authorJason Zaman <jason@perfinion.com>2019-03-25 18:04:21 +0800
committerJason Zaman <jason@perfinion.com>2019-03-25 18:05:25 +0800
commit75bbb83d6fac7a81ec39a73355521cc9ee7c856d (patch)
tree7de5e2f43fba862eccae385226d12b117ebf7047
parentcorenetwork: regenerate for query scripts (diff)
Update generated policy and doc filesHEAD2.20190201-r1master
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r--doc/global_tunables.xml8
-rw-r--r--doc/policy.xml69480
-rw-r--r--policy/booleans.conf1787
-rw-r--r--policy/modules.conf2720
4 files changed, 53924 insertions, 20071 deletions
diff --git a/doc/global_tunables.xml b/doc/global_tunables.xml
index c026deaf..9049a3cd 100644
--- a/doc/global_tunables.xml
+++ b/doc/global_tunables.xml
@@ -106,3 +106,11 @@ and may change other protocols.
</p>
</desc>
</tunable>
+<tunable name="user_udp_server" dftval="false">
+<desc>
+<p>
+Allow users to run UDP servers (bind to ports and accept connection from
+the same domain and outside users)
+</p>
+</desc>
+</tunable>
diff --git a/doc/policy.xml b/doc/policy.xml
index de5f201b..ad2a05a0 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -5,11 +5,12 @@
<summary>
Policy modules for administrative functions, such as package management.
</summary>
-<module name="bootloader" filename="policy/modules/admin/bootloader.if">
-<summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
-<interface name="bootloader_domtrans" lineno="13">
+<module name="acct" filename="policy/modules/admin/acct.if">
+<summary>Berkeley process accounting.</summary>
+<interface name="acct_domtrans" lineno="14">
<summary>
-Execute bootloader in the bootloader domain.
+Transition to the accounting
+management domain.
</summary>
<param name="domain">
<summary>
@@ -17,26 +18,21 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bootloader_run" lineno="39">
+<interface name="acct_exec" lineno="34">
<summary>
-Execute bootloader interactively and do
-a domain transition to the bootloader domain.
+Execute accounting management tools
+in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="bootloader_read_config" lineno="58">
+<interface name="acct_exec_data" lineno="54">
<summary>
-Read the bootloader configuration file.
+Execute accounting management data
+in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -44,48 +40,40 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bootloader_rw_config" lineno="78">
+<interface name="acct_manage_data" lineno="74">
<summary>
-Read and write the bootloader
-configuration file.
+Create, read, write, and delete
+process accounting data.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="bootloader_rw_tmp_files" lineno="97">
+<interface name="acct_admin" lineno="101">
<summary>
-Read and write the bootloader
-temporary data in /tmp.
+All of the rules required to
+administrate an acct environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="bootloader_create_runtime_file" lineno="117">
-<summary>
-Read and write the bootloader
-temporary data in /tmp.
-</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
</module>
-<module name="consoletype" filename="policy/modules/admin/consoletype.if">
-<summary>
-Determine of the console connected to the controlling terminal.
-</summary>
-<interface name="consoletype_domtrans" lineno="15">
+<module name="aide" filename="policy/modules/admin/aide.if">
+<summary>Aide filesystem integrity checker.</summary>
+<interface name="aide_domtrans" lineno="13">
<summary>
-Execute consoletype in the consoletype domain.
+Execute aide in the aide domain.
</summary>
<param name="domain">
<summary>
@@ -93,10 +81,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="consoletype_run" lineno="44">
+<interface name="aide_run" lineno="39">
<summary>
-Execute consoletype in the consoletype domain, and
-allow the specified role the consoletype domain.
+Execute aide programs in the AIDE
+domain and allow the specified role
+the AIDE domain.
</summary>
<param name="domain">
<summary>
@@ -109,47 +98,38 @@ Role allowed access.
</summary>
</param>
</interface>
-<interface name="consoletype_exec" lineno="64">
+<interface name="aide_admin" lineno="65">
<summary>
-Execute consoletype in the caller domain.
+All of the rules required to
+administrate an aide environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
-</interface>
-</module>
-<module name="dmesg" filename="policy/modules/admin/dmesg.if">
-<summary>Policy for dmesg.</summary>
-<interface name="dmesg_domtrans" lineno="13">
-<summary>
-Execute dmesg in the dmesg domain.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="dmesg_exec" lineno="33">
-<summary>
-Execute dmesg in the caller domain.
-</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
+<tunable name="aide_mmap_files" dftval="false">
+<desc>
+<p>
+Control if AIDE can mmap files.
+AIDE can be compiled with the option 'with-mmap' in which case it will
+attempt to mmap files while running.
+</p>
+</desc>
+</tunable>
</module>
-<module name="netutils" filename="policy/modules/admin/netutils.if">
-<summary>Network analysis utilities</summary>
-<interface name="netutils_domtrans" lineno="13">
+<module name="alsa" filename="policy/modules/admin/alsa.if">
+<summary>Advanced Linux Sound Architecture utilities.</summary>
+<interface name="alsa_domtrans" lineno="13">
<summary>
-Execute network utilities in the netutils domain.
+Execute a domain transition to run Alsa.
</summary>
<param name="domain">
<summary>
@@ -157,10 +137,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="netutils_run" lineno="39">
+<interface name="alsa_run" lineno="39">
<summary>
-Execute network utilities in the netutils domain, and
-allow the specified role the netutils domain.
+Execute a domain transition to run
+Alsa, and allow the specified role
+the Alsa domain.
</summary>
<param name="domain">
<summary>
@@ -172,11 +153,10 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="netutils_exec" lineno="58">
+<interface name="alsa_rw_semaphores" lineno="58">
<summary>
-Execute network utilities in the caller domain.
+Read and write Alsa semaphores.
</summary>
<param name="domain">
<summary>
@@ -184,9 +164,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_signal" lineno="77">
+<interface name="alsa_rw_shared_mem" lineno="76">
<summary>
-Send generic signals to network utilities.
+Read and write Alsa shared memory.
</summary>
<param name="domain">
<summary>
@@ -194,19 +174,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_domtrans_ping" lineno="95">
+<interface name="alsa_read_config" lineno="94">
<summary>
-Execute ping in the ping domain.
+Read Alsa configuration content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_kill_ping" lineno="114">
+<interface name="alsa_manage_config" lineno="115">
<summary>
-Send a kill (SIGKILL) signal to ping.
+Manage Alsa config files.
</summary>
<param name="domain">
<summary>
@@ -214,9 +194,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_signal_ping" lineno="132">
+<interface name="alsa_manage_home_files" lineno="137">
<summary>
-Send generic signals to ping.
+Create, read, write, and delete
+alsa home files.
</summary>
<param name="domain">
<summary>
@@ -224,43 +205,51 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_run_ping" lineno="157">
+<interface name="alsa_read_home_files" lineno="156">
<summary>
-Execute ping in the ping domain, and
-allow the specified role the ping domain.
+Read Alsa home files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="alsa_relabel_home_files" lineno="175">
<summary>
-Role allowed access.
+Relabel alsa home files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="netutils_run_ping_cond" lineno="183">
+<interface name="alsa_home_filetrans_alsa_home" lineno="206">
<summary>
-Conditionally execute ping in the ping domain, and
-allow the specified role the ping domain.
+Create objects in user home
+directories with the generic alsa
+home type.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<param name="object_class">
<summary>
-Role allowed access.
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="netutils_exec_ping" lineno="206">
+<interface name="alsa_read_lib" lineno="224">
<summary>
-Execute ping in the caller domain.
+Read Alsa lib files.
</summary>
<param name="domain">
<summary>
@@ -268,37 +257,50 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_domtrans_traceroute" lineno="225">
+<interface name="alsa_write_lib" lineno="248">
<summary>
-Execute traceroute in the traceroute domain.
+Write Alsa lib files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="netutils_run_traceroute" lineno="251">
+<interface name="alsa_domain" lineno="282">
<summary>
-Execute traceroute in the traceroute domain, and
-allow the specified role the traceroute domain.
+Mark the selected domain as an alsa-capable domain
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain that links with alsa
</summary>
</param>
-<param name="role">
+<param name="tmpfstype">
<summary>
-Role allowed access.
+Tmpfs type used for shared memory of the given domain
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="netutils_run_traceroute_cond" lineno="277">
+</module>
+<module name="amanda" filename="policy/modules/admin/amanda.if">
+<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
+<interface name="amanda_domtrans_recover" lineno="14">
<summary>
-Conditionally execute traceroute in the traceroute domain, and
-allow the specified role the traceroute domain.
+Execute a domain transition to run
+Amanda recover.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="amanda_run_recover" lineno="41">
+<summary>
+Execute a domain transition to run
+Amanda recover, and allow the specified
+role the Amanda recover domain.
</summary>
<param name="domain">
<summary>
@@ -312,9 +314,9 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="netutils_exec_traceroute" lineno="300">
+<interface name="amanda_search_lib" lineno="60">
<summary>
-Execute traceroute in the caller domain.
+Search Amanda library directories.
</summary>
<param name="domain">
<summary>
@@ -322,68 +324,49 @@ Domain allowed access.
</summary>
</param>
</interface>
-<tunable name="user_ping" dftval="false">
-<desc>
-<p>
-Control users use of ping and traceroute
-</p>
-</desc>
-</tunable>
-</module>
-<module name="su" filename="policy/modules/admin/su.if">
-<summary>Run shells with substitute user and group</summary>
-<template name="su_restricted_domain_template" lineno="31">
+<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
<summary>
-Restricted su domain template.
+Do not audit attempts to read /etc/dumpdates.
</summary>
-<desc>
-<p>
-This template creates a derived domain which is allowed
-to change the linux user id, to run shells as a different
-user.
-</p>
-</desc>
-<param name="userdomain_prefix">
+<param name="domain">
<summary>
-The prefix of the user domain (e.g., user
-is the prefix for user_t).
+Domain to not audit.
</summary>
</param>
-<param name="user_domain">
+</interface>
+<interface name="amanda_rw_dumpdates_files" lineno="97">
<summary>
-The type of the user domain.
+Read and write /etc/dumpdates.
</summary>
-</param>
-<param name="user_role">
+<param name="domain">
<summary>
-The role associated with the user domain.
+Domain allowed access.
</summary>
</param>
-</template>
-<template name="su_role_template" lineno="162">
+</interface>
+<interface name="amanda_manage_lib" lineno="116">
<summary>
-The role template for the su module.
+Manage Amanda library directories.
</summary>
-<param name="role_prefix">
+<param name="domain">
<summary>
-The prefix of the user role (e.g., user
-is the prefix for user_r).
+Domain allowed access.
</summary>
</param>
-<param name="user_role">
+</interface>
+<interface name="amanda_append_log_files" lineno="135">
<summary>
-The role associated with the user domain.
+Read and append amanda log files.
</summary>
-</param>
-<param name="user_domain">
+<param name="domain">
<summary>
-The type of the user domain.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="su_exec" lineno="328">
+</interface>
+<interface name="amanda_search_var_lib" lineno="154">
<summary>
-Execute su in the caller domain.
+Search Amanda var library directories.
</summary>
<param name="domain">
<summary>
@@ -392,52 +375,61 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="sudo" filename="policy/modules/admin/sudo.if">
-<summary>Execute a command with a substitute user</summary>
-<template name="sudo_role_template" lineno="31">
+<module name="amtu" filename="policy/modules/admin/amtu.if">
+<summary>Abstract Machine Test Utility.</summary>
+<interface name="amtu_domtrans" lineno="13">
<summary>
-The role template for the sudo module.
+Execute a domain transition to run Amtu.
</summary>
-<desc>
-<p>
-This template creates a derived domain which is allowed
-to change the linux user id, to run commands as a different
-user.
-</p>
-</desc>
-<param name="role_prefix">
+<param name="domain">
<summary>
-The prefix of the user role (e.g., user
-is the prefix for user_r).
+Domain allowed to transition.
</summary>
</param>
-<param name="user_role">
+</interface>
+<interface name="amtu_run" lineno="39">
<summary>
-The user role.
+Execute a domain transition to run
+Amtu, and allow the specified role
+the Amtu domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
</param>
-<param name="user_domain">
+<param name="role">
<summary>
-The user domain associated with the role.
+Role allowed access.
</summary>
</param>
-</template>
-<interface name="sudo_sigchld" lineno="174">
+</interface>
+<interface name="amtu_admin" lineno="65">
<summary>
-Send a SIGCHLD signal to the sudo domain.
+All of the rules required to
+administrate an amtu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
</module>
-<module name="usermanage" filename="policy/modules/admin/usermanage.if">
-<summary>Policy for managing user accounts.</summary>
-<interface name="usermanage_domtrans_chfn" lineno="13">
+<module name="anaconda" filename="policy/modules/admin/anaconda.if">
+<summary>Anaconda installer.</summary>
+</module>
+<module name="apt" filename="policy/modules/admin/apt.if">
+<summary>Advanced package tool.</summary>
+<interface name="apt_domtrans" lineno="13">
<summary>
-Execute chfn in the chfn domain.
+Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
@@ -445,10 +437,19 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="usermanage_run_chfn" lineno="42">
+<interface name="apt_exec" lineno="32">
<summary>
-Execute chfn in the chfn domain, and
-allow the specified role the chfn domain.
+Execute the apt in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="apt_run" lineno="57">
+<summary>
+Execute apt programs in the apt domain.
</summary>
<param name="domain">
<summary>
@@ -460,47 +461,42 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="usermanage_domtrans_groupadd" lineno="61">
+<interface name="apt_use_fds" lineno="76">
<summary>
-Execute groupadd in the groupadd domain.
+Use apt file descriptors.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="usermanage_run_groupadd" lineno="91">
+<interface name="apt_dontaudit_use_fds" lineno="95">
<summary>
-Execute groupadd in the groupadd domain, and
-allow the specified role the groupadd domain.
+Do not audit attempts to use
+apt file descriptors.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="usermanage_domtrans_passwd" lineno="110">
+<interface name="apt_read_pipes" lineno="113">
<summary>
-Execute passwd in the passwd domain.
