php  IHDRwQ)Ba pHYs  sRGBgAMA aIDATxMk\Us&uo,mD )Xw+e?tw.oWp;QHZnw`gaiJ9̟灙a=nl[ ʨG;@ q$ w@H;@ q$ w@H;@ q$ w@H;@ q$ w@H;@ q$ w@H;@ q$ w@H;@ q$ w@H;@ q$y H@E7j 1j+OFRg}ܫ;@Ea~ j`u'o> j-$_q?qSXzG'ay

files >> /var/www/html/sub/images/Rm19_symconf/root/usr/share/selinux/devel/include/services.xml

<summary>
	Policy modules for system services, like cron, and network services,
	like sshd.
</summary>
<module name="abrt" filename="policy/modules/services/abrt.if">
<summary>ABRT - automated bug-reporting tool</summary>
<interface name="abrt_domtrans" lineno="13">
<summary>
Execute abrt in the abrt domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_exec" lineno="32">
<summary>
Execute abrt in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_signull" lineno="51">
<summary>
Send a null signal to abrt.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_state" lineno="69">
<summary>
Allow the domain to read abrt state files in /proc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_stream_connect" lineno="88">
<summary>
Connect to abrt over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_dbus_chat" lineno="108">
<summary>
Send and receive messages from
abrt over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_domtrans_helper" lineno="128">
<summary>
Execute abrt-helper in the abrt-helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_run_helper" lineno="153">
<summary>
Execute abrt helper in the abrt_helper domain, and
allow the specified role the abrt_helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="abrt_read_cache" lineno="172">
<summary>
Read abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_append_cache" lineno="191">
<summary>
Append abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_cache" lineno="209">
<summary>
Manage abrt cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_config" lineno="229">
<summary>
Read abrt configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_log" lineno="248">
<summary>
Read abrt logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_pid_files" lineno="267">
<summary>
Read abrt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_manage_pid_files" lineno="286">
<summary>
Create, read, write, and delete abrt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_rw_fifo_file" lineno="305">
<summary>
Read and write abrt fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_admin" lineno="330">
<summary>
All of the rules required to administrate
an abrt environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the abrt domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="abrt_domtrans_retrace_worker" lineno="372">
<summary>
Execute abrt-retrace in the abrt-retrace domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="abrt_manage_spool_retrace" lineno="391">
<summary>
Manage abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_spool_retrace" lineno="412">
<summary>
Read abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="abrt_read_cache_retrace" lineno="433">
<summary>
Read abrt retrace server cache
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="abrt_anon_write" dftval="false">
<desc>
<p>
Allow ABRT to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="abrt_handle_event" dftval="false">
<desc>
<p>
Allow ABRT to run in abrt_handle_event_t domain
to handle ABRT event scripts
</p>
</desc>
</tunable>
</module>
<module name="afs" filename="policy/modules/services/afs.if">
<summary>Andrew Filesystem server</summary>
<interface name="afs_domtrans" lineno="14">
<summary>
Execute a domain transition to run the
afs client.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="afs_rw_udp_sockets" lineno="33">
<summary>
Read and write afs client UDP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_rw_cache" lineno="51">
<summary>
read/write afs cache files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="afs_initrc_domtrans" lineno="70">
<summary>
Execute afs server in the afs domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="afs_admin" lineno="95">
<summary>
All of the rules required to administrate
an afs environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the afs domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aiccu" filename="policy/modules/services/aiccu.if">
<summary>Automatic IPv6 Connectivity Client Utility.</summary>
<interface name="aiccu_domtrans" lineno="13">
<summary>
Execute a domain transition to run aiccu.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_initrc_domtrans" lineno="33">
<summary>
Execute aiccu server in the aiccu domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aiccu_read_pid_files" lineno="51">
<summary>
Read aiccu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aiccu_manage_var_run" lineno="70">
<summary>
Manage aiccu PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aiccu_admin" lineno="99">
<summary>
All of the rules required to administrate
an aiccu environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aide" filename="policy/modules/services/aide.if">
<summary>Aide filesystem integrity checker</summary>
<interface name="aide_domtrans" lineno="13">
<summary>
Execute aide in the aide domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aide_run" lineno="37">
<summary>
Execute aide programs in the AIDE domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to allow the AIDE domain.
</summary>
</param>
</interface>
<interface name="aide_admin" lineno="58">
<summary>
All of the rules required to administrate
an aide environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="aisexec" filename="policy/modules/services/aisexec.if">
<summary>SELinux policy for Aisexec Cluster Engine</summary>
<interface name="aisexec_domtrans" lineno="13">
<summary>
Execute a domain transition to run aisexec.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="aisexec_stream_connect" lineno="32">
<summary>
Connect to aisexec over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexec_read_log" lineno="51">
<summary>
Allow the specified domain to read aisexec's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="aisexecd_admin" lineno="78">
<summary>
All of the rules required to administrate
an aisexec environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the aisexecd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="amavis" filename="policy/modules/services/amavis.if">
<summary>
Daemon that interfaces mail transfer agents and content
checkers, such as virus scanners.
</summary>
<interface name="amavis_domtrans" lineno="16">
<summary>
Execute a domain transition to run amavis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="amavis_initrc_domtrans" lineno="35">
<summary>
Execute amavis server in the amavis domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_read_spool_files" lineno="53">
<summary>
Read amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_spool_files" lineno="72">
<summary>
Manage amavis spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_spool_filetrans" lineno="103">
<summary>
Create objects in the amavis spool directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
</interface>
<interface name="amavis_search_lib" lineno="122">
<summary>
Search amavis lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_read_lib_files" lineno="141">
<summary>
Read amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_manage_lib_files" lineno="162">
<summary>
Create, read, write, and delete
amavis lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_setattr_pid_files" lineno="181">
<summary>
Set the attributes of amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_create_pid_files" lineno="200">
<summary>
Create amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_write_pid_files" lineno="220">
<summary>
Write amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_delete_pid_files" lineno="239">
<summary>
Delete amavis pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="amavis_admin" lineno="265">
<summary>
All of the rules required to administrate
an amavis environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="amavis_use_jit" dftval="false">
<desc>
<p>
Allow amavis to use JIT compiler
</p>
</desc>
</tunable>
</module>
<module name="antivirus" filename="policy/modules/services/antivirus.if">
<summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
<interface name="antivirus_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
antivirus domain.
</summary>
<param name="domain">
<summary>
Domain type.
</summary>
</param>
</interface>
<interface name="antivirus_domtrans" lineno="32">
<summary>
Execute a domain transition to run antivirus program.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="antivirus_exec" lineno="50">
<summary>
Execute antivirus program without a transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_stream_connect" lineno="68">
<summary>
Connect to run antivirus program.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_append_log" lineno="89">
<summary>
Allow the specified domain to append
to antivirus log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_config" lineno="109">
<summary>
Read antivirus configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_search_db" lineno="128">
<summary>
Search antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_db" lineno="148">
<summary>
Read antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_rw_db" lineno="169">
<summary>
Read and write antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_manage_db" lineno="189">
<summary>
Manage antivirus db content directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_manage_pid" lineno="210">
<summary>
Manage antivirus pid content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_read_state_clamd" lineno="229">
<summary>
Read antivirus state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="antivirus_admin" lineno="255">
<summary>
All of the rules required to administrate
an antivirus programs environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the clamav domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="antivirus_can_scan_system" dftval="false">
<desc>
<p>
Allow antivirus programs to read non security files on a system
</p>
</desc>
</tunable>
<tunable name="antivirus_use_jit" dftval="false">
<desc>
<p>
Determine whether antivirus programs can use JIT compiler.
</p>
</desc>
</tunable>
</module>
<module name="apache" filename="policy/modules/services/apache.if">
<summary>Apache web server</summary>
<template name="apache_content_template" lineno="14">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="apache_role" lineno="204">
<summary>
Role access for apache
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="apache_read_user_scripts" lineno="266">
<summary>
Read httpd user scripts executables.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_user_content" lineno="286">
<summary>
Read user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_user_content" lineno="306">
<summary>
Manage user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans" lineno="326">
<summary>
Transition to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec" lineno="346">
<summary>
Allow the specified domain to execute apache
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_signal" lineno="364">
<summary>
Send a generic signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_signull" lineno="382">
<summary>
Send a null signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_sigchld" lineno="400">
<summary>
Send a SIGCHLD signal to apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_use_fds" lineno="418">
<summary>
Inherit and use file descriptors from Apache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_fifo_file" lineno="437">
<summary>
Do not audit attempts to read and write Apache
unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_stream_sockets" lineno="456">
<summary>
Do not audit attempts to read and write Apache
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_tcp_sockets" lineno="475">
<summary>
Do not audit attempts to read and write Apache
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_manage_all_content" lineno="494">
<summary>
Create, read, write, and delete all web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_setattr_cache_dirs" lineno="519">
<summary>
Allow domain to set the attributes
of the APACHE cache directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_cache" lineno="538">
<summary>
Allow the specified domain to list
Apache cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_rw_cache_files" lineno="557">
<summary>
Allow the specified domain to read
and write Apache cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_dirs" lineno="576">
<summary>
Allow the specified domain to delete
Apache cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_delete_cache_files" lineno="595">
<summary>
Allow the specified domain to delete
Apache cache.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_config" lineno="614">
<summary>
Allow the specified domain to search
apache configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_config" lineno="635">
<summary>
Allow the specified domain to read
apache configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_manage_config" lineno="657">
<summary>
Allow the specified domain to manage
apache configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_helper" lineno="679">
<summary>
Execute the Apache helper program with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_run_helper" lineno="706">
<summary>
Execute the Apache helper program with
a domain transition, and allow the
specified role the Apache helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_dontaudit_read_log" lineno="727">
<summary>
Do not audit attempts to read
apache log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_read_log" lineno="749">
<summary>
Allow the specified domain to read
apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_append_log" lineno="771">
<summary>
Allow the specified domain to append
to apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_append_log" lineno="792">
<summary>
Do not audit attempts to append to the
Apache logs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_write_log" lineno="811">
<summary>
Allow the specified domain to write
to apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_log" lineno="830">
<summary>
Allow the specified domain to manage
apache log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_search_modules" lineno="852">
<summary>
Do not audit attempts to search Apache
module directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_list_modules" lineno="872">
<summary>
Allow the specified domain to list
the contents of the apache modules
directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_modules" lineno="893">
<summary>
Allow the specified domain to read
the apache module files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_modules" lineno="913">
<summary>
Allow the specified domain to execute
apache modules.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_domtrans_rotatelogs" lineno="933">
<summary>
Execute a domain transition to run httpd_rotatelogs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_rotatelogs" lineno="951">
<summary>
Execute httpd_rotatelogs in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_exec_sys_script" lineno="969">
<summary>
Execute httpd system scripts in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_list_sys_content" lineno="989">
<summary>
Allow the specified domain to list
apache system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_sys_content" lineno="1012">
<summary>
Allow the specified domain to manage
apache system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_manage_sys_content_rw" lineno="1036">
<summary>
Allow the specified domain to manage
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_delete_sys_content_rw" lineno="1060">
<summary>
Allow the specified domain to delete
apache system content rw files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_domtrans_sys_script" lineno="1087">
<summary>
Execute all web scripts in the system
script domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="1115">
<summary>
Do not audit attempts to read and write Apache
system script unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_domtrans_all_scripts" lineno="1134">
<summary>
Execute all user scripts in the user
script domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_run_all_scripts" lineno="1159">
<summary>
Execute all user scripts in the user
script domain.  Add user script domains
to the specified role.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the script domains.
</summary>
</param>
</interface>
<interface name="apache_read_squirrelmail_data" lineno="1179">
<summary>
Allow the specified domain to read
apache squirrelmail data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_append_squirrelmail_data" lineno="1198">
<summary>
Allow the specified domain to append
apache squirrelmail data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_content" lineno="1216">
<summary>
Search apache system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_getattr_sys_content" lineno="1234">
<summary>
Getattr apache system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_sys_content" lineno="1252">
<summary>
Read apache system content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_search_sys_scripts" lineno="1272">
<summary>
Search apache system CGI directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_manage_all_user_content" lineno="1291">
<summary>
Create, read, write, and delete all user web content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_search_sys_script_state" lineno="1315">
<summary>
Search system script state directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_read_tmp_files" lineno="1334">
<summary>
Allow the specified domain to read
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_rw_tmp_files" lineno="1354">
<summary>
Dontaudit attempts to read and write
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_dontaudit_write_tmp_files" lineno="1373">
<summary>
Dontaudit attempts to write
apache tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="apache_cgi_domain" lineno="1406">
<summary>
Execute CGI in the specified domain.
</summary>
<desc>
<p>
Execute CGI in the specified domain.
</p>
<p>
This is an interface to support third party modules
and its use is not allowed in upstream reference
policy.
</p>
</desc>
<param name="domain">
<summary>
Domain to run the cgi script in.
</summary>
</param>
<param name="entrypoint">
<summary>
Type of the executable to enter the cgi domain.
</summary>
</param>
</interface>
<interface name="apache_admin" lineno="1433">
<summary>
All of the rules required to administrate an apache environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apache_dontaudit_leaks" lineno="1500">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="apache_getattr_suexec" lineno="1522">
<summary>
Allow getattr of suexec
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="apache_rw_stream_sockets" lineno="1540">
<summary>
Read and write of httpd unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apache_entrypoint" lineno="1559">
<summary>
Allow any httpd_exec_t to be an entrypoint of this domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_httpd_anon_write" dftval="false">
<desc>
<p>
Allow Apache to modify public files
used for public file transfer services. Directories/Files must
be labeled public_rw_content_t.
</p>
</desc>
</tunable>
<tunable name="allow_httpd_mod_auth_pam" dftval="false">
<desc>
<p>
Allow Apache to use mod_auth_pam
</p>
</desc>
</tunable>
<tunable name="httpd_execmem" dftval="false">
<desc>
<p>
Allow httpd scripts and modules execmem/execstack
</p>
</desc>
</tunable>
<tunable name="httpd_manage_ipa" dftval="false">
<desc>
<p>
Allow httpd processes to manage IPA content
</p>
</desc>
</tunable>
<tunable name="httpd_builtin_scripting" dftval="false">
<desc>
<p>
Allow httpd to use built in scripting (usually php)
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_cobbler" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to cobbler over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_serve_cobbler_files" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to serve cobbler files.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_connect_db" dftval="false">
<desc>
<p>
Allow HTTPD scripts and modules to connect to databases over the network.
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_memcache" dftval="false">
<desc>
<p>
Allow httpd to connect to memcache server
</p>
</desc>
</tunable>
<tunable name="httpd_can_network_relay" dftval="false">
<desc>
<p>
Allow httpd to act as a relay
</p>
</desc>
</tunable>
<tunable name="httpd_can_sendmail" dftval="false">
<desc>
<p>
Allow http daemon to send mail
</p>
</desc>
</tunable>
<tunable name="httpd_can_check_spam" dftval="false">
<desc>
<p>
Allow http daemon to check spam
</p>
</desc>
</tunable>
<tunable name="httpd_dbus_avahi" dftval="false">
<desc>
<p>
Allow Apache to communicate with avahi service via dbus
</p>
</desc>
</tunable>
<tunable name="httpd_dbus_sssd" dftval="false">
<desc>
<p>
Allow Apache to communicate with sssd service via dbus
</p>
</desc>
</tunable>
<tunable name="httpd_enable_cgi" dftval="false">
<desc>
<p>
Allow httpd cgi support
</p>
</desc>
</tunable>
<tunable name="httpd_enable_ftp_server" dftval="false">
<desc>
<p>
Allow httpd to act as a FTP server by
listening on the ftp port.
</p>
</desc>
</tunable>
<tunable name="httpd_enable_homedirs" dftval="false">
<desc>
<p>
Allow httpd to read home directories
</p>
</desc>
</tunable>
<tunable name="httpd_read_user_content" dftval="false">
<desc>
<p>
Allow httpd to read user content
</p>
</desc>
</tunable>
<tunable name="httpd_setrlimit" dftval="false">
<desc>
<p>
Allow httpd daemon to change system limits
</p>
</desc>
</tunable>
<tunable name="httpd_ssi_exec" dftval="false">
<desc>
<p>
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
</p>
</desc>
</tunable>
<tunable name="httpd_tmp_exec" dftval="false">
<desc>
<p>
Allow Apache to execute tmp content.
</p>
</desc>
</tunable>
<tunable name="httpd_tty_comm" dftval="false">
<desc>
<p>
Allow HTTPD to communicate with the terminal.
Needed for entering the passphrase for certificates at
the terminal.
</p>
</desc>
</tunable>
<tunable name="httpd_unified" dftval="false">
<desc>
<p>
Unify HTTPD handling of all content files.
</p>
</desc>
</tunable>
<tunable name="httpd_use_openstack" dftval="false">
<desc>
<p>
Allow httpd to access openstack ports
</p>
</desc>
</tunable>
<tunable name="httpd_use_cifs" dftval="false">
<desc>
<p>
Allow httpd to access cifs file systems
</p>
</desc>
</tunable>
<tunable name="httpd_use_fusefs" dftval="false">
<desc>
<p>
Allow httpd to access FUSE file systems
</p>
</desc>
</tunable>
<tunable name="httpd_use_gpg" dftval="false">
<desc>
<p>
Allow httpd to run gpg in gpg-web domain
</p>
</desc>
</tunable>
<tunable name="httpd_use_nfs" dftval="false">
<desc>
<p>
Allow httpd to access nfs file systems
</p>
</desc>
</tunable>
<tunable name="allow_httpd_sys_script_anon_write" dftval="false">
<desc>
<p>
Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
</p>
</desc>
</tunable>
<tunable name="httpd_run_stickshift" dftval="false">
<desc>
<p>
Allow Apache to run in stickshift mode, not transition to passenger
</p>
</desc>
</tunable>
<tunable name="httpd_run_preupgrade" dftval="false">
<desc>
<p>
Allow Apache to run preupgrade
</p>
</desc>
</tunable>
<tunable name="httpd_verify_dns" dftval="false">
<desc>
<p>
Allow Apache to query NS records
</p>
</desc>
</tunable>
<tunable name="allow_httpd_mod_auth_ntlm_winbind" dftval="false">
<desc>
<p>
Allow Apache to use mod_auth_ntlm_winbind
</p>
</desc>
</tunable>
</module>
<module name="apcupsd" filename="policy/modules/services/apcupsd.if">
<summary>APC UPS monitoring daemon</summary>
<interface name="apcupsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run apcupsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_initrc_domtrans" lineno="32">
<summary>
Execute apcupsd server in the apcupsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_read_pid_files" lineno="50">
<summary>
Read apcupsd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_read_log" lineno="70">
<summary>
Allow the specified domain to read apcupsd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="apcupsd_append_log" lineno="91">
<summary>
Allow the specified domain to append
apcupsd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apcupsd_cgi_script_domtrans" lineno="111">
<summary>
Execute a domain transition to run httpd_apcupsd_cgi_script.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="apcupsd_admin" lineno="141">
<summary>
All of the rules required to administrate
an apcupsd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the apcupsd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="apm" filename="policy/modules/services/apm.if">
<summary>Advanced power management daemon</summary>
<interface name="apm_domtrans_client" lineno="13">
<summary>
Execute APM in the apm domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_use_fds" lineno="32">
<summary>
Use file descriptors for apmd.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="apm_write_pipes" lineno="50">
<summary>
Write to apmd unnamed pipes.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="apm_rw_stream_sockets" lineno="68">
<summary>
Read and write to an apm unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_append_log" lineno="86">
<summary>
Append to apm's log file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="apm_stream_connect" lineno="105">
<summary>
Connect to apmd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="arpwatch" filename="policy/modules/services/arpwatch.if">
<summary>Ethernet activity monitor.</summary>
<interface name="arpwatch_initrc_domtrans" lineno="13">
<summary>
Execute arpwatch server in the arpwatch domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_search_data" lineno="31">
<summary>
Search arpwatch's data file directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_data_files" lineno="50">
<summary>
Create arpwatch data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_rw_tmp_files" lineno="69">
<summary>
Read and write arpwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_manage_tmp_files" lineno="88">
<summary>
Read and write arpwatch temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="108">
<summary>
Do not audit attempts to read and write
arpwatch packet sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="arpwatch_admin" lineno="133">
<summary>
All of the rules required to administrate
an arpwatch environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the arpwatch domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="asterisk" filename="policy/modules/services/asterisk.if">
<summary>Asterisk IP telephony server</summary>
<interface name="asterisk_domtrans" lineno="13">
<summary>
Execute asterisk in the asterisk domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="asterisk_stream_connect" lineno="33">
<summary>
Connect to asterisk over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="asterisk_admin" lineno="59">
<summary>
All of the rules required to administrate
an asterisk environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the asterisk domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="audioentropy" filename="policy/modules/services/audioentropy.if">
<summary>Generate entropy from audio input</summary>
</module>
<module name="automount" filename="policy/modules/services/automount.if">
<summary>Filesystem automounter service.</summary>
<interface name="automount_domtrans" lineno="13">
<summary>
Execute automount in the automount domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_signal" lineno="33">
<summary>
Send automount a signal
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="automount_exec_config" lineno="51">
<summary>
Execute automount in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_read_state" lineno="66">
<summary>
Allow the domain to read state files in /proc.
</summary>
<param name="domain">
<summary>
Domain to allow access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_use_fds" lineno="85">
<summary>
Do not audit attempts to use file descriptors for automount.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_write_pipes" lineno="103">
<summary>
Do not audit attempts to write automount daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_search_tmp_dirs" lineno="122">
<summary>
Allow domain to search automount temporary
directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="141">
<summary>
Do not audit attempts to get the attributes
of automount temporary directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="automount_admin" lineno="166">
<summary>
All of the rules required to administrate
an automount environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the automount domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="avahi" filename="policy/modules/services/avahi.if">
<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
<interface name="avahi_domtrans" lineno="13">
<summary>
Execute avahi server in the avahi domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="avahi_signal" lineno="32">
<summary>
Send avahi a signal
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="avahi_kill" lineno="50">
<summary>
Send avahi a kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_signull" lineno="68">
<summary>
Send avahi a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dbus_chat" lineno="87">
<summary>
Send and receive messages from
avahi over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_stream_connect" lineno="108">
<summary>
Connect to avahi using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="avahi_dontaudit_search_pid" lineno="127">
<summary>
Do not audit attempts to search the avahi pid directory.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="avahi_admin" lineno="152">
<summary>
All of the rules required to administrate
an avahi environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the avahi domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bacula" filename="policy/modules/services/bacula.if">
<summary>Cross platform network backup.</summary>
<interface name="bacula_domtrans_admin" lineno="14">
<summary>
Execute bacula admin in the bacula
admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bacula_run_admin" lineno="41">
<summary>
Execute user interfaces in the
bacula admin domain, and allow the
specified role the bacula admin domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bacula_admin" lineno="67">
<summary>
All of the rules required to
administrate a bacula environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bcfg2" filename="policy/modules/services/bcfg2.if">
<summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository</summary>
<interface name="bcfg2_domtrans" lineno="13">
<summary>
Execute bcfg2 in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="bcfg2_initrc_domtrans" lineno="32">
<summary>
Execute bcfg2 server in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_search_lib" lineno="50">
<summary>
Search bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_read_lib_files" lineno="69">
<summary>
Read bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_files" lineno="88">
<summary>
Manage bcfg2 lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_manage_lib_dirs" lineno="107">
<summary>
Manage bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bcfg2_admin" lineno="133">
<summary>
All of the rules required to administrate
a bcfg2 environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bind" filename="policy/modules/services/bind.if">
<summary>Berkeley internet name domain DNS server.</summary>
<interface name="bind_initrc_domtrans" lineno="13">
<summary>
Execute bind server in the bind domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_domtrans_ndc" lineno="31">
<summary>
Execute ndc in the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_signal" lineno="49">
<summary>
Send generic signals to BIND.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_signull" lineno="67">
<summary>
Send null signals to BIND.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_kill" lineno="85">
<summary>
Send BIND the kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_run_ndc" lineno="110">
<summary>
Execute ndc in the ndc domain, and
allow the specified role the ndc domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the bind domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bind_domtrans" lineno="129">
<summary>
Execute bind in the named domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_dnssec_keys" lineno="147">
<summary>
Read DNSSEC keys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_config" lineno="165">
<summary>
Read BIND named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_write_config" lineno="183">
<summary>
Write BIND named configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_config_dirs" lineno="203">
<summary>
Create, read, write, and delete
BIND configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_search_cache" lineno="221">
<summary>
Search the BIND cache directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_cache" lineno="243">
<summary>
Create, read, write, and delete
BIND cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_pid_dirs" lineno="264">
<summary>
Set the attributes of the BIND pid directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_log" lineno="282">
<summary>
Read BIND log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_setattr_zone_dirs" lineno="303">
<summary>
Set the attributes of the BIND zone directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_read_zone" lineno="321">
<summary>
Read BIND zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_manage_zone" lineno="340">
<summary>
Manage BIND zone files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_udp_chat_named" lineno="359">
<summary>
Send and receive datagrams to and from named.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bind_admin" lineno="380">
<summary>
All of the rules required to administrate
a bind environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the bind domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="named_bind_http_port" dftval="false">
<desc>
<p>
Allow BIND to bind to the Apache port.
</p>
</desc>
</tunable>
<tunable name="named_write_master_zones" dftval="false">
<desc>
<p>
Allow BIND to write the master zone files.
Generally this is used for dynamic DNS or zone transfers.
</p>
</desc>
</tunable>
</module>
<module name="bitlbee" filename="policy/modules/services/bitlbee.if">
<summary>Bitlbee service</summary>
<interface name="bitlbee_read_config" lineno="13">
<summary>
Read bitlbee configuration files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bitlbee_admin" lineno="40">
<summary>
All of the rules required to administrate
a bitlbee environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the bitlbee domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bluetooth" filename="policy/modules/services/bluetooth.if">
<summary>Bluetooth tools and system services.</summary>
<interface name="bluetooth_role" lineno="18">
<summary>
Role access for bluetooth
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="bluetooth_stream_connect" lineno="51">
<summary>
Connect to bluetooth over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_domtrans" lineno="71">
<summary>
Execute bluetooth in the bluetooth domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="bluetooth_read_config" lineno="89">
<summary>
Read bluetooth daemon configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dbus_chat" lineno="108">
<summary>
Send and receive messages from
bluetooth over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_dontaudit_dbus_chat" lineno="129">
<summary>
Do not audit attempts to send and receive messages from
bluetooth over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="bluetooth_domtrans_helper" lineno="149">
<summary>
Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="bluetooth_run_helper" lineno="175">
<summary>
Execute bluetooth_helper in the bluetooth_helper domain, and
allow the specified role the bluetooth_helper domain.  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the bluetooth_helper domain.
</summary>
</param>
<param name="terminal">
<summary>
The type of the terminal the bluetooth_helper domain is allowed to use.
</summary>
</param>
<rolecap/>
</interface>
<interface name="bluetooth_dontaudit_read_helper_state" lineno="189">
<summary>
Do not audit attempts to read bluetooth helper state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bluetooth_admin" lineno="215">
<summary>
All of the rules required to administrate
a bluetooth environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the bluetooth domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="boinc" filename="policy/modules/services/boinc.if">
<summary>policy for boinc</summary>
<interface name="boinc_domtrans" lineno="13">
<summary>
Execute a domain transition to run boinc.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="boinc_initrc_domtrans" lineno="31">
<summary>
Execute boinc server in the boinc domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="boinc_search_lib" lineno="49">
<summary>
Search boinc lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_read_lib_files" lineno="68">
<summary>
Read boinc lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_manage_lib_files" lineno="88">
<summary>
Create, read, write, and delete
boinc lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_manage_var_lib" lineno="107">
<summary>
Manage boinc var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="boinc_admin" lineno="134">
<summary>
All of the rules required to administrate
a boinc environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="bugzilla" filename="policy/modules/services/bugzilla.if">
<summary>Bugzilla server</summary>
<interface name="bugzilla_search_dirs" lineno="14">
<summary>
Allow the specified domain to search
bugzilla directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="bugzilla_dontaudit_rw_script_stream_sockets" lineno="33">
<summary>
Do not audit attempts to read and write
bugzilla script unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="cachefilesd" filename="policy/modules/services/cachefilesd.if">
<summary>policy for cachefilesd</summary>
<interface name="cachefilesd_domtrans" lineno="30">
<summary>
Execute a domain transition to run cachefilesd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="canna" filename="policy/modules/services/canna.if">
<summary>Canna - kana-kanji conversion server</summary>
<interface name="canna_stream_connect" lineno="13">
<summary>
Connect to Canna using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="canna_admin" lineno="39">
<summary>
All of the rules required to administrate
a canna environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the canna domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ccs" filename="policy/modules/services/ccs.if">
<summary>Cluster Configuration System</summary>
<interface name="ccs_domtrans" lineno="13">
<summary>
Execute a domain transition to run ccs.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ccs_stream_connect" lineno="31">
<summary>
Connect to ccs over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_read_config" lineno="50">
<summary>
Read cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ccs_manage_config" lineno="68">
<summary>
Manage cluster configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="certmaster" filename="policy/modules/services/certmaster.if">
<summary>Certmaster SSL certificate distribution service</summary>
<interface name="certmaster_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmaster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmaster_exec" lineno="31">
<summary>
Execute certmaster in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_read_log" lineno="50">
<summary>
Read certmaster logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_append_log" lineno="69">
<summary>
Append to certmaster logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_manage_log" lineno="89">
<summary>
Create, read, write, and delete
certmaster logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmaster_admin" lineno="116">
<summary>
All of the rules required to administrate
a certmaster environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the certmaster domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="certmonger" filename="policy/modules/services/certmonger.if">
<summary>Certificate status monitor and PKI enrollment client</summary>
<interface name="certmonger_domtrans" lineno="13">
<summary>
Execute a domain transition to run certmonger.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="certmonger_initrc_domtrans" lineno="32">
<summary>
Execute certmonger server in the certmonger domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="certmonger_read_pid_files" lineno="50">
<summary>
Read certmonger PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_manage_var_run" lineno="69">
<summary>
Manage certmonger var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_search_lib" lineno="90">
<summary>
Search certmonger lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_read_lib_files" lineno="109">
<summary>
Read certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_manage_lib_files" lineno="129">
<summary>
Create, read, write, and delete
certmonger lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_manage_var_lib" lineno="148">
<summary>
Manage certmonger var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_dontaudit_leaks" lineno="168">
<summary>
Do not audit certmonger leaked file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="certmonger_dbus_chat" lineno="189">
<summary>
Send and receive messages from
certmonger over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="certmonger_admin" lineno="216">
<summary>
All of the rules required to administrate
a certmonger environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cfengine" filename="policy/modules/services/cfengine.if">
<summary>policy for cfengine</summary>
<template name="cfengine_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
cfengine init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="cfengine_domtrans_server" lineno="40">
<summary>
Transition to cfengine.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cfengine_search_lib_files" lineno="59">
<summary>
Search cfengine lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_read_lib_files" lineno="77">
<summary>
Read cfengine lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_read_log" lineno="96">
<summary>
Allow the specified domain to read cfengine's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_append_inherited_log" lineno="117">
<summary>
Allow the specified domain to append cfengine's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cfengine_dontaudit_write_log" lineno="136">
<summary>
Do not audit attempts by the specified domain to write cfengine's log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="cgroup" filename="policy/modules/services/cgroup.if">
<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
<interface name="cgroup_domtrans_cgconfig" lineno="14">
<summary>
Execute a domain transition to run
CG config parser.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgconfig" lineno="34">
<summary>
Execute a domain transition to run
CG config parser.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_domtrans_cgred" lineno="54">
<summary>
Execute a domain transition to run
CG rules engine daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_initrc_domtrans_cgred" lineno="75">
<summary>
Execute a domain transition to run
CG rules engine daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cgroup_stream_connect" lineno="94">
<summary>
Connect to CG rules engine daemon
over unix stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cgroup_admin" lineno="120">
<summary>
All of the rules required to administrate
a cgroup environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="chronyd" filename="policy/modules/services/chronyd.if">
<summary>Chrony NTP background daemon</summary>
<interface name="chronyd_domtrans" lineno="13">
<summary>
Execute chronyd in the chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_initrc_domtrans" lineno="32">
<summary>
Execute chronyd server in the chronyd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_exec" lineno="50">
<summary>
Execute chronyd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_log" lineno="68">
<summary>
Read chronyd logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_rw_shm" lineno="87">
<summary>
Read and write chronyd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_read_keys" lineno="109">
<summary>
Read chronyd keys files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_append_keys" lineno="127">
<summary>
Append chronyd keys files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="chronyd_admin" lineno="152">
<summary>
All of the rules required to administrate
a chronyd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the chronyd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cipe" filename="policy/modules/services/cipe.if">
<summary>Encrypted tunnel daemon</summary>
</module>
<module name="clamav" filename="policy/modules/services/clamav.if">
<summary>ClamAV Virus Scanner</summary>
<interface name="clamav_domtrans" lineno="13">
<summary>
Execute a domain transition to run clamd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clamav_stream_connect" lineno="31">
<summary>
Connect to clamd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed to connect.
</summary>
</param>
</interface>
<interface name="clamav_append_log" lineno="50">
<summary>
Allow the specified domain to append
to clamav log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_config" lineno="70">
<summary>
Read clamav configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_search_lib" lineno="89">
<summary>
Search clamav libraries directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_read_state_clamd" lineno="108">
<summary>
Read clamd state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_domtrans_clamscan" lineno="127">
<summary>
Execute a domain transition to run clamscan.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_exec_clamscan" lineno="145">
<summary>
Execute clamscan without a transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clamav_admin" lineno="170">
<summary>
All of the rules required to administrate
a clamav environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the clamav domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="clamscan_can_scan_system" dftval="false">
<desc>
<p>
Allow clamscan to scan non-security files on a system.
</p>
</desc>
</tunable>
<tunable name="clamd_use_jit" dftval="false">
<desc>
<p>
Allow clamd to use JIT compiler
</p>
</desc>
</tunable>
</module>
<module name="clockspeed" filename="policy/modules/services/clockspeed.if">
<summary>Clockspeed simple network time protocol client</summary>
<interface name="clockspeed_domtrans_cli" lineno="13">
<summary>
Execute clockspeed utilities in the clockspeed_cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clockspeed_run_cli" lineno="37">
<summary>
Allow the specified role the clockspeed_cli domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the clockspeed_cli domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="clogd" filename="policy/modules/services/clogd.if">
<summary>clogd - clustered mirror log server</summary>
<interface name="clogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run clogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="clogd_stream_connect" lineno="34">
<summary>
Connect to clogd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clogd_rw_semaphores" lineno="53">
<summary>
Allow read and write access to clogd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="clogd_rw_shm" lineno="71">
<summary>
Read and write to group shared memory.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="cloudform" filename="policy/modules/services/cloudform.if">
<summary>cloudform policy</summary>
<template name="cloudform_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
cloudform daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="cloudform_exec_mongod" lineno="35">
<summary>
Execute mongod in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cmirrord" filename="policy/modules/services/cmirrord.if">
<summary>policy for cmirrord</summary>
<interface name="cmirrord_domtrans" lineno="13">
<summary>
Execute a domain transition to run cmirrord.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cmirrord_initrc_domtrans" lineno="31">
<summary>
Execute cmirrord server in the cmirrord domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cmirrord_read_pid_files" lineno="49">
<summary>
Read cmirrord PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cmirrord_rw_shm" lineno="68">
<summary>
Read and write to cmirrord shared memory.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cmirrord_admin" lineno="99">
<summary>
All of the rules required to administrate
a cmirrord environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cobbler" filename="policy/modules/services/cobbler.if">
<summary>Cobbler installation server.</summary>
<desc>
<p>
Cobbler is a Linux installation server that allows for
rapid setup of network installation environments. It
glues together and automates many associated Linux
tasks so you do not have to hop between lots of various
commands and applications when rolling out new systems,
and, in some cases, changing existing ones.
</p>
</desc>
<interface name="cobblerd_domtrans" lineno="23">
<summary>
Execute a domain transition to run cobblerd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobblerd_initrc_domtrans" lineno="42">
<summary>
Execute cobblerd server in the cobblerd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="cobbler_list_config" lineno="60">
<summary>
List Cobbler configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_read_config" lineno="79">
<summary>
Read Cobbler configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_search_lib" lineno="98">
<summary>
Search cobbler dirs in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_read_lib_files" lineno="118">
<summary>
Read cobbler files in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_manage_lib_files" lineno="139">
<summary>
Manage cobbler files in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cobbler_dontaudit_rw_log" lineno="161">
<summary>
Do not audit attempts to read and write
Cobbler log files (leaked fd).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cobblerd_admin" lineno="186">
<summary>
All of the rules required to administrate
a cobblerd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="cobbler_anon_write" dftval="false">
<desc>
<p>
Allow Cobbler to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="cobbler_can_network_connect" dftval="false">
<desc>
<p>
Allow Cobbler to connect to the
network using TCP.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_cifs" dftval="false">
<desc>
<p>
Allow Cobbler to access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="cobbler_use_nfs" dftval="false">
<desc>
<p>
Allow Cobbler to access nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="collectd" filename="policy/modules/services/collectd.if">
<summary>Statistics collection daemon for filling RRD files.</summary>
<interface name="collectd_domtrans" lineno="13">
<summary>
Transition to collectd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="collectd_initrc_domtrans" lineno="32">
<summary>
Execute collectd server in the collectd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_search_lib" lineno="50">
<summary>
Search collectd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_read_lib_files" lineno="69">
<summary>
Read collectd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_manage_lib_files" lineno="88">
<summary>
Manage collectd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_manage_lib_dirs" lineno="107">
<summary>
Manage collectd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="collectd_admin" lineno="133">
<summary>
All of the rules required to administrate
a collectd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="collectd_tcp_network_connect" dftval="false">
<desc>
<p>
Determine whether collectd can connect
to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="comsat" filename="policy/modules/services/comsat.if">
<summary>Comsat, a biff server.</summary>
</module>
<module name="condor" filename="policy/modules/services/condor.if">
<summary>policy for condor</summary>
<template name="condor_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
condor init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="condor_domtrans" lineno="44">
<summary>
Transition to condor.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="condor_read_log" lineno="63">
<summary>
Read condor's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="condor_append_log" lineno="82">
<summary>
Append to condor log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_log" lineno="101">
<summary>
Manage condor log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_search_lib" lineno="122">
<summary>
Search condor lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_read_lib_files" lineno="141">
<summary>
Read condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_rw_lib_files" lineno="159">
<summary>
Read and write condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_lib_files" lineno="178">
<summary>
Manage condor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_manage_lib_dirs" lineno="197">
<summary>
Manage condor lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_read_pid_files" lineno="216">
<summary>
Read condor PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_rw_tcp_sockets_startd" lineno="235">
<summary>
Read and write condor_startd server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_rw_tcp_sockets_schedd" lineno="253">
<summary>
Read and write condor_schedd server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="condor_startd_ranged_domtrans_to" lineno="283">
<summary>
Allow condor_startd to start userland processes
by transitioning to the specified domain,
with a range transition.
</summary>
<param name="domain">
<summary>
The process type entered by condor_startd.
</summary>
</param>
<param name="entrypoint">
<summary>
The executable type for the entrypoint.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
</interface>
<interface name="condor_startd_domtrans_to" lineno="312">
<summary>
Allow condor_startd to start userland processes
by transitioning to the specified domain.
</summary>
<param name="domain">
<summary>
The process type entered by condor_startd.
</summary>
</param>
<param name="entrypoint">
<summary>
The executable type for the entrypoint.
</summary>
</param>
</interface>
<interface name="condor_admin" lineno="331">
<summary>
All of the rules required to administrate
a condor environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="condor_domain_can_network_connect" dftval="false">
<desc>
<p>
Allow condor domain to connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="conman" filename="policy/modules/services/conman.if">
<summary>Conman is a program for connecting to remote consoles being managed by conmand</summary>
<interface name="conman_domtrans" lineno="13">
<summary>
Execute conman in the conman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="conman_read_log" lineno="32">
<summary>
Read conman's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conman_append_log" lineno="51">
<summary>
Append to conman log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="conman_manage_log" lineno="70">
<summary>
Manage conman log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="consolekit" filename="policy/modules/services/consolekit.if">
<summary>Framework for facilitating multiple user sessions on desktops.</summary>
<interface name="consolekit_domtrans" lineno="13">
<summary>
Execute a domain transition to run consolekit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="consolekit_dbus_chat" lineno="32">
<summary>
Send and receive messages from
consolekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_read_log" lineno="52">
<summary>
Read consolekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_dontaudit_read_log" lineno="71">
<summary>
Dontaudit attempts to read consolekit log files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="consolekit_manage_log" lineno="89">
<summary>
Manage consolekit log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_read_pid_files" lineno="108">
<summary>
Read consolekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="consolekit_dontaudit_stream_connect" lineno="128">
<summary>
Do not audit attempts to connect to consolekit
over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="corosync" filename="policy/modules/services/corosync.if">
<summary>SELinux policy for Corosync Cluster Engine</summary>
<interface name="corosync_domtrans" lineno="13">
<summary>
Execute a domain transition to run corosync.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_initrc_domtrans" lineno="31">
<summary>
Execute a domain transition to run corosync.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="corosync_exec" lineno="50">
<summary>
Execute corosync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_stream_connect" lineno="70">
<summary>
Connect to corosync over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_read_log" lineno="89">
<summary>
Allow the specified domain to read corosync's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosync_rw_tmpfs" lineno="109">
<summary>
Allow the specified domain to read/write corosync's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="corosyncd_admin" lineno="135">
<summary>
All of the rules required to administrate
a corosync environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the corosyncd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="courier" filename="policy/modules/services/courier.if">
<summary>Courier IMAP and POP3 email servers</summary>
<template name="courier_domain_template" lineno="13">
<summary>
Template for creating courier server processes.
</summary>
<param name="prefix">
<summary>
Prefix name of the server process.
</summary>
</param>
</template>
<interface name="courier_domtrans_authdaemon" lineno="97">
<summary>
Execute the courier authentication daemon with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_stream_connect_authdaemon" lineno="115">
<summary>
Connect to courier-authdaemon over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_domtrans_pop" lineno="135">
<summary>
Execute the courier POP3 and IMAP server with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_read_config" lineno="153">
<summary>
Read courier config files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_dirs" lineno="172">
<summary>
Create, read, write, and delete courier
spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_manage_spool_files" lineno="191">
<summary>
Create, read, write, and delete courier
spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_read_spool" lineno="209">
<summary>
Read courier spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="courier_rw_spool_pipes" lineno="227">
<summary>
Read and write to courier spool pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cpucontrol" filename="policy/modules/services/cpucontrol.if">
<summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
<interface name="cpucontrol_stub" lineno="13">
<summary>
CPUcontrol stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="cron" filename="policy/modules/services/cron.if">
<summary>Periodic execution of scheduled commands.</summary>
<template name="cron_common_crontab_template" lineno="14">
<summary>
The common rules for a crontab domain.
</summary>
<param name="userdomain_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<interface name="cron_role" lineno="131">
<summary>
Role access for cron
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="cron_unconfined_role" lineno="190">
<summary>
Role access for unconfined cronjobs
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="cron_admin_role" lineno="226">
<summary>
Role access for cron
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="cron_system_entry" lineno="289">
<summary>
Make the specified program domain accessible
from the system cron jobs.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="cron_domtrans" lineno="309">
<summary>
Execute cron in the cron system domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_exec" lineno="327">
<summary>
Execute crond_exec_t
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_initrc_domtrans" lineno="345">
<summary>
Execute crond server in the nscd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cron_use_fds" lineno="364">
<summary>
Inherit and use a file descriptor
from the cron daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_sigchld" lineno="382">
<summary>
Send a SIGCHLD signal to the cron daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_pipes" lineno="400">
<summary>
Read a cron daemon unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_pipes" lineno="418">
<summary>
Do not audit attempts to write cron daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_rw_pipes" lineno="436">
<summary>
Read and write a cron daemon unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_user_spool_files" lineno="454">
<summary>
Read and write inherited user spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_inherited_spool_files" lineno="472">
<summary>
Read and write inherited spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_tcp_sockets" lineno="490">
<summary>
Read and write cron daemon TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_rw_tcp_sockets" lineno="508">
<summary>
Do not audit attempts to read and write cron daemon TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_search_spool" lineno="526">
<summary>
Search the directory containing user cron tables.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cron_manage_pid_files" lineno="545">
<summary>
Manage pid files used by cron
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_anacron_domtrans_system_job" lineno="563">
<summary>
Execute anacron in the cron system domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_use_system_job_fds" lineno="582">
<summary>
Inherit and use a file descriptor
from system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_write_system_job_pipes" lineno="600">
<summary>
Write a system cron job unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_pipes" lineno="618">
<summary>
Read and write a system cron job unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_rw_system_job_stream_sockets" lineno="636">
<summary>
Allow read/write unix stream sockets from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_tmp_files" lineno="654">
<summary>
Read temporary files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="677">
<summary>
Do not audit attempts to append temporary
files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="696">
<summary>
Do not audit attempts to write temporary
files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cron_read_system_job_lib_files" lineno="716">
<summary>
Read lib files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cron_manage_system_job_lib_files" lineno="735">
<summary>
Manage files from the system cron jobs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="cron_can_relabel" dftval="false">
<desc>
<p>
Allow system cron jobs to relabel filesystem
for restoring file contexts.
</p>
</desc>
</tunable>
<tunable name="fcron_crond" dftval="false">
<desc>
<p>
Enable extra rules in the cron domain
to support fcron.
</p>
</desc>
</tunable>
</module>
<module name="ctdbd" filename="policy/modules/services/ctdbd.if">
<summary>policy for ctdbd</summary>
<interface name="ctdbd_domtrans" lineno="13">
<summary>
Transition to ctdbd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ctdbd_initrc_domtrans" lineno="32">
<summary>
Execute ctdbd server in the ctdbd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_log" lineno="51">
<summary>
Read ctdbd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ctdbd_append_log" lineno="70">
<summary>
Append to ctdbd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_log" lineno="89">
<summary>
Manage ctdbd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_search_lib" lineno="110">
<summary>
Search ctdbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_lib_files" lineno="129">
<summary>
Read ctdbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_lib_files" lineno="148">
<summary>
Manage ctdbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_manage_lib_dirs" lineno="167">
<summary>
Manage ctdbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_read_pid_files" lineno="186">
<summary>
Read ctdbd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_stream_connect" lineno="205">
<summary>
Connect to ctdbd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ctdbd_admin" lineno="232">
<summary>
All of the rules required to administrate
an ctdbd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cups" filename="policy/modules/services/cups.if">
<summary>Common UNIX printing system</summary>
<interface name="cups_backend" lineno="18">
<summary>
Set up cups to transition to the cups backend domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="entry_file">
<summary>
Type of the file to be used as an entry point to the cups backend domain.
</summary>
</param>
</interface>
<interface name="cups_domtrans" lineno="45">
<summary>
Execute cups in the cups domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cups_stream_connect" lineno="63">
<summary>
Connect to cupsd over an unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_tcp_connect" lineno="82">
<summary>
Connect to cups over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat" lineno="97">
<summary>
Send and receive messages from
cups over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_pid_files" lineno="117">
<summary>
Read cups PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_domtrans_config" lineno="136">
<summary>
Execute cups_config in the cups_config domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="cups_signal_config" lineno="155">
<summary>
Send generic signals to the cups
configuration daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_dbus_chat_config" lineno="174">
<summary>
Send and receive messages from
cupsd_config over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_read_config" lineno="195">
<summary>
Read cups configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_rw_config" lineno="216">
<summary>
Read cups-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_read_log" lineno="236">
<summary>
Read cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="cups_append_log" lineno="255">
<summary>
Append cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_write_log" lineno="274">
<summary>
Write cups log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_stream_connect_ptal" lineno="293">
<summary>
Connect to ptal over an unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cups_admin" lineno="319">
<summary>
All of the rules required to administrate
an cups environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the cups domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="cvs" filename="policy/modules/services/cvs.if">
<summary>Concurrent versions system</summary>
<interface name="cvs_read_data" lineno="13">
<summary>
Read the CVS data and metadata.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_exec" lineno="34">
<summary>
Allow the specified domain to execute cvs
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cvs_dontaudit_list_data" lineno="52">
<summary>
Do not audit attempts to list the CVS data and metadata.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="cvs_admin" lineno="77">
<summary>
All of the rules required to administrate
an cvs environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the cvs domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_cvs_read_shadow" dftval="false">
<desc>
<p>
Allow cvs daemon to read shadow
</p>
</desc>
</tunable>
</module>
<module name="cyphesis" filename="policy/modules/services/cyphesis.if">
<summary>Cyphesis WorldForge game server</summary>
<interface name="cyphesis_domtrans" lineno="13">
<summary>
Execute a domain transition to run cyphesis.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="cyrus" filename="policy/modules/services/cyrus.if">
<summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
<interface name="cyrus_manage_data" lineno="14">
<summary>
Allow caller to create, read, write,
and delete cyrus data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_write_data" lineno="34">
<summary>
Allow write cyrus data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_stream_connect" lineno="53">
<summary>
Connect to Cyrus using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="cyrus_admin" lineno="79">
<summary>
All of the rules required to administrate
an cyrus environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the cyrus domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dante" filename="policy/modules/services/dante.if">
<summary>Dante msproxy and socks4/5 proxy server</summary>
</module>
<module name="dbskk" filename="policy/modules/services/dbskk.if">
<summary>Dictionary server for the SKK Japanese input method system.</summary>
</module>
<module name="dbus" filename="policy/modules/services/dbus.if">
<summary>Desktop messaging bus</summary>
<interface name="dbus_stub" lineno="13">
<summary>
DBUS stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<template name="dbus_role_template" lineno="41">
<summary>
Role access for dbus
</summary>
<param name="role_prefix">
<summary>
The prefix of the user role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</template>
<interface name="dbus_system_bus_client" lineno="184">
<summary>
Template for creating connections to
the system DBUS.
</summary>
<param name="domain">
<summary>
The type of the domain.
</summary>
</param>
</interface>
<interface name="dbus_session_bus_client" lineno="216">
<summary>
Template for creating connections to
a user DBUS.
</summary>
<param name="domain">
<summary>
The type of the domain.
</summary>
</param>
</interface>
<interface name="dbus_send_session_bus" lineno="239">
<summary>
Send a message on the session DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_config" lineno="258">
<summary>
Read dbus configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_connect_session_bus" lineno="278">
<summary>
Connect to the session DBUS
for service (acquire_svc).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_connect_system_bus" lineno="298">
<summary>
Connect to the system DBUS
for service (acquire_svc).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_send_system_bus" lineno="317">
<summary>
Send a message on the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_system_bus_unconfined" lineno="336">
<summary>
Allow unconfined access to the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_session_domain" lineno="362">
<summary>
Allow an application domain to be started
by the session dbus.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an
entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_system_domain" lineno="389">
<summary>
Create a domain for processes
which can be started by the system dbus
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="439">
<summary>
Do not audit attempts to read and write system dbus TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dbus_unconfined" lineno="458">
<summary>
Allow unconfined access to the system DBUS.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_manage_lib_files" lineno="477">
<summary>
Create, read, write, and delete
system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dbus_read_lib_files" lineno="496">
<summary>
Read system dbus lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dcc" filename="policy/modules/services/dcc.if">
<summary>Distributed checksum clearinghouse spam filtering</summary>
<interface name="dcc_domtrans_cdcc" lineno="13">
<summary>
Execute cdcc in the cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_run_cdcc" lineno="39">
<summary>
Execute cdcc in the cdcc domain, and
allow the specified role the cdcc domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the cdcc domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_client" lineno="58">
<summary>
Execute dcc_client in the dcc_client domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_signal_client" lineno="77">
<summary>
Send a signal to the dcc_client.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_run_client" lineno="102">
<summary>
Execute dcc_client in the dcc_client domain, and
allow the specified role the dcc_client domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the dcc_client domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_domtrans_dbclean" lineno="121">
<summary>
Execute dbclean in the dcc_dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dcc_run_dbclean" lineno="147">
<summary>
Execute dbclean in the dcc_dbclean domain, and
allow the specified role the dcc_dbclean domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the dcc_dbclean domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dcc_stream_connect_dccifd" lineno="166">
<summary>
Connect to dccifd over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ddclient" filename="policy/modules/services/ddclient.if">
<summary>Update dynamic IP address at DynDNS.org.</summary>
<interface name="ddclient_domtrans" lineno="13">
<summary>
Execute ddclient in the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ddclient_run" lineno="40">
<summary>
Execute ddclient in the ddclient
domain, and allow the specified
role the ddclient domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ddclient_admin" lineno="66">
<summary>
All of the rules required to
administrate an ddclient environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="denyhosts" filename="policy/modules/services/denyhosts.if">
<summary>Deny Hosts.</summary>
<desc>
<p>
DenyHosts is a script intended to be run by Linux
system administrators to help thwart SSH server attacks
(also known as dictionary based attacks and brute force
attacks).
</p>
</desc>
<interface name="denyhosts_domtrans" lineno="21">
<summary>
Execute a domain transition to run denyhosts.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="denyhosts_initrc_domtrans" lineno="39">
<summary>
Execute denyhost server in the denyhost domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="denyhosts_admin" lineno="63">
<summary>
All of the rules required to administrate
an denyhosts environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="devicekit" filename="policy/modules/services/devicekit.if">
<summary>Devicekit modular hardware abstraction layer</summary>
<interface name="devicekit_domtrans" lineno="13">
<summary>
Execute a domain transition to run devicekit.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="devicekit_dgram_send" lineno="32">
<summary>
Send to devicekit over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat" lineno="51">
<summary>
Send and receive messages from
devicekit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_disk" lineno="72">
<summary>
Send and receive messages from
devicekit disk over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_signal_power" lineno="92">
<summary>
Send a signal to devicekit power.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dbus_chat_power" lineno="111">
<summary>
Send and receive messages from
devicekit power over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_read_pid_files" lineno="131">
<summary>
Read devicekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_manage_var_run" lineno="150">
<summary>
Manage devicekit var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_dontaudit_dbus_chat_disk" lineno="171">
<summary>
Do not audit attempts to send and receive messages from
devicekit disk over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="devicekit_manage_pid_files" lineno="191">
<summary>
Manage devicekit PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="devicekit_admin" lineno="212">
<summary>
All of the rules required to administrate
an devicekit environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dhcp" filename="policy/modules/services/dhcp.if">
<summary>Dynamic host configuration protocol (DHCP) server</summary>
<interface name="dhcpd_domtrans" lineno="13">
<summary>
Transition to dhcpd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dhcpd_setattr_state_files" lineno="33">
<summary>
Set the attributes of the DHCP
server state files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dhcpd_initrc_domtrans" lineno="53">
<summary>
Execute dhcp server in the dhcp domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="dhcpd_admin" lineno="78">
<summary>
All of the rules required to administrate
an dhcp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the dhcp domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dictd" filename="policy/modules/services/dictd.if">
<summary>Dictionary daemon</summary>
<interface name="dictd_tcp_connect" lineno="14">
<summary>
Use dictionary services by connecting
over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dictd_admin" lineno="35">
<summary>
All of the rules required to administrate
an dictd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the dictd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dirsrv-admin" filename="policy/modules/services/dirsrv-admin.if">
<summary>Administration Server for Directory Server, dirsrv-admin.</summary>
<interface name="dirsrvadmin_run_exec" lineno="13">
<summary>
Exec dirsrv-admin programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_run_httpd_script_exec" lineno="32">
<summary>
Exec cgi programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_read_config" lineno="51">
<summary>
Read dirsrv-adminserver configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_manage_config" lineno="69">
<summary>
Manage dirsrv-adminserver configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_read_tmp" lineno="88">
<summary>
Read dirsrv-adminserver tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_write_tmp" lineno="106">
<summary>
Write dirsrv-adminserver tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_manage_tmp" lineno="124">
<summary>
Manage dirsrv-adminserver tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrvadmin_domtrans_unconfined_script_t" lineno="143">
<summary>
Execute admin cgi programs in caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dirsrv" filename="policy/modules/services/dirsrv.if">
<summary>policy for dirsrv</summary>
<interface name="dirsrv_domtrans" lineno="13">
<summary>
Execute a domain transition to run dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="dirsrv_signal" lineno="36">
<summary>
Allow caller to signal dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_signull" lineno="55">
<summary>
Send a null signal to dirsrv.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_log" lineno="73">
<summary>
Allow a domain to manage dirsrv logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_lock" lineno="93">
<summary>
Allow a domain to manage dirsrv lock.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_filetrans_lock" lineno="112">
<summary>
Allow a domain to manage dirsrv logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_var_lib" lineno="130">
<summary>
Allow a domain to manage dirsrv /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_var_run" lineno="148">
<summary>
Allow a domain to manage dirsrv /var/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_pid_filetrans" lineno="167">
<summary>
Allow a domain to create dirsrv pid directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_read_var_run" lineno="185">
<summary>
Allow a domain to read dirsrv /var/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_manage_config" lineno="203">
<summary>
Manage dirsrv configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_read_share" lineno="222">
<summary>
Read dirsrv share files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dirsrv_stream_connect" lineno="242">
<summary>
Connect to dirsrv over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="distcc" filename="policy/modules/services/distcc.if">
<summary>Distributed compiler daemon</summary>
</module>
<module name="djbdns" filename="policy/modules/services/djbdns.if">
<summary>small and secure DNS daemon</summary>
<template name="djbdns_daemontools_domain_template" lineno="14">
<summary>
Create a set of derived types for djbdns
components that are directly supervised by daemontools.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="djbdns_search_key_tinydns" lineno="66">
<summary>
Allow search the djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="djbdns_link_key_tinydns" lineno="84">
<summary>
Allow link to the djbdns-tinydns key ring.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dkim" filename="policy/modules/services/dkim.if">
<summary>DomainKeys Identified Mail milter.</summary>
</module>
<module name="dnsmasq" filename="policy/modules/services/dnsmasq.if">
<summary>dnsmasq DNS forwarder and DHCP server</summary>
<interface name="dnsmasq_domtrans" lineno="14">
<summary>
Execute dnsmasq server in the dnsmasq domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="dnsmasq_exec" lineno="33">
<summary>
Execute dnsmasq server in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_initrc_domtrans" lineno="52">
<summary>
Execute the dnsmasq init script in the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_signal" lineno="71">
<summary>
Send dnsmasq a signal
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="dnsmasq_signull" lineno="90">
<summary>
Send dnsmasq a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_kill" lineno="109">
<summary>
Send dnsmasq a kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_config" lineno="127">
<summary>
Read dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_write_config" lineno="146">
<summary>
Write to dnsmasq config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_delete_pid_files" lineno="166">
<summary>
Delete dnsmasq pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_read_pid_files" lineno="185">
<summary>
Read dnsmasq pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_manage_pid_files" lineno="203">
<summary>
Manage dnsmasq pid files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_create_pid_dirs" lineno="222">
<summary>
Create dnsmasq pid dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dnsmasq_admin" lineno="248">
<summary>
All of the rules required to administrate
an dnsmasq environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the dnsmasq domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="dovecot" filename="policy/modules/services/dovecot.if">
<summary>Dovecot POP and IMAP mail server</summary>
<interface name="dovecot_stream_connect" lineno="13">
<summary>
Connect to dovecot unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_stream_connect_auth" lineno="33">
<summary>
Connect to dovecot auth unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dovecot_domtrans_deliver" lineno="51">
<summary>
Execute dovecot_deliver in the dovecot_deliver domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_manage_spool" lineno="69">
<summary>
Create, read, write, and delete the dovecot spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_dontaudit_unlink_lib_files" lineno="88">
<summary>
Do not audit attempts to delete dovecot lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dovecot_dontaudit_rw_tmp_files" lineno="107">
<summary>
Dontaudit attempts to read and write
dovecot tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dovecot_dontaudit_write_deliver_tmp_files" lineno="126">
<summary>
Do not audit attempts to write inherited
dovecot tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="dovecot_rw_pipes" lineno="145">
<summary>
Allow attempts to read and write to
dovecot unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dovecot_admin" lineno="170">
<summary>
All of the rules required to administrate
an dovecot environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the dovecot domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="drbd" filename="policy/modules/services/drbd.if">
<summary>policy for drbd</summary>
<interface name="drbd_domtrans" lineno="13">
<summary>
Execute a domain transition to run drbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_search_lib" lineno="31">
<summary>
Search drbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_read_lib_files" lineno="50">
<summary>
Read drbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_manage_lib_files" lineno="70">
<summary>
Create, read, write, and delete
drbd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_manage_lib_dirs" lineno="89">
<summary>
Manage drbd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="drbd_admin" lineno="110">
<summary>
All of the rules required to administrate
an drbd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="dspam" filename="policy/modules/services/dspam.if">
<summary>policy for dspam</summary>
<interface name="dspam_domtrans" lineno="14">
<summary>
Execute a domain transition to run dspam.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_initrc_domtrans" lineno="33">
<summary>
Execute dspam server in the dspam domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="dspam_read_log" lineno="52">
<summary>
Allow the specified domain to read dspam's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="dspam_append_log" lineno="72">
<summary>
Allow the specified domain to append
dspam log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_log" lineno="91">
<summary>
Allow domain to manage dspam log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_search_lib" lineno="112">
<summary>
Search dspam lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_read_lib_files" lineno="131">
<summary>
Read dspam lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_lib_files" lineno="151">
<summary>
Create, read, write, and delete
dspam lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_manage_lib_dirs" lineno="170">
<summary>
Manage dspam lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_read_pid_files" lineno="190">
<summary>
Read dspam PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_stream_connect" lineno="209">
<summary>
Connect to DSPAM using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="dspam_admin" lineno="237">
<summary>
All of the rules required to administrate
an dspam environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="exim" filename="policy/modules/services/exim.if">
<summary>Exim mail transfer agent</summary>
<interface name="exim_domtrans" lineno="13">
<summary>
Execute a domain transition to run exim.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="exim_initrc_domtrans" lineno="31">
<summary>
Execute exim in the exim domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="exim_dontaudit_read_tmp_files" lineno="50">
<summary>
Do not audit attempts to read
exim tmp files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="exim_read_tmp_files" lineno="68">
<summary>
Allow domain to read exim tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_pid_files" lineno="87">
<summary>
Read exim PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_log" lineno="107">
<summary>
Allow the specified domain to read exim's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_append_log" lineno="127">
<summary>
Allow the specified domain to append
exim log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_log" lineno="147">
<summary>
Allow the specified domain to manage exim's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="exim_manage_spool_dirs" lineno="167">
<summary>
Create, read, write, and delete
exim spool dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_read_spool_files" lineno="186">
<summary>
Read exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_manage_spool_files" lineno="207">
<summary>
Create, read, write, and delete
exim spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="exim_admin" lineno="232">
<summary>
All of the rules required to administrate
an exim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="exim_can_connect_db" dftval="false">
<desc>
<p>
Allow exim to connect to databases (postgres, mysql)
</p>
</desc>
</tunable>
<tunable name="exim_read_user_files" dftval="false">
<desc>
<p>
Allow exim to read unprivileged user files.
</p>
</desc>
</tunable>
<tunable name="exim_manage_user_files" dftval="false">
<desc>
<p>
Allow exim to create, read, write, and delete
unprivileged user files.
</p>
</desc>
</tunable>
</module>
<module name="fail2ban" filename="policy/modules/services/fail2ban.if">
<summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
<interface name="fail2ban_domtrans" lineno="13">
<summary>
Execute a domain transition to run fail2ban.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fail2ban_stream_connect" lineno="32">
<summary>
Connect to fail2ban over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_rw_stream_sockets" lineno="51">
<summary>
Read and write to a fail2ban unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_lib_files" lineno="69">
<summary>
Read fail2ban lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_log" lineno="89">
<summary>
Allow the specified domain to read fail2ban's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fail2ban_append_log" lineno="110">
<summary>
Allow the specified domain to append
fail2ban log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_read_pid_files" lineno="130">
<summary>
Read fail2ban PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fail2ban_dontaudit_leaks" lineno="149">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="fail2ban_admin" lineno="176">
<summary>
All of the rules required to administrate
an fail2ban environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the fail2ban domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="fail2ban_rw_inherited_tmp_files" lineno="207">
<summary>
Read and write inherited temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="fcoemon" filename="policy/modules/services/fcoemon.if">
<summary>policy for fcoemon</summary>
<interface name="fcoemon_domtrans" lineno="13">
<summary>
Transition to fcoemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fcoemon_read_pid_files" lineno="33">
<summary>
Read fcoemon PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fcoemon_dgram_send" lineno="52">
<summary>
Send to a fcoemon unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="fcoemon_admin" lineno="71">
<summary>
All of the rules required to administrate
an fcoemon environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="fetchmail" filename="policy/modules/services/fetchmail.if">
<summary>Remote-mail retrieval and forwarding utility</summary>
<interface name="fetchmail_admin" lineno="15">
<summary>
All of the rules required to administrate
an fetchmail environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="finger" filename="policy/modules/services/finger.if">
<summary>Finger user information service.</summary>
<interface name="finger_domtrans" lineno="13">
<summary>
Execute fingerd in the fingerd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="finger_tcp_connect" lineno="31">
<summary>
Allow the specified domain to connect to fingerd with a tcp socket.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="fprintd" filename="policy/modules/services/fprintd.if">
<summary>DBus fingerprint reader service</summary>
<interface name="fprintd_domtrans" lineno="13">
<summary>
Execute a domain transition to run fprintd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="fprintd_dbus_chat" lineno="32">
<summary>
Send and receive messages from
fprintd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="freeipmi" filename="policy/modules/services/freeipmi.if">
<summary>Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification</summary>
<template name="freeipmi_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
freeipmi init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="freeipmi_stream_connect" lineno="67">
<summary>
Connect to freeipmi domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="ftp" filename="policy/modules/services/ftp.if">
<summary>File transfer protocol service</summary>
<interface name="ftp_domtrans" lineno="13">
<summary>
Execute a domain transition to run ftpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ftp_initrc_domtrans" lineno="33">
<summary>
Execute ftpd server in the ftpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ftp_tcp_connect" lineno="51">
<summary>
Use ftp by connecting over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_read_config" lineno="65">
<summary>
Read ftpd etc files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_check_exec" lineno="84">
<summary>
Execute FTP daemon entry point programs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_read_log" lineno="103">
<summary>
Read FTP transfer logs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_domtrans_ftpdctl" lineno="122">
<summary>
Execute the ftpdctl program in the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_run_ftpdctl" lineno="147">
<summary>
Execute the ftpdctl program in the ftpdctl domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ftpdctl domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ftp_dyntransition_sftpd" lineno="166">
<summary>
Allow domain dyntransition to chroot_user_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ftp_admin" lineno="192">
<summary>
All of the rules required to administrate
an ftp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ftp domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_ftpd_anon_write" dftval="false">
<desc>
<p>
Allow ftp servers to upload files,  used for public file
transfer services. Directories must be labeled
public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="allow_ftpd_full_access" dftval="false">
<desc>
<p>
Allow ftp servers to login to local users and
read/write all files on the system, governed by DAC.
</p>
</desc>
</tunable>
<tunable name="allow_ftpd_use_cifs" dftval="false">
<desc>
<p>
Allow ftp servers to use cifs
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="ftpd_use_fusefs" dftval="false">
<desc>
<p>
Allow ftpd to use ntfs/fusefs volumes.
</p>
</desc>
</tunable>
<tunable name="allow_ftpd_use_nfs" dftval="false">
<desc>
<p>
Allow ftp servers to use nfs
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="ftpd_connect_db" dftval="false">
<desc>
<p>
Allow ftp servers to connect to a mysql database.
</p>
</desc>
</tunable>
<tunable name="ftp_home_dir" dftval="false">
<desc>
<p>
Allow ftp to read and write files in the user home directories
</p>
</desc>
</tunable>
<tunable name="ftpd_use_passive_mode" dftval="false">
<desc>
<p>
Allow ftp servers to bind to all unreserved ports for passive mode.
</p>
</desc>
</tunable>
</module>
<module name="gatekeeper" filename="policy/modules/services/gatekeeper.if">
<summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
</module>
<module name="git" filename="policy/modules/services/git.if">
<summary>GIT revision control system.</summary>
<template name="git_role" lineno="18">
<summary>
Role access for Git session.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
User domain for the role.
</summary>
</param>
</template>
<interface name="git_read_generic_sys_content_files" lineno="60">
<summary>
Read generic system content files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="git_cgi_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_cgi_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git CGI
can access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="git_session_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Determine whether Git session daemon
can bind TCP sockets to all
unreserved ports.
</p>
</desc>
</tunable>
<tunable name="git_session_users" dftval="false">
<desc>
<p>
Determine whether calling user domains
can execute Git daemon in the
git_session_t domain.
</p>
</desc>
</tunable>
<tunable name="git_system_enable_homedirs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can search home directories.
</p>
</desc>
</tunable>
<tunable name="git_system_use_cifs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access cifs file systems.
</p>
</desc>
</tunable>
<tunable name="git_system_use_nfs" dftval="false">
<desc>
<p>
Determine whether Git system daemon
can access nfs file systems.
</p>
</desc>
</tunable>
</module>
<module name="glance" filename="policy/modules/services/glance.if">
<summary>policy for glance</summary>
<interface name="glance_domtrans_registry" lineno="13">
<summary>
Transition to glance registry.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_domtrans_api" lineno="32">
<summary>
Transition to glance api.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glance_read_log" lineno="52">
<summary>
Read glance's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="glance_append_log" lineno="71">
<summary>
Append to glance log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_log" lineno="90">
<summary>
Manage glance log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_search_lib" lineno="111">
<summary>
Search glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_lib_files" lineno="130">
<summary>
Read glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_files" lineno="149">
<summary>
Manage glance lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_lib_dirs" lineno="168">
<summary>
Manage glance lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_read_pid_files" lineno="188">
<summary>
Read glance PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_manage_pid_files" lineno="207">
<summary>
Manage glance PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glance_admin" lineno="234">
<summary>
All of the rules required to administrate
an glance environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="glusterd" filename="policy/modules/services/glusterd.if">
<summary>policy for glusterd</summary>
<interface name="glusterd_domtrans" lineno="14">
<summary>
Transition to glusterd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="glusterd_initrc_domtrans" lineno="34">
<summary>
Execute glusterd server in the glusterd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glusterd_read_log" lineno="54">
<summary>
Read glusterd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="glusterd_append_log" lineno="73">
<summary>
Append to glusterd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glusterd_manage_log" lineno="92">
<summary>
Manage glusterd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="glusterd_admin" lineno="120">
<summary>
All of the rules required to administrate
an glusterd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="gluster_anon_write" dftval="false">
<desc>
<p>
Allow glusterfsd to modify public files used for public file
transfer services.  Files/Directories must be labeled
public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="gluster_export_all_ro" dftval="false">
<desc>
<p>
Allow glusterfsd to share any file/directory read only.
</p>
</desc>
</tunable>
<tunable name="gluster_export_all_rw" dftval="true">
<desc>
<p>
Allow glusterfsd to share any file/directory read/write.
</p>
</desc>
</tunable>
</module>
<module name="gnomeclock" filename="policy/modules/services/gnomeclock.if">
<summary>Gnome clock handler for setting the time.</summary>
<interface name="gnomeclock_domtrans" lineno="13">
<summary>
Execute a domain transition to run gnomeclock.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gnomeclock_run" lineno="37">
<summary>
Execute gnomeclock in the gnomeclock domain, and
allow the specified role the gnomeclock domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the gnomeclock domain.
</summary>
</param>
</interface>
<interface name="gnomeclock_dbus_chat" lineno="57">
<summary>
Send and receive messages from
gnomeclock over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gnomeclock_dontaudit_dbus_chat" lineno="78">
<summary>
Do not audit send and receive messages from
gnomeclock over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
</module>
<module name="gpm" filename="policy/modules/services/gpm.if">
<summary>General Purpose Mouse driver</summary>
<interface name="gpm_stream_connect" lineno="14">
<summary>
Connect to GPM over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_getattr_gpmctl" lineno="34">
<summary>
Get the attributes of the GPM
control channel named socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="gpm_dontaudit_getattr_gpmctl" lineno="55">
<summary>
Do not audit attempts to get the
attributes of the GPM control channel
named socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="gpm_setattr_gpmctl" lineno="74">
<summary>
Set the attributes of the GPM
control channel named socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="gpsd" filename="policy/modules/services/gpsd.if">
<summary>gpsd monitor daemon</summary>
<interface name="gpsd_domtrans" lineno="13">
<summary>
Execute a domain transition to run gpsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="gpsd_run" lineno="37">
<summary>
Execute gpsd in the gpsd domain, and
allow the specified role the gpsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the gpsd domain.
</summary>
</param>
</interface>
<interface name="gpsd_rw_shm" lineno="56">
<summary>
Read and write gpsd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="hal" filename="policy/modules/services/hal.if">
<summary>Hardware abstraction layer</summary>
<interface name="hal_domtrans" lineno="13">
<summary>
Execute hal in the hal domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_getattr" lineno="31">
<summary>
Get the attributes of a hal process.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_read_state" lineno="49">
<summary>
Read hal system state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_ptrace" lineno="68">
<summary>
Allow ptrace of hal domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_use_fds" lineno="86">
<summary>
Allow domain to use file descriptors from hal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_use_fds" lineno="104">
<summary>
Do not audit attempts to use file descriptors from hal.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hal_rw_pipes" lineno="123">
<summary>
Allow attempts to read and write to
hald unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_rw_pipes" lineno="142">
<summary>
Do not audit attempts to read and write to
hald unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hal_dgram_send" lineno="161">
<summary>
Send to hal over a unix domain
datagram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_stream_connect" lineno="180">
<summary>
Connect to hal over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_rw_dgram_sockets" lineno="198">
<summary>
Dontaudit read/write to a hal unix datagram socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hal_dbus_send" lineno="216">
<summary>
Send a dbus message to hal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dbus_chat" lineno="236">
<summary>
Send and receive messages from
hal over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_domtrans_mac" lineno="256">
<summary>
Execute hal mac in the hal mac domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_write_log" lineno="275">
<summary>
Allow attempts to write the hal
log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_write_log" lineno="295">
<summary>
Do not audit attempts to write the hal
log files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="hal_rw_log" lineno="313">
<summary>
Read and write hald log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_manage_log" lineno="331">
<summary>
Manage hald log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_read_tmp_files" lineno="351">
<summary>
Read hald tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_append_lib_files" lineno="370">
<summary>
Do not audit attempts to read or write
HAL libraries files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hal_read_pid_files" lineno="388">
<summary>
Read hald PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_dontaudit_read_pid_files" lineno="408">
<summary>
Do not audit attempts to read
hald PID files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="hal_rw_pid_files" lineno="427">
<summary>
Read/Write hald PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_manage_pid_dirs" lineno="446">
<summary>
Manage hald PID dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hal_manage_pid_files" lineno="465">
<summary>
Manage hald PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="hddtemp" filename="policy/modules/services/hddtemp.if">
<summary>hddtemp hard disk temperature tool running as a daemon</summary>
<interface name="hddtemp_domtrans" lineno="13">
<summary>
Execute hddtemp in the hddtemp domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hddtemp_exec" lineno="32">
<summary>
Execute hddtemp
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="howl" filename="policy/modules/services/howl.if">
<summary>Port of Apple Rendezvous multicast DNS</summary>
<interface name="howl_signal" lineno="13">
<summary>
Send generic signals to howl.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="hypervkvp" filename="policy/modules/services/hypervkvp.if">
<summary>policy for hypervkvp</summary>
<interface name="hypervkvp_domtrans" lineno="13">
<summary>
Execute hypervkvpd in the hypervkvp domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="hypervkvp_search_lib" lineno="32">
<summary>
Search hypervkvp lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hypervkvp_read_lib_files" lineno="51">
<summary>
Read hypervkvp lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="hypervkvp_manage_lib_files" lineno="72">
<summary>
Create, read, write, and delete
hypervkvp lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="i18n_input" filename="policy/modules/services/i18n_input.if">
<summary>IIIMF htt server</summary>
<interface name="i18n_use" lineno="13">
<summary>
Use i18n_input over a TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="icecast" filename="policy/modules/services/icecast.if">
<summary> ShoutCast compatible streaming media server</summary>
<interface name="icecast_domtrans" lineno="13">
<summary>
Execute a domain transition to run icecast.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="icecast_signal" lineno="31">
<summary>
Allow domain signal icecast
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_initrc_domtrans" lineno="49">
<summary>
Execute icecast server in the icecast domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_read_pid_files" lineno="67">
<summary>
Read icecast PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_pid_files" lineno="86">
<summary>
Manage icecast pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_read_log" lineno="106">
<summary>
Allow the specified domain to read icecast's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="icecast_append_log" lineno="126">
<summary>
Allow the specified domain to append
icecast log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_manage_log" lineno="145">
<summary>
Allow domain to manage icecast log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="icecast_admin" lineno="171">
<summary>
All of the rules required to administrate
an icecast environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="icecast_connect_any" dftval="false">
<desc>
<p>
Determine whether icecast can listen
on and connect to any TCP port.
</p>
</desc>
</tunable>
</module>
<module name="ifplugd" filename="policy/modules/services/ifplugd.if">
<summary>Bring up/down ethernet interfaces based on cable detection.</summary>
<interface name="ifplugd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ifplugd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ifplugd_signal" lineno="31">
<summary>
Send a generic signal to ifplugd
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_config" lineno="49">
<summary>
Read ifplugd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_manage_config" lineno="68">
<summary>
Manage ifplugd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_read_pid_files" lineno="88">
<summary>
Read ifplugd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ifplugd_admin" lineno="114">
<summary>
All of the rules required to administrate
an ifplugd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ifplugd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="imaze" filename="policy/modules/services/imaze.if">
<summary>iMaze game server</summary>
</module>
<module name="inetd" filename="policy/modules/services/inetd.if">
<summary>Internet services daemon.</summary>
<interface name="inetd_core_service_domain" lineno="27">
<summary>
Define the specified domain as a inetd service.
</summary>
<desc>
<p>
Define the specified domain as a inetd service.  The
inetd_service_domain(), inetd_tcp_service_domain(),
or inetd_udp_service_domain() interfaces should be used
instead of this interface, as this interface only provides
the common rules to these three interfaces.
</p>
</desc>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_tcp_service_domain" lineno="61">
<summary>
Define the specified domain as a TCP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_udp_service_domain" lineno="87">
<summary>
Define the specified domain as a UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_service_domain" lineno="112">
<summary>
Define the specified domain as a TCP and UDP inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="inetd_use_fds" lineno="138">
<summary>
Inherit and use file descriptors from inetd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_tcp_connect" lineno="156">
<summary>
Connect to the inetd service using a TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_domtrans_child" lineno="170">
<summary>
Run inetd child process in the inet child domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inetd_udp_send" lineno="189">
<summary>
Send UDP network traffic to inetd.  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="inetd_rw_tcp_sockets" lineno="203">
<summary>
Read and write inetd TCP sockets.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="inn" filename="policy/modules/services/inn.if">
<summary>Internet News NNTP server</summary>
<interface name="inn_exec" lineno="14">
<summary>
Allow the specified domain to execute innd
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_exec_config" lineno="33">
<summary>
Allow the specified domain to execute
inn configuration files in /etc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_log" lineno="51">
<summary>
Create, read, write, and delete the innd log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_manage_pid" lineno="70">
<summary>
Create, read, write, and delete the innd pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_config" lineno="91">
<summary>
Read innd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_lib" lineno="111">
<summary>
Read innd news library files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_read_news_spool" lineno="131">
<summary>
Read innd news spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_dgram_send" lineno="151">
<summary>
Send to a innd unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_domtrans" lineno="169">
<summary>
Execute inn in the inn domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="inn_admin" lineno="195">
<summary>
All of the rules required to administrate
an inn environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the inn domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ircd" filename="policy/modules/services/ircd.if">
<summary>IRC server</summary>
</module>
<module name="irqbalance" filename="policy/modules/services/irqbalance.if">
<summary>IRQ balancing daemon</summary>
</module>
<module name="isns" filename="policy/modules/services/isns.if">
<summary>Internet Storage Name Service.</summary>
<interface name="isnsd_admin" lineno="20">
<summary>
All of the rules required to
administrate an isnsd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="jabber" filename="policy/modules/services/jabber.if">
<summary>Jabber instant messaging server</summary>
<interface name="jabber_domtrans_jabberd" lineno="13">
<summary>
Execute a domain transition to run jabberd services
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jabber_domtrans_router" lineno="31">
<summary>
Execute a domain transition to run jabberd router service
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="jabberd_read_lib_files" lineno="49">
<summary>
Read jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jabberd_dontaudit_read_lib_files" lineno="68">
<summary>
Dontaudit inherited read jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="jabberd_manage_lib_files" lineno="87">
<summary>
Create, read, write, and delete
jabberd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="jabber_admin" lineno="113">
<summary>
All of the rules required to administrate
an jabber environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the jabber domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="keepalived" filename="policy/modules/services/keepalived.if">
<summary> keepalived - load-balancing and high-availability service</summary>
<interface name="keepalived_domtrans" lineno="13">
<summary>
Execute keepalived in the keepalived domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="kerberos" filename="policy/modules/services/kerberos.if">
<summary>MIT Kerberos admin and KDC</summary>
<desc>
<p>
This policy supports:
</p>
<p>
Servers:
<ul>
<li>kadmind</li>
<li>krb5kdc</li>
</ul>
</p>
<p>
Clients:
<ul>
<li>kinit</li>
<li>kdestroy</li>
<li>klist</li>
<li>ksu (incomplete)</li>
</ul>
</p>
</desc>
<interface name="kerberos_exec_kadmind" lineno="34">
<summary>
Execute kadmind in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_domtrans_kpropd" lineno="52">
<summary>
Execute a domain transition to run kpropd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerberos_use" lineno="70">
<summary>
Use kerberos services
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_read_config" lineno="131">
<summary>
Read the kerberos configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_dontaudit_write_config" lineno="152">
<summary>
Do not audit attempts to write the kerberos
configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerberos_rw_config" lineno="171">
<summary>
Read and write the kerberos configuration file (/etc/krb5.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_read_keytab" lineno="191">
<summary>
Read the kerberos key table.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_rw_keytab" lineno="210">
<summary>
Read/Write the kerberos key table.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_etc_filetrans_keytab" lineno="229">
<summary>
Create keytab file in /etc
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="kerberos_keytab_template" lineno="253">
<summary>
Create a derived type for kerberos keytab
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="kerberos_read_kdc_config" lineno="274">
<summary>
Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_manage_host_rcache" lineno="294">
<summary>
Manage the kerberos host rcache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="kerberos_connect_524" lineno="327">
<summary>
Connect to krb524 service
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerberos_admin" lineno="356">
<summary>
All of the rules required to administrate
an kerberos environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the kerberos domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_tmp_filetrans_host_rcache" lineno="413">
<summary>
Type transition files created in /tmp
to the krb5_host_rcache type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="kerberos_read_home_content" lineno="431">
<summary>
read kerberos homedir content (.k5login)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<tunable name="allow_kerberos" dftval="false">
<desc>
<p>
Allow confined applications to run with kerberos.
</p>
</desc>
</tunable>
</module>
<module name="kerneloops" filename="policy/modules/services/kerneloops.if">
<summary>Service for reporting kernel oopses to kerneloops.org</summary>
<interface name="kerneloops_domtrans" lineno="13">
<summary>
Execute a domain transition to run kerneloops.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="kerneloops_dbus_chat" lineno="33">
<summary>
Send and receive messages from
kerneloops over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_dontaudit_dbus_chat" lineno="54">
<summary>
Do not audit attempts to send and receive messages from
kerneloops over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="kerneloops_manage_tmp_files" lineno="74">
<summary>
Allow domain to manage kerneloops tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="kerneloops_admin" lineno="100">
<summary>
All of the rules required to administrate
an kerneloops environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the kerneloops domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="keystone" filename="policy/modules/services/keystone.if">
<summary>policy for keystone</summary>
<interface name="keystone_domtrans" lineno="13">
<summary>
Transition to keystone.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="keystone_read_log" lineno="32">
<summary>
Read keystone's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="keystone_append_log" lineno="51">
<summary>
Append to keystone log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_log" lineno="70">
<summary>
Manage keystone log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_search_lib" lineno="91">
<summary>
Search keystone lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_read_lib_files" lineno="110">
<summary>
Read keystone lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_lib_files" lineno="129">
<summary>
Manage keystone lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_manage_lib_dirs" lineno="148">
<summary>
Manage keystone lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="keystone_admin" lineno="174">
<summary>
All of the rules required to administrate
an keystone environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ksmtuned" filename="policy/modules/services/ksmtuned.if">
<summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
<interface name="ksmtuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run ksmtuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ksmtuned_initrc_domtrans" lineno="31">
<summary>
Execute ksmtuned server in the ksmtuned domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ksmtuned_admin" lineno="56">
<summary>
All of the rules required to administrate
an ksmtuned environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ktalk" filename="policy/modules/services/ktalk.if">
<summary>KDE Talk daemon</summary>
</module>
<module name="l2tpd" filename="policy/modules/services/l2tpd.if">
<summary>Layer 2 Tunneling Protocol daemons.</summary>
<interface name="l2tpd_domtrans" lineno="13">
<summary>
Transition to l2tpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="l2tpd_initrc_domtrans" lineno="32">
<summary>
Execute l2tpd server in the l2tpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_dgram_send" lineno="50">
<summary>
Send to l2tpd via a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_rw_socket" lineno="69">
<summary>
Read and write l2tpd sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_read_pid_files" lineno="87">
<summary>
Read l2tpd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_stream_connect" lineno="107">
<summary>
Connect to l2tpd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_rw_pipes" lineno="127">
<summary>
Read and write l2tpd unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="l2tpd_admin" lineno="152">
<summary>
All of the rules required to administrate
an l2tpd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ldap" filename="policy/modules/services/ldap.if">
<summary>OpenLDAP directory server</summary>
<interface name="ldap_domtrans" lineno="13">
<summary>
Execute OpenLDAP in the ldap domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ldap_initrc_domtrans" lineno="32">
<summary>
Execute OpenLDAP server in the ldap domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ldap_list_db" lineno="52">
<summary>
Read the contents of the OpenLDAP
database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_read_db_files" lineno="71">
<summary>
Read the contents of the OpenLDAP
database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_read_config" lineno="90">
<summary>
Read the OpenLDAP configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ldap_use" lineno="109">
<summary>
Use LDAP over TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_stream_connect" lineno="123">
<summary>
Connect to slapd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_stream_connect_dirsrv" lineno="146">
<summary>
Connect to dirsrv over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ldap_admin" lineno="172">
<summary>
All of the rules required to administrate
an ldap environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ldap domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="likewise" filename="policy/modules/services/likewise.if">
<summary>Likewise Active Directory support for UNIX.</summary>
<desc>
<p>
Likewise Open is a free, open source application that joins Linux, Unix,
and Mac machines to Microsoft Active Directory to securely authenticate
users with their domain credentials.
</p>
</desc>
<template name="likewise_domain_template" lineno="26">
<summary>
The template to define a likewise domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new likewise daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used.
</summary>
</param>
</template>
<interface name="likewise_stream_connect_lsassd" lineno="98">
<summary>
Connect to lsassd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="lircd" filename="policy/modules/services/lircd.if">
<summary>Linux infrared remote control daemon</summary>
<interface name="lircd_domtrans" lineno="13">
<summary>
Execute a domain transition to run lircd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lircd_stream_connect" lineno="33">
<summary>
Connect to lircd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lircd_read_config" lineno="52">
<summary>
Read lircd etc file
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="lircd_admin" lineno="77">
<summary>
All of the rules required to administrate
a lircd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the lircd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="lldpad" filename="policy/modules/services/lldpad.if">
<summary>Intel LLDP Agent.</summary>
<interface name="lldpad_domtrans" lineno="13">
<summary>
Transition to lldpad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lldpad_dgram_send" lineno="32">
<summary>
Send to lldpad with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lldpad_dgram_recv" lineno="51">
<summary>
Recv to lldpad with a unix dgram socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lldpad_admin" lineno="77">
<summary>
All of the rules required to
administrate an lldpad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="lpd" filename="policy/modules/services/lpd.if">
<summary>Line printer daemon</summary>
<interface name="lpd_role" lineno="18">
<summary>
Role access for lpd
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="lpd_domtrans_checkpc" lineno="47">
<summary>
Execute lpd in the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_run_checkpc" lineno="72">
<summary>
Execute checkpc in the lpd domain, and
allow the specified role the lpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the lpd domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="lpd_list_spool" lineno="91">
<summary>
List the contents of the printer spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_spool" lineno="110">
<summary>
Read the printer spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_manage_spool" lineno="129">
<summary>
Create, read, write, and delete printer spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_relabel_spool" lineno="150">
<summary>
Relabel from and to the spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="lpd_read_config" lineno="170">
<summary>
Read lpd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<template name="lpd_domtrans_lpr" lineno="189">
<summary>
Transition to a user lpr domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="lpd_exec_lpr" lineno="208">
<summary>
Allow the specified domain to execute lpr
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="use_lpd_server" dftval="false">
<desc>
<p>
Use lpd server instead of cups
</p>
</desc>
</tunable>
</module>
<module name="lsm" filename="policy/modules/services/lsm.if">
<summary>libStorageMgmt  plug-in  daemon </summary>
<interface name="lsmd_domtrans" lineno="13">
<summary>
Execute TEMPLATE in the lsmd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="lsmd_read_pid_files" lineno="31">
<summary>
Read lsmd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="lsmd_plugin_connect_any" dftval="false">
<desc>
<p>
Determine whether lsmd_plugin can
connect to all TCP ports.
</p>
</desc>
</tunable>
</module>
<module name="mailman" filename="policy/modules/services/mailman.if">
<summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
<template name="mailman_domain_template" lineno="19">
<summary>
The template to define a mailman domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new mailman daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used, e.g., cgi would give mailman_cgi_
</summary>
</param>
</template>
<interface name="mailman_domtrans" lineno="103">
<summary>
Execute mailman in the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_run" lineno="127">
<summary>
Execute the mailman program in the mailman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to allow the mailman domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mailman_domtrans_cgi" lineno="147">
<summary>
Execute mailman CGI scripts in the
mailman CGI domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mailman_exec" lineno="165">
<summary>
Execute mailman in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_signal_cgi" lineno="183">
<summary>
Send generic signals to the mailman cgi domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_search_data" lineno="201">
<summary>
Allow domain to search data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_files" lineno="219">
<summary>
Allow domain to read mailman data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_data_files" lineno="240">
<summary>
Allow domain to create mailman data files
and write the directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_list_data" lineno="259">
<summary>
List the contents of mailman data directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_data_symlinks" lineno="277">
<summary>
Allow read access to mailman data symbolic links.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_log" lineno="295">
<summary>
Read mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_append_log" lineno="313">
<summary>
Append to mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_manage_log" lineno="332">
<summary>
Create, read, write, and delete
mailman logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_read_archive" lineno="351">
<summary>
Allow domain to read mailman archive files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mailman_domtrans_queue" lineno="371">
<summary>
Execute mailman_queue in the mailman_queue domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="matahari" filename="policy/modules/services/matahari.if">
<summary>policy for matahari</summary>
<template name="matahari_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
matahari init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="matahari_search_lib" lineno="39">
<summary>
Search matahari lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_read_lib_files" lineno="58">
<summary>
Read matahari lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_manage_lib_files" lineno="78">
<summary>
Create, read, write, and delete
matahari lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_manage_lib_dirs" lineno="97">
<summary>
Manage matahari lib dirs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_read_pid_files" lineno="116">
<summary>
Read matahari PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_manage_pid_files" lineno="135">
<summary>
Read matahari PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_hostd_domtrans" lineno="154">
<summary>
Execute a domain transition to run matahari_hostd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_netd_domtrans" lineno="172">
<summary>
Execute a domain transition to run matahari_netd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_serviced_domtrans" lineno="190">
<summary>
Execute a domain transition to run matahari_serviced.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="matahari_admin" lineno="215">
<summary>
All of the rules required to administrate
a matahari environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="memcached" filename="policy/modules/services/memcached.if">
<summary>high-performance memory object caching system</summary>
<interface name="memcached_domtrans" lineno="13">
<summary>
Execute a domain transition to run memcached.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="memcached_read_pid_files" lineno="32">
<summary>
Read memcached PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_admin" lineno="58">
<summary>
All of the rules required to administrate
a memcached environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the memcached domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="memcached_manage_pid_files" lineno="87">
<summary>
Manage memcached PID files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="memcached_stream_connect" lineno="106">
<summary>
Connect to memcached over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="milter" filename="policy/modules/services/milter.if">
<summary>Milter mail filters</summary>
<template name="milter_template" lineno="14">
<summary>
Create a set of derived types for various
mail filter applications using the milter interface.
</summary>
<param name="milter_name">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="milter_stream_connect_all" lineno="57">
<summary>
MTA communication with milter sockets
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_getattr_all_sockets" lineno="76">
<summary>
Allow getattr of milter sockets
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_setattr_all_dirs" lineno="95">
<summary>
Allow setattr of milter dirs
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_manage_spamass_state" lineno="113">
<summary>
Manage spamassassin milter state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="milter_delete_dkim_pid_files" lineno="134">
<summary>
Delete dkim-milter PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="mip6d" filename="policy/modules/services/mip6d.if">
<summary>Mobile IPv6 and NEMO Basic Support implementation</summary>
<interface name="mip6d_domtrans" lineno="13">
<summary>
Execute TEMPLATE in the mip6d domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="mirrormanager" filename="policy/modules/services/mirrormanager.if">
<summary>policy for mirrormanager</summary>
<interface name="mirrormanager_domtrans" lineno="13">
<summary>
Execute mirrormanager in the mirrormanager domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_log" lineno="33">
<summary>
Read mirrormanager's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mirrormanager_append_log" lineno="52">
<summary>
Append to mirrormanager log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_log" lineno="71">
<summary>
Manage mirrormanager log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_search_lib" lineno="92">
<summary>
Search mirrormanager lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_lib_files" lineno="111">
<summary>
Read mirrormanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_lib_files" lineno="131">
<summary>
Manage mirrormanager lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_lib_dirs" lineno="150">
<summary>
Manage mirrormanager lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_read_pid_files" lineno="169">
<summary>
Read mirrormanager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_pid_files" lineno="188">
<summary>
Manage mirrormanager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_manage_pid_sock_files" lineno="207">
<summary>
Manage mirrormanager PID sock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mirrormanager_admin" lineno="227">
<summary>
All of the rules required to administrate
a mirrormanager environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="modemmanager" filename="policy/modules/services/modemmanager.if">
<summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
<interface name="modemmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run modemmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="modemmanager_dbus_chat" lineno="32">
<summary>
Send and receive messages from
modemmanager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="monop" filename="policy/modules/services/monop.if">
<summary>Monopoly daemon</summary>
</module>
<module name="mpd" filename="policy/modules/services/mpd.if">
<summary>policy for daemon for playing music</summary>
<interface name="mpd_domtrans" lineno="13">
<summary>
Execute a domain transition to run mpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="mpd_initrc_domtrans" lineno="32">
<summary>
Execute mpd server in the mpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_read_data_files" lineno="50">
<summary>
Read mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_read_tmpfs_files" lineno="69">
<summary>
Read mpd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_tmpfs_files" lineno="88">
<summary>
Manage mpd tmpfs files.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="mpd_manage_data_files" lineno="108">
<summary>
Manage mpd data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_search_lib" lineno="128">
<summary>
Search mpd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_read_lib_files" lineno="147">
<summary>
Read mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_files" lineno="167">
<summary>
Create, read, write, and delete
mpd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_var_lib_filetrans" lineno="197">
<summary>
Create an object in the root directory, with a private
type using a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="mpd_manage_lib_dirs" lineno="215">
<summary>
Manage mpd lib dirs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_dbus_chat" lineno="235">
<summary>
Send and receive messages from
mpd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mpd_admin" lineno="262">
<summary>
All of the rules required to administrate
an mpd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mta" filename="policy/modules/services/mta.if">
<summary>Policy common to all email transfer agents.</summary>
<interface name="mta_stub" lineno="13">
<summary>
MTA stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="mta_base_mail_template" lineno="41">
<summary>
Basic mail transfer agent domain template.
</summary>
<desc>
<p>
This template creates a derived domain which is
an email transfer agent, which sends mail on
behalf of the user.
</p>
<p>
This is the basic types and rules, common
to the system agent and user agents.
</p>
</desc>
<param name="domain_prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<interface name="mta_filetrans_aliases" lineno="164">
<summary>
Type transition files created in calling dir
to the mail address aliases type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="domain">
<summary>
Directory to transition on.
</summary>
</param>
</interface>
<interface name="mta_role" lineno="187">
<summary>
Role access for mta
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="mta_read_home" lineno="214">
<summary>
Allow domain to read mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_home_rw" lineno="234">
<summary>
Allow domain to manage mail content in the homedir
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_mailserver" lineno="260">
<summary>
Make the specified domain usable for a mail server.
</summary>
<param name="type">
<summary>
Type to be used as a mail server domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
<interface name="mta_agent_executable" lineno="279">
<summary>
Make the specified type a MTA executable file.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_leaks_system_mail" lineno="299">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="mta_system_content" lineno="318">
<summary>
Make the specified type by a system MTA.
</summary>
<param name="type">
<summary>
Type to be used as a mail client.
</summary>
</param>
</interface>
<interface name="mta_sendmail_mailserver" lineno="351">
<summary>
Modified mailserver interface for
sendmail daemon use.
</summary>
<desc>
<p>
A modified MTA mail server interface for
the sendmail program.  Its design does
not fit well with policy, and using the
regular interface causes a type_transition
conflict if direct running of init scripts
is enabled.
</p>
<p>
This interface should most likely only be used
by the sendmail policy.
</p>
</desc>
<param name="domain">
<summary>
The type to be used for the mail server.
</summary>
</param>
</interface>
<interface name="mta_mailserver_sender" lineno="372">
<summary>
Make a type a mailserver type used
for sending mail.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_delivery" lineno="391">
<summary>
Make a type a mailserver type used
for delivering mail to local users.
</summary>
<param name="domain">
<summary>
Mail server domain type used for delivering mail.
</summary>
</param>
</interface>
<interface name="mta_mailserver_user_agent" lineno="412">
<summary>
Make a type a mailserver type used
for sending mail on behalf of local
users to the local mail spool.
</summary>
<param name="domain">
<summary>
Mail server domain type used for sending local mail.
</summary>
</param>
</interface>
<interface name="mta_send_mail" lineno="437">
<summary>
Send mail from the system.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_signal" lineno="468">
<summary>
Send mail client a signal
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="mta_sendmail_domtrans" lineno="501">
<summary>
Execute send mail in a specified domain.
</summary>
<desc>
<p>
Execute send mail in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain to transition from.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="mta_signal_system_mail" lineno="528">
<summary>
Send system mail client a signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_kill_system_mail" lineno="546">
<summary>
Send system mail client a kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_sendmail_exec" lineno="564">
<summary>
Execute sendmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_config" lineno="583">
<summary>
Read mail server configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_write_config" lineno="605">
<summary>
Write mail server configuration.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_read_aliases" lineno="624">
<summary>
Read mail address aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_aliases" lineno="643">
<summary>
Create, read, write, and delete mail address aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_etc_filetrans_aliases" lineno="664">
<summary>
Type transition files created in /etc
to the mail address aliases type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_aliases" lineno="683">
<summary>
Read and write mail aliases.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="703">
<summary>
Do not audit attempts to read and write TCP
sockets of mail delivery domains.
</summary>
<param name="domain">
<summary>
Mail server domain.
</summary>
</param>
</interface>
<interface name="mta_tcp_connect_all_mailservers" lineno="721">
<summary>
Connect to all mail servers over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Mail server domain.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_read_spool_symlinks" lineno="736">
<summary>
Do not audit attempts to read a symlink
in the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_getattr_spool" lineno="754">
<summary>
Get the attributes of mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_getattr_spool_files" lineno="776">
<summary>
Do not audit attempts to get the attributes
of mail spool files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_spool_filetrans" lineno="808">
<summary>
Create private objects in the
mail spool directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="mta_rw_spool" lineno="827">
<summary>
Read and write the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_append_spool" lineno="849">
<summary>
Create, read, and write the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_delete_spool" lineno="871">
<summary>
Delete from the mail spool.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_manage_spool" lineno="890">
<summary>
Create, read, write, and delete mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_search_queue" lineno="911">
<summary>
Search mail queue dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_list_queue" lineno="930">
<summary>
List the mail queue.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_read_queue" lineno="949">
<summary>
Read the mail queue.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_dontaudit_rw_queue" lineno="969">
<summary>
Do not audit attempts to read and
write the mail queue.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="mta_manage_queue" lineno="989">
<summary>
Create, read, write, and delete
mail queue files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_spool_filetrans_queue" lineno="1020">
<summary>
Type transition files created in calling dir
to the mail address aliases type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private_type">
<summary>
Directory to transition on.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="mta_read_sendmail_bin" lineno="1040">
<summary>
Read sendmail binary.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_rw_user_mail_stream_sockets" lineno="1059">
<summary>
Read and write unix domain stream sockets
of user mail domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mta_signal_user_agent" lineno="1077">
<summary>
Send all user mail clients a signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="munin" filename="policy/modules/services/munin.if">
<summary>Munin network-wide load graphing (formerly LRRD)</summary>
<interface name="munin_stream_connect" lineno="14">
<summary>
Connect to munin over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_read_config" lineno="34">
<summary>
Read munin configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_dontaudit_leaks" lineno="55">
<summary>
Do not audit attempts to read and write leaked file descriptors.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="munin_append_log" lineno="74">
<summary>
Append to the munin log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="munin_search_lib" lineno="94">
<summary>
Search munin library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="munin_dontaudit_search_lib" lineno="114">
<summary>
Do not audit attempts to search
munin library directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="munin_plugin_template" lineno="133">
<summary>
Create a set of derived types for various
munin plugins,
</summary>
<param name="plugins_group_name">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="munin_admin" lineno="180">
<summary>
All of the rules required to administrate
a munin environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the munin domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="mysql" filename="policy/modules/services/mysql.if">
<summary>Policy for MySQL</summary>
<interface name="mysql_domtrans" lineno="13">
<summary>
Execute MySQL in the mysql domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_exec" lineno="31">
<summary>
Execute MySQL in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_safe_exec" lineno="49">
<summary>
Execute MySQL_safe in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_signal" lineno="67">
<summary>
Send a generic signal to MySQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_tcp_connect" lineno="85">
<summary>
Allow the specified domain to connect to postgresql with a tcp socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_stream_connect" lineno="107">
<summary>
Connect to MySQL using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_read_config" lineno="128">
<summary>
Read MySQL configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="mysql_search_db" lineno="151">
<summary>
Search the directories that contain MySQL
database storage.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_list_db" lineno="171">
<summary>
List the directories that contain MySQL
database storage.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_dirs" lineno="190">
<summary>
Read and write to the MySQL database directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_dirs" lineno="209">
<summary>
Create, read, write, and delete MySQL database directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_append_db_files" lineno="228">
<summary>
Append to MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_files" lineno="247">
<summary>
Read and write MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_manage_db_files" lineno="266">
<summary>
Create, read, write, and delete MySQL database files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_rw_db_sockets" lineno="286">
<summary>
Read and write to the MySQL database
named socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_write_log" lineno="306">
<summary>
Write to the MySQL log.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_domtrans_mysql_safe" lineno="325">
<summary>
Execute MySQL server in the mysql domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_read_pid_files" lineno="343">
<summary>
Read MySQL PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="mysql_search_pid_files" lineno="363">
<summary>
Search MySQL PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>

</interface>
<interface name="mysql_admin" lineno="387">
<summary>
All of the rules required to administrate a MySQL environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the mysql domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="mysql_connect_any" dftval="false">
<desc>
<p>
Allow mysqld to connect to all ports
</p>
</desc>
</tunable>
</module>
<module name="nagios" filename="policy/modules/services/nagios.if">
<summary>Net Saint / NAGIOS - network monitoring server</summary>
<interface name="nagios_dontaudit_rw_pipes" lineno="15">
<summary>
Do not audit attempts to read or write nagios
unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_read_config" lineno="35">
<summary>
Allow the specified domain to read
nagios configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nagios_read_tmp_files" lineno="56">
<summary>
Allow the specified domain to read
nagios temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_rw_inerited_tmp_files" lineno="76">
<summary>
Allow the specified domain to read and write
inherited nagios temporary files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_domtrans_nrpe" lineno="96">
<summary>
Execute the nagios NRPE with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_search_spool" lineno="114">
<summary>
Search nagios spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_read_log" lineno="133">
<summary>
Read nagios logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nagios_dontaudit_rw_log" lineno="152">
<summary>
Do not audit attempts to read and write nagios logs.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<template name="nagios_plugin_template" lineno="171">
<summary>
Create a set of derived types for various
nagios plugins.
</summary>
<param name="plugins_group_name">
<summary>
The name to be used for deriving type names.
</summary>
</param>
</template>
<interface name="nrpe_dontaudit_write_pipes" lineno="223">
<summary>
Do not audit attempts to write nrpe daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="nagios_admin" lineno="248">
<summary>
All of the rules required to administrate
a nagios environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the nagios domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nessus" filename="policy/modules/services/nessus.if">
<summary>Nessus network scanning daemon</summary>
<interface name="nessus_tcp_connect" lineno="13">
<summary>
Connect to nessus over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="networkmanager" filename="policy/modules/services/networkmanager.if">
<summary>Manager for dynamically switching between networks.</summary>
<interface name="networkmanager_rw_udp_sockets" lineno="14">
<summary>
Read and write NetworkManager UDP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_packet_sockets" lineno="33">
<summary>
Read and write NetworkManager packet sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_rw_routing_sockets" lineno="53">
<summary>
Read and write NetworkManager netlink
routing sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_domtrans" lineno="71">
<summary>
Execute NetworkManager with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_dbus_chat" lineno="91">
<summary>
Send and receive messages from
NetworkManager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_dontaudit_dbus_chat" lineno="112">
<summary>
Do not audit attempts to send and receive
messages from NetworkManager over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_signal" lineno="132">
<summary>
Send a generic signal to NetworkManager
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_initrc_domtrans" lineno="150">
<summary>
Execute NetworkManager scripts with an automatic domain transition to initrc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_pid_files" lineno="168">
<summary>
Read NetworkManager PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_read_var_lib_files" lineno="187">
<summary>
Read NetworkManager var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_run" lineno="214">
<summary>
Execute NetworkManager in the NetworkManager domain, and
allow the specified role the NetworkManager domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the NetworkManager domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="networkmanager_attach_tun_iface" lineno="233">
<summary>
Allow caller to relabel tun_socket
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="networkmanager_append_log" lineno="253">
<summary>
Allow the specified domain to append
to Network Manager log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nis" filename="policy/modules/services/nis.if">
<summary>Policy for NIS (YP) servers and clients</summary>
<interface name="nis_use_ypbind_uncond" lineno="26">
<summary>
Use the ypbind service to access NIS services
unconditionally.
</summary>
<desc>
<p>
Use the ypbind service to access NIS services
unconditionally.
</p>
<p>
This interface was added because of apache and
spamassassin, to fix a nested conditionals problem.
When that support is added, this should be removed,
and the regular interface should be used.
</p>
</desc>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="nis_use_ypbind" lineno="91">
<summary>
Use the ypbind service to access NIS services.
</summary>
<desc>
<p>
Allow the specified domain to use the ypbind service
to access Network Information Service (NIS) services.
Information that can be retrieved from NIS includes
usernames, passwords, home directories, and groups.
If the network is configured to have a single sign-on
using NIS, it is likely that any program that does
authentication will need this access.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
<rolecap/>
</interface>
<interface name="nis_authenticate" lineno="108">
<summary>
Use NIS to authenticate passwords.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_domtrans_ypbind" lineno="126">
<summary>
Execute ypbind in the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_run_ypbind" lineno="152">
<summary>
Execute ypbind in the ypbind domain, and
allow the specified role the ypbind domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the ypbind domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="nis_signal_ypbind" lineno="171">
<summary>
Send generic signals to ypbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_list_var_yp" lineno="189">
<summary>
List the contents of the NIS data directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_udp_send_ypbind" lineno="208">
<summary>
Send UDP network traffic to NIS clients.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_tcp_connect_ypbind" lineno="222">
<summary>
Connect to ypbind over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypbind_pid" lineno="236">
<summary>
Read ypbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_delete_ypbind_pid" lineno="255">
<summary>
Delete ypbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_read_ypserv_config" lineno="274">
<summary>
Read ypserv configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_domtrans_ypxfr" lineno="293">
<summary>
Execute ypxfr in the ypxfr domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans" lineno="313">
<summary>
Execute nis server in the nis domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_initrc_domtrans_ypbind" lineno="331">
<summary>
Execute nis server in the nis domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nis_admin" lineno="356">
<summary>
All of the rules required to administrate
an nis environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="nova" filename="policy/modules/services/nova.if">
<summary>openstack-nova</summary>
<interface name="nova_manage_lib_files" lineno="13">
<summary>
Manage nova lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="nova_domain_template" lineno="33">
<summary>
Creates types and rules for a basic
openstack-nova systemd daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
</module>
<module name="nscd" filename="policy/modules/services/nscd.if">
<summary>Name service cache daemon</summary>
<interface name="nscd_signal" lineno="13">
<summary>
Send generic signals to NSCD.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_kill" lineno="31">
<summary>
Send NSCD the kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_signull" lineno="49">
<summary>
Send signulls to NSCD.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_domtrans" lineno="67">
<summary>
Execute NSCD in the nscd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="nscd_exec" lineno="87">
<summary>
Allow the specified domain to execute nscd
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_socket_use" lineno="106">
<summary>
Use NSCD services by connecting using
a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_use" lineno="136">
<summary>
Use nscd services
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_shm_use" lineno="155">
<summary>
Use NSCD services by mapping the database from
an inherited NSCD file descriptor.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_dontaudit_search_pid" lineno="188">
<summary>
Do not audit attempts to search the NSCD pid directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_read_pid" lineno="206">
<summary>
Read NSCD pid file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_unconfined" lineno="225">
<summary>
Unconfined access to NSCD services.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_run" lineno="250">
<summary>
Execute nscd in the nscd domain, and
allow the specified role the nscd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the nscd domain.
</summary>
</param>
</interface>
<interface name="nscd_initrc_domtrans" lineno="269">
<summary>
Execute the nscd server init script.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nscd_admin" lineno="294">
<summary>
All of the rules required to administrate
an nscd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the nscd domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="nscd_use_shm" dftval="false">
<desc>
<p>
Allow confined applications to use nscd shared memory.
</p>
</desc>
</tunable>
</module>
<module name="nsd" filename="policy/modules/services/nsd.if">
<summary>Authoritative only name server</summary>
<interface name="nsd_udp_chat" lineno="13">
<summary>
Send and receive datagrams from NSD.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nsd_tcp_connect" lineno="27">
<summary>
Connect to NSD over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nslcd" filename="policy/modules/services/nslcd.if">
<summary>nslcd - local LDAP name service daemon.</summary>
<interface name="nslcd_domtrans" lineno="13">
<summary>
Execute a domain transition to run nslcd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="nslcd_initrc_domtrans" lineno="31">
<summary>
Execute nslcd server in the nslcd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="nslcd_read_pid_files" lineno="49">
<summary>
Read nslcd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nslcd_stream_connect" lineno="68">
<summary>
Connect to nslcd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed to connect.
</summary>
</param>
</interface>
<interface name="nslcd_admin" lineno="94">
<summary>
All of the rules required to administrate
an nslcd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntop" filename="policy/modules/services/ntop.if">
<summary>Network Top</summary>
<interface name="ntop_domtrans" lineno="13">
<summary>
Execute a domain transition to run ntop.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ntop_initrc_domtrans" lineno="31">
<summary>
Execute ntop server in the ntop domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ntop_read_config" lineno="49">
<summary>
Read ntop content in /etc
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntop_search_lib" lineno="68">
<summary>
Search ntop dirs in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntop_read_lib_files" lineno="87">
<summary>
Read ntop files in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntop_manage_lib_files" lineno="106">
<summary>
Manage ntop files in /var/lib
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntop_admin" lineno="132">
<summary>
All of the rules required to administrate
an ntop environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ntp" filename="policy/modules/services/ntp.if">
<summary>Network time protocol daemon</summary>
<interface name="ntp_stub" lineno="13">
<summary>
NTP stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ntp_domtrans" lineno="29">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ntp_run" lineno="55">
<summary>
Execute ntp in the ntp domain, and
allow the specified role the ntp domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ntp_domtrans_ntpdate" lineno="74">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ntp_initrc_domtrans" lineno="93">
<summary>
Execute ntp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ntp_rw_shm" lineno="111">
<summary>
Read and write ntpd shared memory.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ntp_admin" lineno="140">
<summary>
All of the rules required to administrate
an ntp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ntp domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="numad" filename="policy/modules/services/numad.if">
<summary>policy for numad</summary>
<interface name="numad_domtrans" lineno="13">
<summary>
Transition to numad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="numad_admin" lineno="33">
<summary>
All of the rules required to administrate
a numad environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="nut" filename="policy/modules/services/nut.if">
<summary>nut - Network UPS Tools </summary>
</module>
<module name="nx" filename="policy/modules/services/nx.if">
<summary>NX remote desktop</summary>
<interface name="nx_spec_domtrans_server" lineno="13">
<summary>
Transition to NX server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_read_home_files" lineno="31">
<summary>
Read nx home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_search_var_lib" lineno="51">
<summary>
Search nx var lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="nx_var_lib_filetrans" lineno="80">
<summary>
Create an object in the root directory, with a private
type using a type transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
</module>
<module name="oav" filename="policy/modules/services/oav.if">
<summary>Open AntiVirus scannerdaemon and signature update</summary>
<interface name="oav_domtrans_update" lineno="13">
<summary>
Execute oav_update in the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oav_run_update" lineno="39">
<summary>
Execute oav_update in the oav_update domain, and
allow the specified role the oav_update domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the oav_update domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="oddjob" filename="policy/modules/services/oddjob.if">
<summary>
Oddjob provides a mechanism by which unprivileged applications can
request that specified privileged operations be performed on their
behalf.
</summary>
<interface name="oddjob_domtrans" lineno="17">
<summary>
Execute a domain transition to run oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_dontaudit_rw_fifo_file" lineno="36">
<summary>
Do not audit attempts to read and write
oddjob fifo file.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="oddjob_system_entry" lineno="60">
<summary>
Make the specified program domain accessible
from oddjob.
</summary>
<param name="domain">
<summary>
The type of the process to transition to.
</summary>
</param>
<param name="entrypoint">
<summary>
The type of the file used as an entrypoint to this domain.
</summary>
</param>
</interface>
<interface name="oddjob_dbus_chat" lineno="80">
<summary>
Send and receive messages from
oddjob over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oddjob_sigchld" lineno="100">
<summary>
Send a SIGCHLD signal to oddjob.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oddjob_domtrans_mkhomedir" lineno="118">
<summary>
Execute a domain transition to run oddjob_mkhomedir.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oddjob_run_mkhomedir" lineno="142">
<summary>
Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="oddjob_ranged_domain" lineno="172">
<summary>
Create a domain which can be started by init,
with a range transition.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
<param name="range">
<summary>
Range for the domain.
</summary>
</param>
</interface>
</module>
<module name="oident" filename="policy/modules/services/oident.if">
<summary>SELinux policy for Oident daemon.</summary>
<desc>
<p>
Oident daemon is a server that implements the TCP/IP
standard IDENT user identification protocol as
specified in the RFC 1413 document.
</p>
</desc>
<interface name="oident_read_user_content" lineno="21">
<summary>
Allow the specified domain to read
Oidentd personal configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_manage_user_content" lineno="41">
<summary>
Allow the specified domain to create, read, write, and delete
Oidentd personal configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oident_relabel_user_content" lineno="61">
<summary>
Allow the specified domain to relabel
Oidentd personal configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openca" filename="policy/modules/services/openca.if">
<summary>OpenCA - Open Certificate Authority</summary>
<interface name="openca_domtrans" lineno="14">
<summary>
Execute the OpenCA program with
a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_signal" lineno="34">
<summary>
Send OpenCA generic signals.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_sigstop" lineno="52">
<summary>
Send OpenCA stop signals.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openca_kill" lineno="70">
<summary>
Kill OpenCA.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openct" filename="policy/modules/services/openct.if">
<summary>Service for handling smart card readers.</summary>
<interface name="openct_signull" lineno="13">
<summary>
Send openct a null signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_exec" lineno="31">
<summary>
Execute openct in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_domtrans" lineno="50">
<summary>
Execute a domain transition to run openct.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openct_read_pid_files" lineno="69">
<summary>
Read openct PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openct_stream_connect" lineno="88">
<summary>
Connect to openct over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openhpid" filename="policy/modules/services/openhpid.if">
<summary>policy for openhpid</summary>
<interface name="openhpid_domtrans" lineno="14">
<summary>
Transition to openhpid.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openhpid_initrc_domtrans" lineno="34">
<summary>
Execute openhpid server in the openhpid domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_search_lib" lineno="53">
<summary>
Search openhpid lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_read_lib_files" lineno="72">
<summary>
Read openhpid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_manage_lib_files" lineno="91">
<summary>
Manage openhpid lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_manage_lib_dirs" lineno="110">
<summary>
Manage openhpid lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openhpid_admin" lineno="137">
<summary>
All of the rules required to administrate
an openhpid environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="openshift-origin" filename="policy/modules/services/openshift-origin.if">
<summary></summary>
</module>
<module name="openshift" filename="policy/modules/services/openshift.if">
<summary> policy for openshift </summary>
<interface name="openshift_initrc_domtrans" lineno="13">
<summary>
Execute openshift server in the openshift domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="openshift_dontaudit_read_initrc" lineno="32">
<summary>
Do not audit attempts to read openshift init scripts.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="openshift_initrc_run" lineno="54">
<summary>
Execute openshift server in the openshift domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
Role access to this domain.
</summary>
</param>
</interface>
<interface name="openshift_initrc_signull" lineno="74">
<summary>
Send a null signal to openshift init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_initrc_signal" lineno="92">
<summary>
Send a signal to openshift init scripts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_search_cache" lineno="110">
<summary>
Search openshift cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_cache_files" lineno="129">
<summary>
Read openshift cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_cache_files" lineno="149">
<summary>
Create, read, write, and delete
openshift cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_cache_dirs" lineno="169">
<summary>
Create, read, write, and delete
openshift cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_log" lineno="190">
<summary>
Allow the specified domain to read openshift's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_append_log" lineno="210">
<summary>
Allow the specified domain to append
openshift log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_log" lineno="229">
<summary>
Allow domain to manage openshift log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_getattr_lib" lineno="250">
<summary>
Getattr openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_search_lib" lineno="269">
<summary>
Search openshift lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_read_lib_files" lineno="290">
<summary>
Read openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_append_lib_files" lineno="311">
<summary>
Append to openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_lib_files" lineno="331">
<summary>
Create, read, write, and delete
openshift lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_lib_dirs" lineno="351">
<summary>
Manage openshift lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_content" lineno="370">
<summary>
Manage openshift lib content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_lib_filetrans" lineno="407">
<summary>
Create private objects in the
openshift lib directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
<param name="name" optional="true">
<summary>
The name of the object being created.
</summary>
</param>
</interface>
<interface name="openshift_read_pid_files" lineno="426">
<summary>
Read openshift PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_admin" lineno="453">
<summary>
All of the rules required to administrate
an openshift environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<template name="openshift_service_domain_template" lineno="496">
<summary>
Make the specified type usable as an openshift domain.
</summary>
<param name="openshiftdomain_prefix">
<summary>
The prefix of the domain (e.g., openshift
is the prefix for openshift_t).
</summary>
</param>
</template>
<template name="openshift_net_type" lineno="542">
<summary>
Make the specified type usable as an openshift domain.
</summary>
<param name="type">
<summary>
Type to be used as an openshift domain type.
</summary>
</param>
</template>
<interface name="openshift_rw_inherited_content" lineno="560">
<summary>
Read and write inherited openshift files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_tmp_files" lineno="578">
<summary>
Manage openshift tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_manage_tmp_sockets" lineno="596">
<summary>
Manage openshift tmp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_mounton_tmp" lineno="614">
<summary>
Mounton openshift tmp directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_dontaudit_rw_inherited_fifo_files" lineno="632">
<summary>
Dontaudit Read and write inherited script fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openshift_transition" lineno="651">
<summary>
Allow calling app to transition to an openshift domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_dyntransition" lineno="675">
<summary>
Allow calling app to transition to an openshift domain
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<rolecap/>
</interface>
<interface name="openshift_run" lineno="705">
<summary>
Execute openshift in the openshift domain, and
allow the specified role the openshift domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
<tunable name="openshift_use_nfs" dftval="false">
<desc>
<p>
Allow openshift to access nfs file systems without labels
</p>
</desc>
</tunable>
</module>
<module name="openvpn" filename="policy/modules/services/openvpn.if">
<summary>full-featured SSL VPN solution</summary>
<interface name="openvpn_domtrans" lineno="13">
<summary>
Execute OPENVPN clients in the openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_run" lineno="38">
<summary>
Execute OPENVPN clients in the openvpn domain, and
allow the specified role the openvpn domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the openvpn domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_kill" lineno="57">
<summary>
Send OPENVPN clients the kill signal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signal" lineno="75">
<summary>
Send generic signals to OPENVPN clients.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_signull" lineno="93">
<summary>
Send signulls to OPENVPN clients.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvpn_read_config" lineno="113">
<summary>
Allow the specified domain to read
OpenVPN configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="openvpn_admin" lineno="141">
<summary>
All of the rules required to administrate
an openvpn environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the openvpn domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="openvpn_enable_homedirs" dftval="false">
<desc>
<p>
Allow openvpn to read home directories
</p>
</desc>
</tunable>
<tunable name="openvpn_run_unconfined" dftval="false">
<desc>
<p>
Allow openvpn to run unconfined scripts
</p>
</desc>
</tunable>
</module>
<module name="openvswitch" filename="policy/modules/services/openvswitch.if">
<summary> Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. </summary>
<interface name="openvswitch_domain_template" lineno="14">
<summary>
Transition to openvswitch.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvswitch_domtrans" lineno="36">
<summary>
Execute openvswitch in the openvswitch domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="openvswitch_stream_connect" lineno="55">
<summary>
Allow stream connect to openvswitch.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_read_pid_files" lineno="74">
<summary>
Read openvswitch PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_search_lib" lineno="93">
<summary>
Search openvswitch lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_read_lib_files" lineno="112">
<summary>
Read openvswitch lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_manage_lib_files" lineno="131">
<summary>
Manage openvswitch lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="openvswitch_manage_lib_dirs" lineno="150">
<summary>
Manage openvswitch lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="openwsman" filename="policy/modules/services/openwsman.if">
<summary>WS-Management Server</summary>
<interface name="openwsman_domtrans" lineno="13">
<summary>
Execute openwsman in the openwsman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="oracleasm" filename="policy/modules/services/oracleasm.if">
<summary>policy for oracleasm</summary>
<interface name="oracleasm_domtrans" lineno="13">
<summary>
Transition to oracleasm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="oracleasm_initrc_domtrans" lineno="33">
<summary>
Execute oracleasm server in the oracleasm domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="oracleasm_admin" lineno="59">
<summary>
All of the rules required to administrate
an oracleasm environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="osad" filename="policy/modules/services/osad.if">
<summary>Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher. </summary>
<interface name="osad_domtrans" lineno="13">
<summary>
Execute osad in the osad domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="osad_initrc_domtrans" lineno="32">
<summary>
Execute osad server in the osad domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_read_log" lineno="50">
<summary>
Read osad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="osad_append_log" lineno="69">
<summary>
Append to osad log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_manage_log" lineno="88">
<summary>
Manage osad log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_read_pid_files" lineno="108">
<summary>
Read osad PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="osad_admin" lineno="135">
<summary>
All of the rules required to administrate
an osad environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pacemaker" filename="policy/modules/services/pacemaker.if">
<summary>policy for pacemaker</summary>
<interface name="pacemaker_domtrans" lineno="13">
<summary>
Transition to pacemaker.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pacemaker_initrc_domtrans" lineno="32">
<summary>
Execute pacemaker server in the pacemaker domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_search_lib" lineno="50">
<summary>
Search pacemaker lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_read_lib_files" lineno="69">
<summary>
Read pacemaker lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_manage_lib_files" lineno="88">
<summary>
Manage pacemaker lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_manage_lib_dirs" lineno="107">
<summary>
Manage pacemaker lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_read_pid_files" lineno="126">
<summary>
Read pacemaker PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pacemaker_admin" lineno="152">
<summary>
All of the rules required to administrate
a pacemaker environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="pads" filename="policy/modules/services/pads.if">
<summary>Passive Asset Detection System</summary>
<desc>
<p>
PADS is a libpcap based detection engine used to
passively detect network assets.  It is designed to
complement IDS technology by providing context to IDS
alerts.
</p>
</desc>
<interface name="pads_admin" lineno="28">
<summary>
All of the rules required to administrate
a pads environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="passenger" filename="policy/modules/services/passenger.if">
<summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
<interface name="passenger_domtrans" lineno="13">
<summary>
Execute passenger in the passenger domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="passenger_exec" lineno="31">
<summary>
Execute passenger in the current domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="passenger_read_lib_files" lineno="49">
<summary>
Read passenger lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_lib_files" lineno="69">
<summary>
Manage passenger lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_pid_content" lineno="90">
<summary>
Manage passenger var_run content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_stream_connect" lineno="112">
<summary>
Connect to passenger unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_manage_tmp_files" lineno="130">
<summary>
Allow to manage passenger tmp files/dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="passenger_rw_tmp_sock_files" lineno="150">
<summary>
Allow to manage passenger tmp sock_files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="pcp" filename="policy/modules/services/pcp.if">
<summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
<template name="pcp_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
pcp daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="pcp_read_lib_files" lineno="38">
<summary>
Allow domain to read pcp lib files
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</interface>
<interface name="pcp_admin" lineno="58">
<summary>
All of the rules required to administrate
a pcp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="pcp_pmie_exec" lineno="102">
<summary>
Allow the specified domain to execute pcp_pmie
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcp_pmlogger_exec" lineno="122">
<summary>
Allow the specified domain to execute pcp_pmlogger
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<tunable name="pcp_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Allow pcp to bind to all unreserved_ports
</p>
</desc>
</tunable>
</module>
<module name="pcscd" filename="policy/modules/services/pcscd.if">
<summary>PCSC smart card service</summary>
<interface name="pcscd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pcscd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pcscd_read_pub_files" lineno="31">
<summary>
Read pcscd pub files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_manage_pub_files" lineno="50">
<summary>
Manage pcscd pub files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_manage_pub_pipes" lineno="69">
<summary>
Manage pcscd pub fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pcscd_stream_connect" lineno="88">
<summary>
Connect to pcscd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="pegasus" filename="policy/modules/services/pegasus.if">
<summary>The Open Group Pegasus CIM/WBEM Server.</summary>
</module>
<module name="perdition" filename="policy/modules/services/perdition.if">
<summary>Perdition POP and IMAP proxy</summary>
<interface name="perdition_tcp_connect" lineno="13">
<summary>
Connect to perdition over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="pingd" filename="policy/modules/services/pingd.if">
<summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
<interface name="pingd_domtrans" lineno="13">
<summary>
Execute a domain transition to run pingd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pingd_read_config" lineno="31">
<summary>
Read pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_manage_config" lineno="50">
<summary>
Manage pingd etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pingd_admin" lineno="78">
<summary>
All of the rules required to administrate
a pingd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the pingd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="piranha" filename="policy/modules/services/piranha.if">
<summary>policy for piranha</summary>
<template name="piranha_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
cluster init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="piranha_domtrans_fos" lineno="64">
<summary>
Execute a domain transition to run fos.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_domtrans_lvs" lineno="82">
<summary>
Execute a domain transition to run lvsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_domtrans_pulse" lineno="100">
<summary>
Execute a domain transition to run pulse.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="piranha_pulse_initrc_domtrans" lineno="118">
<summary>
Execute pulse server in the pulse domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="piranha_read_log" lineno="137">
<summary>
Allow the specified domain to read piranha's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="piranha_append_log" lineno="157">
<summary>
Allow the specified domain to append
piranha log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="piranha_manage_log" lineno="176">
<summary>
Allow domain to manage piranha log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="piranha_lvs_can_network_connect" dftval="false">
<desc>
<p>
Allow piranha-lvs domain to connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="pkcsslotd" filename="policy/modules/services/pkcsslotd.if">
<summary>policy for pkcsslotd</summary>
<interface name="pkcsslotd_domtrans" lineno="13">
<summary>
Transition to pkcsslotd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="pkcsslotd_search_lib" lineno="32">
<summary>
Search pkcsslotd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcsslotd_read_lib_files" lineno="51">
<summary>
Read pkcsslotd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcsslotd_manage_lib_files" lineno="70">
<summary>
Manage pkcsslotd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcsslotd_manage_lib_dirs" lineno="89">
<summary>
Manage pkcsslotd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pkcsslotd_admin" lineno="109">
<summary>
All of the rules required to administrate
a pkcsslotd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="plymouthd" filename="policy/modules/services/plymouthd.if">
<summary>policy for plymouthd</summary>
<interface name="plymouthd_domtrans" lineno="13">
<summary>
Execute a domain transition to run plymouthd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_exec" lineno="31">
<summary>
Execute the plymouth daemon in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_exec_plymouth" lineno="49">
<summary>
Execute the plymouth command in the current domain
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_domtrans_plymouth" lineno="67">
<summary>
Execute a domain transition to run plymouthd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="plymouthd_read_pid_files" lineno="86">
<summary>
Read plymouthd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_var_run" lineno="105">
<summary>
Manage plymouthd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_search_lib" lineno="126">
<summary>
Search plymouthd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_lib_files" lineno="145">
<summary>
Read plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_lib_files" lineno="165">
<summary>
Create, read, write, and delete
plymouthd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_var_lib" lineno="184">
<summary>
Manage plymouthd var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_search_spool" lineno="205">
<summary>
Search plymouthd spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_read_spool_files" lineno="224">
<summary>
Read plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_spool_files" lineno="244">
<summary>
Create, read, write, and delete
plymouthd spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_manage_spool" lineno="263">
<summary>
Allow domain to manage plymouthd spool files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="plymouthd_admin" lineno="284">
<summary>
All of the rules required to administrate
a plymouthd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="plymouthd_stream_connect" lineno="314">
<summary>
Allow domain to Stream socket connect
to Plymouth daemon.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="policykit" filename="policy/modules/services/policykit.if">
<summary>Policy framework for controlling privileges for system-wide services.</summary>
<interface name="policykit_dbus_chat" lineno="14">
<summary>
Send and receive messages from
policykit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_dbus_chat_auth" lineno="37">
<summary>
Send and receive messages from
policykit over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_auth" lineno="59">
<summary>
Execute a domain transition to run polkit_auth.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_auth" lineno="83">
<summary>
Execute a policy_auth in the policy_auth domain, and
allow the specified role the policy_auth domain,
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the load_policy domain.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_grant" lineno="105">
<summary>
Execute a domain transition to run polkit_grant.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_run_grant" lineno="130">
<summary>
Execute a policy_grant in the policy_grant domain, and
allow the specified role the policy_grant domain,
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the load_policy domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="policykit_read_reload" lineno="153">
<summary>
read policykit reload files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_rw_reload" lineno="172">
<summary>
rw policykit reload files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_domtrans_resolve" lineno="191">
<summary>
Execute a domain transition to run polkit_resolve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="policykit_search_lib" lineno="211">
<summary>
Search policykit lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="policykit_read_lib" lineno="230">
<summary>
read policykit lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="policykit_role" lineno="257">
<summary>
The per role template for the policykit module.
</summary>
<param name="user_role">
<summary>
Role allowed access
</summary>
</param>
<param name="user_domain">
<summary>
User domain for the role
</summary>
</param>
</template>
<interface name="policykit_signal_auth" lineno="274">
<summary>
Send generic signal to policy_auth
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="portmap" filename="policy/modules/services/portmap.if">
<summary>RPC port mapping service.</summary>
<interface name="portmap_domtrans_helper" lineno="13">
<summary>
Execute portmap_helper in the helper domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portmap_run_helper" lineno="40">
<summary>
Execute portmap helper in the helper domain, and
allow the specified role the helper domain.
Communicate with portmap.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the portmap domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="portmap_udp_send" lineno="59">
<summary>
Send UDP network traffic to portmap.  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="portmap_udp_chat" lineno="73">
<summary>
Send and receive UDP network traffic from portmap.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="portmap_tcp_connect" lineno="87">
<summary>
Connect to portmap over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="portreserve" filename="policy/modules/services/portreserve.if">
<summary>Reserve well-known ports in the RPC port range.</summary>
<interface name="portreserve_domtrans" lineno="13">
<summary>
Execute a domain transition to run portreserve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="portreserve_initrc_domtrans" lineno="31">
<summary>
Execute portreserve in the portreserve domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="portreserve_read_config" lineno="52">
<summary>
Allow the specified domain to read
portreserve configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>

</interface>
<interface name="portreserve_manage_config" lineno="75">
<summary>
Allow the specified domain to manage
portreserve configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>

</interface>
<interface name="portreserve_admin" lineno="102">
<summary>
All of the rules required to administrate
a portreserve environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
</interface>
</module>
<module name="portslave" filename="policy/modules/services/portslave.if">
<summary>Portslave terminal server software</summary>
<interface name="portslave_domtrans" lineno="13">
<summary>
Execute portslave with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
</module>
<module name="postfix" filename="policy/modules/services/postfix.if">
<summary>Postfix email server</summary>
<interface name="postfix_stub" lineno="13">
<summary>
Postfix stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="postfix_domain_template" lineno="30">
<summary>
Creates types and rules for a basic
postfix process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<template name="postfix_server_domain_template" lineno="120">
<summary>
Creates a postfix server process domain.
</summary>
<param name="prefix">
<summary>
Prefix of the domain.
</summary>
</param>
</template>
<template name="postfix_user_domain_template" lineno="166">
<summary>
Creates a process domain for programs
that are run by users.
</summary>
<param name="prefix">
<summary>
Prefix of the domain.
</summary>
</param>
</template>
<interface name="postfix_read_config" lineno="195">
<summary>
Read postfix configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_config_filetrans" lineno="226">
<summary>
Create files with the specified type in
the postfix configuration directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="private type">
<summary>
The type of the object to be created.
</summary>
</param>
<param name="object">
<summary>
The object class of the object being created.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_rw_local_tcp_sockets" lineno="247">
<summary>
Do not audit attempts to read and
write postfix local delivery
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_rw_local_pipes" lineno="266">
<summary>
Allow read/write postfix local pipes
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_public_pipes" lineno="285">
<summary>
Allow read/write postfix public pipes
TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_local_state" lineno="303">
<summary>
Allow domain to read postfix local process state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_master_state" lineno="322">
<summary>
Allow domain to read postfix master process state
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_use_fds_master" lineno="342">
<summary>
Use postfix master process
file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_dontaudit_use_fds" lineno="362">
<summary>
Do not audit attempts to use
postfix master process
file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_map" lineno="380">
<summary>
Execute postfix_map in the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_run_map" lineno="405">
<summary>
Execute postfix_map in the postfix_map domain, and
allow the specified role the postfix_map domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_domtrans_master" lineno="425">
<summary>
Execute the master postfix program in the
postfix_master domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_initrc_domtrans" lineno="444">
<summary>
Execute the master postfix in the postfix master domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_exec_master" lineno="463">
<summary>
Execute the master postfix program in the
caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_stream_connect_master" lineno="481">
<summary>
Connect to postfix master process using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_master_pipes" lineno="499">
<summary>
Allow read/write postfix master pipes
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_postdrop" lineno="518">
<summary>
Execute the master postdrop in the
postfix_postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_postqueue" lineno="537">
<summary>
Execute the master postqueue in the
postfix_postqueue domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_exec_postqueue" lineno="555">
<summary>
Execute the master postqueue in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_create_private_sockets" lineno="573">
<summary>
Create a named socket in a postfix private directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_private_sockets" lineno="592">
<summary>
Manage named sockets in a postfix private directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_smtp" lineno="612">
<summary>
Execute the master postfix program in the
postfix_master domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postfix_getattr_spool_files" lineno="630">
<summary>
Getattr postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_search_spool" lineno="649">
<summary>
Search postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_list_spool" lineno="668">
<summary>
List postfix mail spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_read_spool_files" lineno="687">
<summary>
Read postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_spool_files" lineno="706">
<summary>
Create, read, write, and delete postfix mail spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_rw_spool_maildrop_files" lineno="725">
<summary>
Read, write, and delete postfix maildrop spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_manage_spool_maildrop_files" lineno="744">
<summary>
Create, read, write, and delete postfix maildrop spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_domtrans_user_mail_handler" lineno="765">
<summary>
Execute postfix user mail programs
in their respective domains.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postfix_admin" lineno="790">
<summary>
All of the rules required to administrate
a postfix environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postfix_run_postdrop" lineno="866">
<summary>
Execute the master postdrop in the
postfix_postdrop domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the iptables domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_postfix_local_write_mail_spool" dftval="true">
<desc>
<p>
Allow postfix_local domain full write access to mail_spool directories
</p>
</desc>
</tunable>
</module>
<module name="postfixpolicyd" filename="policy/modules/services/postfixpolicyd.if">
<summary>Postfix policy server</summary>
<interface name="postfixpolicyd_admin" lineno="20">
<summary>
All of the rules required to administrate
a postfixpolicyd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the postfixpolicyd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="postgresql" filename="policy/modules/services/postgresql.if">
<summary>PostgreSQL relational database</summary>
<interface name="postgresql_role" lineno="18">
<summary>
Role access for SE-PostgreSQL.
</summary>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
<param name="user_domain">
<summary>
The type of the user domain.
</summary>
</param>
</interface>
<interface name="postgresql_loadable_module" lineno="104">
<summary>
Marks as a SE-PostgreSQL loadable shared library module
</summary>
<param name="type">
<summary>
Type marked as a database object type.
</summary>
</param>
</interface>
<interface name="postgresql_database_object" lineno="122">
<summary>
Marks as a SE-PostgreSQL database object type
</summary>
<param name="type">
<summary>
Type marked as a database object type.
</summary>
</param>
</interface>
<interface name="postgresql_schema_object" lineno="140">
<summary>
Marks as a SE-PostgreSQL schema object type
</summary>
<param name="type">
<summary>
Type marked as a schema object type.
</summary>
</param>
</interface>
<interface name="postgresql_table_object" lineno="158">
<summary>
Marks as a SE-PostgreSQL table/column/tuple object type
</summary>
<param name="type">
<summary>
Type marked as a table/column/tuple object type.
</summary>
</param>
</interface>
<interface name="postgresql_system_table_object" lineno="176">
<summary>
Marks as a SE-PostgreSQL system table/column/tuple object type
</summary>
<param name="type">
<summary>
Type marked as a table/column/tuple object type.
</summary>
</param>
</interface>
<interface name="postgresql_sequence_object" lineno="195">
<summary>
Marks as a SE-PostgreSQL sequence type
</summary>
<param name="type">
<summary>
Type marked as a sequence type.
</summary>
</param>
</interface>
<interface name="postgresql_view_object" lineno="213">
<summary>
Marks as a SE-PostgreSQL view object type
</summary>
<param name="type">
<summary>
Type marked as a view object type.
</summary>
</param>
</interface>
<interface name="postgresql_procedure_object" lineno="231">
<summary>
Marks as a SE-PostgreSQL procedure object type
</summary>
<param name="type">
<summary>
Type marked as a database object type.
</summary>
</param>
</interface>
<interface name="postgresql_language_object" lineno="249">
<summary>
Marks as a SE-PostgreSQL procedural language object type
</summary>
<param name="type">
<summary>
Type marked as a procedural language object type.
</summary>
</param>
</interface>
<interface name="postgresql_blob_object" lineno="267">
<summary>
Marks as a SE-PostgreSQL binary large object type
</summary>
<param name="type">
<summary>
Type marked as a database binary large object type.
</summary>
</param>
</interface>
<interface name="postgresql_search_db" lineno="285">
<summary>
Allow the specified domain to search postgresql's database directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_manage_db" lineno="303">
<summary>
Allow the specified domain to manage postgresql's database.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_domtrans" lineno="323">
<summary>
Execute postgresql in the postgresql domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="postgresql_exec" lineno="341">
<summary>
Execute Postgresql in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_signal" lineno="359">
<summary>
Allow domain to signal postgresql
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_read_config" lineno="377">
<summary>
Allow the specified domain to read postgresql's etc.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="postgresql_tcp_connect" lineno="398">
<summary>
Allow the specified domain to connect to postgresql with a tcp socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_stream_connect" lineno="419">
<summary>
Allow the specified domain to connect to postgresql with a unix socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_unpriv_client" lineno="440">
<summary>
Allow the specified domain unprivileged accesses to unifined database objects
managed by SE-PostgreSQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_unconfined" lineno="527">
<summary>
Allow the specified domain unconfined accesses to any database objects
managed by SE-PostgreSQL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="postgresql_admin" lineno="551">
<summary>
All of the rules required to administrate a postgresql environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the postgresql domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="postgresql_can_rsync" dftval="false">
<desc>
<p>
Allow postgresql to use ssh and rsync for point-in-time recovery
</p>
</desc>
</tunable>
<tunable name="sepgsql_enable_users_ddl" dftval="true">
<desc>
<p>
Allow unprivileged users to execute DDL statements
</p>
</desc>
</tunable>
<tunable name="sepgsql_unconfined_dbadm" dftval="true">
<desc>
<p>
Allow database admins to execute DML statements
</p>
</desc>
</tunable>
</module>
<module name="postgrey" filename="policy/modules/services/postgrey.if">
<summary>Postfix grey-listing server</summary>
<interface name="postgrey_stream_connect" lineno="13">
<summary>
Write to postgrey socket
</summary>
<param name="domain">
<summary>
Domain allowed to talk to postgrey
</summary>
</param>
</interface>
<interface name="postgrey_search_spool" lineno="33">
<summary>
Search the spool directory
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="postgrey_admin" lineno="58">
<summary>
All of the rules required to administrate
a postgrey environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the postgrey domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ppp" filename="policy/modules/services/ppp.if">
<summary>Point to Point Protocol daemon creates links in ppp networks</summary>
<interface name="ppp_use_fds" lineno="13">
<summary>
Use PPP file descriptors.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_dontaudit_use_fds" lineno="32">
<summary>
Do not audit attempts to inherit
and use PPP file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ppp_sigchld" lineno="50">
<summary>
Send a SIGCHLD signal to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_kill" lineno="70">
<summary>
Send ppp a kill signal
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signal" lineno="88">
<summary>
Send a generic signal to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_signull" lineno="106">
<summary>
Send a generic signull to PPP.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_domtrans" lineno="124">
<summary>
Execute domain in the ppp domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_run_cond" lineno="149">
<summary>
Conditionally execute ppp daemon on behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ppp domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_run" lineno="177">
<summary>
Unconditionally execute ppp daemon on behalf of a user or staff type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to allow the ppp domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ppp_exec" lineno="201">
<summary>
Execute domain in the ppp caller.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_config" lineno="220">
<summary>
Read ppp configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_rw_config" lineno="239">
<summary>
Read PPP-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_secrets" lineno="259">
<summary>
Read PPP secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_read_pid_files" lineno="279">
<summary>
Read PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_manage_pid_files" lineno="297">
<summary>
Create, read, write, and delete PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_pid_filetrans" lineno="315">
<summary>
Create, read, write, and delete PPP pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ppp_initrc_domtrans" lineno="333">
<summary>
Execute ppp server in the ntpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ppp_admin" lineno="358">
<summary>
All of the rules required to administrate
a ppp environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="pppd_can_insmod" dftval="false">
<desc>
<p>
Allow pppd to load kernel modules for certain modems
</p>
</desc>
</tunable>
<tunable name="pppd_for_user" dftval="false">
<desc>
<p>
Allow pppd to be run for a regular user
</p>
</desc>
</tunable>
</module>
<module name="prelude" filename="policy/modules/services/prelude.if">
<summary>Prelude hybrid intrusion detection system</summary>
<interface name="prelude_domtrans" lineno="13">
<summary>
Execute a domain transition to run prelude.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_domtrans_audisp" lineno="31">
<summary>
Execute a domain transition to run prelude_audisp.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_signal_audisp" lineno="49">
<summary>
Signal the prelude_audisp domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_read_spool" lineno="67">
<summary>
Read the prelude spool files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="prelude_manage_spool" lineno="86">
<summary>
Manage prelude-manager spool files.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="prelude_admin" lineno="113">
<summary>
All of the rules required to administrate
a prelude environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="privoxy" filename="policy/modules/services/privoxy.if">
<summary>Privacy enhancing web proxy.</summary>
<interface name="privoxy_admin" lineno="20">
<summary>
All of the rules required to administrate
a privoxy environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="privoxy_connect_any" dftval="false">
<desc>
<p>
Allow privoxy to connect to all ports, not just
HTTP, FTP, and Gopher ports.
</p>
</desc>
</tunable>
</module>
<module name="procmail" filename="policy/modules/services/procmail.if">
<summary>Procmail mail delivery agent</summary>
<interface name="procmail_domtrans" lineno="13">
<summary>
Execute procmail with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_exec" lineno="33">
<summary>
Execute procmail in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_read_tmp_files" lineno="53">
<summary>
Read procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_rw_tmp_files" lineno="72">
<summary>
Read/write procmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="procmail_read_home_files" lineno="91">
<summary>
Read procmail home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="psad" filename="policy/modules/services/psad.if">
<summary>Intrusion Detection and Log Analysis with iptables</summary>
<interface name="psad_domtrans" lineno="13">
<summary>
Execute a domain transition to run psad.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="psad_signal" lineno="31">
<summary>
Send a generic signal to psad
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_signull" lineno="49">
<summary>
Send a null signal to psad.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_config" lineno="67">
<summary>
Read psad etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_manage_config" lineno="86">
<summary>
Manage psad etc configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_pid_files" lineno="107">
<summary>
Read psad PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_pid_files" lineno="126">
<summary>
Read psad PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_read_log" lineno="146">
<summary>
Allow the specified domain to read psad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_append_log" lineno="167">
<summary>
Allow the specified domain to append to psad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_write_log" lineno="188">
<summary>
Allow the specified domain to write to psad's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="psad_rw_fifo_file" lineno="207">
<summary>
Read and write psad fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_rw_tmp_files" lineno="227">
<summary>
Read and write psad tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="psad_admin" lineno="253">
<summary>
All of the rules required to administrate
a psad environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the syslog domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="publicfile" filename="policy/modules/services/publicfile.if">
<summary>publicfile supplies files to the public through HTTP and FTP</summary>
</module>
<module name="puppet" filename="policy/modules/services/puppet.if">
<summary>Puppet client daemon</summary>
<desc>
<p>
Puppet is a configuration management system written in Ruby.
The client daemon is responsible for periodically requesting the
desired system state from the server and ensuring the state of
the client system matches.
</p>
</desc>
<interface name="puppet_domtrans_master" lineno="22">
<summary>
Execute puppet_master in the puppet_master
domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="puppet_rw_tmp" lineno="44">
<summary>
Read / Write to Puppet temp files.  Puppet uses
some system binaries (groupadd, etc) that run in
a non-puppet domain and redirects output into temp
files.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="puppet_read_config" lineno="63">
<summary>
Allow the specified domain to read puppet's config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_log" lineno="83">
<summary>
Allow the specified domain to read puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_create_log" lineno="102">
<summary>
Allow the specified domain to create puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_append_log" lineno="121">
<summary>
Allow the specified domain to append puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_read_lib" lineno="140">
<summary>
Read Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_manage_lib" lineno="159">
<summary>
Manage Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_search_log" lineno="178">
<summary>
Allow the specified domain to search puppet's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="puppet_search_pid" lineno="197">
<summary>
Allow the specified domain to search puppet's pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="puppet_manage_all_files" dftval="false">
<desc>
<p>
Allow Puppet client to manage all file
types.
</p>
</desc>
</tunable>
<tunable name="puppetmaster_use_db" dftval="false">
<desc>
<p>
Allow Puppet master to connect to MySQL and PostgreSQL databases.
</p>
</desc>
</tunable>
</module>
<module name="pxe" filename="policy/modules/services/pxe.if">
<summary>Server for the PXE network boot protocol</summary>
</module>
<module name="pyicqt" filename="policy/modules/services/pyicqt.if">
<summary>PyICQt is an ICQ transport for XMPP server.</summary>
</module>
<module name="pyzor" filename="policy/modules/services/pyzor.if">
<summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
<interface name="pyzor_role" lineno="18">
<summary>
Role access for pyzor
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="pyzor_signal" lineno="44">
<summary>
Send generic signals to pyzor
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_domtrans" lineno="62">
<summary>
Execute pyzor with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_exec" lineno="82">
<summary>
Execute pyzor in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="pyzor_admin" lineno="109">
<summary>
All of the rules required to administrate
a pyzor environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the pyzor domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="qmail" filename="policy/modules/services/qmail.if">
<summary>Qmail Mail Server</summary>
<template name="qmail_child_domain_template" lineno="18">
<summary>
Template for qmail parent/sub-domain pairs
</summary>
<param name="child_prefix">
<summary>
The prefix of the child domain
</summary>
</param>
<param name="parent_domain">
<summary>
The name of the parent domain.
</summary>
</param>
</template>
<interface name="qmail_domtrans_inject" lineno="60">
<summary>
Transition to qmail_inject_t
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="qmail_domtrans_queue" lineno="86">
<summary>
Transition to qmail_queue_t
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="qmail_read_config" lineno="113">
<summary>
Read qmail configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qmail_smtpd_service_domain" lineno="145">
<summary>
Define the specified domain as a qmail-smtp service.
Needed by antivirus/antispam filters.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
<interface name="qmail_manage_spool_dirs" lineno="164">
<summary>
Create, read, write, and delete qmail
spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qmail_manage_spool_files" lineno="183">
<summary>
Create, read, write, and delete qmail
spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qmail_rw_spool_pipes" lineno="201">
<summary>
Read and write to qmail spool pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="qpidd" filename="policy/modules/services/qpidd.if">
<summary>policy for qpidd</summary>
<interface name="qpidd_domtrans" lineno="13">
<summary>
Execute a domain transition to run qpidd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="qpidd_initrc_domtrans" lineno="32">
<summary>
Execute qpidd server in the qpidd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="qpidd_read_pid_files" lineno="50">
<summary>
Read qpidd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_var_run" lineno="69">
<summary>
Manage qpidd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_search_lib" lineno="90">
<summary>
Search qpidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_read_lib_files" lineno="109">
<summary>
Read qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_lib_files" lineno="129">
<summary>
Create, read, write, and delete
qpidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_manage_var_lib" lineno="148">
<summary>
Manage qpidd var_lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_admin" lineno="176">
<summary>
All of the rules required to administrate
a qpidd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="qpidd_rw_semaphores" lineno="206">
<summary>
Allow read and write access to qpidd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="qpidd_rw_shm" lineno="224">
<summary>
Read and write to qpidd shared memory.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="quantum" filename="policy/modules/services/quantum.if">
<summary>Quantum is a virtual network service for Openstack</summary>
<interface name="neutron_domtrans" lineno="13">
<summary>
Transition to neutron.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="neutron_read_log" lineno="33">
<summary>
Read neutron's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="neutron_append_log" lineno="52">
<summary>
Append to neutron log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_log" lineno="71">
<summary>
Manage neutron log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_search_lib" lineno="92">
<summary>
Search neutron lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_read_lib_files" lineno="111">
<summary>
Read neutron lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_lib_files" lineno="130">
<summary>
Manage neutron lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_manage_lib_dirs" lineno="149">
<summary>
Manage neutron lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_rw_fifo_file" lineno="168">
<summary>
Read and write neutron fifo files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_sigchld" lineno="186">
<summary>
Allow domain to send sigchld to neutron process.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_stream_connect" lineno="205">
<summary>
Connect to neutron over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="neutron_admin" lineno="226">
<summary>
All of the rules required to administrate
a neutron environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="radius" filename="policy/modules/services/radius.if">
<summary>RADIUS authentication and accounting server.</summary>
<interface name="radius_use" lineno="13">
<summary>
Use radius over a UDP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="radius_admin" lineno="34">
<summary>
All of the rules required to administrate
a radius environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="radvd" filename="policy/modules/services/radvd.if">
<summary>IPv6 router advertisement daemon</summary>
<interface name="radvd_read_pid_files" lineno="13">
<summary>
Read radvd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="radvd_admin" lineno="39">
<summary>
All of the rules required to administrate
a radvd environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="razor" filename="policy/modules/services/razor.if">
<summary>A distributed, collaborative, spam detection and filtering network.</summary>
<desc>
<p>
A distributed, collaborative, spam detection and filtering network.
</p>
<p>
This policy will work with either the ATrpms provided config
file in /etc/razor, or with the default of dumping everything into
$HOME/.razor.
</p>
</desc>
<template name="razor_common_domain_template" lineno="25">
<summary>
Template to create types and rules common to
all razor domains.
</summary>
<param name="prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<interface name="razor_role" lineno="121">
<summary>
Role access for razor
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
</interface>
<interface name="razor_domtrans" lineno="153">
<summary>
Execute razor in the system razor domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="razor_manage_user_home_files" lineno="172">
<summary>
Create, read, write, and delete razor files
in a user home subdirectory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="razor_read_lib_files" lineno="192">
<summary>
Read razor lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rdisc" filename="policy/modules/services/rdisc.if">
<summary>Network router discovery daemon</summary>
<interface name="rdisc_exec" lineno="13">
<summary>
Execute rdisc in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="remotelogin" filename="policy/modules/services/remotelogin.if">
<summary>Policy for rshd, rlogind, and telnetd.</summary>
<interface name="remotelogin_domtrans" lineno="13">
<summary>
Domain transition to the remote login domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="remotelogin_signal" lineno="31">
<summary>
Allow the domain to signal the remote login domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="resmgr" filename="policy/modules/services/resmgr.if">
<summary>Resource management daemon</summary>
<interface name="resmgr_stream_connect" lineno="14">
<summary>
Connect to resmgrd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rgmanager" filename="policy/modules/services/rgmanager.if">
<summary>SELinux policy for rgmanager</summary>
<interface name="rgmanager_domtrans" lineno="13">
<summary>
Execute a domain transition to run rgmanager.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rgmanager_rw_semaphores" lineno="33">
<summary>
Allow read and write access to rgmanager semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_stream_connect" lineno="51">
<summary>
Connect to rgmanager over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmpfs_files" lineno="70">
<summary>
Allow the domain to manage rgmanager tmpfs files.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_tmp_files" lineno="90">
<summary>
Allow the domain to manage rgmanager tmp files.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rgmanager_manage_pid_files" lineno="110">
<summary>
Allow the domain to manage rgmanager pid files.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rgmanager_admin" lineno="136">
<summary>
All of the rules required to administrate
an rgmanager environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the rgmanager domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rgmanager_manage_files" lineno="172">
<summary>
Allow the specified domain to manage rgmanager's lib/run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rgmanager_search_lib" lineno="195">
<summary>
Allow the specified domain to search rgmanager's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="rgmanager_can_network_connect" dftval="false">
<desc>
<p>
Allow rgmanager domain to connect to the network using TCP.
</p>
</desc>
</tunable>
</module>
<module name="rhcs" filename="policy/modules/services/rhcs.if">
<summary>RHCS - Red Hat Cluster Suite</summary>
<template name="rhcs_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
rhcs init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="rhcs_domtrans_dlm_controld" lineno="74">
<summary>
Execute a domain transition to run dlm_controld.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_dlm_controld" lineno="94">
<summary>
Connect to dlm_controld over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_dlm_controld_semaphores" lineno="113">
<summary>
Allow read and write access to dlm_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_fenced" lineno="134">
<summary>
Execute a domain transition to run fenced.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_getattr_fenced" lineno="153">
<summary>
Allow a domain to getattr on fenced executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_fenced_semaphores" lineno="171">
<summary>
Allow read and write access to fenced semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_fenced" lineno="192">
<summary>
Connect to fenced over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_gfs_controld" lineno="212">
<summary>
Execute a domain transition to run gfs_controld.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_semaphores" lineno="231">
<summary>
Allow read and write access to gfs_controld semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_gfs_controld_shm" lineno="252">
<summary>
Read and write to gfs_controld_t shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_gfs_controld" lineno="273">
<summary>
Connect to gfs_controld_t over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_groupd" lineno="292">
<summary>
Execute a domain transition to run groupd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_groupd" lineno="312">
<summary>
Connect to groupd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_semaphores" lineno="331">
<summary>
Allow read and write access to groupd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_groupd_shm" lineno="352">
<summary>
Read and write to groupd shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_shm" lineno="373">
<summary>
Read and write to cluster domains shared memory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_semaphores" lineno="398">
<summary>
Read and write access to cluster domains semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_cluster" lineno="417">
<summary>
Connect to cluster domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_stream_connect_cluster_to" lineno="443">
<summary>
Connect to cluster domains over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_qdiskd" lineno="463">
<summary>
Execute a domain transition to run qdiskd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_qdiskd_tmpfs_files" lineno="482">
<summary>
Allow domain to read qdiskd tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_domtrans_cluster" lineno="500">
<summary>
Execute a domain transition to run cluster administrative domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_initrc_domtrans_cluster" lineno="520">
<summary>
Execute cluster init scripts in
the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhcs_exec_cluster" lineno="538">
<summary>
Execute cluster in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_log_cluster" lineno="557">
<summary>
Read cluster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_setattr_log_cluster" lineno="577">
<summary>
Setattr cluster log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_inherited_cluster_tmp_files" lineno="595">
<summary>
Allow the specified domain to read/write inherited cluster tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_tmp_files" lineno="613">
<summary>
Allow manage cluster tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_rw_cluster_tmpfs" lineno="632">
<summary>
Allow the specified domain to read/write cluster's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_tmpfs_files" lineno="650">
<summary>
Allow manage cluster tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_pid_files" lineno="669">
<summary>
Allow manage cluster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_cluster_pid_files" lineno="688">
<summary>
Allow read cluster pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_read_cluster_lib_files" lineno="707">
<summary>
Allow domain to read cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_manage_cluster_lib_files" lineno="726">
<summary>
Allow domain to manage cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhcs_relabel_cluster_lib_files" lineno="745">
<summary>
Allow domain to relabel cluster lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="fenced_can_network_connect" dftval="false">
<desc>
<p>
Allow fenced domain to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="fenced_can_ssh" dftval="false">
<desc>
<p>
Allow fenced domain to execute ssh.
</p>
</desc>
</tunable>
<tunable name="cluster_can_network_connect" dftval="false">
<desc>
<p>
Allow cluster administrative domains to connect to the network using TCP.
</p>
</desc>
</tunable>
<tunable name="cluster_manage_all_files" dftval="true">
<desc>
<p>
Allow cluster administrative domains to manage all files on a system.
This tunable is enabled by default (dftval="true").
</p>
</desc>
</tunable>
<tunable name="cluster_use_execmem" dftval="false">
<desc>
<p>
Allow cluster administrative domains (memcheck-amd64-) to use executable memory.
</p>
</desc>
</tunable>
</module>
<module name="rhev" filename="policy/modules/services/rhev.if">
<summary>rhev policy module contains policies for rhev apps</summary>
<interface name="rhev_domtrans_agentd" lineno="13">
<summary>
Execute rhev-agentd in the rhev_agentd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_read_pid_files_agentd" lineno="31">
<summary>
Read rhev-agentd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_stream_connect_agentd" lineno="51">
<summary>
Connect to rhev_agentd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhev_sigchld_agentd" lineno="70">
<summary>
Send sigchld to rhev-agentd
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
</module>
<module name="rhgb" filename="policy/modules/services/rhgb.if">
<summary> Red Hat Graphical Boot </summary>
<interface name="rhgb_stub" lineno="13">
<summary>
RHGB stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
N/A
</summary>
</param>
</interface>
<interface name="rhgb_use_fds" lineno="29">
<summary>
Use a rhgb file descriptor.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rhgb_getpgid" lineno="47">
<summary>
Get the process group of rhgb.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_signal" lineno="65">
<summary>
Send a signal to rhgb.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_rw_stream_sockets" lineno="83">
<summary>
Read and write to unix stream sockets.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rhgb_dontaudit_rw_stream_sockets" lineno="102">
<summary>
Do not audit attempts to read and write
rhgb unix domain stream sockets.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rhgb_stream_connect" lineno="120">
<summary>
Connect to rhgb unix stream socket.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rhgb_rw_shm" lineno="138">
<summary>
Read and write to rhgb shared memory.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rhgb_use_ptys" lineno="156">
<summary>
Read from and write to the rhgb devpts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhgb_dontaudit_use_ptys" lineno="174">
<summary>
Do not audit attempts to read from and write to the rhgb devpts.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhgb_rw_tmpfs_files" lineno="192">
<summary>
Read and write to rhgb temporary file system.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="rhnsd" filename="policy/modules/services/rhnsd.if">
<summary>policy for rhnsd</summary>
<interface name="rhnsd_domtrans" lineno="13">
<summary>
Transition to rhnsd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhnsd_initrc_domtrans" lineno="32">
<summary>
Execute rhnsd server in the rhnsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_manage_config" lineno="51">
<summary>
Allow the specified domain to manage
rhnsd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhnsd_admin" lineno="77">
<summary>
All of the rules required to administrate
an rhnsd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rhsmcertd" filename="policy/modules/services/rhsmcertd.if">
<summary>Subscription Management Certificate Daemon policy</summary>
<interface name="rhsmcertd_domtrans" lineno="13">
<summary>
Transition to rhsmcertd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rhsmcertd_initrc_domtrans" lineno="33">
<summary>
Execute rhsmcertd server in the rhsmcertd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_log" lineno="53">
<summary>
Read rhsmcertd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rhsmcertd_append_log" lineno="72">
<summary>
Append to rhsmcertd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_log" lineno="91">
<summary>
Manage rhsmcertd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_search_lib" lineno="112">
<summary>
Search rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_lib_files" lineno="131">
<summary>
Read rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_files" lineno="150">
<summary>
Manage rhsmcertd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_manage_lib_dirs" lineno="169">
<summary>
Manage rhsmcertd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_read_pid_files" lineno="189">
<summary>
Read rhsmcertd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_stream_connect" lineno="209">
<summary>
Connect to rhsmcertd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dbus_chat" lineno="229">
<summary>
Send and receive messages from
rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rhsmcertd_dontaudit_dbus_chat" lineno="250">
<summary>
Do not audit attempts to send and receive messages from
rhsmcertd over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rhsmcertd_admin" lineno="277">
<summary>
All of the rules required to administrate
an rhsmcertd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ricci" filename="policy/modules/services/ricci.if">
<summary>Ricci cluster management agent</summary>
<interface name="ricci_domtrans" lineno="13">
<summary>
Execute a domain transition to run ricci.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_initrc_domtrans" lineno="31">
<summary>
Execute ricci server in the ricci domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modcluster" lineno="49">
<summary>
Execute a domain transition to run ricci_modcluster.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_use_modcluster_fds" lineno="68">
<summary>
Do not audit attempts to use
ricci_modcluster file descriptors.
</summary>
<param name="domain">
<summary>
The type of process not to audit.
</summary>
</param>
</interface>
<interface name="ricci_dontaudit_rw_modcluster_pipes" lineno="87">
<summary>
Do not audit attempts to read and write
ricci_modcluster unnamed pipes.
</summary>
<param name="domain">
<summary>
The type of process not to audit.
</summary>
</param>
</interface>
<interface name="ricci_stream_connect_modclusterd" lineno="105">
<summary>
Connect to ricci_modclusterd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_rw_modclusterd_tmpfs_files" lineno="124">
<summary>
Read and write to ricci_modclusterd temporary file system.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modlog" lineno="143">
<summary>
Execute a domain transition to run ricci_modlog.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modrpm" lineno="161">
<summary>
Execute a domain transition to run ricci_modrpm.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modservice" lineno="179">
<summary>
Execute a domain transition to run ricci_modservice.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_domtrans_modstorage" lineno="197">
<summary>
Execute a domain transition to run ricci_modstorage.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ricci_read_lib_files" lineno="215">
<summary>
Allow the specified domain to read ricci's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_manage_lib_files" lineno="235">
<summary>
Allow the specified domain to manage ricci's lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ricci_admin" lineno="262">
<summary>
All of the rules required to administrate
a ricci environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rlogin" filename="policy/modules/services/rlogin.if">
<summary>Remote login daemon</summary>
<interface name="rlogin_domtrans" lineno="13">
<summary>
Execute rlogind in the rlogin domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rlogin_read_home_content" lineno="32">
<summary>
read rlogin homedir content (.config)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="roundup" filename="policy/modules/services/roundup.if">
<summary>Roundup Issue Tracking System policy</summary>
<interface name="roundup_admin" lineno="20">
<summary>
All of the rules required to administrate
a roundup environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the roundup domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rpc" filename="policy/modules/services/rpc.if">
<summary>Remote Procedure Call Daemon for management of network based process communication</summary>
<interface name="rpc_stub" lineno="13">
<summary>
RPC stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="rpc_domain_template" lineno="35">
<summary>
The template to define a rpc domain.
</summary>
<desc>
<p>
This template creates a domain to be used for
a new rpc daemon.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The type of daemon to be used.
</summary>
</param>
</template>
<interface name="rpc_udp_send" lineno="135">
<summary>
Send UDP network traffic to rpc and receive UDP traffic from rpc.  (Deprecated)
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_dontaudit_getattr_exports" lineno="150">
<summary>
Do not audit attempts to get the attributes
of the NFS export file.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_read_exports" lineno="168">
<summary>
Allow read access to exports.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_write_exports" lineno="186">
<summary>
Allow write access to exports.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_nfsd" lineno="204">
<summary>
Execute domain in nfsd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_initrc_domtrans_nfsd" lineno="222">
<summary>
Execute domain in nfsd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_domtrans_rpcd" lineno="240">
<summary>
Execute domain in rpcd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="rpc_kill_rpcd" lineno="259">
<summary>
Send kill signals to rpcd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_run_rpcd" lineno="284">
<summary>
Execute rpcd in the rpcd domain, and
allow the specified role the rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_initrc_domtrans_rpcd" lineno="303">
<summary>
Execute domain in rpcd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_read_nfs_content" lineno="322">
<summary>
Read NFS exported content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_manage_nfs_rw_content" lineno="343">
<summary>
Allow domain to create read and write NFS directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_manage_nfs_ro_content" lineno="364">
<summary>
Allow domain to create read-only NFS directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rpc_udp_rw_nfs_sockets" lineno="384">
<summary>
Allow domain to read and write to an NFS UDP socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_udp_send_nfs" lineno="402">
<summary>
Send UDP traffic to NFSd.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_search_nfs_state_data" lineno="416">
<summary>
Search NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_read_nfs_state_data" lineno="435">
<summary>
Read NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpc_manage_nfs_state_data" lineno="454">
<summary>
Manage NFS state data in /var/lib/nfs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="allow_gssd_read_tmp" dftval="true">
<desc>
<p>
Allow gssd to read temp directory.  For access to kerberos tgt.
</p>
</desc>
</tunable>
</module>
<module name="rpcbind" filename="policy/modules/services/rpcbind.if">
<summary>Universal Addresses to RPC Program Number Mapper</summary>
<interface name="rpcbind_domtrans" lineno="13">
<summary>
Execute a domain transition to run rpcbind.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rpcbind_stream_connect" lineno="31">
<summary>
Connect to rpcbind over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_pid_files" lineno="50">
<summary>
Read rpcbind PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_search_lib" lineno="69">
<summary>
Search rpcbind lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_read_lib_files" lineno="88">
<summary>
Read rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_manage_lib_files" lineno="108">
<summary>
Create, read, write, and delete
rpcbind lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rpcbind_admin" lineno="134">
<summary>
All of the rules required to administrate
an rpcbind environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the rpcbind domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="rshd" filename="policy/modules/services/rshd.if">
<summary>Remote shell service.</summary>
<interface name="rshd_domtrans" lineno="13">
<summary>
Domain transition to rshd.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
</module>
<module name="rsync" filename="policy/modules/services/rsync.if">
<summary>Fast incremental file transfer for synchronization</summary>
<interface name="rsync_entry_type" lineno="14">
<summary>
Make rsync an entry point for
the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which init scripts are an entrypoint.
</summary>
</param>
</interface>
<interface name="rsync_entry_spec_domtrans" lineno="47">
<summary>
Execute a rsync in a specified domain.
</summary>
<desc>
<p>
Execute a rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain to transition from.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_entry_domtrans" lineno="80">
<summary>
Execute a rsync in a specified domain.
</summary>
<desc>
<p>
Execute a rsync in a specified domain.
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="source_domain">
<summary>
Domain to transition from.
</summary>
</param>
<param name="target_domain">
<summary>
Domain to transition to.
</summary>
</param>
</interface>
<interface name="rsync_exec" lineno="99">
<summary>
Execute rsync in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rsync_read_config" lineno="117">
<summary>
Read rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed.
</summary>
</param>
</interface>
<interface name="rsync_write_config" lineno="136">
<summary>
Write to rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed.
</summary>
</param>
</interface>
<interface name="rsync_manage_config" lineno="155">
<summary>
Manage rsync config files.
</summary>
<param name="domain">
<summary>
Domain allowed.
</summary>
</param>
</interface>
<interface name="rsync_filetrans_config" lineno="180">
<summary>
Create objects in the amavis spool directories
with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
</interface>
<tunable name="rsync_client" dftval="false">
<desc>
<p>
Allow rsync to run as a client
</p>
</desc>
</tunable>
<tunable name="rsync_export_all_ro" dftval="false">
<desc>
<p>
Allow rsync to export any files/directories read only.
</p>
</desc>
</tunable>
<tunable name="allow_rsync_anon_write" dftval="false">
<desc>
<p>
Allow rsync to modify public files
used for public file transfer services.  Files/Directories must be
labeled public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="rsync_use_cifs" dftval="false">
<desc>
<p>
Allow rsync servers to share cifs file systems
</p>
</desc>
</tunable>
<tunable name="rsync_use_nfs" dftval="false">
<desc>
<p>
Allow rsync servers to share nfs file systems
</p>
</desc>
</tunable>
</module>
<module name="rtas" filename="policy/modules/services/rtas.if">
<summary>Platform diagnostics report firmware events.</summary>
<interface name="rtas_errd_domtrans" lineno="13">
<summary>
Execute rtas_errd in the rtas_errd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtas_errd_read_log" lineno="33">
<summary>
Read rtas_errd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="rtas_errd_append_log" lineno="52">
<summary>
Append to rtas_errd log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_manage_log" lineno="71">
<summary>
Manage rtas_errd log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_read_pid_files" lineno="92">
<summary>
Read rtas_errd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtas_errd_admin" lineno="112">
<summary>
All of the rules required to administrate
an rtas_errd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rtkit" filename="policy/modules/services/rtkit.if">
<summary>Realtime scheduling for user processes.</summary>
<interface name="rtkit_daemon_domtrans" lineno="13">
<summary>
Execute a domain transition to run rtkit_daemon.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rtkit_daemon_dbus_chat" lineno="32">
<summary>
Send and receive messages from
rtkit_daemon over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rtkit_daemon_dontaudit_dbus_chat" lineno="53">
<summary>
Do not audit send and receive messages from
rtkit_daemon over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="rtkit_scheduled" lineno="73">
<summary>
Allow rtkit to control scheduling for your process
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="rwho" filename="policy/modules/services/rwho.if">
<summary>Who is logged in on other machines?</summary>
<interface name="rwho_domtrans" lineno="13">
<summary>
Execute a domain transition to run rwho.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="rwho_search_log" lineno="31">
<summary>
Search rwho log directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_log_files" lineno="50">
<summary>
Read rwho log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_search_spool" lineno="70">
<summary>
Search rwho spool directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_read_spool_files" lineno="89">
<summary>
Read rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_manage_spool_files" lineno="109">
<summary>
Create, read, write, and delete
rwho spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="rwho_admin" lineno="135">
<summary>
All of the rules required to administrate
an rwho environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="samba" filename="policy/modules/services/samba.if">
<summary>
SMB and CIFS client/server programs for UNIX and
name service switch daemon for resolving names
from Windows NT servers.
</summary>
<interface name="samba_domtrans_nmbd" lineno="17">
<summary>
Execute nmbd net in the nmbd_t domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_initrc_domtrans" lineno="36">
<summary>
Execute samba server in the samba domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_domtrans_net" lineno="54">
<summary>
Execute samba net in the samba_net domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_domtrans_unconfined_net" lineno="73">
<summary>
Execute samba net in the samba_unconfined_net domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_run_net" lineno="99">
<summary>
Execute samba net in the samba_net domain, and
allow the specified role the samba_net domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the samba_net domain.
</summary>
</param>
<rolecap/>
</interface>
<template name="samba_role_notrans" lineno="118">
<summary>
The role for the samba module.
</summary>
<param name="role">
<summary>
The role to be allowed the samba_net domain.
</summary>
</param>
</template>
<interface name="samba_run_unconfined_net" lineno="143">
<summary>
Execute samba net in the samba_unconfined_net domain, and
allow the specified role the samba_unconfined_net domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the samba_unconfined_net domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_domtrans_smbmount" lineno="162">
<summary>
Execute smbmount in the smbmount domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_run_smbmount" lineno="188">
<summary>
Execute smbmount interactively and do
a domain transition to the smbmount domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the smbmount domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_config" lineno="209">
<summary>
Allow the specified domain to read
samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_rw_config" lineno="230">
<summary>
Allow the specified domain to read
and write samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_manage_config" lineno="251">
<summary>
Allow the specified domain to read
and write samba configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_log" lineno="272">
<summary>
Allow the specified domain to read samba's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_append_log" lineno="293">
<summary>
Allow the specified domain to append to samba's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_exec_log" lineno="313">
<summary>
Execute samba log in the caller domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_read_secrets" lineno="332">
<summary>
Allow the specified domain to read samba's secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_share_files" lineno="351">
<summary>
Allow the specified domain to read samba's shares
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_search_var" lineno="371">
<summary>
Allow the specified domain to search
samba /var directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_read_var_files" lineno="392">
<summary>
Allow the specified domain to
read samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_write_var_files" lineno="413">
<summary>
Do not audit attempts to write samba
/var files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_rw_var_files" lineno="432">
<summary>
Allow the specified domain to
read and write samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_manage_var_files" lineno="453">
<summary>
Allow the specified domain to
read and write samba /var files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbcontrol" lineno="474">
<summary>
Execute a domain transition to run smbcontrol.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="samba_run_smbcontrol" lineno="499">
<summary>
Execute smbcontrol in the smbcontrol domain, and
allow the specified role the smbcontrol domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the smbcontrol domain.
</summary>
</param>
</interface>
<interface name="samba_domtrans_smbd" lineno="518">
<summary>
Execute smbd in the smbd_t domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_dontaudit_use_fds" lineno="537">
<summary>
Do not audit attempts to use file descriptors from samba.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="samba_write_smbmount_tcp_sockets" lineno="555">
<summary>
Allow the specified domain to write to smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_rw_smbmount_tcp_sockets" lineno="573">
<summary>
Allow the specified domain to read and write to smbmount tcp sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_domtrans_winbind_helper" lineno="591">
<summary>
Execute winbind_helper in the winbind_helper domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="samba_run_winbind_helper" lineno="617">
<summary>
Execute winbind_helper in the winbind_helper domain, and
allow the specified role the winbind_helper domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the winbind_helper domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="samba_read_winbind_pid" lineno="636">
<summary>
Allow the specified domain to read the winbind pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signal_nmbd" lineno="655">
<summary>
Allow domain to signal samba
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_nmbd" lineno="672">
<summary>
Connect to nmbd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_signal_smbd" lineno="692">
<summary>
Allow domain to signal samba
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_stream_connect_winbind" lineno="709">
<summary>
Connect to winbind.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<template name="samba_helper_template" lineno="741">
<summary>
Create a set of derived types for apache
web content.
</summary>
<param name="prefix">
<summary>
The prefix to be used for deriving type names.
</summary>
</param>
</template>
<interface name="samba_search_pid" lineno="771">
<summary>
Search the samba pid directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="samba_admin" lineno="797">
<summary>
All of the rules required to administrate
a samba environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the samba domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_smbd_anon_write" dftval="false">
<desc>
<p>
Allow samba to modify public files used for public file
transfer services.  Files/Directories must be labeled
public_content_rw_t.
</p>
</desc>
</tunable>
<tunable name="samba_create_home_dirs" dftval="false">
<desc>
<p>
Allow samba to create new home directories (e.g. via PAM)
</p>
</desc>
</tunable>
<tunable name="samba_domain_controller" dftval="false">
<desc>
<p>
Allow samba to act as the domain controller, add users,
groups and change passwords.

</p>
</desc>
</tunable>
<tunable name="samba_portmapper" dftval="false">
<desc>
<p>
Allow samba to act as a portmapper

</p>
</desc>
</tunable>
<tunable name="samba_enable_home_dirs" dftval="false">
<desc>
<p>
Allow samba to share users home directories.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_ro" dftval="false">
<desc>
<p>
Allow samba to share any file/directory read only.
</p>
</desc>
</tunable>
<tunable name="samba_export_all_rw" dftval="false">
<desc>
<p>
Allow samba to share any file/directory read/write.
</p>
</desc>
</tunable>
<tunable name="samba_run_unconfined" dftval="false">
<desc>
<p>
Allow samba to run unconfined scripts
</p>
</desc>
</tunable>
<tunable name="samba_share_nfs" dftval="false">
<desc>
<p>
Allow samba to export NFS volumes.
</p>
</desc>
</tunable>
<tunable name="samba_share_fusefs" dftval="false">
<desc>
<p>
Allow samba to export ntfs/fusefs volumes.
</p>
</desc>
</tunable>
</module>
<module name="sanlock" filename="policy/modules/services/sanlock.if">
<summary>policy for sanlock</summary>
<interface name="sanlock_domtrans" lineno="13">
<summary>
Execute a domain transition to run sanlock.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_initrc_domtrans" lineno="32">
<summary>
Execute sanlock server in the sanlock domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="sanlock_manage_pid_files" lineno="50">
<summary>
Create, read, write, and delete sanlock PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_stream_connect" lineno="69">
<summary>
Connect to sanlock over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sanlock_admin" lineno="95">
<summary>
All of the rules required to administrate
a sanlock environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="sanlock_use_nfs" dftval="false">
<desc>
<p>
Allow sanlock to manage nfs files
</p>
</desc>
</tunable>
<tunable name="sanlock_use_samba" dftval="false">
<desc>
<p>
Allow sanlock to manage cifs files
</p>
</desc>
</tunable>
<tunable name="sanlock_use_fusefs" dftval="false">
<desc>
<p>
Allow sanlock to read/write fuse files
</p>
</desc>
</tunable>
</module>
<module name="sasl" filename="policy/modules/services/sasl.if">
<summary>SASL authentication server</summary>
<interface name="sasl_connect" lineno="13">
<summary>
Connect to SASL.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sasl_admin" lineno="39">
<summary>
All of the rules required to administrate
an sasl environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_saslauthd_read_shadow" dftval="false">
<desc>
<p>
Allow sasl to read shadow
</p>
</desc>
</tunable>
</module>
<module name="sblim" filename="policy/modules/services/sblim.if">
<summary> Standards Based Linux Instrumentation for Manageability. </summary>
<template name="sblim_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
sblim daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="sblim_domtrans_gatherd" lineno="41">
<summary>
Transition to gatherd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sblim_read_pid_files" lineno="60">
<summary>
Read gatherd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_stream_connect_sfcbd" lineno="79">
<summary>
Connect to sblim_sfcb over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_getattr_exec_sfcbd" lineno="100">
<summary>
Getattr on sblim executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_stream_connect_sfcb" lineno="119">
<summary>
Connect to sblim_sfcb over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_rw_semaphores_sfcbd" lineno="138">
<summary>
Allow read and write access to sblim semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sblim_admin" lineno="159">
<summary>
All of the rules required to administrate
a gatherd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sendmail" filename="policy/modules/services/sendmail.if">
<summary>Policy for sendmail.</summary>
<interface name="sendmail_stub" lineno="13">
<summary>
Sendmail stub interface.  No access allowed.
</summary>
<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_rw_pipes" lineno="30">
<summary>
Allow attempts to read and write to
sendmail unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_domtrans" lineno="48">
<summary>
Domain transition to sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_initrc_domtrans" lineno="66">
<summary>
Execute sendmail in the sendmail domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="sendmail_run" lineno="90">
<summary>
Execute the sendmail program in the sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to allow the sendmail domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_signal" lineno="109">
<summary>
Send generic signals to sendmail.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_rw_tcp_sockets" lineno="127">
<summary>
Read and write sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_tcp_sockets" lineno="146">
<summary>
Do not audit attempts to read and write
sendmail TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_rw_unix_stream_sockets" lineno="164">
<summary>
Read and write sendmail unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_dontaudit_rw_unix_stream_sockets" lineno="183">
<summary>
Do not audit attempts to read and write
sendmail unix_stream_sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sendmail_read_log" lineno="202">
<summary>
Read sendmail logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_manage_log" lineno="222">
<summary>
Create, read, write, and delete sendmail logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_create_log" lineno="241">
<summary>
Create sendmail logs with the correct type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_manage_tmp_files" lineno="259">
<summary>
Manage sendmail tmp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_run_unconfined" lineno="286">
<summary>
Execute sendmail in the unconfined sendmail domain, and
allow the specified role the unconfined sendmail domain,
and use the caller's terminal.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="sendmail_domtrans_unconfined" lineno="305">
<summary>
Execute sendmail in the unconfined sendmail domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sendmail_admin" lineno="331">
<summary>
All of the rules required to administrate
a sendmail environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="sensord" filename="policy/modules/services/sensord.if">
<summary>Sensor information logging daemon</summary>
<interface name="sensord_domtrans" lineno="13">
<summary>
Execute sensord in the sensord domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sensord_admin" lineno="33">
<summary>
All of the rules required to administrate
a sensord environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="setroubleshoot" filename="policy/modules/services/setroubleshoot.if">
<summary>SELinux troubleshooting service</summary>
<interface name="setroubleshoot_stream_connect" lineno="13">
<summary>
Connect to setroubleshootd over a unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_stream_connect" lineno="34">
<summary>
Dontaudit attempts to connect to setroubleshootd
over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat" lineno="54">
<summary>
Send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dontaudit_dbus_chat" lineno="75">
<summary>
dontaudit send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="setroubleshoot_dbus_chat_fixit" lineno="96">
<summary>
Send and receive messages from
setroubleshoot over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_fixit_dontaudit_leaks" lineno="116">
<summary>
Do not audit attempts to read/write setroubleshoot leaked sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="setroubleshoot_admin" lineno="136">
<summary>
All of the rules required to administrate
a setroubleshoot environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="sge" filename="policy/modules/services/sge.if">
<summary>Policy for gridengine MPI jobs</summary>
<tunable name="sge_use_nfs" dftval="false">
<desc>
<p>
Allow sge to access nfs file systems.
</p>
</desc>
</tunable>
<tunable name="sge_domain_can_network_connect" dftval="false">
<desc>
<p>
Allow sge to connect to the network using any TCP port
</p>
</desc>
</tunable>
</module>
<module name="slpd" filename="policy/modules/services/slpd.if">
<summary>OpenSLP server daemon to dynamically register services.</summary>
<interface name="slpd_domtrans" lineno="13">
<summary>
Transition to slpd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="slpd_initrc_domtrans" lineno="32">
<summary>
Execute slpd server in the slpd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="slpd_admin" lineno="57">
<summary>
All of the rules required to administrate
an slpd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="slrnpull" filename="policy/modules/services/slrnpull.if">
<summary>Service for downloading news feeds for the slrn newsreader.</summary>
<interface name="slrnpull_search_spool" lineno="13">
<summary>
Allow the domain to search slrnpull spools.
</summary>
<param name="pty_type">
<summary>
domain allowed access
</summary>
</param>
</interface>
<interface name="slrnpull_manage_spool" lineno="33">
<summary>
Allow the domain to create, read,
write, and delete slrnpull spools.
</summary>
<param name="pty_type">
<summary>
domain allowed access
</summary>
</param>
</interface>
</module>
<module name="smartmon" filename="policy/modules/services/smartmon.if">
<summary>Smart disk monitoring daemon policy</summary>
<interface name="smartmon_read_tmp_files" lineno="13">
<summary>
Allow caller to read smartmon temporary files.
</summary>
<param name="domain">
<summary>
The process type reading the temporary files.
</summary>
</param>
</interface>
<interface name="smartmon_admin" lineno="39">
<summary>
All of the rules required to administrate
a smartmon environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="smartmon_3ware" dftval="false">
<desc>
<p>
Enable additional permissions needed to support
devices on 3ware controllers.
</p>
</desc>
</tunable>
</module>
<module name="smokeping" filename="policy/modules/services/smokeping.if">
<summary>Smokeping network latency measurement.</summary>
<interface name="smokeping_domtrans" lineno="13">
<summary>
Execute a domain transition to run smokeping.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="smokeping_initrc_domtrans" lineno="31">
<summary>
Execute smokeping server in the smokeping domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_read_pid_files" lineno="49">
<summary>
Read smokeping PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_pid_files" lineno="68">
<summary>
Manage smokeping PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_getattr_lib_files" lineno="87">
<summary>
Get attributes of smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_read_lib_files" lineno="106">
<summary>
Read smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_manage_lib_files" lineno="125">
<summary>
Manage smokeping lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smokeping_admin" lineno="151">
<summary>
All of the rules required to administrate
a smokeping environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="smstools" filename="policy/modules/services/smstools.if">
<summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
<interface name="smsd_search_lib" lineno="13">
<summary>
Search smsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_read_lib_files" lineno="32">
<summary>
Read smsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_lib_files" lineno="51">
<summary>
Manage smsd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smsd_manage_lib_dirs" lineno="70">
<summary>
Manage smsd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="smstools_admin" lineno="96">
<summary>
All of the rules required to
administrate an smstools environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snmp" filename="policy/modules/services/snmp.if">
<summary>Simple network management protocol services</summary>
<interface name="snmp_stream_connect" lineno="13">
<summary>
Connect to snmpd using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_tcp_connect" lineno="32">
<summary>
Use snmp over a TCP connection.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_udp_chat" lineno="46">
<summary>
Send and receive UDP traffic to SNMP  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_read_snmp_var_lib_files" lineno="60">
<summary>
Read snmpd libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_read_snmp_var_lib_dirs" lineno="81">
<summary>
Read snmpd libraries directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_dirs" lineno="100">
<summary>
Manage snmpd libraries directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_append_snmp_var_lib_files" lineno="119">
<summary>
Append snmpd libraries.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_manage_var_lib_files" lineno="139">
<summary>
Manage snmpd libraries files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_read_snmp_var_lib_files" lineno="159">
<summary>
dontaudit Read snmpd libraries.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_dontaudit_write_snmp_var_lib_files" lineno="178">
<summary>
dontaudit write snmpd libraries files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="snmp_admin" lineno="203">
<summary>
All of the rules required to administrate
an snmp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the snmp domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="snort" filename="policy/modules/services/snort.if">
<summary>Snort network intrusion detection system</summary>
<interface name="snort_domtrans" lineno="13">
<summary>
Execute a domain transition to run snort.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="snort_admin" lineno="38">
<summary>
All of the rules required to administrate
a snort environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the snort domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="soundserver" filename="policy/modules/services/soundserver.if">
<summary>sound server for network audio server programs, nasd, yiff, etc</summary>
<interface name="soundserver_tcp_connect" lineno="13">
<summary>
Connect to the sound server over a TCP socket  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="soundserver_admin" lineno="34">
<summary>
All of the rules required to administrate
a soundd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the soundd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="spamassassin" filename="policy/modules/services/spamassassin.if">
<summary>Filter used for removing unsolicited email.</summary>
<interface name="spamassassin_role" lineno="19">
<summary>
Role access for spamassassin
</summary>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</interface>
<interface name="spamassassin_exec" lineno="57">
<summary>
Execute the standalone spamassassin
program in the caller directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_signal_spamd" lineno="76">
<summary>
Signal the spam assassin daemon
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="spamassassin_exec_spamd" lineno="95">
<summary>
Execute the spamassassin daemon
program in the caller directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_client" lineno="113">
<summary>
Execute spamassassin client in the spamassassin client domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_kill_client" lineno="132">
<summary>
Send kill signal to spamassassin client
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_home_client" lineno="150">
<summary>
Manage spamc home files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_exec_client" lineno="172">
<summary>
Execute the spamassassin client
program in the caller directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_domtrans_local_client" lineno="190">
<summary>
Execute spamassassin standalone client in the user spamassassin domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_lib_files" lineno="208">
<summary>
read spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_manage_lib_files" lineno="230">
<summary>
Create, read, write, and delete
spamd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="spamassassin_read_spamd_tmp_files" lineno="249">
<summary>
Read temporary spamd file.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="spamassassin_dontaudit_getattr_spamd_tmp_sockets" lineno="269">
<summary>
Do not audit attempts to get attributes of temporary
spamd sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="spamd_stream_connect" lineno="287">
<summary>
Connect to run spamd.
</summary>
<param name="domain">
<summary>
Domain allowed to connect.
</summary>
</param>
</interface>
<interface name="spamassassin_read_pid_files" lineno="306">
<summary>
Read spamd pid file.
</summary>
<param name="domain">
<summary>
Domain allowed to connect.
</summary>
</param>
</interface>
<interface name="spamassassin_spamd_admin" lineno="332">
<summary>
All of the rules required to administrate
a spamassassin environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the spamassassin domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="spamassassin_can_network" dftval="false">
<desc>
<p>
Allow user spamassassin clients to use the network.
</p>
</desc>
</tunable>
<tunable name="spamd_enable_home_dirs" dftval="true">
<desc>
<p>
Allow spamd to read/write user home directories.
</p>
</desc>
</tunable>
</module>
<module name="speedtouch" filename="policy/modules/services/speedtouch.if">
<summary>Alcatel speedtouch USB ADSL modem</summary>
</module>
<module name="squid" filename="policy/modules/services/squid.if">
<summary>Squid caching http proxy server</summary>
<interface name="squid_domtrans" lineno="13">
<summary>
Execute squid in the squid domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="squid_exec" lineno="32">
<summary>
Execute squid
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="squid_signal" lineno="50">
<summary>
Send generic signals to squid.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_rw_stream_sockets" lineno="69">
<summary>
Allow read and write squid
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_dontaudit_search_cache" lineno="87">
<summary>
Do not audit attempts to search squid cache dirs
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="squid_read_config" lineno="106">
<summary>
Read squid configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_read_log" lineno="126">
<summary>
Read squid logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_append_log" lineno="145">
<summary>
Append squid logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_manage_logs" lineno="166">
<summary>
Create, read, write, and delete
squid logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="squid_use" lineno="185">
<summary>
Use squid services by connecting over TCP.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="squid_admin" lineno="206">
<summary>
All of the rules required to administrate
a squid environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the squid domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="squid_connect_any" dftval="false">
<desc>
<p>
Allow squid to connect to all ports, not just
HTTP, FTP, and Gopher ports.
</p>
</desc>
</tunable>
<tunable name="squid_use_tproxy" dftval="false">
<desc>
<p>
Allow squid to run as a transparent proxy (TPROXY)
</p>
</desc>
</tunable>
</module>
<module name="ssh" filename="policy/modules/services/ssh.if">
<summary>Secure shell client and server policy.</summary>
<template name="ssh_basic_client_template" lineno="34">
<summary>
Basic SSH client template.
</summary>
<desc>
<p>
This template creates derived domains which are used
for ssh client sessions.  A derived
type is also created to protect the user ssh keys.
</p>
<p>
This template was added for NX.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="user_domain">
<summary>
The type of the domain.
</summary>
</param>
<param name="user_role">
<summary>
The role associated with the user domain.
</summary>
</param>
</template>
<template name="ssh_server_template" lineno="171">
<summary>
The template to define a ssh server.
</summary>
<desc>
<p>
This template creates domains to be used for
creating a ssh server.  This is typically done
to have multiple ssh servers of different sensitivities,
such as for an internal network-facing ssh server, and
an external network-facing ssh server.
</p>
</desc>
<param name="userdomain_prefix">
<summary>
The prefix of the server domain (e.g., sshd
is the prefix for sshd_t).
</summary>
</param>
</template>
<template name="ssh_role_template" lineno="318">
<summary>
Role access for ssh
</summary>
<param name="role_prefix">
<summary>
The prefix of the role (e.g., user
is the prefix for user_r).
</summary>
</param>
<param name="role">
<summary>
Role allowed access
</summary>
</param>
<param name="domain">
<summary>
User domain for the role
</summary>
</param>
<rolecap/>
</template>
<interface name="ssh_sigchld" lineno="465">
<summary>
Send a SIGCHLD signal to the ssh server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_signal" lineno="483">
<summary>
Send a generic signal to the ssh server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_read_pipes" lineno="501">
<summary>
Read a ssh server unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_pipes" lineno="518">
<summary>
Read and write a ssh server unnamed pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_stream_sockets" lineno="536">
<summary>
Read and write ssh server unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_dgram_sockets" lineno="554">
<summary>
Read and write ssh server unix dgram sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_rw_tcp_sockets" lineno="572">
<summary>
Read and write ssh server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_rw_tcp_sockets" lineno="591">
<summary>
Do not audit attempts to read and write
ssh server TCP sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ssh_tcp_connect" lineno="609">
<summary>
Connect to SSH daemons over TCP sockets.  (Deprecated)
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_domtrans" lineno="623">
<summary>
Execute the ssh daemon in the sshd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_initrc_domtrans" lineno="642">
<summary>
Execute sshd server in the sshd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="ssh_exec" lineno="660">
<summary>
Execute the ssh client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_setattr_key_files" lineno="679">
<summary>
Set the attributes of sshd key files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_agent_exec" lineno="698">
<summary>
Execute the ssh agent client in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_read_user_home_files" lineno="717">
<summary>
Read ssh home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_domtrans_keygen" lineno="738">
<summary>
Execute the ssh key generator in the ssh keygen domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_exec_keygen" lineno="756">
<summary>
Execute the ssh key generator in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ssh_run_keygen" lineno="781">
<summary>
Execute ssh-keygen in the ssh-keygen domain, and
allow the specified role the ssh-keygen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ssh_dontaudit_read_server_keys" lineno="800">
<summary>
Do not audit attempts to read ssh server keys.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ssh_manage_user_home_files" lineno="818">
<summary>
Manage ssh home directory content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_create_user_home_files" lineno="840">
<summary>
Create Secure Shell home directory
content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_delete_tmp" lineno="862">
<summary>
Delete from the ssh temp files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_signull" lineno="881">
<summary>
Send a null signal to sshd processes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dyntransition_chroot_user" lineno="898">
<summary>
Allow domain dyntransition to chroot_user_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_getattr_user_home_dir" lineno="917">
<summary>
Getattr ssh home directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_search_user_home_dir" lineno="935">
<summary>
Dontaudit search ssh home directory
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_dontaudit_use_ptys" lineno="954">
<summary>
Do not audit attempts to read and
write the sshd pty type.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="ssh_use_ptys" lineno="972">
<summary>
Read and write inherited sshd pty type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ssh_admin_server" lineno="997">
<summary>
All of the rules required to administrate
an sshd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_ssh_keysign" dftval="false">
<desc>
<p>
Allow host key based authentication
</p>
</desc>
</tunable>
<tunable name="ssh_sysadm_login" dftval="false">
<desc>
<p>
Allow ssh logins as sysadm_r:sysadm_t
</p>
</desc>
</tunable>
<tunable name="ssh_chroot_rw_homedirs" dftval="false">
<desc>
<p>
Allow ssh with chroot env to read and write files
in the user home directories
</p>
</desc>
</tunable>
<tunable name="ssh_chroot_full_access" dftval="false">
<desc>
<p>
Allow ssh with chroot env to manage all files
</p>
</desc>
</tunable>
<tunable name="ssh_chroot_manage_apache_content" dftval="false">
<desc>
<p>
Allow ssh with chroot env to manage apache content
</p>
</desc>
</tunable>
</module>
<module name="sssd" filename="policy/modules/services/sssd.if">
<summary>System Security Services Daemon</summary>
<interface name="sssd_domtrans" lineno="13">
<summary>
Execute a domain transition to run sssd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="sssd_initrc_domtrans" lineno="31">
<summary>
Execute sssd server in the sssd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_public_files" lineno="49">
<summary>
Read sssd public files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_read_pid_files" lineno="69">
<summary>
Read sssd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_pids" lineno="88">
<summary>
Manage sssd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_search_lib" lineno="108">
<summary>
Search sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dontaudit_search_lib" lineno="127">
<summary>
Do not audit attempts to search sssd lib directories.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="sssd_read_lib_files" lineno="145">
<summary>
Read sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_manage_lib_files" lineno="166">
<summary>
Create, read, write, and delete
sssd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_dbus_chat" lineno="187">
<summary>
Send and receive messages from
sssd over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_stream_connect" lineno="207">
<summary>
Connect to sssd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="sssd_admin" lineno="233">
<summary>
All of the rules required to administrate
an sssd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the sssd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="stapserver" filename="policy/modules/services/stapserver.if">
<summary> Instrumentation System Server </summary>
<interface name="stapserver_domtrans" lineno="13">
<summary>
Execute stapserver in the stapserver domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="stapserver_read_log" lineno="32">
<summary>
Read stapserver's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="stapserver_append_log" lineno="51">
<summary>
Append to stapserver log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_manage_log" lineno="70">
<summary>
Manage stapserver log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_read_pid_files" lineno="90">
<summary>
Read stapserver PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_manage_lib" lineno="109">
<summary>
Manage stapserver lib files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="stapserver_admin" lineno="130">
<summary>
All of the rules required to administrate
an stapserver environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="stunnel" filename="policy/modules/services/stunnel.if">
<summary>SSL Tunneling Proxy</summary>
<interface name="stunnel_service_domain" lineno="18">
<summary>
Define the specified domain as a stunnel inetd service.
</summary>
<param name="domain">
<summary>
The type associated with the stunnel inetd service process.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
</module>
<module name="svnserve" filename="policy/modules/services/svnserve.if">
<summary>policy for svnserve</summary>
<interface name="svnserve_domtrans" lineno="14">
<summary>
Transition to svnserve.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="svnserve_initrc_domtrans" lineno="34">
<summary>
Execute svnserve server in the svnserve domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="svnserve_read_pid_files" lineno="52">
<summary>
Read svnserve PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="svnserve_admin" lineno="73">
<summary>
All of the rules required to administrate
an svnserve environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="swift" filename="policy/modules/services/swift.if">
<summary>policy for swift</summary>
<interface name="swift_domtrans" lineno="13">
<summary>
Execute swift in the swift domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="swift_read_pid_files" lineno="32">
<summary>
Read swift PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_manage_data_files" lineno="51">
<summary>
Manage swift data files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_manage_lock" lineno="71">
<summary>
Read and write swift lock files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="swift_filetrans_lock" lineno="90">
<summary>
Transition content labels to swift named content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="swift_can_network" dftval="false">
<desc>
<p>
Determine whether swift can
connect to all TCP ports
</p>
</desc>
</tunable>
</module>
<module name="sysstat" filename="policy/modules/services/sysstat.if">
<summary>Policy for sysstat. Reports on various system states</summary>
<interface name="sysstat_manage_log" lineno="14">
<summary>
Manage sysstat logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tcpd" filename="policy/modules/services/tcpd.if">
<summary>Policy for TCP daemon.</summary>
<interface name="tcpd_domtrans" lineno="13">
<summary>
Execute tcpd in the tcpd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="tcpd_wrapped_domain" lineno="37">
<summary>
Create a domain for services that
utilize tcp wrappers.
</summary>
<param name="domain">
<summary>
Type to be used as a domain.
</summary>
</param>
<param name="entry_point">
<summary>
Type of the program to be used as an entry point to this domain.
</summary>
</param>
</interface>
</module>
<module name="telnet" filename="policy/modules/services/telnet.if">
<summary>Telnet daemon</summary>
</module>
<module name="tftp" filename="policy/modules/services/tftp.if">
<summary>Trivial file transfer protocol daemon</summary>
<interface name="tftp_read_content" lineno="13">
<summary>
Read tftp content
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_search_rw_content" lineno="36">
<summary>
Search tftp /var/lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_list_rw_content" lineno="55">
<summary>
List tftp /var/lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_manage_rw_content" lineno="74">
<summary>
Manage tftp /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tftp_filetrans_tftpdir" lineno="105">
<summary>
Create objects in tftpdir directories
with specified types.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="file_type">
<summary>
Private file type.
</summary>
</param>
<param name="object_class">
<summary>
Class of the object being created.
</summary>
</param>
</interface>
<interface name="tftp_admin" lineno="126">
<summary>
All of the rules required to administrate
an tftp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tftp_anon_write" dftval="false">
<desc>
<p>
Allow tftp to modify public files
used for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="tftp_use_nfs" dftval="false">
<desc>
<p>
Allow tftp to read from a NFS store
for public file transfer services.
</p>
</desc>
</tunable>
<tunable name="tftp_use_cifs" dftval="false">
<desc>
<p>
Allow tftp to read from a CIFS store
for public file transfer services.
</p>
</desc>
</tunable>
</module>
<module name="tgtd" filename="policy/modules/services/tgtd.if">
<summary>Linux Target Framework Daemon.</summary>
<desc>
<p>
Linux target framework (tgt) aims to simplify various
SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
and maintenance. Our key goals are the clean integration into
the scsi-mid layer and implementing a great portion of tgt
in user space.
</p>
</desc>
<interface name="tgtd_rw_semaphores" lineno="22">
<summary>
Allow read and write access to tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_manage_semaphores" lineno="40">
<summary>
Manage tgtd semaphores.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tgtd_stream_connect" lineno="58">
<summary>
Connect to tgtd using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="timidity" filename="policy/modules/services/timidity.if">
<summary>MIDI to WAV converter and player configured as a service</summary>
</module>
<module name="tomcat" filename="policy/modules/services/tomcat.if">
<summary>policy for tomcat</summary>
<template name="tomcat_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
tomcat daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="tomcat_domtrans" lineno="85">
<summary>
Transition to tomcat.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tomcat_search_cache" lineno="104">
<summary>
Search tomcat cache directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_cache_files" lineno="123">
<summary>
Read tomcat cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_cache_files" lineno="143">
<summary>
Create, read, write, and delete
tomcat cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_cache_dirs" lineno="162">
<summary>
Manage tomcat cache dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_log" lineno="182">
<summary>
Read tomcat's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="tomcat_append_log" lineno="201">
<summary>
Append to tomcat log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_log" lineno="220">
<summary>
Manage tomcat log files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_search_lib" lineno="241">
<summary>
Search tomcat lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_lib_files" lineno="260">
<summary>
Read tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_lib_files" lineno="279">
<summary>
Manage tomcat lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_manage_lib_dirs" lineno="298">
<summary>
Manage tomcat lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_read_pid_files" lineno="317">
<summary>
Read tomcat PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tomcat_admin" lineno="338">
<summary>
All of the rules required to administrate
an tomcat environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="tor" filename="policy/modules/services/tor.if">
<summary>TOR, the onion router</summary>
<interface name="tor_domtrans" lineno="13">
<summary>
Execute a domain transition to run TOR.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tor_admin" lineno="38">
<summary>
All of the rules required to administrate
an tor environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the tor domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="tor_bind_all_unreserved_ports" dftval="false">
<desc>
<p>
Allow tor daemon to bind
tcp sockets to all unreserved ports.
</p>
</desc>
</tunable>
</module>
<module name="transproxy" filename="policy/modules/services/transproxy.if">
<summary>HTTP transparent proxy</summary>
</module>
<module name="tuned" filename="policy/modules/services/tuned.if">
<summary>Dynamic adaptive system tuning daemon</summary>
<interface name="tuned_domtrans" lineno="13">
<summary>
Execute a domain transition to run tuned.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="tuned_exec" lineno="31">
<summary>
Execute tuned in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_read_pid_files" lineno="50">
<summary>
Read tuned PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_manage_pid_files" lineno="69">
<summary>
Manage tuned PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="tuned_initrc_domtrans" lineno="88">
<summary>
Execute tuned server in the tuned domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="tuned_admin" lineno="113">
<summary>
All of the rules required to administrate
an tuned environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="ucspitcp" filename="policy/modules/services/ucspitcp.if">
<summary>ucspitcp policy</summary>
<desc>
<p>
Policy for DJB's ucspi-tcpd
</p>
</desc>
<interface name="ucspitcp_service_domain" lineno="23">
<summary>
Define a specified domain as a ucspitcp service.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="entrypoint">
<summary>
The type associated with the process program.
</summary>
</param>
</interface>
</module>
<module name="ulogd" filename="policy/modules/services/ulogd.if">
<summary>Iptables/netfilter userspace logging daemon.</summary>
<interface name="ulogd_domtrans" lineno="13">
<summary>
Execute a domain transition to run ulogd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="ulogd_read_config" lineno="33">
<summary>
Allow the specified domain to read
ulogd configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_read_log" lineno="53">
<summary>
Allow the specified domain to read ulogd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_search_log" lineno="73">
<summary>
Allow the specified domain to search ulogd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="ulogd_append_log" lineno="93">
<summary>
Allow the specified domain to append to ulogd's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="ulogd_admin" lineno="120">
<summary>
All of the rules required to administrate
an ulogd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the ulogd domain.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uptime" filename="policy/modules/services/uptime.if">
<summary>Uptime daemon</summary>
</module>
<module name="usbmuxd" filename="policy/modules/services/usbmuxd.if">
<summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone</summary>
<interface name="usbmuxd_domtrans" lineno="13">
<summary>
Execute a domain transition to run usbmuxd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="usbmuxd_stream_connect" lineno="32">
<summary>
Connect to usbmuxd over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="uucp" filename="policy/modules/services/uucp.if">
<summary>Unix to Unix Copy</summary>
<interface name="uucp_domtrans" lineno="14">
<summary>
Execute the uucico program in the
uucpd_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uucp_append_log" lineno="33">
<summary>
Allow the specified domain to append
to uucp log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_manage_spool" lineno="53">
<summary>
Create, read, write, and delete uucp spool files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_domtrans_uux" lineno="75">
<summary>
Execute the master uux program in the
uux_t domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uucp_admin" lineno="95">
<summary>
All of the rules required to administrate
an uucp environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uuidd" filename="policy/modules/services/uuidd.if">
<summary>policy for uuidd</summary>
<interface name="uuidd_domtrans" lineno="13">
<summary>
Transition to uuidd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="uuidd_initrc_domtrans" lineno="32">
<summary>
Execute uuidd server in the uuidd domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_search_lib" lineno="50">
<summary>
Search uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_lib_files" lineno="69">
<summary>
Read uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_files" lineno="88">
<summary>
Manage uuidd lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_manage_lib_dirs" lineno="107">
<summary>
Manage uuidd lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_read_pid_files" lineno="127">
<summary>
Read uuidd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_stream_connect_manager" lineno="146">
<summary>
Connect to uuidd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="uuidd_admin" lineno="172">
<summary>
All of the rules required to administrate
an uuidd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="uwimap" filename="policy/modules/services/uwimap.if">
<summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary>
<interface name="uwimap_domtrans" lineno="13">
<summary>
Execute the UW IMAP/POP3 servers with a domain transition.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="varnishd" filename="policy/modules/services/varnishd.if">
<summary>Varnishd http accelerator daemon</summary>
<interface name="varnishd_domtrans" lineno="13">
<summary>
Execute varnishd in the varnishd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="varnishd_exec" lineno="32">
<summary>
Execute varnishd
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="varnishd_read_config" lineno="50">
<summary>
Read varnishd configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_lib_files" lineno="69">
<summary>
Read varnish lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_read_log" lineno="88">
<summary>
Read varnish logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_append_log" lineno="107">
<summary>
Append varnish logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_manage_log" lineno="126">
<summary>
Manage varnish logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="varnishd_admin_varnishlog" lineno="152">
<summary>
All of the rules required to administrate
an varnishlog environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the varnishlog domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="varnishd_admin" lineno="192">
<summary>
All of the rules required to administrate
an varnishd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the varnishd domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="varnishd_connect_any" dftval="false">
<desc>
<p>
Allow varnishd to connect to all ports,
not just HTTP.
</p>
</desc>
</tunable>
</module>
<module name="vdagent" filename="policy/modules/services/vdagent.if">
<summary>policy for vdagent</summary>
<interface name="vdagent_getattr_exec" lineno="13">
<summary>
Getattr on vdagent executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_domtrans" lineno="31">
<summary>
Execute a domain transition to run vdagent.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vdagent_getattr_log" lineno="49">
<summary>
Get the attributes of vdagent logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_read_pid_files" lineno="68">
<summary>
Read vdagent PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_stream_connect" lineno="88">
<summary>
Connect to vdagent over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vdagent_admin" lineno="108">
<summary>
All of the rules required to administrate
an vdagent environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="vhostmd" filename="policy/modules/services/vhostmd.if">
<summary>Virtual host metrics daemon</summary>
<interface name="vhostmd_domtrans" lineno="13">
<summary>
Execute a domain transition to run vhostmd.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="vhostmd_initrc_domtrans" lineno="31">
<summary>
Execute vhostmd server in the vhostmd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="vhostmd_read_tmpfs_files" lineno="49">
<summary>
Allow domain to read vhostmd tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_read_tmpfs_files" lineno="69">
<summary>
Do not audit attempts to read
vhostmd tmpfs files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="vhostmd_rw_tmpfs_files" lineno="87">
<summary>
Allow domain to read and write vhostmd tmpfs files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_tmpfs_files" lineno="106">
<summary>
Create, read, write, and delete vhostmd tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_read_pid_files" lineno="125">
<summary>
Read vhostmd PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_manage_pid_files" lineno="144">
<summary>
Manage vhostmd var_run files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_stream_connect" lineno="163">
<summary>
Connect to vhostmd over an unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_dontaudit_rw_stream_connect" lineno="183">
<summary>
Dontaudit read and write to vhostmd
over an unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="vhostmd_admin" lineno="208">
<summary>
All of the rules required to administrate
an vhostmd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
<module name="virt" filename="policy/modules/services/virt.if">
<summary>Libvirt virtualization API</summary>
<template name="virt_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
qemu process domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="virt_image" lineno="78">
<summary>
Make the specified type usable as a virt image
</summary>
<param name="type">
<summary>
Type to be used as a virtual image
</summary>
</param>
</interface>
<interface name="virt_getattr_exec" lineno="100">
<summary>
Getattr on virt executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_domtrans" lineno="118">
<summary>
Execute a domain transition to run virt.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_run" lineno="141">
<summary>
Execute a domain transition to run virt.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
Role allowed to access.
</summary>
</param>
</interface>
<interface name="virt_domtrans_bridgehelper" lineno="163">
<summary>
Transition to virt_bridgehelper.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_stream_connect" lineno="181">
<summary>
Connect to virt over an unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_attach_tun_iface" lineno="200">
<summary>
Allow domain to attach to virt TUN devices
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_config" lineno="219">
<summary>
Read virt config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_config" lineno="241">
<summary>
Manage virt config files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_search_content" lineno="263">
<summary>
Allow domain to search virt image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_search_images" lineno="283">
<summary>
Allow domain to search virt image directories
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_content" lineno="302">
<summary>
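Allow domain to manage virt image files
<!-- NOTE(review): the interface is named virt_read_content, but this summary says "manage" and the parameter text below says "Domain to not audit". The generated description does not reliably state the access level; read the rules at lineno 302 of the module's .if file before granting this interface. -->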
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_write_content" lineno="337">
<summary>
Allow domain to write virt image files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_read_pid_files" lineno="355">
<summary>
Read virt PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_pid_symlinks" lineno="374">
<summary>
Read virt PID lnk files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_pid_files" lineno="393">
<summary>
Manage virt pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_search_lib" lineno="412">
<summary>
Search virt lib directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_lib_files" lineno="431">
<summary>
Read virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_dontaudit_read_lib_files" lineno="451">
<summary>
Dontaudit inherited read virt lib files.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_manage_lib_files" lineno="470">
<summary>
Create, read, write, and delete
virt lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_log" lineno="490">
<summary>
Allow the specified domain to read virt's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_append_log" lineno="510">
<summary>
Allow the specified domain to append
virt log files.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="virt_manage_log" lineno="529">
<summary>
Allow domain to manage virt log files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_read_blk_images" lineno="549">
<summary>
Allow domain to read virt blk image files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_getattr_images" lineno="567">
<summary>
Allow domain to read virt image files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_read_images" lineno="587">
<summary>
Allow domain to read virt image files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_manage_cache" lineno="625">
<summary>
Create, read, write, and delete
svirt cache files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_images" lineno="646">
<summary>
Allow domain to manage virt image files
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="virt_admin" lineno="690">
<summary>
All of the rules required to administrate
a virt environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_transition_svirt" lineno="733">
<summary>
Execute qemu in the svirt domain, and
allow the specified role the svirt domain.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the svirt domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="virt_dontaudit_write_pipes" lineno="759">
<summary>
Do not audit attempts to write virt daemon unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_kill_svirt" lineno="776">
<summary>
Send a sigkill to virtual machines
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_kill" lineno="794">
<summary>
Send a sigkill to virtd daemon
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_signal_svirt" lineno="812">
<summary>
Send a signal to virtual machines
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_read_tmp_files" lineno="831">
<summary>
Allow domain to read
virt tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="virt_dontaudit_write_tmp_files" lineno="851">
<summary>
dontaudit domain to write
virt tmp files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="virt_write_tmp_sock" lineno="870">
<summary>
Allow domain to write
virt tmp sock files
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
</interface>
<interface name="virt_exec_sandbox_files" lineno="888">
<summary>
Execute Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_manage_sandbox_files" lineno="906">
<summary>
Manage Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_relabel_sandbox_filesystem" lineno="928">
<summary>
Relabel Sandbox File systems
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_mounton_sandbox_file" lineno="946">
<summary>
Mounton Sandbox Files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="virt_stream_connect_sandbox" lineno="964">
<summary>
Connect to virt over a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<tunable name="virt_use_comm" dftval="false">
<desc>
<p>
Allow virt to use serial/parallel communication ports
</p>
</desc>
</tunable>
<tunable name="virt_use_fusefs" dftval="false">
<desc>
<p>
Allow virt to read fuse files
</p>
</desc>
</tunable>
<tunable name="virt_use_nfs" dftval="false">
<desc>
<p>
Allow virt to manage nfs files
</p>
</desc>
</tunable>
<tunable name="virt_use_samba" dftval="false">
<desc>
<p>
Allow virt to manage cifs files
</p>
</desc>
</tunable>
<tunable name="virt_use_sysfs" dftval="false">
<desc>
<p>
Allow virt to manage device configuration, (pci)
</p>
</desc>
</tunable>
<tunable name="virt_use_sanlock" dftval="false">
<desc>
<p>
Allow confined virtual guests to interact with the sanlock
</p>
</desc>
</tunable>
<tunable name="virt_use_xserver" dftval="false">
<desc>
<p>
Allow virtual machine to interact with the xserver
</p>
</desc>
</tunable>
<tunable name="virt_use_usb" dftval="true">
<desc>
<p>
Allow virt to use usb devices
</p>
</desc>
</tunable>
<tunable name="virt_use_execmem" dftval="false">
<desc>
<p>
Allow confined virtual guests to use executable memory and executable stack
</p>
</desc>
</tunable>
</module>
<module name="w3c" filename="policy/modules/services/w3c.if">
<summary>W3C Markup Validator</summary>
</module>
<module name="watchdog" filename="policy/modules/services/watchdog.if">
<summary>Software watchdog</summary>
</module>
<module name="wdmd" filename="policy/modules/services/wdmd.if">
<summary>policy for wdmd</summary>
<interface name="wdmd_domtrans" lineno="14">
<summary>
Execute a domain transition to run wdmd.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_initrc_domtrans" lineno="33">
<summary>
Execute wdmd server in the wdmd domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
</interface>
<interface name="wdmd_admin" lineno="58">
<summary>
All of the rules required to administrate
an wdmd environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="wdmd_stream_connect" lineno="84">
<summary>
Connect to wdmd over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_rw_tmpfs" lineno="102">
<summary>
Allow the specified domain to read/write wdmd's tmpfs files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="wdmd_manage_tmpfs" lineno="120">
<summary>
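Allow the specified domain to read/write wdmd's tmpfs files.
<!-- NOTE(review): this summary is identical to the one for wdmd_rw_tmpfs, while the interface name is wdmd_manage_tmpfs. A "manage" interface presumably also covers create and delete; confirm against the rules at lineno 120 before treating the two as equivalent. -->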
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="xfs" filename="policy/modules/services/xfs.if">
<summary>X Windows Font Server</summary>
<interface name="xfs_read_sockets" lineno="13">
<summary>
Read a X font server named socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_stream_connect" lineno="33">
<summary>
Connect to a X font server over
a unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xfs_exec" lineno="53">
<summary>
Allow the specified domain to execute xfs
in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="xprint" filename="policy/modules/services/xprint.if">
<summary>X print server</summary>
</module>
<module name="xserver" filename="policy/modules/services/xserver.if">
<summary>X Windows Server</summary>
<interface name="xserver_restricted_role" lineno="19">
<summary>
Rules required for using the X Windows server
and environment, for restricted users.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_role" lineno="156">
<summary>
Rules required for using the X Windows server
and environment.
</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_ro_session" lineno="209">
<summary>
Create sessions on the X server, with read-only
access to the X server shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</interface>
<interface name="xserver_rw_session" lineno="249">
<summary>
Create sessions on the X server, with read and write
access to the X server shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</interface>
<interface name="xserver_non_drawing_client" lineno="269">
<summary>
Create non-drawing client sessions on an X server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_user_client" lineno="306">
<summary>
Create full client sessions
on a user X server.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</interface>
<template name="xserver_common_x_domain_template" lineno="367">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Provides the minimal set required by a basic
X client application.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Client domain allowed access.
</summary>
</param>
</template>
<template name="xserver_object_types_template" lineno="442">
<summary>
Template for creating the set of types used
in an X windows domain.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
</template>
<template name="xserver_user_x_domain_template" lineno="484">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Provides the minimal set required by a basic
X client application.
</summary>
<param name="prefix">
<summary>
The prefix of the X client domain (e.g., user
is the prefix for user_t).
</summary>
</param>
<param name="domain">
<summary>
Client domain allowed access.
</summary>
</param>
<param name="tmpfs_type">
<summary>
The type of the domain SYSV tmpfs files.
</summary>
</param>
</template>
<interface name="xserver_use_user_fonts" lineno="553">
<summary>
Read user fonts, user font configuration,
and manage the user font cache.
</summary>
<desc>
<p>
Read user fonts, user font configuration,
and manage the user font cache.
</p>
<p>
This is a templated interface, and should only
be called from a per-userdomain template.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_domtrans_xauth" lineno="583">
<summary>
Transition to the Xauthority domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_exec_xauth" lineno="604">
<summary>
Allow exec of Xauthority program.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_exec_xauth" lineno="622">
<summary>
Dontaudit exec of Xauthority program.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_user_home_dir_filetrans_user_xauth" lineno="640">
<summary>
Create a Xauthority file in the user home directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_use_all_users_fonts" lineno="659">
<summary>
Read all users fonts, user font configurations,
and manage all users font caches.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_user_xauth" lineno="674">
<summary>
Read all users .Xauthority.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_setattr_console_pipes" lineno="694">
<summary>
Set the attributes of the X windows console named pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_rw_console" lineno="712">
<summary>
Read and write the X windows console named pipe.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_use_xdm_fds" lineno="730">
<summary>
Use file descriptors for xdm.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_use_xdm_fds" lineno="749">
<summary>
Do not audit attempts to inherit
XDM file descriptors.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_rw_xdm_pipes" lineno="767">
<summary>
Read and write XDM unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_xdm_pipes" lineno="786">
<summary>
Do not audit attempts to read and write
XDM unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_stream_connect_xdm" lineno="806">
<summary>
Connect to XDM over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_rw_config" lineno="827">
<summary>
Read xdm-writable configuration files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_setattr_xdm_tmp_dirs" lineno="846">
<summary>
Set the attributes of XDM temporary directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_create_xdm_tmp_sockets" lineno="865">
<summary>
Create a named socket in a XDM
temporary directory.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_pid" lineno="885">
<summary>
Read XDM pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_read_xdm_pid" lineno="904">
<summary>
Dontaudit Read XDM pid files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_lib_files" lineno="923">
<summary>
Read XDM var lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_xsession_entry_type" lineno="941">
<summary>
Make an X session script an entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which the shell is an entrypoint.
</summary>
</param>
</interface>
<interface name="xserver_xsession_spec_domtrans" lineno="978">
<summary>
Execute an X session in the target domain.  This
is an explicit transition, requiring the
caller to use setexeccon().
</summary>
<desc>
<p>
Execute an Xsession in the target domain.  This
is an explicit transition, requiring the
caller to use setexeccon().
</p>
<p>
No interprocess communication (signals, pipes,
etc.) is provided by this interface since
the domains are not owned by this module.
</p>
</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="target_domain">
<summary>
The type of the shell process.
</summary>
</param>
</interface>
<interface name="xserver_getattr_log" lineno="996">
<summary>
Get the attributes of X server logs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_write_log" lineno="1016">
<summary>
Do not audit attempts to write the X server
log files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_delete_log" lineno="1035">
<summary>
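Do not audit attempts to write the X server
log files.
<!-- NOTE(review): this text repeats the summary of xserver_dontaudit_write_log, but the interface is named xserver_delete_log and the name suggests it grants deletion of X server log files rather than suppressing audit messages. Verify the rules at lineno 1035 before use; log deletion is relevant to audit-trail integrity. -->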
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_read_xkb_libs" lineno="1056">
<summary>
Read X keyboard extension libraries.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_etc_files" lineno="1077">
<summary>
Read xdm config files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_manage_xdm_etc_files" lineno="1096">
<summary>
Manage xdm config files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_read_xdm_tmp_files" lineno="1115">
<summary>
Read xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_read_xdm_tmp_files" lineno="1134">
<summary>
Do not audit attempts to read xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_rw_xdm_tmp_files" lineno="1153">
<summary>
Read write xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_manage_xdm_tmp_files" lineno="1172">
<summary>
Create, read, write, and delete xdm temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_getattr_xdm_tmp_sockets" lineno="1190">
<summary>
dontaudit getattr xdm temporary named sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_domtrans" lineno="1208">
<summary>
Execute the X server in the X server domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_signal" lineno="1227">
<summary>
Signal X servers
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_kill" lineno="1245">
<summary>
Kill X servers
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_rw_shm" lineno="1264">
<summary>
Read and write X server Sys V Shared
memory segments.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_tcp_sockets" lineno="1283">
<summary>
Do not audit attempts to read and write to
X server sockets.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_rw_stream_sockets" lineno="1302">
<summary>
Do not audit attempts to read and write X server
unix domain stream sockets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_stream_connect" lineno="1321">
<summary>
Connect to the X server over a unix domain
stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_stream_connect" lineno="1341">
<summary>
Dontaudit attempts to connect to xserver
over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
</interface>
<interface name="xserver_read_tmp_files" lineno="1359">
<summary>
Read X server temporary files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_manage_core_devices" lineno="1380">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Gives the domain permission to read the
virtual core keyboard and virtual core pointer devices.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_unconfined" lineno="1414">
<summary>
Interface to provide X object permissions on a given X server to
an X client domain.  Gives the domain complete control over the
display.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dontaudit_append_xdm_home_files" lineno="1434">
<summary>
Dontaudit append to .xsession-errors file
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_append_xdm_home_files" lineno="1462">
<summary>
append to .xsession-errors file
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<interface name="xserver_xdm_manage_spool" lineno="1490">
<summary>
Manage the xdm_spool files
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_dbus_chat_xdm" lineno="1510">
<summary>
Send and receive messages from
xdm over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_read_pid" lineno="1530">
<summary>
Read xserver files created in /var/run
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_exec_pid" lineno="1549">
<summary>
Execute xserver files created in /var/run
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_write_pid" lineno="1568">
<summary>
Write xserver files created in /var/run
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_xdm_append_log" lineno="1588">
<summary>
Allow append the xdm
log files.
</summary>
<param name="domain">
<summary>
Domain to not audit
</summary>
</param>
</interface>
<template name="xserver_read_user_iceauth" lineno="1608">
<summary>
Read a user Iceauthority domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</template>
<interface name="xserver_rw_inherited_user_fonts" lineno="1627">
<summary>
Read user homedir fonts.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_search_xdm_lib" lineno="1649">
<summary>
Search XDM var lib dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="xserver_entry_type" lineno="1668">
<summary>
Make an X executable an entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
The domain for which the shell is an entrypoint.
</summary>
</param>
</interface>
<interface name="xserver_run" lineno="1693">
<summary>
Execute xserver in the xserver domain, and
allow the specified role the xserver domain.
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the xserver domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="xserver_run_xauth" lineno="1719">
<summary>
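Execute xserver in the xserver domain, and
allow the specified role the xserver domain.
<!-- NOTE(review): this summary and the role description below repeat the text of xserver_run, but the interface is named xserver_run_xauth, which suggests the xauth domain is the one involved. Confirm the target domain at lineno 1719 before assigning it to a role. -->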
</summary>
<param name="domain">
<summary>
The type of the process performing this action.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the xserver domain.
</summary>
</param>
<rolecap/>
</interface>
<interface name="xserver_manage_home_fonts" lineno="1738">
<summary>
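Read user homedir fonts.
<!-- NOTE(review): the interface is named xserver_manage_home_fonts, so the access it grants is presumably broader than the read access described here. Check the rules at lineno 1738 before granting it on the strength of this summary. -->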
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_write_xshm" dftval="false">
<desc>
<p>
Allows clients to write to the X server shared
memory segments.
</p>
</desc>
</tunable>
<tunable name="allow_xserver_execmem" dftval="false">
<desc>
<p>
Allows XServer to execute writable memory
</p>
</desc>
</tunable>
<tunable name="xdm_exec_bootloader" dftval="false">
<desc>
<p>
Allows xdm to execute bootloader
</p>
</desc>
</tunable>
<tunable name="xdm_sysadm_login" dftval="false">
<desc>
<p>
Allow xdm logins as sysadm
</p>
</desc>
</tunable>
<tunable name="xserver_object_manager" dftval="false">
<desc>
<p>
Support X userspace object manager
</p>
</desc>
</tunable>
<tunable name="user_direct_dri" dftval="false">
<desc>
<p>
Allow regular users direct dri device access
</p>
</desc>
</tunable>
</module>
<module name="zabbix" filename="policy/modules/services/zabbix.if">
<summary>Distributed infrastructure monitoring</summary>
<interface name="zabbix_domtrans" lineno="13">
<summary>
Execute a domain transition to run zabbix.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zabbix_tcp_connect" lineno="31">
<summary>
Allow connectivity to the zabbix server
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_log" lineno="53">
<summary>
Allow the specified domain to read zabbix's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zabbix_append_log" lineno="73">
<summary>
Allow the specified domain to append
zabbix log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_pid_files" lineno="92">
<summary>
Read zabbix PID files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_read_inherited_tmp_files" lineno="112">
<summary>
Allow the specified domain to read zabbix's log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zabbix_rw_tcp_socket" lineno="130">
<summary>
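Read zabbix PID files.
<!-- NOTE(review): this repeats the summary of zabbix_read_pid_files, but the interface is named zabbix_rw_tcp_socket, which suggests read/write access to a zabbix TCP socket. Confirm the rules at lineno 130 before use. -->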
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_agent_tcp_connect" lineno="147">
<summary>
Allow connectivity to a zabbix agent
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zabbix_admin" lineno="175">
<summary>
All of the rules required to administrate
an zabbix environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the zabbix domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="zabbix_can_network" dftval="false">
<desc>
<p>
Determine whether zabbix can
connect to all TCP ports
</p>
</desc>
</tunable>
</module>
<module name="zarafa" filename="policy/modules/services/zarafa.if">
<summary>Zarafa collaboration platform.</summary>
<template name="zarafa_domain_template" lineno="14">
<summary>
Creates types and rules for a basic
zarafa init daemon domain.
</summary>
<param name="prefix">
<summary>
Prefix for the domain.
</summary>
</param>
</template>
<interface name="zarafa_search_config" lineno="58">
<summary>
Allow the specified domain to search
zarafa configuration dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_deliver" lineno="77">
<summary>
Execute a domain transition to run zarafa_deliver.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_read_deliver_exec" lineno="95">
<summary>
Read zarafa_deliver executable.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_domtrans_server" lineno="112">
<summary>
Execute a domain transition to run zarafa_server.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zarafa_stream_connect_server" lineno="130">
<summary>
Connect to zarafa-server unix domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_manage_lib_files" lineno="150">
<summary>
Allow the specified domain to manage
zarafa /var/lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zarafa_read_lib_files" lineno="172">
<summary>
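Allow the specified domain to manage
zarafa /var/lib files.
<!-- NOTE(review): this summary is identical to the one for zarafa_manage_lib_files, while the interface name is zarafa_read_lib_files. The description appears to overstate the access; confirm against the rules at lineno 172. -->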
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
<module name="zebra" filename="policy/modules/services/zebra.if">
<summary>Zebra border gateway protocol network routing service</summary>
<interface name="zebra_read_config" lineno="14">
<summary>
Read the configuration files for zebra.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
<interface name="zebra_stream_connect" lineno="35">
<summary>
Connect to zebra over an unix stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
<interface name="zebra_admin" lineno="61">
<summary>
All of the rules required to administrate
an zebra environment
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<param name="role">
<summary>
The role to be allowed to manage the zebra domain.
</summary>
</param>
<rolecap/>
</interface>
<tunable name="allow_zebra_write_config" dftval="false">
<desc>
<p>
Allow zebra daemon to write its configuration files
</p>
</desc>
</tunable>
</module>
<module name="zosremote" filename="policy/modules/services/zosremote.if">
<summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
<interface name="zosremote_domtrans" lineno="13">
<summary>
Execute a domain transition to run audispd-zos-remote.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
</interface>
<interface name="zosremote_run" lineno="38">
<summary>
Allow specified type and role to transition and
run in the zos_remote_t domain. Allow specified type
to use zos_remote_t terminal.
</summary>
<param name="domain">
<summary>
Domain allowed access
</summary>
</param>
<param name="role">
<summary>
The role to be allowed the zos_remote domain.
</summary>
</param>
</interface>
</module>
y~or5J={Eeu磝QkᯘG{?+]ן?wM3X^歌>{7پK>on\jyR g/=fOroNVv~Y+NGuÝHWyw[eQʨSb>>}Gmx[o[<{Ϯ_qF vMIENDB`