p>
</desc>
</tunable>
<tunable name="named_write_master_zones" dftval="true">
<desc>
<p>
Determine whether Bind can write to master zone files.
Generally this is used for dynamic DNS or zone transfers.
</p>
</desc>
</tunable>
</module>
<module name="bird" filename="policy/modules/contrib/bird.if">
<summary>BIRD Internet Routing Daemon.</summary>
<interface name="bird_admin" lineno="20">
<summary>
All of the rules required to
administrate a bird environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bitlbee" filename="policy/modules/contrib/bitlbee.if">
<summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary>
<interface name="bitlbee_read_config" lineno="13">
<summary>
Read bitlbee configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bitlbee_admin" lineno="40">
<summary>
All of the rules required to
administrate a bitlbee environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="blkmapd" filename="policy/modules/contrib/blkmapd.if">
<summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>
<interface name="blkmapd_domtrans" lineno="13">
<summary>
Execute blkmapd_exec_t in the blkmapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="blkmapd_exec" lineno="32">
<summary>
Execute blkmapd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blkmapd_initrc_domtrans" lineno="51">
<summary>
Execute blkmapd server in the blkmapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blkmapd_read_pid_files" lineno="68">
<summary>
Read blkmapd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blkmapd_admin" lineno="95">
<summary>
All of the rules required to administrate
a blkmapd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="blueman" filename="policy/modules/contrib/blueman.if">
<summary>Tool to manage Bluetooth devices.</summary>
<interface name="blueman_domtrans" lineno="13">
<summary>
Execute blueman in the blueman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="blueman_dbus_chat" lineno="33">
<summary>
Send and receive messages from
blueman over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_search_lib" lineno="54">
<summary>
Search blueman lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_read_lib_files" lineno="73">
<summary>
Read blueman lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="blueman_manage_lib_files" lineno="93">
<summary>
Create, read, write, and delete
blueman lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bluetooth" filename="policy/modules/contrib/bluetooth.if">
<summary>Bluetooth tools and system services.</summary>
<interface name="bluetooth_role" lineno="18">
<summary>
Role access for bluetooth.
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="bluetooth_stream_connect" lineno="70">
<summary>
Connect to bluetooth over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_domtrans" lineno="97">
<summary>
Execute bluetooth in the bluetooth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bluetooth_read_config" lineno="116">
<summary>
Read bluetooth configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dbus_chat" lineno="135">
<summary>
Send and receive messages from
bluetooth over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dontaudit_dbus_chat" lineno="156">
<summary>
Do not audit attempts to send and receive messages from
bluetooth over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bluetooth_domtrans_helper" lineno="176">
<summary>
Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bluetooth_run_helper" lineno="202">
<summary>
Execute bluetooth_helper in the bluetooth_helper domain, and
allow the specified role the bluetooth_helper domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="terminal">
<summary>
The type of the terminal that the bluetooth_helper domain is allowed to use.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bluetooth_dontaudit_read_helper_state" lineno="217">
<summary>
Do not audit attempts to read
bluetooth process state files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bluetooth_systemctl" lineno="236">
<summary>
Execute bluetooth server in the bluetooth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bluetooth_admin" lineno="267">
<summary>
All of the rules required to
administrate a bluetooth environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="boinc" filename="policy/modules/contrib/boinc.if">
<summary>policy for boinc</summary>
<interface name="boinc_domtrans" lineno="13">
<summary>
Execute a domain transition to run boinc.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="boinc_initrc_domtrans" lineno="31">
<summary>
Execute boinc server in the boinc domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_dontaudit_getattr_lib" lineno="49">
<summary>
Dontaudit getattr on boinc lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="boinc_search_lib" lineno="67">
<summary>
Search boinc lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_read_lib_files" lineno="86">
<summary>
Read boinc lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_manage_lib_files" lineno="106">
<summary>
Create, read, write, and delete
boinc lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_manage_var_lib" lineno="125">
<summary>
Manage boinc var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_systemctl" lineno="146">
<summary>
Execute boinc server in the boinc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="boinc_admin" lineno="177">
<summary>
All of the rules required to administrate
a boinc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="boinc_execmem" dftval="true">
<desc>
<p>
Determine whether boinc can execmem/execstack.
</p>
</desc>
</tunable>
</module>
<module name="boltd" filename="policy/modules/contrib/boltd.if">
<summary>policy for boltd</summary>
<interface name="boltd_domtrans" lineno="13">
<summary>
Execute boltd_exec_t in the boltd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="boltd_exec" lineno="32">
<summary>
Execute boltd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_search_lib" lineno="51">
<summary>
Search boltd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_read_lib_files" lineno="70">
<summary>
Read boltd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_manage_lib_files" lineno="89">
<summary>
Manage boltd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_manage_lib_dirs" lineno="108">
<summary>
Manage boltd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_admin" lineno="135">
<summary>
All of the rules required to administrate
a boltd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="boltd_mounton_var_lib" lineno="168">
<summary>
Mount on the boltd lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_mounton_var_run" lineno="187">
<summary>
Mount on the boltd var_run directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_write_var_run_pipes" lineno="205">
<summary>
Write to boltd named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boltd_dbus_chat" lineno="224">
<summary>
Send messages to boltd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="boothd" filename="policy/modules/contrib/boothd.if">
<summary>policy for boothd</summary>
<interface name="boothd_domtrans" lineno="13">
<summary>
Execute boothd_exec_t in the boothd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="boothd_exec" lineno="32">
<summary>
Execute boothd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bootupd" filename="policy/modules/contrib/bootupd.if">
<summary>policy for bootupd</summary>
<interface name="bootupd_domtrans" lineno="13">
<summary>
Execute bootupd_exec_t in the bootupd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bootupd_exec" lineno="32">
<summary>
Execute bootupd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="brctl" filename="policy/modules/contrib/brctl.if">
<summary>Utilities for configuring the Linux ethernet bridge.</summary>
<interface name="brctl_domtrans" lineno="13">
<summary>
Execute a domain transition to run brctl.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="brctl_run" lineno="38">
<summary>
Execute brctl in the brctl domain, and
allow the specified role the brctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="brltty" filename="policy/modules/contrib/brltty.if">
<summary>brltty is a refreshable braille display driver for Linux/Unix</summary>
<interface name="brltty_domtrans" lineno="13">
<summary>
Execute brltty in the brltty domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="brltty_systemctl" lineno="31">
<summary>
Execute brltty server in the brltty domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="brltty_admin" lineno="59">
<summary>
All of the rules required to administrate
a brltty environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bugzilla" filename="policy/modules/contrib/bugzilla.if">
<summary>Bugtracker.</summary>
<interface name="bugzilla_search_content" lineno="13">
<summary>
Search bugzilla directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bugzilla_dontaudit_rw_stream_sockets" lineno="33">
<summary>
Do not audit attempts to read and
write bugzilla script unix domain
stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bugzilla_admin" lineno="52">
<summary>
All of the rules required to
administrate a bugzilla environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="bumblebee" filename="policy/modules/contrib/bumblebee.if">
<summary>policy for bumblebee</summary>
<interface name="bumblebee_domtrans" lineno="13">
<summary>
Execute bumblebee in the bumblebee domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bumblebee_read_pid_files" lineno="32">
<summary>
Read bumblebee PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bumblebee_systemctl" lineno="51">
<summary>
Execute bumblebee server in the bumblebee domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bumblebee_stream_connect" lineno="76">
<summary>
Connect to bumblebee over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bumblebee_admin" lineno="97">
<summary>
All of the rules required to administrate
a bumblebee environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cachefilesd" filename="policy/modules/contrib/cachefilesd.if">
<summary>policy for cachefilesd</summary>
<interface name="cachefilesd_domtrans" lineno="29">
<summary>
Execute a domain transition to run cachefilesd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="calamaris" filename="policy/modules/contrib/calamaris.if">
<summary>Squid log analysis.</summary>
<interface name="calamaris_domtrans" lineno="14">
<summary>
Execute the calamaris in
the calamaris domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="calamaris_run" lineno="40">
<summary>
Execute calamaris in the
calamaris domain, and allow the
specified role the calamaris domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="calamaris_read_www_files" lineno="59">
<summary>
Read calamaris www files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="calamaris_admin" lineno="86">
<summary>
All of the rules required to
administrate a calamaris environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="callweaver" filename="policy/modules/contrib/callweaver.if">
<summary>PBX software.</summary>
<interface name="callweaver_exec" lineno="13">
<summary>
Execute callweaver in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="callweaver_stream_connect" lineno="33">
<summary>
Connect to callweaver over a
unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="callweaver_admin" lineno="59">
<summary>
All of the rules required to
administrate a callweaver environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="canna" filename="policy/modules/contrib/canna.if">
<summary>Kana-kanji conversion server.</summary>
<interface name="canna_stream_connect" lineno="14">
<summary>
Connect to Canna using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="canna_admin" lineno="40">
<summary>
All of the rules required to
administrate a canna environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ccs" filename="policy/modules/contrib/ccs.if">
<summary>Cluster Configuration System.</summary>
<interface name="ccs_domtrans" lineno="13">
<summary>
Execute a domain transition to run ccs.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ccs_stream_connect" lineno="32">
<summary>
Connect to ccs over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_read_config" lineno="51">
<summary>
Read cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_manage_config" lineno="71">
<summary>
Create, read, write, and delete
cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_admin" lineno="98">
<summary>
All of the rules required to
administrate a ccs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cdrecord" filename="policy/modules/contrib/cdrecord.if">
<summary>Record audio or data Compact Discs from a master.</summary>
<interface name="cdrecord_role" lineno="18">
<summary>
Role access for cdrecord.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<tunable name="cdrecord_read_content" dftval="false">
<desc>
<p>
Determine whether cdrecord can read
various content: nfs, samba, removable
devices, user temp and untrusted
content files.
</p>
</desc>
</tunable>
</module>
<module name="certmaster" filename="policy/modules/contrib/certmaster.if">
<summary>Remote certificate distribution framework.</summary>
<interface name="certmaster_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmaster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmaster_exec" lineno="32">
<summary>
Execute certmaster in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_read_log" lineno="51">
<summary>
Read certmaster logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_append_log" lineno="70">
<summary>
Append certmaster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_manage_log" lineno="90">
<summary>
Create, read, write, and delete
certmaster log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_admin" lineno="117">
<summary>
All of the rules required to
administrate a certmaster environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="certmonger" filename="policy/modules/contrib/certmonger.if">
<summary>Certificate status monitor and PKI enrollment client.</summary>
<interface name="certmonger_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmonger.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmonger_dbus_chat" lineno="33">
<summary>
Send and receive messages from
certmonger over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_initrc_domtrans" lineno="54">
<summary>
Execute certmonger server in
the certmonger domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmonger_read_pid_files" lineno="72">
<summary>
Read certmonger PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_search_lib" lineno="91">
<summary>
Search certmonger lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_read_lib_files" lineno="110">
<summary>
Read certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_manage_lib_files" lineno="130">
<summary>
Create, read, write, and delete
certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_admin" lineno="156">
<summary>
All of the rules required to
administrate a certmonger environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="certwatch" filename="policy/modules/contrib/certwatch.if">
<summary>Digital Certificate Tracking.</summary>
<interface name="certwatch_domtrans" lineno="13">
<summary>
Domain transition to certwatch.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certwatch_run" lineno="41">
<summary>
Execute certwatch in the certwatch
domain, and allow the specified role
the certwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="certwatach_run" lineno="74">
<summary>
Execute certwatch in the certwatch domain, and
allow the specified role the certwatch domain,
and use the caller's terminal. Has a sigchld
backchannel.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="terminal">
<summary>
The type of the terminal the certwatch domain is allowed to use.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cfengine" filename="policy/modules/contrib/cfengine.if">
<summary>System administration tool for networks.</summary>
<template name="cfengine_domain_template" lineno="13">
<summary>
The template to define a cfengine domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="cfengine_search_lib_files" lineno="49">
<summary>
Search cfengine lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_read_lib_files" lineno="67">
<summary>
Read cfengine lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_dontaudit_write_log_files" lineno="87">
<summary>
Do not audit attempts to write
cfengine log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cfengine_append_inherited_log" lineno="105">
<summary>
Allow the specified domain to append cfengine's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_dontaudit_write_log" lineno="124">
<summary>
Do not audit attempts by the specified domain to write cfengine's log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cfengine_admin" lineno="149">
<summary>
All of the rules required to
administrate a cfengine environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cgroup" filename="policy/modules/contrib/cgroup.if">
<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
<interface name="cgroup_domtrans_cgclear" lineno="14">
<summary>
Execute a domain transition to run
CG Clear.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_domtrans_cgconfig" lineno="34">
<summary>
Execute a domain transition to run
CG config parser.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgconfig" lineno="54">
<summary>
Execute a domain transition to run
CG config parser.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_domtrans_cgred" lineno="73">
<summary>
Execute a domain transition to run
CG rules engine daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgred" lineno="94">
<summary>
Execute a domain transition to run
CG rules engine daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_run_cgclear" lineno="121">
<summary>
Execute a domain transition to
run CG Clear and allow the
specified role the CG Clear
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cgroup_stream_connect_cgred" lineno="141">
<summary>
Connect to CG rules engine daemon
over unix stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cgroup_admin" lineno="167">
<summary>
All of the rules required to administrate
a cgroup environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="chrome" filename="policy/modules/contrib/chrome.if">
<summary>policy for chrome</summary>
<interface name="chrome_domtrans_sandbox" lineno="13">
<summary>
Execute a domain transition to run chrome_sandbox.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chrome_run_sandbox" lineno="44">
<summary>
Execute chrome_sandbox in the chrome_sandbox domain, and
allow the specified role the chrome_sandbox domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the chrome_sandbox domain.
</summary>
</param>
</interface>
<interface name="chrome_role_notrans" lineno="70">
<summary>
Role access for chrome sandbox
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="chrome_role" lineno="111">
<summary>
Role access for chrome sandbox
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="chrome_dontaudit_sandbox_leaks" lineno="126">
<summary>
Do not audit attempts to read/write chrome_sandbox leaks.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="chrome_filetrans_home_content" lineno="146">
<summary>
Create chrome directory in the user home directory
with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="chronyd" filename="policy/modules/contrib/chronyd.if">
<summary>Chrony NTP background daemon.</summary>
<interface name="chronyd_domtrans" lineno="13">
<summary>
Execute chronyd in the chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_initrc_domtrans" lineno="33">
<summary>
Execute chronyd server in the
chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_exec" lineno="51">
<summary>
Execute chronyd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_signal" lineno="70">
<summary>
Send generic signals to chronyd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_log" lineno="88">
<summary>
Read chronyd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_rw_shm" lineno="107">
<summary>
Read and write chronyd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_keys" lineno="129">
<summary>
Read chronyd keys files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_append_keys" lineno="147">
<summary>
Append chronyd keys files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_systemctl" lineno="165">
<summary>
Execute chronyd server in the chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_stream_connect" lineno="190">
<summary>
Connect to chronyd using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_dgram_send" lineno="210">
<summary>
Send to chronyd using a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_manage_pid" lineno="229">
<summary>
Manage pid files used by chronyd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_manage_pid_files" lineno="249">
<summary>
Manage pid files used by chronyd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_pid_filetrans" lineno="269">
<summary>
Create objects in /var/run
with chronyd runtime private file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_admin" lineno="295">
<summary>
All of the rules required to
administrate a chronyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="chronyd_service_status" lineno="343">
<summary>
Get chronyd service status
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_domtrans_chronyc" lineno="361">
<summary>
Execute chronyc in the chronyc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="chronyd_run_chronyc" lineno="384">
<summary>
Execute chronyc in the chronyc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="cinder" filename="policy/modules/contrib/cinder.if">
<summary>openstack-cinder</summary>
<interface name="cinder_manage_lib_files" lineno="13">
<summary>
Manage cinder lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="cinder_domain_template" lineno="33">
<summary>
Creates types and rules for a basic
openstack-cinder systemd daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
</module>
<module name="cipe" filename="policy/modules/contrib/cipe.if">
<summary>Encrypted tunnel daemon.</summary>
<interface name="cipe_admin" lineno="20">
<summary>
All of the rules required to
administrate a cipe environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="clamav" filename="policy/modules/contrib/clamav.if">
<summary>ClamAV Virus Scanner</summary>
<interface name="clamav_domtrans" lineno="13">
<summary>
Execute a domain transition to run clamd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_stream_connect" lineno="31">
<summary>
Connect to clamd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_append_log" lineno="51">
<summary>
Allow the specified domain to append
to clamav log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_config" lineno="71">
<summary>
Read clamav configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_search_lib" lineno="90">
<summary>
Search clamav library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_domtrans_clamscan" lineno="109">
<summary>
Execute a domain transition to run clamscan.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_exec_clamscan" lineno="127">
<summary>
Execute clamscan without a transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_manage_clamd_pid" lineno="145">
<summary>
Manage clamd pid content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_state_clamd" lineno="164">
<summary>
Read clamd state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamd_systemctl" lineno="183">
<summary>
Execute clamd server in the clamd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_admin" lineno="215">
<summary>
All of the rules required to administrate
a clamav environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the clamav domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="clamav_read_user_content_files_clamscan" dftval="false">
<desc>
<p>
Determine whether clamscan can
read user content files.
</p>
</desc>
</tunable>
<tunable name="clamav_read_all_non_security_files_clamscan" dftval="false">
<desc>
<p>
Determine whether clamscan can read
all non-security files.
</p>
</desc>
</tunable>
<tunable name="clamd_use_jit" dftval="false">
<desc>
<p>
Determine whether clamd can use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="clockspeed" filename="policy/modules/contrib/clockspeed.if">
<summary>Clock speed measurement and manipulation.</summary>
<interface name="clockspeed_domtrans_cli" lineno="14">
<summary>
Execute clockspeed utilities in
the clockspeed_cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clockspeed_run_cli" lineno="41">
<summary>
Execute clockspeed utilities in the
clockspeed cli domain, and allow the
specified role the clockspeed cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="clogd" filename="policy/modules/contrib/clogd.if">
<summary>Clustered Mirror Log Server.</summary>
<interface name="clogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run clogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clogd_stream_connect" lineno="33">
<summary>
Connect to clogd over a unix domain
stream socket.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clogd_rw_semaphores" lineno="47">
<summary>
Read and write clogd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clogd_rw_shm" lineno="65">
<summary>
Read and write clogd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cloudform" filename="policy/modules/contrib/cloudform.if">
<summary>cloudform policy</summary>
<template name="cloudform_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
cloudform daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="cloudform_init_domtrans" lineno="36">
<summary>
Execute a domain transition to run cloud_init.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_rw_pipes" lineno="54">
<summary>
Read and write unnamed cloud-init pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_init_dgram_send" lineno="72">
<summary>
Send a message to cloud-init over a datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_init_write_tmp" lineno="90">
<summary>
Write to cloud-init temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_exec_mongod" lineno="109">
<summary>
Execute mongod in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_read_lib_files" lineno="127">
<summary>
Allow reading of cloud lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_read_lib_lnk_files" lineno="146">
<summary>
Allow reading of cloud lib symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloudform_dontaudit_write_cloud_log" lineno="165">
<summary>
Do not audit attempts to write cloud log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="cmirrord" filename="policy/modules/contrib/cmirrord.if">
<summary>Cluster mirror log daemon.</summary>
<interface name="cmirrord_domtrans" lineno="14">
<summary>
Execute a domain transition to
run cmirrord.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cmirrord_initrc_domtrans" lineno="34">
<summary>
Execute cmirrord server in the
cmirrord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cmirrord_read_pid_files" lineno="52">
<summary>
Read cmirrord PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cmirrord_rw_shm" lineno="71">
<summary>
Read and write cmirrord shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cmirrord_admin" lineno="102">
<summary>
All of the rules required to
administrate a cmirrord environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cobbler" filename="policy/modules/contrib/cobbler.if">
<summary>Cobbler installation server.</summary>
<interface name="cobblerd_domtrans" lineno="13">
<summary>
Execute a domain transition to run cobblerd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobblerd_initrc_domtrans" lineno="33">
<summary>
Execute cobblerd init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobbler_list_config" lineno="53">
<summary>
Read cobbler configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_read_config" lineno="73">
<summary>
Read cobbler configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_dontaudit_rw_log" lineno="93">
<summary>
Do not audit attempts to read and write
cobbler log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cobbler_search_lib" lineno="111">
<summary>
Search cobbler lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_read_lib_files" lineno="130">
<summary>
Read cobbler lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_manage_lib_files" lineno="151">
<summary>
Create, read, write, and delete
cobbler lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobblerd_admin" lineno="179">
<summary>
All of the rules required to
administrate a cobbler environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cobbler_admin" lineno="201">
<summary>
All of the rules required to
administrate a cobbler environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cobbler_anon_write" dftval="false">
<desc>
<p>
Determine whether Cobbler can modify
public files used for public file
transfer services.
</p>
</desc>
</tunable>
<tunable name="cobbler_can_network_connect" dftval="false">
<desc>
<p>
Determine whether Cobbler can connect
to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_cifs" dftval="false">
<desc>
<p>
Determine whether Cobbler can access
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_nfs" dftval="false">
<desc>
<p>
Determine whether Cobbler can access
nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="collectd" filename="policy/modules/contrib/collectd.if">
<summary>Statistics collection daemon for filling RRD files.</summary>
<interface name="collectd_domtrans" lineno="13">
<summary>
Transition to collectd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="collectd_initrc_domtrans" lineno="32">
<summary>
Execute collectd server in the collectd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_search_lib" lineno="50">
<summary>
Search collectd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_read_lib_files" lineno="69">
<summary>
Read collectd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_manage_lib_files" lineno="88">
<summary>
Manage collectd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_manage_lib_dirs" lineno="107">
<summary>
Manage collectd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_manage_rw_content" lineno="126">
<summary>
Manage collectd httpd rw content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_systemctl" lineno="146">
<summary>
Execute collectd server in the collectd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="collectd_admin" lineno="177">
<summary>
All of the rules required to administrate
a collectd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="collectd_tcp_network_connect" dftval="false">
<desc>
<p>
Determine whether collectd can connect
to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="colord" filename="policy/modules/contrib/colord.if">
<summary>GNOME color manager</summary>
<interface name="colord_domtrans" lineno="13">
<summary>
Execute a domain transition to run colord.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="colord_dbus_chat" lineno="32">
<summary>
Send and receive messages from
colord over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="colord_read_lib_files" lineno="53">
<summary>
Read colord lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="colord_systemctl" lineno="72">
<summary>
Execute colord server in the colord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="colord_use_nfs" dftval="false">
<desc>
<p>
Determine whether Colord can access
nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="comsat" filename="policy/modules/contrib/comsat.if">
<summary>Comsat, a biff server.</summary>
</module>
<module name="condor" filename="policy/modules/contrib/condor.if">
<summary>policy for condor</summary>
<template name="condor_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
condor init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="condor_domtrans_master" lineno="53">
<summary>
Transition to condor.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="condor_startd_ranged_domtrans_to" lineno="84">
<summary>
Allow condor_startd to start userland processes
by transitioning to the specified domain,
with a range transition.
</summary>
<param name="domain">
<summary>
The process type entered by condor_startd.
</summary>
</param>
<param name="entrypoint">
<summary>
The executable type for the entrypoint.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
</interface>
<interface name="condor_startd_domtrans_to" lineno="113">
<summary>
Allow condor_startd to start userland processes
by transitioning to the specified domain.
</summary>
<param name="domain">
<summary>
The process type entered by condor_startd.
</summary>
</param>
<param name="entrypoint">
<summary>
The executable type for the entrypoint.
</summary>
</param>
</interface>
<interface name="condor_read_log" lineno="132">
<summary>
Read condor's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="condor_append_log" lineno="151">
<summary>
Append to condor log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_log" lineno="170">
<summary>
Manage condor log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_search_lib" lineno="191">
<summary>
Search condor lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_read_lib_files" lineno="210">
<summary>
Read condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_rw_lib_files" lineno="229">
<summary>
Read and write condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_lib_files" lineno="248">
<summary>
Manage condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_lib_dirs" lineno="267">
<summary>
Manage condor lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_read_pid_files" lineno="286">
<summary>
Read condor PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_systemctl" lineno="305">
<summary>
Execute condor server in the condor domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="condor_rw_tcp_sockets_startd" lineno="330">
<summary>
Read and write condor_startd server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_rw_tcp_sockets_schedd" lineno="348">
<summary>
Read and write condor_schedd server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_admin" lineno="372">
<summary>
All of the rules required to administrate
a condor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="condor_tcp_network_connect" dftval="false">
<desc>
<p>
Determine whether Condor can connect
to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="conman" filename="policy/modules/contrib/conman.if">
<summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
<interface name="conman_domtrans" lineno="13">
<summary>
Execute conman in the conman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="conman_read_log" lineno="32">
<summary>
Read conman's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conman_append_log" lineno="51">
<summary>
Append to conman log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conman_manage_log" lineno="70">
<summary>
Manage conman log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conman_systemctl" lineno="90">
<summary>
Execute conman server in the conman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="conman_admin" lineno="118">
<summary>
All of the rules required to administrate
a conman environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="conman_can_network" dftval="false">
<desc>
<p>
Determine whether conman can
connect to all TCP ports
</p>
</desc>
</tunable>
<tunable name="conman_use_nfs" dftval="false">
<desc>
<p>
Allow conman to manage nfs files
</p>
</desc>
</tunable>
</module>
<module name="conntrackd" filename="policy/modules/contrib/conntrackd.if">
<summary>Conntrackd connection tracking service</summary>
<interface name="conntrackd_read_config" lineno="14">
<summary>
Read the configuration files for conntrackd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="conntrackd_stream_connect" lineno="35">
<summary>
Connect to conntrackd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conntrackd_systemctl" lineno="54">
<summary>
Execute conntrackd services in the conntrackd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="conntrackd_admin" lineno="85">
<summary>
All of the rules required to administrate
a conntrackd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the conntrackd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="consolekit" filename="policy/modules/contrib/consolekit.if">
<summary>Framework for facilitating multiple user sessions on desktops.</summary>
<interface name="consolekit_domtrans" lineno="13">
<summary>
Execute a domain transition to run consolekit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="consolekit_dontaudit_dbus_chat" lineno="33">
<summary>
Do not audit attempts to send and receive
messages from consolekit over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="consolekit_dbus_chat" lineno="54">
<summary>
Send and receive messages from
consolekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_dontaudit_read_log" lineno="74">
<summary>
Do not audit attempts to read consolekit log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="consolekit_read_log" lineno="92">
<summary>
Read consolekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_manage_log" lineno="112">
<summary>
Create, read, write, and delete
consolekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_read_pid_files" lineno="131">
<summary>
Read consolekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_list_pid_files" lineno="151">
<summary>
List consolekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_read_state" lineno="170">
<summary>
Allow the domain to read consolekit state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_systemctl" lineno="189">
<summary>
Execute consolekit server in the consolekit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="container" filename="policy/modules/contrib/container.if">
<summary>The open-source application container engine.</summary>
<interface name="container_runtime_domtrans" lineno="13">
<summary>
Execute container in the container domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="container_runtime_run" lineno="40">
<summary>
Execute container runtime in the container runtime domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="container_runtime_exec" lineno="62">
<summary>
Execute container in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_read_state" lineno="81">
<summary>
Read the process state of container runtime
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_search_lib" lineno="99">
<summary>
Search container lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_exec_lib" lineno="118">
<summary>
Execute container lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_read_lib_files" lineno="137">
<summary>
Read container lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_read_share_files" lineno="156">
<summary>
Read container share files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_runtime_read_tmpfs_files" lineno="177">
<summary>
Read container runtime tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_share_files" lineno="198">
<summary>
Manage container share files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_share_dirs" lineno="219">
<summary>
Manage container share dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_exec_share_files" lineno="239">
<summary>
Allow the specified domain to execute container shared files
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_config_files" lineno="257">
<summary>
Manage container config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_lib_files" lineno="279">
<summary>
Manage container lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_files" lineno="299">
<summary>
Manage container files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_dirs" lineno="318">
<summary>
Manage container directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_manage_lib_dirs" lineno="336">
<summary>
Manage container lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_lib_filetrans" lineno="372">
<summary>
Create objects in a container var lib directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="container_read_pid_files" lineno="390">
<summary>
Read container PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_systemctl" lineno="409">
<summary>
Execute container server in the container domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="container_rw_sem" lineno="434">
<summary>
Read and write container shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_append_file" lineno="453">
<summary>
Allow the specified domain to append
to container files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_use_ptys" lineno="471">
<summary>
Read and write the container pty type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_filetrans_named_content" lineno="489">
<summary>
Allow domain to create container content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_stream_connect" lineno="593">
<summary>
Connect to container over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_spc_stream_connect" lineno="614">
<summary>
Connect to SPC containers over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_admin" lineno="634">
<summary>
All of the rules required to administrate
a container environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_auth_domtrans" lineno="684">
<summary>
Execute container_auth_exec_t in the container_auth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="container_auth_exec" lineno="703">
<summary>
Execute container_auth in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_auth_stream_connect" lineno="722">
<summary>
Connect to container_auth over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_runtime_typebounds" lineno="741">
<summary>
container domain typebounds calling domain.
</summary>
<param name="domain">
<summary>
Domain to be typebound.
</summary>
</param>
</interface>
<interface name="container_runtime_entrypoint" lineno="760">
<summary>
Allow any container_runtime_exec_t to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="docker_exec_lib" lineno="767">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_read_share_files" lineno="771">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_exec_share_files" lineno="775">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_manage_lib_files" lineno="779">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_manage_lib_dirs" lineno="784">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_lib_filetrans" lineno="788">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_read_pid_files" lineno="792">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_systemctl" lineno="796">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_use_ptys" lineno="800">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_stream_connect" lineno="804">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="docker_spc_stream_connect" lineno="808">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<interface name="container_spc_read_state" lineno="822">
<summary>
Read the process state of spc containers
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="container_runtime_domain_template" lineno="841">
<summary>
Creates types and rules for a basic
container runtime process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<template name="container_domain_template" lineno="884">
<summary>
Creates types and rules for a basic
container process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
<param name="prefix">
<summary>
Prefix for the file type.
</summary>
</param>
</template>
<template name="container_manage_files_template" lineno="916">
<summary>
Manage container files template
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
<param name="prefix">
<summary>
Prefix for the file type.
</summary>
</param>
</template>
<interface name="container_spc_rw_pipes" lineno="959">
<summary>
Read and write a spc_t unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_kubelet_domtrans" lineno="977">
<summary>
Execute container in the container domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="container_kubelet_run" lineno="1002">
<summary>
Execute kubelet_exec_t in the kubelet_t domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="container_kubelet_stream_connect" lineno="1021">
<summary>
Connect to kubelet over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="container_file" lineno="1040">
<summary>
Create a file type used for container files.
</summary>
<param name="script_file">
<summary>
Type to be used for a container file.
</summary>
</param>
</interface>
<tunable name="container_connect_any" dftval="false">
<desc>
<p>
Determine whether container can
connect to all TCP ports.
</p>
</desc>
</tunable>
<tunable name="container_read_certs" dftval="false">
<desc>
<p>
Allow all container domains to read cert files and directories
</p>
</desc>
</tunable>
<tunable name="sshd_launch_containers" dftval="false">
<desc>
<p>
Determine whether sshd can launch container engines
</p>
</desc>
</tunable>
<tunable name="container_use_devices" dftval="false">
<desc>
<p>
Allow containers to use any device volume mounted into container
</p>
</desc>
</tunable>
<tunable name="container_use_xserver_devices" dftval="false">
<desc>
<p>
Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
</p>
</desc>
</tunable>
<tunable name="container_use_dri_devices" dftval="true">
<desc>
<p>
Allow containers to use any dri device volume mounted into container
</p>
</desc>
</tunable>
<tunable name="container_manage_cgroup" dftval="false">
<desc>
<p>
Allow sandbox containers to manage cgroup (systemd)
</p>
</desc>
</tunable>
<tunable name="container_use_cephfs" dftval="false">
<desc>
<p>
Determine whether container can
use ceph file system
</p>
</desc>
</tunable>
<tunable name="container_use_ecryptfs" dftval="false">
<desc>
<p>
Determine whether container can
use ecrypt file system
</p>
</desc>
</tunable>
</module>
<module name="coreos_installer" filename="policy/modules/contrib/coreos_installer.if">
<summary>policy for coreos_installer</summary>
<interface name="coreos_installer_domtrans" lineno="13">
<summary>
Execute coreos_installer_exec_t in the coreos_installer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="coreos_installer_exec" lineno="32">
<summary>
Execute coreos_installer in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="corosync" filename="policy/modules/contrib/corosync.if">
<summary>Corosync Cluster Engine.</summary>
<interface name="corosync_domtrans" lineno="13">
<summary>
Execute a domain transition to run corosync.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_initrc_domtrans" lineno="33">
<summary>
Execute corosync init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_exec" lineno="51">
<summary>
Execute corosync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_read_log" lineno="70">
<summary>
Read corosync log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_setattr_log" lineno="90">
<summary>
Setattr corosync log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_stream_connect" lineno="110">
<summary>
Connect to corosync over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_rw_tmpfs" lineno="131">
<summary>
Allow the specified domain to read/write corosync's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_systemctl" lineno="150">
<summary>
Execute corosync server in the corosync domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosyncd_admin" lineno="181">
<summary>
All of the rules required to
administrate a corosync environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="corosync_admin" lineno="203">
<summary>
All of the rules required to
administrate a corosync environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="couchdb" filename="policy/modules/contrib/couchdb.if">
<summary>Document database server.</summary>
<interface name="couchdb_read_log_files" lineno="13">
<summary>
Allow the domain to read couchdb log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_lib_files" lineno="32">
<summary>
Allow the domain to read couchdb lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_manage_lib_files" lineno="52">
<summary>
All of the rules required to
administrate a couchdb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_manage_lib_dirs" lineno="71">
<summary>
Manage couchdb lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_conf_files" lineno="90">
<summary>
Allow the domain to read couchdb conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_read_pid_files" lineno="109">
<summary>
Read couchdb PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_search_pid_dirs" lineno="128">
<summary>
Search couchdb PID dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_manage_files" lineno="147">
<summary>
Allow domain to manage couchdb content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="couchdb_systemctl" lineno="171">
<summary>
Execute couchdb server in the couchdb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="couchdb_admin" lineno="204">
<summary>
All of the rules required to administrate
a couchdb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="courier" filename="policy/modules/contrib/courier.if">
<summary>Courier IMAP and POP3 email servers</summary>
<template name="courier_domain_template" lineno="13">
<summary>
Template for creating courier server processes.
</summary>
<param name="prefix">
<summary>
Prefix name of the server process.
</summary>
</param>
</template>
<interface name="courier_domtrans_authdaemon" lineno="58">
<summary>
Execute the courier authentication daemon with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="courier_stream_connect_authdaemon" lineno="76">
<summary>
Connect to courier-authdaemon over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_domtrans_pop" lineno="96">
<summary>
Execute the courier POP3 and IMAP server with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="courier_read_config" lineno="114">
<summary>
Read courier config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_dirs" lineno="134">
<summary>
Create, read, write, and delete courier
spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_files" lineno="154">
<summary>
Create, read, write, and delete courier
spool files.
</summary>
<param name="domains">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_sockets" lineno="173">
<summary>
Manage named socket in a courier spool directory.
</summary>
<param name="domains">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_read_spool" lineno="192">
<summary>
Read courier spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_rw_spool_pipes" lineno="211">
<summary>
Read and write to courier spool pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cpucontrol" filename="policy/modules/contrib/cpucontrol.if">
<summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
<interface name="cpucontrol_stub" lineno="13">
<summary>
CPUcontrol stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cpufreqselector" filename="policy/modules/contrib/cpufreqselector.if">
<summary>Command-line CPU frequency settings.</summary>
<interface name="cpufreqselector_dbus_chat" lineno="14">
<summary>
Send and receive messages from
cpufreq-selector over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cpuplug" filename="policy/modules/contrib/cpuplug.if">
<summary>cpuplugd - Linux on System z CPU and memory hotplug daemon</summary>
<interface name="cpuplug_domtrans" lineno="13">
<summary>
Execute cpuplug in the cpuplug domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="cron" filename="policy/modules/contrib/cron.if">
<summary>Periodic execution of scheduled commands.</summary>
<template name="cron_common_crontab_template" lineno="14">
<summary>
The common rules for a crontab domain.
</summary>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<interface name="cron_role" lineno="59">
<summary>
Role access for cron
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolecap/>
</interface>
<interface name="cron_unconfined_role" lineno="155">
<summary>
Role access for unconfined cronjobs
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolecap/>
</interface>
<interface name="cron_admin_role" lineno="238">
<summary>
Role access for cron
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolecap/>
</interface>
<interface name="cron_system_entry" lineno="332">
<summary>
Make the specified program domain accessible
from the system cron jobs.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="cron_domtrans" lineno="356">
<summary>
Execute cron in the cron system domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_exec" lineno="374">
<summary>
Execute crond_exec_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_initrc_domtrans" lineno="392">
<summary>
Execute crond server in the crond domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_systemctl" lineno="410">
<summary>
Execute crond server in the crond domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_use_fds" lineno="435">
<summary>
Inherit and use a file descriptor
from the cron daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_sigchld" lineno="453">
<summary>
Send a SIGCHLD signal to the cron daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_signal" lineno="471">
<summary>
Send a generic signal to cron daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_pipes" lineno="489">
<summary>
Read a cron daemon unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_state_crond" lineno="507">
<summary>
Read crond state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dbus_chat_crond" lineno="528">
<summary>
Send and receive messages from
crond over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dbus_chat_system_job" lineno="549">
<summary>
Send and receive messages from
the cron system domain over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_pipes" lineno="569">
<summary>
Do not audit attempts to write cron daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_rw_pipes" lineno="587">
<summary>
Read and write a cron daemon unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_setattr_pipes" lineno="605">
<summary>
Do not audit attempts to setattr cron daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_user_spool_files" lineno="623">
<summary>
Read and write inherited user spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_spool_files" lineno="641">
<summary>
Read and write inherited spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_tcp_sockets" lineno="659">
<summary>
Read and write cron daemon TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_rw_tcp_sockets" lineno="677">
<summary>
Do not audit attempts to read and write cron daemon TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_search_spool" lineno="695">
<summary>
Search the directory containing user cron tables.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_system_spool" lineno="714">
<summary>
Manage the system cron spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_pid_files" lineno="733">
<summary>
Manage pid files used by cron
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_pid_files" lineno="752">
<summary>
Read pid files used by cron
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_anacron_domtrans_system_job" lineno="771">
<summary>
Execute anacron in the cron system domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cron_signull_system_job" lineno="789">
<summary>
Send a null signal to cron system job.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_use_system_job_fds" lineno="808">
<summary>
Inherit and use a file descriptor
from system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_write_system_job_pipes" lineno="826">
<summary>
Write a system cron job unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_pipes" lineno="844">
<summary>
Read and write a system cron job unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_stream_sockets" lineno="862">
<summary>
Allow read/write unix stream sockets from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_tmp_files" lineno="880">
<summary>
Read temporary files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="903">
<summary>
Do not audit attempts to append temporary
files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="922">
<summary>
Do not audit attempts to write temporary
files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_dgram_send" lineno="943">
<summary>
Send to system_cronjob over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_lib_files" lineno="961">
<summary>
Read lib files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_system_job_lib_files" lineno="980">
<summary>
Manage files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_log_files" lineno="1000">
<summary>
Create, read, write and delete
cron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_generic_log_filetrans_log" lineno="1031">
<summary>
Create specified objects in generic
log directories with the cron log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="cron_generic_log_filetrans_log_insights" lineno="1060">
<summary>
Create specified objects in generic
log directories with the cron log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="cron_system_spool_entrypoint" lineno="1079">
<summary>
Allow system_cron_spool_t to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="crontab_domtrans" lineno="1096">
<summary>
Execute crontab in the crontab domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="crontab_admin_domtrans" lineno="1114">
<summary>
Execute crontab in the admin crontab domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="cron_can_relabel" dftval="false">
<desc>
<p>
Allow system cron jobs to relabel filesystem
for restoring file contexts.
</p>
</desc>
</tunable>
<tunable name="cron_userdomain_transition" dftval="true">
<desc>
<p>
Determine whether crond can execute jobs
in the user domain as opposed to
the generic cronjob domain.
</p>
</desc>
</tunable>
<tunable name="cron_system_cronjob_use_shares" dftval="false">
<desc>
<p>
Allow system cronjob to be executed
on NFS, CIFS or FUSE filesystem.
</p>
</desc>
</tunable>
<tunable name="fcron_crond" dftval="false">
<desc>
<p>
Enable extra rules in the cron domain
to support fcron.
</p>
</desc>
</tunable>
</module>
<module name="ctdb" filename="policy/modules/contrib/ctdb.if">
<summary>policy for ctdbd</summary>
<interface name="ctdbd_domtrans" lineno="13">
<summary>
Transition to ctdbd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ctdbd_initrc_domtrans" lineno="32">
<summary>
Execute ctdbd server in the ctdbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_signal" lineno="50">
<summary>
Allow domain to signal ctdbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_sigchld" lineno="67">
<summary>
Allow domain to sigchld ctdbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_log" lineno="85">
<summary>
Read ctdbd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ctdbd_append_log" lineno="104">
<summary>
Append to ctdbd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_log" lineno="123">
<summary>
Manage ctdbd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_search_lib" lineno="144">
<summary>
Search ctdbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_lib_files" lineno="163">
<summary>
Read ctdbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_lib_files" lineno="182">
<summary>
Manage ctdbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_lib_dirs" lineno="202">
<summary>
Manage ctdbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_pid_files" lineno="221">
<summary>
Read ctdbd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_stream_connect" lineno="240">
<summary>
Connect to ctdbd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_admin" lineno="267">
<summary>
All of the rules required to administrate
a ctdbd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cups" filename="policy/modules/contrib/cups.if">
<summary>Common UNIX printing system.</summary>
<interface name="cups_backend" lineno="19">
<summary>
Create a domain which can be
started by cupsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="cups_domtrans" lineno="46">
<summary>
Execute cups in the cups domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_stream_connect" lineno="66">
<summary>
Connect to cupsd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_tcp_connect" lineno="86">
<summary>
Connect to cups over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat" lineno="101">
<summary>
Send and receive messages from
cups over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_pid_files" lineno="121">
<summary>
Read cups PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_domtrans_config" lineno="141">
<summary>
Execute cups_config in the
cups config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_signal_config" lineno="161">
<summary>
Send generic signals to the cups
configuration daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat_config" lineno="180">
<summary>
Send and receive messages from
cupsd_config over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_config" lineno="201">
<summary>
Read cups configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_rw_config" lineno="224">
<summary>
Read cups-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_log" lineno="244">
<summary>
Read cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_append_log" lineno="263">
<summary>
Append cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_write_log" lineno="282">
<summary>
Write cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_stream_connect_ptal" lineno="302">
<summary>
Connect to ptal over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cupsd_systemctl" lineno="321">
<summary>
Execute cupsd server in the cupsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cups_read_state" lineno="345">
<summary>
Read the process state (/proc/pid) of cupsd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_admin" lineno="372">
<summary>
All of the rules required to
administrate a cups environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_filetrans_named_content" lineno="424">
<summary>
Transition to cups named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="cups_execmem" dftval="false">
<desc>
<p>
Allow cups execmem/execstack
</p>
</desc>
</tunable>
</module>
<module name="cvs" filename="policy/modules/contrib/cvs.if">
<summary>Concurrent versions system.</summary>
<interface name="cvs_dontaudit_list_data" lineno="13">
<summary>
Do not audit attempts to list the CVS data and metadata.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cvs_read_data" lineno="31">
<summary>
Read CVS data and metadata content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_exec" lineno="51">
<summary>
Execute cvs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_filetrans_home_content" lineno="70">
<summary>
Transition to cvs named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_admin" lineno="95">
<summary>
All of the rules required to
administrate a cvs environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cvs_read_shadow" dftval="false">
<desc>
<p>
Determine whether cvs can read shadow
password files.
</p>
</desc>
</tunable>
</module>
<module name="cyphesis" filename="policy/modules/contrib/cyphesis.if">
<summary>Cyphesis WorldForge game server.</summary>
<interface name="cyphesis_domtrans" lineno="13">
<summary>
Execute a domain transition to run cyphesis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cyphesis_admin" lineno="39">
<summary>
All of the rules required to
administrate a cyphesis environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cyrus" filename="policy/modules/contrib/cyrus.if">
<summary>Cyrus is an IMAP service intended to be run on sealed servers.</summary>
<interface name="cyrus_manage_data" lineno="14">
<summary>
Create, read, write, and delete
cyrus data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_write_data" lineno="33">
<summary>
Allow write cyrus data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_stream_connect" lineno="53">
<summary>
Connect to Cyrus using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_runtime_stream_connect" lineno="76">
<summary>
Connect to Cyrus using a unix
domain stream socket in the runtime filesystem.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_admin" lineno="102">
<summary>
All of the rules required to
administrate a cyrus environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="daemontools" filename="policy/modules/contrib/daemontools.if">
<summary>Collection of tools for managing UNIX services.</summary>
<interface name="daemontools_ipc_domain" lineno="14">
<summary>
An ipc channel between the
supervised domain and svc_start_t.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_service_domain" lineno="41">
<summary>
Create a domain which can be
started by daemontools.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entrypoint">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="daemontools_domtrans_start" lineno="64">
<summary>
Execute svc start in the svc
start domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemonstools_run_start" lineno="91">
<summary>
Execute svc start in the svc
start domain, and allow the
specified role the svc start domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="daemontools_domtrans_run" lineno="110">
<summary>
Execute svc run in the svc run domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemontools_sigchld_run" lineno="130">
<summary>
Send child terminated signals
to svc run.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_domtrans_multilog" lineno="149">
<summary>
Execute svc multilog in the svc
multilog domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="daemontools_search_svc_dir" lineno="168">
<summary>
Search svc svc directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="daemontools_read_svc" lineno="188">
<summary>
Read svc avc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="daemontools_manage_svc" lineno="210">
<summary>
Create, read, write and delete
svc svc content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dante" filename="policy/modules/contrib/dante.if">
<summary>Dante msproxy and socks4/5 proxy server.</summary>
<interface name="dante_admin" lineno="20">
<summary>
All of the rules required to
administrate a dante environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dbadm" filename="policy/modules/contrib/dbadm.if">
<summary>Database administrator role.</summary>
<interface name="dbadm_role_change" lineno="14">
<summary>
Change to the database administrator role.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dbadm_role_change_to" lineno="44">
<summary>
Change from the database administrator role.
</summary>
<desc>
<p>
Change from the database administrator role to
the specified role.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="dbadm_manage_user_files" dftval="false">
<desc>
<p>
Determine whether dbadm can manage
generic user files.
</p>
</desc>
</tunable>
<tunable name="dbadm_read_user_files" dftval="false">
<desc>
<p>
Determine whether dbadm can read
generic user files.
</p>
</desc>
</tunable>
</module>
<module name="dbskk" filename="policy/modules/contrib/dbskk.if">
<summary>Dictionary server for the SKK Japanese input method system.</summary>
</module>
<module name="dbus" filename="policy/modules/contrib/dbus.if">
<summary>Desktop messaging bus</summary>
<interface name="dbus_stub" lineno="13">
<summary>
DBUS stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="dbus_exec_dbusd" lineno="30">
<summary>
Execute dbus-daemon in the caller domain.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<template name="dbus_role_template" lineno="58">
<summary>
Role access for dbus
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</template>
<interface name="dbus_system_bus_client" lineno="153">
<summary>
Template for creating connections to
the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_session_client" lineno="199">
<summary>
Creating connections to specified
DBUS sessions.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_session_bus_client" lineno="221">
<summary>
Template for creating connections to
a user DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_session_bus" lineno="248">
<summary>
Send a message on the session DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_config" lineno="267">
<summary>
Read dbus configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_watch_config" lineno="286">
<summary>
Watch dbus configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_lib_files" lineno="304">
<summary>
Read system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_manage_lib_files" lineno="325">
<summary>
Create, read, write, and delete
system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_connect_session_bus" lineno="345">
<summary>
Connect to the session DBUS
for service (acquire_svc).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_session_domain" lineno="376">
<summary>
Allow an application domain to be started
by the session dbus.
</summary>
<param name="domain_prefix">
<summary>
User domain prefix to be used.
</summary>
</param>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an
entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_connect_system_bus" lineno="398">
<summary>
Connect to the system DBUS
for service (acquire_svc).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_system_bus" lineno="417">
<summary>
Send a message on the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_system_bus_unconfined" lineno="436">
<summary>
Allow unconfined access to the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_system_domain" lineno="461">
<summary>
Create a domain for processes
which can be started by the system dbus
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_use_system_bus_fds" lineno="489">
<summary>
Use and inherit system DBUS file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_unconfined" lineno="507">
<summary>
Allow unconfined access to the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_delete_pid_files" lineno="525">
<summary>
Delete all dbus pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_pid_files" lineno="544">
<summary>
Read all dbus pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_pid_sock_files" lineno="564">
<summary>
Read all dbus pid socket files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_write_pid_sock_files" lineno="584">
<summary>
Allow domain to write the dbus pid sock_file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_watch_pid_sock_files" lineno="602">
<summary>
Watch system dbus pid socket files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_watch_pid_dirs" lineno="621">
<summary>
Watch system dbus pid directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_watch_pid_dir_path" lineno="640">
<summary>
Watch system dbusd pid directory and all its parents
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_rw_tmp_sock_files" lineno="661">
<summary>
Read and write system dbus tmp socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_stream_connect_session_bus" lineno="681">
<summary>
Do not audit attempts to connect to
session bus types with a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_stream_connect_session_bus" lineno="701">
<summary>
Allow attempts to connect to
session bus types with a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_chat_session_bus" lineno="720">
<summary>
Allow attempts to send dbus
messages to session bus types.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_chat_session_bus" lineno="741">
<summary>
Do not audit attempts to send dbus
messages to session bus types.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_chat_system_bus" lineno="761">
<summary>
Do not audit attempts to send dbus
messages to system bus types.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_stream_connect_system_dbusd" lineno="784">
<summary>
Allow attempts to connect to
the system dbusd with a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_stream_connect_system_dbusd" lineno="805">
<summary>
Do not audit attempts to connect to
the system dbusd with a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_chat_system_bus" lineno="827">
<summary>
Allow attempts to send dbus
messages to system bus types.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_filetrans_named_content_system" lineno="847">
<summary>
Transition to dbus named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_acquire_svc_system_dbusd" lineno="865">
<summary>
Allow attempts to acquire a service
(acquire_svc) on the system dbusd type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_signal" lineno="884">
<summary>
Allow sending signals to the system dbusd type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_manage_session_tmp_dirs" lineno="902">
<summary>
Manage session_dbusd tmp dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_write_session_tmp_sock_files" lineno="920">
<summary>
Write to session_dbusd tmp socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_delete_session_tmp_sock_files" lineno="938">
<summary>
Delete session_dbusd tmp socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_create_session_tmp_sock_files" lineno="956">
<summary>
Create session_dbusd tmp socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_systemctl" lineno="974">
<summary>
Allow systemctl dbus services
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="dcc" filename="policy/modules/contrib/dcc.if">
<summary>Distributed checksum clearinghouse spam filtering.</summary>
<interface name="dcc_domtrans_cdcc" lineno="13">
<summary>
Execute cdcc in the cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_run_cdcc" lineno="40">
<summary>
Execute cdcc in the cdcc domain, and
allow the specified role the
cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_client" lineno="60">
<summary>
Execute dcc client in the dcc
client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_signal_client" lineno="79">
<summary>
Send generic signals to dcc client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_run_client" lineno="105">
<summary>
Execute dcc client in the dcc
client domain, and allow the
specified role the dcc client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_dbclean" lineno="124">
<summary>
Execute dbclean in the dcc dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dcc_run_dbclean" lineno="151">
<summary>
Execute dbclean in the dcc dbclean
domain, and allow the specified
role the dcc dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_stream_connect_dccifd" lineno="171">
<summary>
Connect to dccifd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ddclient" filename="policy/modules/contrib/ddclient.if">
<summary>Update dynamic IP address at DynDNS.org.</summary>
<interface name="ddclient_domtrans" lineno="13">
<summary>
Execute ddclient in the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ddclient_run" lineno="40">
<summary>
Execute ddclient in the ddclient
domain, and allow the specified
role the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ddclient_admin" lineno="66">
<summary>
All of the rules required to
administrate a ddclient environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ddclient_getattr_pid_files" lineno="114">
<summary>
Get the attributes of ddclient PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ddcprobe" filename="policy/modules/contrib/ddcprobe.if">
<summary>ddcprobe retrieves monitor and graphics card information.</summary>
<interface name="ddcprobe_domtrans" lineno="13">
<summary>
Execute ddcprobe in the ddcprobe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ddcprobe_run" lineno="40">
<summary>
Execute ddcprobe in the ddcprobe
domain, and allow the specified
role the ddcprobe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="denyhosts" filename="policy/modules/contrib/denyhosts.if">
<summary>SSH dictionary attack mitigation.</summary>
<interface name="denyhosts_domtrans" lineno="13">
<summary>
Execute a domain transition to run denyhosts.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="denyhosts_initrc_domtrans" lineno="33">
<summary>
Execute denyhost server in the
denyhost domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="denyhosts_admin" lineno="58">
<summary>
All of the rules required to
administrate a denyhosts environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="devicekit" filename="policy/modules/contrib/devicekit.if">
<summary>Devicekit modular hardware abstraction layer</summary>
<interface name="devicekit_domtrans" lineno="13">
<summary>
Execute a domain transition to run devicekit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="devicekit_domtrans_disk" lineno="31">
<summary>
Execute a domain transition to run devicekit_disk.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="devicekit_dgram_send" lineno="50">
<summary>
Send to devicekit over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat" lineno="69">
<summary>
Send and receive messages from
devicekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_disk" lineno="90">
<summary>
Send and receive messages from
devicekit disk over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_use_fds_disk" lineno="110">
<summary>
Use file descriptors for devicekit_disk.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dontaudit_dbus_chat_disk" lineno="129">
<summary>
Do not audit attempts to send and receive
messages from devicekit disk over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="devicekit_rw_semaphores_disk" lineno="149">
<summary>
Read and write devicekit disk semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_signal_power" lineno="167">
<summary>
Send a signal to devicekit power.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_power" lineno="186">
<summary>
Send and receive messages from
devicekit power over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_use_fds_power" lineno="207">
<summary>
Use and inherit devicekit power
file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_append_inherited_log_files" lineno="225">
<summary>
Append inherited devicekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_read_log_files" lineno="246">
<summary>
Allow read devicekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dontaudit_rw_log" lineno="266">
<summary>
Do not audit attempts to write the devicekit
log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="devicekit_read_state_power" lineno="284">
<summary>
Allow the domain to read devicekit_power state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_read_pid_files" lineno="303">
<summary>
Read devicekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dontaudit_read_pid_files" lineno="323">
<summary>
Do not audit attempts to read
devicekit PID files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="devicekit_manage_pid_files" lineno="342">
<summary>
Manage devicekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_relabel_log_files" lineno="363">
<summary>
Relabel devicekit LOG files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_manage_log_files" lineno="382">
<summary>
Manage devicekit LOG files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_admin" lineno="405">
<summary>
All of the rules required to administrate
a devicekit environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="devicekit_filetrans_named_content" lineno="445">
<summary>
Transition to devicekit named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_mounton_var_lib" lineno="466">
<summary>
Mounton devicekit lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dhcp" filename="policy/modules/contrib/dhcp.if">
<summary>Dynamic host configuration protocol server.</summary>
<interface name="dhcpd_domtrans" lineno="13">
<summary>
Execute a domain transition to run dhcpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dhcpd_setattr_state_files" lineno="33">
<summary>
Set attributes of dhcpd server
state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dhcpd_initrc_domtrans" lineno="53">
<summary>
Execute dhcp server in the dhcp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dhcpd_systemctl" lineno="71">
<summary>
Execute dhcpd server in the dhcpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dhcpd_admin" lineno="103">
<summary>
All of the rules required to
administrate a dhcpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="dhcpd_use_ldap" dftval="false">
<desc>
<p>
Determine whether DHCP daemon
can use LDAP backends.
</p>
</desc>
</tunable>
</module>
<module name="dictd" filename="policy/modules/contrib/dictd.if">
<summary>Dictionary daemon.</summary>
<interface name="dictd_tcp_connect" lineno="14">
<summary>
Use dictionary services by connecting
over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dictd_admin" lineno="35">
<summary>
All of the rules required to
administrate a dictd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dirmngr" filename="policy/modules/contrib/dirmngr.if">
<summary>Server for managing and downloading certificate revocation lists.</summary>
<interface name="dirmngr_admin" lineno="20">
<summary>
All of the rules required to
administrate a dirmngr environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dirsrv-admin" filename="policy/modules/contrib/dirsrv-admin.if">
<summary>Administration Server for Directory Server, dirsrv-admin.</summary>
<interface name="dirsrvadmin_run_exec" lineno="13">
<summary>
Exec dirsrv-admin programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_run_script_exec" lineno="32">
<summary>
Exec cgi programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_read_config" lineno="51">
<summary>
Read dirsrv-adminserver configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_manage_config" lineno="69">
<summary>
Manage dirsrv-adminserver configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_read_tmp" lineno="88">
<summary>
Read dirsrv-adminserver tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_manage_tmp" lineno="106">
<summary>
Manage dirsrv-adminserver tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_systemctl" lineno="125">
<summary>
Execute dirsrv-admin server in the dirsrv-admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_domtrans_unconfined_script_t" lineno="149">
<summary>
Execute admin cgi programs with a domain transition to the unconfined script domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dirsrv" filename="policy/modules/contrib/dirsrv.if">
<summary>policy for dirsrv</summary>
<interface name="dirsrv_domtrans" lineno="13">
<summary>
Execute a domain transition to run dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dirsrv_run" lineno="37">
<summary>
Execute dirsrv in the dirsrv domain, and
allow the specified role the dirsrv domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_signal" lineno="56">
<summary>
Allow caller to signal dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_signull" lineno="75">
<summary>
Send a null signal to dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_systemctl" lineno="93">
<summary>
Execute dirsrv server in the dirsrv domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dirsrv_getattr_unit_files" lineno="117">
<summary>
Allow domain to getattr dirsrv unit files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_log" lineno="135">
<summary>
Allow a domain to manage dirsrv logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_var_lib" lineno="155">
<summary>
Allow a domain to manage dirsrv /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_stream_connect" lineno="173">
<summary>
Connect to dirsrv over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_var_run" lineno="192">
<summary>
Allow a domain to manage dirsrv /var/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_pid_filetrans" lineno="211">
<summary>
Allow a domain to create dirsrv pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_read_var_run" lineno="229">
<summary>
Allow a domain to read dirsrv /var/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_config" lineno="247">
<summary>
Manage dirsrv configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_read_share" lineno="266">
<summary>
Read dirsrv share files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_noatsecure" lineno="286">
<summary>
Allow dirsrv noatsecure
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_dontaudit_list_tmpfs_dirs" lineno="304">
<summary>
Do not audit attempts to list dirsrv tmpfs directories
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
</module>
<module name="distcc" filename="policy/modules/contrib/distcc.if">
<summary>Distributed compiler daemon.</summary>
<interface name="distcc_admin" lineno="20">
<summary>
All of the rules required to
administrate a distcc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="djbdns" filename="policy/modules/contrib/djbdns.if">
<summary>Small and secure DNS daemon.</summary>
<template name="djbdns_daemontools_domain_template" lineno="13">
<summary>
The template to define a djbdns domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="djbdns_search_tinydns_keys" lineno="71">
<summary>
Search djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="djbdns_link_tinydns_keys" lineno="89">
<summary>
Link djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dkim" filename="policy/modules/contrib/dkim.if">
<summary>DomainKeys Identified Mail milter.</summary>
<interface name="dkim_admin" lineno="20">
<summary>
All of the rules required to
administrate a dkim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dmidecode" filename="policy/modules/contrib/dmidecode.if">
<summary>Decode DMI data for x86/ia64 bioses.</summary>
<interface name="dmidecode_domtrans" lineno="13">
<summary>
Execute dmidecode in the dmidecode domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dmidecode_exec" lineno="32">
<summary>
Execute dmidecode in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dmidecode_run" lineno="59">
<summary>
Execute dmidecode in the dmidecode
domain, and allow the specified
role the dmidecode domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dnsmasq" filename="policy/modules/contrib/dnsmasq.if">
<summary>DNS forwarder and DHCP server.</summary>
<interface name="dnsmasq_domtrans" lineno="13">
<summary>
Execute dnsmasq server in the dnsmasq domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnsmasq_exec" lineno="32">
<summary>
Execute dnsmasq server in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_rw_inherited_pipes" lineno="50">
<summary>
Allow read/write dnsmasq pipes
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_initrc_domtrans" lineno="70">
<summary>
Execute the dnsmasq init script in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnsmasq_systemctl" lineno="88">
<summary>
Execute dnsmasq server in the dnsmasq domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnsmasq_sigchld" lineno="113">
<summary>
Send sigchld to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_signal" lineno="132">
<summary>
Send generic signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_signull" lineno="151">
<summary>
Send null signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_kill" lineno="170">
<summary>
Send kill signals to dnsmasq.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_config" lineno="188">
<summary>
Read dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_write_config" lineno="207">
<summary>
Write dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_delete_pid_files" lineno="226">
<summary>
Delete dnsmasq pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_manage_pid_files" lineno="247">
<summary>
Create, read, write, and delete
dnsmasq pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_pid_files" lineno="266">
<summary>
Read dnsmasq pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_create_pid_dirs" lineno="285">
<summary>
Create dnsmasq pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_state" lineno="304">
<summary>
Allow the domain to read dnsmasq state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_filetrans_named_content_fromdir" lineno="326">
<summary>
Transition to dnsmasq named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the directory for the object to be created.
</summary>
</param>
</interface>
<interface name="dnsmasq_filetrans_named_content" lineno="345">
<summary>
Transition to dnsmasq named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_admin" lineno="375">
<summary>
All of the rules required to
administrate a dnsmasq environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dnsmasq_dbus_chat" lineno="420">
<summary>
Send and receive messages from
dnsmasq over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="dnsmasq_use_ipset" dftval="false">
<desc>
<p>
Allow dnsmasq to create and use netlink_sockets.
</p>
</desc>
</tunable>
</module>
<module name="dnssec" filename="policy/modules/contrib/dnssec.if">
<summary>policy for dnssec_trigger</summary>
<interface name="dnssec_trigger_domtrans" lineno="13">
<summary>
Transition to dnssec_trigger.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dnssec_trigger_read_pid_files" lineno="31">
<summary>
Read dnssec_trigger PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnssec_trigger_manage_pid_files" lineno="50">
<summary>
Manage dnssec_trigger PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnssec_trigger_signull" lineno="73">
<summary>
Send signull to dnssec_trigger.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnssec_trigger_sigkill" lineno="92">
<summary>
Send sigkill to dnssec_trigger.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnssec_trigger_admin" lineno="111">
<summary>
All of the rules required to administrate
a dnssec_trigger environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dovecot" filename="policy/modules/contrib/dovecot.if">
<summary>Dovecot POP and IMAP mail server</summary>
<template name="dovecot_basic_types_template" lineno="14">
<summary>
Creates types and rules for a basic
dovecot daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="dovecot_stream_connect" lineno="35">
<summary>
Connect to dovecot unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_stream_connect_auth" lineno="55">
<summary>
Connect to dovecot auth unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dovecot_domtrans_deliver" lineno="74">
<summary>
Execute dovecot_deliver in the dovecot_deliver domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dovecot_manage_spool" lineno="92">
<summary>
Create, read, write, and delete the dovecot spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_dontaudit_unlink_lib_files" lineno="112">
<summary>
Do not audit attempts to delete dovecot lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dovecot_write_inherited_tmp_files" lineno="131">
<summary>
Allow attempts to write inherited
dovecot tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_read_config" lineno="149">
<summary>
Read dovecot configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_admin" lineno="176">
<summary>
All of the rules required to administrate
a dovecot environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the dovecot domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dovecot_read_certs" lineno="233">
<summary>
Read dovecot SSL certificates
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dpkg" filename="policy/modules/contrib/dpkg.if">
<summary>Debian package manager.</summary>
<interface name="dpkg_domtrans" lineno="13">
<summary>
Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dpkg_exec" lineno="32">
<summary>
Execute dpkg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_domtrans_script" lineno="52">
<summary>
Execute dpkg_script programs in
the dpkg_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dpkg_run" lineno="79">
<summary>
Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dpkg_use_fds" lineno="98">
<summary>
Inherit and use file descriptors from dpkg.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_pipes" lineno="116">
<summary>
Read from unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_rw_pipes" lineno="134">
<summary>
Read and write unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_use_script_fds" lineno="153">
<summary>
Inherit and use file descriptors
from dpkg scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_read_db" lineno="171">
<summary>
Read dpkg package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_manage_db" lineno="193">
<summary>
Create, read, write, and delete
dpkg package database content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dpkg_dontaudit_manage_db" lineno="215">
<summary>
Do not audit attempts to create,
read, write, and delete dpkg
package database content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dpkg_lock_db" lineno="236">
<summary>
Create, read, write, and delete
dpkg lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="drbd" filename="policy/modules/contrib/drbd.if">
<summary>Mirrors a block device over the network to another machine.</summary>
<interface name="drbd_domtrans" lineno="13">
<summary>
Execute a domain transition to run drbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_search_lib" lineno="31">
<summary>
Search drbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_read_lib_files" lineno="50">
<summary>
Read drbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_manage_lib_files" lineno="70">
<summary>
Create, read, write, and delete
drbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_manage_lib_dirs" lineno="89">
<summary>
Manage drbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_admin" lineno="115">
<summary>
All of the rules required to administrate
a drbd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="dspam" filename="policy/modules/contrib/dspam.if">
<summary>policy for dspam</summary>
<interface name="dspam_domtrans" lineno="14">
<summary>
Execute a domain transition to run dspam.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_initrc_domtrans" lineno="33">
<summary>
Execute dspam server in the dspam domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="dspam_read_log" lineno="52">
<summary>
Allow the specified domain to read dspam's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dspam_append_log" lineno="72">
<summary>
Allow the specified domain to append
dspam log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_log" lineno="91">
<summary>
Allow domain to manage dspam log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_search_lib" lineno="112">
<summary>
Search dspam lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_read_lib_files" lineno="131">
<summary>
Read dspam lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_lib_files" lineno="151">
<summary>
Create, read, write, and delete
dspam lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_lib_dirs" lineno="170">
<summary>
Manage dspam lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_read_pid_files" lineno="190">
<summary>
Read dspam PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_stream_connect" lineno="209">
<summary>
Connect to DSPAM using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_admin" lineno="237">
<summary>
All of the rules required to administrate
a dspam environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="entropyd" filename="policy/modules/contrib/entropyd.if">
<summary>Generate entropy from audio input.</summary>
<interface name="entropyd_admin" lineno="20">
<summary>
All of the rules required to
administrate an entropyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="entropyd_use_audio" dftval="true">
<desc>
<p>
Determine whether entropyd can use
audio devices as the source for
the entropy feeds.
</p>
</desc>
</tunable>
</module>
<module name="evolution" filename="policy/modules/contrib/evolution.if">
<summary>Evolution email client.</summary>
<interface name="evolution_role" lineno="18">
<summary>
Role access for evolution.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="evolution_home_filetrans" lineno="99">
<summary>
Create objects in the evolution home
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="evolution_stream_connect" lineno="119">
<summary>
Connect to evolution using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_dbus_chat" lineno="140">
<summary>
Send and receive messages from
evolution over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="evolution_alarm_dbus_chat" lineno="161">
<summary>
Send and receive messages from
evolution_alarm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="exim" filename="policy/modules/contrib/exim.if">
<summary>Mail transfer agent.</summary>
<interface name="exim_domtrans" lineno="13">
<summary>
Execute a domain transition to run exim.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="exim_run" lineno="38">
<summary>
Execute the exim program in the exim domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the exim domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_initrc_domtrans" lineno="57">
<summary>
Execute exim in the exim domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="exim_dontaudit_read_tmp_files" lineno="76">
<summary>
Do not audit attempts to read
exim tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="exim_read_tmp_files" lineno="94">
<summary>
Allow domain to read exim tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_pid_files" lineno="113">
<summary>
Read exim PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_log" lineno="133">
<summary>
Allow the specified domain to read exim's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_append_log" lineno="153">
<summary>
Allow the specified domain to append
exim log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_log" lineno="173">
<summary>
Allow the specified domain to manage exim's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_manage_spool_dirs" lineno="193">
<summary>
Create, read, write, and delete
exim spool dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_spool_files" lineno="212">
<summary>
Read exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_spool_files" lineno="233">
<summary>
Create, read, write, and delete
exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_var_lib_files" lineno="252">
<summary>
Read exim var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_var_lib_files" lineno="271">
<summary>
Create, read, and write exim var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_admin" lineno="296">
<summary>
All of the rules required to
administrate an exim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="exim_can_connect_db" dftval="false">
<desc>
<p>
Determine whether exim can connect to
databases.
</p>
</desc>
</tunable>
<tunable name="exim_read_user_files" dftval="false">
<desc>
<p>
Determine whether exim can read generic
user content files.
</p>
</desc>
</tunable>
<tunable name="exim_manage_user_files" dftval="false">
<desc>
<p>
Determine whether exim can create,
read, write, and delete generic user
content files.
</p>
</desc>
</tunable>
</module>
<module name="fail2ban" filename="policy/modules/contrib/fail2ban.if">
<summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
<interface name="fail2ban_domtrans" lineno="13">
<summary>
Execute a domain transition to run fail2ban.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fail2ban_domtrans_client" lineno="33">
<summary>
Execute the fail2ban client in
the fail2ban client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fail2ban_run_client" lineno="60">
<summary>
Execute fail2ban client in the
fail2ban client domain, and allow
the specified role the fail2ban
client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_stream_connect" lineno="80">
<summary>
Connect to fail2ban over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_rw_inherited_tmp_files" lineno="99">
<summary>
Read and write inherited temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_rw_stream_sockets" lineno="118">
<summary>
Read and write to a fail2ban unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_use_fds" lineno="137">
<summary>
Do not audit attempts to use
fail2ban file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_rw_stream_sockets" lineno="156">
<summary>
Do not audit attempts to read and
write fail2ban unix stream sockets
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fail2ban_read_lib_files" lineno="174">
<summary>
Read fail2ban lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_log" lineno="194">
<summary>
Allow the specified domain to read fail2ban's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fail2ban_append_log" lineno="215">
<summary>
Allow the specified domain to append
fail2ban log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_pid_files" lineno="235">
<summary>
Read fail2ban PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_leaks" lineno="254">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="fail2ban_admin" lineno="281">
<summary>
All of the rules required to administrate
a fail2ban environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the fail2ban domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fcoe" filename="policy/modules/contrib/fcoe.if">
<summary>Fibre Channel over Ethernet utilities.</summary>
<interface name="fcoe_dgram_send_fcoemon" lineno="13">
<summary>
Send to fcoemon with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fcoe_admin" lineno="39">
<summary>
All of the rules required to
administrate an fcoemon environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="fdo" filename="policy/modules/contrib/fdo.if">
<summary>policy for fdo</summary>
<interface name="fdo_domtrans" lineno="13">
<summary>
Execute fdo_exec_t in the fdo domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fdo_exec" lineno="32">
<summary>
Execute fdo in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="fedoratp" filename="policy/modules/contrib/fedoratp.if">
<summary>Policy for fedora-third-party</summary>
<interface name="fedoratp_domtrans" lineno="13">
<summary>
Execute fedoratp programs in the fedoratp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="fetchmail" filename="policy/modules/contrib/fetchmail.if">
<summary>Remote-mail retrieval and forwarding utility.</summary>
<interface name="fetchmail_admin" lineno="20">
<summary>
All of the rules required to
administrate a fetchmail environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="finger" filename="policy/modules/contrib/finger.if">
<summary>Finger user information service.</summary>
<interface name="finger_domtrans" lineno="13">
<summary>
Execute fingerd in the fingerd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="finger_tcp_connect" lineno="32">
<summary>
Connect to fingerd with a tcp socket.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="firewalld" filename="policy/modules/contrib/firewalld.if">
<summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
<interface name="firewalld_read_config" lineno="13">
<summary>
Read firewalld config
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_initrc_domtrans" lineno="32">
<summary>
Execute firewalld server in the firewalld domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="firewalld_systemctl" lineno="50">
<summary>
Execute firewalld server in the firewalld domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="firewalld_dbus_chat" lineno="75">
<summary>
Send and receive messages from
firewalld over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_dontaudit_write_tmp_files" lineno="96">
<summary>
Dontaudit attempts to write
firewalld tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firewalld_read_pid_files" lineno="114">
<summary>
Read firewalld PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewalld_dontaudit_leaks" lineno="133">
<summary>
Dontaudit read and write leaked firewalld file descriptors
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firewalld_admin" lineno="158">
<summary>
All of the rules required to administrate
a firewalld environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="firewallgui" filename="policy/modules/contrib/firewallgui.if">
<summary>system-config-firewall dbus system service.</summary>
<interface name="firewallgui_dbus_chat" lineno="14">
<summary>
Send and receive messages from
firewallgui over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firewallgui_dontaudit_rw_pipes" lineno="35">
<summary>
Do not audit attempts to read and
write firewallgui unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="firstboot" filename="policy/modules/contrib/firstboot.if">
<summary>
Final system configuration run during the first boot
after installation of Red Hat/Fedora systems.
</summary>
<interface name="firstboot_domtrans" lineno="16">
<summary>
Execute firstboot in the firstboot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="firstboot_run" lineno="40">
<summary>
Execute firstboot in the firstboot domain, and
allow the specified role the firstboot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_use_fds" lineno="59">
<summary>
Inherit and use a file descriptor from firstboot.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_use_fds" lineno="78">
<summary>
Do not audit attempts to inherit a
file descriptor from firstboot.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_leaks" lineno="96">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firstboot_write_pipes" lineno="115">
<summary>
Write to a firstboot unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_rw_pipes" lineno="134">
<summary>
Read and write to a firstboot unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_rw_pipes" lineno="152">
<summary>
Do not audit attempts to read and write to a firstboot unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="firstboot_dontaudit_rw_stream_sockets" lineno="171">
<summary>
Do not audit attempts to read and write to a firstboot
unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="fprintd" filename="policy/modules/contrib/fprintd.if">
<summary>DBus fingerprint reader service.</summary>
<interface name="fprintd_domtrans" lineno="13">
<summary>
Execute a domain transition to run fprintd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fprintd_exec" lineno="32">
<summary>
Execute fprintd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fprintd_dbus_chat" lineno="52">
<summary>
Send and receive messages from
fprintd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fprintd_mounton_var_lib" lineno="72">
<summary>
Mounton fprintd lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fprintd_read_var_lib_dir" lineno="90">
<summary>
Read fprintd lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fprintd_setattr_var_lib_dir" lineno="108">
<summary>
Setattr fprintd lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="freeipmi" filename="policy/modules/contrib/freeipmi.if">
<summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
<template name="freeipmi_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
freeipmi init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="freeipmi_stream_connect" lineno="63">
<summary>
Connect to cluster domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="freqset" filename="policy/modules/contrib/freqset.if">
<summary>policy for freqset</summary>
<interface name="freqset_domtrans" lineno="13">
<summary>
Execute freqset in the freqset domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="freqset_run" lineno="38">
<summary>
Execute freqset in the freqset domain, and
allow the specified role the freqset domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the freqset domain.
</summary>
</param>
</interface>
<interface name="freqset_role" lineno="63">
<summary>
Role access for freqset
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
</module>
<module name="ftp" filename="policy/modules/contrib/ftp.if">
<summary>File transfer protocol service.</summary>
<interface name="ftp_domtrans" lineno="13">
<summary>
Execute a domain transition to run ftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_initrc_domtrans" lineno="33">
<summary>
Execute ftpd server in the ftpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ftp_systemctl" lineno="51">
<summary>
Execute ftpd server in the ftpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_dyntrans_anon_sftpd" lineno="75">
<summary>
Execute a dyntransition to run anon sftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_tcp_connect" lineno="93">
<summary>
Connect to ftpd over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_read_config" lineno="107">
<summary>
Read ftpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_check_exec" lineno="126">
<summary>
Execute FTP daemon entry point programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_read_log" lineno="145">
<summary>
Read ftpd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_domtrans_ftpdctl" lineno="164">
<summary>
Execute the ftpdctl in the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_run_ftpdctl" lineno="191">
<summary>
Execute the ftpdctl in the ftpdctl
domain, and allow the specified
role the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ftp_dyntrans_sftpd" lineno="210">
<summary>
Execute a dyntransition to run sftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_admin" lineno="235">
<summary>
All of the rules required to
administrate an ftp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="ftpd_anon_write" dftval="false">
<desc>
<p>
Determine whether ftpd can modify
public files used for public file
transfer services. Directories/Files must
be labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="ftpd_full_access" dftval="false">
<desc>
<p>
Determine whether ftpd can log in to
local user accounts and can read and write
all files on the system, governed by DAC.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_cifs" dftval="false">
<desc>
<p>
Determine whether ftpd can use CIFS
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_fusefs" dftval="false">
<desc>
<p>
Allow ftpd to use ntfs/fusefs volumes.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_nfs" dftval="false">
<desc>
<p>
Determine whether ftpd can use NFS
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="ftpd_connect_db" dftval="false">
<desc>
<p>
Determine whether ftpd can connect to
databases over the TCP network.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_passive_mode" dftval="false">
<desc>
<p>
Determine whether ftpd can bind to all
unreserved ports for passive mode.
</p>
</desc>
</tunable>
<tunable name="ftpd_connect_all_unreserved" dftval="false">
<desc>
<p>
Determine whether ftpd can connect to
all unreserved ports.
</p>
</desc>
</tunable>
</module>
<module name="fwupd" filename="policy/modules/contrib/fwupd.if">
<summary>fwupd is a daemon to allow session software to update device firmware</summary>
<interface name="fwupd_domtrans" lineno="13">
<summary>
Execute fwupd_exec_t in the fwupd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fwupd_exec" lineno="32">
<summary>
Execute fwupd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_read_state" lineno="51">
<summary>
Read fwupd process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_search_cache" lineno="69">
<summary>
Search fwupd cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_delete_cache_files" lineno="89">
<summary>
Allow the specified domain to delete
fwupd cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_read_cache_files" lineno="108">
<summary>
Read fwupd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_manage_cache_files" lineno="128">
<summary>
Create, read, write, and delete
fwupd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_manage_cache_dirs" lineno="147">
<summary>
Manage fwupd cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_search_lib" lineno="167">
<summary>
Search fwupd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_read_lib_files" lineno="186">
<summary>
Read fwupd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_manage_lib_files" lineno="205">
<summary>
Manage fwupd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_manage_lib_dirs" lineno="224">
<summary>
Manage fwupd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_systemctl" lineno="243">
<summary>
Execute fwupd server in the fwupd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fwupd_admin" lineno="269">
<summary>
All of the rules required to administrate
an fwupd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fwupd_dbus_chat" lineno="310">
<summary>
Send and receive messages from
fwupd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="games" filename="policy/modules/contrib/games.if">
<summary>Various games.</summary>
<interface name="games_role" lineno="18">
<summary>
Role access for games.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="games_rw_data" lineno="53">
<summary>
Read and write games data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="games_manage_data_files" lineno="73">
<summary>
Manage games data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="gatekeeper" filename="policy/modules/contrib/gatekeeper.if">
<summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary>
<interface name="gatekeeper_admin" lineno="20">
<summary>
All of the rules required to
administrate a gatekeeper environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gdomap" filename="policy/modules/contrib/gdomap.if">
<summary>GNUstep distributed object mapper.</summary>
<interface name="gdomap_read_config" lineno="13">
<summary>
Read gdomap configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gdomap_admin" lineno="39">
<summary>
All of the rules required to
administrate a gdomap environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="geoclue" filename="policy/modules/contrib/geoclue.if">
<summary>Geoclue is a D-Bus service that provides location information</summary>
<interface name="geoclue_domtrans" lineno="13">
<summary>
Execute geoclue in the geoclue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="geoclue_search_lib" lineno="32">
<summary>
Search geoclue lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="geoclue_read_lib_files" lineno="51">
<summary>
Read geoclue lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="geoclue_manage_lib_files" lineno="70">
<summary>
Manage geoclue lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="geoclue_manage_lib_dirs" lineno="89">
<summary>
Manage geoclue lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="geoclue_dbus_chat" lineno="109">
<summary>
Send and receive messages from
geoclue over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="geoclue_admin" lineno="132">
<summary>
All of the rules required to administrate
a geoclue environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="git" filename="policy/modules/contrib/git.if">
<summary>GIT revision control system.</summary>
<template name="git_role" lineno="18">
<summary>
Role access for Git session.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="git_read_generic_sys_content_files" lineno="63">
<summary>
Read generic system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="git_filetrans_user_content" lineno="99">
<summary>
Create Git user content with a
named file transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="git_cgi_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="git_session_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether Git session daemon
can bind TCP sockets to all
unreserved ports.
</p>
</desc>
</tunable>
<tunable name="git_session_users" dftval="false">
<desc>
<p>
Determine whether calling user domains
can execute Git daemon in the
git_session_t domain.
</p>
</desc>
</tunable>
<tunable name="git_system_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_system_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_system_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="gitosis" filename="policy/modules/contrib/gitosis.if">
<summary>Tools for managing and hosting git repositories.</summary>
<interface name="gitosis_domtrans" lineno="13">
<summary>
Execute a domain transition to run gitosis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gitosis_run" lineno="39">
<summary>
Execute gitosis-serve in the
gitosis domain, and allow the
specified role the gitosis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gitosis_read_lib_files" lineno="58">
<summary>
Read gitosis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gitosis_mmap_lib_files" lineno="79">
<summary>
Mmap gitosis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gitosis_manage_lib_files" lineno="98">
<summary>
Create, read, write, and delete
gitosis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="gitosis_can_sendmail" dftval="false">
<desc>
<p>
Determine whether Gitosis can send mail.
</p>
</desc>
</tunable>
</module>
<module name="glance" filename="policy/modules/contrib/glance.if">
<summary>OpenStack image registry and delivery service.</summary>
<template name="glance_basic_types_template" lineno="14">
<summary>
Creates types and rules for a basic
glance daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="glance_domtrans_registry" lineno="47">
<summary>
Execute a domain transition to
run glance registry.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_domtrans_api" lineno="67">
<summary>
Execute a domain transition to
run glance api.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_read_log" lineno="87">
<summary>
Read glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="glance_append_log" lineno="106">
<summary>
Append glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_log" lineno="126">
<summary>
Create, read, write, and delete
glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_search_lib" lineno="147">
<summary>
Search glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_lib_files" lineno="166">
<summary>
Read glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_files" lineno="186">
<summary>
Create, read, write, and delete
glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_dirs" lineno="206">
<summary>
Create, read, write, and delete
glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_pid_files" lineno="225">
<summary>
Read glance pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_pid_files" lineno="245">
<summary>
Create, read, write, and delete
glance pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_admin" lineno="271">
<summary>
All of the rules required to
administrate a glance environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="glance_api_can_network" dftval="false">
<desc>
<p>
Determine whether glance-api can
connect to all TCP ports
</p>
</desc>
</tunable>
<tunable name="glance_use_fusefs" dftval="false">
<desc>
<p>
Allow glance domain to manage fuse files
</p>
</desc>
</tunable>
<tunable name="glance_use_execmem" dftval="false">
<desc>
<p>
Allow glance domain to use executable memory and executable stack
</p>
</desc>
</tunable>
</module>
<module name="gnome" filename="policy/modules/contrib/gnome.if">
<summary>GNU network object model environment (GNOME)</summary>
<interface name="gnome_role" lineno="18">
<summary>
Role access for gnome.  (Deprecated)
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="gnome_role_gkeyringd" lineno="42">
<summary>
The role template for the gnome-keyring-daemon.
</summary>
<param name="user_prefix">
<summary>
The user prefix.
</summary>
</param>
<param name="user_role">
<summary>
The user role.
</summary>
</param>
<param name="user_domain">
<summary>
The user domain associated with the role.
</summary>
</param>
</interface>
<template name="gnome_role_template" lineno="67">
<summary>
The role template for gnome.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="gnome_run_gkeyringd" lineno="196">
<summary>
Allow domain to run gkeyring in the $1_gkeyringd_t domain.
</summary>
<param name="user_prefix">
<summary>
The user prefix.
</summary>
</param>
<param name="user_role">
<summary>
The user role.
</summary>
</param>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect_gconf" lineno="215">
<summary>
gconf connection template.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect_gkeyringd" lineno="234">
<summary>
Connect to gkeyringd with a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_domtrans_gconfd" lineno="258">
<summary>
Run gconfd in gconfd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_read_config" lineno="276">
<summary>
Dontaudit read gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_search_config" lineno="295">
<summary>
Dontaudit search gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_append_config_files" lineno="313">
<summary>
Dontaudit append gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_write_config_files" lineno="332">
<summary>
Dontaudit write gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_manage_config" lineno="350">
<summary>
manage gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_signal_all" lineno="372">
<summary>
Send general signals to all gconf domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_cache_filetrans" lineno="407">
<summary>
Create objects in a Gnome cache home directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_config_filetrans" lineno="443">
<summary>
Create objects in a Gnome config home directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_read_generic_cache_files" lineno="462">
<summary>
Read generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_create_generic_cache_dir" lineno="481">
<summary>
Create generic cache home dir (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_setattr_cache_home_dir" lineno="500">
<summary>
Set attributes of cache home dir (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_cache_home_dir" lineno="519">
<summary>
Manage cache home dir (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_manage_cache_home_dir" lineno="538">
<summary>
Dontaudit Manage cache home dir (.cache)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_append_generic_cache_files" lineno="556">
<summary>
append to generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_write_generic_cache_files" lineno="575">
<summary>
write to generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_cache_files" lineno="594">
<summary>
Manage generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_map_generic_cache_files" lineno="613">
<summary>
Map generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_delete_generic_cache_files" lineno="631">
<summary>
Delete generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_cache_sockets" lineno="650">
<summary>
Manage a sock_file in the generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_rw_generic_cache_files" lineno="669">
<summary>
Dontaudit read/write to generic cache home files (.cache)
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_read_config" lineno="687">
<summary>
read gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_data_filetrans" lineno="725">
<summary>
Create objects in a Gnome gconf home directory
with an automatic type transition to
a specified private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
The type of the object to create.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_read_generic_data_home_files" lineno="744">
<summary>
Read generic data home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_map_generic_data_home_files" lineno="763">
<summary>
Map generic data home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_generic_data_home_dirs" lineno="782">
<summary>
Read generic data home dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_watch_generic_data_home_dirs" lineno="800">
<summary>
Watch generic data home dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_data" lineno="818">
<summary>
Manage gconf data home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_home_icc_data_content" lineno="840">
<summary>
Read icc data home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_inherited_home_icc_data_files" lineno="863">
<summary>
Read inherited icc data home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_admin_home_gconf_filetrans" lineno="891">
<summary>
Create gconf_home_t objects in the /root directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
The class of the object to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_read_inherited_gconf_config_files" lineno="910">
<summary>
Do not audit attempts to read
inherited gconf config files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_read_gconf_config" lineno="928">
<summary>
read gconf config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gconf_config" lineno="948">
<summary>
Manage gconf config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_exec_gconf" lineno="968">
<summary>
Execute gconf programs
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_exec_keyringd" lineno="986">
<summary>
Execute gnome keyringd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_search_gconf_data_dir" lineno="1005">
<summary>
Search gconf home data dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_gconf_home_files" lineno="1026">
<summary>
Read gconf home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_search_gkeyringd_tmp_dirs" lineno="1051">
<summary>
Search gkeyringd temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_list_gkeyringd_tmp_dirs" lineno="1070">
<summary>
List gkeyringd temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_delete_gkeyringd_tmp_content" lineno="1089">
<summary>
Delete gkeyringd temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gkeyringd_tmp_dirs" lineno="1110">
<summary>
Manage gkeyringd temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_search_gconf" lineno="1129">
<summary>
search gconf homedir (.local)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_setattr_config_dirs" lineno="1148">
<summary>
Set attributes of Gnome config dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_home_files" lineno="1167">
<summary>
Manage generic gnome home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_generic_home_dirs" lineno="1186">
<summary>
Manage generic gnome home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_append_gconf_home_files" lineno="1205">
<summary>
Append gconf home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gconf_home_files" lineno="1223">
<summary>
manage gconf home files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_stream_connect" lineno="1247">
<summary>
Connect to gnome over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</interface>
<interface name="gnome_list_home_config" lineno="1266">
<summary>
list gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_setattr_home_config" lineno="1284">
<summary>
Set attributes of gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_home_config" lineno="1303">
<summary>
read gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_append_home_config" lineno="1322">
<summary>
append gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_delete_home_config" lineno="1340">
<summary>
delete gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_create_home_config_dirs" lineno="1359">
<summary>
Create gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_setattr_home_config_dirs" lineno="1377">
<summary>
setattr gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_home_config" lineno="1395">
<summary>
manage gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_delete_home_config_dirs" lineno="1415">
<summary>
delete gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_home_config_dirs" lineno="1433">
<summary>
manage gnome homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_watch_home_config_dirs" lineno="1451">
<summary>
Watch gnome homedir content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_watch_home_config_files" lineno="1469">
<summary>
Watch gnome homedir content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gstreamer_home_files" lineno="1487">
<summary>
manage gstreamer home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_exec_gstreamer_home_files" lineno="1507">
<summary>
Allow to execute gstreamer home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_exec_config_home_files" lineno="1525">
<summary>
Allow to execute config home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_filetrans_gstreamer_home_content" lineno="1543">
<summary>
file name transition gstreamer home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_gstreamer_home_dirs" lineno="1578">
<summary>
manage gstreamer home content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_rw_inherited_config" lineno="1596">
<summary>
Read/Write all inherited gnome home config
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dontaudit_rw_inherited_config" lineno="1614">
<summary>
Dontaudit Read/Write all inherited gnome home config
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gnome_dbus_chat_gconfdefault" lineno="1633">
<summary>
Send and receive messages from
gconf system service over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_dbus_chat_gkeyringd" lineno="1654">
<summary>
Send and receive messages from
gkeyringd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_signull_gkeyringd" lineno="1674">
<summary>
Send signull signal to gkeyringd processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_gkeyringd_state" lineno="1692">
<summary>
Allow the domain to read gkeyringd state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_home_dir_filetrans" lineno="1711">
<summary>
Create directories in user home directories
with the gnome home file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_access_check_usr_config" lineno="1731">
<summary>
Check access to usr config content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_read_usr_config" lineno="1749">
<summary>
Allow read kde config content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_manage_usr_config" lineno="1770">
<summary>
Allow manage kde config content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_transition_gkeyringd" lineno="1791">
<summary>
Execute gnome-keyring in the user gkeyring domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="gnome_filetrans_home_content" lineno="1813">
<summary>
Create gnome content in the user home directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_filetrans_config_home_content" lineno="1859">
<summary>
Create gnome dconf dir in the user home directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_filetrans_cert_home_content" lineno="1877">
<summary>
File name transition for cert home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_filetrans_fontconfig_home_content" lineno="1896">
<summary>
Create fontconfig directories in the .config and .cache subdirectories
of the user home directory with correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_filetrans_admin_home_content" lineno="1916">
<summary>
Create gnome directory in the /root directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnome_command_domtrans_gkeyringd" lineno="1977">
<summary>
Execute gnome-keyring executable
in the specified domain.
</summary>
<desc>
<p>
Execute a gnome-keyring executable
in the specified domain.  This allows
the specified domain to execute the
gnome-keyring executable in the target
domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
<p>
This interface was added to handle
the ssh-agent policy.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="gnome_exec_atspi" lineno="1997">
<summary>
Execute gnome-atspi services in the caller domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnome_atspi_domtrans" lineno="2015">
<summary>
Execute gnome-atspi services in the gnome-atspi domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="gnomeclock" filename="policy/modules/contrib/gnomeclock.if">
<summary>Gnome clock handler for setting the time.</summary>
<interface name="gnomeclock_domtrans" lineno="13">
<summary>
Execute a domain transition to run gnomeclock.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnomeclock_run" lineno="37">
<summary>
Execute gnomeclock in the gnomeclock domain, and
allow the specified role the gnomeclock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gnomeclock_dbus_chat" lineno="57">
<summary>
Send and receive messages from
gnomeclock over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnomeclock_dontaudit_dbus_chat" lineno="78">
<summary>
Do not audit send and receive messages from
gnomeclock over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="gpg" filename="policy/modules/contrib/gpg.if">
<summary>Policy for GNU Privacy Guard and related programs.</summary>
<interface name="gpg_role" lineno="18">
<summary>
Role access for gpg
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="gpg_domtrans" lineno="85">
<summary>
Transition to a user gpg domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gpg_exec" lineno="103">
<summary>
Execute gpg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_domtrans_web" lineno="122">
<summary>
Transition to a gpg web domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_entry_type" lineno="141">
<summary>
Make gpg an entrypoint for
the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which gpg is an entrypoint.
</summary>
</param>
</interface>
<interface name="gpg_signal" lineno="159">
<summary>
Send generic signals to user gpg processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_rw_agent_pipes" lineno="177">
<summary>
Read and write GPG agent pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_pinentry_dbus_chat" lineno="197">
<summary>
Send messages to and from GPG
Pinentry over DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_list_user_secrets" lineno="217">
<summary>
List Gnu Privacy Guard user secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_manage_home_content" lineno="236">
<summary>
Allow to manage gpg named home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_manage_admin_home_content" lineno="256">
<summary>
Allow to manage gpg named admin home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_filetrans_home_content" lineno="276">
<summary>
Transition to gpg named home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_filetrans_admin_home_content" lineno="294">
<summary>
Transition to gpg named admin home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_agent_stream_connect" lineno="312">
<summary>
Connect to gpg_agent_t unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpg_noatsecure" lineno="330">
<summary>
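Allow the noatsecure process permission on gpg, so that
secure-execution (AT_SECURE) environment sanitising is not
applied when the domain transitions to gpg.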
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="gpg_web_anon_write" dftval="false">
<desc>
<p>
Allow gpg web domain to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
</module>
<module name="gpm" filename="policy/modules/contrib/gpm.if">
<summary>General Purpose Mouse driver.</summary>
<interface name="gpm_stream_connect" lineno="14">
<summary>
Connect to GPM over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_getattr_gpmctl" lineno="34">
<summary>
Get attributes of gpm control
channel named sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_dontaudit_getattr_gpmctl" lineno="55">
<summary>
Do not audit attempts to get
attributes of gpm control channel
named sock files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gpm_setattr_gpmctl" lineno="74">
<summary>
Set attributes of gpm control
channel named sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_admin" lineno="100">
<summary>
All of the rules required to
administrate a gpm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gpsd" filename="policy/modules/contrib/gpsd.if">
<summary>gpsd monitor daemon.</summary>
<interface name="gpsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run gpsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gpsd_run" lineno="38">
<summary>
Execute gpsd in the gpsd domain, and
allow the specified role the gpsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="gpsd_rw_shm" lineno="57">
<summary>
Read and write gpsd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpsd_admin" lineno="87">
<summary>
All of the rules required to
administrate a gpsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="gssproxy" filename="policy/modules/contrib/gssproxy.if">
<summary>policy for gssproxy</summary>
<interface name="gssproxy_domtrans" lineno="13">
<summary>
Execute gssproxy in the gssproxy domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gssproxy_search_lib" lineno="32">
<summary>
Search gssproxy lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_read_lib_files" lineno="51">
<summary>
Read gssproxy lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_manage_lib_files" lineno="70">
<summary>
Manage gssproxy lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_manage_lib_dirs" lineno="89">
<summary>
Manage gssproxy lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_read_pid_files" lineno="108">
<summary>
Read gssproxy PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_systemctl" lineno="127">
<summary>
Execute gssproxy server in the gssproxy domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gssproxy_stream_connect" lineno="152">
<summary>
Connect to gssproxy over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gssproxy_admin" lineno="174">
<summary>
All of the rules required to administrate
a gssproxy environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="gssproxy_noatsecure" lineno="210">
<summary>
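Allow the noatsecure process permission on gssproxy, so that
secure-execution (AT_SECURE) environment sanitising is not
applied when the domain transitions to gssproxy.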
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="hadoop" filename="policy/modules/contrib/hadoop.if">
<summary>Software for reliable, scalable, distributed computing.</summary>
<template name="hadoop_domain_template" lineno="13">
<summary>
The template to define a hadoop domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="hadoop_role" lineno="107">
<summary>
Role access for hadoop.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="hadoop_domtrans" lineno="139">
<summary>
Execute hadoop in the
hadoop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom" lineno="158">
<summary>
Receive from hadoop peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_domtrans_zookeeper_client" lineno="177">
<summary>
Execute zookeeper client in the
zookeeper client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_zookeeper_client" lineno="196">
<summary>
Receive from zookeeper peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_domtrans_zookeeper_server" lineno="215">
<summary>
Execute zookeeper server in the
zookeeper server domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_zookeeper_server" lineno="234">
<summary>
Receive from zookeeper server peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="253">
<summary>
Execute zookeeper server in the
zookeeper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_datanode" lineno="271">
<summary>
Receive from datanode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_read_config" lineno="289">
<summary>
Read hadoop configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_exec_config" lineno="308">
<summary>
Execute hadoop configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_jobtracker" lineno="327">
<summary>
Receive from jobtracker peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_match_lan_spd" lineno="345">
<summary>
Match hadoop lan association.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_namenode" lineno="363">
<summary>
Receive from namenode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_secondarynamenode" lineno="381">
<summary>
Receive from secondary namenode peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_recvfrom_tasktracker" lineno="399">
<summary>
Receive from tasktracker peer.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hadoop_admin" lineno="424">
<summary>
All of the rules required to
administrate a hadoop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hddtemp" filename="policy/modules/contrib/hddtemp.if">
<summary>Hard disk temperature tool running as a daemon.</summary>
<interface name="hddtemp_domtrans" lineno="13">
<summary>
Execute a domain transition to run hddtemp.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hddtemp_run" lineno="38">
<summary>
Execute hddtemp in the hddtemp domain, and
allow the specified role the hddtemp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="hddtemp_exec" lineno="58">
<summary>
Execute hddtemp in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hddtemp_admin" lineno="84">
<summary>
All of the rules required to
administrate a hddtemp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hostapd" filename="policy/modules/contrib/hostapd.if">
<summary>policy for hostapd</summary>
<interface name="hostapd_domtrans" lineno="13">
<summary>
Execute hostapd in the hostapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hostapd_systemctl" lineno="31">
<summary>
Execute hostapd server in the hostapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hostapd_read_pid_files" lineno="56">
<summary>
Read hostapd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hostapd_admin" lineno="77">
<summary>
All of the rules required to administrate
a hostapd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="howl" filename="policy/modules/contrib/howl.if">
<summary>Port of Apple Rendezvous multicast DNS.</summary>
<interface name="howl_signal" lineno="13">
<summary>
Send generic signals to howl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="howl_admin" lineno="38">
<summary>
All of the rules required to
administrate a howl environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hsqldb" filename="policy/modules/contrib/hsqldb.if">
<summary>Hsqldb is a transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.</summary>
<interface name="hsqldb_domtrans" lineno="13">
<summary>
Execute hsqldb_exec_t in the hsqldb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hsqldb_exec" lineno="32">
<summary>
Execute hsqldb in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_dontaudit_read_tmp_files" lineno="52">
<summary>
Do not audit attempts to read
hsqldb tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hsqldb_read_tmp_files" lineno="70">
<summary>
Read hsqldb tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_manage_tmp" lineno="89">
<summary>
Manage hsqldb tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_search_lib" lineno="110">
<summary>
Search hsqldb lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_read_lib_files" lineno="129">
<summary>
Read hsqldb lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_manage_lib_files" lineno="148">
<summary>
Manage hsqldb lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_manage_lib_dirs" lineno="167">
<summary>
Manage hsqldb lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hsqldb_systemctl" lineno="186">
<summary>
Execute hsqldb server in the hsqldb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hsqldb_admin" lineno="212">
<summary>
All of the rules required to administrate
an hsqldb environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="hwloc" filename="policy/modules/contrib/hwloc.if">
<summary>Dump topology and locality information from hardware tables.</summary>
<interface name="hwloc_domtrans_dhwd" lineno="13">
<summary>
Execute hwloc dhwd in the hwloc dhwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hwloc_run_dhwd" lineno="38">
<summary>
Execute hwloc dhwd in the hwloc dhwd domain, and
allow the specified role the hwloc dhwd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="hwloc_exec_dhwd" lineno="57">
<summary>
Execute hwloc dhwd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hwloc_read_runtime_files" lineno="75">
<summary>
Read hwloc runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hwloc_admin" lineno="96">
<summary>
All of the rules required to
administrate an hwloc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="hypervkvp" filename="policy/modules/contrib/hypervkvp.if">
<summary>policy for hypervkvp</summary>
<interface name="hypervkvp_domtrans" lineno="13">
<summary>
Execute hypervkvp in the hypervkvp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hypervkvp_search_lib" lineno="32">
<summary>
Search hypervkvp lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hypervkvp_read_lib_files" lineno="51">
<summary>
Read hypervkvp lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hypervkvp_manage_lib_files" lineno="72">
<summary>
Create, read, write, and delete
hypervkvp lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hypervkvp_systemctl" lineno="91">
<summary>
Execute hypervkvp server in the hypervkvp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hypervkvp_admin" lineno="116">
<summary>
All of the rules required to administrate
a hypervkvp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="i18n_input" filename="policy/modules/contrib/i18n_input.if">
<summary>IIIMF htt server.</summary>
<interface name="i18n_use" lineno="13">
<summary>
Use i18n_input over a TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="i18n_input_admin" lineno="34">
<summary>
All of the rules required to
administrate an i18n input environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ibacm" filename="policy/modules/contrib/ibacm.if">
<summary>policy for ibacm</summary>
<interface name="ibacm_domtrans" lineno="13">
<summary>
Execute ibacm_exec_t in the ibacm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ibacm_exec" lineno="32">
<summary>
Execute ibacm in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ibacm_read_log" lineno="51">
<summary>
Read ibacm's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ibacm_append_log" lineno="70">
<summary>
Append to ibacm log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ibacm_manage_log" lineno="89">
<summary>
Manage ibacm log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ibacm_read_pid_files" lineno="109">
<summary>
Read ibacm PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ibacm_admin" lineno="137">
<summary>
All of the rules required to administrate
an ibacm environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ibacm_create_netlink_rdma_socket" lineno="172">
<summary>
Allow caller to create netlink rdma socket for ibacm
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ica" filename="policy/modules/contrib/ica.if">
<summary>policy for ica</summary>
<interface name="ica_read_map_tmpfs_files" lineno="13">
<summary>
Read and map ica tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ica_rw_map_tmpfs_files" lineno="32">
<summary>
Read, write, and map ica tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ica_filetrans_named_content" lineno="51">
<summary>
Transition to ica named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="icecast" filename="policy/modules/contrib/icecast.if">
<summary>ShoutCast compatible streaming media server.</summary>
<interface name="icecast_domtrans" lineno="13">
<summary>
Execute a domain transition to run icecast.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="icecast_signal" lineno="32">
<summary>
Send generic signals to icecast.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_initrc_domtrans" lineno="50">
<summary>
Execute icecast server in the icecast domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="icecast_read_pid_files" lineno="68">
<summary>
Read icecast pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_pid_files" lineno="88">
<summary>
Create, read, write, and delete
icecast pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_read_log" lineno="108">
<summary>
Read icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="icecast_append_log" lineno="127">
<summary>
Append icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_log" lineno="147">
<summary>
Create, read, write, and delete
icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_admin" lineno="173">
<summary>
All of the rules required to
administrate an icecast environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="icecast_use_any_tcp_ports" dftval="false">
<desc>
<p>
Determine whether icecast can listen
on and connect to any TCP port.
</p>
</desc>
</tunable>
</module>
<module name="ifplugd" filename="policy/modules/contrib/ifplugd.if">
<summary>Bring up/down ethernet interfaces based on cable detection.</summary>
<interface name="ifplugd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ifplugd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ifplugd_signal" lineno="32">
<summary>
Send generic signals to ifplugd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_config" lineno="50">
<summary>
Read ifplugd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_manage_config" lineno="70">
<summary>
Create, read, write, and delete
ifplugd configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_pid_files" lineno="90">
<summary>
Read ifplugd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_admin" lineno="116">
<summary>
All of the rules required to
administrate an ifplugd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="iiosensorproxy" filename="policy/modules/contrib/iiosensorproxy.if">
<summary>IIO sensors to D-Bus proxy</summary>
</module>
<module name="imaze" filename="policy/modules/contrib/imaze.if">
<summary>iMaze game server.</summary>
</module>
<module name="inetd" filename="policy/modules/contrib/inetd.if">
<summary>Internet services daemon.</summary>
<interface name="inetd_core_service_domain" lineno="27">
<summary>
Define the specified domain as an inetd service.
</summary>
<desc>
<p>
Define the specified domain as an inetd service.  The
inetd_service_domain(), inetd_tcp_service_domain(),
or inetd_udp_service_domain() interfaces should be used
instead of this interface, as this interface only provides
the common rules to these three interfaces.
</p>
</desc>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_tcp_service_domain" lineno="63">
<summary>
Define the specified domain as a TCP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_udp_service_domain" lineno="89">
<summary>
Define the specified domain as a UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_service_domain" lineno="114">
<summary>
Define the specified domain as a TCP and UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_use_fds" lineno="139">
<summary>
Inherit and use inetd file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_tcp_connect" lineno="157">
<summary>
Connect to the inetd service using a TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_domtrans_child" lineno="172">
<summary>
Run inetd child process in the
inet child domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="inetd_udp_send" lineno="191">
<summary>
Send UDP network traffic to inetd.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_rw_tcp_sockets" lineno="205">
<summary>
Read and write inetd TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="inn" filename="policy/modules/contrib/inn.if">
<summary>Internet News NNTP server.</summary>
<interface name="inn_exec" lineno="13">
<summary>
Execute innd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_exec_config" lineno="32">
<summary>
Execute inn configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_log" lineno="52">
<summary>
Create, read, write, and delete
innd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_generic_log_filetrans_innd_log" lineno="81">
<summary>
Create specified objects in generic
log directories with the innd log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="inn_manage_pid" lineno="100">
<summary>
Create, read, write, and delete
innd pid content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_config" lineno="122">
<summary>
Read innd configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_lib" lineno="143">
<summary>
Read innd news library content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_write_inherited_news_lib" lineno="163">
<summary>
Write innd inherited news library content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_spool" lineno="181">
<summary>
Read innd news spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_dgram_send" lineno="202">
<summary>
Send to an innd unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_domtrans" lineno="221">
<summary>
Execute innd in the innd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="inn_admin" lineno="247">
<summary>
All of the rules required to
administrate an inn environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="insights_client" filename="policy/modules/contrib/insights_client.if">
<summary>policy for insights_client</summary>
<interface name="insights_client_domtrans" lineno="13">
<summary>
Execute insights_client_exec_t in the insights_client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="insights_client_exec" lineno="32">
<summary>
Execute insights_client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_rw_pipes" lineno="51">
<summary>
Read and write an insights_client unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_search_config" lineno="70">
<summary>
Allow the specified domain to search
insights configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_filetrans_named_content" lineno="89">
<summary>
Transition to insights_client named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_filetrans_tmp" lineno="123">
<summary>
Transition to insights_client named content in /tmp
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_filetrans_run" lineno="142">
<summary>
Transition to insights_client named content in /var/run
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_read_config" lineno="160">
<summary>
Read insights_client config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_read_lib_files" lineno="180">
<summary>
Read insights_client lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_manage_lib_dirs" lineno="200">
<summary>
Manage insights_client lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_watch_lib_dirs" lineno="219">
<summary>
Watch insights_client lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_manage_lib_files" lineno="238">
<summary>
Manage insights_client lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_write_lib_sock_files" lineno="258">
<summary>
Write to insights_client lib socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_manage_lib_sock_files" lineno="277">
<summary>
Manage insights_client lib socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_read_tmp" lineno="296">
<summary>
Read insights_client temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="insights_client_write_tmp" lineno="315">
<summary>
Write/append insights_client temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="iodine" filename="policy/modules/contrib/iodine.if">
<summary>IP over DNS tunneling daemon.</summary>
<interface name="iodined_domtrans" lineno="13">
<summary>
Execute iodined with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iodined_systemctl" lineno="32">
<summary>
Execute iodined server in the iodined domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iodined_admin" lineno="64">
<summary>
All of the rules required to
administrate an iodined environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="iodine_admin" lineno="86">
<summary>
All of the rules required to
administrate an iodined environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="iotop" filename="policy/modules/contrib/iotop.if">
<summary>Simple top-like I/O monitor</summary>
<interface name="iotop_domtrans" lineno="13">
<summary>
Allow execution of iotop in the iotop domain from the target domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition to iotop.
</summary>
</param>
</interface>
<interface name="iotop_run" lineno="38">
<summary>
Execute iotop in the iotop domain, and
allow the specified role to access the iotop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed into the iotop domain.
</summary>
</param>
</interface>
</module>
<module name="ipmievd" filename="policy/modules/contrib/ipmievd.if">
<summary>IPMI event daemon for sending events to syslog.</summary>
<interface name="ipmievd_domtrans" lineno="13">
<summary>
Execute ipmievd_exec_t in the ipmievd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipmievd_exec" lineno="32">
<summary>
Execute ipmievd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipmievd_read_pid_files" lineno="51">
<summary>
Read ipmievd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ipmievd_systemctl" lineno="70">
<summary>
Execute ipmievd server in the ipmievd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ipmievd_admin" lineno="95">
<summary>
All of the rules required to administrate
an ipmievd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="irc" filename="policy/modules/contrib/irc.if">
<summary>IRC client policy.</summary>
<interface name="irc_role" lineno="18">
<summary>
Role access for IRC.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="irc_filetrans_home_content" lineno="71">
<summary>
Transition to irc named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="irc_use_any_tcp_ports" dftval="false">
<desc>
<p>
Determine whether irc clients can
listen on and connect to any
unreserved TCP ports.
</p>
</desc>
</tunable>
<tunable name="irssi_use_full_network" dftval="false">
<desc>
<p>
Allow the Irssi IRC Client to connect to any port,
and to bind to any unreserved port.
</p>
</desc>
</tunable>
</module>
<module name="ircd" filename="policy/modules/contrib/ircd.if">
<summary>IRC servers.</summary>
<interface name="ircd_admin" lineno="20">
<summary>
All of the rules required to
administrate an ircd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="irqbalance" filename="policy/modules/contrib/irqbalance.if">
<summary>IRQ balancing daemon.</summary>
<interface name="irqbalance_admin" lineno="20">
<summary>
All of the rules required to
administrate an irqbalance environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="irqbalance_run_unconfined" dftval="false">
<desc>
<p>
Allow irqbalance to run unconfined scripts
</p>
</desc>
</tunable>
</module>
<module name="iscsi" filename="policy/modules/contrib/iscsi.if">
<summary>Establish connections to iSCSI devices.</summary>
<interface name="iscsid_domtrans" lineno="13">
<summary>
Execute a domain transition to run iscsid.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iscsid_run" lineno="38">
<summary>
Execute iscsid programs in the iscsid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the iscsid domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="iscsi_manage_lock" lineno="58">
<summary>
Create, read, write, and delete
iscsid lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_manage_semaphores" lineno="79">
<summary>
Create, read, write, and delete
iscsid semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_stream_connect" lineno="98">
<summary>
Connect to iscsid using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_read_lib_files" lineno="117">
<summary>
Read iscsid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_filetrans_named_content" lineno="137">
<summary>
Transition to iscsi named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_systemctl" lineno="155">
<summary>
Execute iscsi server in the iscsi domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="iscsi_admin" lineno="181">
<summary>
All of the rules required to
administrate an iscsi environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="iscsi_read_pid_files" lineno="222">
<summary>
Read iscsi PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="iscsi_service_status" lineno="241">
<summary>
Get iscsi service status
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="iscsi_service_reload" lineno="259">
<summary>
Reload iscsi service
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
</module>
<module name="isns" filename="policy/modules/contrib/isns.if">
<summary>Internet Storage Name Service.</summary>
<interface name="isnsd_admin" lineno="20">
<summary>
All of the rules required to
administrate an isnsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="jabber" filename="policy/modules/contrib/jabber.if">
<summary>Jabber instant messaging server</summary>
<template name="jabber_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
jabber init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="jabber_domtrans_jabberd" lineno="45">
<summary>
Execute a domain transition to run jabberd services
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jabber_domtrans_jabberd_router" lineno="63">
<summary>
Execute a domain transition to run jabberd router service
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jabberd_read_lib_files" lineno="81">
<summary>
Read jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jabberd_dontaudit_read_lib_files" lineno="100">
<summary>
Dontaudit inherited read jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="jabberd_manage_lib_files" lineno="119">
<summary>
Create, read, write, and delete
jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jabber_admin" lineno="145">
<summary>
All of the rules required to administrate
a jabber environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the jabber domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="java" filename="policy/modules/contrib/java.if">
<summary>Java virtual machine</summary>
<interface name="java_role" lineno="18">
<summary>
Role access for java.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<template name="java_role_template" lineno="81">
<summary>
The role template for the java module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for java applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<template name="java_domtrans" lineno="139">
<summary>
Execute the java program in the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</template>
<interface name="java_run" lineno="164">
<summary>
Execute java in the java domain, and
allow the specified role the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="java_domtrans_unconfined" lineno="184">
<summary>
Execute the java program in the
unconfined java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="java_run_unconfined" lineno="210">
<summary>
Execute the java program in the
unconfined java domain and allow the
specified role the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="java_exec" lineno="230">
<summary>
Execute the java program in
the caller's domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="java_manage_generic_home_content" lineno="250">
<summary>
Create, read, write, and delete
generic java home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="java_home_filetrans_java_home" lineno="282">
<summary>
Create specified objects in user home
directories with the generic java
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<tunable name="java_execstack" dftval="false">
<desc>
<p>
Determine whether java can make
its stack executable.
</p>
</desc>
</tunable>
</module>
<module name="jetty" filename="policy/modules/contrib/jetty.if">
<summary>Jetty - HTTP server and Servlet container</summary>
<interface name="jetty_domtrans" lineno="13">
<summary>
Execute jetty_exec_t in the jetty domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jetty_exec" lineno="32">
<summary>
Execute jetty in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_search_cache" lineno="51">
<summary>
Search jetty cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_read_cache_files" lineno="70">
<summary>
Read jetty cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_cache_files" lineno="90">
<summary>
Create, read, write, and delete
jetty cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_cache_dirs" lineno="109">
<summary>
Manage jetty cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_read_log" lineno="129">
<summary>
Read jetty's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="jetty_append_log" lineno="148">
<summary>
Append to jetty log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_log" lineno="167">
<summary>
Manage jetty log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_dontaudit_read_tmp_files" lineno="189">
<summary>
Do not audit attempts to read
jetty tmp files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="jetty_read_tmp_files" lineno="207">
<summary>
Read jetty tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_tmp" lineno="226">
<summary>
Manage jetty tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_search_lib" lineno="247">
<summary>
Search jetty lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_read_lib_files" lineno="266">
<summary>
Read jetty lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_lib_files" lineno="285">
<summary>
Manage jetty lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_manage_lib_dirs" lineno="304">
<summary>
Manage jetty lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_read_pid_files" lineno="323">
<summary>
Read jetty PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jetty_systemctl" lineno="342">
<summary>
Execute jetty server in the jetty domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jetty_admin" lineno="374">
<summary>
All of the rules required to administrate
a jetty environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="jockey" filename="policy/modules/contrib/jockey.if">
<summary>policy for jockey</summary>
<interface name="jockey_domtrans" lineno="13">
<summary>
Transition to jockey.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jockey_search_cache" lineno="32">
<summary>
Search jockey cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jockey_read_cache_files" lineno="51">
<summary>
Read jockey cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jockey_manage_cache_files" lineno="71">
<summary>
Create, read, write, and delete
jockey cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jockey_manage_cache_dirs" lineno="90">
<summary>
Manage jockey cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jockey_admin" lineno="110">
<summary>
All of the rules required to administrate
a jockey environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="journalctl" filename="policy/modules/contrib/journalctl.if">
<summary>policy for journalctl</summary>
<interface name="journalctl_domtrans" lineno="13">
<summary>
Execute journalctl in the journalctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="journalctl_exec" lineno="32">
<summary>
Execute journalctl in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="journalctl_run" lineno="58">
<summary>
Execute journalctl in the journalctl domain, and
allow the specified role the journalctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the journalctl domain.
</summary>
</param>
</interface>
<interface name="journalctl_role" lineno="83">
<summary>
Role access for journalctl
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
</module>
<module name="kdump" filename="policy/modules/contrib/kdump.if">
<summary>Kernel crash dumping mechanism</summary>
<interface name="kdump_domtrans" lineno="13">
<summary>
Execute kdump in the kdump domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdumpctl_domtrans" lineno="32">
<summary>
Execute kdumpctl in the kdumpctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdump_initrc_domtrans" lineno="52">
<summary>
Execute kdump in the kdump domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdump_systemctl" lineno="70">
<summary>
Execute kdump server in the kdump domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kdump_read_config" lineno="95">
<summary>
Read kdump configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_read_crash" lineno="114">
<summary>
Read kdump crash files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_manage_crash" lineno="134">
<summary>
Manage kdump crash files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_dontaudit_read_config" lineno="154">
<summary>
Dontaudit read kdump configuration file.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kdump_manage_config" lineno="172">
<summary>
Manage kdump configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_rw_lock" lineno="191">
<summary>
Read and write kdump lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_rw_inherited_kdumpctl_tmp_pipes" lineno="210">
<summary>
Read/write inherited kdump /var/tmp named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_manage_kdumpctl_tmp_files" lineno="229">
<summary>
Manage kdump /var/tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_filetrans_named_content" lineno="252">
<summary>
Transition content labels to kdump named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kdump_admin" lineno="277">
<summary>
All of the rules required to administrate
a kdump environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the kdump domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kdump_dontaudit_inherited_kdumpctl_tmp_pipes" lineno="317">
<summary>
Dontaudit Read/write inherited kdump /var/tmp named pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="kdump_manage_lib_files" lineno="336">
<summary>
Manage kdump lib files
</summary>
<param name="domain">
<summary>
Domain to allow access
</summary>
</param>
</interface>
<interface name="kdump_dgram_send_kdumpctl" lineno="354">
<summary>
Send to kdumpctl over a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="kdumpgui" filename="policy/modules/contrib/kdumpgui.if">
<summary>system-config-kdump GUI</summary>
<interface name="kdumpgui_dbus_chat" lineno="14">
<summary>
Send and receive messages from
kdumpgui over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="kdumpgui_run_bootloader" dftval="false">
<desc>
<p>
Allow s-c-kdump to run bootloader in bootloader_t.
</p>
</desc>
</tunable>
</module>
<module name="keepalived" filename="policy/modules/contrib/keepalived.if">
<summary> keepalived - load-balancing and high-availability service</summary>
<interface name="keepalived_domtrans" lineno="13">
<summary>
Execute keepalived in the keepalived domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="keepalived_systemctl" lineno="31">
<summary>
Execute keepalived server in the keepalived domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="keepalived_admin" lineno="59">
<summary>
All of the rules required to administrate
a keepalived environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="keepalived_connect_any" dftval="false">
<desc>
<p>
Determine whether keepalived can
connect to all TCP ports.
</p>
</desc>
</tunable>
</module>
<module name="kerberos" filename="policy/modules/contrib/kerberos.if">
<summary>MIT Kerberos admin and KDC</summary>
<desc>
<p>
This policy supports:
</p>
<p>
Servers:
<ul>
<li>kadmind</li>
<li>krb5kdc</li>
</ul>
</p>
<p>
Clients:
<ul>
<li>kinit</li>
<li>kdestroy</li>
<li>klist</li>
<li>ksu (incomplete)</li>
</ul>
</p>
</desc>
<interface name="kerberos_exec_kadmind" lineno="34">
<summary>
Execute kadmind in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_domtrans_kpropd" lineno="52">
<summary>
Execute a domain transition to run kpropd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerberos_use" lineno="70">
<summary>
Use kerberos services
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_read_config" lineno="136">
<summary>
Read the kerberos configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_dontaudit_write_config" lineno="157">
<summary>
Do not audit attempts to write the kerberos
configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerberos_rw_config" lineno="176">
<summary>
Read and write the kerberos configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_read_keytab" lineno="196">
<summary>
Read the kerberos key table.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_rw_keytab" lineno="216">
<summary>
Read/Write the kerberos key table.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_etc_filetrans_keytab" lineno="241">
<summary>
Create keytab file in /etc
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<template name="kerberos_keytab_template" lineno="266">
<summary>
Create a derived type for kerberos keytab
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="kerberos_read_kdc_config" lineno="283">
<summary>
Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_manage_kdc_config" lineno="303">
<summary>
Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_read_host_rcache" lineno="323">
<summary>
Read the kerberos host rcache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_rw_host_rcache" lineno="340">
<summary>
Read/Write the kerberos host rcache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_manage_host_rcache" lineno="360">
<summary>
Manage the kerberos host rcache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_admin" lineno="400">
<summary>
All of the rules required to administrate
a kerberos environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the kerberos domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_tmp_filetrans_host_rcache" lineno="466">
<summary>
Type transition files created in /tmp
to the krb5_host_rcache type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="kerberos_tmp_filetrans_kadmin" lineno="491">
<summary>
Type transition files created in /tmp
to the kadmind_tmp type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="kerberos_read_home_content" lineno="510">
<summary>
read kerberos homedir content (.k5login)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_manage_kdc_var_lib" lineno="531">
<summary>
Manage the kerberos kdc /var/lib files
and directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_filetrans_admin_home_content" lineno="552">
<summary>
Create kerberos content in the /root directory
with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_filetrans_home_content" lineno="572">
<summary>
Transition to kerberos named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_filetrans_named_content" lineno="592">
<summary>
Transition to kerberos named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_write_kadmind_tmp_files" lineno="630">
<summary>
Write to temporary kadmind files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="kerberos_enabled" dftval="false">
<desc>
<p>
Allow confined applications to run with kerberos.
</p>
</desc>
</tunable>
</module>
<module name="kerneloops" filename="policy/modules/contrib/kerneloops.if">
<summary>Service for reporting kernel oopses to kerneloops.org.</summary>
<interface name="kerneloops_domtrans" lineno="13">
<summary>
Execute a domain transition to run kerneloops.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerneloops_dbus_chat" lineno="33">
<summary>
Send and receive messages from
kerneloops over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_dontaudit_dbus_chat" lineno="55">
<summary>
Do not audit attempts to send and
receive messages from kerneloops
over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerneloops_manage_tmp_files" lineno="76">
<summary>
Create, read, write, and delete
kerneloops temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_admin" lineno="102">
<summary>
All of the rules required to
administrate a kerneloops environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="keyboardd" filename="policy/modules/contrib/keyboardd.if">
<summary>policy for system-setup-keyboard daemon</summary>
<interface name="keyboardd_domtrans" lineno="13">
<summary>
Execute a domain transition to run keyboard setup daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keyboardd_read_pipes" lineno="32">
<summary>
Allow attempts to read
keyboardd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="keystone" filename="policy/modules/contrib/keystone.if">
<summary>policy for keystone</summary>
<interface name="keystone_domtrans" lineno="13">
<summary>
Transition to keystone.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="keystone_read_log" lineno="32">
<summary>
Read keystone's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="keystone_append_log" lineno="51">
<summary>
Append to keystone log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_log" lineno="70">
<summary>
Manage keystone log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_search_lib" lineno="91">
<summary>
Search keystone lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_read_lib_files" lineno="110">
<summary>
Read keystone lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_lib_files" lineno="129">
<summary>
Manage keystone lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_lib_dirs" lineno="148">
<summary>
Manage keystone lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_systemctl" lineno="167">
<summary>
Execute keystone server in the keystone domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="keystone_admin" lineno="194">
<summary>
All of the rules required to administrate
a keystone environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="kismet" filename="policy/modules/contrib/kismet.if">
<summary>IEEE 802.11 wireless LAN sniffer.</summary>
<template name="kismet_role" lineno="18">
<summary>
Role access for kismet.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="kismet_domtrans" lineno="51">
<summary>
Execute a domain transition to run kismet.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kismet_run" lineno="76">
<summary>
Execute kismet in the kismet domain, and
allow the specified role the kismet domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_pid_files" lineno="95">
<summary>
Read kismet pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_pid_files" lineno="115">
<summary>
Create, read, write, and delete
kismet pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_search_lib" lineno="134">
<summary>
Search kismet lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_lib_files" lineno="153">
<summary>
Read kismet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_lib_files" lineno="174">
<summary>
Create, read, write, and delete
kismet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_lib" lineno="194">
<summary>
Create, read, write, and delete
kismet lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_read_log" lineno="216">
<summary>
Read kismet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kismet_append_log" lineno="235">
<summary>
Append kismet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_manage_log" lineno="255">
<summary>
Create, read, write, and delete
kismet log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kismet_admin" lineno="283">
<summary>
All of the rules required to
administrate a kismet environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="kmscon" filename="policy/modules/contrib/kmscon.if">
<summary>Terminal emulator for Linux graphical console</summary>
<interface name="kmscon_systemctl" lineno="13">
<summary>
Execute kmscon in the kmscon domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="kpatch" filename="policy/modules/contrib/kpatch.if">
<summary>Policy for kpatch</summary>
<interface name="kpatch_domtrans" lineno="13">
<summary>
Transition to kpatch.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kpatch_nnp_domtrans" lineno="33">
<summary>
NNP Transition to kpatch.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kpatch_read_lib_files" lineno="52">
<summary>
Read kpatch lib files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="kpatch_run" lineno="78">
<summary>
Execute kpatch in the kpatch domain, and
allow the specified role the kpatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the kpatch domain.
</summary>
</param>
</interface>
</module>
<module name="ksmtuned" filename="policy/modules/contrib/ksmtuned.if">
<summary>Kernel Samepage Merging Tuning Daemon.</summary>
<interface name="ksmtuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run ksmtuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_initrc_domtrans" lineno="33">
<summary>
Execute ksmtuned server in
the ksmtuned domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_systemctl" lineno="51">
<summary>
Execute ksmtuned server in the ksmtuned domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_admin" lineno="77">
<summary>
All of the rules required to
administrate a ksmtuned environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="ksmtuned_use_nfs" dftval="false">
<desc>
<p>
Allow ksmtuned to use nfs file systems
</p>
</desc>
</tunable>
<tunable name="ksmtuned_use_cifs" dftval="false">
<desc>
<p>
Allow ksmtuned to use cifs/Samba file systems
</p>
</desc>
</tunable>
</module>
<module name="ktalk" filename="policy/modules/contrib/ktalk.if">
<summary>talk-server - daemon programs for the Internet talk </summary>
<interface name="ktalk_domtrans" lineno="13">
<summary>
Execute ktalkd in the ktalkd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ktalk_systemctl" lineno="31">
<summary>
Execute ktalkd server in the ktalkd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ktalk_admin" lineno="59">
<summary>
All of the rules required to administrate
a ktalkd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="l2tp" filename="policy/modules/contrib/l2tp.if">
<summary>Layer 2 Tunneling Protocol daemons.</summary>
<interface name="l2tpd_domtrans" lineno="13">
<summary>
Transition to l2tpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="l2tpd_initrc_domtrans" lineno="32">
<summary>
Execute l2tpd server in the l2tpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_dgram_send" lineno="50">
<summary>
Send to l2tpd via a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_rw_socket" lineno="69">
<summary>
Read and write l2tpd sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_read_pid_files" lineno="87">
<summary>
Read l2tpd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_stream_connect" lineno="107">
<summary>
Connect to l2tpd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_rw_pipes" lineno="127">
<summary>
Read and write l2tpd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_signal" lineno="145">
<summary>
Allow send a signal to l2tpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_signull" lineno="163">
<summary>
Allow send signull to l2tpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_sigkill" lineno="181">
<summary>
Allow send sigkill to l2tpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_dbus_chat" lineno="200">
<summary>
Send and receive messages from
l2tpd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_admin" lineno="227">
<summary>
All of the rules required to administrate
an l2tpd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="l2tpd_rw_pppox_sockets" lineno="266">
<summary>
Read and write l2tpd pppox
sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ldap" filename="policy/modules/contrib/ldap.if">
<summary>OpenLDAP directory server</summary>
<interface name="ldap_domtrans" lineno="13">
<summary>
Execute OpenLDAP in the ldap domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_initrc_domtrans" lineno="31">
<summary>
Execute OpenLDAP server in the ldap domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_systemctl" lineno="49">
<summary>
Execute slapd server in the slapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ldap_list_db" lineno="74">
<summary>
Read the contents of the OpenLDAP
database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_read_db_files" lineno="93">
<summary>
Read the contents of the OpenLDAP
database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_read_config" lineno="112">
<summary>
Read the OpenLDAP configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ldap_read_certs" lineno="132">
<summary>
Read the OpenLDAP cert files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ldap_use" lineno="153">
<summary>
Use LDAP over TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_stream_connect" lineno="167">
<summary>
Connect to slapd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_admin" lineno="193">
<summary>
All of the rules required to administrate
an ldap environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ldap domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ldap_read_tmpfs_files" lineno="243">
<summary>
Read slapd tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lightsquid" filename="policy/modules/contrib/lightsquid.if">
<summary>Log analyzer for squid proxy.</summary>
<interface name="lightsquid_domtrans" lineno="14">
<summary>
Execute the lightsquid program in
the lightsquid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lightsquid_run" lineno="40">
<summary>
Execute lightsquid in the
lightsquid domain, and allow the
specified role the lightsquid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="lightsquid_admin" lineno="66">
<summary>
All of the rules required to
administrate a lightsquid environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="likewise" filename="policy/modules/contrib/likewise.if">
<summary>Likewise Active Directory support for UNIX.</summary>
<desc>
<p>
Likewise Open is a free, open source application that joins Linux, Unix,
and Mac machines to Microsoft Active Directory to securely authenticate
users with their domain credentials.
</p>
</desc>
<template name="likewise_domain_template" lineno="26">
<summary>
The template to define a likewise domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new likewise daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used.
</summary>
</param>
</template>
<interface name="likewise_stream_connect_lsassd" lineno="92">
<summary>
Connect to lsassd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="linuxptp" filename="policy/modules/contrib/linuxptp.if">
<summary>implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.</summary>
<interface name="linuxptp_domtrans_phc2sys" lineno="13">
<summary>
Execute phc2sys in the phc2sys domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="linuxptp_domtrans_ptp4l" lineno="32">
<summary>
Execute ptp4l in the ptp4l domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="timemaster_stream_connect" lineno="51">
<summary>
Connect to timemaster using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="timemaster_read_pid_files" lineno="70">
<summary>
Read timemaster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="timemaster_manage_pid_sock_files" lineno="88">
<summary>
Manage timemaster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="timemaster_rw_shm" lineno="106">
<summary>
Read and write timemaster shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ptp4l_rw_shm" lineno="128">
<summary>
Read and write ptp4l_t shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="phc2sys_rw_shm" lineno="150">
<summary>
Read and write phc2sys_t shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="timemaster_service_status" lineno="172">
<summary>
Get timemaster services status
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="lircd" filename="policy/modules/contrib/lircd.if">
<summary>Linux infrared remote control daemon.</summary>
<interface name="lircd_domtrans" lineno="13">
<summary>
Execute a domain transition to run lircd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lircd_stream_connect" lineno="33">
<summary>
Connect to lircd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lircd_read_config" lineno="52">
<summary>
Read lircd etc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lircd_admin" lineno="78">
<summary>
All of the rules required to
administrate a lircd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="livecd" filename="policy/modules/contrib/livecd.if">
<summary>Tool for building alternate livecd for different os and policy versions.</summary>
<interface name="livecd_domtrans" lineno="13">
<summary>
Execute a domain transition to run livecd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="livecd_run" lineno="39">
<summary>
Execute livecd in the livecd
domain, and allow the specified
role the livecd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="livecd_dontaudit_leaks" lineno="65">
<summary>
Do not audit attempts to read or write livecd leaks.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="livecd_read_tmp_files" lineno="83">
<summary>
Read livecd temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="livecd_rw_tmp_files" lineno="102">
<summary>
Read and write livecd temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="livecd_rw_semaphores" lineno="121">
<summary>
Read and write livecd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lldpad" filename="policy/modules/contrib/lldpad.if">
<summary>Intel LLDP Agent.</summary>
<interface name="lldpad_domtrans" lineno="13">
<summary>
Transition to lldpad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lldpad_dgram_send" lineno="32">
<summary>
Send to lldpad with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lldpad_admin" lineno="58">
<summary>
All of the rules required to
administrate an lldpad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lldpad_relabel_tmpfs" lineno="93">
<summary>
Allow relabel lldpad_tmpfs_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="loadkeys" filename="policy/modules/contrib/loadkeys.if">
<summary>Load keyboard mappings.</summary>
<interface name="loadkeys_domtrans" lineno="14">
<summary>
Execute the loadkeys program in
the loadkeys domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="loadkeys_run" lineno="41">
<summary>
Execute the loadkeys program in
the loadkeys domain, and allow the
specified role the loadkeys domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="loadkeys_exec" lineno="60">
<summary>
Execute loadkeys in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lockdev" filename="policy/modules/contrib/lockdev.if">
<summary>Library for locking devices.</summary>
<interface name="lockdev_manage_files" lineno="14">
<summary>
Create, read, write, and delete
lockdev lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lockdev_role" lineno="38">
<summary>
Role access for lockdev.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
</module>
<module name="logrotate" filename="policy/modules/contrib/logrotate.if">
<summary>Rotate and archive system logs</summary>
<interface name="logrotate_domtrans" lineno="13">
<summary>
Execute logrotate in the logrotate domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="logrotate_run" lineno="39">
<summary>
Execute logrotate in the logrotate domain, and
allow the specified role the logrotate domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="logrotate_exec" lineno="58">
<summary>
Execute logrotate in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logrotate_use_fds" lineno="77">
<summary>
Inherit and use logrotate file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logrotate_dontaudit_use_fds" lineno="95">
<summary>
Do not audit attempts to inherit logrotate file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logrotate_read_tmp_files" lineno="113">
<summary>
Read logrotate temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="logrotate_use_nfs" dftval="false">
<desc>
<p>
Allow logrotate to manage nfs files
</p>
</desc>
</tunable>
<tunable name="logrotate_use_cifs" dftval="false">
<desc>
<p>
Allow logrotate to manage cifs files
</p>
</desc>
</tunable>
<tunable name="logrotate_use_fusefs" dftval="false">
<desc>
<p>
Allow logrotate domain to manage fuse files
</p>
</desc>
</tunable>
<tunable name="logrotate_read_inside_containers" dftval="false">
<desc>
<p>
Allow logrotate to read logs inside containers.
</p>
</desc>
</tunable>
</module>
<module name="logwatch" filename="policy/modules/contrib/logwatch.if">
<summary>System log analyzer and reporter.</summary>
<interface name="logwatch_read_tmp_files" lineno="13">
<summary>
Read logwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logwatch_search_cache_dir" lineno="32">
<summary>
Search logwatch cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="logwatch_dontaudit_leaks" lineno="51">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="logwatch_manage_cache" lineno="70">
<summary>
Create, read, write, and delete
logwatch cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="logwatch_can_network_connect_mail" dftval="false">
<desc>
<p>
Determine whether logwatch can connect
to mail over the network.
</p>
</desc>
</tunable>
</module>
<module name="lpd" filename="policy/modules/contrib/lpd.if">
<summary>Line printer daemon</summary>
<interface name="lpd_role" lineno="19">
<summary>
Role access for lpd
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_domtrans_checkpc" lineno="63">
<summary>
Execute lpd in the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lpd_run_checkpc" lineno="88">
<summary>
Execute checkpc in the lpd domain, and
allow the specified role the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_list_spool" lineno="107">
<summary>
List the contents of the printer spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_spool" lineno="126">
<summary>
Read the printer spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_manage_spool" lineno="145">
<summary>
Create, read, write, and delete printer spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_relabel_spool" lineno="168">
<summary>
Relabel from and to the spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_config" lineno="188">
<summary>
List the contents of the printer spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_domtrans_lpr" lineno="207">
<summary>
Transition to a user lpr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lpd_run_lpr" lineno="232">
<summary>
Execute lpr in the lpr domain, and
allow the specified role the lpr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_exec_lpr" lineno="252">
<summary>
Allow the specified domain to execute lpr
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="use_lpd_server" dftval="false">
<desc>
<p>
Determine whether to support lpd server.
</p>
</desc>
</tunable>
</module>
<module name="lsm" filename="policy/modules/contrib/lsm.if">
<summary>libStorageMgmt plug-in daemon</summary>
<interface name="lsmd_domtrans" lineno="13">
<summary>
Execute lsmd in the lsmd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lsmd_read_pid_files" lineno="31">
<summary>
Read lsmd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lsmd_systemctl" lineno="50">
<summary>
Execute lsmd server in the lsmd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lsmd_admin" lineno="78">
<summary>
All of the rules required to administrate
an lsmd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="lsmd_plugin_connect_any" dftval="false">
<desc>
<p>
Determine whether lsmd_plugin can
connect to all TCP ports.
</p>
</desc>
</tunable>
</module>
<module name="lttng-tools" filename="policy/modules/contrib/lttng-tools.if">
<summary>LTTng 2.x central tracing registry session daemon.</summary>
<interface name="lttng_sessiond_domtrans" lineno="13">
<summary>
Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lttng_sessiond_exec" lineno="32">
<summary>
Execute lttng_sessiond in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lttng_sessiond_systemctl" lineno="51">
<summary>
Execute lttng_sessiond server in the lttng_sessiond domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lttng_sessiond_admin" lineno="76">
<summary>
All of the rules required to administrate
an lttng_sessiond environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lttng_read_shm" lineno="109">
<summary>
Read and write lttng-tools shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mailman" filename="policy/modules/contrib/mailman.if">
<summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
<template name="mailman_domain_template" lineno="19">
<summary>
The template to define a mailman domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new mailman daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used, e.g. cgi would give mailman_cgi_
</summary>
</param>
</template>
<interface name="mailman_domtrans" lineno="80">
<summary>
Execute mailman in the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_run" lineno="104">
<summary>
Execute the mailman program in the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the mailman domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mailman_domtrans_cgi" lineno="124">
<summary>
Execute mailman CGI scripts in the
mailman CGI domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_exec" lineno="142">
<summary>
Execute mailman in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_signal_cgi" lineno="160">
<summary>
Send generic signals to the mailman cgi domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_signull_cgi" lineno="178">
<summary>
Send null signals to the mailman cgi domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_search_data" lineno="196">
<summary>
Allow domain to search data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_files" lineno="214">
<summary>
Allow domain to read mailman data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_data_files" lineno="235">
<summary>
Allow domain to create mailman data files
and write the directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_list_data" lineno="254">
<summary>
List the contents of mailman data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_symlinks" lineno="272">
<summary>
Allow read access to mailman data symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_log" lineno="290">
<summary>
Read mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_append_log" lineno="308">
<summary>
Append to mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_log" lineno="327">
<summary>
Create, read, write, and delete
mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_archive" lineno="346">
<summary>
Allow domain to read mailman archive files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_domtrans_queue" lineno="366">
<summary>
Execute mailman_queue in the mailman_queue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="mailman_use_fusefs" dftval="false">
<desc>
<p>
Allow mailman to access FUSE file systems
</p>
</desc>
</tunable>
</module>
<module name="mailscanner" filename="policy/modules/contrib/mailscanner.if">
<summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
<interface name="mailscanner_initrc_domtrans" lineno="14">
<summary>
Execute a domain transition to run
MailScanner.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailscanner_admin" lineno="39">
<summary>
All of the rules required to administrate
a mailscanner environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="man2html" filename="policy/modules/contrib/man2html.if">
<summary>A Unix manpage-to-HTML converter.</summary>
<interface name="man2html_script_domtrans" lineno="13">
<summary>
Transition to man2html_script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="man2html_search_content" lineno="32">
<summary>
Search man2html_script content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="man2html_read_content_files" lineno="52">
<summary>
Read man2html content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="man2html_manage_content_files" lineno="75">
<summary>
Create, read, write, and delete
man2html content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="man2html_manage_content_dirs" lineno="97">
<summary>
Create, read, write, and delete
man2html content dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="man2html_admin" lineno="119">
<summary>
All of the rules required to administrate
a man2html environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mandb" filename="policy/modules/contrib/mandb.if">
<summary>policy for mandb</summary>
<interface name="mandb_domtrans" lineno="13">
<summary>
Transition to mandb.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mandb_search_cache" lineno="32">
<summary>
Search mandb cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_read_cache_files" lineno="51">
<summary>
Read mandb cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_map_cache_files" lineno="70">
<summary>
Mmap mandb cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_relabel_cache" lineno="88">
<summary>
Relabel mandb cache files/directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_setattr_cache_dirs" lineno="107">
<summary>
Set attributes on mandb cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_delete_cache" lineno="126">
<summary>
Delete mandb cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_manage_cache_files" lineno="149">
<summary>
Create, read, write, and delete
mandb cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_manage_cache_dirs" lineno="168">
<summary>
Manage mandb cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_filetrans_named_home_content" lineno="189">
<summary>
Create configuration files in user
home directories with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mandb_admin" lineno="208">
<summary>
All of the rules required to administrate
a mandb environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mcelog" filename="policy/modules/contrib/mcelog.if">
<summary>Linux hardware error daemon.</summary>
<interface name="mcelog_domtrans" lineno="13">
<summary>
Execute a domain transition to run mcelog.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mcelog_read_log" lineno="32">
<summary>
Read mcelog logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mcelog_admin" lineno="58">
<summary>
All of the rules required to
administrate an mcelog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mcelog_client" dftval="false">
<desc>
<p>
Determine whether mcelog supports
client mode.
</p>
</desc>
</tunable>
<tunable name="mcelog_exec_scripts" dftval="true">
<desc>
<p>
Determine whether mcelog can execute scripts.
</p>
</desc>
</tunable>
<tunable name="mcelog_foreground" dftval="false">
<desc>
<p>
Determine whether mcelog can use all
the user ttys.
</p>
</desc>
</tunable>
<tunable name="mcelog_server" dftval="false">
<desc>
<p>
Determine whether mcelog supports
server mode.
</p>
</desc>
</tunable>
</module>
<module name="mediawiki" filename="policy/modules/contrib/mediawiki.if">
<summary>Mediawiki policy</summary>
<interface name="mediawiki_read_tmp_files" lineno="14">
<summary>
Allow the specified domain to read
mediawiki tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mediawiki_delete_tmp_files" lineno="34">
<summary>
Delete mediawiki tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="memcached" filename="policy/modules/contrib/memcached.if">
<summary>high-performance memory object caching system</summary>
<interface name="memcached_domtrans" lineno="13">
<summary>
Execute a domain transition to run memcached.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="memcached_read_pid_files" lineno="32">
<summary>
Read memcached PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_manage_pid_files" lineno="51">
<summary>
Manage memcached PID files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_stream_connect" lineno="70">
<summary>
Connect to memcached over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_admin" lineno="96">
<summary>
All of the rules required to administrate
a memcached environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the memcached domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="milter" filename="policy/modules/contrib/milter.if">
<summary>Milter mail filters</summary>
<template name="milter_template" lineno="14">
<summary>
Create a set of derived types for various
mail filter applications using the milter interface.
</summary>
<param name="milter_name">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="milter_stream_connect_all" lineno="48">
<summary>
MTA communication with milter sockets
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_getattr_all_sockets" lineno="68">
<summary>
Allow getattr of milter sockets
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_setattr_all_dirs" lineno="87">
<summary>
Allow setattr of milter dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_manage_spamass_state" lineno="105">
<summary>
Manage spamassassin milter state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_delete_dkim_pid_files" lineno="126">
<summary>
Delete dkim-milter PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="minidlna" filename="policy/modules/contrib/minidlna.if">
<summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
<interface name="minidlna_admin" lineno="20">
<summary>
All of the rules required to
administrate a minidlna environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="minidlna_initrc_domtrans" lineno="58">
<summary>
Execute minidlna init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="minidlna_read_generic_user_content" dftval="false">
<desc>
<p>
Determine whether minidlna can read generic user content.
</p>
</desc>
</tunable>
</module>
<module name="minissdpd" filename="policy/modules/contrib/minissdpd.if">
<summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
<interface name="minissdpd_read_config" lineno="13">
<summary>
Read minissdpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="minissdpd_admin" lineno="39">
<summary>
All of the rules required to
administrate a minissdpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mip6d" filename="policy/modules/contrib/mip6d.if">
<summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
<interface name="mip6d_domtrans" lineno="13">
<summary>
Execute mip6d in the mip6d domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mip6d_systemctl" lineno="31">
<summary>
Execute mip6d server in the mip6d domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mip6d_admin" lineno="59">
<summary>
All of the rules required to administrate
a mip6d environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mirrormanager" filename="policy/modules/contrib/mirrormanager.if">
<summary>policy for mirrormanager</summary>
<interface name="mirrormanager_domtrans" lineno="13">
<summary>
Execute mirrormanager in the mirrormanager domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_log" lineno="33">
<summary>
Read mirrormanager's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mirrormanager_append_log" lineno="52">
<summary>
Append to mirrormanager log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_log" lineno="71">
<summary>
Manage mirrormanager log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_search_lib" lineno="92">
<summary>
Search mirrormanager lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_lib_files" lineno="111">
<summary>
Read mirrormanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_lib_files" lineno="131">
<summary>
Manage mirrormanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_lib_dirs" lineno="150">
<summary>
Manage mirrormanager lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_pid_files" lineno="169">
<summary>
Read mirrormanager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_pid_files" lineno="188">
<summary>
Manage mirrormanager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_pid_sock_files" lineno="207">
<summary>
Manage mirrormanager PID sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_admin" lineno="227">
<summary>
All of the rules required to administrate
a mirrormanager environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mock" filename="policy/modules/contrib/mock.if">
<summary>policy for mock</summary>
<interface name="mock_domtrans" lineno="13">
<summary>
Execute a domain transition to run mock.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mock_search_lib" lineno="31">
<summary>
Search mock lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_read_lib_files" lineno="50">
<summary>
Read mock lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_getattr_lib" lineno="71">
<summary>
Getattr on mock lib file,dir,sock_file ...
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_manage_lib_files" lineno="90">
<summary>
Create, read, write, and delete
mock lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_manage_lib_dirs" lineno="109">
<summary>
Manage mock lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_manage_lib_symlinks" lineno="128">
<summary>
Manage mock lib symlinks.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_manage_lib_chr_files" lineno="147">
<summary>
Manage mock lib character files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_dontaudit_write_lib_chr_files" lineno="166">
<summary>
Do not audit attempts to write mock lib character files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mock_dontaudit_leaks" lineno="184">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mock_run" lineno="209">
<summary>
Execute mock in the mock domain, and
allow the specified role the mock domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the mock domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mock_role" lineno="238">
<summary>
Role access for mock
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="mock_signal" lineno="269">
<summary>
Send a generic signal to mock.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mock_admin" lineno="288">
<summary>
All of the rules required to administrate
a mock environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="mock_enable_homedirs" dftval="false">
<desc>
<p>
Allow mock to read files in home directories.
</p>
</desc>
</tunable>
</module>
<module name="modemmanager" filename="policy/modules/contrib/modemmanager.if">
<summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
<interface name="modemmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run modemmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="modemmanager_systemctl" lineno="32">
<summary>
Execute modemmanager server in the modemmanager domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modemmanager_dbus_chat" lineno="58">
<summary>
Send and receive messages from
modemmanager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="modemmanager_admin" lineno="80">
<summary>
All of the rules required to administrate
a modemmanager environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mojomojo" filename="policy/modules/contrib/mojomojo.if">
<summary>MojoMojo Wiki.</summary>
<interface name="mojomojo_admin" lineno="19">
<summary>
All of the rules required to
administrate a mojomojo environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="mon_statd" filename="policy/modules/contrib/mon_statd.if">
<summary>policy for mon_statd</summary>
<interface name="mon_statd_domtrans" lineno="13">
<summary>
Execute mon_statd in the mon_statd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mon_procd_domtrans" lineno="32">
<summary>
Execute mon_procd in the mon_procd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="mongodb" filename="policy/modules/contrib/mongodb.if">
<summary>Scalable, high-performance, open source NoSQL database.</summary>
<interface name="mongodb_admin" lineno="20">
<summary>
All of the rules required to
administrate a mongodb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mono" filename="policy/modules/contrib/mono.if">
<summary>Run .NET server and client applications on Linux.</summary>
<template name="mono_role_template" lineno="30">
<summary>
The role template for the mono module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for mono applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="mono_domtrans" lineno="80">
<summary>
Execute mono in the mono domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mono_run" lineno="105">
<summary>
Execute mono in the mono domain, and
allow the specified role the mono domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mono_exec" lineno="124">
<summary>
Execute mono in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mono_rw_shm" lineno="143">
<summary>
Read and write mono shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="monop" filename="policy/modules/contrib/monop.if">
<summary>Monopoly daemon.</summary>
<interface name="monop_admin" lineno="20">
<summary>
All of the rules required to
administrate a monop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="motion" filename="policy/modules/contrib/motion.if">
<summary>Detect motion using a video4linux device</summary>
<interface name="motion_domtrans" lineno="13">
<summary>
Execute motion in the motion domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="motion_read_log" lineno="32">
<summary>
Read motion's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="motion_append_log" lineno="51">
<summary>
Append to motion log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="motion_manage_log" lineno="70">
<summary>
Manage motion log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="motion_manage_pid" lineno="91">
<summary>
Manage motion pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="motion_manage_data" lineno="110">
<summary>
Manage motion data files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="motion_systemctl" lineno="129">
<summary>
Execute motion server in the motion domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="motion_manage_all_files" lineno="154">
<summary>
Manage all motion files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="motion_admin" lineno="173">
<summary>
All of the rules required to administrate
a motion environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mozilla" filename="policy/modules/contrib/mozilla.if">
<summary>Policy for Mozilla and related web browsers</summary>
<interface name="mozilla_role" lineno="18">
<summary>
Role access for mozilla
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="mozilla_read_user_home_files" lineno="76">
<summary>
Read mozilla home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_write_user_home_files" lineno="97">
<summary>
Write mozilla home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_dontaudit_rw_user_home_files" lineno="116">
<summary>
Dontaudit attempts to read/write mozilla home directory content
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_dontaudit_manage_user_home_files" lineno="134">
<summary>
Dontaudit attempts to write mozilla home directory content
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_exec_user_home_files" lineno="153">
<summary>
Execute mozilla home directory content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_execmod_user_home_files" lineno="171">
<summary>
Execmod mozilla home directory content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans" lineno="189">
<summary>
Run mozilla in the mozilla domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans_spec" lineno="212">
<summary>
Execute a mozilla_exec_t in the specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="mozilla_domtrans_plugin" lineno="231">
<summary>
Execute a domain transition to run mozilla_plugin.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_nnp_domtrans_plugin" lineno="280">
<summary>
Allow caller to transition to mozilla_plugin_t with NoNewPrivileges
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_run_plugin" lineno="304">
<summary>
Execute mozilla_plugin in the mozilla_plugin domain, and
allow the specified role the mozilla_plugin domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the mozilla_plugin domain.
</summary>
</param>
</interface>
<interface name="mozilla_role_plugin" lineno="334">
<summary>
Allow the specified role the mozilla_plugin domain.
</summary>
<param name="role">
<summary>
The role to allow the mozilla_plugin domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mozilla_dbus_chat" lineno="354">
<summary>
Send and receive messages from
mozilla over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_rw_tcp_sockets" lineno="374">
<summary>
read/write mozilla per user tcp_socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_read_tmpfs_files" lineno="392">
<summary>
Read mozilla_plugin tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="mozilla_plugin_rw_tmpfs_files" lineno="410">
<summary>
Read/Write mozilla_plugin tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="mozilla_plugin_delete_tmpfs_files" lineno="428">
<summary>
Delete mozilla_plugin tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="mozilla_plugin_dontaudit_rw_sem" lineno="446">
<summary>
Dontaudit generic ipc read/write to a mozilla_plugin
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_rw_sem" lineno="464">
<summary>
Allow generic ipc read/write to a mozilla_plugin
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_dontaudit_leaks" lineno="482">
<summary>
Dontaudit read/write to a mozilla_plugin leaks
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_dontaudit_rw_tmp_files" lineno="500">
<summary>
Dontaudit read/write to mozilla_plugin tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_rw_tmp_files" lineno="518">
<summary>
Allow read/write to mozilla_plugin tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_manage_rw_files" lineno="537">
<summary>
Create, read, write, and delete
mozilla_plugin rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_read_rw_files" lineno="556">
<summary>
read mozilla_plugin rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_filetrans_home_content" lineno="575">
<summary>
Create mozilla content in the user home directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mozilla_plugin_read_state" lineno="622">
<summary>
Allow the domain to read mozilla_plugin state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="mozilla_plugin_can_network_connect" dftval="true">
<desc>
<p>
Allow mozilla plugin domain to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="mozilla_plugin_bind_unreserved_ports" dftval="false">
<desc>
<p>
Allow mozilla plugin domain to bind unreserved tcp/udp ports.
</p>
</desc>
</tunable>
<tunable name="mozilla_plugin_use_spice" dftval="false">
<desc>
<p>
Allow mozilla plugin to support spice protocols.
</p>
</desc>
</tunable>
<tunable name="mozilla_plugin_use_gps" dftval="false">
<desc>
<p>
Allow mozilla plugin to support GPS.
</p>
</desc>
</tunable>
<tunable name="mozilla_plugin_use_bluejeans" dftval="false">
<desc>
<p>
Allow mozilla plugin to use Bluejeans.
</p>
</desc>
</tunable>
<tunable name="mozilla_read_content" dftval="false">
<desc>
<p>
Allow confined web browsers to read home directory content
</p>
</desc>
</tunable>
</module>
<module name="mpd" filename="policy/modules/contrib/mpd.if">
<summary>Music Player Daemon.</summary>
<template name="mpd_role" lineno="18">
<summary>
Role access for mpd.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="mpd_domtrans" lineno="32">
<summary>
Execute a domain transition to run mpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mpd_initrc_domtrans" lineno="51">
<summary>
Execute mpd server in the mpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mpd_read_data_files" lineno="69">
<summary>
Read mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_data_files" lineno="89">
<summary>
Create, read, write, and delete
mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_user_data_content" lineno="109">
<summary>
Create, read, write, and delete
mpd user data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_relabel_user_data_content" lineno="130">
<summary>
Relabel mpd user data content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_home_filetrans_user_data" lineno="162">
<summary>
Create objects in user home
directories with the mpd user data type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mpd_read_tmpfs_files" lineno="180">
<summary>
Read mpd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_tmpfs_files" lineno="200">
<summary>
Create, read, write, and delete
mpd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_search_lib" lineno="220">
<summary>
Search mpd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_read_lib_files" lineno="239">
<summary>
Read mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_files" lineno="259">
<summary>
Create, read, write, and delete
mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_var_lib_filetrans" lineno="294">
<summary>
Create specified objects in mpd
lib directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_dirs" lineno="314">
<summary>
Create, read, write, and delete
mpd lib dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_stream_connect" lineno="333">
<summary>
Connect to mpd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_admin" lineno="359">
<summary>
All of the rules required to
administrate an mpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mpd_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether mpd can traverse
user home directories.
</p>
</desc>
</tunable>
<tunable name="mpd_use_cifs" dftval="false">
<desc>
<p>
Determine whether mpd can use
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="mpd_use_nfs" dftval="false">
<desc>
<p>
Determine whether mpd can use
nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="mplayer" filename="policy/modules/contrib/mplayer.if">
<summary>Mplayer media player and encoder.</summary>
<interface name="mplayer_role" lineno="18">
<summary>
Role access for mplayer
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="mplayer_domtrans" lineno="65">
<summary>
Run mplayer in mplayer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mplayer_exec" lineno="85">
<summary>
Execute mplayer in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_read_user_home_files" lineno="104">
<summary>
Read mplayer user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_manage_generic_home_content" lineno="124">
<summary>
Create, read, write, and delete
generic mplayer home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mplayer_home_filetrans_mplayer_home" lineno="157">
<summary>
Create specified objects in user home
directories with the generic mplayer
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mplayer_filetrans_home_content" lineno="177">
<summary>
Create specified objects in user home
directories with the generic mplayer
home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="mplayer_execstack" dftval="false">
<desc>
<p>
Determine whether mplayer can make
its stack executable.
</p>
</desc>
</tunable>
</module>
<module name="mptcpd" filename="policy/modules/contrib/mptcpd.if">
<summary>policy for mptcpd</summary>
<interface name="mptcpd_domtrans" lineno="13">
<summary>
Execute mptcpd_exec_t in the mptcpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mptcpd_exec" lineno="32">
<summary>
Execute mptcpd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mrtg" filename="policy/modules/contrib/mrtg.if">
<summary>Network traffic graphing.</summary>
<interface name="mrtg_read_lib_files" lineno="13">
<summary>
Read mrtg lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mrtg_append_create_logs" lineno="32">
<summary>
Create and append mrtg log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mrtg_admin" lineno="59">
<summary>
All of the rules required to
administrate an mrtg environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mta" filename="policy/modules/contrib/mta.if">
<summary>Policy common to all email transfer agents.</summary>
<interface name="mta_stub" lineno="13">
<summary>
MTA stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="mta_base_mail_template" lineno="42">
<summary>
Basic mail transfer agent domain template.
</summary>
<desc>
<p>
This template creates a derived domain which is
an email transfer agent, which sends mail on
behalf of the user.
</p>
<p>
This is the basic types and rules, common
to the system agent and user agents.
</p>
</desc>
<param name="domain_prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<rolecap/>
</template>
<interface name="mta_role" lineno="92">
<summary>
Role access for mta
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="mta_mailserver" lineno="134">
<summary>
Make the specified domain usable for a mail server.
</summary>
<param name="type">
<summary>
Type to be used as a mail server domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="mta_agent_executable" lineno="153">
<summary>
Make the specified type a MTA executable file.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_leaks_system_mail" lineno="173">
<summary>
Dontaudit read and write of leaked file descriptors
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_system_content" lineno="192">
<summary>
Make the specified type by a system MTA.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_sendmail_mailserver" lineno="225">
<summary>
Modified mailserver interface for
sendmail daemon use.
</summary>
<desc>
<p>
A modified MTA mail server interface for
the sendmail program.  Its design does
not fit well with policy, and using the
regular interface causes a type_transition
conflict if direct running of init scripts
is enabled.
</p>
<p>
This interface should most likely only be used
by the sendmail policy.
</p>
</desc>
<param name="domain">
<summary>
The type to be used for the mail server.
</summary>
</param>
</interface>
<interface name="mta_mailserver_sender" lineno="246">
<summary>
Make a type a mailserver type used
for sending mail.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_delivery" lineno="265">
<summary>
Make a type a mailserver type used
for delivering mail to local users.
</summary>
<param name="domain">
<summary>
Mail server domain type used for delivering mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_user_agent" lineno="294">
<summary>
Make a type a mailserver type used
for sending mail on behalf of local
users to the local mail spool.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending local mail.
</summary>
</param>
</interface>
<interface name="mta_send_mail" lineno="318">
<summary>
Send mail from the system.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mta_sendmail_domtrans" lineno="360">
<summary>
Execute send mail in a specified domain.
</summary>
<desc>
<p>
Execute send mail in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="mta_signal_system_mail" lineno="387">
<summary>
Send system mail client a signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_role_access_system_mail" lineno="405">
<summary>
Allow role to access system_mail_t.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="mta_signal_user_agent" lineno="423">
<summary>
Send all user mail client a signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_kill_user_agent" lineno="441">
<summary>
Send all user mail client a kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_kill_system_mail" lineno="459">
<summary>
Send system mail client a kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_sendmail_exec" lineno="477">
<summary>
Execute sendmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_sendmail_access_check" lineno="496">
<summary>
Check whether sendmail executable
files are executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_config" lineno="516">
<summary>
Read mail server configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_write_config" lineno="538">
<summary>
write mail server configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_manage_config" lineno="557">
<summary>
Manage mail server configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_read_aliases" lineno="575">
<summary>
Read mail address aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_map_aliases" lineno="595">
<summary>
Mmap mail address aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_aliases" lineno="613">
<summary>
Create, read, write, and delete mail address aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_etc_filetrans_aliases" lineno="640">
<summary>
Type transition files created in /etc
to the mail address aliases type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_rw_aliases" lineno="659">
<summary>
Read and write mail aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="679">
<summary>
Do not audit attempts to read and write TCP
sockets of mail delivery domains.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_rw_delivery_tcp_sockets" lineno="698">
<summary>
Allow attempts to read and write TCP
sockets of mail delivery domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_tcp_connect_all_mailservers" lineno="716">
<summary>
Connect to all mail servers over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_read_spool_symlinks" lineno="731">
<summary>
Do not audit attempts to read a symlink
in the mail spool.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_getattr_spool" lineno="749">
<summary>
Get the attributes of mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_getattr_spool_files" lineno="771">
<summary>
Do not audit attempts to get the attributes
of mail spool files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_spool_filetrans" lineno="808">
<summary>
Create private objects in the
mail spool directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_read_spool" lineno="827">
<summary>
Read the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_spool" lineno="846">
<summary>
Read and write the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_append_spool" lineno="868">
<summary>
Create, read, and write the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_delete_spool" lineno="890">
<summary>
Delete from the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_spool" lineno="909">
<summary>
Create, read, write, and delete mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_search_queue" lineno="931">
<summary>
Search mail queue dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_list_queue" lineno="950">
<summary>
List the mail queue.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_queue" lineno="969">
<summary>
Read the mail queue.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_rw_queue" lineno="989">
<summary>
Do not audit attempts to read and
write the mail queue.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_manage_queue" lineno="1009">
<summary>
Create, read, write, and delete
mail queue files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_spool_filetrans_queue" lineno="1045">
<summary>
Create private objects in the
mqueue spool directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="mta_read_sendmail_bin" lineno="1065">
<summary>
Read sendmail binary.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_user_mail_stream_sockets" lineno="1084">
<summary>
Read and write unix domain stream sockets
of user mail domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_filetrans_aliases" lineno="1108">
<summary>
Type transition files created in calling dir
to the mail address aliases type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="domain">
<summary>
Directory to transition on.
</summary>
</param>
</interface>
<interface name="mta_append_home" lineno="1126">
<summary>
Allow domain to append mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_home" lineno="1149">
<summary>
Allow domain to read mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_mmap_home_rw" lineno="1172">
<summary>
Allow domain to mmap mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_home_rw" lineno="1190">
<summary>
Allow domain to read mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_home_rw" lineno="1215">
<summary>
Allow domain to manage mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_filetrans_admin_home_content" lineno="1244">
<summary>
Create mail content in the /root directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_filetrans_home_content" lineno="1270">
<summary>
Transition to mta named home content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_filetrans_named_content" lineno="1296">
<summary>
Transition to mta named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="munin" filename="policy/modules/contrib/munin.if">
<summary>Munin network-wide load graphing (formerly LRRD)</summary>
<template name="munin_plugin_template" lineno="14">
<summary>
Create a set of derived types for various
munin plugins,
</summary>
<param name="prefix">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="munin_stream_connect" lineno="62">
<summary>
Connect to munin over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_read_config" lineno="82">
<summary>
Read munin configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_read_var_lib_files" lineno="103">
<summary>
Read munin library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_manage_var_lib_files" lineno="123">
<summary>
Manage munin library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_append_var_lib_files" lineno="143">
<summary>
Append munin library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_dontaudit_leaks" lineno="163">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="munin_append_log" lineno="182">
<summary>
Append to the munin log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_search_lib" lineno="202">
<summary>
Search munin library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_dontaudit_search_lib" lineno="222">
<summary>
Do not audit attempts to search
munin library directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="munin_admin" lineno="247">
<summary>
All of the rules required to administrate
a munin environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the munin domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mysql" filename="policy/modules/contrib/mysql.if">
<summary>Policy for MySQL</summary>
<interface name="mysql_domtrans" lineno="13">
<summary>
Execute MySQL in the mysql domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mysql_exec" lineno="31">
<summary>
Execute MySQL in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_signal" lineno="49">
<summary>
Send a generic signal to MySQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_signull" lineno="67">
<summary>
Send a null signal to mysql.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_tcp_connect" lineno="85">
<summary>
Allow the specified domain to connect to MySQL with a tcp socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_stream_connect" lineno="107">
<summary>
Connect to MySQL using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_read_config" lineno="128">
<summary>
Read MySQL configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_search_db" lineno="151">
<summary>
Search the directories that contain MySQL
database storage.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_list_db" lineno="171">
<summary>
List the directories that contain MySQL
database storage.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_dirs" lineno="190">
<summary>
Read and write to the MySQL database directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_dirs" lineno="209">
<summary>
Create, read, write, and delete MySQL database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_append_db_files" lineno="228">
<summary>
Append to MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_read_db_lnk_files" lineno="246">
<summary>
Read MySQL database symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_files" lineno="265">
<summary>
Read and write MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_files" lineno="284">
<summary>
Create, read, write, and delete MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_sockets" lineno="304">
<summary>
Read and write to the MySQL database
named socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_append_log" lineno="324">
<summary>
Allow the specified domain to append to MySQL log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_dontaudit_append_log" lineno="344">
<summary>
Do not audit attempts to append to the MySQL logs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mysql_read_log" lineno="363">
<summary>
Allow the specified domain to read MySQL log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_dontaudit_read_log" lineno="385">
<summary>
Do not audit attempts to read MySQL log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_write_log" lineno="404">
<summary>
Write to the MySQL log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_dontaudit_write_log" lineno="424">
<summary>
Do not audit attempts to write to the MySQL log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_dontaudit_rw_db" lineno="443">
<summary>
Do not audit attempts to read/write to the MySQL db files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_domtrans_mysql_safe" lineno="461">
<summary>
Execute MySQL safe script in the mysql safe domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mysql_safe_exec" lineno="479">
<summary>
Execute MySQL_safe in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_read_pid_files" lineno="497">
<summary>
Read MySQL PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_search_pid_files" lineno="517">
<summary>
Search MySQL PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>

</interface>
<interface name="mysql_systemctl" lineno="535">
<summary>
Execute mysqld server in the mysqld domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mysql_read_home_content" lineno="559">
<summary>
read mysqld homedir content (.k5login)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_filetrans_named_content" lineno="578">
<summary>
Transition to mysqld named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_admin" lineno="606">
<summary>
All of the rules required to administrate a MySQL environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the mysql domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mysql_connect_any" dftval="false">
<desc>
<p>
Allow mysqld to connect to all ports
</p>
</desc>
</tunable>
<tunable name="mysql_connect_http" dftval="false">
<desc>
<p>
Allow mysqld to connect to http port
</p>
</desc>
</tunable>
</module>
<module name="mythtv" filename="policy/modules/contrib/mythtv.if">
<summary>policy for mythtv_script</summary>
<interface name="mythtv_script_domtrans" lineno="13">
<summary>
Execute mythtv_script in the mythtv_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mythtv_read_lib" lineno="32">
<summary>
read mythtv libs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mythtv_manage_lib" lineno="52">
<summary>
Create, read, write, and delete
mythtv lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mythtv_read_log" lineno="72">
<summary>
read mythtv logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mythtv_append_log" lineno="91">
<summary>
Append mythtv log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mythtv_manage_log" lineno="111">
<summary>
Create, read, write, and delete
mythtv log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mythtv_admin" lineno="133">
<summary>
All of the rules required to
administrate a mythtv environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="naemon" filename="policy/modules/contrib/naemon.if">
<summary>New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network.</summary>
<interface name="naemon_domtrans" lineno="13">
<summary>
Execute naemon in the naemon domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="naemon_initrc_domtrans" lineno="32">
<summary>
Execute naemon server in the naemon domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_search_cache" lineno="50">
<summary>
Search naemon cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_read_cache_files" lineno="69">
<summary>
Read naemon cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_manage_cache_files" lineno="89">
<summary>
Create, read, write, and delete
naemon cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_manage_cache_dirs" lineno="108">
<summary>
Manage naemon cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_read_log" lineno="128">
<summary>
Read naemon's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="naemon_append_log" lineno="147">
<summary>
Append to naemon log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_manage_log" lineno="166">
<summary>
Manage naemon log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_search_lib" lineno="187">
<summary>
Search naemon lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_read_lib_files" lineno="206">
<summary>
Read naemon lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_manage_lib_files" lineno="225">
<summary>
Manage naemon lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_manage_lib_dirs" lineno="244">
<summary>
Manage naemon lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="naemon_admin" lineno="271">
<summary>
All of the rules required to administrate
a naemon environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nagios" filename="policy/modules/contrib/nagios.if">
<summary>Net Saint / NAGIOS - network monitoring server</summary>
<template name="nagios_plugin_template" lineno="14">
<summary>
Create a set of derived types for various
nagios plugins,
</summary>
<param name="plugins_group_name">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="nagios_domtrans_unconfined_plugins" lineno="46">
<summary>
Execute the nagios unconfined plugins with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_dontaudit_rw_pipes" lineno="66">
<summary>
Do not audit attempts to read or write nagios
unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nagios_read_config" lineno="86">
<summary>
Allow the specified domain to read
nagios configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_read_lib" lineno="105">
<summary>
Read nagios lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_read_log" lineno="125">
<summary>
Read nagios logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_dontaudit_rw_log" lineno="144">
<summary>
Do not audit attempts to read or write nagios logs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nagios_search_spool" lineno="162">
<summary>
Search nagios spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_append_spool" lineno="181">
<summary>
Append nagios spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_read_tmp_files" lineno="201">
<summary>
Allow the specified domain to read
nagios temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_rw_inerited_tmp_files" lineno="221">
<summary>
Allow the specified domain to read and write
inherited nagios temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_domtrans_nrpe" lineno="241">
<summary>
Execute the nagios NRPE with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nagios_dontaudit_write_pipes_nrpe" lineno="259">
<summary>
Do not audit attempts to write nrpe daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nagios_admin" lineno="284">
<summary>
All of the rules required to administrate
a nagios environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the nagios domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_unconfined_signull" lineno="330">
<summary>
Send a null signal to nagios_unconfined_plugin.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="nagios_run_sudo" dftval="false">
<desc>
<p>
Allow nagios/nrpe to call sudo from NRPE utils scripts.
</p>
</desc>
</tunable>
<tunable name="nagios_run_pnp4nagios" dftval="false">
<desc>
<p>
Allow nagios to run in conjunction with PNP4Nagios.
</p>
</desc>
</tunable>
<tunable name="nagios_use_nfs" dftval="false">
<desc>
<p>
Determine whether Nagios, NRPE can
access nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="namespace" filename="policy/modules/contrib/namespace.if">
<summary>policy for namespace</summary>
<interface name="namespace_init_domtrans" lineno="13">
<summary>
Execute a domain transition to run namespace_init.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="namespace_init_run" lineno="38">
<summary>
Execute namespace_init in the namespace_init domain, and
allow the specified role the namespace_init domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the namespace_init domain.
</summary>
</param>
</interface>
</module>
<module name="ncftool" filename="policy/modules/contrib/ncftool.if">
<summary>Cross-platform network configuration library.</summary>
<interface name="ncftool_domtrans" lineno="13">
<summary>
Execute a domain transition to run ncftool.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ncftool_run" lineno="39">
<summary>
Execute ncftool in the ncftool
domain, and allow the specified
role the ncftool domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="nessus" filename="policy/modules/contrib/nessus.if">
<summary>Network scanning daemon.</summary>
<interface name="nessus_tcp_connect" lineno="13">
<summary>
Connect to nessus over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nessus_admin" lineno="34">
<summary>
All of the rules required to
administrate a nessus environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="networkmanager" filename="policy/modules/contrib/networkmanager.if">
<summary>Manager for dynamically switching between networks.</summary>
<interface name="networkmanager_rw_udp_sockets" lineno="14">
<summary>
Read and write NetworkManager UDP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_packet_sockets" lineno="33">
<summary>
Read and write NetworkManager packet sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_attach_tun_iface" lineno="51">
<summary>
Allow caller to relabel tun_socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_routing_sockets" lineno="72">
<summary>
Read and write NetworkManager netlink
routing sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_pipes" lineno="90">
<summary>
Read networkmanager unnamed pipes
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_domtrans" lineno="108">
<summary>
Execute NetworkManager with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="networkmanager_initrc_domtrans" lineno="127">
<summary>
Execute NetworkManager scripts with an automatic domain transition to initrc.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="networkmanager_systemctl" lineno="145">
<summary>
Execute NetworkManager server in the NetworkManager domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="networkmanager_dbus_chat" lineno="170">
<summary>
Send and receive messages from
NetworkManager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_state" lineno="190">
<summary>
Read networkmanager process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_dontaudit_dbus_chat" lineno="212">
<summary>
Do not audit attempts to send and
receive messages from NetworkManager
over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="networkmanager_signal" lineno="232">
<summary>
Send a generic signal to NetworkManager
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_manage_lib_files" lineno="251">
<summary>
Create, read, and write
networkmanager library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_lib_files" lineno="271">
<summary>
Read networkmanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_write_rw_conf" lineno="292">
<summary>
Write NetworkManager rw conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_conf" lineno="313">
<summary>
Read NetworkManager conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_pid_files" lineno="334">
<summary>
Read NetworkManager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_manage_pid_files" lineno="354">
<summary>
Manage NetworkManager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_manage_pid_sock_files" lineno="374">
<summary>
Manage NetworkManager PID sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_watch_pid_dirs" lineno="393">
<summary>
Watch NetworkManager PID directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_pid_filetrans" lineno="428">
<summary>
Create objects in the NetworkManager PID directory
with a private type using a type_transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Private file type.
</summary>
</param>
<param name="class">
<summary>
Object classes to be created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="networkmanager_stream_connect" lineno="447">
<summary>
Connect to networkmanager over
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_delete_pid_files" lineno="466">
<summary>
Delete NetworkManager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_run" lineno="492">
<summary>
Execute NetworkManager in the NetworkManager domain, and
allow the specified role the NetworkManager domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="networkmanager_append_log" lineno="512">
<summary>
Allow the specified domain to append
to Network Manager log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_manage_lib" lineno="535">
<summary>
Allow the specified domain to manage
Network Manager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="NetworkManager_read_state" lineno="555">
<summary>
Read the process state (/proc/pid) of NetworkManager.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_dgram_send" lineno="575">
<summary>
Send to NetworkManager with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_sigchld" lineno="595">
<summary>
Send sigchld to networkmanager.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_signull" lineno="614">
<summary>
Send signull to networkmanager.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_sigkill" lineno="633">
<summary>
Send sigkill to networkmanager.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_filetrans_named_content" lineno="651">
<summary>
Transition to networkmanager named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="networkmanager_dispatcher_plugin_template" lineno="695">
<summary>
Create a set of derived types for various
NetworkManager-dispatcher plugins
</summary>
<param name="prefix">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
</module>
<module name="ninfod" filename="policy/modules/contrib/ninfod.if">
<summary>Respond to IPv6 Node Information Queries</summary>
<interface name="ninfod_domtrans" lineno="13">
<summary>
Execute ninfod in the ninfod domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ninfod_systemctl" lineno="31">
<summary>
Execute ninfod server in the ninfod domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ninfod_admin" lineno="59">
<summary>
All of the rules required to administrate
a ninfod environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nis" filename="policy/modules/contrib/nis.if">
<summary>Policy for NIS (YP) servers and clients</summary>
<interface name="nis_use_ypbind_uncond" lineno="26">
<summary>
Use the ypbind service to access NIS services
unconditionally.
</summary>
<desc>
<p>
Use the ypbind service to access NIS services
unconditionally.
</p>
<p>
This interface was added because of apache and
spamassassin, to fix a nested conditionals problem.
When that support is added, this should be removed,
and the regular interface should be used.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_use_ypbind" lineno="84">
<summary>
Use the ypbind service to access NIS services.
</summary>
<desc>
<p>
Allow the specified domain to use the ypbind service
to access Network Information Service (NIS) services.
Information that can be retrieved from NIS includes
usernames, passwords, home directories, and groups.
If the network is configured to have a single sign-on
using NIS, it is likely that any program that does
authentication will need this access.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
<rolecap/>
</interface>
<interface name="nis_authenticate" lineno="101">
<summary>
Use NIS to authenticate passwords.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_domtrans_ypbind" lineno="119">
<summary>
Execute ypbind in the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_exec_ypbind" lineno="138">
<summary>
Execute ypbind in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_run_ypbind" lineno="163">
<summary>
Execute ypbind in the ypbind domain, and
allow the specified role the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_signal_ypbind" lineno="182">
<summary>
Send generic signals to ypbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_list_var_yp" lineno="200">
<summary>
List the contents of the NIS data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_udp_send_ypbind" lineno="219">
<summary>
Send UDP network traffic to NIS clients.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_tcp_connect_ypbind" lineno="233">
<summary>
Connect to ypbind over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypbind_pid" lineno="247">
<summary>
Read ypbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_delete_ypbind_pid" lineno="266">
<summary>
Delete ypbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypserv_config" lineno="285">
<summary>
Read ypserv configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_domtrans_ypxfr" lineno="304">
<summary>
Execute ypxfr in the ypxfr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans" lineno="324">
<summary>
Execute nis server in the nis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans_ypbind" lineno="342">
<summary>
Execute nis server in the nis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_systemctl_ypbind" lineno="360">
<summary>
Execute ypbind server in the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_systemctl" lineno="384">
<summary>
Execute ypbind server in the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nis_admin" lineno="418">
<summary>
All of the rules required to administrate
an nis environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nova" filename="policy/modules/contrib/nova.if">
<summary>openstack-nova</summary>
<interface name="nova_manage_lib_files" lineno="13">
<summary>
Manage nova lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="nova_domain_template" lineno="33">
<summary>
Creates types and rules for a basic
openstack-nova systemd daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
</module>
<module name="nscd" filename="policy/modules/contrib/nscd.if">
<summary>Name service cache daemon</summary>
<interface name="nscd_signal" lineno="13">
<summary>
Send generic signals to NSCD.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_kill" lineno="31">
<summary>
Send NSCD the kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_signull" lineno="49">
<summary>
Send signulls to NSCD.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_domtrans" lineno="67">
<summary>
Execute NSCD in the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_exec" lineno="87">
<summary>
Allow the specified domain to execute nscd
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_socket_use" lineno="106">
<summary>
Use NSCD services by connecting using
a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_use" lineno="135">
<summary>
Use nscd services
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_write_sock_file" lineno="152">
<summary>
Do not audit attempts to write nscd sock files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nscd_shm_use" lineno="174">
<summary>
Use NSCD services by mapping the database from
an inherited NSCD file descriptor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_search_pid" lineno="209">
<summary>
Do not audit attempts to search the NSCD pid directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_read_pid" lineno="227">
<summary>
Do not audit attempts to read the NSCD pid directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nscd_read_pid" lineno="245">
<summary>
Read NSCD pid file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_unconfined" lineno="264">
<summary>
Unconfined access to NSCD services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_run" lineno="290">
<summary>
Execute nscd in the nscd domain, and
allow the specified role the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nscd_initrc_domtrans" lineno="309">
<summary>
Execute the nscd server init script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_systemctl" lineno="327">
<summary>
Execute nscd server in the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_shutdown" lineno="351">
<summary>
Allow the specified domain to shut down nscd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nscd_admin" lineno="377">
<summary>
All of the rules required to administrate
an nscd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the nscd domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="nscd_use_shm" dftval="false">
<desc>
<p>
Allow confined applications to use nscd shared memory.
</p>
</desc>
</tunable>
</module>
<module name="nsd" filename="policy/modules/contrib/nsd.if">
<summary>Authoritative only name server</summary>
<interface name="nsd_read_pid" lineno="13">
<summary>
Read NSD pid file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nsd_udp_chat" lineno="32">
<summary>
Send and receive datagrams from NSD.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nsd_tcp_connect" lineno="46">
<summary>
Connect to NSD over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nslcd" filename="policy/modules/contrib/nslcd.if">
<summary>nslcd - local LDAP name service daemon.</summary>
<interface name="nslcd_domtrans" lineno="13">
<summary>
Execute a domain transition to run nslcd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nslcd_initrc_domtrans" lineno="31">
<summary>
Execute nslcd server in the nslcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nslcd_read_pid_files" lineno="49">
<summary>
Read nslcd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_dontaudit_write_ock_file" lineno="68">
<summary>
Do not audit attempts to write to nslcd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_stream_connect" lineno="86">
<summary>
Connect to nslcd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_dontaudit_write_sock_file" lineno="105">
<summary>
Do not audit attempts to write nslcd sock files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nslcd_admin" lineno="131">
<summary>
All of the rules required to administrate
an nslcd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntop" filename="policy/modules/contrib/ntop.if">
<summary>A network traffic probe similar to the UNIX top command.</summary>
<interface name="ntop_admin" lineno="20">
<summary>
All of the rules required to
administrate an ntop environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntp" filename="policy/modules/contrib/ntp.if">
<summary>Network time protocol daemon</summary>
<interface name="ntp_stub" lineno="13">
<summary>
NTP stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_domtrans" lineno="29">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_exec" lineno="48">
<summary>
Execute ntp server in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_run" lineno="74">
<summary>
Execute ntp in the ntp domain, and
allow the specified role the ntp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ntp_domtrans_ntpdate" lineno="93">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_initrc_domtrans" lineno="112">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_read_unit_file" lineno="130">
<summary>
Allow domain to read ntpd systemd unit files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_systemctl" lineno="149">
<summary>
Execute ntpd server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntp_signal" lineno="173">
<summary>
Send a generic signal to ntpd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_read_drift_files" lineno="191">
<summary>
Read ntp drift files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_rw_shm" lineno="210">
<summary>
Read and write ntpd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_read_state" lineno="232">
<summary>
Allow the domain to read ntpd state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_admin" lineno="258">
<summary>
All of the rules required to administrate
an ntp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ntp domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ntp_filetrans_named_content" lineno="309">
<summary>
Transition content labels to ntp named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_manage_log" lineno="331">
<summary>
Create, read, write, and delete
ntp log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="numad" filename="policy/modules/contrib/numad.if">
<summary>policy for numad</summary>
<interface name="numad_domtrans" lineno="13">
<summary>
Transition to numad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="numad_systemctl" lineno="31">
<summary>
Execute numad server in the numad domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="numad_dbus_chat" lineno="57">
<summary>
Send and receive messages from
numad over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="numad_admin" lineno="78">
<summary>
All of the rules required to administrate
an numad environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nut" filename="policy/modules/contrib/nut.if">
<summary>nut - Network UPS Tools </summary>
<template name="nut_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
Network UPS Tools systemd daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="nut_systemctl" lineno="48">
<summary>
Execute nut server in the nut domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="nvme_stas" filename="policy/modules/contrib/nvme_stas.if">
<summary>policy for nvme_stas</summary>
<interface name="nvme_stas_domtrans" lineno="13">
<summary>
Execute nvme_stas_exec_t in the nvme_stas domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nvme_stas_exec" lineno="32">
<summary>
Execute nvme_stas in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nvme_stas_dbus_chat" lineno="52">
<summary>
Send and receive messages from
nvme_stas over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nx" filename="policy/modules/contrib/nx.if">
<summary>NX remote desktop.</summary>
<interface name="nx_spec_domtrans_server" lineno="13">
<summary>
Transition to nx server.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nx_read_home_files" lineno="32">
<summary>
Read nx home directory content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_search_var_lib" lineno="53">
<summary>
Search nx lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_var_lib_filetrans" lineno="88">
<summary>
Create specified objects in nx lib
directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="nx_filetrans_named_content" lineno="106">
<summary>
Transition to nx named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="oav" filename="policy/modules/contrib/oav.if">
<summary>Open AntiVirus scannerdaemon and signature update.</summary>
<interface name="oav_domtrans_update" lineno="13">
<summary>
Execute oav_update in the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oav_run_update" lineno="40">
<summary>
Execute oav_update in the oav update
domain, and allow the specified role
the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="obex" filename="policy/modules/contrib/obex.if">
<summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
<interface name="obex_domtrans" lineno="13">
<summary>
Transition to obex.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="obex_dbus_chat" lineno="33">
<summary>
Send and receive messages from
obex over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="obex_role" lineno="64">
<summary>
Role access for obex domains
that executes via dbus-session
</summary>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
<param name="domain_prefix">
<summary>
User domain prefix to be used.
</summary>
</param>
</template>
</module>
<module name="oddjob" filename="policy/modules/contrib/oddjob.if">
<summary>
Oddjob provides a mechanism by which unprivileged applications can
request that specified privileged operations be performed on their
behalf.
</summary>
<interface name="oddjob_domtrans" lineno="17">
<summary>
Execute a domain transition to run oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_dontaudit_rw_fifo_file" lineno="36">
<summary>
Do not audit attempts to read and write
oddjob fifo file.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="oddjob_system_entry" lineno="60">
<summary>
Make the specified program domain accessible
from oddjob.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="oddjob_dbus_chat" lineno="80">
<summary>
Send and receive messages from
oddjob over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oddjob_sigchld" lineno="100">
<summary>
Send a SIGCHLD signal to oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oddjob_domtrans_mkhomedir" lineno="118">
<summary>
Execute a domain transition to run oddjob_mkhomedir.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_run_mkhomedir" lineno="142">
<summary>
Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="oddjob_run" lineno="167">
<summary>
Execute the oddjob program in the oddjob domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="oddjob_systemctl" lineno="186">
<summary>
Execute oddjob in the oddjob domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_ranged_domain" lineno="221">
<summary>
Create a domain which can be started by init,
with a range transition.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
</interface>
<interface name="oddjob_mkhomedir_entrypoint" lineno="249">
<summary>
Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="oident" filename="policy/modules/contrib/oident.if">
<summary>An ident daemon with IP masq/NAT support and the ability to specify responses.</summary>
<interface name="oident_role" lineno="18">
<summary>
Role access for oident.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="oident_read_user_content" lineno="32">
<summary>
Read oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_manage_user_content" lineno="52">
<summary>
Create, read, write, and delete
oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_relabel_user_content" lineno="71">
<summary>
Relabel oidentd user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_home_filetrans_oidentd_home" lineno="101">
<summary>
Create objects in user home
directories with the oidentd home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="oident_admin" lineno="126">
<summary>
All of the rules required to
administrate an oident environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="opafm" filename="policy/modules/contrib/opafm.if">
<summary>Policy for opafm</summary>
</module>
<module name="openca" filename="policy/modules/contrib/openca.if">
<summary>Open Certificate Authority.</summary>
<interface name="openca_domtrans" lineno="14">
<summary>
Execute the openca with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openca_signal" lineno="34">
<summary>
Send generic signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_sigstop" lineno="52">
<summary>
Send stop signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_kill" lineno="70">
<summary>
Send kill signals to openca.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openct" filename="policy/modules/contrib/openct.if">
<summary>Service for handling smart card readers.</summary>
<interface name="openct_signull" lineno="13">
<summary>
Send null signals to openct.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_exec" lineno="31">
<summary>
Execute openct in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_domtrans" lineno="50">
<summary>
Execute a domain transition to run openct.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openct_read_pid_files" lineno="69">
<summary>
Read openct pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_stream_connect" lineno="89">
<summary>
Connect to openct over an unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_admin" lineno="115">
<summary>
All of the rules required to
administrate an openct environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="opendnssec" filename="policy/modules/contrib/opendnssec.if">
<summary>policy for opendnssec</summary>
<interface name="opendnssec_domtrans" lineno="13">
<summary>
Execute opendnssec_exec_t in the opendnssec domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="opendnssec_exec" lineno="32">
<summary>
Execute opendnssec in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opendnssec_read_config" lineno="52">
<summary>
Read the opendnssec configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="opendnssec_manage_config" lineno="73">
<summary>
Manage the opendnssec configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="opendnssec_manage_var_files" lineno="94">
<summary>
Allow the specified domain to
read and write opendnssec /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opendnssec_read_pid_files" lineno="114">
<summary>
Read opendnssec PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opendnssec_systemctl" lineno="133">
<summary>
Execute opendnssec server in the opendnssec domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="opendnssec_admin" lineno="165">
<summary>
All of the rules required to administrate
an opendnssec environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="opendnssec_filetrans_etc_content" lineno="201">
<summary>
Transition to opendnssec named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opendnssec_stream_connect" lineno="220">
<summary>
Connect to opendnssec over an unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openfortivpn" filename="policy/modules/contrib/openfortivpn.if">
<summary>Fortinet compatible SSL VPN daemons.</summary>
<interface name="openfortivpn_domtrans" lineno="13">
<summary>
Transition to openfortivpn.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openfortivpn_signal" lineno="32">
<summary>
Allow sending a signal to openfortivpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openfortivpn_signull" lineno="50">
<summary>
Allow sending signull to openfortivpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openfortivpn_sigkill" lineno="68">
<summary>
Allow sending sigkill to openfortivpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openfortivpn_dbus_chat" lineno="87">
<summary>
Send and receive messages from
openfortivpn over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openfortivpn_use_ptys" lineno="107">
<summary>
Read from and write to the openfortivpn devpts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="openfortivpn_can_network_connect" dftval="true">
<desc>
<p>
Determine whether openfortivpn can
connect to the TCP network.
</p>
</desc>
</tunable>
</module>
<module name="openhpid" filename="policy/modules/contrib/openhpid.if">
<summary>policy for openhpid</summary>
<interface name="openhpid_domtrans" lineno="14">
<summary>
Transition to openhpid.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openhpid_initrc_domtrans" lineno="34">
<summary>
Execute openhpid server in the openhpid domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_search_lib" lineno="53">
<summary>
Search openhpid lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_read_lib_files" lineno="72">
<summary>
Read openhpid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_manage_lib_files" lineno="91">
<summary>
Manage openhpid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_manage_lib_dirs" lineno="110">
<summary>
Manage openhpid lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_admin" lineno="137">
<summary>
All of the rules required to administrate
an openhpid environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openshift-origin" filename="policy/modules/contrib/openshift-origin.if">
<summary></summary>
</module>
<module name="openshift" filename="policy/modules/contrib/openshift.if">
<summary> policy for openshift </summary>
<interface name="openshift_initrc_domtrans" lineno="13">
<summary>
Execute openshift server in the openshift domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="openshift_initrc_run" lineno="37">
<summary>
Execute openshift server in the openshift domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
Role access to this domain.
</summary>
</param>
</interface>
<interface name="openshift_initrc_signull" lineno="57">
<summary>
Send a null signal to openshift init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_initrc_signal" lineno="75">
<summary>
Send a signal to openshift init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_search_cache" lineno="93">
<summary>
Search openshift cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_cache_files" lineno="107">
<summary>
Read openshift cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_cache_files" lineno="122">
<summary>
Create, read, write, and delete
openshift cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_cache_dirs" lineno="137">
<summary>
Create, read, write, and delete
openshift cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_log" lineno="153">
<summary>
Allow the specified domain to read openshift's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_append_log" lineno="173">
<summary>
Allow the specified domain to append
openshift log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_log" lineno="192">
<summary>
Allow domain to manage openshift log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_search_lib" lineno="213">
<summary>
Search openshift lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_getattr_lib" lineno="233">
<summary>
Getattr openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_lib_files" lineno="252">
<summary>
Read openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_append_lib_files" lineno="272">
<summary>
Append to openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_lib_files" lineno="292">
<summary>
Create, read, write, and delete
openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_lib_dirs" lineno="313">
<summary>
Create, read, write, and delete
openshift lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_content" lineno="332">
<summary>
Manage openshift lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_relabelfrom_lib" lineno="354">
<summary>
Relabel openshift library files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_lib_filetrans" lineno="390">
<summary>
Create private objects in the
openshift lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="openshift_read_pid_files" lineno="409">
<summary>
Read openshift PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_admin" lineno="435">
<summary>
All of the rules required to administrate
an openshift environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<template name="openshift_service_domain_template" lineno="477">
<summary>
Make the specified type usable as an openshift domain.
</summary>
<param name="openshiftdomain_prefix">
<summary>
The prefix of the domain (e.g., openshift
is the prefix for openshift_t).
</summary>
</param>
</template>
<interface name="openshift_net_type" lineno="523">
<summary>
Make the specified type usable as an openshift domain.
</summary>
<param name="type">
<summary>
Type to be used as an openshift domain type.
</summary>
</param>
</interface>
<interface name="openshift_rw_inherited_content" lineno="541">
<summary>
Read and write inherited openshift files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_tmp_files" lineno="559">
<summary>
Manage openshift tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_tmp_sockets" lineno="577">
<summary>
Manage openshift tmp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_mounton_tmp" lineno="595">
<summary>
Mounton openshift tmp directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_dontaudit_rw_inherited_fifo_files" lineno="613">
<summary>
Do not audit attempts to read and write inherited script fifo files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="openshift_transition" lineno="634">
<summary>
Allow calling app to transition to an openshift domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_dyntransition" lineno="658">
<summary>
Allow calling app to dynamically transition to an openshift domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_run" lineno="688">
<summary>
Execute openshift in the openshift domain, and
allow the specified role the openshift domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="openshift_use_nfs" dftval="false">
<desc>
<p>
Allow openshift to access nfs file systems without labels
</p>
</desc>
</tunable>
</module>
<module name="opensm" filename="policy/modules/contrib/opensm.if">
<summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>
<interface name="opensm_domtrans" lineno="13">
<summary>
Execute opensm in the opensm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="opensm_search_cache" lineno="32">
<summary>
Search opensm cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_read_cache_files" lineno="51">
<summary>
Read opensm cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_manage_cache_files" lineno="71">
<summary>
Create, read, write, and delete
opensm cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_manage_cache_dirs" lineno="90">
<summary>
Manage opensm cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_read_log" lineno="109">
<summary>
Read opensm's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_append_log" lineno="128">
<summary>
Append to opensm log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_manage_log" lineno="147">
<summary>
Manage opensm log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="opensm_systemctl" lineno="167">
<summary>
Execute opensm server in the opensm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="opensm_admin" lineno="195">
<summary>
All of the rules required to administrate
an opensm environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openvpn" filename="policy/modules/contrib/openvpn.if">
<summary>full-featured SSL VPN solution.</summary>
<interface name="openvpn_domtrans" lineno="14">
<summary>
Execute openvpn clients in the
openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvpn_exec" lineno="34">
<summary>
Execute openvpn clients in the
caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_run" lineno="60">
<summary>
Execute openvpn clients in the
openvpn domain, and allow the
specified role the openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_kill" lineno="79">
<summary>
Send kill signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signal" lineno="97">
<summary>
Send generic signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signull" lineno="115">
<summary>
Send null signals to openvpn.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_read_config" lineno="134">
<summary>
Read openvpn configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_stream_connect" lineno="156">
<summary>
Connect to openvpn over
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_search_lib" lineno="175">
<summary>
Search openvpn lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_noatsecure" lineno="194">
<summary>
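Read and write to sopenvpn_image devices.
<!-- NOTE(review): this summary looks copied from another interface and does not match the name openvpn_noatsecure; the name suggests the rule concerns the noatsecure process permission toward openvpn. Confirm against openvpn.if before relying on it. -->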
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_admin" lineno="219">
<summary>
All of the rules required to
administrate an openvpn environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="openvpn_run_unconfined" dftval="false">
<desc>
<p>
Allow openvpn to run unconfined scripts
</p>
</desc>
</tunable>
<tunable name="openvpn_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether openvpn can
read generic user home content files.
</p>
</desc>
</tunable>
<tunable name="openvpn_can_network_connect" dftval="true">
<desc>
<p>
Determine whether openvpn can
connect to the TCP network.
</p>
</desc>
</tunable>
</module>
<module name="openvswitch" filename="policy/modules/contrib/openvswitch.if">
<summary>policy for openvswitch</summary>
<interface name="openvswitch_domtrans" lineno="13">
<summary>
Execute openvswitch in the openvswitch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvswitch_read_log" lineno="32">
<summary>
Read openvswitch's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvswitch_append_log" lineno="51">
<summary>
Append to openvswitch log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_manage_log" lineno="70">
<summary>
Manage openvswitch log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_search_lib" lineno="91">
<summary>
Search openvswitch lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_read_lib_files" lineno="110">
<summary>
Read openvswitch lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_manage_lib_files" lineno="129">
<summary>
Manage openvswitch lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_manage_lib_dirs" lineno="148">
<summary>
Manage openvswitch lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_read_pid_files" lineno="167">
<summary>
Read openvswitch PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_stream_connect" lineno="187">
<summary>
Allow stream connect to openvswitch.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_systemctl" lineno="206">
<summary>
Execute openvswitch server in the openvswitch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvswitch_admin" lineno="233">
<summary>
All of the rules required to administrate
an openvswitch environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openwsman" filename="policy/modules/contrib/openwsman.if">
<summary>WS-Management Server</summary>
<interface name="openwsman_domtrans" lineno="13">
<summary>
Execute openwsman in the openwsman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openwsman_systemctl" lineno="31">
<summary>
Execute openwsman server in the openwsman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openwsman_admin" lineno="59">
<summary>
All of the rules required to administrate
an openwsman environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="oracleasm" filename="policy/modules/contrib/oracleasm.if">
<summary>policy for oracleasm</summary>
<interface name="oracleasm_domtrans" lineno="13">
<summary>
Transition to oracleasm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oracleasm_initrc_domtrans" lineno="33">
<summary>
Execute oracleasm server in the oracleasm domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oracleasm_admin" lineno="59">
<summary>
All of the rules required to administrate
an oracleasm environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="osad" filename="policy/modules/contrib/osad.if">
<summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
<interface name="osad_domtrans" lineno="13">
<summary>
Execute osad in the osad domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="osad_initrc_domtrans" lineno="32">
<summary>
Execute osad server in the osad domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_read_log" lineno="50">
<summary>
Read osad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="osad_append_log" lineno="69">
<summary>
Append to osad log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_manage_log" lineno="88">
<summary>
Manage osad log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_read_pid_files" lineno="108">
<summary>
Read osad PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_admin" lineno="135">
<summary>
All of the rules required to administrate
an osad environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pacemaker" filename="policy/modules/contrib/pacemaker.if">
<summary>A scalable high-availability cluster resource manager.</summary>
<interface name="pacemaker_domtrans" lineno="13">
<summary>
Transition to pacemaker.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pacemaker_initrc_domtrans" lineno="32">
<summary>
Execute pacemaker server in the pacemaker domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_search_lib" lineno="50">
<summary>
Search pacemaker lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_read_lib_files" lineno="69">
<summary>
Read pacemaker lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_manage_lib_files" lineno="88">
<summary>
Manage pacemaker lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_manage_lib_dirs" lineno="107">
<summary>
Manage pacemaker lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_read_pid_files" lineno="126">
<summary>
Read pacemaker PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_systemctl" lineno="145">
<summary>
Execute pacemaker server in the pacemaker domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pacemaker_admin" lineno="178">
<summary>
All of the rules required to administrate
a pacemaker environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="pacemaker_use_execmem" dftval="false">
<desc>
<p>
Allow pacemaker memcheck-amd64- to use executable memory
</p>
</desc>
</tunable>
</module>
<module name="pads" filename="policy/modules/contrib/pads.if">
<summary>Passive Asset Detection System.</summary>
<interface name="pads_admin" lineno="20">
<summary>
All of the rules required to
administrate a pads environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="passenger" filename="policy/modules/contrib/passenger.if">
<summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
<interface name="passenger_domtrans" lineno="13">
<summary>
Execute passenger in the passenger domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="passenger_exec" lineno="32">
<summary>
Execute passenger in the current domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_getattr_log_files" lineno="50">
<summary>
Getattr passenger log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_read_lib_files" lineno="68">
<summary>
Read passenger lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_lib_files" lineno="88">
<summary>
Manage passenger lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_pid_content" lineno="109">
<summary>
Manage passenger var_run content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_stream_connect" lineno="131">
<summary>
Connect to passenger unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_tmp_files" lineno="154">
<summary>
Allow managing passenger tmp files/dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_kill" lineno="174">
<summary>
Send kill signals to passenger.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="pcmcia" filename="policy/modules/contrib/pcmcia.if">
<summary>PCMCIA card management services.</summary>
<interface name="pcmcia_stub" lineno="13">
<summary>
PCMCIA stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcmcia_domtrans_cardmgr" lineno="29">
<summary>
Execute cardmgr in the cardmgr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcmcia_use_cardmgr_fds" lineno="48">
<summary>
Inherit and use cardmgr file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcmcia_domtrans_cardctl" lineno="66">
<summary>
Execute cardctl in the cardmgr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcmcia_run_cardctl" lineno="93">
<summary>
Execute cardctl in the cardmgr
domain, and allow the specified
role the cardmgr domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="pcmcia_read_pid" lineno="112">
<summary>
Read cardmgr pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcmcia_manage_pid" lineno="132">
<summary>
Create, read, write, and delete
cardmgr pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcmcia_manage_pid_chr_files" lineno="152">
<summary>
Create, read, write, and delete
cardmgr runtime character nodes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="pcp" filename="policy/modules/contrib/pcp.if">
<summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
<template name="pcp_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
pcp daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="pcp_read_lib_files" lineno="43">
<summary>
Allow domain to read pcp lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcp_admin" lineno="63">
<summary>
All of the rules required to administrate
a pcp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="pcp_pmie_exec" lineno="106">
<summary>
Allow the specified domain to execute pcp_pmie
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcp_pmlogger_exec" lineno="126">
<summary>
Allow the specified domain to execute pcp_pmlogger
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcp_filetrans_named_content" lineno="145">
<summary>
Transition to pcp named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcp_write_pid_sock_file" lineno="162">
<summary>
Allow the specified domain to write to pcp sock file
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="pcp_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Allow pcp to bind to all unreserved_ports
</p>
</desc>
</tunable>
<tunable name="pcp_read_generic_logs" dftval="false">
<desc>
<p>
Allow pcp to read generic logs
</p>
</desc>
</tunable>
</module>
<module name="pcscd" filename="policy/modules/contrib/pcscd.if">
<summary>PCSC smart card service.</summary>
<interface name="pcscd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pcscd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcscd_read_pub_files" lineno="34">
<summary>
Read pcscd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_read_pid_files" lineno="49">
<summary>
Read pcscd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_manage_pub_files" lineno="69">
<summary>
Create, read, write, and delete
pcscd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_manage_pub_pipes" lineno="84">
<summary>
Create, read, write, and delete
pcscd pid fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_signull" lineno="98">
<summary>
Send signulls to pcscd processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_stream_connect" lineno="117">
<summary>
Connect to pcscd over a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_admin" lineno="143">
<summary>
All of the rules required to
administrate a pcscd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pdns" filename="policy/modules/contrib/pdns.if">
<summary>PowerDNS DNS server.</summary>
<interface name="pdns_domtrans" lineno="13">
<summary>
Execute pdns in the pdns domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pdns_domtrans_pdns_control" lineno="31">
<summary>
Execute pdns_control in the pdns_control domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pdns_read_config" lineno="52">
<summary>
Allow the specified domain to read
pdns configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="pdns_stream_connect" lineno="74">
<summary>
Connect to pdns over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="pdns_can_network_connect_db" dftval="false">
<desc>
<p>
Allow PowerDNS to connect to databases over the network.
</p>
</desc>
</tunable>
</module>
<module name="pegasus" filename="policy/modules/contrib/pegasus.if">
<summary>The Open Group Pegasus CIM/WBEM Server.</summary>
<template name="pegasus_openlmi_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
openlmi init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="pegasus_stream_connect" lineno="51">
<summary>
Connect to pegasus over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="perdition" filename="policy/modules/contrib/perdition.if">
<summary>Perdition POP and IMAP proxy.</summary>
<interface name="perdition_tcp_connect" lineno="13">
<summary>
Connect to perdition over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="perdition_admin" lineno="34">
<summary>
All of the rules required to
administrate a perdition environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pesign" filename="policy/modules/contrib/pesign.if">
<summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
<interface name="pesign_domtrans" lineno="13">
<summary>
Execute pesign in the pesign domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pesign_read_pid_files" lineno="31">
<summary>
Read pesign PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pesign_systemctl" lineno="50">
<summary>
Execute pesign server in the pesign domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pesign_admin" lineno="78">
<summary>
All of the rules required to administrate
a pesign environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pingd" filename="policy/modules/contrib/pingd.if">
<summary>Pingd of the Whatsup cluster node up/down detection utility.</summary>
<interface name="pingd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pingd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pingd_read_config" lineno="32">
<summary>
Read pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_manage_config" lineno="52">
<summary>
Create, read, write, and delete
pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_admin" lineno="79">
<summary>
All of the rules required to
administrate a pingd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="piranha" filename="policy/modules/contrib/piranha.if">
<summary>policy for piranha</summary>
<template name="piranha_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
cluster init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="piranha_domtrans_fos" lineno="66">
<summary>
Execute a domain transition to run fos.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_domtrans_lvs" lineno="84">
<summary>
Execute a domain transition to run lvsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_domtrans_pulse" lineno="102">
<summary>
Execute a domain transition to run pulse.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_pulse_initrc_domtrans" lineno="120">
<summary>
Execute pulse server in the pulse domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_read_log" lineno="139">
<summary>
Allow the specified domain to read piranha's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="piranha_append_log" lineno="159">
<summary>
Allow the specified domain to append
piranha log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="piranha_manage_log" lineno="178">
<summary>
Allow domain to manage piranha log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="piranha_lvs_can_network_connect" dftval="false">
<desc>
<p>
Allow piranha-lvs domain to connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="pkcs" filename="policy/modules/contrib/pkcs.if">
<summary>Implementations of the Cryptoki specification.</summary>
<interface name="pkcs_read_lock" lineno="13">
<summary>
Read pkcs lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_manage_lock" lineno="34">
<summary>
Create, read, write, and delete
pkcs lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_rw_shm" lineno="55">
<summary>
Read and write pkcs shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_destroy_shm" lineno="73">
<summary>
Destroy pkcsslotd sysv shared memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_stream_connect" lineno="92">
<summary>
Connect to pkcs using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_manage_var_lib" lineno="110">
<summary>
Manage pkcs var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_getattr_exec_files" lineno="129">
<summary>
Get attributes of pkcs executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_domtrans" lineno="147">
<summary>
Transition to pkcs_slotd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_tmpfs_named_filetrans" lineno="167">
<summary>
Create specific objects in the tmpfs directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_delete_tmpfs_files" lineno="192">
<summary>
Delete pkcs files in the tmpfs directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_use_opencryptoki" lineno="210">
<summary>
Use opencryptoki services
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs_admin_slotd" lineno="249">
<summary>
All of the rules required to
administrate a pkcs slotd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pkcs11proxyd" filename="policy/modules/contrib/pkcs11proxyd.if">
<summary>pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm</summary>
<interface name="pkcs11proxyd_domtrans" lineno="13">
<summary>
Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_exec" lineno="32">
<summary>
Execute pkcs11proxyd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_search_lib" lineno="51">
<summary>
Search pkcs11proxyd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_read_lib_files" lineno="70">
<summary>
Read pkcs11proxyd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_manage_lib_files" lineno="89">
<summary>
Manage pkcs11proxyd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_manage_lib_dirs" lineno="108">
<summary>
Manage pkcs11proxyd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcs11proxyd_admin" lineno="135">
<summary>
All of the rules required to administrate
a pkcs11proxyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="pkcs11proxyd_stream_connect" lineno="167">
<summary>
Connect to pkcs11proxyd over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="pki" filename="policy/modules/contrib/pki.if">
<summary>policy for pki</summary>
<interface name="pki_rw_tomcat_cert" lineno="13">
<summary>
Allow read and write pki cert files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_tomcat_cert" lineno="34">
<summary>
Allow domain to manage pki tomcat cert files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_tomcat_etc_rw" lineno="55">
<summary>
Allow domain to manage pki tomcat etc_rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_read_tomcat_cert" lineno="74">
<summary>
Allow domain to read pki cert files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="pki_apache_template" lineno="94">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="pki_apache_domain_signal" lineno="188">
<summary>
Send a generic signal to pki apache domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_apache_domain_signull" lineno="206">
<summary>
Send a null signal to pki apache domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_apache_run" lineno="224">
<summary>
Allow domain to manage pki apache subsystem pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_apache_lib" lineno="243">
<summary>
Allow domain to manage pki apache subsystem lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_search_log_dirs" lineno="263">
<summary>
Allow domain to search pki log directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_dontaudit_write_log" lineno="282">
<summary>
Dontaudit domain to write pki log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_apache_log_files" lineno="300">
<summary>
Allow domain to manage pki apache subsystem log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_apache_config_files" lineno="319">
<summary>
Allow domain to manage pki apache subsystem config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_read_tomcat_lib_files" lineno="338">
<summary>
Allow domain to read pki tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_tomcat_lib" lineno="358">
<summary>
Allow domain to manage pki tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_tomcat_log" lineno="378">
<summary>
Allow domain to manage pki tomcat log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_read_tomcat_lib_dirs" lineno="397">
<summary>
Allow domain to read pki tomcat lib dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_read_common_files" lineno="415">
<summary>
Allow read pki_common_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_exec_common_files" lineno="433">
<summary>
Allow execute pki_common_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_manage_common_files" lineno="451">
<summary>
Allow manage pki_common_t files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_stream_connect" lineno="471">
<summary>
Connect to pki over a unix
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pki_tomcat_systemctl" lineno="490">
<summary>
Execute pki in the pki_tomcat_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pki_manage_tomcat_pid" lineno="515">
<summary>
Create, read, write, and delete
pki tomcat pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="plymouthd" filename="policy/modules/contrib/plymouthd.if">
<summary>Plymouth graphical boot</summary>
<interface name="plymouthd_domtrans" lineno="13">
<summary>
Execute a domain transition to run plymouthd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_exec" lineno="31">
<summary>
Execute the plymouth daemon in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_stream_connect" lineno="50">
<summary>
Allow domain to connect to the Plymouth
daemon over a stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_exec_plymouth" lineno="68">
<summary>
Execute the plymouth command in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_domtrans_plymouth" lineno="86">
<summary>
Execute a domain transition to run plymouth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_search_spool" lineno="104">
<summary>
Search plymouthd spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_spool_files" lineno="123">
<summary>
Read plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_spool_files" lineno="143">
<summary>
Create, read, write, and delete
plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_search_lib" lineno="162">
<summary>
Search plymouthd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_lib_files" lineno="181">
<summary>
Read plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_lib_files" lineno="201">
<summary>
Create, read, write, and delete
plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_pid_files" lineno="220">
<summary>
Read plymouthd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_log" lineno="240">
<summary>
Allow the specified domain to read
plymouthd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_create_log" lineno="259">
<summary>
Allow the specified domain to create plymouthd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_log" lineno="279">
<summary>
Allow the specified domain to manage
plymouthd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_filetrans_named_content" lineno="300">
<summary>
Allow domain to create boot.log
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_admin" lineno="320">
<summary>
All of the rules required to administrate
a plymouthd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="podsleuth" filename="policy/modules/contrib/podsleuth.if">
<summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary>
<interface name="podsleuth_domtrans" lineno="13">
<summary>
Execute a domain transition to run podsleuth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="podsleuth_run" lineno="39">
<summary>
Execute podsleuth in the podsleuth
domain, and allow the specified role
the podsleuth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="policykit" filename="policy/modules/contrib/policykit.if">
<summary>Policy framework for controlling privileges for system-wide services.</summary>
<interface name="policykit_dbus_chat" lineno="14">
<summary>
Send and receive messages from
policykit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_dbus_chat_auth" lineno="37">
<summary>
Send and receive messages from
policykit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_auth" lineno="59">
<summary>
Execute a domain transition to run polkit_auth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_auth" lineno="84">
<summary>
Execute a policy_auth in the policy_auth domain, and
allow the specified role the policy_auth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="policykit_domtrans_grant" lineno="106">
<summary>
Execute a domain transition to run polkit_grant.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_grant" lineno="131">
<summary>
Execute a policy_grant in the policy_grant domain, and
allow the specified role the policy_grant domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="policykit_read_reload" lineno="154">
<summary>
Read policykit reload files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_rw_reload" lineno="173">
<summary>
Read and write policykit reload files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_resolve" lineno="192">
<summary>
Execute a domain transition to run polkit_resolve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_search_lib" lineno="212">
<summary>
Search policykit lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_read_lib" lineno="231">
<summary>
Read policykit lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="policykit_role" lineno="260">
<summary>
The per role template for the policykit module.
</summary>
<param name="user_role">
<summary>
Role allowed access
</summary>
</param>
<param name="user_domain">
<summary>
User domain for the role
</summary>
</param>
</template>
<interface name="policykit_signal_auth" lineno="278">
<summary>
Send generic signal to policy_auth
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="polipo" filename="policy/modules/contrib/polipo.if">
<summary>Caching web proxy.</summary>
<template name="polipo_role" lineno="18">
<summary>
Role access for polipo session.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="polipo_named_filetrans_config_home_files" lineno="60">
<summary>
Create configuration files in user
home directories with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="polipo_named_filetrans_cache_home_dirs" lineno="80">
<summary>
Create cache directories in user
home directories with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="polipo_named_filetrans_admin_config_home_files" lineno="100">
<summary>
Create configuration files in admin
home directories with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="polipo_named_filetrans_admin_cache_home_dirs" lineno="120">
<summary>
Create cache directories in admin
home directories with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="polipo_named_filetrans_log_files" lineno="139">
<summary>
Create log files with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="polipo_systemctl" lineno="157">
<summary>
Execute polipo server in the polipo domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="polipo_admin" lineno="187">
<summary>
Administrate a polipo environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="polipo_use_cifs" dftval="false">
<desc>
<p>
Determine whether polipo can
access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="polipo_use_nfs" dftval="false">
<desc>
<p>
Determine whether Polipo can
access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="polipo_session_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether Polipo session daemon
can bind tcp sockets to all unreserved ports.
</p>
</desc>
</tunable>
<tunable name="polipo_session_users" dftval="false">
<desc>
<p>
Determine whether calling user domains
can execute Polipo daemon in the
polipo_session_t domain.
</p>
</desc>
</tunable>
<tunable name="polipo_connect_all_unreserved" dftval="false">
<desc>
<p>
Allow polipo to connect to all ports > 1023
</p>
</desc>
</tunable>
</module>
<module name="portage" filename="policy/modules/contrib/portage.if">
<summary>Package Management System.</summary>
<interface name="portage_domtrans" lineno="13">
<summary>
Execute emerge in the portage domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run" lineno="40">
<summary>
Execute emerge in the portage domain,
and allow the specified role the
portage domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_compile_domain" lineno="65">
<summary>
Template for portage sandbox.
</summary>
<desc>
<p>
Template for portage sandbox.  Portage
does all compiling in the sandbox.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portage_domtrans_fetch" lineno="218">
<summary>
Execute tree management functions
(fetching, layman, ...) in the
portage fetch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run_fetch" lineno="247">
<summary>
Execute tree management functions
(fetching, layman, ...) in the
portage fetch domain, and allow
the specified role the portage
fetch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_domtrans_gcc_config" lineno="266">
<summary>
Execute gcc-config in the gcc config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portage_run_gcc_config" lineno="293">
<summary>
Execute gcc-config in the gcc config
domain, and allow the specified role
the gcc_config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portage_dontaudit_use_fds" lineno="313">
<summary>
Do not audit attempts to use
portage file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="portage_dontaudit_search_tmp" lineno="332">
<summary>
Do not audit attempts to search the
portage temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="portage_dontaudit_rw_tmp_files" lineno="351">
<summary>
Do not audit attempts to read and write
the portage temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<tunable name="portage_use_nfs" dftval="false">
<desc>
<p>
Determine whether portage can
use nfs filesystems.
</p>
</desc>
</tunable>
</module>
<module name="portmap" filename="policy/modules/contrib/portmap.if">
<summary>RPC port mapping service.</summary>
<interface name="portmap_domtrans_helper" lineno="13">
<summary>
Execute portmap helper in the helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portmap_run_helper" lineno="40">
<summary>
Execute portmap helper in the helper
domain, and allow the specified role
the helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portmap_udp_send" lineno="59">
<summary>
Send UDP network traffic to portmap.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portmap_udp_chat" lineno="73">
<summary>
Send and receive UDP network traffic from portmap.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portmap_tcp_connect" lineno="87">
<summary>
Connect to portmap over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portmap_admin" lineno="108">
<summary>
All of the rules required to
administrate a portmap environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="portreserve" filename="policy/modules/contrib/portreserve.if">
<summary>Reserve well-known ports in the RPC port range.</summary>
<interface name="portreserve_domtrans" lineno="13">
<summary>
Execute a domain transition to run portreserve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portreserve_read_config" lineno="33">
<summary>
Read portreserve configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portreserve_manage_config" lineno="55">
<summary>
Create, read, write, and delete
portreserve configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portreserve_initrc_domtrans" lineno="77">
<summary>
Execute portreserve init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portreserve_admin" lineno="102">
<summary>
All of the rules required to
administrate a portreserve environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="portslave" filename="policy/modules/contrib/portslave.if">
<summary>Portslave terminal server software.</summary>
<interface name="portslave_domtrans" lineno="13">
<summary>
Execute portslave with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="postfix" filename="policy/modules/contrib/postfix.if">
<summary>Postfix email server</summary>
<interface name="postfix_stub" lineno="13">
<summary>
Postfix stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="postfix_domain_template" lineno="30">
<summary>
Creates types and rules for a basic
postfix process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<template name="postfix_server_domain_template" lineno="60">
<summary>
Creates a postfix server process domain.
</summary>
<param name="prefix">
<summary>
Prefix of the domain.
</summary>
</param>
</template>
<template name="postfix_user_domain_template" lineno="101">
<summary>
Creates a process domain for programs
that are run by users.
</summary>
<param name="prefix">
<summary>
Prefix of the domain.
</summary>
</param>
</template>
<interface name="postfix_read_config" lineno="130">
<summary>
Read postfix configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_config_filetrans" lineno="167">
<summary>
Create files with the specified type in
the postfix configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="188">
<summary>
Do not audit attempts to read and
write postfix local delivery
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_rw_local_pipes" lineno="207">
<summary>
Allow read/write access to postfix local pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_public_pipes" lineno="226">
<summary>
Allow read/write access to postfix public pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_local_state" lineno="244">
<summary>
Allow domain to read postfix local process state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_master_state" lineno="263">
<summary>
Allow domain to read postfix master process state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_use_fds_master" lineno="283">
<summary>
Use postfix master process
file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_use_fds" lineno="303">
<summary>
Do not audit attempts to use
postfix master process
file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_map" lineno="321">
<summary>
Execute postfix_map in the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_run_map" lineno="346">
<summary>
Execute postfix_map in the postfix_map domain, and
allow the specified role the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_domtrans_master" lineno="366">
<summary>
Execute the master postfix program in the
postfix_master domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_initrc_domtrans" lineno="386">
<summary>
Execute the master postfix in the postfix master domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_exec_master" lineno="405">
<summary>
Execute the master postfix program in the
caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_stream_connect_master" lineno="423">
<summary>
Connect to postfix master process using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_inherited_master_pipes" lineno="441">
<summary>
Allow read/write postfix master pipes
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_postdrop" lineno="460">
<summary>
Execute the master postdrop in the
postfix_postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_postqueue" lineno="479">
<summary>
Execute the master postqueue in the
postfix_postqueue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
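<interface name="postfix_run_postqueue" lineno="505">
<!-- NOTE(review): the summary below names the postfix_postdrop domain and the role parameter names the iptables domain; neither matches this interface's name (postfix_run_postqueue). Both look copied from other interfaces. Confirm against postfix.if which domain the role is actually granted before relying on this text. -->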
<summary>
Execute the master postqueue in the
postfix_postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the iptables domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_domtrans_postgqueue" lineno="525">
<summary>
Execute postfix_postgqueue in the postfix_postgqueue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_run_postgqueue" lineno="550">
<summary>
Execute postfix_postgqueue in the postfix_postgqueue domain, and
allow the specified role the postfix_postgqueue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_exec_postqueue" lineno="570">
<summary>
Execute the master postqueue in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_create_private_sockets" lineno="588">
<summary>
Create a named socket in a postfix private directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_private_sockets" lineno="607">
<summary>
Manage named sockets in a postfix private directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
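<interface name="postfix_domtrans_smtp" lineno="627">
<!-- NOTE(review): the summary below is word for word the postfix_domtrans_master summary and describes the postfix_master domain, not an smtp domain. It looks like a copy and paste leftover. Confirm the transition target against postfix.if. -->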
<summary>
Execute the master postfix program in the
postfix_master domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_getattr_spool_files" lineno="645">
<summary>
Getattr postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_search_spool" lineno="664">
<summary>
Search postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_list_spool" lineno="683">
<summary>
List postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_spool_files" lineno="702">
<summary>
Read postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_spool_files" lineno="721">
<summary>
Create, read, write, and delete postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_spool_maildrop_files" lineno="740">
<summary>
Read, write, and delete postfix maildrop spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_spool_maildrop_files" lineno="759">
<summary>
Create, read, write, and delete postfix maildrop spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_user_mail_handler" lineno="780">
<summary>
Execute postfix user mail programs
in their respective domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_admin" lineno="805">
<summary>
All of the rules required to administrate
a postfix environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
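<interface name="postfix_run_postdrop" lineno="893">
<!-- NOTE(review): the role parameter below says the role is allowed the iptables domain, while the summary names the postfix_postdrop domain. The iptables wording looks copied from another module. Confirm against postfix.if which domain the role is granted. -->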
<summary>
Execute the master postdrop in the
postfix_postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the iptables domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_exec" lineno="915">
<summary>
Execute postfix exec in the users domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_filetrans_named_content" lineno="933">
<summary>
Transition to postfix named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="postfix_local_write_mail_spool" dftval="true">
<desc>
<p>
Allow postfix_local domain full write access to mail_spool directories
</p>
</desc>
</tunable>
</module>
<module name="postfixpolicyd" filename="policy/modules/contrib/postfixpolicyd.if">
<summary>Postfix policy server.</summary>
<interface name="postfixpolicyd_admin" lineno="20">
<summary>
All of the rules required to administrate
a postfixpolicyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="postgrey" filename="policy/modules/contrib/postgrey.if">
<summary>Postfix grey-listing server.</summary>
<interface name="postgrey_stream_connect" lineno="14">
<summary>
Connect to postgrey using a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgrey_search_spool" lineno="34">
<summary>
Search spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgrey_admin" lineno="60">
<summary>
All of the rules required to
administrate a postgrey environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="powerprofiles" filename="policy/modules/contrib/powerprofiles.if">
<summary>Power profiles handling over D-Bus</summary>
</module>
<module name="ppp" filename="policy/modules/contrib/ppp.if">
<summary>Point to Point Protocol daemon creates links in ppp networks</summary>
<interface name="ppp_manage_home_files" lineno="14">
<summary>
Create, read, write, and delete
ppp home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_home_files" lineno="33">
<summary>
Read ppp user home content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_relabel_home_files" lineno="53">
<summary>
Relabel ppp home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_home_filetrans_ppp_home" lineno="83">
<summary>
Create objects in user home
directories with the ppp home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="ppp_use_fds" lineno="101">
<summary>
Inherit and use ppp file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_dontaudit_use_fds" lineno="120">
<summary>
Do not audit attempts to inherit
and use PPP file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ppp_sigchld" lineno="138">
<summary>
Send a SIGCHLD signal to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_kill" lineno="157">
<summary>
Send ppp a kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signal" lineno="175">
<summary>
Send a generic signal to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signull" lineno="193">
<summary>
Send a null signal to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_domtrans" lineno="211">
<summary>
Execute ppp in the ppp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ppp_run_cond" lineno="236">
<summary>
Conditionally execute ppp daemon on behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ppp domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_run" lineno="264">
<summary>
Unconditionally execute ppp daemon on behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ppp domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_exec" lineno="283">
<summary>
Execute ppp in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_config" lineno="302">
<summary>
Read ppp configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_rw_config" lineno="321">
<summary>
Read PPP-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_secrets" lineno="341">
<summary>
Read PPP secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_pid_files" lineno="361">
<summary>
Read PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_manage_pid_files" lineno="380">
<summary>
Create, read, write, and delete PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_pid_filetrans" lineno="399">
<summary>
Create, read, write, and delete PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
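<interface name="ppp_initrc_domtrans" lineno="417">
<!-- NOTE(review): the summary below names the ntpd domain, which does not match this ppp interface and looks copied from another module. Confirm the actual transition target against ppp.if before granting this interface. -->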
<summary>
Execute ppp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ppp_systemctl" lineno="435">
<summary>
Execute pppd server in the pppd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ppp_filetrans_named_content" lineno="460">
<summary>
Transition to ppp named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_admin" lineno="485">
<summary>
All of the rules required to administrate
a ppp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="pppd_can_insmod" dftval="false">
<desc>
<p>
Allow pppd to load kernel modules for certain modems
</p>
</desc>
</tunable>
<tunable name="pppd_for_user" dftval="false">
<desc>
<p>
Allow pppd to be run for a regular user
</p>
</desc>
</tunable>
</module>
<module name="prelink" filename="policy/modules/contrib/prelink.if">
<summary>Prelink ELF shared library mappings.</summary>
<interface name="prelink_domtrans" lineno="13">
<summary>
Execute the prelink program in the prelink domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelink_exec" lineno="37">
<summary>
Execute the prelink program in the current domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_run" lineno="62">
<summary>
Execute the prelink program in the prelink domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the prelink domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="prelink_object_file" lineno="82">
<summary>
Make the specified file type prelinkable.
</summary>
<param name="file_type">
<summary>
File type to be prelinked.
</summary>
</param>
</interface>
<interface name="prelink_read_cache" lineno="100">
<summary>
Read the prelink cache.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_delete_cache" lineno="119">
<summary>
Delete the prelink cache.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_manage_log" lineno="139">
<summary>
Create, read, write, and delete
prelink log files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_manage_lib" lineno="159">
<summary>
Create, read, write, and delete
prelink var_lib files.
</summary>
<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
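<interface name="prelink_relabelfrom_lib" lineno="178">
<!-- NOTE(review): the summary below refers to files in the /boot directory, which does not match the prelink lib naming of this interface and looks copied from another module. Confirm against prelink.if which files may be relabeled. -->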
<summary>
Relabel from files in the /boot directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
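<interface name="prelink_relabel_lib" lineno="197">
<!-- NOTE(review): the summary below is identical to the prelink_relabelfrom_lib summary and refers to files in the /boot directory, which does not match the prelink lib naming of this interface. Confirm against prelink.if which files may be relabeled and in which direction. -->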
<summary>
Relabel from files in the /boot directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelink_filetrans_named_content" lineno="216">
<summary>
Transition to prelink named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="prelude" filename="policy/modules/contrib/prelude.if">
<summary>Prelude hybrid intrusion detection system</summary>
<interface name="prelude_domtrans" lineno="13">
<summary>
Execute a domain transition to run prelude.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_domtrans_audisp" lineno="31">
<summary>
Execute a domain transition to run prelude_audisp.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_signal_audisp" lineno="49">
<summary>
Signal the prelude_audisp domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_read_spool" lineno="67">
<summary>
Read the prelude spool files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_manage_spool" lineno="86">
<summary>
Manage prelude-manager spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_admin" lineno="113">
<summary>
All of the rules required to administrate
a prelude environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="privoxy" filename="policy/modules/contrib/privoxy.if">
<summary>Privacy enhancing web proxy.</summary>
<interface name="privoxy_admin" lineno="20">
<summary>
All of the rules required to
administrate a privoxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="privoxy_connect_any" dftval="false">
<desc>
<p>
Determine whether privoxy can
connect to all tcp ports.
</p>
</desc>
</tunable>
</module>
<module name="procmail" filename="policy/modules/contrib/procmail.if">
<summary>Procmail mail delivery agent</summary>
<interface name="procmail_domtrans" lineno="13">
<summary>
Execute procmail with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="procmail_exec" lineno="35">
<summary>
Execute procmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_read_tmp_files" lineno="55">
<summary>
Read procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_rw_tmp_files" lineno="74">
<summary>
Read/write procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_read_home_files" lineno="93">
<summary>
Read procmail home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="prosody" filename="policy/modules/contrib/prosody.if">
<summary>policy for prosody</summary>
<interface name="prosody_domtrans" lineno="13">
<summary>
Execute prosody in the prosody domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prosody_search_lib" lineno="32">
<summary>
Search prosody lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_read_lib_files" lineno="51">
<summary>
Read prosody lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_manage_lib_files" lineno="70">
<summary>
Manage prosody lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_manage_lib_dirs" lineno="89">
<summary>
Manage prosody lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_read_pid_files" lineno="108">
<summary>
Read prosody PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_systemctl" lineno="127">
<summary>
Execute prosody server in the prosody domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prosody_run" lineno="159">
<summary>
Execute prosody in the prosody domain, and
allow the specified role the prosody domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the prosody domain.
</summary>
</param>
</interface>
<interface name="prosody_stream_connect" lineno="180">
<summary>
Connect to prosody with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prosody_role" lineno="204">
<summary>
Role access for prosody
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="prosody_admin" lineno="230">
<summary>
All of the rules required to administrate
a prosody environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="prosody_bind_http_port" dftval="false">
<desc>
<p>
Permit prosody to bind to the apache port.
Needs to be activated to use BOSH.
</p>
</desc>
</tunable>
</module>
<module name="psad" filename="policy/modules/contrib/psad.if">
<summary>Intrusion Detection and Log Analysis with iptables.</summary>
<interface name="psad_domtrans" lineno="13">
<summary>
Execute a domain transition to run psad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="psad_signal" lineno="32">
<summary>
Send generic signals to psad.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_signull" lineno="50">
<summary>
Send null signals to psad.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_config" lineno="68">
<summary>
Read psad configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_manage_config" lineno="90">
<summary>
Create, read, write, and delete
psad configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_pid_files" lineno="110">
<summary>
Read psad pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_pid_files" lineno="129">
<summary>
Read and write psad PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_log" lineno="149">
<summary>
Read psad log content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_append_log" lineno="170">
<summary>
Append psad log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_write_log" lineno="190">
<summary>
Allow the specified domain to write to psad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_setattr_log" lineno="209">
<summary>
Allow the specified domain to setattr to psad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_fifo_file" lineno="228">
<summary>
Read and write psad fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_setattr_fifo_file" lineno="247">
<summary>
Allow setattr to psad fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_search_lib_files" lineno="267">
<summary>
Allow search to psad lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_tmp_files" lineno="286">
<summary>
Read and write psad temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_admin" lineno="312">
<summary>
All of the rules required to
administrate a psad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ptchown" filename="policy/modules/contrib/ptchown.if">
<summary>helper function for grantpt(3), changes ownership and permissions of pseudotty.</summary>
<interface name="ptchown_domtrans" lineno="13">
<summary>
Execute a domain transition to run ptchown.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ptchown_exec" lineno="32">
<summary>
Execute ptchown in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ptchown_run" lineno="58">
<summary>
Execute ptchown in the ptchown
domain, and allow the specified
role the ptchown domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="publicfile" filename="policy/modules/contrib/publicfile.if">
<summary>publicfile supplies files to the public through HTTP and FTP.</summary>
</module>
<module name="pulseaudio" filename="policy/modules/contrib/pulseaudio.if">
<summary>Pulseaudio network sound server.</summary>
<interface name="pulseaudio_role" lineno="18">
<summary>
Role access for pulseaudio
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="pulseaudio_domtrans" lineno="59">
<summary>
Execute a domain transition to run pulseaudio.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pulseaudio_run" lineno="87">
<summary>
Execute pulseaudio in the pulseaudio domain, and
allow the specified role the pulseaudio domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_exec" lineno="106">
<summary>
Execute pulseaudio in the current domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_dontaudit_exec" lineno="124">
<summary>
Do not audit attempts to execute pulseaudio.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="pulseaudio_signull" lineno="143">
<summary>
Send signull signal to pulseaudio
processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_stream_connect" lineno="162">
<summary>
Connect to pulseaudio over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_dbus_chat" lineno="187">
<summary>
Send and receive messages from
pulseaudio over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_setattr_home_dir" lineno="207">
<summary>
Set the attributes of the pulseaudio homedir.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_read_home_files" lineno="225">
<summary>
Read pulseaudio homedir files.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_rw_home_files" lineno="245">
<summary>
Read and write Pulse Audio files.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_manage_home_dirs" lineno="266">
<summary>
Create, read, write, and delete pulseaudio
home directories.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_manage_home_files" lineno="286">
<summary>
Create, read, write, and delete pulseaudio
home directory files.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_manage_home_symlinks" lineno="308">
<summary>
Create, read, write, and delete pulseaudio
home directory symlinks.
</summary>
<param name="user_domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_filetrans_home_content" lineno="328">
<summary>
Create pulseaudio content in the user home directory
with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_filetrans_admin_home_content" lineno="352">
<summary>
Create pulseaudio content in the admin home directory
with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pulseaudio_tmpfs_content" lineno="373">
<summary>
Make the specified tmpfs file type
pulseaudio tmpfs content.
</summary>
<param name="file_type">
<summary>
File type to make pulseaudio tmpfs content.
</summary>
</param>
</interface>
<interface name="pulseaudio_read_state" lineno="391">
<summary>
Allow the domain to read pulseaudio state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="puppet" filename="policy/modules/contrib/puppet.if">
<summary>Puppet client daemon</summary>
<desc>
<p>
Puppet is a configuration management system written in Ruby.
The client daemon is responsible for periodically requesting the
desired system state from the server and ensuring the state of
the client system matches.
</p>
</desc>
<interface name="puppet_domtrans_master" lineno="22">
<summary>
Execute puppet_master in the puppet_master
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="puppet_domtrans" lineno="42">
<summary>
Execute puppet in the puppet
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="puppet_domtrans_puppetca" lineno="62">
<summary>
Execute puppetca in the puppetca
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="puppet_run" lineno="89">
<summary>
Execute puppet in the puppet
domain and allow the specified
role the puppetca domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="puppet_run_puppetca" lineno="116">
<summary>
Execute puppetca in the puppetca
domain and allow the specified
role the puppetca domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="puppet_rw_tmp" lineno="139">
<summary>
Read / Write to Puppet temp files.  Puppet uses
some system binaries (groupadd, etc) that run in
a non-puppet domain and redirects output into temp
files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_lib" lineno="158">
<summary>
Read Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_manage_lib" lineno="177">
<summary>
Manage Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_search_log" lineno="196">
<summary>
Allow the specified domain to search puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_log" lineno="215">
<summary>
Allow the specified domain to read puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_create_log" lineno="234">
<summary>
Allow the specified domain to create puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_append_log" lineno="253">
<summary>
Allow the specified domain to append puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_manage_log" lineno="272">
<summary>
Allow the specified domain to manage puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_config" lineno="291">
<summary>
Allow the specified domain to read puppet's config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_search_pid" lineno="312">
<summary>
Allow the specified domain to search puppet's pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="puppetagent_manage_all_files" dftval="false">
<desc>
<p>
Allow Puppet client to manage all file
types.
</p>
</desc>
</tunable>
<tunable name="puppetmaster_use_db" dftval="false">
<desc>
<p>
Allow Puppet master to connect to MySQL and PostgreSQL databases
</p>
</desc>
</tunable>
</module>
<module name="pwauth" filename="policy/modules/contrib/pwauth.if">
<summary>policy for pwauth</summary>
<interface name="pwauth_domtrans" lineno="13">
<summary>
Transition to pwauth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pwauth_run" lineno="38">
<summary>
Execute pwauth in the pwauth domain, and
allow the specified role the pwauth domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the pwauth domain.
</summary>
</param>
</interface>
<interface name="pwauth_role" lineno="62">
<summary>
Role access for pwauth
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
</module>
<module name="pxe" filename="policy/modules/contrib/pxe.if">
<summary>Server for the PXE network boot protocol.</summary>
<interface name="pxe_admin" lineno="20">
<summary>
All of the rules required to
administrate a pxe environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pyzor" filename="policy/modules/contrib/pyzor.if">
<summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
<interface name="pyzor_role" lineno="19">
<summary>
Role access for pyzor
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="pyzor_signal" lineno="48">
<summary>
Send generic signals to pyzor
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_domtrans" lineno="66">
<summary>
Execute pyzor with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pyzor_exec" lineno="86">
<summary>
Execute pyzor in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_admin" lineno="113">
<summary>
All of the rules required to administrate
a pyzor environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the pyzor domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="qatlib" filename="policy/modules/contrib/qatlib.if">
<summary>policy for qatlib</summary>
<interface name="qatlib_domtrans" lineno="13">
<summary>
Execute qatlib_exec_t in the qatlib domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qatlib_exec" lineno="32">
<summary>
Execute qatlib in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="qemu" filename="policy/modules/contrib/qemu.if">
<summary>QEMU machine emulator and virtualizer</summary>
<template name="qemu_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
qemu process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="qemu_domtrans" lineno="112">
<summary>
Execute a domain transition to run qemu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qemu_exec" lineno="130">
<summary>
Execute qemu in the caller's domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_run" lineno="154">
<summary>
Execute qemu in the qemu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the qemu domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qemu_read_state" lineno="175">
<summary>
Allow the domain to read state files in /proc.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="qemu_setsched" lineno="193">
<summary>
Set the schedule on qemu.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_signal" lineno="211">
<summary>
Send a signal to qemu.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_kill" lineno="229">
<summary>
Send a sigkill to qemu
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_spec_domtrans" lineno="264">
<summary>
Execute qemu_exec_t
in the specified domain but do not
do it automatically. This is an explicit
transition, requiring the caller to use setexeccon().
</summary>
<desc>
<p>
Execute qemu_exec_t
in the specified domain.  This allows
the specified domain to execute qemu programs
on these filesystems in the specified
domain.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="qemu_unconfined_role" lineno="289">
<summary>
Execute qemu unconfined programs in the role.
</summary>
<param name="role">
<summary>
The role to allow the qemu unconfined domain.
</summary>
</param>
</interface>
<interface name="qemu_manage_tmp_dirs" lineno="308">
<summary>
Manage qemu temporary dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_manage_tmp_files" lineno="326">
<summary>
Manage qemu temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qemu_entry_type" lineno="345">
<summary>
Make qemu_exec_t an entrypoint for
the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which qemu_exec_t is an entrypoint.
</summary>
</param>
</interface>
<interface name="qemu_getattr_exec" lineno="363">
<summary>
Getattr on qemu executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="qemu_full_network" dftval="false">
<desc>
<p>
Allow qemu to connect fully to the network
</p>
</desc>
</tunable>
<tunable name="qemu_use_cifs" dftval="true">
<desc>
<p>
Allow qemu to use cifs/Samba file systems
</p>
</desc>
</tunable>
<tunable name="qemu_use_comm" dftval="false">
<desc>
<p>
Allow qemu to use serial/parallel communication ports
</p>
</desc>
</tunable>
<tunable name="qemu_use_nfs" dftval="true">
<desc>
<p>
Allow qemu to use nfs file systems
</p>
</desc>
</tunable>
<tunable name="qemu_use_usb" dftval="true">
<desc>
<p>
Allow qemu to use usb devices
</p>
</desc>
</tunable>
</module>
<module name="qmail" filename="policy/modules/contrib/qmail.if">
<summary>Qmail Mail Server</summary>
<template name="qmail_child_domain_template" lineno="18">
<summary>
Template for qmail parent/sub-domain pairs
</summary>
<param name="child_prefix">
<summary>
The prefix of the child domain
</summary>
</param>
<param name="parent_domain">
<summary>
The name of the parent domain.
</summary>
</param>
</template>
<interface name="qmail_domtrans_inject" lineno="59">
<summary>
Transition to qmail_inject_t
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qmail_domtrans_queue" lineno="84">
<summary>
Transition to qmail_queue_t
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qmail_read_config" lineno="110">
<summary>
Read qmail configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qmail_smtpd_service_domain" lineno="142">
<summary>
Define the specified domain as a qmail-smtp service.
Needed by antivirus/antispam filters.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="qmail_manage_spool_dirs" lineno="161">
<summary>
Create, read, write, and delete qmail
spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qmail_manage_spool_files" lineno="180">
<summary>
Create, read, write, and delete qmail
spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qmail_rw_spool_pipes" lineno="198">
<summary>
Read and write to qmail spool pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="qpid" filename="policy/modules/contrib/qpid.if">
<summary>policy for qpidd</summary>
<interface name="qpidd_domtrans" lineno="13">
<summary>
Execute a domain transition to run qpidd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qpidd_initrc_domtrans" lineno="31">
<summary>
Execute qpidd server in the qpidd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_read_pid_files" lineno="49">
<summary>
Read qpidd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_var_run" lineno="68">
<summary>
Manage qpidd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_search_lib" lineno="89">
<summary>
Search qpidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_read_lib_files" lineno="108">
<summary>
Read qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_lib_files" lineno="128">
<summary>
Create, read, write, and delete
qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_var_lib" lineno="147">
<summary>
Manage qpidd var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_rw_semaphores" lineno="168">
<summary>
Allow read and write access to qpidd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_rw_shm" lineno="186">
<summary>
Read and write to qpidd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_admin" lineno="214">
<summary>
All of the rules required to
administrate a qpidd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="quantum" filename="policy/modules/contrib/quantum.if">
<summary>Virtual network service for Openstack.</summary>
<interface name="neutron_domtrans" lineno="13">
<summary>
Transition to neutron.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="neutron_rw_inherited_pipes" lineno="32">
<summary>
Allow read/write neutron pipes
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_sigchld" lineno="51">
<summary>
Send sigchld to neutron.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_read_log" lineno="70">
<summary>
Read neutron's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="neutron_append_log" lineno="89">
<summary>
Append to neutron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_log" lineno="108">
<summary>
Manage neutron log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_search_lib" lineno="129">
<summary>
Search neutron lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_read_lib_files" lineno="148">
<summary>
Read neutron lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_lib_files" lineno="167">
<summary>
Manage neutron lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_lib_dirs" lineno="187">
<summary>
Manage neutron lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_rw_fifo_file" lineno="206">
<summary>
Read and write neutron fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_stream_connect" lineno="225">
<summary>
Connect to neutron over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_systemctl" lineno="245">
<summary>
Execute neutron server in the neutron domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="neutron_read_state" lineno="270">
<summary>
Read neutron process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_admin" lineno="291">
<summary>
All of the rules required to administrate
a neutron environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="neutron_can_network" dftval="false">
<desc>
<p>
Determine whether neutron can
connect to all TCP ports
</p>
</desc>
</tunable>
</module>
<module name="quota" filename="policy/modules/contrib/quota.if">
<summary>File system quota management</summary>
<interface name="quota_domtrans" lineno="13">
<summary>
Execute quota management tools in the quota domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="quota_run" lineno="39">
<summary>
Execute quota management tools in the quota domain, and
allow the specified role the quota domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="quota_read_db" lineno="58">
<summary>
Allow reading of filesystem quota data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_dontaudit_getattr_db" lineno="77">
<summary>
Do not audit attempts to get the attributes
of filesystem quota data files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="quota_manage_db" lineno="96">
<summary>
Create, read, write, and delete quota
db files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_manage_flags" lineno="115">
<summary>
Create, read, write, and delete quota
flag files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_filetrans_named_content" lineno="134">
<summary>
Transition to quota named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="quota_domtrans_nld" lineno="171">
<summary>
Transition to quota_nld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="rabbitmq" filename="policy/modules/contrib/rabbitmq.if">
<summary>AMQP server written in Erlang.</summary>
<interface name="rabbitmq_domtrans" lineno="13">
<summary>
Execute rabbitmq in the rabbitmq domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rabbitmq_admin" lineno="39">
<summary>
All of the rules required to
administrate a rabbitmq environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="radius" filename="policy/modules/contrib/radius.if">
<summary>RADIUS authentication and accounting server.</summary>
<interface name="radius_use" lineno="13">
<summary>
Use radius over a UDP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="radiusd_systemctl" lineno="27">
<summary>
Execute radiusd server in the radiusd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="radius_admin" lineno="58">
<summary>
All of the rules required to
administrate a radius environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="radius_use_jit" dftval="false">
<desc>
<p>
Determine whether radius can use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="radvd" filename="policy/modules/contrib/radvd.if">
<summary>IPv6 router advertisement daemon.</summary>
<interface name="radvd_read_pid_files" lineno="13">
<summary>
Read radvd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="radvd_admin" lineno="39">
<summary>
All of the rules required to
administrate an radvd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="raid" filename="policy/modules/contrib/raid.if">
<summary>RAID array management tools</summary>
<interface name="raid_domtrans_mdadm" lineno="13">
<summary>
Execute software raid tools in the mdadm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="raid_run_mdadm" lineno="39">
<summary>
Execute a domain transition to mdadm_t for the
specified role, allowing it to use the mdadm_t
domain
</summary>
<param name="role">
<summary>
Role allowed to access mdadm_t domain
</summary>
</param>
<param name="domain">
<summary>
Domain allowed to transition to mdadm_t
</summary>
</param>
</interface>
<interface name="mdadm_systemctl" lineno="58">
<summary>
Execute mdadm server in the mdadm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="raid_read_mdadm_pid" lineno="82">
<summary>
Read the mdadm pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_manage_mdadm_pid" lineno="108">
<summary>
Create, read, write, and delete the mdadm pid files.
</summary>
<desc>
<p>
Create, read, write, and delete the mdadm pid files.
</p>
<p>
Added for use in the init module.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_access_check_mdadm" lineno="129">
<summary>
Check access to the mdadm executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_read_conf_files" lineno="149">
<summary>
Read mdadm config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_manage_conf_files" lineno="167">
<summary>
Manage mdadm config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_filetrans_named_content" lineno="185">
<summary>
Transition to mdadm named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_relabel_mdadm_var_run_content" lineno="205">
<summary>
Relabel from mdadm_var_run_t sock file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="raid_stream_connect" lineno="224">
<summary>
Connect to raid with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rasdaemon" filename="policy/modules/contrib/rasdaemon.if">
<summary>The rasdaemon program is a daemon which monitors the RAS trace events from /sys/kernel/debug/tracing</summary>
<interface name="rasdaemon_domtrans" lineno="13">
<summary>
Execute rasdaemon in the rasdaemon domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rasdaemon_search_lib" lineno="32">
<summary>
Search rasdaemon lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rasdaemon_read_lib_files" lineno="51">
<summary>
Read rasdaemon lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rasdaemon_manage_lib_files" lineno="70">
<summary>
Manage rasdaemon lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rasdaemon_manage_lib_dirs" lineno="89">
<summary>
Manage rasdaemon lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rasdaemon_systemctl" lineno="108">
<summary>
Execute rasdaemon server in the rasdaemon domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rasdaemon_admin" lineno="136">
<summary>
All of the rules required to administrate
an rasdaemon environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="razor" filename="policy/modules/contrib/razor.if">
<summary>A distributed, collaborative, spam detection and filtering network.</summary>
<desc>
<p>
A distributed, collaborative, spam detection and filtering network.
</p>
<p>
This policy will work with either the ATrpms provided config
file in /etc/razor, or with the default of dumping everything into
$HOME/.razor.
</p>
</desc>
<template name="razor_common_domain_template" lineno="25">
<summary>
Template to create types and rules common to
all razor domains.
</summary>
<param name="prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<interface name="razor_role" lineno="122">
<summary>
Role access for razor
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="razor_domtrans" lineno="157">
<summary>
Execute razor in the system razor domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="razor_manage_user_home_files" lineno="176">
<summary>
Create, read, write, and delete razor files
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="razor_read_lib_files" lineno="196">
<summary>
Read razor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rdisc" filename="policy/modules/contrib/rdisc.if">
<summary>Network router discovery daemon.</summary>
<interface name="rdisc_exec" lineno="13">
<summary>
Execute rdisc in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rdisc_systemctl" lineno="32">
<summary>
Execute rdisc server in the rdisc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rdisc_admin" lineno="59">
<summary>
All of the rules required to administrate
an rdisc environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="readahead" filename="policy/modules/contrib/readahead.if">
<summary>Read files into page cache for improved performance.</summary>
<interface name="readahead_domtrans" lineno="14">
<summary>
Execute a domain transition
to run readahead.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="readahead_manage_pid_files" lineno="33">
<summary>
Manage readahead var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="realmd" filename="policy/modules/contrib/realmd.if">
<summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
<interface name="realmd_domtrans" lineno="13">
<summary>
Execute realmd in the realmd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="realmd_dbus_chat" lineno="33">
<summary>
Send and receive messages from
realmd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_search_cache" lineno="53">
<summary>
Search realmd cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_read_cache_files" lineno="72">
<summary>
Read realmd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_manage_cache_files" lineno="92">
<summary>
Create, read, write, and delete
realmd cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_manage_cache_dirs" lineno="111">
<summary>
Manage realmd cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_read_tmp_files" lineno="131">
<summary>
Read realmd tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_read_var_lib" lineno="150">
<summary>
Read realmd library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="realmd_dgram_send" lineno="171">
<summary>
Send to realmd over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="redis" filename="policy/modules/contrib/redis.if">
<summary>Advanced key-value store</summary>
<interface name="redis_domtrans" lineno="13">
<summary>
Execute redis server in the redis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="redis_initrc_domtrans" lineno="32">
<summary>
Execute redis server in the redis domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_read_log" lineno="50">
<summary>
Read redis's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_append_log" lineno="69">
<summary>
Append to redis log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_manage_log" lineno="88">
<summary>
Manage redis log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_search_lib" lineno="109">
<summary>
Search redis lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_read_lib_files" lineno="128">
<summary>
Read redis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_manage_lib_files" lineno="147">
<summary>
Manage redis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_manage_lib_dirs" lineno="166">
<summary>
Manage redis lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_read_pid_files" lineno="185">
<summary>
Read redis PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_stream_connect" lineno="204">
<summary>
Connect to redis over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="redis_systemctl" lineno="223">
<summary>
Execute redis server in the redis domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="redis_admin" lineno="255">
<summary>
All of the rules required to administrate
an redis environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="redis_enable_notify" dftval="false">
<desc>
<p>
Allow Redis to run redis-sentinel notification scripts.
</p>
</desc>
</tunable>
</module>
<module name="remotelogin" filename="policy/modules/contrib/remotelogin.if">
<summary>Policy for rshd, rlogind, and telnetd.</summary>
<interface name="remotelogin_domtrans" lineno="13">
<summary>
Domain transition to the remote login domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="remotelogin_signal" lineno="31">
<summary>
Allow domain to signal the remote login domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="remotelogin_signull" lineno="49">
<summary>
Allow domain to send a null signal to the remote login domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="resmgr" filename="policy/modules/contrib/resmgr.if">
<summary>Resource management daemon.</summary>
<interface name="resmgr_stream_connect" lineno="14">
<summary>
Connect to resmgrd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="resmgr_admin" lineno="40">
<summary>
All of the rules required to
administrate an resmgr environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rgmanager" filename="policy/modules/contrib/rgmanager.if">
<summary>rgmanager - Resource Group Manager</summary>
<interface name="rgmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run rgmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rgmanager_stream_connect" lineno="32">
<summary>
Connect to rgmanager over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_pid_files" lineno="51">
<summary>
Manage rgmanager pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmp_files" lineno="70">
<summary>
Allow manage rgmanager tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmpfs_files" lineno="89">
<summary>
Allow manage rgmanager tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_rw_semaphores" lineno="108">
<summary>
Allow read and write access to rgmanager semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_admin" lineno="133">
<summary>
All of the rules required to administrate
an rgmanager environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the rgmanager domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rgmanager_manage_files" lineno="173">
<summary>
Allow the specified domain to manage rgmanager's lib/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_execute_lib" lineno="196">
<summary>
Allow the specified domain to execute rgmanager's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_search_lib" lineno="216">
<summary>
Allow the specified domain to search rgmanager's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="rgmanager_can_network_connect" dftval="false">
<desc>
<p>
Allow rgmanager domain to connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="rhcd" filename="policy/modules/contrib/rhcd.if">
<summary>policy for rhcd</summary>
<interface name="rhcd_domtrans" lineno="13">
<summary>
Execute rhcd_exec_t in the rhcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcd_exec" lineno="32">
<summary>
Execute rhcd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcd_read_fifo_files" lineno="51">
<summary>
Read rhcd fifo files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcd_write_fifo_files" lineno="69">
<summary>
Write/append rhcd fifo files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcd_dgram_send" lineno="87">
<summary>
Send a message to rhcd over a datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rhcs" filename="policy/modules/contrib/rhcs.if">
<summary>RHCS - Red Hat Cluster Suite</summary>
<template name="rhcs_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
rhcs init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="rhcs_domtrans_dlm_controld" lineno="71">
<summary>
Execute a domain transition to run dlm_controld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_dlm_controld" lineno="91">
<summary>
Connect to dlm_controld over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_haproxy" lineno="111">
<summary>
Connect to haproxy over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_signull_haproxy" lineno="130">
<summary>
Send a null signal to haproxy.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_dlm_controld_semaphores" lineno="148">
<summary>
Allow read and write access to dlm_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_fenced" lineno="169">
<summary>
Execute a domain transition to run fenced.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_getattr_fenced" lineno="188">
<summary>
Allow a domain to getattr on fenced executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_fenced_semaphores" lineno="206">
<summary>
Allow read and write access to fenced semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_fenced_pid_files" lineno="227">
<summary>
Read fenced PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_fenced" lineno="246">
<summary>
Connect to fenced over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_dbus_chat_fenced" lineno="266">
<summary>
Send and receive messages from
fenced over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_haproxy" lineno="286">
<summary>
Execute a domain transition to run haproxy.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_gfs_controld" lineno="305">
<summary>
Execute a domain transition to run gfs_controld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_semaphores" lineno="324">
<summary>
Allow read and write access to gfs_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_shm" lineno="345">
<summary>
Read and write to gfs_controld_t shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_gfs_controld" lineno="366">
<summary>
Connect to gfs_controld_t over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_groupd" lineno="385">
<summary>
Execute a domain transition to run groupd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_groupd" lineno="405">
<summary>
Connect to groupd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_semaphores" lineno="424">
<summary>
Allow read and write access to groupd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_shm" lineno="445">
<summary>
Read and write to groupd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_shm" lineno="466">
<summary>
Read and write to cluster domains shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_semaphores" lineno="487">
<summary>
Read and write access to cluster domains semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_cluster" lineno="506">
<summary>
Connect to cluster domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_cluster_to" lineno="531">
<summary>
Connect to cluster domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_signull_cluster" lineno="551">
<summary>
Send a null signal to cluster.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_qdiskd" lineno="569">
<summary>
Execute a domain transition to run qdiskd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_read_qdiskd_tmpfs_files" lineno="588">
<summary>
Allow domain to read qdiskd tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_cluster_lib_files" lineno="607">
<summary>
Allow domain to read cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_lib_files" lineno="626">
<summary>
Allow domain to manage cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_relabel_cluster_lib_files" lineno="645">
<summary>
Allow domain to relabel cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_cluster" lineno="665">
<summary>
Execute a domain transition to run cluster administrative domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_initrc_domtrans_cluster" lineno="685">
<summary>
Execute cluster init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_exec_cluster" lineno="703">
<summary>
Execute cluster in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_log_cluster" lineno="722">
<summary>
Read cluster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_create_log_cluster" lineno="742">
<summary>
Allow the specified domain to create cluster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_setattr_log_cluster" lineno="761">
<summary>
Setattr cluster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_inherited_cluster_tmp_files" lineno="779">
<summary>
Allow the specified domain to read/write inherited cluster tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_tmp_files" lineno="797">
<summary>
Allow manage cluster tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_tmpfs" lineno="816">
<summary>
Allow the specified domain to read/write cluster's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_tmpfs_files" lineno="836">
<summary>
Allow manage cluster tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_cluster_pid_files" lineno="855">
<summary>
Allow read cluster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_pid_files" lineno="875">
<summary>
Allow manage cluster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_systemctl_cluster" lineno="894">
<summary>
Execute cluster server in the cluster domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_dbus_chat_cluster" lineno="919">
<summary>
Send and receive messages from
a cluster service over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_admin_cluster" lineno="948">
<summary>
All of the rules required to administrate
an cluster environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the cluster domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rhcs_start_haproxy_services" lineno="993">
<summary>
Start haproxy unit files domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_named_filetrans_log_dir" lineno="1013">
<summary>
Create log files with a named file
type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="fenced_can_network_connect" dftval="false">
<desc>
<p>
Determine whether fenced can
connect to the TCP network.
</p>
</desc>
</tunable>
<tunable name="fenced_can_ssh" dftval="false">
<desc>
<p>
Determine whether fenced can use ssh.
</p>
</desc>
</tunable>
<tunable name="cluster_can_network_connect" dftval="false">
<desc>
<p>
Allow cluster administrative domains to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="cluster_manage_all_files" dftval="false">
<desc>
<p>
Allow cluster administrative domains to manage all files on a system.
</p>
</desc>
</tunable>
<tunable name="cluster_use_execmem" dftval="false">
<desc>
<p>
Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
</p>
</desc>
</tunable>
<tunable name="haproxy_connect_any" dftval="false">
<desc>
<p>
Determine whether haproxy can
connect to all TCP ports.
</p>
</desc>
</tunable>
</module>
<module name="rhev" filename="policy/modules/contrib/rhev.if">
<summary>rhev policy module contains policies for rhev apps</summary>
<interface name="rhev_domtrans_agentd" lineno="13">
<summary>
Execute rhev-agentd in the rhev_agentd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_read_pid_files_agentd" lineno="31">
<summary>
Read rhev-agentd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_stream_connect_agentd" lineno="51">
<summary>
Connect to rhev_agentd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_sigchld_agentd" lineno="70">
<summary>
Send sigchld to rhev-agentd
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
</module>
<module name="rhgb" filename="policy/modules/contrib/rhgb.if">
<summary> Red Hat Graphical Boot </summary>
<interface name="rhgb_stub" lineno="13">
<summary>
RHGB stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
N/A
</summary>
</param>
</interface>
<interface name="rhgb_use_fds" lineno="29">
<summary>
Use a rhgb file descriptor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_getpgid" lineno="47">
<summary>
Get the process group of rhgb.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_signal" lineno="65">
<summary>
Send a signal to rhgb.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_rw_stream_sockets" lineno="83">
<summary>
Read and write to unix stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_dontaudit_rw_stream_sockets" lineno="102">
<summary>
Do not audit attempts to read and write
rhgb unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhgb_stream_connect" lineno="120">
<summary>
Connect to rhgb unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_rw_shm" lineno="138">
<summary>
Read and write to rhgb shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_use_ptys" lineno="156">
<summary>
Read from and write to the rhgb devpts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_dontaudit_use_ptys" lineno="174">
<summary>
Do not audit attempts to read from and write to the rhgb devpts.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhgb_rw_tmpfs_files" lineno="192">
<summary>
Read and write to rhgb temporary file system.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rhnsd" filename="policy/modules/contrib/rhnsd.if">
<summary>policy for rhnsd</summary>
<interface name="rhnsd_domtrans" lineno="13">
<summary>
Transition to rhnsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhnsd_initrc_domtrans" lineno="32">
<summary>
Execute rhnsd server in the rhnsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_systemctl" lineno="50">
<summary>
Execute rhnsd server in the rhnsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhnsd_manage_config" lineno="76">
<summary>
Allow the specified domain to manage
rhnsd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_read_config" lineno="97">
<summary>
Allow the specified domain to read
rhnsd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_search_conf" lineno="116">
<summary>
Allow the specified domain to search the rhnsd configuration directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_admin" lineno="142">
<summary>
All of the rules required to administrate
an rhnsd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rhsmcertd" filename="policy/modules/contrib/rhsmcertd.if">
<summary>Subscription Management Certificate Daemon policy</summary>
<interface name="rhsmcertd_domtrans" lineno="13">
<summary>
Transition to rhsmcertd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhsmcertd_initrc_domtrans" lineno="32">
<summary>
Execute rhsmcertd server in the rhsmcertd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_config_files" lineno="50">
<summary>
Read rhsmcertd's config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_config_files" lineno="70">
<summary>
Manage rhsmcertd's config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_log" lineno="90">
<summary>
Read rhsmcertd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rhsmcertd_append_log" lineno="109">
<summary>
Append to rhsmcertd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_log" lineno="128">
<summary>
Manage rhsmcertd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_search_lib" lineno="149">
<summary>
Search rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_lib_files" lineno="168">
<summary>
Read rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_files" lineno="187">
<summary>
Manage rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_dirs" lineno="206">
<summary>
Manage rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloud_what_read_cache_files" lineno="225">
<summary>
Read cloud-what cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloud_what_manage_cache_files" lineno="244">
<summary>
Manage cloud-what cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cloud_what_manage_cache_dirs" lineno="263">
<summary>
Manage cloud-what cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_pid_files" lineno="282">
<summary>
Read rhsmcertd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_pid_files" lineno="301">
<summary>
Manage rhsmcertd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_rw_inherited_lock_files" lineno="320">
<summary>
Read/write inherited lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_rw_lock_files" lineno="339">
<summary>
Read/write lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_stream_connect" lineno="359">
<summary>
Connect to rhsmcertd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dbus_chat" lineno="379">
<summary>
Send and receive messages from
rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dontaudit_dbus_chat" lineno="400">
<summary>
Do not audit attempts to send and
receive messages from rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhsmcertd_admin" lineno="428">
<summary>
All of the rules required to administrate
an rhsmcertd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ricci" filename="policy/modules/contrib/ricci.if">
<summary>Ricci cluster management agent</summary>
<interface name="ricci_domtrans" lineno="13">
<summary>
Execute a domain transition to run ricci.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_initrc_domtrans" lineno="31">
<summary>
Execute ricci server in the ricci domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modcluster" lineno="49">
<summary>
Execute a domain transition to run ricci_modcluster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_use_modcluster_fds" lineno="68">
<summary>
Do not audit attempts to use
ricci_modcluster file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_rw_modcluster_pipes" lineno="87">
<summary>
Do not audit attempts to read and write
ricci_modcluster unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ricci_stream_connect_modclusterd" lineno="105">
<summary>
Connect to ricci_modclusterd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_rw_modclusterd_tmpfs_files" lineno="124">
<summary>
Read and write to ricci_modclusterd temporary file system.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modlog" lineno="143">
<summary>
Execute a domain transition to run ricci_modlog.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modrpm" lineno="161">
<summary>
Execute a domain transition to run ricci_modrpm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modservice" lineno="179">
<summary>
Execute a domain transition to run ricci_modservice.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modstorage" lineno="197">
<summary>
Execute a domain transition to run ricci_modstorage.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_manage_lib_files" lineno="215">
<summary>
Allow the specified domain to manage ricci's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_admin" lineno="242">
<summary>
All of the rules required to administrate
a ricci environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rkhunter" filename="policy/modules/contrib/rkhunter.if">
<summary> policy for rkhunter </summary>
<interface name="rkhunter_append_lib_files" lineno="13">
<summary>
Append rkhunter lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkhunter_manage_lib_files" lineno="32">
<summary>
Manage rkhunter lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rkt" filename="policy/modules/contrib/rkt.if">
<summary>CLI for running app containers</summary>
<interface name="rkt_domtrans" lineno="13">
<summary>
Execute rkt_exec_t in the rkt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rkt_exec" lineno="32">
<summary>
Execute rkt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkt_search_lib" lineno="51">
<summary>
Search rkt lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkt_read_lib_files" lineno="70">
<summary>
Read rkt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkt_manage_lib_files" lineno="89">
<summary>
Manage rkt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkt_manage_lib_dirs" lineno="108">
<summary>
Manage rkt lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rkt_systemctl" lineno="127">
<summary>
Execute rkt server in the rkt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rkt_admin" lineno="153">
<summary>
All of the rules required to administrate
an rkt environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rlogin" filename="policy/modules/contrib/rlogin.if">
<summary>Remote login daemon.</summary>
<interface name="rlogin_domtrans" lineno="13">
<summary>
Execute rlogind in the rlogin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rlogin_read_home_content" lineno="32">
<summary>
Read rlogin user home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_manage_rlogind_home_files" lineno="54">
<summary>
Create, read, write, and delete
rlogind home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_relabel_rlogind_home_files" lineno="73">
<summary>
Relabel rlogind home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_home_filetrans_logind_home" lineno="103">
<summary>
Create objects in user home
directories with the rlogind home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="rlogin_manage_rlogind_tmp_content" lineno="122">
<summary>
Create, read, write, and delete
rlogind temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rlogin_relabel_rlogind_tmp_content" lineno="142">
<summary>
Relabel rlogind temporary content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rngd" filename="policy/modules/contrib/rngd.if">
<summary>Check and feed random data from hardware device to kernel random device.</summary>
<interface name="rng_systemctl_rngd" lineno="13">
<summary>
Execute rngd in the rngd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rng_admin" lineno="43">
<summary>
All of the rules required to
administrate an rng environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="rngd_execmem" dftval="false">
<desc>
<p>
Allow rngd_t domain to use executable memory
</p>
</desc>
</tunable>
</module>
<module name="rolekit" filename="policy/modules/contrib/rolekit.if">
<summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
<interface name="rolekit_domtrans" lineno="13">
<summary>
Execute rolekit in the rolekit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rolekit_systemctl" lineno="32">
<summary>
Execute rolekit server in the rolekit domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rolekit_manage_keys" lineno="56">
<summary>
Manage rolekit kernel keyrings.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rolekit_dbus_chat" lineno="76">
<summary>
Send and receive messages from
rolekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rolekit_admin" lineno="100">
<summary>
All of the rules required to administrate
a rolekit environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rolekit_dgram_send" lineno="132">
<summary>
Send to rolekit with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="roundup" filename="policy/modules/contrib/roundup.if">
<summary>Roundup Issue Tracking System.</summary>
<interface name="roundup_admin" lineno="20">
<summary>
All of the rules required to
administrate a roundup environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rpc" filename="policy/modules/contrib/rpc.if">
<summary>Remote Procedure Call Daemon for management of network based process communication</summary>
<interface name="rpc_stub" lineno="13">
<summary>
RPC stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="rpc_domain_template" lineno="35">
<summary>
The template to define a rpc domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new rpc daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used.
</summary>
</param>
</template>
<interface name="rpc_udp_send" lineno="76">
<summary>
Send UDP network traffic to rpc and receive UDP traffic from rpc.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_dontaudit_getattr_exports" lineno="91">
<summary>
Do not audit attempts to get the attributes
of the NFS export file.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpc_read_exports" lineno="109">
<summary>
Allow read access to exports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_write_exports" lineno="127">
<summary>
Allow write access to exports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_manage_exports" lineno="145">
<summary>
Manage nfs file exports
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_watch_exports" lineno="163">
<summary>
Watch nfs file exports
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_nfsd" lineno="182">
<summary>
Execute domain in nfsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_initrc_domtrans_nfsd" lineno="200">
<summary>
Execute domain in nfsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_systemctl_nfsd" lineno="218">
<summary>
Execute nfsd server in the nfsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_kill_rpcd" lineno="242">
<summary>
Send kill signals to rpcd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_rpcd" lineno="260">
<summary>
Execute domain in rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_run_rpcd" lineno="286">
<summary>
Execute rpcd in the rpcd domain, and
allow the specified role the rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_initrc_domtrans_rpcd" lineno="305">
<summary>
Execute domain in rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_systemctl_rpcd" lineno="323">
<summary>
Execute rpcd server in the rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_udp_rw_nfs_sockets" lineno="347">
<summary>
Allow domain to read and write to an NFS UDP socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_udp_send_nfs" lineno="365">
<summary>
Send UDP traffic to NFSd.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_search_nfs_state_data" lineno="379">
<summary>
Search NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_list_nfs_state_data" lineno="398">
<summary>
List NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_manage_nfs_state_data_dir" lineno="417">
<summary>
Manage NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_read_nfs_state_data" lineno="436">
<summary>
Read NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_manage_nfs_state_data" lineno="456">
<summary>
Manage NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_gssd" lineno="477">
<summary>
Execute domain in gssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpc_rw_gssd_keys" lineno="495">
<summary>
Write keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_filetrans_var_lib_nfs_content" lineno="513">
<summary>
Transition to rpc named content in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_admin" lineno="538">
<summary>
All of the rules required to
administrate an rpc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_read_gssd_state" lineno="582">
<summary>
Read gssd process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_gssd_noatsecure" lineno="600">
<summary>
Allow noatsecure on transitions from the specified domain to the gssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_dbus_chat_nfsd" lineno="619">
<summary>
Send and receive messages from
ganesha over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="gssd_read_tmp" dftval="true">
<desc>
<p>
Allow gssd to list tmp directories and read the kerberos credential cache.
</p>
</desc>
</tunable>
<tunable name="nfsd_anon_write" dftval="false">
<desc>
<p>
Allow nfs servers to modify public files
used for public file transfer services.  Files/Directories must be
labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="rpcd_use_fusefs" dftval="false">
<desc>
<p>
Allow rpcd_t to manage fuse files
</p>
</desc>
</tunable>
</module>
<module name="rpcbind" filename="policy/modules/contrib/rpcbind.if">
<summary>Universal Addresses to RPC Program Number Mapper</summary>
<interface name="rpcbind_domtrans" lineno="13">
<summary>
Execute a domain transition to run rpcbind.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpcbind_stream_connect" lineno="31">
<summary>
Connect to rpcbind over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_pid_files" lineno="50">
<summary>
Read rpcbind PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_search_lib" lineno="69">
<summary>
Search rpcbind lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_lib_files" lineno="88">
<summary>
Read rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_manage_lib_files" lineno="108">
<summary>
Create, read, write, and delete
rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_signull" lineno="127">
<summary>
Send a null signal to rpcbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_filetrans_named_content" lineno="145">
<summary>
Transition to rpcbind named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_relabel_sock_file" lineno="163">
<summary>
Relabel from rpcbind sock file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_admin" lineno="188">
<summary>
All of the rules required to administrate
an rpcbind environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the rpcbind domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rpm" filename="policy/modules/contrib/rpm.if">
<summary>Policy for the RPM package manager.</summary>
<interface name="rpm_domtrans" lineno="13">
<summary>
Execute rpm programs in the rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_debuginfo_domtrans" lineno="35">
<summary>
Execute debuginfo_install programs in the rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_domtrans_script" lineno="55">
<summary>
Execute rpm_script programs in the rpm_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpm_run" lineno="83">
<summary>
Execute RPM programs in the RPM domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the RPM domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpm_exec" lineno="107">
<summary>
Execute the rpm client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpmdb_domtrans_rpmdb" lineno="126">
<summary>
Execute rpmdb in the rpmdb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpmdb_run_rpmdb" lineno="151">
<summary>
Execute rpmdb in the rpmdb domain,
and allow the specified role the rpmdb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_exec" lineno="170">
<summary>
Do not audit attempts to execute rpm.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_sigkill" lineno="188">
<summary>
Send a kill signal to rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_signull" lineno="206">
<summary>
Send a null signal to rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_script_signal" lineno="224">
<summary>
Send signals to rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_use_fds" lineno="242">
<summary>
Inherit and use file descriptors from RPM.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_pipes" lineno="260">
<summary>
Read from an unnamed RPM pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_rw_pipes" lineno="278">
<summary>
Read and write an unnamed RPM pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_rw_script_inherited_pipes" lineno="296">
<summary>
Read and write an unnamed RPM script pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_leaks" lineno="314">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_dbus_chat" lineno="351">
<summary>
Send and receive messages from
rpm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_dbus_chat" lineno="372">
<summary>
Do not audit attempts to send and
receive messages from rpm over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_script_dbus_chat" lineno="393">
<summary>
Send and receive messages from
rpm_script over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_stream_connect" lineno="413">
<summary>
Connect to rpm unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_search_log" lineno="431">
<summary>
Search RPM log directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_append_log" lineno="451">
<summary>
Allow the specified domain to append
to rpm log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_log" lineno="469">
<summary>
Read the RPM log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_log" lineno="487">
<summary>
Create, read, write, and delete the RPM log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_named_filetrans" lineno="506">
<summary>
Create rpm logs with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_hawkey_named_filetrans" lineno="536">
<summary>
Create rpm hawkey logs with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_use_script_fds" lineno="555">
<summary>
Inherit and use file descriptors from RPM scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_script_tmp_files" lineno="574">
<summary>
Create, read, write, and delete RPM
script temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_append_tmp_files" lineno="596">
<summary>
Allow the specified domain to append
to rpm tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_tmp_files" lineno="615">
<summary>
Create, read, write, and delete RPM
temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_tmp_files" lineno="636">
<summary>
Read rpm temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_script_tmp_files" lineno="656">
<summary>
Read RPM script temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_cache" lineno="676">
<summary>
Read the RPM cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_cache" lineno="697">
<summary>
Create, read, write, and delete the RPM cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_read_db" lineno="718">
<summary>
Read the RPM package database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_setattr_db_files" lineno="741">
<summary>
Set the attributes of RPM package database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_delete_db" lineno="760">
<summary>
Delete the RPM package database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_db" lineno="779">
<summary>
Create, read, write, and delete the RPM package database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_read_db" lineno="800">
<summary>
Do not audit attempts to read the RPM package database.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_dontaudit_manage_db" lineno="821">
<summary>
Do not audit attempts to create, read,
write, and delete the RPM package database.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rpm_read_pid_files" lineno="842">
<summary>
Read rpm pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_manage_pid_files" lineno="861">
<summary>
Create, read, write, and delete rpm pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_pid_filetrans" lineno="880">
<summary>
Create files in /var/run with the rpm pid file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_inherited_fifo" lineno="898">
<summary>
Use fifo files inherited from rpm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_entry_type" lineno="918">
<summary>
Make rpm_exec_t an entry point for
the specified domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_transition_script" lineno="941">
<summary>
Allow application to transition to rpm_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="rpm_admin" lineno="975">
<summary>
All of the rules required to
administrate an rpm environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpm_script_ioctl_stream_sockets" lineno="1027">
<summary>
Allow the specified domain to ioctl rpm_script_t
with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpm_script_rw_stream_sockets" lineno="1046">
<summary>
Allow the specified domain read and write to rpm_script_t
over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rrdcached" filename="policy/modules/contrib/rrdcached.if">
<summary>rrdcached - Daemon that receives updates to existing RRD files, accumulates them and writes the updates to the RRD file.</summary>
<interface name="rrdcached_domtrans" lineno="13">
<summary>
Execute rrdcached_exec_t in the rrdcached domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rrdcached_exec" lineno="32">
<summary>
Execute rrdcached in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rrdcached_read_pid_files" lineno="50">
<summary>
Read rrdcached PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rrdcached_admin" lineno="77">
<summary>
All of the rules required to administrate
an rrdcached environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rshd" filename="policy/modules/contrib/rshd.if">
<summary>Remote shell service.</summary>
<interface name="rshd_domtrans" lineno="13">
<summary>
Domain transition to rshd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="rshim" filename="policy/modules/contrib/rshim.if">
<summary>policy for rshim</summary>
<interface name="rshim_domtrans" lineno="13">
<summary>
Execute rshim_exec_t in the rshim domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rshim_exec" lineno="32">
<summary>
Execute rshim in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rssh" filename="policy/modules/contrib/rssh.if">
<summary>Restricted (scp/sftp) only shell.</summary>
<interface name="rssh_role" lineno="18">
<summary>
Role access for rssh.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="rssh_spec_domtrans" lineno="46">
<summary>
Execute rssh in the rssh domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rssh_exec" lineno="66">
<summary>
Execute the rssh program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rssh_domtrans_chroot_helper" lineno="86">
<summary>
Execute a domain transition to
run rssh chroot helper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rssh_read_ro_content" lineno="105">
<summary>
Read users rssh read-only content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rsync" filename="policy/modules/contrib/rsync.if">
<summary>Fast incremental file transfer for synchronization</summary>
<interface name="rsync_stub" lineno="13">
<summary>
Rsync stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_entry_type" lineno="30">
<summary>
Make rsync an entry point for
the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which rsync is an entry point.
</summary>
</param>
</interface>
<interface name="rsync_entry_spec_domtrans" lineno="63">
<summary>
Execute rsync in a specified domain.
</summary>
<desc>
<p>
Execute rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_entry_domtrans" lineno="96">
<summary>
Execute rsync in a specified domain.
</summary>
<desc>
<p>
Execute rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_exec" lineno="115">
<summary>
Execute rsync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rsync_ioctl_stream_sockets" lineno="133">
<summary>
Allow the specified domain to ioctl an
rsync with a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_read_config" lineno="151">
<summary>
Read rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_read_data" lineno="170">
<summary>
Read rsync data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_rw_unix_stream_sockets" lineno="188">
<summary>
Read and write rsync unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_write_config" lineno="206">
<summary>
Write to rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_manage_config" lineno="225">
<summary>
Manage rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rsync_etc_filetrans_config" lineno="255">
<summary>
Create objects in etc directories
with rsync etc type.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="rsync_filetrans_named_content" lineno="273">
<summary>
Transition to rsync named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="rsync_client" dftval="false">
<desc>
<p>
Allow rsync to run as a client
</p>
</desc>
</tunable>
<tunable name="rsync_export_all_ro" dftval="false">
<desc>
<p>
Allow rsync to export any files/directories read only.
</p>
</desc>
</tunable>
<tunable name="rsync_anon_write" dftval="false">
<desc>
<p>
Allow rsync to modify public files
used for public file transfer services.  Files/Directories must be
labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="rsync_full_access" dftval="false">
<desc>
<p>
Allow rsync server to manage all files/directories on the system.
</p>
</desc>
</tunable>
<tunable name="rsync_sys_admin" dftval="false">
<desc>
<p>
Allow rsync sys_admin capability.
This capability is required to restore files
with extended attributes in the "trusted" namespace.
</p>
</desc>
</tunable>
</module>
<module name="rtas" filename="policy/modules/contrib/rtas.if">
<summary>Platform diagnostics report firmware events.</summary>
<interface name="rtas_errd_domtrans" lineno="13">
<summary>
Execute rtas_errd in the rtas_errd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtas_errd_read_log" lineno="33">
<summary>
Read rtas_errd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rtas_errd_append_log" lineno="52">
<summary>
Append to rtas_errd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_manage_log" lineno="71">
<summary>
Manage rtas_errd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_read_lock" lineno="93">
<summary>
Read rtas_errd's lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rtas_errd_rw_lock" lineno="113">
<summary>
Read and Write rtas_errd's lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rtas_errd_dontaudit_write_lock" lineno="132">
<summary>
Dontaudit attempts to write to rtas_errd's lock files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rtas_errd_read_pid_files" lineno="150">
<summary>
Read rtas_errd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_systemctl" lineno="169">
<summary>
Execute rtas_errd server in the rtas_errd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtas_errd_admin" lineno="196">
<summary>
All of the rules required to administrate
an rtas_errd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rtkit" filename="policy/modules/contrib/rtkit.if">
<summary>Realtime scheduling for user processes.</summary>
<interface name="rtkit_daemon_domtrans" lineno="13">
<summary>
Execute a domain transition to run rtkit_daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtkit_daemon_dbus_chat" lineno="32">
<summary>
Send and receive messages from
rtkit_daemon over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtkit_daemon_dontaudit_dbus_chat" lineno="53">
<summary>
Do not audit send and receive messages from
rtkit_daemon over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rtkit_scheduled" lineno="74">
<summary>
Allow rtkit to control scheduling for your process
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rwho" filename="policy/modules/contrib/rwho.if">
<summary>Who is logged in on other machines?</summary>
<interface name="rwho_domtrans" lineno="13">
<summary>
Execute a domain transition to run rwho.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rwho_search_log" lineno="32">
<summary>
Search rwho log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_log_files" lineno="51">
<summary>
Read rwho log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_search_spool" lineno="71">
<summary>
Search rwho spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_spool_files" lineno="90">
<summary>
Read rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_manage_spool_files" lineno="110">
<summary>
Create, read, write, and delete
rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_admin" lineno="136">
<summary>
All of the rules required to
administrate an rwho environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="samba" filename="policy/modules/contrib/samba.if">
<summary>
SMB and CIFS client/server programs for UNIX and
Name Service Switch daemon for resolving names
from Windows NT servers.
</summary>
<interface name="samba_domtrans_nmbd" lineno="17">
<summary>
Execute nmbd net in the nmbd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_signal_nmbd" lineno="36">
<summary>
Allow domain to signal samba
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_search_pid" lineno="53">
<summary>
Search the samba pid directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_nmbd" lineno="72">
<summary>
Connect to nmbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_initrc_domtrans" lineno="91">
<summary>
Execute samba server in the samba domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_systemctl" lineno="109">
<summary>
Execute samba server in the samba domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_service_status" lineno="133">
<summary>
Get samba services status
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_domtrans_net" lineno="151">
<summary>
Execute samba net in the samba_net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_domtrans_unconfined_net" lineno="170">
<summary>
Execute samba net in the samba_unconfined_net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_exec_net" lineno="189">
<summary>
Execute samba net in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_run_net" lineno="215">
<summary>
Execute samba net in the samba_net domain, and
allow the specified role the samba_net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_role_notrans" lineno="235">
<summary>
The role for the samba module.
</summary>
<param name="role">
<summary>
The role to be allowed the samba_net domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_run_unconfined_net" lineno="260">
<summary>
Execute samba net in the samba_unconfined_net domain, and
allow the specified role the samba_unconfined_net domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the samba_unconfined_net domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_domtrans_smbmount" lineno="279">
<summary>
Execute smbmount in the smbmount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_smbmount" lineno="305">
<summary>
Execute smbmount interactively and do
a domain transition to the smbmount domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_config" lineno="326">
<summary>
Allow the specified domain to read
samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_rw_config" lineno="348">
<summary>
Allow the specified domain to read
and write samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_manage_config" lineno="369">
<summary>
Allow the specified domain to manage
samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_log" lineno="390">
<summary>
Allow the specified domain to read samba's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_append_log" lineno="411">
<summary>
Allow the specified domain to append to samba's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_exec_log" lineno="431">
<summary>
Execute samba log in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_secrets" lineno="450">
<summary>
Allow the specified domain to read samba's secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_share_files" lineno="469">
<summary>
Allow the specified domain to read samba's shares
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_search_var" lineno="489">
<summary>
Allow the specified domain to search
samba /var directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_var_files" lineno="510">
<summary>
Allow the specified domain to
read samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_write_var_files" lineno="531">
<summary>
Do not audit attempts to write samba
/var files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_create_var_files" lineno="550">
<summary>
Allow the specified domain to
create samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_rw_var_files" lineno="569">
<summary>
Allow the specified domain to
read and write samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_var_files" lineno="591">
<summary>
Allow the specified domain to
manage samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_var_dirs" lineno="615">
<summary>
Allow the specified domain to
manage samba /var directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_var_sock_files" lineno="635">
<summary>
Manage samba var sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbcontrol" lineno="654">
<summary>
Execute a domain transition to run smbcontrol.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_smbcontrol" lineno="679">
<summary>
Execute smbcontrol in the smbcontrol domain, and
allow the specified role the smbcontrol domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbd" lineno="698">
<summary>
Execute smbd in the smbd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_setattr_samba_share_dirs" lineno="717">
<summary>
Set attributes of samba_share directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signal_smbd" lineno="735">
<summary>
Allow domain to signal samba
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signull_smbd" lineno="752">
<summary>
Allow domain to signull samba
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_use_fds" lineno="769">
<summary>
Do not audit attempts to use file descriptors from samba.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_write_smbmount_tcp_sockets" lineno="787">
<summary>
Allow the specified domain to write to smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_rw_smbmount_tcp_sockets" lineno="805">
<summary>
Allow the specified domain to read and write to smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_getattr_winbind" lineno="823">
<summary>
Allow the specified domain to getattr the winbind binary.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_domtrans_winbind_helper" lineno="841">
<summary>
Execute winbind_helper in the winbind_helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_winbind_helper" lineno="867">
<summary>
Execute winbind_helper in the winbind_helper domain, and
allow the specified role the winbind_helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_winbind_pid" lineno="886">
<summary>
Allow the specified domain to read the winbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_winbind_pid" lineno="905">
<summary>
Manage winbind  PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signull_winbind" lineno="926">
<summary>
Allow domain to signull winbind
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signull_unconfined_net" lineno="943">
<summary>
Allow domain to signull samba_unconfined_net
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_winbind" lineno="960">
<summary>
Connect to winbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="samba_helper_template" lineno="993">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="samba_admin" lineno="1030">
<summary>
All of the rules required to administrate
a samba environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the samba domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_domtrans_winbind_rpcd" lineno="1113">
<summary>
Execute winbind rpcd in the winbind_rpcd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_exec_bgqd" lineno="1132">
<summary>
Execute samba-bgqd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="smbd_anon_write" dftval="false">
<desc>
<p>
Allow samba to modify public files used for public file
transfer services.  Files/Directories must be labeled
public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="samba_create_home_dirs" dftval="false">
<desc>
<p>
Allow samba to create new home directories (e.g. via PAM)
</p>
</desc>
</tunable>
<tunable name="samba_domain_controller" dftval="false">
<desc>
<p>
Allow samba to act as the domain controller, add users,
groups and change passwords.

</p>
</desc>
</tunable>
<tunable name="samba_portmapper" dftval="false">
<desc>
<p>
Allow samba to act as a portmapper

</p>
</desc>
</tunable>
<tunable name="samba_enable_home_dirs" dftval="false">
<desc>
<p>
Allow samba and winbind-rpcd to share users home directories.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_ro" dftval="false">
<desc>
<p>
Allow samba to share any file/directory read only.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_rw" dftval="false">
<desc>
<p>
Allow samba to share any file/directory read/write.
</p>
</desc>
</tunable>
<tunable name="samba_run_unconfined" dftval="false">
<desc>
<p>
Allow samba to run unconfined scripts
</p>
</desc>
</tunable>
<tunable name="samba_share_nfs" dftval="false">
<desc>
<p>
Allow samba to export NFS volumes.
</p>
</desc>
</tunable>
<tunable name="samba_share_fusefs" dftval="false">
<desc>
<p>
Allow samba to export ntfs/fusefs volumes.
</p>
</desc>
</tunable>
<tunable name="samba_load_libgfapi" dftval="false">
<desc>
<p>
Allow smbd to load libgfapi from gluster.
</p>
</desc>
</tunable>
</module>
<module name="sambagui" filename="policy/modules/contrib/sambagui.if">
<summary>system-config-samba dbus service.</summary>
</module>
<module name="samhain" filename="policy/modules/contrib/samhain.if">
<summary>Check file integrity.</summary>
<template name="samhain_service_template" lineno="13">
<summary>
The template to define a samhain domain.
</summary>
<param name="domain_prefix">
<summary>
Domain prefix to be used.
</summary>
</param>
</template>
<interface name="samhain_domtrans" lineno="40">
<summary>
Execute samhain in the samhain domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samhain_run" lineno="84">
<summary>
Execute samhain in the samhain
domain with the clearance security
level and allow the specified role
the samhain domain.
</summary>
<desc>
<p>
Execute samhain in the samhain
domain with the clearance security
level and allow the specified role
the samhain domain.
</p>
<p>
The range_transition rule used in
this interface requires that the
calling domain should have the
clearance security level otherwise
the MLS constraint for process
transition would fail.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed to access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samhain_manage_config_files" lineno="109">
<summary>
Create, read, write, and delete
samhain configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_db_files" lineno="129">
<summary>
Create, read, write, and delete
samhain database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_init_script_files" lineno="149">
<summary>
Create, read, write, and delete
samhain init script files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_log_files" lineno="169">
<summary>
Create, read, write, and delete
samhain log and log.lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_manage_pid_files" lineno="189">
<summary>
Create, read, write, and delete
samhain pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samhain_admin" lineno="215">
<summary>
All of the rules required to
administrate the samhain environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sandbox" filename="policy/modules/contrib/sandbox.if">
<summary>policy for sandbox</summary>
<interface name="sandbox_transition" lineno="19">
<summary>
Execute sandbox in the sandbox domain, and
allow the specified role the sandbox domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the sandbox domain.
</summary>
</param>
</interface>
<interface name="sandbox_dyntransition" lineno="49">
<summary>
Execute sandbox in the sandbox domain, and
allow the specified role the sandbox domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<template name="sandbox_domain_template" lineno="68">
<summary>
Creates types and rules for a basic
sandbox process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
</module>
<module name="sandboxX" filename="policy/modules/contrib/sandboxX.if">
<summary>policy for sandboxX </summary>
<interface name="sandbox_x_transition" lineno="19">
<summary>
Execute sandbox in the sandbox domain, and
allow the specified role the sandbox domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the sandbox domain.
</summary>
</param>
</interface>
<template name="sandbox_x_domain_template" lineno="77">
<summary>
Creates types and rules for a basic
sandbox process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="sandbox_rw_xserver_tmpfs_files" lineno="153">
<summary>
allow domain to read,
write sandbox_xserver tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_read_tmpfs_files" lineno="172">
<summary>
allow domain to read
sandbox tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_manage_tmpfs_files" lineno="191">
<summary>
allow domain to manage
sandbox tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_delete_files" lineno="209">
<summary>
Delete sandbox files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_manage_content" lineno="227">
<summary>
Manage sandbox content
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_delete_lnk_files" lineno="250">
<summary>
Delete sandbox symbolic links
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_delete_pipes" lineno="268">
<summary>
Delete sandbox fifo files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_delete_sock_files" lineno="286">
<summary>
Delete sandbox sock files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_setattr_dirs" lineno="305">
<summary>
Allow domain to set the attributes
of the sandbox directory.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_delete_dirs" lineno="323">
<summary>
Delete sandbox directories
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_list" lineno="341">
<summary>
allow domain to list sandbox dirs
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="sandbox_use_ptys" lineno="359">
<summary>
Read and write a sandbox domain pty.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sandbox_exec_file" lineno="377">
<summary>
Allow domain to execute sandbox_file_t in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sandbox_dontaudit_mounton" lineno="395">
<summary>
Do not audit attempts to mount on sandbox_file_t.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="sanlock" filename="policy/modules/contrib/sanlock.if">
<summary>Sanlock - lock manager built on shared storage.</summary>
<interface name="sanlock_domtrans" lineno="14">
<summary>
Execute a domain transition to run sanlock.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_initrc_domtrans" lineno="33">
<summary>
Execute sanlock server in the sanlock domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="sanlock_manage_pid_files" lineno="51">
<summary>
Create, read, write, and delete sanlock PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_stream_connect" lineno="70">
<summary>
Connect to sanlock over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_systemctl" lineno="89">
<summary>
Execute sanlock server in the sanlock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sanlock_admin" lineno="120">
<summary>
All of the rules required to administrate
an sanlock environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sanlock_domtrans_sanlk_resetd" lineno="153">
<summary>
Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sanlock_exec_sanlk_resetd" lineno="172">
<summary>
Execute sanlk_resetd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_systemctl_sanlk_resetd" lineno="191">
<summary>
Execute sanlk_resetd server in the sanlk_resetd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sanlock_admin_sanlk_resetd" lineno="216">
<summary>
All of the rules required to administrate
an sanlk_resetd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_read_state" lineno="251">
<summary>
Read sanlock process state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="sanlock_use_nfs" dftval="false">
<desc>
<p>
Allow sanlock to manage nfs files
</p>
</desc>
</tunable>
<tunable name="sanlock_use_samba" dftval="false">
<desc>
<p>
Allow sanlock to manage cifs files
</p>
</desc>
</tunable>
<tunable name="sanlock_use_fusefs" dftval="false">
<desc>
<p>
Allow sanlock to read/write fuse files
</p>
</desc>
</tunable>
<tunable name="sanlock_enable_home_dirs" dftval="false">
<desc>
<p>
Allow sanlock to read/write user home directories.
</p>
</desc>
</tunable>
</module>
<module name="sap" filename="policy/modules/contrib/sap.if">
<summary>SAP policy</summary>
<interface name="sap_exec" lineno="13">
<summary>
Execute sap in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sap_unconfined_domtrans" lineno="32">
<summary>
Execute sap in sap unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="sasl" filename="policy/modules/contrib/sasl.if">
<summary>SASL authentication server</summary>
<interface name="sasl_connect" lineno="13">
<summary>
Connect to SASL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sasl_admin" lineno="39">
<summary>
All of the rules required to administrate
an sasl environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="saslauthd_read_shadow" dftval="false">
<desc>
<p>
Allow sasl to read shadow
</p>
</desc>
</tunable>
</module>
<module name="sbd" filename="policy/modules/contrib/sbd.if">
<summary>policy for sbd</summary>
<interface name="sbd_domtrans" lineno="13">
<summary>
Execute sbd_exec_t in the sbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sbd_exec" lineno="32">
<summary>
Execute sbd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sbd_read_pid_files" lineno="50">
<summary>
Read sbd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sbd_systemctl" lineno="69">
<summary>
Execute sbd server in the sbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sbd_admin" lineno="101">
<summary>
All of the rules required to administrate
an sbd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sblim" filename="policy/modules/contrib/sblim.if">
<summary> Standards Based Linux Instrumentation for Manageability. </summary>
<template name="sblim_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
sblim daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="sblim_domtrans_gatherd" lineno="41">
<summary>
Transition to gatherd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sblim_read_pid_files" lineno="60">
<summary>
Read gatherd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_filetrans_named_content" lineno="79">
<summary>
Transition to sblim named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_stream_connect_sfcbd" lineno="97">
<summary>
Connect to sblim_sfcb over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_getattr_exec_sfcbd" lineno="118">
<summary>
Getattr on sblim executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_stream_connect_sfcb" lineno="137">
<summary>
Connect to sblim_sfcb over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_rw_semaphores_sfcbd" lineno="156">
<summary>
Allow read and write access to sblim semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_admin" lineno="177">
<summary>
All of the rules required to administrate
an gatherd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="screen" filename="policy/modules/contrib/screen.if">
<summary>GNU terminal multiplexer</summary>
<template name="screen_role_template" lineno="24">
<summary>
The role template for the screen module.
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<template name="screen_admin_role_template" lineno="123">
<summary>
The admin role template for the screen module
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="screen_exec" lineno="142">
<summary>
Execute the screen program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="screen_sigchld" lineno="160">
<summary>
Send a SIGCHLD signal to the screen domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="screen_allow_session_sharing" dftval="false">
<desc>
<p>
Determine whether screen can
use fsetid/setuid/setgid capability.
</p>
</desc>
</tunable>
</module>
<module name="sectoolm" filename="policy/modules/contrib/sectoolm.if">
<summary>Sectool security audit tool</summary>
</module>
<module name="sendmail" filename="policy/modules/contrib/sendmail.if">
<summary>Policy for sendmail.</summary>
<interface name="sendmail_stub" lineno="13">
<summary>
Sendmail stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_rw_pipes" lineno="30">
<summary>
Allow attempts to read and write to
sendmail unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_domtrans" lineno="48">
<summary>
Domain transition to sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sendmail_initrc_domtrans" lineno="66">
<summary>
Execute sendmail in the sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_run" lineno="90">
<summary>
Execute the sendmail program in the sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the sendmail domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_signal" lineno="109">
<summary>
Send generic signals to sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_domtrans_unconfined" lineno="127">
<summary>
Execute sendmail in the sendmail_unconfined domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sendmail_run_unconfined" lineno="155">
<summary>
Execute sendmail in the unconfined
sendmail domain, and allow the
specified role the unconfined
sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_rw_tcp_sockets" lineno="174">
<summary>
Read and write sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_tcp_sockets" lineno="193">
<summary>
Do not audit attempts to read and write
sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_rw_unix_stream_sockets" lineno="211">
<summary>
Read and write sendmail unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_unix_stream_sockets" lineno="230">
<summary>
Do not audit attempts to read and write
sendmail unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_read_log" lineno="249">
<summary>
Read sendmail logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_manage_log" lineno="269">
<summary>
Create, read, write, and delete sendmail logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_create_log" lineno="288">
<summary>
Create sendmail logs with the correct type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_log_filetrans_sendmail_log" lineno="313">
<summary>
Create specified objects in generic
log directories with the sendmail log file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="sendmail_manage_tmp_files" lineno="331">
<summary>
Manage sendmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_setattr_pid_files" lineno="350">
<summary>
Set the attributes of sendmail pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_admin" lineno="376">
<summary>
All of the rules required to administrate
an sendmail environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sensord" filename="policy/modules/contrib/sensord.if">
<summary>Sensor information logging daemon</summary>
<interface name="sensord_domtrans" lineno="13">
<summary>
Execute sensord in the sensord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sensord_systemctl" lineno="31">
<summary>
Execute sensord server in the sensord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sensord_admin" lineno="58">
<summary>
All of the rules required to administrate
an sensord environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="setroubleshoot" filename="policy/modules/contrib/setroubleshoot.if">
<summary>SELinux troubleshooting service</summary>
<interface name="setroubleshoot_stream_connect" lineno="13">
<summary>
Connect to setroubleshootd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_stream_connect" lineno="34">
<summary>
Dontaudit attempts to connect to setroubleshootd
over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_signull" lineno="53">
<summary>
Send null signals to setroubleshoot.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat" lineno="72">
<summary>
Send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_dbus_chat" lineno="93">
<summary>
Do not audit send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat_fixit" lineno="114">
<summary>
Send and receive messages from
setroubleshoot fixit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_fixit_dontaudit_leaks" lineno="134">
<summary>
Do not audit attempts to read and write setroubleshoot leaked sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_admin" lineno="155">
<summary>
All of the rules required to administrate
an setroubleshoot environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sge" filename="policy/modules/contrib/sge.if">
<summary>Policy for gridengine MPI jobs</summary>
<template name="sge_basic_types_template" lineno="14">
<summary>
Creates types and rules for a basic
sge domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="sge_rw_tcp_sockets" lineno="35">
<summary>
read/write sge_shepherd per tcp_socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="sge_use_nfs" dftval="false">
<desc>
<p>
Allow sge to access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="sge_domain_can_network_connect" dftval="false">
<desc>
<p>
Allow sge to connect to the network using any TCP port
</p>
</desc>
</tunable>
</module>
<module name="shorewall" filename="policy/modules/contrib/shorewall.if">
<summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
<interface name="shorewall_domtrans" lineno="13">
<summary>
Execute a domain transition to run shorewall.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shorewall_lib_domtrans" lineno="31">
<summary>
Execute a domain transition to run shorewall.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shorewall_read_config" lineno="49">
<summary>
Read shorewall etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_read_lib_files" lineno="68">
<summary>
Read shorewall /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_rw_lib_files" lineno="88">
<summary>
Read and write shorewall /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_read_tmp_files" lineno="108">
<summary>
Read shorewall tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shorewall_admin" lineno="134">
<summary>
All of the rules required to administrate
an shorewall environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the shorewall domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="shutdown" filename="policy/modules/contrib/shutdown.if">
<summary>System shutdown command</summary>
<interface name="shutdown_domtrans" lineno="13">
<summary>
Execute a domain transition to run shutdown.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="shutdown_run" lineno="53">
<summary>
Execute shutdown in the shutdown domain, and
allow the specified role the shutdown domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="shutdown_role" lineno="78">
<summary>
Role access for shutdown
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="shutdown_send_sigchld" lineno="99">
<summary>
Receive sigchld from shutdown
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="shutdown_dbus_chat" lineno="118">
<summary>
Send and receive messages from
shutdown over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="shutdown_getattr_exec_files" lineno="138">
<summary>
Get attributes of shutdown executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="slocate" filename="policy/modules/contrib/slocate.if">
<summary>Update database for mlocate.</summary>
<interface name="slocate_create_append_log" lineno="13">
<summary>
Create the locate log with append mode.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="locate_read_lib_files" lineno="27">
<summary>
Read locate lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="slpd" filename="policy/modules/contrib/slpd.if">
<summary>OpenSLP server daemon to dynamically register services.</summary>
<interface name="slpd_domtrans" lineno="13">
<summary>
Transition to slpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="slpd_initrc_domtrans" lineno="32">
<summary>
Execute slpd server in the slpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="slpd_admin" lineno="57">
<summary>
All of the rules required to
administrate an slpd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="slrnpull" filename="policy/modules/contrib/slrnpull.if">
<summary>Service for downloading news feeds for the slrn newsreader.</summary>
<interface name="slrnpull_search_spool" lineno="13">
<summary>
Search slrnpull spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="slrnpull_manage_spool" lineno="33">
<summary>
Create, read, write, and delete
slrnpull spool content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="smartmon" filename="policy/modules/contrib/smartmon.if">
<summary>Smart disk monitoring daemon.</summary>
<interface name="smartmon_read_tmp_files" lineno="13">
<summary>
Read smartmon temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smartmon_admin" lineno="39">
<summary>
All of the rules required to
administrate an smartmon environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="smartmon_3ware" dftval="false">
<desc>
<p>
Determine whether smartmon can support
devices on 3ware controllers.
</p>
</desc>
</tunable>
</module>
<module name="smokeping" filename="policy/modules/contrib/smokeping.if">
<summary>Smokeping network latency measurement.</summary>
<interface name="smokeping_domtrans" lineno="13">
<summary>
Execute a domain transition to run smokeping.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smokeping_initrc_domtrans" lineno="33">
<summary>
Execute smokeping init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smokeping_read_pid_files" lineno="51">
<summary>
Read smokeping pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_pid_files" lineno="71">
<summary>
Create, read, write, and delete
smokeping pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_getattr_lib_files" lineno="90">
<summary>
Get attributes of smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_read_lib_files" lineno="109">
<summary>
Read smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_lib_files" lineno="129">
<summary>
Create, read, write, and delete
smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_admin" lineno="155">
<summary>
All of the rules required to
administrate a smokeping environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="smoltclient" filename="policy/modules/contrib/smoltclient.if">
<summary>The Fedora hardware profiler client.</summary>
</module>
<module name="smsd" filename="policy/modules/contrib/smsd.if">
<summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>
<interface name="smsd_domtrans" lineno="13">
<summary>
Execute smsd in the smsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smsd_initrc_domtrans" lineno="32">
<summary>
Execute smsd server in the smsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_read_log" lineno="50">
<summary>
Read smsd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_append_log" lineno="69">
<summary>
Append to smsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_log" lineno="88">
<summary>
Manage smsd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_read_pid_files" lineno="108">
<summary>
Read smsd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_search_spool" lineno="127">
<summary>
Search smsd spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_read_spool_files" lineno="146">
<summary>
Read smsd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_spool_files" lineno="165">
<summary>
Manage smsd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_spool_dirs" lineno="184">
<summary>
Manage smsd spool dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_admin" lineno="210">
<summary>
All of the rules required to administrate
an smsd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="smstools" filename="policy/modules/contrib/smstools.if">
<summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
<interface name="smsd_search_lib" lineno="13">
<summary>
Search smsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_read_lib_files" lineno="32">
<summary>
Read smsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_lib_files" lineno="51">
<summary>
Manage smsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_lib_dirs" lineno="70">
<summary>
Manage smsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smstools_admin" lineno="96">
<summary>
All of the rules required to
administrate an smstools environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snapper" filename="policy/modules/contrib/snapper.if">
<summary>policy for snapperd</summary>
<interface name="snapper_domtrans" lineno="13">
<summary>
Execute snapperd in the snapperd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="snapper_dbus_chat" lineno="33">
<summary>
Send and receive messages from
snapperd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snapper_read_inherited_pipe" lineno="53">
<summary>
Allow a domain to read inherited snapper pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snapper_relabel_snapshots" lineno="71">
<summary>
Allow a domain to relabel snapshots to snapperd_data_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snapper_filetrans_named_content" lineno="90">
<summary>
Allow domain to create .snapshot
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="snmp" filename="policy/modules/contrib/snmp.if">
<summary>Simple network management protocol services.</summary>
<interface name="snmp_signull" lineno="13">
<summary>
Send null signals to snmp.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_stream_connect" lineno="32">
<summary>
Connect to snmpd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_tcp_connect" lineno="51">
<summary>
Connect to snmp over the TCP network.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_udp_chat" lineno="72">
<summary>
Send and receive UDP traffic to SNMP  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_read_snmp_var_lib_files" lineno="86">
<summary>
Read snmpd lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_read_snmp_var_lib_dirs" lineno="107">
<summary>
Read snmpd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_dirs" lineno="126">
<summary>
Manage snmpd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_files" lineno="144">
<summary>
Manage snmpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_sock_files" lineno="164">
<summary>
Manage snmpd lib socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_manage_snmp_var_lib_files" lineno="185">
<summary>
Do not audit attempts to manage
snmpd lib content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_read_snmp_var_lib_files" lineno="206">
<summary>
Do not audit attempts to read
snmpd lib content.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_write_snmp_var_lib_files" lineno="227">
<summary>
Do not audit attempts to write
snmpd lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_admin" lineno="252">
<summary>
All of the rules required to
administrate an snmp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snort" filename="policy/modules/contrib/snort.if">
<summary>Snort network intrusion detection system.</summary>
<interface name="snort_domtrans" lineno="13">
<summary>
Execute a domain transition to run snort.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="snort_admin" lineno="39">
<summary>
All of the rules required to
administrate an snort environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sosreport" filename="policy/modules/contrib/sosreport.if">
<summary>Generate debugging information for system.</summary>
<interface name="sosreport_domtrans" lineno="13">
<summary>
Execute a domain transition to run sosreport.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sosreport_run" lineno="39">
<summary>
Execute sosreport in the sosreport
domain, and allow the specified
role the sosreport domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_role" lineno="63">
<summary>
Role access for sosreport.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="sosreport_read_tmp_files" lineno="84">
<summary>
Read sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_append_tmp_files" lineno="103">
<summary>
Append sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_delete_tmp_files" lineno="122">
<summary>
Delete sosreport temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_signull" lineno="141">
<summary>
Send a null signal to sosreport.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_dbus_chat" lineno="160">
<summary>
Send and receive messages from
sosreport over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sosreport_dgram_send" lineno="180">
<summary>
Send a message to sosreport over the datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="soundserver" filename="policy/modules/contrib/soundserver.if">
<summary>sound server for network audio server programs, nasd, yiff, etc</summary>
<interface name="soundserver_tcp_connect" lineno="13">
<summary>
Connect to the sound server over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="soundserver_admin" lineno="34">
<summary>
All of the rules required to
administrate an soundd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="spamassassin" filename="policy/modules/contrib/spamassassin.if">
<summary>Filter used for removing unsolicited email.</summary>
<interface name="spamassassin_role" lineno="19">
<summary>
Role access for spamassassin
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="spamassassin_exec" lineno="57">
<summary>
Execute the standalone spamassassin
program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_signal_spamd" lineno="75">
<summary>
Signal the spamassassin daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_exec_spamd" lineno="94">
<summary>
Execute the spamassassin daemon
program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_client" lineno="112">
<summary>
Execute spamassassin client in the spamassassin client domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="spamassassin_kill_client" lineno="131">
<summary>
Send kill signal to spamassassin client
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_home_client" lineno="149">
<summary>
Manage spamc home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_home_client" lineno="170">
<summary>
Read spamc home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_exec_client" lineno="192">
<summary>
Execute the spamassassin client
program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_local_client" lineno="210">
<summary>
Execute spamassassin standalone client in the user spamassassin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="spamassassin_read_lib_files" lineno="228">
<summary>
Read spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_lib_files" lineno="250">
<summary>
Create, read, write, and delete
spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_spamd_tmp_files" lineno="269">
<summary>
Read temporary spamd file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="289">
<summary>
Do not audit attempts to get attributes of temporary
spamd sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="spamd_stream_connect" lineno="307">
<summary>
Connect to spamd over a stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed to connect.
</summary>
</param>
</interface>
<interface name="spamassassin_read_pid_files" lineno="326">
<summary>
Read spamd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_filetrans_home_content" lineno="345">
<summary>
Transition to spamassassin named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_filetrans_admin_home_content" lineno="366">
<summary>
Transition to spamassassin named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_spamd_admin" lineno="394">
<summary>
All of the rules required to administrate
an spamassassin environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the spamassassin domain.
</summary>
</param>
</interface>
<interface name="spamassassin_systemctl" lineno="438">
<summary>
Execute spamassassin server in the spamassassin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="spamassassin_can_network" dftval="false">
<desc>
<p>
Allow user spamassassin clients to use the network.
</p>
</desc>
</tunable>
<!-- Review note: dftval="true", so spamd's read/write access to user home
     directories is on unless an administrator turns this boolean off.
     On hosts where spamd does not need per-user state, disabling it narrows
     what the spamd domain can touch; check the live value with getsebool. -->
<tunable name="spamd_enable_home_dirs" dftval="true">
<desc>
<p>
Allow spamd to read/write user home directories.
</p>
</desc>
</tunable>
<tunable name="spamd_update_can_network" dftval="false">
<desc>
<p>
Allow spamd_update to connect to all ports.
</p>
</desc>
</tunable>
</module>
<module name="speech-dispatcher" filename="policy/modules/contrib/speech-dispatcher.if">
<summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
<interface name="speech_dispatcher_domtrans" lineno="13">
<summary>
Execute speech-dispatcher in the speech_dispatcher domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="speech_dispatcher_read_log" lineno="32">
<summary>
Read speech-dispatcher's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="speech_dispatcher_append_log" lineno="51">
<summary>
Append to speech-dispatcher log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="speech_dispatcher_manage_log" lineno="70">
<summary>
Manage speech-dispatcher log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="speech_dispatcher_systemctl" lineno="90">
<summary>
Execute speech-dispatcher server in the speech_dispatcher domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="speech_dispatcher_admin" lineno="118">
<summary>
All of the rules required to administrate
an speech-dispatcher environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="squid" filename="policy/modules/contrib/squid.if">
<summary>Squid caching http proxy server.</summary>
<interface name="squid_domtrans" lineno="13">
<summary>
Execute squid in the squid domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="squid_exec" lineno="32">
<summary>
Execute squid in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_signal" lineno="51">
<summary>
Send generic signals to squid.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_rw_stream_sockets" lineno="70">
<summary>
Read and write squid unix
domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_dontaudit_search_cache" lineno="89">
<summary>
Do not audit attempts to search
squid cache directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="squid_read_config" lineno="108">
<summary>
Read squid configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_read_log" lineno="128">
<summary>
Read squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_append_log" lineno="147">
<summary>
Append squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_manage_logs" lineno="168">
<summary>
Create, read, write, and delete
squid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_use" lineno="187">
<summary>
Use squid services by connecting over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_admin" lineno="208">
<summary>
All of the rules required to
administrate an squid environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<!-- Review note: off by default (dftval="false"). Per the description, enabling
     it lets squid connect to all TCP ports, so SELinux no longer narrows which
     destinations the proxy can reach (presumably a labelled port subset when
     off; confirm against the loaded policy). Leave it off unless there is a
     documented need, and rely on squid ACLs and firewalling if it is enabled. -->
<tunable name="squid_connect_any" dftval="false">
<desc>
<p>
Determine whether squid can
connect to all TCP ports.
</p>
</desc>
</tunable>
<tunable name="squid_use_tproxy" dftval="false">
<desc>
<p>
Determine whether squid can run
as a transparent proxy.
</p>
</desc>
</tunable>
<tunable name="squid_bind_snmp_port" dftval="false">
<desc>
<p>
Determine whether squid should
have access to snmp port.
</p>
</desc>
</tunable>
</module>
<module name="sslh" filename="policy/modules/contrib/sslh.if">
<summary>policy for sslh</summary>
<interface name="sslh_domtrans" lineno="13">
<summary>
Execute sslh in the sslh domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sslh_systemctl" lineno="32">
<summary>
Execute sslh server in the sslh domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sslh_read_config" lineno="57">
<summary>
Permit the reading of sslh config files
</summary>
<param name="domain">
<summary>
Domain allowed to access.
</summary>
</param>
</interface>
<interface name="sslh_write_config" lineno="78">
<summary>
Permit the creation and writing of sslh config files
</summary>
<param name="domain">
<summary>
Domain allowed to configure.
</summary>
</param>
</interface>
<interface name="sslh_admin" lineno="107">
<summary>
All of the rules required to
administrate an sslh environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<!-- Review note: off by default (dftval="false"). The description states that
     with this off sslh is restricted to the standard http, openvpn and jabber
     ports; turning it on removes that SELinux restriction on outbound
     connections, leaving only the sslh configuration and any firewall rules
     to limit which backends the multiplexer can reach. -->
<tunable name="sslh_can_connect_any_port" dftval="false">
<desc>
<p>
Determine whether sslh can connect
to any tcp port or if it is restricted
to the standard http, openvpn and jabber ports.
</p>
</desc>
</tunable>
<tunable name="sslh_can_bind_any_port" dftval="false">
<desc>
<p>
Determine whether sslh can listen
on any tcp port or if it is restricted
to the standard http.
</p>
</desc>
</tunable>
</module>
<module name="sssd" filename="policy/modules/contrib/sssd.if">
<summary>System Security Services Daemon</summary>
<interface name="sssd_getattr_exec" lineno="13">
<summary>
Allow a domain to getattr on sssd binary.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_domtrans" lineno="31">
<summary>
Execute a domain transition to run sssd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_initrc_domtrans" lineno="49">
<summary>
Execute sssd server in the sssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_systemctl" lineno="67">
<summary>
Execute sssd server in the sssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_read_config" lineno="91">
<summary>
Read sssd configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_write_config" lineno="111">
<summary>
Write sssd configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_create_config" lineno="130">
<summary>
Create sssd configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_config" lineno="149">
<summary>
Manage sssd configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_public_files" lineno="168">
<summary>
Read sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_delete_public_files" lineno="189">
<summary>
Delete sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_read_public_files" lineno="208">
<summary>
Do not audit attempts to read sssd public files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_manage_public_files" lineno="226">
<summary>
Manage sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_pid_files" lineno="245">
<summary>
Read sssd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_pids" lineno="264">
<summary>
Manage sssd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_search_lib" lineno="284">
<summary>
Search sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_search_lib" lineno="303">
<summary>
Do not audit attempts to search sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_read_lib" lineno="321">
<summary>
Do not audit attempts to read sssd lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_read_lib_files" lineno="339">
<summary>
Read sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_lib_files" lineno="360">
<summary>
Create, read, write, and delete
sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dbus_chat" lineno="382">
<summary>
Send and receive messages from
sssd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_stream_connect" lineno="402">
<summary>
Connect to sssd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_stream_connect" lineno="421">
<summary>
Do not audit attempts to connect to sssd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_run_sssd" lineno="447">
<summary>
Execute sssd in the sssd domain, and
allow the specified role the sssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sssd_run_stream_connect" lineno="467">
<summary>
Connect to sssd over a unix stream socket in /var/run.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_run_stream_connect" lineno="486">
<summary>
Do not audit attempts to connect to sssd over a unix stream socket in /var/run.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_manage_keys" lineno="505">
<summary>
Manage keys for all user domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_rw_inherited_pipes" lineno="525">
<summary>
Read and write inherited
sssd pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_signal" lineno="543">
<summary>
Allow caller to signal sssd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_signull" lineno="561">
<summary>
Allow caller to signull sssd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_filetrans_named_content" lineno="579">
<summary>
Transition to sssd named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_admin" lineno="614">
<summary>
All of the rules required to administrate
an sssd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the sssd domain.
</summary>
</param>
<rolecap/>
</interface>
<!-- Review note: off by default (dftval="false"). Per the description, enabling
     it grants sssd read, view and write access to kernel keys of type kernel_t.
     Treat that as a privilege expansion for a daemon that handles
     authentication data and enable it only where a deployment requires it. -->
<tunable name="sssd_access_kernel_keys" dftval="false">
<desc>
<p>
Allow sssd read, view, and write access to kernel keys with kernel_t type
</p>
</desc>
</tunable>
<tunable name="sssd_connect_all_unreserved_ports" dftval="false">
<desc>
<p>
Allow sssd to connect to all unreserved ports.
</p>
</desc>
</tunable>
<tunable name="sssd_use_usb" dftval="false">
<desc>
<p>
Allow sssd to use USB devices.
</p>
</desc>
</tunable>
</module>
<module name="stalld" filename="policy/modules/contrib/stalld.if">
<summary>policy for stalld</summary>
<interface name="stalld_domtrans" lineno="13">
<summary>
Execute stalld_exec_t in the stalld domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="stalld_exec" lineno="32">
<summary>
Execute stalld in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stalld_read_pid_files" lineno="51">
<summary>
Read stalld PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stalld_admin" lineno="77">
<summary>
All of the rules required to administrate
an stalld environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="stapserver" filename="policy/modules/contrib/stapserver.if">
<summary> Instrumentation System Server </summary>
<interface name="stapserver_domtrans" lineno="13">
<summary>
Execute stapserver in the stapserver domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="stapserver_read_log" lineno="32">
<summary>
Read stapserver's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="stapserver_append_log" lineno="51">
<summary>
Append to stapserver log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_manage_log" lineno="70">
<summary>
Manage stapserver log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_read_pid_files" lineno="90">
<summary>
Read stapserver PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_manage_lib" lineno="109">
<summary>
Manage stapserver lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_admin" lineno="130">
<summary>
All of the rules required to administrate
an stapserver environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="stratisd" filename="policy/modules/contrib/stratisd.if">
<summary>Daemon to create and monitor storage pools</summary>
<interface name="stratisd_dbus_chat" lineno="14">
<summary>
Send and receive messages from
stratisd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stratisd_domtrans" lineno="34">
<summary>
Execute stratisd_exec_t in the stratisd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="stratisd_exec" lineno="53">
<summary>
Execute stratisd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stratisd_read_pid_files" lineno="72">
<summary>
Read stratisd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stratisd_admin" lineno="98">
<summary>
All of the rules required to administrate
an stratisd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="stratisd_data_read_lnk_files" lineno="129">
<summary>
Read stratisd data symlinks
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stratisd_data_list_dirs" lineno="147">
<summary>
List stratisd data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="stunnel" filename="policy/modules/contrib/stunnel.if">
<summary>SSL Tunneling Proxy.</summary>
<interface name="stunnel_service_domain" lineno="18">
<summary>
Define the specified domain as a stunnel inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the stunnel inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="stunnel_read_config" lineno="37">
<summary>
Read stunnel configuration content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="svnserve" filename="policy/modules/contrib/svnserve.if">
<summary>policy for svnserve</summary>
<interface name="svnserve_domtrans" lineno="14">
<summary>
Transition to svnserve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="svnserve_initrc_domtrans" lineno="34">
<summary>
Execute svnserve server in the svnserve domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="svnserve_systemctl" lineno="52">
<summary>
Execute svnserve server in the svnserve domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="svnserve_read_pid_files" lineno="76">
<summary>
Read svnserve PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="svnserve_admin" lineno="97">
<summary>
All of the rules required to administrate
an svnserve environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="swift" filename="policy/modules/contrib/swift.if">
<summary>policy for swift</summary>
<interface name="swift_domtrans" lineno="13">
<summary>
Execute swift in the swift domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="swift_read_pid_files" lineno="32">
<summary>
Read swift PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_manage_data_files" lineno="51">
<summary>
Manage swift data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_manage_lock" lineno="71">
<summary>
Read and write swift lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_filetrans_named_lock" lineno="90">
<summary>
Transition content labels to swift named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_systemctl" lineno="108">
<summary>
Execute swift server in the swift domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="swift_admin" lineno="135">
<summary>
All of the rules required to administrate
a swift environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="swift_can_network" dftval="false">
<desc>
<p>
Determine whether swift can
connect to all TCP ports
</p>
</desc>
</tunable>
</module>
<module name="switcheroo" filename="policy/modules/contrib/switcheroo.if">
<summary>switcheroo: D-Bus service to check dual GPU availability</summary>
</module>
<module name="sxid" filename="policy/modules/contrib/sxid.if">
<summary>SUID/SGID program monitoring.</summary>
<interface name="sxid_read_log" lineno="14">
<summary>
Read sxid log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sysstat" filename="policy/modules/contrib/sysstat.if">
<summary>Reports on various system states.</summary>
<interface name="sysstat_manage_log" lineno="15">
<summary>
Create, read, write, and delete
sysstat log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysstat_admin" lineno="41">
<summary>
All of the rules required to
administrate a sysstat environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sysstat_domtrans" lineno="68">
<summary>
Execute sysstat_exec_t in the sysstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="tangd" filename="policy/modules/contrib/tangd.if">
<summary>policy for tangd</summary>
<interface name="tangd_domtrans" lineno="13">
<summary>
Execute tangd_exec_t in the tangd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tangd_exec" lineno="32">
<summary>
Execute tangd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tangd_read_db_files" lineno="52">
<summary>
Read the contents of the tangd
database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="targetd" filename="policy/modules/contrib/targetd.if">
<summary>Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools.</summary>
<interface name="targetd_domtrans" lineno="13">
<summary>
Execute targetd_exec_t in the targetd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="targetd_exec" lineno="32">
<summary>
Execute targetd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="targetd_search_conf" lineno="51">
<summary>
Search targetd conf directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="targetd_read_conf_files" lineno="70">
<summary>
Read targetd conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="targetd_manage_conf_files" lineno="90">
<summary>
Manage targetd conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="targetd_systemctl" lineno="109">
<summary>
Execute targetd server in the targetd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="targetd_admin" lineno="141">
<summary>
All of the rules required to administrate
a targetd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="targetcli_filetrans_admin_home_content" lineno="177">
<summary>
Transition to targetcli named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tcpd" filename="policy/modules/contrib/tcpd.if">
<summary>TCP daemon.</summary>
<interface name="tcpd_domtrans" lineno="13">
<summary>
Execute tcpd in the tcpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcpd_wrapped_domain" lineno="38">
<summary>
Create a domain for services that
utilize tcp wrappers.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="tcpd_rw_tcp_sockets" lineno="58">
<summary>
Read and write tcpd server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tcsd" filename="policy/modules/contrib/tcsd.if">
<summary>TSS Core Services daemon.</summary>
<interface name="tcsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run tcsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcsd_initrc_domtrans" lineno="33">
<summary>
Execute tcsd init scripts in the
initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tcsd_search_lib" lineno="51">
<summary>
Search tcsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_manage_lib_dirs" lineno="71">
<summary>
Create, read, write, and delete
tcsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_read_lib_files" lineno="90">
<summary>
Read tcsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_manage_lib_files" lineno="110">
<summary>
Create, read, write, and delete
tcsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tcsd_admin" lineno="136">
<summary>
All of the rules required to
administrate a tcsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="telepathy" filename="policy/modules/contrib/telepathy.if">
<summary>Telepathy communications framework.</summary>
<template name="telepathy_domain_template" lineno="14">
<summary>
Creates basic types for telepathy
domain
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<template name="telepathy_role" lineno="54">
<summary>
Role access for telepathy domains
that execute via dbus-session
</summary>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
<param name="domain_prefix">
<summary>
User domain prefix to be used.
</summary>
</param>
</template>
<interface name="telepathy_gabble_stream_connect" lineno="99">
<summary>
Stream connect to Telepathy Gabble
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_gabble_stream_connect_to" lineno="123">
<summary>
Allow Telepathy Gabble to stream connect to a domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_gabble_dbus_chat" lineno="142">
<summary>
Send DBus messages to and from
Telepathy Gabble.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_mission_control_read_state" lineno="162">
<summary>
Read telepathy mission control state.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_msn_stream_connect" lineno="181">
<summary>
Stream connect to telepathy MSN managers
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_salut_stream_connect" lineno="200">
<summary>
Stream connect to Telepathy Salut
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_dbus_chat" lineno="220">
<summary>
Send DBus messages to and from
all Telepathy domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_command_domtrans" lineno="260">
<summary>
Execute telepathy executable
in the specified domain.
</summary>
<desc>
<p>
Execute a telepathy executable
in the specified domain.  This allows
the specified domain to execute any file
on these filesystems in the specified
domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="telepathy_filetrans_home_content" lineno="287">
<summary>
Create telepathy content in the user home directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="telepathy_exec" lineno="329">
<summary>
Execute telepathy in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="telepathy_tcp_connect_generic_network_ports" dftval="false">
<desc>
<p>
Allow the Telepathy connection managers
to connect to any generic TCP port.
</p>
</desc>
</tunable>
<tunable name="telepathy_connect_all_ports" dftval="false">
<desc>
<p>
Allow the Telepathy connection managers
to connect to any network port.
</p>
</desc>
</tunable>
</module>
<module name="telnet" filename="policy/modules/contrib/telnet.if">
<summary>Telnet daemon.</summary>
<interface name="telnet_use_ptys" lineno="13">
<summary>
Read and write telnetd pty devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tftp" filename="policy/modules/contrib/tftp.if">
<summary>Trivial file transfer protocol daemon</summary>
<interface name="tftp_read_content" lineno="13">
<summary>
Read tftp content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_search_rw_content" lineno="38">
<summary>
Search tftp /var/lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_read_rw_content" lineno="57">
<summary>
Allow reading tftp /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_write_rw_content" lineno="76">
<summary>
Allow writing tftp /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_manage_rw_content" lineno="95">
<summary>
Manage tftp /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_delete_content_dirs" lineno="115">
<summary>
Manage tftp /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_read_config" lineno="134">
<summary>
Read tftp config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_manage_config" lineno="152">
<summary>
Manage tftp config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_filetrans_tftpdir" lineno="182">
<summary>
Create objects in tftpdir directories
with specified types.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
</interface>
<interface name="tftp_filetrans_named_content" lineno="201">
<summary>
Transition to tftp named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_admin" lineno="221">
<summary>
All of the rules required to administrate
a tftp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tftp_anon_write" dftval="false">
<desc>
<p>
Allow tftp to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="tftp_home_dir" dftval="false">
<desc>
<p>
Allow tftp to read and write files in the user home directories
</p>
</desc>
</tunable>
</module>
<module name="tgtd" filename="policy/modules/contrib/tgtd.if">
<summary>Linux Target Framework Daemon.</summary>
<interface name="tgtd_rw_semaphores" lineno="13">
<summary>
Read and write tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_manage_semaphores" lineno="32">
<summary>
Create, read, write, and delete
tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_stream_connect" lineno="51">
<summary>
Connect to tgtd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_admin" lineno="77">
<summary>
All of the rules required to
administrate a tgtd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="thin" filename="policy/modules/contrib/thin.if">
<summary>thin policy</summary>
<template name="thin_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
thin daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="thin_exec" lineno="38">
<summary>
Execute mongod in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="thin_stream_connect" lineno="57">
<summary>
Connect to thin over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="thumb" filename="policy/modules/contrib/thumb.if">
<summary>policy for thumb</summary>
<interface name="thumb_domtrans" lineno="13">
<summary>
Transition to thumb.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="thumb_nnp_domtrans" lineno="33">
<summary>
NNP Transition to thumb.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="thumb_run" lineno="58">
<summary>
Execute thumb in the thumb domain, and
allow the specified role the thumb domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the thumb domain.
</summary>
</param>
</interface>
<interface name="thumb_role" lineno="92">
<summary>
Role access for thumb
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="thumb_dbus_chat" lineno="118">
<summary>
Send and receive messages from
thumb over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="thumb_filetrans_home_content" lineno="140">
<summary>
Create thumb content in the user home directory
with a correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="thunderbird" filename="policy/modules/contrib/thunderbird.if">
<summary>Thunderbird email client.</summary>
<interface name="thunderbird_role" lineno="18">
<summary>
Role access for thunderbird.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="thunderbird_domtrans" lineno="52">
<summary>
Execute thunderbird in the thunderbird domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="timedatex" filename="policy/modules/contrib/timedatex.if">
<summary>timedatex - D-Bus service for system clock and RTC settings</summary>
<interface name="timedatex_domtrans" lineno="13">
<summary>
Execute timedatex_exec_t in the timedatex domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="timedatex_dbus_chat" lineno="33">
<summary>
Send and receive messages from
timedatex over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="timedatex_exec" lineno="53">
<summary>
Execute timedatex in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="timidity" filename="policy/modules/contrib/timidity.if">
<summary>MIDI to WAV converter and player configured as a service.</summary>
</module>
<module name="tlp" filename="policy/modules/contrib/tlp.if">
<summary>policy for tlp</summary>
<interface name="tlp_domtrans" lineno="13">
<summary>
Execute tlp_exec_t in the tlp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tlp_exec" lineno="32">
<summary>
Execute tlp in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_filetrans_named_content" lineno="51">
<summary>
Transition to tlp named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_search_conf" lineno="69">
<summary>
Search tlp conf directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_read_conf_files" lineno="88">
<summary>
Read tlp conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_manage_conf_files" lineno="108">
<summary>
Manage tlp conf files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_systemctl" lineno="127">
<summary>
Execute tlp server in the tlp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tlp_manage_pid_files" lineno="151">
<summary>
Read all dbus pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tlp_admin" lineno="177">
<summary>
All of the rules required to administrate
a tlp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tmpreaper" filename="policy/modules/contrib/tmpreaper.if">
<summary>Manage temporary directory sizes and file ages.</summary>
<interface name="tmpreaper_exec" lineno="13">
<summary>
Execute tmpreaper in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="tmpreaper_use_nfs" dftval="false">
<desc>
<p>
Determine whether tmpreaper can use
nfs file systems.
</p>
</desc>
</tunable>
<tunable name="tmpreaper_use_cifs" dftval="false">
<desc>
<p>
Determine whether tmpreaper can use
cifs file systems.
</p>
</desc>
</tunable>
<tunable name="tmpreaper_use_samba" dftval="false">
<desc>
<p>
Determine whether tmpreaper can use samba_share files
</p>
</desc>
</tunable>
</module>
<module name="tomcat" filename="policy/modules/contrib/tomcat.if">
<summary>policy for tomcat</summary>
<template name="tomcat_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
tomcat daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="tomcat_domtrans" lineno="88">
<summary>
Transition to tomcat.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tomcat_search_cache" lineno="107">
<summary>
Search tomcat cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_cache_files" lineno="126">
<summary>
Read tomcat cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_cache_files" lineno="146">
<summary>
Create, read, write, and delete
tomcat cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_cache_dirs" lineno="165">
<summary>
Manage tomcat cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_log" lineno="185">
<summary>
Read tomcat's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tomcat_append_log" lineno="204">
<summary>
Append to tomcat log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_log" lineno="223">
<summary>
Manage tomcat log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_search_lib" lineno="244">
<summary>
Search tomcat lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_lib_files" lineno="263">
<summary>
Read tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_lib_files" lineno="282">
<summary>
Manage tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_lib_dirs" lineno="301">
<summary>
Manage tomcat lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_pid_files" lineno="320">
<summary>
Read tomcat PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_systemctl" lineno="339">
<summary>
Execute tomcat server in the tomcat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tomcat_admin" lineno="366">
<summary>
All of the rules required to administrate
a tomcat environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tomcat_read_rpm_db" dftval="false">
<desc>
<p>
Allow tomcat to read rpm database.
</p>
</desc>
</tunable>
<tunable name="tomcat_use_execmem" dftval="false">
<desc>
<p>
Allow tomcat to use executable memory and executable stack
</p>
</desc>
</tunable>
<tunable name="tomcat_can_network_connect_db" dftval="false">
<desc>
<p>
Allow tomcat to connect to databases over the network.
</p>
</desc>
</tunable>
</module>
<module name="tor" filename="policy/modules/contrib/tor.if">
<summary>The onion router.</summary>
<interface name="tor_domtrans" lineno="13">
<summary>
Execute a domain transition to run tor.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tor_systemctl" lineno="32">
<summary>
Execute tor server in the tor domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tor_admin" lineno="63">
<summary>
All of the rules required to
administrate a tor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tor_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether tor can bind
tcp and udp sockets to all unreserved ports.
</p>
</desc>
</tunable>
<tunable name="tor_can_network_relay" dftval="false">
<desc>
<p>
Allow tor to act as a relay
</p>
</desc>
</tunable>
<tunable name="tor_can_onion_services" dftval="false">
<desc>
<p>
Allow tor to run onion services
</p>
</desc>
</tunable>
</module>
<module name="transproxy" filename="policy/modules/contrib/transproxy.if">
<summary>Portable Transparent Proxy Solution.</summary>
<interface name="transproxy_admin" lineno="20">
<summary>
All of the rules required to
administrate a transproxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tripwire" filename="policy/modules/contrib/tripwire.if">
<summary>File integrity checker.</summary>
<interface name="tripwire_domtrans_tripwire" lineno="13">
<summary>
Execute tripwire in the tripwire domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_tripwire" lineno="40">
<summary>
Execute tripwire in the tripwire
domain, and allow the specified
role the tripwire domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_twadmin" lineno="59">
<summary>
Execute twadmin in the twadmin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_twadmin" lineno="86">
<summary>
Execute twadmin in the twadmin
domain, and allow the specified
role the twadmin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_twprint" lineno="105">
<summary>
Execute twprint in the twprint domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_twprint" lineno="132">
<summary>
Execute twprint in the twprint
domain, and allow the specified
role the twprint domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tripwire_domtrans_siggen" lineno="151">
<summary>
Execute siggen in the siggen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tripwire_run_siggen" lineno="178">
<summary>
Execute siggen in the siggen domain,
and allow the specified role
the siggen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tuned" filename="policy/modules/contrib/tuned.if">
<summary>Dynamic adaptive system tuning daemon.</summary>
<interface name="tuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run tuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tuned_exec" lineno="32">
<summary>
Execute tuned in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_read_etc_files" lineno="51">
<summary>
Read tuned etc files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_read_pid_files" lineno="70">
<summary>
Read tuned pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_manage_pid_files" lineno="90">
<summary>
Create, read, write, and delete
tuned pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_initrc_domtrans" lineno="110">
<summary>
Execute tuned init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tuned_admin" lineno="135">
<summary>
All of the rules required to
administrate a tuned environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tuned_dbus_chat" lineno="173">
<summary>
Send and receive messages from tuned over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="tvtime" filename="policy/modules/contrib/tvtime.if">
<summary>High quality television application.</summary>
<interface name="tvtime_filetrans_home_content" lineno="13">
<summary>
Transition to alsa named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tvtime_role" lineno="36">
<summary>
Role access for tvtime
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
</module>
<module name="tzdata" filename="policy/modules/contrib/tzdata.if">
<summary>Time zone updater.</summary>
<interface name="tzdata_domtrans" lineno="13">
<summary>
Execute a domain transition to run tzdata.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tzdata_run" lineno="40">
<summary>
Execute tzdata in the tzdata domain,
and allow the specified role
the tzdata domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ucspitcp" filename="policy/modules/contrib/ucspitcp.if">
<summary>UNIX Client-Server Program Interface for TCP.</summary>
<interface name="ucspitcp_service_domain" lineno="18">
<summary>
Define a specified domain as a ucspitcp service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
</module>
<module name="ulogd" filename="policy/modules/contrib/ulogd.if">
<summary>Iptables/netfilter userspace logging daemon.</summary>
<interface name="ulogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ulogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ulogd_read_config" lineno="33">
<summary>
Read ulogd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_read_log" lineno="53">
<summary>
Read ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_search_log" lineno="73">
<summary>
Search ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ulogd_append_log" lineno="93">
<summary>
Append to ulogd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_admin" lineno="120">
<summary>
All of the rules required to
administrate a ulogd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uml" filename="policy/modules/contrib/uml.if">
<summary>User mode linux tools and services.</summary>
<interface name="uml_role" lineno="18">
<summary>
Role access for uml.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="uml_setattr_util_sockets" lineno="55">
<summary>
Set attributes of uml pid sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uml_manage_util_files" lineno="74">
<summary>
Create, read, write, and delete
uml pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="updfstab" filename="policy/modules/contrib/updfstab.if">
<summary>Red Hat utility to change fstab.</summary>
<interface name="updfstab_domtrans" lineno="13">
<summary>
Execute updfstab in the updfstab domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="uptime" filename="policy/modules/contrib/uptime.if">
<summary>Daemon to record and keep track of system up times.</summary>
<interface name="uptime_admin" lineno="20">
<summary>
All of the rules required to
administrate an uptime environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="usbmodules" filename="policy/modules/contrib/usbmodules.if">
<summary>List kernel modules of USB devices.</summary>
<interface name="usbmodules_domtrans" lineno="13">
<summary>
Execute usbmodules in the usbmodules domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmodules_run" lineno="40">
<summary>
Execute usbmodules in the usbmodules
domain, and allow the specified
role the usbmodules domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="usbmuxd" filename="policy/modules/contrib/usbmuxd.if">
<summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.</summary>
<interface name="usbmuxd_domtrans" lineno="13">
<summary>
Execute a domain transition to run usbmuxd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmuxd_stream_connect" lineno="33">
<summary>
Connect to usbmuxd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="usbmuxd_systemctl" lineno="52">
<summary>
Execute usbmuxd server in the usbmuxd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmuxd_admin" lineno="83">
<summary>
All of the rules required to administrate
a usbmuxd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the usbmuxd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="userhelper" filename="policy/modules/contrib/userhelper.if">
<summary>SELinux utility to run a shell with a new role</summary>
<template name="userhelper_role_template" lineno="24">
<summary>
The role template for the userhelper module.
</summary>
<param name="userrole_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="user_role">
<summary>
The user role.
</summary>
</param>
<param name="user_domain">
<summary>
The user domain associated with the role.
</summary>
</param>
</template>
<interface name="userhelper_search_config" lineno="169">
<summary>
Search the userhelper configuration directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_dontaudit_search_config" lineno="188">
<summary>
Do not audit attempts to search
the userhelper configuration directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userhelper_dontaudit_write_config" lineno="207">
<summary>
Do not audit attempts to write
the userhelper configuration files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="userhelper_use_fd" lineno="225">
<summary>
Allow domain to use userhelper file descriptor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_sigchld" lineno="243">
<summary>
Allow domain to send sigchld to userhelper.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="userhelper_exec" lineno="261">
<summary>
Execute the userhelper program in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="userhelper_console_role_template" lineno="296">
<summary>
The role template for the consolehelper module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for consolehelper applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="userhelper_exec_consolehelper" lineno="354">
<summary>
Execute the consolehelper program
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="usernetctl" filename="policy/modules/contrib/usernetctl.if">
<summary>User network interface configuration helper.</summary>
<interface name="usernetctl_domtrans" lineno="13">
<summary>
Execute usernetctl in the usernetctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usernetctl_run" lineno="40">
<summary>
Execute usernetctl in the usernetctl
domain, and allow the specified role
the usernetctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uucp" filename="policy/modules/contrib/uucp.if">
<summary>Unix to Unix Copy.</summary>
<interface name="uucp_domtrans" lineno="13">
<summary>
Execute uucico in the uucpd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uucp_append_log" lineno="32">
<summary>
Append uucp log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_manage_spool" lineno="53">
<summary>
Create, read, write, and delete
uucp spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_domtrans_uux" lineno="74">
<summary>
Execute uux in the uux_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uucp_admin" lineno="95">
<summary>
All of the rules required to
administrate a uucp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uuidd" filename="policy/modules/contrib/uuidd.if">
<summary>UUID generation daemon.</summary>
<interface name="uuidd_domtrans" lineno="13">
<summary>
Execute uuidd in the uuidd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uuidd_initrc_domtrans" lineno="33">
<summary>
Execute uuidd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uuidd_search_lib" lineno="51">
<summary>
Search uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_lib_files" lineno="70">
<summary>
Read uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_files" lineno="90">
<summary>
Create, read, write, and delete
uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_dirs" lineno="110">
<summary>
Create, read, write, and delete
uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_pid_files" lineno="129">
<summary>
Read uuidd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_stream_connect_manager" lineno="149">
<summary>
Connect to uuidd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_admin" lineno="176">
<summary>
All of the rules required to
administrate a uuidd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uwimap" filename="policy/modules/contrib/uwimap.if">
<summary>University of Washington IMAP toolkit POP3 and IMAP mail server.</summary>
<interface name="uwimap_domtrans" lineno="13">
<summary>
Execute imapd in the imapd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="varnishd" filename="policy/modules/contrib/varnishd.if">
<summary>Varnishd http accelerator daemon.</summary>
<interface name="varnishd_domtrans" lineno="13">
<summary>
Execute varnishd in the varnishd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="varnishd_exec" lineno="32">
<summary>
Execute varnishd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_config" lineno="51">
<summary>
Read varnishd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_lib_files" lineno="70">
<summary>
Read varnish lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_log" lineno="90">
<summary>
Read varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_append_log" lineno="109">
<summary>
Append varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_manage_log" lineno="129">
<summary>
Create, read, write, and delete
varnish log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_admin_varnishlog" lineno="155">
<summary>
All of the rules required to
administrate a varnishlog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="varnishd_admin" lineno="197">
<summary>
All of the rules required to
administrate a varnishd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="varnishd_connect_any" dftval="false">
<desc>
<p>
Determine whether varnishd can
use the full TCP network.
</p>
</desc>
</tunable>
</module>
<module name="vbetool" filename="policy/modules/contrib/vbetool.if">
<summary>Run real-mode video BIOS code to alter hardware state.</summary>
<interface name="vbetool_domtrans" lineno="13">
<summary>
Execute vbetool in the vbetool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vbetool_run" lineno="39">
<summary>
Execute vbetool in the vbetool
domain, and allow the specified
role the vbetool domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="vbetool_mmap_zero_ignore" dftval="false">
<desc>
<p>
Determine whether attempts by
vbetool to mmap low regions should
be silently blocked.
</p>
</desc>
</tunable>
</module>
<module name="vdagent" filename="policy/modules/contrib/vdagent.if">
<summary>Spice agent for Linux.</summary>
<interface name="vdagent_domtrans" lineno="13">
<summary>
Execute a domain transition to run vdagent.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vdagent_getattr_exec_files" lineno="32">
<summary>
Get attributes of vdagent executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_getattr_log" lineno="50">
<summary>
Get attributes of vdagent log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_read_pid_files" lineno="69">
<summary>
Read vdagent pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_stream_connect" lineno="89">
<summary>
Connect to vdagent with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_admin" lineno="114">
<summary>
All of the rules required to
administrate a vdagent environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="vhostmd" filename="policy/modules/contrib/vhostmd.if">
<summary>Virtual host metrics daemon.</summary>
<interface name="vhostmd_domtrans" lineno="13">
<summary>
Execute a domain transition to run vhostmd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vhostmd_initrc_domtrans" lineno="33">
<summary>
Execute vhostmd init scripts in
the initrc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vhostmd_read_tmpfs_files" lineno="51">
<summary>
Read vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_read_tmpfs_files" lineno="71">
<summary>
Do not audit attempts to read
vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="vhostmd_rw_tmpfs_files" lineno="89">
<summary>
Read and write vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_tmpfs_files" lineno="109">
<summary>
Create, read, write, and delete
vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_read_pid_files" lineno="128">
<summary>
Read vhostmd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_pid_files" lineno="148">
<summary>
Create, read, write, and delete
vhostmd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_stream_connect" lineno="168">
<summary>
Connect to vhostmd with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_rw_stream_connect" lineno="188">
<summary>
Do not audit attempts to read and
write vhostmd unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="vhostmd_admin" lineno="213">
<summary>
All of the rules required to
administrate a vhostmd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="virt" filename="policy/modules/contrib/virt.if">
<summary>Libvirt virtualization API</summary>
<interface name="virt_stub_lxc" lineno="13">
<summary>
virtd_lxc_t stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stub_svirt_sandbox_domain" lineno="29">
<summary>
svirt_sandbox_domain attribute stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stub_container_image" lineno="45">
<summary>
container_file_t stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stub_svirt_sandbox_file" lineno="51">
<summary>
Summary is missing!
</summary>
<param name="?">
<summary>
Parameter descriptions are missing!
</summary>
</param>
</interface>
<template name="virt_domain_template" lineno="69">
<summary>
Creates types and rules for a basic
qemu process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="virt_image" lineno="112">
<summary>
Make the specified type usable as a virt image
</summary>
<param name="type">
<summary>
Type to be used as a virtual image
</summary>
</param>
</interface>
<interface name="virt_getattr_exec" lineno="134">
<summary>
Getattr on virt executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_domtrans" lineno="152">
<summary>
Execute a domain transition to run virt.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_exec" lineno="170">
<summary>
Execute virtd in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_domtrans_bridgehelper" lineno="187">
<summary>
Transition to virt_bridgehelper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_prog_run_bpf" lineno="205">
<summary>
Allow caller domain to run bpftool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stream_connect" lineno="224">
<summary>
Connect to virt over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stream_connect_svirt" lineno="243">
<summary>
Connect to svirt process over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rw_stream_sockets_svirt" lineno="263">
<summary>
Read and write to svirt unix
stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_attach_tun_iface" lineno="281">
<summary>
Allow domain to attach to virt TUN devices
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_attach_sandbox_tun_iface" lineno="300">
<summary>
Allow domain to attach to virt sandbox TUN devices
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_config" lineno="319">
<summary>
Read virt config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_config" lineno="340">
<summary>
Manage virt config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_getattr_content" lineno="361">
<summary>
Allow domain to get the attributes of virt content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_content" lineno="379">
<summary>
Allow domain to read virt content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_write_content" lineno="417">
<summary>
Allow domain to write virt image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_pid_symlinks" lineno="435">
<summary>
Read virt PID symlink files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_pid_files" lineno="454">
<summary>
Read virt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_pid_dirs" lineno="474">
<summary>
Manage virt pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_pid_files" lineno="496">
<summary>
Manage virt pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_pid_filetrans" lineno="534">
<summary>
Create objects in the pid directory
with a private type with a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file">
<summary>
Type to which the created node will be transitioned.
</summary>
</param>
<param name="class">
<summary>
Object class(es) (single or set including {}) for which
the transition will occur.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="virt_search_lib" lineno="552">
<summary>
Search virt lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_lib_files" lineno="571">
<summary>
Read virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_dontaudit_read_lib_files" lineno="592">
<summary>
Do not audit attempts to read inherited virt lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_manage_lib_files" lineno="611">
<summary>
Create, read, write, and delete
virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_log" lineno="631">
<summary>
Allow the specified domain to read virt's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_append_log" lineno="651">
<summary>
Allow the specified domain to append
virt log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_log" lineno="670">
<summary>
Allow domain to manage virt log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_getattr_images" lineno="690">
<summary>
Allow domain to getattr virt image directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_search_images" lineno="709">
<summary>
Allow domain to search virt image directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_images" lineno="728">
<summary>
Allow domain to read virt image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_blk_images" lineno="765">
<summary>
Allow domain to read virt blk image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rw_chr_files" lineno="783">
<summary>
Allow domain to read/write virt image chr files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_cache" lineno="802">
<summary>
Create, read, write, and delete
svirt cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_images" lineno="823">
<summary>
Allow domain to manage virt image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_default_image_type" lineno="848">
<summary>
Allow domain to manage virt image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_systemctl" lineno="870">
<summary>
Execute virt server in the virt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_ptrace" lineno="894">
<summary>
Ptrace the svirt domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_exec_sandbox_files" lineno="912">
<summary>
Execute Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_sandbox_entrypoint" lineno="931">
<summary>
Allow any svirt_file_type to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_list_sandbox_dirs" lineno="948">
<summary>
List Sandbox Dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_sandbox_files" lineno="966">
<summary>
Read Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_sandbox_files" lineno="986">
<summary>
Manage Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_getattr_sandbox_filesystem" lineno="1009">
<summary>
Getattr Sandbox File systems
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_relabel_sandbox_filesystem" lineno="1027">
<summary>
Relabel Sandbox File systems
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_mounton_sandbox_file" lineno="1045">
<summary>
Mounton Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stream_connect_sandbox" lineno="1063">
<summary>
Connect to virt over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_transition_svirt" lineno="1091">
<summary>
Execute qemu in the svirt domain, and
allow the specified role the svirt domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the sandbox domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_dontaudit_write_pipes" lineno="1125">
<summary>
Do not audit attempts to write virt daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_kill_svirt" lineno="1144">
<summary>
Send a sigkill to virtual machines
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_kill" lineno="1162">
<summary>
Send a sigkill to virtd daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_signal" lineno="1180">
<summary>
Send a signal to virtd daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_signull" lineno="1198">
<summary>
Send null signal to virtd daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_signal_svirt" lineno="1216">
<summary>
Send a signal to virtual machines
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_signal_sandbox" lineno="1234">
<summary>
Send a signal to sandbox domains
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_home_files" lineno="1252">
<summary>
Manage virt home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_tmpfs_files" lineno="1272">
<summary>
Allow domain to read
virt tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="virt_manage_tmpfs_files" lineno="1291">
<summary>
Allow domain to manage
virt tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="virt_filetrans_home_content" lineno="1310">
<summary>
Create .virt directory in the user home directory
with the correct label.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_dontaudit_read_chr_dev" lineno="1340">
<summary>
Do not audit attempts to read virt_image_type devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="virt_sandbox_domain_template" lineno="1359">
<summary>
Creates types and rules for a basic
virt_lxc process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<template name="virt_sandbox_domain" lineno="1391">
<summary>
Make the specified type usable as a lxc domain
</summary>
<param name="type">
<summary>
Type to be used as a lxc domain
</summary>
</param>
</template>
<template name="virt_sandbox_net_domain" lineno="1409">
<summary>
Make the specified type usable as a lxc network domain
</summary>
<param name="type">
<summary>
Type to be used as a lxc network domain
</summary>
</param>
</template>
<interface name="virt_exec_qemu" lineno="1428">
<summary>
Execute a qemu_exec_t in the caller's domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_filetrans_named_content" lineno="1446">
<summary>
Transition to virt named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_transition_svirt_sandbox" lineno="1474">
<!-- NOTE(review): this summary is word-for-word the one on
     virt_transition_svirt (svirt domain), while the interface name and the
     role parameter below refer to the sandbox domain. Confirm which domain
     the transition and role grant actually target before calling it. -->
<summary>
Execute qemu in the svirt domain, and
allow the specified role the svirt domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the sandbox domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_sandbox_read_state" lineno="1499">
<summary>
Read the process state of virt sandbox containers
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rw_svirt_dev" lineno="1517">
<summary>
Read and write to svirt_image devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rw_svirt_image" lineno="1535">
<summary>
Read and write to svirt_image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_rlimitinh" lineno="1553">
<!-- NOTE(review): the summary below is identical to the one on
     virt_rw_svirt_dev and does not match this interface's name, which
     suggests the rlimitinh process permission (inheriting resource limits
     across a domain transition). Confirm the granted access against the
     interface body at the lineno above before relying on this text. -->
<summary>
Read and write to svirt_image devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_noatsecure" lineno="1571">
<!-- NOTE(review): the summary below is identical to the one on
     virt_rw_svirt_dev and does not match this interface's name, which
     suggests the noatsecure process permission. That permission controls
     whether secure-mode (AT_SECURE) environment sanitisation applies across
     a domain transition, so treat callers of this interface as
     security-sensitive and confirm the rule in the interface body. -->
<summary>
Read and write to svirt_image devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_admin" lineno="1596">
<summary>
All of the rules required to administrate
a virt environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_default_capabilities" lineno="1641">
<!-- NOTE(review): neither the summary ("Getattr on virt executable") nor
     the parameter text ("allowed to transition") matches the interface
     name; both look copied from other interfaces. Confirm what this
     interface grants from its body before using it in a policy module. -->
<summary>
Getattr on virt executable.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_dbus_chat" lineno="1661">
<summary>
Send and receive messages from
virt over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_sandbox_domtrans" lineno="1697">
<summary>
Execute a file in a sandbox directory
in the specified domain.
</summary>
<desc>
<p>
Execute a file in a sandbox directory
in the specified domain.  This allows
the specified domain to execute any file
on these filesystems in the specified
domain.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the new process.
</summary>
</param>
</interface>
<interface name="virt_dontaudit_read_state" lineno="1715">
<summary>
Do not audit attempts to read the process state (/proc/pid) of libvirt.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_dgram_send" lineno="1735">
<summary>
Send to libvirt with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_svirt_write_tmp" lineno="1754">
<summary>
Write svirt tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_svirt_manage_tmp" lineno="1772">
<summary>
Manage svirt tmp files, dirs and sockfiles.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_qemu_pid_files" lineno="1792">
<summary>
Read qemu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_write_qemu_pid_files" lineno="1812">
<summary>
Write qemu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_create_qemu_pid_files" lineno="1831">
<summary>
Create qemu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_qemu_pid_sock_files" lineno="1850">
<summary>
Manage qemu PID socket files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="virt_use_comm" dftval="false">
<desc>
<p>
Allow confined virtual guests to use serial/parallel communication ports
</p>
</desc>
</tunable>
<tunable name="virt_transition_userdomain" dftval="false">
<desc>
<p>
Allow virtual processes to run as userdomains
</p>
</desc>
</tunable>
<tunable name="virt_use_execmem" dftval="false">
<desc>
<p>
Allow confined virtual guests to use executable memory and executable stack
</p>
</desc>
</tunable>
<tunable name="virt_use_fusefs" dftval="false">
<desc>
<p>
Allow confined virtual guests to read fuse files
</p>
</desc>
</tunable>
<tunable name="virt_use_glusterd" dftval="false">
<desc>
<p>
Allow confined virtual guests to use glusterd
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_share_apache_content" dftval="false">
<desc>
<p>
Allow sandbox containers to share apache content
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_fusefs" dftval="false">
<desc>
<p>
Allow sandbox containers to manage fuse files
</p>
</desc>
</tunable>
<tunable name="virt_use_nfs" dftval="false">
<desc>
<p>
Allow confined virtual guests to manage nfs files
</p>
</desc>
</tunable>
<tunable name="virt_use_samba" dftval="false">
<desc>
<p>
Allow confined virtual guests to manage cifs files
</p>
</desc>
</tunable>
<tunable name="virt_use_sanlock" dftval="false">
<desc>
<p>
Allow confined virtual guests to interact with the sanlock
</p>
</desc>
</tunable>
<tunable name="virt_use_rawip" dftval="false">
<desc>
<p>
Allow confined virtual guests to interact with rawip sockets
</p>
</desc>
</tunable>
<tunable name="virt_use_xserver" dftval="false">
<desc>
<p>
Allow confined virtual guests to interact with the xserver
</p>
</desc>
</tunable>
<tunable name="virt_use_usb" dftval="true">
<desc>
<p>
Allow confined virtual guests to use usb devices
</p>
</desc>
</tunable>
<tunable name="virt_use_pcscd" dftval="false">
<desc>
<p>
Allow confined virtual guests to use smartcards
</p>
</desc>
</tunable>
<tunable name="virt_use_pulseaudio" dftval="false">
<desc>
<p>
Allow confined virtual guests to use pulseaudio
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_audit" dftval="true">
<desc>
<p>
Allow sandbox containers to send audit messages
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_netlink" dftval="false">
<desc>
<p>
Allow sandbox containers to use netlink system calls
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_sys_admin" dftval="false">
<desc>
<p>
Allow sandbox containers to use sys_admin system calls, for example mount
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_mknod" dftval="false">
<desc>
<p>
Allow sandbox containers to use mknod system calls
</p>
</desc>
</tunable>
<tunable name="virt_sandbox_use_all_caps" dftval="true">
<!-- NOTE(review): the documented default is true, while the narrower
     sandbox tunables in this module (virt_sandbox_use_sys_admin,
     virt_sandbox_use_mknod, virt_sandbox_use_netlink) default to false.
     How these booleans interact is not visible here; confirm in the policy
     source before relying on the narrower ones to restrict containers. -->
<desc>
<p>
Allow sandbox containers to use all capabilities
</p>
</desc>
</tunable>
<tunable name="virt_read_qemu_ga_data" dftval="false">
<desc>
<p>
Allow qemu-ga to read qemu-ga data.
</p>
</desc>
</tunable>
<tunable name="virt_rw_qemu_ga_data" dftval="false">
<desc>
<p>
Allow qemu-ga to manage qemu-ga data.
</p>
</desc>
</tunable>
<tunable name="virt_lockd_blk_devs" dftval="false">
<desc>
<p>
Allow virtlockd to read and lock block devices.
</p>
</desc>
</tunable>
<tunable name="virt_qemu_ga_read_nonsecurity_files" dftval="false">
<desc>
<p>
Allow qemu-ga to read all non-security file types.
</p>
</desc>
</tunable>
<tunable name="virt_qemu_ga_manage_ssh" dftval="false">
<desc>
<p>
Allow qemu-ga to read ssh home directory content.
</p>
</desc>
</tunable>
<tunable name="virt_qemu_ga_run_unconfined" dftval="false">
<desc>
<p>
Allow qemu-ga to run unconfined scripts
</p>
</desc>
</tunable>
</module>
<module name="vlock" filename="policy/modules/contrib/vlock.if">
<summary>Lock one or more sessions on the Linux console.</summary>
<interface name="vlock_domtrans" lineno="13">
<summary>
Execute vlock in the vlock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vlock_run" lineno="40">
<summary>
Execute vlock in the vlock domain,
and allow the specified role
the vlock domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed to access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="vmtools" filename="policy/modules/contrib/vmtools.if">
<summary>VMware Tools daemon</summary>
<interface name="vmtools_domtrans" lineno="13">
<summary>
Execute vmtools in the vmtools domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vmtools_domtrans_helper" lineno="32">
<summary>
Execute vmtools in the vmtools domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vmtools_run_helper" lineno="56">
<summary>
Execute vmtools helpers in the vmtools_helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the vmtools_helper domain.
</summary>
</param>
</interface>
<interface name="vmtools_systemctl" lineno="75">
<summary>
Execute vmtools server in the vmtools domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vmtools_admin" lineno="103">
<summary>
All of the rules required to administrate
a vmtools environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="vmtools_unconfined_dbus_chat" lineno="136">
<summary>
Send and receive messages from
vmtools_unconfined over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="vmware" filename="policy/modules/contrib/vmware.if">
<summary>VMWare Workstation virtual machines.</summary>
<interface name="vmware_role" lineno="18">
<summary>
Role access for vmware.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="vmware_exec_host" lineno="54">
<summary>
Execute vmware host executables
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_read_system_config" lineno="73">
<summary>
Read vmware system configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_append_system_config" lineno="92">
<summary>
Append vmware system configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_append_log" lineno="111">
<summary>
Append vmware log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_filetrans_content" lineno="130">
<summary>
Transition to vmware content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vmware_manage_log" lineno="148">
<summary>
Manage vmware log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="vnstatd" filename="policy/modules/contrib/vnstatd.if">
<summary>Console network traffic monitor.</summary>
<interface name="vnstatd_domtrans_vnstat" lineno="13">
<summary>
Execute a domain transition to run vnstat.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vnstatd_run_vnstat" lineno="39">
<summary>
Execute vnstat in the vnstat domain,
and allow the specified role
the vnstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_domtrans" lineno="58">
<summary>
Execute a domain transition to run vnstatd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vnstatd_search_lib" lineno="77">
<summary>
Search vnstatd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_manage_lib_dirs" lineno="97">
<summary>
Create, read, write, and delete
vnstatd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_read_lib_files" lineno="116">
<summary>
Read vnstatd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_manage_lib_files" lineno="136">
<summary>
Create, read, write, and delete
vnstatd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vnstatd_admin" lineno="161">
<summary>
All of the rules required to
administrate a vnstatd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="vpn" filename="policy/modules/contrib/vpn.if">
<summary>Virtual Private Networking client</summary>
<interface name="vpn_domtrans" lineno="13">
<summary>
Execute VPN clients in the vpnc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vpn_run" lineno="38">
<summary>
Execute VPN clients in the vpnc domain, and
allow the specified role the vpnc domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="vpn_kill" lineno="58">
<summary>
Send VPN clients the kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_signal" lineno="76">
<summary>
Send generic signals to VPN clients.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_signull" lineno="94">
<summary>
Send signull to VPN clients.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_dbus_chat" lineno="113">
<summary>
Send and receive messages from
Vpnc over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpnc_manage_pid_dirs" lineno="133">
<!-- NOTE(review): the name says "manage" but the summary says "Read".
     Other manage interfaces in this file are documented as create, read,
     write and delete (for example vnstatd_manage_lib_dirs), so assume the
     broader access until the interface body has been checked. -->
<summary>
Read vpnc PID dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpnc_read_pid_files" lineno="152">
<summary>
Read vpnc PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpnc_manage_pid_files" lineno="171">
<!-- NOTE(review): the summary is identical to the one on
     vpnc_read_pid_files, but this interface is named "manage". Other manage
     interfaces in this file are documented as create, read, write and
     delete, so assume the broader access until the body has been checked. -->
<summary>
Read vpnc PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpnc_manage_pid" lineno="190">
<!-- NOTE(review): the summary is identical to the one on
     vpnc_read_pid_files, but this interface is named "manage" and does not
     say which object classes it covers. Assume more than read access until
     the interface body has been checked. -->
<summary>
Read vpnc PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vpn_relabelfrom_tun_socket" lineno="210">
<summary>
Relabel from vpnc socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="w3c" filename="policy/modules/contrib/w3c.if">
<summary>W3C Markup Validator.</summary>
</module>
<module name="watchdog" filename="policy/modules/contrib/watchdog.if">
<summary>Software watchdog.</summary>
<interface name="watchdog_admin" lineno="20">
<summary>
All of the rules required to
administrate a watchdog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="watchdog_unconfined_exec_read_lnk_files" lineno="51">
<summary>
Allow read watchdog_unconfined_t lnk files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="wdmd" filename="policy/modules/contrib/wdmd.if">
<summary>watchdog multiplexing daemon</summary>
<interface name="wdmd_domtrans" lineno="13">
<summary>
Execute a domain transition to run wdmd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_initrc_domtrans" lineno="32">
<summary>
Execute wdmd server in the wdmd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="wdmd_admin" lineno="57">
<summary>
All of the rules required to administrate
a wdmd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="wdmd_manage_pid_files" lineno="86">
<summary>
Create, read, write, and delete wdmd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_stream_connect" lineno="105">
<summary>
Connect to wdmd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_rw_tmpfs" lineno="125">
<summary>
Allow the specified domain to read/write wdmd's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="webadm" filename="policy/modules/contrib/webadm.if">
<summary>Web administrator role.</summary>
<interface name="webadm_role_change" lineno="14">
<summary>
Change to the web administrator role.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="webadm_role_change_to" lineno="44">
<summary>
Change from the web administrator role.
</summary>
<desc>
<p>
Change from the web administrator role to
the specified role.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="webadm_manage_user_files" dftval="false">
<desc>
<p>
Determine whether webadm can
manage generic user files.
</p>
</desc>
</tunable>
<tunable name="webadm_read_user_files" dftval="false">
<desc>
<p>
Determine whether webadm can
read generic user files.
</p>
</desc>
</tunable>
</module>
<module name="webalizer" filename="policy/modules/contrib/webalizer.if">
<summary>Web server log analysis.</summary>
<interface name="webalizer_domtrans" lineno="13">
<summary>
Execute webalizer in the webalizer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="webalizer_run" lineno="40">
<summary>
Execute webalizer in the webalizer
domain, and allow the specified
role the webalizer domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="wine" filename="policy/modules/contrib/wine.if">
<summary>Wine Is Not an Emulator.  Run Windows programs in Linux.</summary>
<template name="wine_role" lineno="24">
<summary>
The per role template for the wine module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for wine applications.
</p>
</desc>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<template name="wine_role_template" lineno="85">
<summary>
The role template for the wine module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for wine applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="wine_domtrans" lineno="122">
<summary>
Execute the wine program in the wine domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="wine_run" lineno="147">
<summary>
Execute wine in the wine domain, and
allow the specified role the wine domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<interface name="wine_rw_shm" lineno="167">
<summary>
Read and write wine Shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wine_filetrans_named_content" lineno="185">
<summary>
Transition to wine named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="wine_mmap_zero_ignore" dftval="false">
<desc>
<p>
Determine whether attempts by
wine to mmap low regions should
be silently blocked.
</p>
</desc>
</tunable>
</module>
<module name="wireguard" filename="policy/modules/contrib/wireguard.if">
<summary>policy for wireguard</summary>
<interface name="wireguard_domtrans" lineno="13">
<summary>
Execute wireguard_exec_t in the wireguard domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="wireguard_exec" lineno="32">
<summary>
Execute wireguard in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wireguard_read_fifo_files" lineno="51">
<!-- NOTE(review): the parameter text says "Domain to not audit", which is
     the wording this file uses for dontaudit interfaces, while the summary
     describes a read grant. Confirm from the interface body whether this
     is an allow rule or a dontaudit rule. -->
<summary>
Read wireguard fifo files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="wireshark" filename="policy/modules/contrib/wireshark.if">
<summary>Wireshark packet capture tool.</summary>
<interface name="wireshark_role" lineno="18">
<summary>
Role access for wireshark.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
<interface name="wireshark_domtrans" lineno="50">
<summary>
Execute wireshark in wireshark domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="wireshark_rw_shm" lineno="70">
<summary>
Read and write wireshark Shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="wm" filename="policy/modules/contrib/wm.if">
<summary>X Window Managers</summary>
<template name="wm_role_template" lineno="30">
<summary>
The role template for the wm module.
</summary>
<desc>
<p>
This template creates derived domains which are used
for window manager applications.
</p>
</desc>
<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</template>
<interface name="wm_exec" lineno="91">
<summary>
Execute the wm program in the wm domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="xen" filename="policy/modules/contrib/xen.if">
<summary>Xen hypervisor</summary>
<interface name="xen_domtrans" lineno="13">
<summary>
Execute a domain transition to run xend.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xen_exec" lineno="32">
<summary>
Allow the specified domain to execute xend
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_use_fds" lineno="50">
<summary>
Inherit and use xen file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_dontaudit_use_fds" lineno="69">
<summary>
Do not audit attempts to inherit
xen file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xen_read_pid_files_xenstored" lineno="87">
<summary>
Read xend pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_read_lib_files" lineno="107">
<summary>
Read xend lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_read_image_files" lineno="126">
<summary>
Read xend image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_manage_image_dirs" lineno="148">
<!-- NOTE(review): the summary is identical to the one on
     xen_rw_image_files (read/write image files), but this interface is
     named for managing image directories. Confirm the object class and
     permission set from the interface body before granting it. -->
<summary>
Allow the specified domain to read/write
xend image files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_rw_image_files" lineno="168">
<summary>
Allow the specified domain to read/write
xend image files.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xen_append_log" lineno="189">
<summary>
Allow the specified domain to append
xend log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_manage_log" lineno="210">
<summary>
Create, read, write, and delete the
xend log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_dontaudit_rw_unix_stream_sockets" lineno="232">
<summary>
Do not audit attempts to read and write
Xen unix domain stream sockets.  These
are leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xen_stream_connect_xenstore" lineno="250">
<summary>
Connect to xenstored over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_stream_connect" lineno="269">
<summary>
Connect to xend over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xen_domtrans_xm" lineno="291">
<summary>
Execute a domain transition to run xm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xen_stream_connect_xm" lineno="310">
<summary>
Connect to xm over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="xend_run_blktap" dftval="true">
<desc>
<p>
Allow xend to run blktapctrl/tapdisk.
Not required if using dedicated logical volumes for disk images.
</p>
</desc>
</tunable>
<tunable name="xend_run_qemu" dftval="true">
<desc>
<p>
Allow xend to run qemu-dm.
Not required if using paravirt and no vfb.
</p>
</desc>
</tunable>
<tunable name="xen_use_nfs" dftval="false">
<desc>
<p>
Allow xen to manage nfs files
</p>
</desc>
</tunable>
</module>
<module name="xfs" filename="policy/modules/contrib/xfs.if">
<summary>X Windows Font Server.</summary>
<interface name="xfs_read_sockets" lineno="13">
<summary>
Read xfs temporary sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_stream_connect" lineno="33">
<summary>
Connect to xfs with a unix
domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_exec" lineno="52">
<summary>
Execute xfs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_admin" lineno="78">
<summary>
All of the rules required to
administrate an xfs environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="xscreensaver" filename="policy/modules/contrib/xscreensaver.if">
<summary>Modular screen saver and locker for X11.</summary>
<interface name="xscreensaver_role" lineno="18">
<summary>
Role access for xscreensaver.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</interface>
</module>
<module name="zabbix" filename="policy/modules/contrib/zabbix.if">
<summary>Distributed infrastructure monitoring</summary>
<interface name="zabbix_domtrans" lineno="13">
<summary>
Execute a domain transition to run zabbix.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zabbix_script_domtrans" lineno="31">
<summary>
Execute a domain transition to run zabbix_script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zabbix_tcp_connect" lineno="49">
<summary>
Allow connectivity to the zabbix server
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_log" lineno="71">
<summary>
Allow the specified domain to read zabbix's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zabbix_read_tmp" lineno="91">
<summary>
Allow the specified domain to read zabbix's tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zabbix_append_log" lineno="111">
<summary>
Allow the specified domain to append
zabbix log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_pid_files" lineno="130">
<summary>
Read zabbix PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_agent_tcp_connect" lineno="149">
<summary>
Allow connectivity to a zabbix agent
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_admin" lineno="177">
<summary>
All of the rules required to administrate
a zabbix environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the zabbix domain.
</summary>
</param>
<rolecap/>
</interface>
<!--
  Review note: disabled by default (dftval="false").
  When enabled, the policy lets zabbix connect to all TCP ports, so SELinux
  no longer narrows its outbound TCP destinations. Enable it only if the
  monitoring checks in use need that reach.
-->
<tunable name="zabbix_can_network" dftval="false">
<desc>
<p>
Determine whether zabbix can
connect to all TCP ports
</p>
</desc>
</tunable>
<!--
  Review note: disabled by default (dftval="false").
  Enabling it allows Zabbix to run su/sudo. What the service can then do
  depends on the host's sudoers configuration, which this file does not
  describe, so review those rules before turning the boolean on.
-->
<tunable name="zabbix_run_sudo" dftval="false">
<desc>
<p>
Allow Zabbix to run su/sudo.
</p>
</desc>
</tunable>
</module>
<module name="zarafa" filename="policy/modules/contrib/zarafa.if">
<summary>Zarafa collaboration platform.</summary>
<template name="zarafa_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
zarafa init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="zarafa_search_config" lineno="64">
<summary>
Allow the specified domain to search
zarafa configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_deliver" lineno="83">
<summary>
Execute a domain transition to run zarafa_deliver.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_server" lineno="101">
<summary>
Execute a domain transition to run zarafa_server.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_stream_connect_server" lineno="119">
<summary>
Connect to zarafa-server unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_manage_lib_files" lineno="139">
<summary>
Allow the specified domain to manage
zarafa /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<!--
  Review note: disabled by default (dftval="false").
  Enabling it grants zarafa domains setrlimit and the sys_resource
  capability, i.e. the ability to change or exceed their own resource
  limits. Leave it off unless the service fails without it.
-->
<tunable name="zarafa_setrlimit" dftval="false">
<desc>
<p>
Allow zarafa domains to setrlimit/sys_resource.
</p>
</desc>
</tunable>
</module>
<module name="zebra" filename="policy/modules/contrib/zebra.if">
<summary>Zebra border gateway protocol network routing service</summary>
<interface name="zebra_read_config" lineno="14">
<summary>
Read the configuration files for zebra.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zebra_stream_connect" lineno="35">
<summary>
Connect to zebra over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zebra_systemctl" lineno="54">
<summary>
Execute zebra services in the zebra domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zebra_admin" lineno="85">
<summary>
All of the rules required to administrate
a zebra environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the zebra domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="zebra_write_config" dftval="false">
<desc>
<p>
Allow zebra daemon to write its configuration files
</p>
</desc>
</tunable>
</module>
<module name="zoneminder" filename="policy/modules/contrib/zoneminder.if">
<summary>policy for zoneminder</summary>
<interface name="zoneminder_domtrans" lineno="13">
<summary>
Transition to zoneminder.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zoneminder_exec" lineno="33">
<summary>
Allow the specified domain to execute zoneminder
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_initrc_domtrans" lineno="53">
<summary>
Execute zoneminder server in the zoneminder domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_read_log" lineno="73">
<summary>
Read zoneminder's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zoneminder_append_log" lineno="92">
<summary>
Append to zoneminder log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_log" lineno="111">
<summary>
Manage zoneminder log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_search_lib" lineno="132">
<summary>
Search zoneminder lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_read_lib_files" lineno="151">
<summary>
Read zoneminder lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_lib_files" lineno="170">
<summary>
Manage zoneminder lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_lib_dirs" lineno="189">
<summary>
Manage zoneminder lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_lib_sock_files" lineno="208">
<summary>
Manage zoneminder lib sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_search_spool" lineno="226">
<summary>
Search zoneminder spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_read_spool_files" lineno="245">
<summary>
Read zoneminder spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_spool_files" lineno="264">
<summary>
Manage zoneminder spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_manage_spool_dirs" lineno="283">
<summary>
Manage zoneminder spool dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_stream_connect" lineno="302">
<summary>
Connect to zoneminder over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_rw_tmpfs_files" lineno="321">
<summary>
Read/write zoneminder tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zoneminder_admin" lineno="347">
<summary>
All of the rules required to administrate
a zoneminder environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<!--
  Review note: disabled by default (dftval="false").
  Enabling it allows ZoneMinder to run su/sudo. The resulting privileges
  depend on the host's sudoers configuration, which this file does not
  describe, so review those rules before turning the boolean on.
-->
<tunable name="zoneminder_run_sudo" dftval="false">
<desc>
<p>
Allow ZoneMinder to run su/sudo.
</p>
</desc>
</tunable>
<!--
  Review note: disabled by default (dftval="false").
  Enabling it lets ZoneMinder modify the public files used by public file
  transfer services, so content served by those services becomes writable
  from the ZoneMinder domain. Keep it off unless that sharing is intended.
-->
<tunable name="zoneminder_anon_write" dftval="false">
<desc>
<p>
Allow ZoneMinder to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
</module>
<module name="zosremote" filename="policy/modules/contrib/zosremote.if">
<summary>z/OS Remote-services Audit dispatcher plugin.</summary>
<interface name="zosremote_domtrans" lineno="13">
<summary>
Execute a domain transition to run audispd-zos-remote.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zosremote_run" lineno="40">
<summary>
Execute zos remote in the zos remote
domain, and allow the specified role
the zos remote domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>