+Read apt unnamed pipes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="usermanage_kill_passwd" lineno="133">
+<interface name="apt_rw_pipes" lineno="131">
<summary>
-Send sigkills to passwd.
+Read and write apt unnamed pipes.
</summary>
<param name="domain">
<summary>
@@ -508,54 +504,62 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="usermanage_run_passwd" lineno="157">
+<interface name="apt_use_ptys" lineno="149">
<summary>
-Execute passwd in the passwd domain, and
-allow the specified role the passwd domain.
+Read and write apt ptys.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="apt_read_cache" lineno="167">
<summary>
-Role allowed access.
+Read apt package cache content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="usermanage_domtrans_admin_passwd" lineno="177">
+<interface name="apt_manage_cache" lineno="187">
<summary>
-Execute password admin functions in
-the admin passwd domain.
+Create, read, write, and delete apt package cache content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="usermanage_run_admin_passwd" lineno="204">
+<interface name="apt_read_db" lineno="207">
<summary>
-Execute passwd admin functions in the admin
-passwd domain, and allow the specified role
-the admin passwd domain.
+Read apt package database content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="apt_manage_db" lineno="229">
<summary>
-Role allowed access.
+Create, read, write, and delete
+apt package database content.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="usermanage_dontaudit_use_useradd_fds" lineno="223">
+<interface name="apt_dontaudit_manage_db" lineno="251">
<summary>
-Do not audit attempts to use useradd fds.
+Do not audit attempts to create,
+read, write, and delete apt
+package database content.
</summary>
<param name="domain">
<summary>
@@ -563,9 +567,12 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="usermanage_domtrans_useradd" lineno="241">
+</module>
+<module name="backup" filename="policy/modules/admin/backup.if">
+<summary>System backup scripts.</summary>
+<interface name="backup_domtrans" lineno="13">
<summary>
-Execute useradd in the useradd domain.
+Execute backup in the backup domain.
</summary>
<param name="domain">
<summary>
@@ -573,10 +580,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="usermanage_run_useradd" lineno="271">
+<interface name="backup_run" lineno="40">
<summary>
-Execute useradd in the useradd domain, and
-allow the specified role the useradd domain.
+Execute backup in the backup
+domain, and allow the specified
+role the backup domain.
</summary>
<param name="domain">
<summary>
@@ -590,9 +598,10 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="usermanage_read_crack_db" lineno="290">
+<interface name="backup_manage_store_files" lineno="60">
<summary>
-Read the crack database.
+Create, read, and write backup
+store files.
</summary>
<param name="domain">
<summary>
@@ -601,14 +610,12 @@ Domain allowed access.
</param>
</interface>
</module>
-</layer>
-<layer name="apps">
-<summary>Policy modules for applications</summary>
-<module name="seunshare" filename="policy/modules/apps/seunshare.if">
-<summary>Filesystem namespacing/polyinstantiation application.</summary>
-<interface name="seunshare_domtrans" lineno="13">
+<module name="bacula" filename="policy/modules/admin/bacula.if">
+<summary>Cross platform network backup.</summary>
+<interface name="bacula_domtrans_admin" lineno="14">
<summary>
-Execute a domain transition to run seunshare.
+Execute bacula admin bacula
+admin domain.
</summary>
<param name="domain">
<summary>
@@ -616,10 +623,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="seunshare_run" lineno="37">
+<interface name="bacula_run_admin" lineno="41">
<summary>
-Execute seunshare in the seunshare domain, and
-allow the specified role the seunshare domain.
+Execute user interfaces in the
+bacula admin domain, and allow the
+specified role the bacula admin domain.
</summary>
<param name="domain">
<summary>
@@ -631,31 +639,31 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="seunshare_role" lineno="69">
+<interface name="bacula_admin" lineno="67">
<summary>
-Role access for seunshare
+All of the rules required to
+administrate an bacula environment.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access.
+Domain allowed access.
</summary>
</param>
-<param name="domain">
+<param name="role">
<summary>
-User domain for the role.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
</module>
-</layer>
-<layer name="contrib">
-<summary>Contributed Reference Policy modules.</summary>
-<module name="abrt" filename="policy/modules/contrib/abrt.if">
-<summary>ABRT - automated bug-reporting tool</summary>
-<interface name="abrt_domtrans" lineno="13">
+<module name="bcfg2" filename="policy/modules/admin/bcfg2.if">
+<summary>configuration management suite.</summary>
+<interface name="bcfg2_domtrans" lineno="13">
<summary>
-Execute abrt in the abrt domain.
+Execute bcfg2 in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
@@ -663,19 +671,19 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="abrt_exec" lineno="32">
+<interface name="bcfg2_initrc_domtrans" lineno="32">
<summary>
-Execute abrt in the caller domain.
+Execute bcfg2 server in the bcfg2 domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="abrt_signull" lineno="51">
+<interface name="bcfg2_search_lib" lineno="50">
<summary>
-Send a null signal to abrt.
+Search bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
@@ -683,9 +691,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_read_state" lineno="69">
+<interface name="bcfg2_read_lib_files" lineno="69">
<summary>
-Allow the domain to read abrt state files in /proc.
+Read bcfg2 lib files.
</summary>
<param name="domain">
<summary>
@@ -693,9 +701,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_stream_connect" lineno="87">
+<interface name="bcfg2_manage_lib_files" lineno="89">
<summary>
-Connect to abrt over an unix stream socket.
+Create, read, write, and delete
+bcfg2 lib files.
</summary>
<param name="domain">
<summary>
@@ -703,10 +712,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_dbus_chat" lineno="107">
+<interface name="bcfg2_manage_lib_dirs" lineno="109">
<summary>
-Send and receive messages from
-abrt over dbus.
+Create, read, write, and delete
+bcfg2 lib directories.
</summary>
<param name="domain">
<summary>
@@ -714,37 +723,40 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_domtrans_helper" lineno="127">
+<interface name="bcfg2_admin" lineno="135">
<summary>
-Execute abrt-helper in the abrt-helper domain.
+All of the rules required to
+administrate an bcfg2 environment.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="abrt_run_helper" lineno="152">
+</module>
+<module name="blueman" filename="policy/modules/admin/blueman.if">
+<summary>Tool to manage Bluetooth devices.</summary>
+<interface name="blueman_domtrans" lineno="13">
<summary>
-Execute abrt helper in the abrt_helper domain, and
-allow the specified role the abrt_helper domain.
+Execute blueman in the blueman domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
-<rolecap/>
</interface>
-<interface name="abrt_cache_manage" lineno="172">
+<interface name="blueman_dbus_chat" lineno="33">
<summary>
Send and receive messages from
-abrt over dbus.
+blueman over dbus.
</summary>
<param name="domain">
<summary>
@@ -752,9 +764,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_read_config" lineno="190">
+<interface name="blueman_search_lib" lineno="53">
<summary>
-Read abrt configuration file.
+Search blueman lib directories.
</summary>
<param name="domain">
<summary>
@@ -762,9 +774,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_read_log" lineno="209">
+<interface name="blueman_read_lib_files" lineno="72">
<summary>
-Read abrt logs.
+Read blueman lib files.
</summary>
<param name="domain">
<summary>
@@ -772,9 +784,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_read_pid_files" lineno="228">
+<interface name="blueman_manage_lib_files" lineno="92">
<summary>
-Read abrt PID files.
+Create, read, write, and delete
+blueman lib files.
</summary>
<param name="domain">
<summary>
@@ -782,39 +795,39 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="abrt_manage_pid_files" lineno="247">
+</module>
+<module name="bootloader" filename="policy/modules/admin/bootloader.if">
+<summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
+<interface name="bootloader_domtrans" lineno="13">
<summary>
-Create, read, write, and delete abrt PID files.
+Execute bootloader in the bootloader domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="abrt_admin" lineno="273">
+<interface name="bootloader_run" lineno="39">
<summary>
-All of the rules required to administrate
-an abrt environment
+Execute bootloader interactively and do
+a domain transition to the bootloader domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the abrt domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="accountsd" filename="policy/modules/contrib/accountsd.if">
-<summary>AccountsService and daemon for manipulating user account information via D-Bus</summary>
-<interface name="accountsd_domtrans" lineno="13">
+<interface name="bootloader_exec" lineno="58">
<summary>
-Execute a domain transition to run accountsd.
+Execute bootloader in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -822,10 +835,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="accountsd_dontaudit_rw_fifo_file" lineno="32">
+<interface name="bootloader_read_config" lineno="77">
<summary>
-Do not audit attempts to read and write Accounts Daemon
-fifo file.
+Read the bootloader configuration file.
</summary>
<param name="domain">
<summary>
@@ -833,20 +845,22 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="accountsd_dbus_chat" lineno="51">
+<interface name="bootloader_rw_config" lineno="97">
<summary>
-Send and receive messages from
-accountsd over dbus.
+Read and write the bootloader
+configuration file.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="accountsd_search_lib" lineno="71">
+<interface name="bootloader_rw_tmp_files" lineno="116">
<summary>
-Search accountsd lib directories.
+Read and write the bootloader
+temporary data in /tmp.
</summary>
<param name="domain">
<summary>
@@ -854,9 +868,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="accountsd_read_lib_files" lineno="90">
+<interface name="bootloader_create_runtime_file" lineno="136">
<summary>
-Read accountsd lib files.
+Create, read and write the bootloader
+runtime data.
</summary>
<param name="domain">
<summary>
@@ -864,25 +879,27 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="accountsd_manage_lib_files" lineno="110">
+</module>
+<module name="brctl" filename="policy/modules/admin/brctl.if">
+<summary>Utilities for configuring the Linux ethernet bridge.</summary>
+<interface name="brctl_domtrans" lineno="13">
<summary>
-Create, read, write, and delete
-accountsd lib files.
+Execute a domain transition to run brctl.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="accountsd_admin" lineno="136">
+<interface name="brctl_run" lineno="38">
<summary>
-All of the rules required to administrate
-an accountsd environment
+Execute brctl in the brctl domain, and
+allow the specified role the brctl domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
@@ -890,14 +907,13 @@ Domain allowed access.
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="acct" filename="policy/modules/contrib/acct.if">
-<summary>Berkeley process accounting</summary>
-<interface name="acct_domtrans" lineno="13">
+<module name="certwatch" filename="policy/modules/admin/certwatch.if">
+<summary>Digital Certificate Tracking.</summary>
+<interface name="certwatch_domtrans" lineno="13">
<summary>
-Transition to the accounting management domain.
+Domain transition to certwatch.
</summary>
<param name="domain">
<summary>
@@ -905,19 +921,41 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="acct_exec" lineno="32">
+<interface name="certwatch_run" lineno="41">
<summary>
-Execute accounting management tools in the caller domain.
+Execute certwatch in the certwatch
+domain, and allow the specified role
+the certwatch domain.
+backchannel.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="acct_exec_data" lineno="53">
+</module>
+<module name="cfengine" filename="policy/modules/admin/cfengine.if">
+<summary>System administration tool for networks.</summary>
+<template name="cfengine_domain_template" lineno="13">
+<summary>
+The template to define a cfengine domain.
+</summary>
+<param name="domain_prefix">
+<summary>
+Domain prefix to be used.
+</summary>
+</param>
+</template>
+<interface name="cfengine_read_lib_files" lineno="46">
<summary>
-Execute accounting management data in the caller domain.
+Read cfengine lib files.
</summary>
<param name="domain">
<summary>
@@ -925,22 +963,40 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="acct_manage_data" lineno="72">
+<interface name="cfengine_dontaudit_write_log_files" lineno="66">
<summary>
-Create, read, write, and delete process accounting data.
+Do not audit attempts to write
+cfengine log files.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="cfengine_admin" lineno="91">
+<summary>
+All of the rules required to
+administrate an cfengine environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
</module>
-<module name="ada" filename="policy/modules/contrib/ada.if">
-<summary>GNAT Ada95 compiler</summary>
-<interface name="ada_domtrans" lineno="13">
+<module name="chkrootkit" filename="policy/modules/admin/chkrootkit.if">
+<summary>chkrootkit - rootkit checker.</summary>
+<interface name="chkrootkit_domtrans" lineno="13">
<summary>
-Execute the ada program in the ada domain.
+Execute a domain transition to run chkrootkit.
</summary>
<param name="domain">
<summary>
@@ -948,10 +1004,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="ada_run" lineno="38">
+<interface name="chkrootkit_run" lineno="39">
<summary>
-Execute ada in the ada domain, and
-allow the specified role the ada domain.
+Execute chkrootkit in the chkrootkit domain,
+and allow the specified role
+the chkrootkit domain.
</summary>
<param name="domain">
<summary>
@@ -965,12 +1022,13 @@ Role allowed access.
</param>
</interface>
</module>
-<module name="afs" filename="policy/modules/contrib/afs.if">
-<summary>Andrew Filesystem server</summary>
-<interface name="afs_domtrans" lineno="14">
+<module name="consoletype" filename="policy/modules/admin/consoletype.if">
<summary>
-Execute a domain transition to run the
-afs client.
+Determine of the console connected to the controlling terminal.
+</summary>
+<interface name="consoletype_domtrans" lineno="15">
+<summary>
+Execute consoletype in the consoletype domain.
</summary>
<param name="domain">
<summary>
@@ -978,29 +1036,39 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="afs_rw_udp_sockets" lineno="33">
+<interface name="consoletype_run" lineno="44">
<summary>
-Read and write afs client UDP sockets.
+Execute consoletype in the consoletype domain, and
+allow the specified role the consoletype domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="afs_rw_cache" lineno="51">
+<interface name="consoletype_exec" lineno="64">
<summary>
-read/write afs cache files
+Execute consoletype in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="afs_initrc_domtrans" lineno="70">
+</module>
+<module name="ddcprobe" filename="policy/modules/admin/ddcprobe.if">
+<summary>ddcprobe retrieves monitor and graphics card information.</summary>
+<interface name="ddcprobe_domtrans" lineno="13">
<summary>
-Execute afs server in the afs domain.
+Execute ddcprobe in the ddcprobe domain.
</summary>
<param name="domain">
<summary>
@@ -1008,39 +1076,30 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="afs_admin" lineno="95">
+<interface name="ddcprobe_run" lineno="40">
<summary>
-All of the rules required to administrate
-an afs environment
+Execute ddcprobe in the ddcprobe
+domain, and allow the specified
+role the ddcprobe domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the afs domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
-<module name="aiccu" filename="policy/modules/contrib/aiccu.if">
-<summary>Automatic IPv6 Connectivity Client Utility.</summary>
-<interface name="aiccu_domtrans" lineno="13">
-<summary>
-Execute a domain transition to run aiccu.
-</summary>
-<param name="domain">
-<summary>
-Domain allowed to transition.
-</summary>
-</param>
-</interface>
-<interface name="aiccu_initrc_domtrans" lineno="32">
+<module name="dmesg" filename="policy/modules/admin/dmesg.if">
+<summary>Policy for dmesg.</summary>
+<interface name="dmesg_domtrans" lineno="13">
<summary>
-Execute aiccu server in the aiccu domain.
+Execute dmesg in the dmesg domain.
</summary>
<param name="domain">
<summary>
@@ -1048,20 +1107,21 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="aiccu_read_pid_files" lineno="50">
+<interface name="dmesg_exec" lineno="33">
<summary>
-Read aiccu PID files.
+Execute dmesg in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="aiccu_admin" lineno="76">
+<interface name="dmesg_run" lineno="61">
<summary>
-All of the rules required to administrate
-an aiccu environment
+Execute dmesg in the dmesg_t domain, and allow the calling role
+the dmesg_t domain.
</summary>
<param name="domain">
<summary>
@@ -1076,11 +1136,11 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="aide" filename="policy/modules/contrib/aide.if">
-<summary>Aide filesystem integrity checker</summary>
-<interface name="aide_domtrans" lineno="13">
+<module name="dmidecode" filename="policy/modules/admin/dmidecode.if">
+<summary>Decode DMI data for x86/ia64 bioses.</summary>
+<interface name="dmidecode_domtrans" lineno="13">
<summary>
-Execute aide in the aide domain
+Execute dmidecode in the dmidecode domain.
</summary>
<param name="domain">
<summary>
@@ -1088,9 +1148,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="aide_run" lineno="37">
+<interface name="dmidecode_run" lineno="40">
<summary>
-Execute aide programs in the AIDE domain.
+Execute dmidecode in the dmidecode
+domain, and allow the specified
+role the dmidecode domain.
</summary>
<param name="domain">
<summary>
@@ -1099,49 +1161,57 @@ Domain allowed to transition.
</param>
<param name="role">
<summary>
-The role to allow the AIDE domain.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="aide_admin" lineno="58">
+</module>
+<module name="dphysswapfile" filename="policy/modules/admin/dphysswapfile.if">
+<summary>Set up, mount/unmount, and delete an swap file.</summary>
+<interface name="dphysswapfile_dontaudit_read_swap" lineno="13">
<summary>
-All of the rules required to administrate
-an aide environment
+Dontaudit acces to the swap file.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="aisexec" filename="policy/modules/contrib/aisexec.if">
-<summary>Aisexec Cluster Engine</summary>
-<interface name="aisexec_domtrans" lineno="13">
+<interface name="dphysswapfile_admin" lineno="40">
<summary>
-Execute a domain transition to run aisexec.
+All of the rules required to
+administrate an dphys-swapfile environment.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="aisexec_stream_connect" lineno="32">
+</module>
+<module name="dpkg" filename="policy/modules/admin/dpkg.if">
+<summary>Debian package manager.</summary>
+<interface name="dpkg_domtrans" lineno="13">
<summary>
-Connect to aisexec over a unix domain
-stream socket.
+Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="aisexec_read_log" lineno="51">
+<interface name="dpkg_nnp_domtrans" lineno="32">
<summary>
-Allow the specified domain to read aisexec's log files.
+Transition to dpkg_t when NNP has been set
</summary>
<param name="domain">
<summary>
@@ -1149,66 +1219,56 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="aisexecd_admin" lineno="78">
+<interface name="dpkg_run" lineno="57">
<summary>
-All of the rules required to administrate
-an aisexec environment
+Execute dpkg programs in the dpkg domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the aisexecd domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="alsa" filename="policy/modules/contrib/alsa.if">
-<summary>Ainit ALSA configuration tool.</summary>
-<interface name="alsa_domtrans" lineno="13">
+<interface name="dpkg_exec" lineno="76">
<summary>
-Execute a domain transition to run Alsa.
+Execute the dkpg in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_run" lineno="39">
+<interface name="dpkg_domtrans_script" lineno="96">
<summary>
-Execute a domain transition to run
-Alsa, and allow the specified role
-the Alsa domain.
+Execute dpkg_script programs in
+the dpkg_script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
-<summary>
-Role allowed access.
-</summary>
-</param>
</interface>
-<interface name="alsa_rw_semaphores" lineno="58">
+<interface name="dpkg_script_rw_pipes" lineno="117">
<summary>
-Read and write Alsa semaphores.
+access dpkg_script fifos
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="alsa_rw_shared_mem" lineno="76">
+<interface name="dpkg_use_fds" lineno="136">
<summary>
-Read and write Alsa shared memory.
+Inherit and use file descriptors from dpkg.
</summary>
<param name="domain">
<summary>
@@ -1216,9 +1276,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_read_rw_config" lineno="94">
+<interface name="dpkg_read_pipes" lineno="154">
<summary>
-Read writable Alsa config files.
+Read from unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
@@ -1226,9 +1286,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_manage_rw_config" lineno="119">
+<interface name="dpkg_rw_pipes" lineno="172">
<summary>
-Manage writable Alsa config files.
+Read and write unnamed dpkg pipes.
</summary>
<param name="domain">
<summary>
@@ -1236,9 +1296,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_manage_home_files" lineno="144">
+<interface name="dpkg_use_script_fds" lineno="191">
<summary>
-Manage alsa home files.
+Inherit and use file descriptors
+from dpkg scripts.
</summary>
<param name="domain">
<summary>
@@ -1246,9 +1307,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_read_home_files" lineno="163">
+<interface name="dpkg_script_rw_inherited_pipes" lineno="210">
<summary>
-Read Alsa home files.
+Inherit and use file descriptors
+from dpkg scripts.
</summary>
<param name="domain">
<summary>
@@ -1256,9 +1318,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_relabel_home_files" lineno="182">
+<interface name="dpkg_read_db" lineno="229">
<summary>
-Relabel alsa home files.
+Read dpkg package database content.
</summary>
<param name="domain">
<summary>
@@ -1266,9 +1328,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_read_lib" lineno="201">
+<interface name="dpkg_manage_db" lineno="251">
<summary>
-Read Alsa lib files.
+Create, read, write, and delete
+dpkg package database content.
</summary>
<param name="domain">
<summary>
@@ -1276,41 +1339,32 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="amanda" filename="policy/modules/contrib/amanda.if">
-<summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
-<interface name="amanda_domtrans_recover" lineno="14">
+<interface name="dpkg_dontaudit_manage_db" lineno="273">
<summary>
-Execute a domain transition to run
-Amanda recover.
+Do not audit attempts to create,
+read, write, and delete dpkg
+package database content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="amanda_run_recover" lineno="41">
+<interface name="dpkg_lock_db" lineno="294">
<summary>
-Execute a domain transition to run
-Amanda recover, and allow the specified
-role the Amanda recover domain.
+Create, read, write, and delete
+dpkg lock files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="amanda_search_lib" lineno="60">
+<interface name="dpkg_manage_script_tmp_files" lineno="314">
<summary>
-Search Amanda library directories.
+manage dpkg_script_tmp_t files and dirs
</summary>
<param name="domain">
<summary>
@@ -1318,19 +1372,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amanda_dontaudit_read_dumpdates" lineno="79">
+<interface name="dpkg_map_script_tmp_files" lineno="334">
<summary>
-Do not audit attempts to read /etc/dumpdates.
+map dpkg_script_tmp_t files
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amanda_rw_dumpdates_files" lineno="97">
+<interface name="dpkg_read_script_tmp_symlinks" lineno="352">
<summary>
-Read and write /etc/dumpdates.
+read dpkg_script_tmp_t links
</summary>
<param name="domain">
<summary>
@@ -1338,45 +1392,58 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amanda_manage_lib" lineno="116">
+</module>
+<module name="fakehwclock" filename="policy/modules/admin/fakehwclock.if">
+<summary>fake-hwclock - Control fake hardware clock.</summary>
+<interface name="fakehwclock_domtrans" lineno="13">
<summary>
-Search Amanda library directories.
+Execute a domain transition to run fake-hwclock.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="amanda_append_log_files" lineno="135">
+<interface name="fakehwclock_run" lineno="41">
<summary>
-Read and append amanda logs.
+Execute fake-hwclock in the fake-hwclock domain,
+and allow the specified role
+the fake-hwclock domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="amanda_search_var_lib" lineno="154">
+<interface name="fakehwclock_admin" lineno="68">
<summary>
-Search Amanda var library directories.
+All the rules required to
+administrate an fake-hwclock environment.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
-</interface>
-</module>
-<module name="amavis" filename="policy/modules/contrib/amavis.if">
+<param name="role">
<summary>
-Daemon that interfaces mail transfer agents and content
-checkers, such as virus scanners.
+Role allowed access.
</summary>
-<interface name="amavis_domtrans" lineno="16">
+</param>
+</interface>
+</module>
+<module name="firstboot" filename="policy/modules/admin/firstboot.if">
+<summary>Initial system configuration utility.</summary>
+<interface name="firstboot_domtrans" lineno="13">
<summary>
-Execute a domain transition to run amavis.
+Execute firstboot in the firstboot domain.
</summary>
<param name="domain">
<summary>
@@ -1384,19 +1451,26 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="amavis_initrc_domtrans" lineno="35">
+<interface name="firstboot_run" lineno="39">
<summary>
-Execute amavis server in the amavis domain.
+Execute firstboot in the firstboot
+domain, and allow the specified role
+the firstboot domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="amavis_read_spool_files" lineno="53">
+<interface name="firstboot_use_fds" lineno="58">
<summary>
-Read amavis spool files.
+Inherit and use firstboot file descriptors.
</summary>
<param name="domain">
<summary>
@@ -1404,81 +1478,121 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amavis_manage_spool_files" lineno="72">
+<interface name="firstboot_dontaudit_use_fds" lineno="77">
<summary>
-Manage amavis spool files.
+Do not audit attempts to inherit
+firstboot file descriptors.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="amavis_spool_filetrans" lineno="103">
+<interface name="firstboot_write_pipes" lineno="95">
<summary>
-Create objects in the amavis spool directories
-with a private type.
+Write firstboot unnamed pipes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="private_type">
+</interface>
+<interface name="firstboot_rw_pipes" lineno="113">
<summary>
-Private file type.
+Read and Write firstboot unnamed pipes.
</summary>
-</param>
-<param name="object_class">
+<param name="domain">
<summary>
-Class of the object being created.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amavis_search_lib" lineno="122">
+<interface name="firstboot_dontaudit_rw_pipes" lineno="132">
<summary>
-Search amavis lib directories.
+Do not audit attemps to read and
+write firstboot unnamed pipes.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="amavis_read_lib_files" lineno="141">
+<interface name="firstboot_dontaudit_rw_stream_sockets" lineno="152">
<summary>
-Read amavis lib files.
+Do not audit attemps to read and
+write firstboot unix domain
+stream sockets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="amavis_manage_lib_files" lineno="162">
+<tunable name="firstboot_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the firstboot domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="firstboot_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the firstboot domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="firstboot_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the firstboot domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="firstboot_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the firstboot domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="hwloc" filename="policy/modules/admin/hwloc.if">
+<summary>Dump topology and locality information from hardware tables.</summary>
+<interface name="hwloc_domtrans_dhwd" lineno="13">
<summary>
-Create, read, write, and delete
-amavis lib files.
+Execute hwloc dhwd in the hwloc dhwd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="amavis_setattr_pid_files" lineno="181">
+<interface name="hwloc_run_dhwd" lineno="38">
<summary>
-Set the attributes of amavis pid files.
+Execute hwloc dhwd in the hwloc dhwd domain, and
+allow the specified role the hwloc dhwd domain,
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="amavis_create_pid_files" lineno="200">
+<interface name="hwloc_exec_dhwd" lineno="57">
<summary>
-Create of amavis pid files.
+Execute hwloc dhwd in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -1486,29 +1600,34 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="amavis_admin" lineno="226">
+<interface name="hwloc_read_runtime_files" lineno="75">
<summary>
-All of the rules required to administrate
-an amavis environment
+Read hwloc runtime files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="hwloc_admin" lineno="96">
<summary>
-Role allowed access.
+All of the rules required to
+administrate an hwloc environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
-<module name="amtu" filename="policy/modules/contrib/amtu.if">
-<summary>Abstract Machine Test Utility.</summary>
-<interface name="amtu_domtrans" lineno="13">
+<module name="kdump" filename="policy/modules/admin/kdump.if">
+<summary>Kernel crash dumping mechanism.</summary>
+<interface name="kdump_domtrans" lineno="13">
<summary>
-Execute a domain transition to run Amtu.
+Execute kdump in the kdump domain.
</summary>
<param name="domain">
<summary>
@@ -1516,88 +1635,105 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="amtu_run" lineno="39">
+<interface name="kdump_initrc_domtrans" lineno="33">
<summary>
-Execute a domain transition to run
-Amtu, and allow the specified role
-the Amtu domain.
+Execute kdump init scripts in
+the init script domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="kdump_read_config" lineno="51">
<summary>
-Role allowed access.
+Read kdump configuration files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="anaconda" filename="policy/modules/contrib/anaconda.if">
-<summary>Anaconda installer.</summary>
-</module>
-<module name="apache" filename="policy/modules/contrib/apache.if">
-<summary>Apache web server</summary>
-<template name="apache_content_template" lineno="14">
+<interface name="kdump_manage_config" lineno="71">
<summary>
-Create a set of derived types for apache
-web content.
+Create, read, write, and delete
+kdmup configuration files.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-The prefix to be used for deriving type names.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="apache_role" lineno="211">
+</interface>
+<interface name="kdump_admin" lineno="97">
<summary>
-Role access for apache
+All of the rules required to
+administrate an kdump environment.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
-<param name="domain">
+<param name="role">
<summary>
-User domain for the role
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apache_read_user_scripts" lineno="271">
+</module>
+<module name="kdumpgui" filename="policy/modules/admin/kdumpgui.if">
+<summary>System-config-kdump GUI.</summary>
+</module>
+<module name="kismet" filename="policy/modules/admin/kismet.if">
+<summary>IEEE 802.11 wireless LAN sniffer.</summary>
+<template name="kismet_role" lineno="18">
<summary>
-Read httpd user scripts executables.
+Role access for kismet.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
-</interface>
-<interface name="apache_read_user_content" lineno="291">
+</template>
+<interface name="kismet_domtrans" lineno="51">
<summary>
-Read user web content.
+Execute a domain transition to run kismet.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_domtrans" lineno="311">
+<interface name="kismet_run" lineno="76">
<summary>
-Transition to apache.
+Execute kismet in the kismet domain, and
+allow the specified role the kismet domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="apache_signal" lineno="330">
+<interface name="kismet_read_pid_files" lineno="95">
<summary>
-Send a generic signal to apache.
+Read kismet pid files.
</summary>
<param name="domain">
<summary>
@@ -1605,9 +1741,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_signull" lineno="348">
+<interface name="kismet_manage_pid_files" lineno="115">
<summary>
-Send a null signal to apache.
+Create, read, write, and delete
+kismet pid files.
</summary>
<param name="domain">
<summary>
@@ -1615,9 +1752,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_sigchld" lineno="366">
+<interface name="kismet_search_lib" lineno="134">
<summary>
-Send a SIGCHLD signal to apache.
+Search kismet lib directories.
</summary>
<param name="domain">
<summary>
@@ -1625,9 +1762,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_use_fds" lineno="384">
+<interface name="kismet_read_lib_files" lineno="153">
<summary>
-Inherit and use file descriptors from Apache.
+Read kismet lib files.
</summary>
<param name="domain">
<summary>
@@ -1635,54 +1772,53 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_rw_fifo_file" lineno="403">
+<interface name="kismet_manage_lib_files" lineno="174">
<summary>
-Do not audit attempts to read and write Apache
-unnamed pipes.
+Create, read, write, and delete
+kismet lib files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_rw_stream_sockets" lineno="422">
+<interface name="kismet_manage_lib" lineno="194">
<summary>
-Do not audit attempts to read and write Apache
-unix domain stream sockets.
+Create, read, write, and delete
+kismet lib content.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_rw_tcp_sockets" lineno="441">
+<interface name="kismet_read_log" lineno="216">
<summary>
-Do not audit attempts to read and write Apache
-TCP sockets.
+Read kismet log files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apache_manage_all_content" lineno="460">
+<interface name="kismet_append_log" lineno="235">
<summary>
-Create, read, write, and delete all web content.
+Append kismet log files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="apache_setattr_cache_dirs" lineno="485">
+<interface name="kismet_manage_log" lineno="255">
<summary>
-Allow domain to set the attributes
-of the APACHE cache directory.
+Create, read, write, and delete
+kismet log content.
</summary>
<param name="domain">
<summary>
@@ -1690,78 +1826,98 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_list_cache" lineno="504">
+<interface name="kismet_admin" lineno="283">
<summary>
-Allow the specified domain to list
-Apache cache.
+All of the rules required to
+administrate an kismet environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="apache_rw_cache_files" lineno="523">
+</module>
+<module name="kudzu" filename="policy/modules/admin/kudzu.if">
+<summary>Hardware detection and configuration tools.</summary>
+<interface name="kudzu_domtrans" lineno="13">
<summary>
-Allow the specified domain to read
-and write Apache cache files.
+Execute kudzu in the kudzu domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_delete_cache_files" lineno="542">
+<interface name="kudzu_run" lineno="39">
<summary>
-Allow the specified domain to delete
-Apache cache.
+Execute kudzu in the kudzu domain, and
+allow the specified role the kudzu domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apache_read_config" lineno="562">
+<interface name="kudzu_getattr_exec_files" lineno="58">
<summary>
-Allow the specified domain to read
-apache configuration files.
+Get attributes of kudzu executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="apache_manage_config" lineno="584">
+<interface name="kudzu_admin" lineno="83">
<summary>
-Allow the specified domain to manage
-apache configuration files.
+All of the rules required to
+administrate an kudzu environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="apache_domtrans_helper" lineno="606">
+</module>
+<module name="logrotate" filename="policy/modules/admin/logrotate.if">
+<summary>Rotates, compresses, removes and mails system log files.</summary>
+<interface name="logrotate_domtrans" lineno="13">
<summary>
-Execute the Apache helper program with
-a domain transition.
+Execute logrotate in the logrotate domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_run_helper" lineno="633">
+<interface name="logrotate_run" lineno="40">
<summary>
-Execute the Apache helper program with
-a domain transition, and allow the
-specified role the Apache helper domain.
+Execute logrotate in the logrotate
+domain, and allow the specified
+role the logrotate domain.
</summary>
<param name="domain">
<summary>
@@ -1775,22 +1931,19 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="apache_read_log" lineno="654">
+<interface name="logrotate_exec" lineno="59">
<summary>
-Allow the specified domain to read
-apache log files.
+Execute logrotate in the caller domain.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="apache_append_log" lineno="676">
+<interface name="logrotate_use_fds" lineno="78">
<summary>
-Allow the specified domain to append
-to apache log files.
+Inherit and use logrotate file descriptors.
</summary>
<param name="domain">
<summary>
@@ -1798,10 +1951,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_append_log" lineno="697">
+<interface name="logrotate_dontaudit_use_fds" lineno="97">
<summary>
-Do not audit attempts to append to the
-Apache logs.
+Do not audit attempts to inherit
+logrotate file descriptors.
</summary>
<param name="domain">
<summary>
@@ -1809,10 +1962,9 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="apache_manage_log" lineno="716">
+<interface name="logrotate_read_tmp_files" lineno="115">
<summary>
-Allow the specified domain to manage
-to apache log files.
+Read logrotate temporary files.
</summary>
<param name="domain">
<summary>
@@ -1820,22 +1972,22 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_search_modules" lineno="738">
+</module>
+<module name="logwatch" filename="policy/modules/admin/logwatch.if">
+<summary>System log analyzer and reporter.</summary>
+<interface name="logwatch_read_tmp_files" lineno="13">
<summary>
-Do not audit attempts to search Apache
-module directories.
+Read logwatch temporary files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_list_modules" lineno="758">
+<interface name="logwatch_search_cache_dir" lineno="32">
<summary>
-Allow the specified domain to list
-the contents of the apache modules
-directory.
+Search logwatch cache directories.
</summary>
<param name="domain">
<summary>
@@ -1843,31 +1995,98 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_exec_modules" lineno="777">
+<tunable name="logwatch_can_network_connect_mail" dftval="false">
+<desc>
+<p>
+Determine whether logwatch can connect
+to mail over the network.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mcelog" filename="policy/modules/admin/mcelog.if">
+<summary>Linux hardware error daemon.</summary>
+<interface name="mcelog_domtrans" lineno="13">
<summary>
-Allow the specified domain to execute
-apache modules.
+Execute a domain transition to run mcelog.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="mcelog_admin" lineno="39">
+<summary>
+All of the rules required to
+administrate an mcelog environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="apache_domtrans_rotatelogs" lineno="797">
+<tunable name="mcelog_client" dftval="false">
+<desc>
+<p>
+Determine whether mcelog supports
+client mode.
+</p>
+</desc>
+</tunable>
+<tunable name="mcelog_exec_scripts" dftval="true">
+<desc>
+<p>
+Determine whether mcelog can execute scripts.
+</p>
+</desc>
+</tunable>
+<tunable name="mcelog_foreground" dftval="false">
+<desc>
+<p>
+Determine whether mcelog can use all
+the user ttys.
+</p>
+</desc>
+</tunable>
+<tunable name="mcelog_server" dftval="false">
+<desc>
+<p>
+Determine whether mcelog supports
+server mode.
+</p>
+</desc>
+</tunable>
+<tunable name="mcelog_syslog" dftval="false">
+<desc>
+<p>
+Determine whether mcelog can use syslog.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mrtg" filename="policy/modules/admin/mrtg.if">
+<summary>Network traffic graphing.</summary>
+<interface name="mrtg_read_config" lineno="13">
<summary>
-Execute a domain transition to run httpd_rotatelogs.
+Read mrtg configuration
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_list_sys_content" lineno="816">
+<interface name="mrtg_append_create_logs" lineno="31">
<summary>
-Allow the specified domain to list
-apache system content files.
+Create and append mrtg log files.
</summary>
<param name="domain">
<summary>
@@ -1875,22 +2094,29 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_manage_sys_content" lineno="838">
+<interface name="mrtg_admin" lineno="58">
<summary>
-Allow the specified domain to manage
-apache system content files.
+All of the rules required to
+administrate an mrtg environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<rolecap/>
</interface>
-<interface name="apache_domtrans_sys_script" lineno="862">
+</module>
+<module name="ncftool" filename="policy/modules/admin/ncftool.if">
+<summary>Cross-platform network configuration library.</summary>
+<interface name="ncftool_domtrans" lineno="13">
<summary>
-Execute all web scripts in the system
-script domain.
+Execute a domain transition to run ncftool.
</summary>
<param name="domain">
<summary>
@@ -1898,21 +2124,29 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_rw_sys_script_stream_sockets" lineno="884">
+<interface name="ncftool_run" lineno="39">
<summary>
-Do not audit attempts to read and write Apache
-system script unix domain stream sockets.
+Execute ncftool in the ncftool
+domain, and allow the specified
+role the ncftool domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="apache_domtrans_all_scripts" lineno="903">
+</module>
+<module name="netutils" filename="policy/modules/admin/netutils.if">
+<summary>Network analysis utilities</summary>
+<interface name="netutils_domtrans" lineno="13">
<summary>
-Execute all user scripts in the user
-script domain.
+Execute network utilities in the netutils domain.
</summary>
<param name="domain">
<summary>
@@ -1920,11 +2154,10 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_run_all_scripts" lineno="928">
+<interface name="netutils_run" lineno="39">
<summary>
-Execute all user scripts in the user
-script domain. Add user script domains
-to the specified role.
+Execute network utilities in the netutils domain, and
+allow the specified role the netutils domain.
</summary>
<param name="domain">
<summary>
@@ -1933,14 +2166,14 @@ Domain allowed to transition.
</param>
<param name="role">
<summary>
-Role allowed access..
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apache_read_squirrelmail_data" lineno="948">
+<interface name="netutils_exec" lineno="58">
<summary>
-Allow the specified domain to read
-apache squirrelmail data.
+Execute network utilities in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -1948,10 +2181,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_append_squirrelmail_data" lineno="967">
+<interface name="netutils_signal" lineno="77">
<summary>
-Allow the specified domain to append
-apache squirrelmail data.
+Send generic signals to network utilities.
</summary>
<param name="domain">
<summary>
@@ -1959,19 +2191,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_search_sys_content" lineno="985">
+<interface name="netutils_domtrans_ping" lineno="95">
<summary>
-Search apache system content.
+Execute ping in the ping domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_read_sys_content" lineno="1003">
+<interface name="netutils_kill_ping" lineno="114">
<summary>
-Read apache system content.
+Send a kill (SIGKILL) signal to ping.
</summary>
<param name="domain">
<summary>
@@ -1979,9 +2211,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_search_sys_scripts" lineno="1023">
+<interface name="netutils_signal_ping" lineno="132">
<summary>
-Search apache system CGI directories.
+Send generic signals to ping.
</summary>
<param name="domain">
<summary>
@@ -1989,31 +2221,43 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_manage_all_user_content" lineno="1042">
+<interface name="netutils_run_ping" lineno="157">
<summary>
-Create, read, write, and delete all user web content.
+Execute ping in the ping domain, and
+allow the specified role the ping domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<interface name="apache_search_sys_script_state" lineno="1066">
+<interface name="netutils_run_ping_cond" lineno="183">
<summary>
-Search system script state directory.
+Conditionally execute ping in the ping domain, and
+allow the specified role the ping domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="apache_read_tmp_files" lineno="1085">
+<interface name="netutils_exec_ping" lineno="206">
<summary>
-Allow the specified domain to read
-apache tmp files.
+Execute ping in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -2021,55 +2265,41 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apache_dontaudit_write_tmp_files" lineno="1105">
+<interface name="netutils_domtrans_traceroute" lineno="225">
<summary>
-Dontaudit attempts to write
-apache tmp files.
+Execute traceroute in the traceroute domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apache_cgi_domain" lineno="1138">
+<interface name="netutils_run_traceroute" lineno="251">
<summary>
-Execute CGI in the specified domain.
+Execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
</summary>
-<desc>
-<p>
-Execute CGI in the specified domain.
-</p>
-<p>
-This is an interface to support third party modules
-and its use is not allowed in upstream reference
-policy.
-</p>
-</desc>
<param name="domain">
<summary>
-Domain run the cgi script in.
+Domain allowed to transition.
</summary>
</param>
-<param name="entrypoint">
+<param name="role">
<summary>
-Type of the executable to enter the cgi domain.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apache_admin" lineno="1171">
-<summary>
-All of the rules required to administrate an apache environment
-</summary>
-<param name="prefix">
+<interface name="netutils_run_traceroute_cond" lineno="277">
<summary>
-Prefix of the domain. Example, user would be
-the prefix for the uder_t domain.
+Conditionally execute traceroute in the traceroute domain, and
+allow the specified role the traceroute domain.
</summary>
-</param>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
@@ -2079,143 +2309,29 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<tunable name="allow_httpd_anon_write" dftval="false">
-<desc>
-<p>
-Allow Apache to modify public files
-used for public file transfer services. Directories/Files must
-be labeled public_content_rw_t.
-</p>
-</desc>
-</tunable>
-<tunable name="allow_httpd_mod_auth_pam" dftval="false">
-<desc>
-<p>
-Allow Apache to use mod_auth_pam
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_builtin_scripting" dftval="false">
-<desc>
-<p>
-Allow httpd to use built in scripting (usually php)
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_can_network_connect" dftval="false">
-<desc>
-<p>
-Allow HTTPD scripts and modules to connect to the network using TCP.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_can_network_connect_db" dftval="false">
-<desc>
-<p>
-Allow HTTPD scripts and modules to connect to databases over the network.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_can_network_relay" dftval="false">
-<desc>
-<p>
-Allow httpd to act as a relay
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_can_sendmail" dftval="false">
-<desc>
-<p>
-Allow http daemon to send mail
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_dbus_avahi" dftval="false">
-<desc>
-<p>
-Allow Apache to communicate with avahi service via dbus
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_enable_cgi" dftval="false">
-<desc>
-<p>
-Allow httpd cgi support
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_enable_ftp_server" dftval="false">
-<desc>
-<p>
-Allow httpd to act as a FTP server by
-listening on the ftp port.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_enable_homedirs" dftval="false">
-<desc>
-<p>
-Allow httpd to read home directories
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_setrlimit" dftval="false">
-<desc>
-<p>
-Allow httpd daemon to change its resource limits
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_ssi_exec" dftval="false">
-<desc>
-<p>
-Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_tty_comm" dftval="false">
-<desc>
-<p>
-Unify HTTPD to communicate with the terminal.
-Needed for entering the passphrase for certificates at
-the terminal.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_unified" dftval="false">
-<desc>
-<p>
-Unify HTTPD handling of all content files.
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_use_cifs" dftval="false">
-<desc>
-<p>
-Allow httpd to access cifs file systems
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_use_gpg" dftval="false">
-<desc>
-<p>
-Allow httpd to run gpg
-</p>
-</desc>
-</tunable>
-<tunable name="httpd_use_nfs" dftval="false">
+<interface name="netutils_exec_traceroute" lineno="300">
+<summary>
+Execute traceroute in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<tunable name="user_ping" dftval="false">
<desc>
<p>
-Allow httpd to access nfs file systems
+Control users use of ping and traceroute
</p>
</desc>
</tunable>
</module>
-<module name="apcupsd" filename="policy/modules/contrib/apcupsd.if">
-<summary>APC UPS monitoring daemon</summary>
-<interface name="apcupsd_domtrans" lineno="13">
+<module name="passenger" filename="policy/modules/admin/passenger.if">
+<summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
+<interface name="passenger_domtrans" lineno="13">
<summary>
-Execute a domain transition to run apcupsd.
+Execute passenger in the passenger domain.
</summary>
<param name="domain">
<summary>
@@ -2223,19 +2339,19 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apcupsd_initrc_domtrans" lineno="32">
+<interface name="passenger_exec" lineno="32">
<summary>
-Execute apcupsd server in the apcupsd domain.
+Execute passenger in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apcupsd_read_pid_files" lineno="50">
+<interface name="passenger_read_lib_files" lineno="51">
<summary>
-Read apcupsd PID files.
+Read passenger lib files.
</summary>
<param name="domain">
<summary>
@@ -2243,31 +2359,58 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="apcupsd_read_log" lineno="70">
+</module>
+<module name="portage" filename="policy/modules/admin/portage.if">
+<summary>Package Management System.</summary>
+<interface name="portage_domtrans" lineno="13">
<summary>
-Allow the specified domain to read apcupsd's log files.
+Execute emerge in the portage domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="portage_run" lineno="43">
+<summary>
+Execute emerge in the portage domain,
+and allow the specified role the
+portage domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<interface name="apcupsd_append_log" lineno="91">
+<interface name="portage_compile_domain" lineno="68">
<summary>
-Allow the specified domain to append
-apcupsd log files.
+Template for portage sandbox.
</summary>
+<desc>
+<p>
+Template for portage sandbox. Portage
+does all compiling in the sandbox.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Domain Allowed Access
</summary>
</param>
</interface>
-<interface name="apcupsd_cgi_script_domtrans" lineno="111">
+<interface name="portage_domtrans_fetch" lineno="235">
<summary>
-Execute a domain transition to run httpd_apcupsd_cgi_script.
+Execute tree management functions
+(fetching, layman, ...) in the
+portage fetch domain.
</summary>
<param name="domain">
<summary>
@@ -2275,29 +2418,29 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apcupsd_admin" lineno="141">
+<interface name="portage_run_fetch" lineno="264">
<summary>
-All of the rules required to administrate
-an apcupsd environment
+Execute tree management functions
+(fetching, layman, ...) in the
+portage fetch domain, and allow
+the specified role the portage
+fetch domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the apcupsd domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="apm" filename="policy/modules/contrib/apm.if">
-<summary>Advanced power management daemon</summary>
-<interface name="apm_domtrans_client" lineno="13">
+<interface name="portage_domtrans_gcc_config" lineno="283">
<summary>
-Execute APM in the apm domain.
+Execute gcc-config in the gcc config domain.
</summary>
<param name="domain">
<summary>
@@ -2305,263 +2448,302 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apm_use_fds" lineno="32">
+<interface name="portage_run_gcc_config" lineno="310">
<summary>
-Use file descriptors for apmd.
+Execute gcc-config in the gcc config
+domain, and allow the specified role
+the gcc_config domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
-</interface>
-<interface name="apm_write_pipes" lineno="50">
-<summary>
-Write to apmd unnamed pipes.
-</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="apm_rw_stream_sockets" lineno="68">
+<interface name="portage_dontaudit_use_fds" lineno="330">
<summary>
-Read and write to an apm unix stream socket.
+Do not audit attempts to use
+portage file descriptors.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="apm_append_log" lineno="86">
+<interface name="portage_dontaudit_search_tmp" lineno="349">
<summary>
-Append to apm's log file.
+Do not audit attempts to search the
+portage temporary directories.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="apm_stream_connect" lineno="105">
+<interface name="portage_dontaudit_rw_tmp_files" lineno="368">
<summary>
-Connect to apmd over an unix stream socket.
+Do not audit attempts to read and write
+the portage temporary files.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="apt" filename="policy/modules/contrib/apt.if">
-<summary>APT advanced package tool.</summary>
-<interface name="apt_domtrans" lineno="13">
+<interface name="portage_eselect_module" lineno="393">
<summary>
-Execute apt programs in the apt domain.
+Allow the domain to run within an eselect module script.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to allow within an eselect module
</summary>
</param>
</interface>
-<interface name="apt_run" lineno="39">
+<interface name="portage_ro_role" lineno="416">
<summary>
-Execute apt programs in the apt domain.
+Read all portage files
</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed to transition.
+Role allowed access
</summary>
</param>
-<param name="role">
+<param name="domain">
<summary>
-The role to allow the apt domain.
+Domain allowed access
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="apt_use_fds" lineno="59">
+<interface name="portage_read_db" lineno="436">
<summary>
-Inherit and use file descriptors from apt.
+Read portage db files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_dontaudit_use_fds" lineno="78">
+<interface name="portage_read_cache" lineno="456">
<summary>
-Do not audit attempts to use file descriptors from apt.
+Read portage cache files
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_read_pipes" lineno="96">
+<interface name="portage_read_config" lineno="477">
<summary>
-Read from an unnamed apt pipe.
+Read portage configuration files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_rw_pipes" lineno="115">
+<interface name="portage_read_ebuild" lineno="499">
<summary>
-Read and write an unnamed apt pipe.
+Read portage ebuild files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_use_ptys" lineno="134">
+<interface name="portage_read_log" lineno="521">
<summary>
-Read from and write to apt ptys.
+Read portage log files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_read_cache" lineno="152">
+<interface name="portage_read_srcrepo" lineno="540">
<summary>
-Read the apt package cache.
+Read portage src repository files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_read_db" lineno="173">
+<interface name="portage_dontaudit_write_cache" lineno="562">
<summary>
-Read the apt package database.
+Do not audit writing portage cache files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="apt_manage_db" lineno="194">
+<tunable name="portage_use_nfs" dftval="false">
+<desc>
+<p>
+Determine whether portage can
+use nfs filesystems.
+</p>
+</desc>
+</tunable>
+<tunable name="portage_read_user_content" dftval="false">
+<desc>
+<p>
+Determine whether portage domains can read user content.
+This is for non-portage_t domains as portage_t can manage the entire file system.
+</p>
+</desc>
+</tunable>
+<tunable name="portage_mount_fs" dftval="false">
+<desc>
+<p>
+Determine whether portage can mount file systems (used to mount /boot for instance).
+</p>
+</desc>
+</tunable>
+<tunable name="portage_enable_test" dftval="false">
+<desc>
+<p>
+Extra rules which are sometimes needed when FEATURES=test is enabled
+</p>
+</desc>
+</tunable>
+</module>
+<module name="prelink" filename="policy/modules/admin/prelink.if">
+<summary>Prelink ELF shared library mappings.</summary>
+<interface name="prelink_domtrans" lineno="13">
<summary>
-Create, read, write, and delete the apt package database.
+Execute prelink in the prelink domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="apt_dontaudit_manage_db" lineno="217">
+<interface name="prelink_exec" lineno="37">
<summary>
-Do not audit attempts to create, read,
-write, and delete the apt package database.
+Execute prelink in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="arpwatch" filename="policy/modules/contrib/arpwatch.if">
-<summary>Ethernet activity monitor.</summary>
-<interface name="arpwatch_initrc_domtrans" lineno="13">
+<interface name="prelink_run" lineno="64">
<summary>
-Execute arpwatch server in the arpwatch domain.
+Execute prelink in the prelink
+domain, and allow the specified role
+the prelink domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="arpwatch_search_data" lineno="31">
+<interface name="prelink_object_file" lineno="83">
<summary>
-Search arpwatch's data file directories.
+Make the specified file type prelinkable.
</summary>
-<param name="domain">
+<param name="file_type">
<summary>
-Domain allowed access.
+File type to be prelinked.
</summary>
</param>
</interface>
-<interface name="arpwatch_manage_data_files" lineno="50">
+<interface name="prelink_read_cache" lineno="101">
<summary>
-Create arpwatch data files.
+Read prelink cache files.
</summary>
-<param name="domain">
+<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="arpwatch_rw_tmp_files" lineno="69">
+<interface name="prelink_delete_cache" lineno="120">
<summary>
-Read and write arpwatch temporary files.
+Delete prelink cache files.
</summary>
-<param name="domain">
+<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="arpwatch_manage_tmp_files" lineno="88">
+<interface name="prelink_manage_log" lineno="140">
<summary>
-Read and write arpwatch temporary files.
+Create, read, write, and delete
+prelink log files.
</summary>
-<param name="domain">
+<param name="file_type">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="arpwatch_dontaudit_rw_packet_sockets" lineno="108">
+<interface name="prelink_manage_lib" lineno="160">
<summary>
-Do not audit attempts to read and write
-arpwatch packet sockets.
+Create, read, write, and delete
+prelink var_lib files.
</summary>
-<param name="domain">
+<param name="file_type">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="arpwatch_admin" lineno="133">
+<interface name="prelink_relabelfrom_lib" lineno="179">
<summary>
-All of the rules required to administrate
-an arpwatch environment
+Relabel from prelink lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="prelink_relabel_lib" lineno="198">
<summary>
-The role to be allowed to manage the arpwatch domain.
+Relabel prelink lib files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="asterisk" filename="policy/modules/contrib/asterisk.if">
-<summary>Asterisk IP telephony server</summary>
-<interface name="asterisk_domtrans" lineno="13">
+<module name="puppet" filename="policy/modules/admin/puppet.if">
+<summary>Configuration management system.</summary>
+<interface name="puppet_domtrans_puppetca" lineno="14">
<summary>
-Execute asterisk in the asterisk domain.
+Execute puppetca in the puppetca
+domain.
</summary>
<param name="domain">
<summary>
@@ -2569,30 +2751,27 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="asterisk_stream_connect" lineno="33">
+<interface name="puppet_run_puppetca" lineno="41">
<summary>
-Connect to asterisk over a unix domain
-stream socket.
+Execute puppetca in the puppetca
+domain and allow the specified
+role the puppetca domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
-</interface>
-<interface name="asterisk_setattr_logs" lineno="52">
-<summary>
-Allow changing the attributes of the asterisk log files and directories
-</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="asterisk_setattr_pid_files" lineno="73">
+<interface name="puppet_read_config" lineno="60">
<summary>
-Allow changing the attributes of the asterisk PID files
+Read puppet configuration content.
</summary>
<param name="domain">
<summary>
@@ -2600,52 +2779,40 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="asterisk_admin" lineno="100">
+<interface name="puppet_read_lib_files" lineno="81">
<summary>
-All of the rules required to administrate
-an asterisk environment
+Read Puppet lib files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
-<summary>
-The role to be allowed to manage the asterisk domain.
-</summary>
-</param>
-<rolecap/>
</interface>
-</module>
-<module name="authbind" filename="policy/modules/contrib/authbind.if">
-<summary>Tool for non-root processes to bind to reserved ports</summary>
-<interface name="authbind_domtrans" lineno="13">
+<interface name="puppet_manage_lib_files" lineno="101">
<summary>
-Use authbind to bind to a reserved port.
+Create, read, write, and delete
+puppet lib files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="automount" filename="policy/modules/contrib/automount.if">
-<summary>Filesystem automounter service.</summary>
-<interface name="automount_domtrans" lineno="13">
+<interface name="puppet_append_log_files" lineno="120">
<summary>
-Execute automount in the automount domain.
+Append puppet log files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="automount_signal" lineno="33">
+<interface name="puppet_create_log_files" lineno="139">
<summary>
-Send automount a signal
+Create puppet log files.
</summary>
<param name="domain">
<summary>
@@ -2653,9 +2820,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="automount_exec_config" lineno="51">
+<interface name="puppet_read_log_files" lineno="158">
<summary>
-Execute automount in the caller domain.
+Read puppet log files.
</summary>
<param name="domain">
<summary>
@@ -2663,70 +2830,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="automount_read_state" lineno="66">
+<interface name="puppet_rw_tmp" lineno="177">
<summary>
-Allow the domain to read state files in /proc.
+Read and write to puppet tempoprary files.
</summary>
<param name="domain">
<summary>
-Domain to allow access.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="automount_dontaudit_use_fds" lineno="84">
+<interface name="puppet_admin" lineno="203">
<summary>
-Do not audit attempts to file descriptors for automount.
+All of the rules required to
+administrate an puppet environment.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="automount_dontaudit_write_pipes" lineno="102">
-<summary>
-Do not audit attempts to write automount daemon unnamed pipes.
-</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain to not audit.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="automount_dontaudit_getattr_tmp_dirs" lineno="121">
+<tunable name="puppet_manage_all_files" dftval="false">
+<desc>
+<p>
+Determine whether puppet can
+manage all non-security files.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="quota" filename="policy/modules/admin/quota.if">
+<summary>File system quota management.</summary>
+<interface name="quota_domtrans" lineno="13">
<summary>
-Do not audit attempts to get the attributes
-of automount temporary directories.
+Execute quota management tools in the quota domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="automount_admin" lineno="146">
+<interface name="quota_run" lineno="40">
<summary>
-All of the rules required to administrate
-an automount environment
+Execute quota management tools in
+the quota domain, and allow the
+specified role the quota domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the automount domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="avahi" filename="policy/modules/contrib/avahi.if">
-<summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
-<interface name="avahi_domtrans" lineno="13">
+<interface name="quota_domtrans_nld" lineno="59">
<summary>
-Execute avahi server in the avahi domain.
+Execute quota nld in the quota nld domain.
</summary>
<param name="domain">
<summary>
@@ -2734,9 +2906,10 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="avahi_signal" lineno="32">
+<interface name="quota_manage_db_files" lineno="79">
<summary>
-Send avahi a signal
+Create, read, write, and delete
+quota db files.
</summary>
<param name="domain">
<summary>
@@ -2744,61 +2917,59 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="avahi_kill" lineno="50">
+<interface name="quota_spec_filetrans_db" lineno="114">
<summary>
-Send avahi a kill signal.
+Create specified objects in specified
+directories with a type transition to
+the quota db file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="avahi_signull" lineno="68">
-<summary>
-Send avahi a signull
-</summary>
-<param name="domain">
+<param name="file_type">
<summary>
-Domain allowed access.
+Directory to transition on.
</summary>
</param>
-</interface>
-<interface name="avahi_dbus_chat" lineno="87">
+<param name="object">
<summary>
-Send and receive messages from
-avahi over dbus.
+The object class of the object being created.
</summary>
-<param name="domain">
+</param>
+<param name="name" optional="true">
<summary>
-Domain allowed access.
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="avahi_stream_connect" lineno="107">
+<interface name="quota_dontaudit_getattr_db" lineno="133">
<summary>
-Connect to avahi using a unix domain stream socket.
+Do not audit attempts to get attributes
+of filesystem quota data files.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="avahi_dontaudit_search_pid" lineno="126">
+<interface name="quota_manage_flags" lineno="152">
<summary>
-Do not audit attempts to search the avahi pid directory.
+Create, read, write, and delete
+quota flag files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="avahi_admin" lineno="151">
+<interface name="quota_admin" lineno="178">
<summary>
-All of the rules required to administrate
-an avahi environment
+All of the rules required to
+administrate an quota environment.
</summary>
<param name="domain">
<summary>
@@ -2807,73 +2978,91 @@ Domain allowed access.
</param>
<param name="role">
<summary>
-The role to be allowed to manage the avahi domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
-<module name="awstats" filename="policy/modules/contrib/awstats.if">
-<summary>
-AWStats is a free powerful and featureful tool that generates advanced
-web, streaming, ftp or mail server statistics, graphically.
-</summary>
-<interface name="awstats_rw_pipes" lineno="16">
+<module name="readahead" filename="policy/modules/admin/readahead.if">
+<summary>Read files into page cache for improved performance.</summary>
+<interface name="readahead_domtrans" lineno="14">
<summary>
-Read and write awstats unnamed pipes.
+Execute a domain transition
+to run readahead.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="awstats_cgi_exec" lineno="34">
+</module>
+<module name="rkhunter" filename="policy/modules/admin/rkhunter.if">
+<summary>rkhunter - rootkit checker.</summary>
+<interface name="rkhunter_domtrans" lineno="13">
<summary>
-Execute awstats cgi scripts in the caller domain.
+Execute a domain transition to run rkhunter.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-</module>
-<module name="backup" filename="policy/modules/contrib/backup.if">
-<summary>System backup scripts</summary>
-<interface name="backup_domtrans" lineno="13">
+<interface name="rkhunter_run" lineno="39">
<summary>
-Execute backup in the backup domain.
+Execute rkhunter in the rkhunter domain,
+and allow the specified role
+the rkhunter domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="backup_run" lineno="38">
+<tunable name="rkhunter_connect_http" dftval="false">
+<desc>
+<p>
+Determine whether rkhunter can connect
+to http ports. This is required by the
+--update option.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rpm" filename="policy/modules/admin/rpm.if">
+<summary>Redhat package manager.</summary>
+<interface name="rpm_domtrans" lineno="13">
<summary>
-Execute backup in the backup domain, and
-allow the specified role the backup domain.
+Execute rpm in the rpm domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="rpm_debuginfo_domtrans" lineno="33">
<summary>
-Role allowed access.
+Execute debuginfo install
+in the rpm domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="bacula" filename="policy/modules/contrib/bacula.if">
-<summary>bacula backup program</summary>
-<interface name="bacula_domtrans_admin" lineno="13">
+<interface name="rpm_domtrans_script" lineno="52">
<summary>
-Execute user interfaces in the bacula_admin domain.
+Execute rpm scripts in the rpm script domain.
</summary>
<param name="domain">
<summary>
@@ -2881,10 +3070,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bacula_run_admin" lineno="38">
+<interface name="rpm_run" lineno="82">
<summary>
-Execute user interfaces in the bacula_admin domain, and
-allow the specified role to transition to the bacula_admin domain.
+Execute rpm in the rpm domain,
+and allow the specified roles the
+rpm domain.
</summary>
<param name="domain">
<summary>
@@ -2898,22 +3088,19 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-</module>
-<module name="bcfg2" filename="policy/modules/contrib/bcfg2.if">
-<summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository</summary>
-<interface name="bcfg2_domtrans" lineno="13">
+<interface name="rpm_exec" lineno="101">
<summary>
-Execute bcfg2 in the bcfg2 domain..
+Execute the rpm in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_initrc_domtrans" lineno="32">
+<interface name="rpm_signull" lineno="120">
<summary>
-Execute bcfg2 server in the bcfg2 domain.
+Send null signals to rpm.
</summary>
<param name="domain">
<summary>
@@ -2921,9 +3108,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_search_lib" lineno="50">
+<interface name="rpm_use_fds" lineno="138">
<summary>
-Search bcfg2 lib directories.
+Inherit and use file descriptors from rpm.
</summary>
<param name="domain">
<summary>
@@ -2931,9 +3118,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_read_lib_files" lineno="69">
+<interface name="rpm_read_pipes" lineno="156">
<summary>
-Read bcfg2 lib files.
+Read rpm unnamed pipes.
</summary>
<param name="domain">
<summary>
@@ -2941,9 +3128,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_manage_lib_files" lineno="88">
+<interface name="rpm_rw_pipes" lineno="174">
<summary>
-Manage bcfg2 lib files.
+Read and write rpm unnamed pipes.
</summary>
<param name="domain">
<summary>
@@ -2951,9 +3138,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_manage_lib_dirs" lineno="107">
+<interface name="rpm_dbus_chat" lineno="193">
<summary>
-Manage bcfg2 lib directories.
+Send and receive messages from
+rpm over dbus.
</summary>
<param name="domain">
<summary>
@@ -2961,49 +3149,41 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bcfg2_admin" lineno="133">
+<interface name="rpm_dontaudit_dbus_chat" lineno="214">
<summary>
-All of the rules required to administrate
-an bcfg2 environment
+Do not audit attempts to send and
+receive messages from rpm over dbus.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="bind" filename="policy/modules/contrib/bind.if">
-<summary>Berkeley internet name domain DNS server.</summary>
-<interface name="bind_initrc_domtrans" lineno="13">
+<interface name="rpm_script_dbus_chat" lineno="235">
<summary>
-Execute bind server in the bind domain.
+Send and receive messages from
+rpm script over dbus.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_domtrans_ndc" lineno="31">
+<interface name="rpm_search_log" lineno="255">
<summary>
-Execute ndc in the ndc domain.
+Search rpm log directories.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_signal" lineno="49">
+<interface name="rpm_append_log" lineno="274">
<summary>
-Send generic signals to BIND.
+Append rpm log files.
</summary>
<param name="domain">
<summary>
@@ -3011,9 +3191,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_signull" lineno="67">
+<interface name="rpm_manage_log" lineno="294">
<summary>
-Send null sigals to BIND.
+Create, read, write, and delete
+rpm log files.
</summary>
<param name="domain">
<summary>
@@ -3021,9 +3202,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_kill" lineno="85">
+<interface name="rpm_use_script_fds" lineno="313">
<summary>
-Send BIND the kill signal
+Inherit and use rpm script file descriptors.
</summary>
<param name="domain">
<summary>
@@ -3031,36 +3212,31 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_run_ndc" lineno="110">
+<interface name="rpm_manage_script_tmp_files" lineno="332">
<summary>
-Execute ndc in the ndc domain, and
-allow the specified role the ndc domain.
+Create, read, write, and delete
+rpm script temporary files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
-</summary>
-</param>
-<param name="role">
-<summary>
-Role allowed access.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="bind_domtrans" lineno="129">
+<interface name="rpm_append_tmp_files" lineno="351">
<summary>
-Execute bind in the named domain.
+Append rpm temporary files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_read_dnssec_keys" lineno="147">
+<interface name="rpm_manage_tmp_files" lineno="371">
<summary>
-Read DNSSEC keys.
+Create, read, write, and delete
+rpm temporary files.
</summary>
<param name="domain">
<summary>
@@ -3068,9 +3244,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_read_config" lineno="165">
+<interface name="rpm_read_script_tmp_files" lineno="390">
<summary>
-Read BIND named configuration files.
+Read rpm script temporary files.
</summary>
<param name="domain">
<summary>
@@ -3078,9 +3254,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_write_config" lineno="183">
+<interface name="rpm_read_cache" lineno="410">
<summary>
-Write BIND named configuration files.
+Read rpm cache content.
</summary>
<param name="domain">
<summary>
@@ -3088,10 +3264,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_manage_config_dirs" lineno="203">
+<interface name="rpm_manage_cache" lineno="432">
<summary>
Create, read, write, and delete
-BIND configuration directories.
+rpm cache content.
</summary>
<param name="domain">
<summary>
@@ -3099,9 +3275,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_search_cache" lineno="221">
+<interface name="rpm_read_db" lineno="453">
<summary>
-Search the BIND cache directory.
+Read rpm lib content.
</summary>
<param name="domain">
<summary>
@@ -3109,10 +3285,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_manage_cache" lineno="243">
+<interface name="rpm_delete_db" lineno="475">
<summary>
-Create, read, write, and delete
-BIND cache files.
+Delete rpm lib files.
</summary>
<param name="domain">
<summary>
@@ -3120,9 +3295,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_setattr_pid_dirs" lineno="264">
+<interface name="rpm_manage_db" lineno="495">
<summary>
-Set the attributes of the BIND pid directory.
+Create, read, write, and delete
+rpm lib files.
</summary>
<param name="domain">
<summary>
@@ -3130,19 +3306,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_setattr_zone_dirs" lineno="282">
+<interface name="rpm_dontaudit_manage_db" lineno="517">
<summary>
-Set the attributes of the BIND zone directory.
+Do not audit attempts to create, read,
+write, and delete rpm lib content.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="bind_read_zone" lineno="300">
+<interface name="rpm_read_pid_files" lineno="538">
<summary>
-Read BIND zone files.
+Read rpm pid files.
</summary>
<param name="domain">
<summary>
@@ -3150,9 +3327,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_manage_zone" lineno="319">
+<interface name="rpm_manage_pid_files" lineno="558">
<summary>
-Manage BIND zone files.
+Create, read, write, and delete
+rpm pid files.
</summary>
<param name="domain">
<summary>
@@ -3160,20 +3338,31 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bind_udp_chat_named" lineno="338">
+<interface name="rpm_pid_filetrans_rpm_pid" lineno="588">
<summary>
-Send and receive datagrams to and from named. (Deprecated)
+Create specified objects in pid directories
+with the rpm pid file type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="bind_admin" lineno="359">
+<interface name="rpm_admin" lineno="613">
<summary>
-All of the rules required to administrate
-an bind environment
+All of the rules required to
+administrate an rpm environment.
</summary>
<param name="domain">
<summary>
@@ -3182,66 +3371,84 @@ Domain allowed access.
</param>
<param name="role">
<summary>
-The role to be allowed to manage the bind domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<tunable name="named_write_master_zones" dftval="false">
-<desc>
-<p>
-Allow BIND to write the master zone files.
-Generally this is used for dynamic DNS or zone transfers.
-</p>
-</desc>
-</tunable>
</module>
-<module name="bitlbee" filename="policy/modules/contrib/bitlbee.if">
-<summary>Bitlbee service</summary>
-<interface name="bitlbee_read_config" lineno="13">
+<module name="samhain" filename="policy/modules/admin/samhain.if">
+<summary>Check file integrity.</summary>
+<template name="samhain_service_template" lineno="13">
<summary>
-Read bitlbee configuration files
+The template to define a samhain domain.
+</summary>
+<param name="domain_prefix">
+<summary>
+Domain prefix to be used.
+</summary>
+</param>
+</template>
+<interface name="samhain_domtrans" lineno="38">
+<summary>
+Execute samhain in the samhain domain
</summary>
<param name="domain">
<summary>
-Domain allowed accesss.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bitlbee_admin" lineno="40">
+<interface name="samhain_run" lineno="82">
<summary>
-All of the rules required to administrate
-an bitlbee environment
+Execute samhain in the samhain
+domain with the clearance security
+level and allow the specifiled role
+the samhain domain.
</summary>
+<desc>
+<p>
+Execute samhain in the samhain
+domain with the clearance security
+level and allow the specifiled role
+the samhain domain.
+</p>
+<p>
+The range_transition rule used in
+this interface requires that the
+calling domain should have the
+clearance security level otherwise
+the MLS constraint for process
+transition would fail.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the bitlbee domain.
+Role allowed to access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="blueman" filename="policy/modules/contrib/blueman.if">
-<summary>Blueman is a tool to manage Bluetooth devices</summary>
-<interface name="blueman_domtrans" lineno="13">
+<interface name="samhain_manage_config_files" lineno="107">
<summary>
-Execute blueman in the blueman domain..
+Create, read, write, and delete
+samhain configuration files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="blueman_dbus_chat" lineno="33">
+<interface name="samhain_manage_db_files" lineno="127">
<summary>
-Send and receive messages from
-blueman over dbus.
+Create, read, write, and delete
+samhain database files.
</summary>
<param name="domain">
<summary>
@@ -3249,9 +3456,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="blueman_search_lib" lineno="53">
+<interface name="samhain_manage_init_script_files" lineno="147">
<summary>
-Search blueman lib directories.
+Create, read, write, and delete
+samhain init script files.
</summary>
<param name="domain">
<summary>
@@ -3259,9 +3467,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="blueman_read_lib_files" lineno="72">
+<interface name="samhain_manage_log_files" lineno="167">
<summary>
-Read blueman lib files.
+Create, read, write, and delete
+samhain log and log.lock files.
</summary>
<param name="domain">
<summary>
@@ -3269,10 +3478,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="blueman_manage_lib_files" lineno="92">
+<interface name="samhain_manage_pid_files" lineno="187">
<summary>
Create, read, write, and delete
-blueman lib files.
+samhain pid files.
</summary>
<param name="domain">
<summary>
@@ -3280,69 +3489,87 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="bluetooth" filename="policy/modules/contrib/bluetooth.if">
-<summary>Bluetooth tools and system services.</summary>
-<interface name="bluetooth_role" lineno="18">
+<interface name="samhain_admin" lineno="213">
<summary>
-Role access for bluetooth
+All of the rules required to
+administrate the samhain environment.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
-<param name="domain">
+<param name="role" unused="true">
<summary>
-User domain for the role
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="bluetooth_stream_connect" lineno="51">
+</module>
+<module name="sblim" filename="policy/modules/admin/sblim.if">
+<summary>Standards Based Linux Instrumentation for Manageability.</summary>
+<interface name="sblim_domtrans_gatherd" lineno="13">
<summary>
-Connect to bluetooth over a unix domain
-stream socket.
+Execute gatherd in the gatherd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bluetooth_domtrans" lineno="71">
+<interface name="sblim_read_pid_files" lineno="32">
<summary>
-Execute bluetooth in the bluetooth domain.
+Read gatherd pid files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bluetooth_read_config" lineno="89">
+<interface name="sblim_admin" lineno="58">
<summary>
-Read bluetooth daemon configuration.
+All of the rules required to
+administrate an sblim environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="bluetooth_dbus_chat" lineno="108">
+</module>
+<module name="sectoolm" filename="policy/modules/admin/sectoolm.if">
+<summary>Sectool security audit tool.</summary>
+<interface name="sectoolm_role" lineno="18">
<summary>
-Send and receive messages from
-bluetooth over dbus.
+Role access for sectoolm.
+</summary>
+<param name="role" unused="true">
+<summary>
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="bluetooth_domtrans_helper" lineno="128">
+</module>
+<module name="shorewall" filename="policy/modules/admin/shorewall.if">
+<summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
+<interface name="shorewall_domtrans" lineno="13">
<summary>
-Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
+Execute a domain transition to run shorewall.
</summary>
<param name="domain">
<summary>
@@ -3350,75 +3577,60 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="bluetooth_run_helper" lineno="154">
+<interface name="shorewall_lib_domtrans" lineno="33">
<summary>
-Execute bluetooth_helper in the bluetooth_helper domain, and
-allow the specified role the bluetooth_helper domain. (Deprecated)
+Execute a domain transition to run shorewall
+using executables from /var/lib.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="shorewall_read_config" lineno="52">
<summary>
-Role allowed access.
+Read shorewall configuration files.
</summary>
-</param>
-<param name="terminal">
+<param name="domain">
<summary>
-The type of the terminal allow the bluetooth_helper domain to use.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="bluetooth_dontaudit_read_helper_state" lineno="168">
+<interface name="shorewall_read_pid_files" lineno="71">
<summary>
-Read bluetooth helper state files.
+Read shorewall pid files.
</summary>
-<param name="domain">
+<param name="domain" unused="true">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bluetooth_admin" lineno="194">
+<interface name="shorewall_rw_pid_files" lineno="85">
<summary>
-All of the rules required to administrate
-an bluetooth environment
+Read and write shorewall pid files.
</summary>
-<param name="domain">
+<param name="domain" unused="true">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
-<summary>
-The role to be allowed to manage the bluetooth domain.
-</summary>
-</param>
-<rolecap/>
</interface>
-</module>
-<module name="brctl" filename="policy/modules/contrib/brctl.if">
-<summary>Utilities for configuring the linux ethernet bridge</summary>
-<interface name="brctl_domtrans" lineno="13">
+<interface name="shorewall_read_lib_files" lineno="99">
<summary>
-Execute a domain transition to run brctl.
+Read shorewall lib files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="bugzilla" filename="policy/modules/contrib/bugzilla.if">
-<summary>Bugzilla server</summary>
-<interface name="bugzilla_search_content" lineno="14">
+<interface name="shorewall_rw_lib_files" lineno="118">
<summary>
-Allow the specified domain to search
-bugzilla directories.
+Read and write shorewall lib files.
</summary>
<param name="domain">
<summary>
@@ -3426,21 +3638,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bugzilla_dontaudit_rw_stream_sockets" lineno="33">
+<interface name="shorewall_read_tmp_files" lineno="137">
<summary>
-Do not audit attempts to read and write
-bugzilla script unix domain stream sockets.
+Read shorewall temporary files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="bugzilla_admin" lineno="58">
+<interface name="shorewall_admin" lineno="163">
<summary>
-All of the rules required to administrate
-an bugzilla environment
+All of the rules required to
+administrate an shorewall environment.
</summary>
<param name="domain">
<summary>
@@ -3449,70 +3660,69 @@ Domain allowed access.
</param>
<param name="role">
<summary>
-The role to be allowed to manage the bugzilla domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
-<module name="calamaris" filename="policy/modules/contrib/calamaris.if">
-<summary>Squid log analysis</summary>
-<interface name="calamaris_read_www_files" lineno="13">
+<module name="shutdown" filename="policy/modules/admin/shutdown.if">
+<summary>System shutdown command.</summary>
+<interface name="shutdown_role" lineno="18">
+<summary>
+Role access for shutdown.
+</summary>
+<param name="role">
<summary>
-Allow domain to read calamaris www files.
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-</module>
-<module name="canna" filename="policy/modules/contrib/canna.if">
-<summary>Canna - kana-kanji conversion server</summary>
-<interface name="canna_stream_connect" lineno="13">
+<interface name="shutdown_domtrans" lineno="39">
<summary>
-Connect to Canna using a unix domain stream socket.
+Execute a domain transition to run shutdown.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="canna_admin" lineno="39">
+<interface name="shutdown_run" lineno="65">
<summary>
-All of the rules required to administrate
-an canna environment
+Execute shutdown in the shutdown
+domain, and allow the specified role
+the shutdown domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the canna domain.
+Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="ccs" filename="policy/modules/contrib/ccs.if">
-<summary>Cluster Configuration System</summary>
-<interface name="ccs_domtrans" lineno="13">
+<interface name="shutdown_signal" lineno="84">
<summary>
-Execute a domain transition to run ccs.
+Send generic signals to shutdown.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ccs_stream_connect" lineno="31">
+<interface name="shutdown_sigchld" lineno="102">
<summary>
-Connect to ccs over an unix stream socket.
+Send SIGCHLD signals to shutdown.
</summary>
<param name="domain">
<summary>
@@ -3520,9 +3730,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ccs_read_config" lineno="50">
+<interface name="shutdown_getattr_exec_files" lineno="120">
<summary>
-Read cluster configuration files.
+Get attributes of shutdown executable files.
</summary>
<param name="domain">
<summary>
@@ -3530,59 +3740,57 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ccs_manage_config" lineno="68">
+</module>
+<module name="smoltclient" filename="policy/modules/admin/smoltclient.if">
+<summary>The Fedora hardware profiler client.</summary>
+</module>
+<module name="sosreport" filename="policy/modules/admin/sosreport.if">
+<summary>Generate debugging information for system.</summary>
+<interface name="sosreport_domtrans" lineno="13">
<summary>
-Manage cluster configuration files.
+Execute a domain transition to run sosreport.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-</module>
-<module name="cdrecord" filename="policy/modules/contrib/cdrecord.if">
-<summary>Policy for cdrecord</summary>
-<interface name="cdrecord_role" lineno="18">
+<interface name="sosreport_run" lineno="39">
<summary>
-Role access for cdrecord
+Execute sosreport in the sosreport
+domain, and allow the specified
+role the sosreport domain.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
-<param name="domain">
+<param name="role">
<summary>
-User domain for the role
+Role allowed access.
</summary>
</param>
</interface>
-<tunable name="cdrecord_read_content" dftval="false">
-<desc>
-<p>
-Allow cdrecord to read various content.
-nfs, samba, removable devices, user temp
-and untrusted content files
-</p>
-</desc>
-</tunable>
-</module>
-<module name="certmaster" filename="policy/modules/contrib/certmaster.if">
-<summary>Certmaster SSL certificate distribution service</summary>
-<interface name="certmaster_domtrans" lineno="13">
+<interface name="sosreport_role" lineno="63">
<summary>
-Execute a domain transition to run certmaster.
+Role access for sosreport.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="certmaster_exec" lineno="31">
+<interface name="sosreport_read_tmp_files" lineno="84">
<summary>
-Execute certmaster in the caller domain.
+Read sosreport temporary files.
</summary>
<param name="domain">
<summary>
@@ -3590,9 +3798,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="certmaster_read_log" lineno="50">
+<interface name="sosreport_append_tmp_files" lineno="103">
<summary>
-read certmaster logs.
+Append sosreport temporary files.
</summary>
<param name="domain">
<summary>
@@ -3600,9 +3808,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="certmaster_append_log" lineno="69">
+<interface name="sosreport_delete_tmp_files" lineno="122">
<summary>
-Append to certmaster logs.
+Delete sosreport temporary files.
</summary>
<param name="domain">
<summary>
@@ -3610,10 +3818,61 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="certmaster_manage_log" lineno="89">
+</module>
+<module name="su" filename="policy/modules/admin/su.if">
+<summary>Run shells with substitute user and group.</summary>
+<template name="su_restricted_domain_template" lineno="31">
<summary>
-Create, read, write, and delete
-certmaster logs.
+Restricted su domain template.
+</summary>
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run shells as a different
+user.
+</p>
+</desc>
+<param name="userdomain_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+</template>
+<template name="su_role_template" lineno="144">
+<summary>
+The role template for the su module.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="su_exec" lineno="280">
+<summary>
+Execute su in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -3621,60 +3880,96 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="certmaster_admin" lineno="116">
+</module>
+<module name="sudo" filename="policy/modules/admin/sudo.if">
+<summary>Execute a command with a substitute user</summary>
+<template name="sudo_role_template" lineno="31">
<summary>
-All of the rules required to administrate
-an snort environment
+The role template for the sudo module.
</summary>
-<param name="domain">
+<desc>
+<p>
+This template creates a derived domain which is allowed
+to change the linux user id, to run commands as a different
+user.
+</p>
+</desc>
+<param name="role_prefix">
<summary>
-Domain allowed access.
+The prefix of the user role (e.g., user
+is the prefix for user_r).
</summary>
</param>
-<param name="role">
+<param name="user_role">
<summary>
-The role to be allowed to manage the syslog domain.
+The user role.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain associated with the role.
+</summary>
+</param>
+</template>
+<interface name="sudo_sigchld" lineno="184">
+<summary>
+Send a SIGCHLD signal to the sudo domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="certmonger" filename="policy/modules/contrib/certmonger.if">
-<summary>Certificate status monitor and PKI enrollment client</summary>
-<interface name="certmonger_domtrans" lineno="13">
+<module name="sxid" filename="policy/modules/admin/sxid.if">
+<summary>SUID/SGID program monitoring.</summary>
+<interface name="sxid_read_log" lineno="14">
<summary>
-Execute a domain transition to run certmonger.
+Read sxid log files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="certmonger_dbus_chat" lineno="32">
+</module>
+<module name="tboot" filename="policy/modules/admin/tboot.if">
+<summary>Utilities for the tboot TXT module.</summary>
+<interface name="tboot_domtrans_txtstat" lineno="13">
<summary>
-Send and receive messages from
-certmonger over dbus.
+Execute txt-stat in the txtstat domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="certmonger_initrc_domtrans" lineno="52">
+<interface name="tboot_run_txtstat" lineno="38">
<summary>
-Execute certmonger server in the certmonger domain.
+Execute txt-stat in the txtstat domain, and
+allow the specified role the txtstat domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+The role to be allowed the txtstat domain.
+</summary>
+</param>
</interface>
-<interface name="certmonger_read_pid_files" lineno="70">
+</module>
+<module name="tmpreaper" filename="policy/modules/admin/tmpreaper.if">
+<summary>Manage temporary directory sizes and file ages.</summary>
+<interface name="tmpreaper_exec" lineno="13">
<summary>
-Read certmonger PID files.
+Execute tmpreaper in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -3682,45 +3977,56 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="certmonger_search_lib" lineno="89">
+</module>
+<module name="tripwire" filename="policy/modules/admin/tripwire.if">
+<summary>File integrity checker.</summary>
+<interface name="tripwire_domtrans_tripwire" lineno="13">
<summary>
-Search certmonger lib directories.
+Execute tripwire in the tripwire domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="certmonger_read_lib_files" lineno="108">
+<interface name="tripwire_run_tripwire" lineno="40">
<summary>
-Read certmonger lib files.
+Execute tripwire in the tripwire
+domain, and allow the specified
+role the tripwire domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="certmonger_manage_lib_files" lineno="128">
+<interface name="tripwire_domtrans_twadmin" lineno="59">
<summary>
-Create, read, write, and delete
-certmonger lib files.
+Execute twadmin in the twadmin domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="certmonger_admin" lineno="154">
+<interface name="tripwire_run_twadmin" lineno="86">
<summary>
-All of the rules required to administrate
-an certmonger environment
+Execute twadmin in the twadmin
+domain, and allow the specified
+role the twadmin domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
@@ -3730,12 +4036,9 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-</module>
-<module name="certwatch" filename="policy/modules/contrib/certwatch.if">
-<summary>Digital Certificate Tracking</summary>
-<interface name="certwatch_domtrans" lineno="13">
+<interface name="tripwire_domtrans_twprint" lineno="105">
<summary>
-Domain transition to certwatch.
+Execute twprint in the twprint domain.
</summary>
<param name="domain">
<summary>
@@ -3743,12 +4046,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="certwatch_run" lineno="42">
+<interface name="tripwire_run_twprint" lineno="132">
<summary>
-Execute certwatch in the certwatch domain, and
-allow the specified role the certwatch domain,
-and use the caller's terminal. Has a sigchld
-backchannel.
+Execute twprint in the twprint
+domain, and allow the specified
+role the twprint domain.
</summary>
<param name="domain">
<summary>
@@ -3762,37 +4064,40 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-<interface name="certwatach_run" lineno="75">
+<interface name="tripwire_domtrans_siggen" lineno="151">
<summary>
-Execute certwatch in the certwatch domain, and
-allow the specified role the certwatch domain,
-and use the caller's terminal. Has a sigchld
-backchannel. (Deprecated)
+Execute siggen in the siggen domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="tripwire_run_siggen" lineno="178">
<summary>
-Role allowed access.
+Execute siggen in the siggen domain,
+and allow the specified role
+the siggen domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
</param>
-<param name="terminal">
+<param name="role">
<summary>
-The type of the terminal allow the certwatch domain to use.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
</module>
-<module name="cgroup" filename="policy/modules/contrib/cgroup.if">
-<summary>libcg is a library that abstracts the control group file system in Linux.</summary>
-<interface name="cgroup_domtrans_cgclear" lineno="14">
+<module name="tzdata" filename="policy/modules/admin/tzdata.if">
+<summary>Time zone updater.</summary>
+<interface name="tzdata_domtrans" lineno="13">
<summary>
-Execute a domain transition to run
-CG Clear.
+Execute a domain transition to run tzdata.
</summary>
<param name="domain">
<summary>
@@ -3800,21 +4105,30 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cgroup_domtrans_cgconfig" lineno="34">
+<interface name="tzdata_run" lineno="40">
<summary>
-Execute a domain transition to run
-CG config parser.
+Execute tzdata in the tzdata domain,
+and allow the specified role
+the tzdata domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="cgroup_initrc_domtrans_cgconfig" lineno="54">
+</module>
+<module name="updfstab" filename="policy/modules/admin/updfstab.if">
+<summary>Red Hat utility to change fstab.</summary>
+<interface name="updfstab_domtrans" lineno="13">
<summary>
-Execute a domain transition to run
-CG config parser.
+Execute updfstab in the updfstab domain.
</summary>
<param name="domain">
<summary>
@@ -3822,10 +4136,12 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cgroup_domtrans_cgred" lineno="73">
+</module>
+<module name="usbmodules" filename="policy/modules/admin/usbmodules.if">
+<summary>List kernel modules of USB devices.</summary>
+<interface name="usbmodules_domtrans" lineno="13">
<summary>
-Execute a domain transition to run
-CG rules engine daemon.
+Execute usbmodules in the usbmodules domain.
</summary>
<param name="domain">
<summary>
@@ -3833,24 +4149,41 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cgroup_initrc_domtrans_cgred" lineno="94">
+<interface name="usbmodules_run" lineno="40">
<summary>
-Execute a domain transition to run
-CG rules engine daemon.
-domain.
+Execute usbmodules in the usbmodules
+domain, and allow the specified
+role the usbmodules domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="cgroup_run_cgclear" lineno="121">
+</module>
+<module name="usermanage" filename="policy/modules/admin/usermanage.if">
+<summary>Policy for managing user accounts.</summary>
+<interface name="usermanage_domtrans_chfn" lineno="13">
<summary>
-Execute a domain transition to
-run CG Clear and allow the
-specified role the CG Clear
-domain.
+Execute chfn in the chfn domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="usermanage_run_chfn" lineno="42">
+<summary>
+Execute chfn in the chfn domain, and
+allow the specified role the chfn domain.
</summary>
<param name="domain">
<summary>
@@ -3862,27 +4195,25 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="cgroup_stream_connect_cgred" lineno="141">
+<interface name="usermanage_domtrans_groupadd" lineno="61">
<summary>
-Connect to CG rules engine daemon
-over unix stream sockets.
+Execute groupadd in the groupadd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cgroup_admin" lineno="167">
+<interface name="usermanage_run_groupadd" lineno="91">
<summary>
-All of the rules required to administrate
-an cgroup environment.
+Execute groupadd in the groupadd domain, and
+allow the specified role the groupadd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
@@ -3892,12 +4223,9 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-</module>
-<module name="chronyd" filename="policy/modules/contrib/chronyd.if">
-<summary>Chrony NTP background daemon</summary>
-<interface name="chronyd_domtrans" lineno="13">
+<interface name="usermanage_domtrans_passwd" lineno="110">
<summary>
-Execute chronyd in the chronyd domain.
+Execute passwd in the passwd domain.
</summary>
<param name="domain">
<summary>
@@ -3905,9 +4233,9 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="chronyd_exec" lineno="32">
+<interface name="usermanage_kill_passwd" lineno="133">
<summary>
-Execute chronyd
+Send sigkills to passwd.
</summary>
<param name="domain">
<summary>
@@ -3915,9 +4243,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="chronyd_read_log" lineno="50">
+<interface name="usermanage_check_exec_passwd" lineno="151">
<summary>
-Read chronyd logs.
+Check if the passwd binary is executable.
</summary>
<param name="domain">
<summary>
@@ -3925,32 +4253,26 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="chronyd_admin" lineno="76">
+<interface name="usermanage_run_passwd" lineno="175">
<summary>
-All of the rules required to administrate
-an chronyd environment
+Execute passwd in the passwd domain, and
+allow the specified role the passwd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the chronyd domain.
+Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="cipe" filename="policy/modules/contrib/cipe.if">
-<summary>Encrypted tunnel daemon</summary>
-</module>
-<module name="clamav" filename="policy/modules/contrib/clamav.if">
-<summary>ClamAV Virus Scanner</summary>
-<interface name="clamav_domtrans" lineno="13">
+<interface name="usermanage_domtrans_admin_passwd" lineno="195">
<summary>
-Execute a domain transition to run clamd.
+Execute password admin functions in
+the admin passwd domain.
</summary>
<param name="domain">
<summary>
@@ -3958,40 +4280,47 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="clamav_stream_connect" lineno="31">
+<interface name="usermanage_run_admin_passwd" lineno="222">
<summary>
-Connect to run clamd.
+Execute passwd admin functions in the admin
+passwd domain, and allow the specified role
+the admin passwd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="clamav_append_log" lineno="50">
+<interface name="usermanage_dontaudit_use_useradd_fds" lineno="241">
<summary>
-Allow the specified domain to append
-to clamav log files.
+Do not audit attempts to use useradd fds.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="clamav_read_config" lineno="70">
+<interface name="usermanage_domtrans_useradd" lineno="259">
<summary>
-Read clamav configuration files.
+Execute useradd in the useradd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="clamav_search_lib" lineno="89">
+<interface name="usermanage_check_exec_useradd" lineno="282">
<summary>
-Search clamav libraries directories.
+Check if the useradd binaries are executable.
</summary>
<param name="domain">
<summary>
@@ -3999,19 +4328,26 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="clamav_domtrans_clamscan" lineno="108">
+<interface name="usermanage_run_useradd" lineno="307">
<summary>
-Execute a domain transition to run clamscan.
+Execute useradd in the useradd domain, and
+allow the specified role the useradd domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="clamav_exec_clamscan" lineno="126">
+<interface name="usermanage_read_crack_db" lineno="326">
<summary>
-Execute clamscan without a transition.
+Read the crack database.
</summary>
<param name="domain">
<summary>
@@ -4019,36 +4355,51 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="clamav_admin" lineno="151">
+</module>
+<module name="vbetool" filename="policy/modules/admin/vbetool.if">
+<summary>run real-mode video BIOS code to alter hardware state.</summary>
+<interface name="vbetool_domtrans" lineno="13">
<summary>
-All of the rules required to administrate
-an clamav environment
+Execute vbetool in the vbetool domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="vbetool_run" lineno="39">
+<summary>
+Execute vbetool in the vbetool
+domain, and allow the specified
+role the vbetool domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed to manage the clamav domain.
+Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="clamd_use_jit" dftval="false">
+<tunable name="vbetool_mmap_zero_ignore" dftval="false">
<desc>
<p>
-Allow clamd to use JIT compiler
+Determine whether attempts by
+vbetool to mmap low regions should
+be silently blocked.
</p>
</desc>
</tunable>
</module>
-<module name="clockspeed" filename="policy/modules/contrib/clockspeed.if">
-<summary>Clockspeed simple network time protocol client</summary>
-<interface name="clockspeed_domtrans_cli" lineno="13">
+<module name="vpn" filename="policy/modules/admin/vpn.if">
+<summary>Virtual Private Networking client.</summary>
+<interface name="vpn_domtrans" lineno="13">
<summary>
-Execute clockspeed utilities in the clockspeed_cli domain.
+Execute vpn clients in the vpnc domain.
</summary>
<param name="domain">
<summary>
@@ -4056,9 +4407,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="clockspeed_run_cli" lineno="37">
+<interface name="vpn_run" lineno="40">
<summary>
-Allow the specified role the clockspeed_cli domain.
+Execute vpn clients in the vpnc
+domain, and allow the specified
+role the vpnc domain.
</summary>
<param name="domain">
<summary>
@@ -4072,23 +4425,29 @@ Role allowed access.
</param>
<rolecap/>
</interface>
-</module>
-<module name="clogd" filename="policy/modules/contrib/clogd.if">
-<summary>clogd - Clustered Mirror Log Server</summary>
-<interface name="clogd_domtrans" lineno="13">
+<interface name="vpn_kill" lineno="59">
<summary>
-Execute a domain transition to run clogd.
+Send kill signals to vpnc.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="clogd_stream_connect" lineno="33">
+<interface name="vpn_signal" lineno="77">
<summary>
-Connect to clogd over a unix domain
-stream socket.
+Send generic signals to vpnc.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="vpn_signull" lineno="95">
+<summary>
+Send null signals to vpnc.
</summary>
<param name="domain">
<summary>
@@ -4096,9 +4455,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="clogd_rw_semaphores" lineno="52">
+<interface name="vpn_dbus_chat" lineno="114">
<summary>
-Allow read and write access to clogd semaphores.
+Send and receive messages from
+vpnc over dbus.
</summary>
<param name="domain">
<summary>
@@ -4106,9 +4466,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="clogd_rw_shm" lineno="70">
+<interface name="vpn_relabelfrom_tun_socket" lineno="134">
<summary>
-Read and write to group shared memory.
+Relabelfrom from vpnc socket.
</summary>
<param name="domain">
<summary>
@@ -4117,11 +4477,14 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="cmirrord" filename="policy/modules/contrib/cmirrord.if">
-<summary>Cluster mirror log daemon</summary>
-<interface name="cmirrord_domtrans" lineno="13">
+</layer>
+<layer name="apps">
+<summary>Policy modules for applications</summary>
+<module name="ada" filename="policy/modules/apps/ada.if">
+<summary>GNAT Ada95 compiler.</summary>
+<interface name="ada_domtrans" lineno="13">
<summary>
-Execute a domain transition to run cmirrord.
+Execute the ada program in the ada domain.
</summary>
<param name="domain">
<summary>
@@ -4129,29 +4492,88 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cmirrord_initrc_domtrans" lineno="31">
+<interface name="ada_run" lineno="38">
<summary>
-Execute cmirrord server in the cmirrord domain.
+Execute ada in the ada domain, and
+allow the specified role the ada domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="cmirrord_read_pid_files" lineno="49">
+</module>
+<module name="awstats" filename="policy/modules/apps/awstats.if">
+<summary>Log file analyzer for advanced statistics.</summary>
+<interface name="awstats_domtrans" lineno="14">
<summary>
-Read cmirrord PID files.
+Execute the awstats program in
+the awstats domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cmirrord_rw_shm" lineno="68">
+<tunable name="awstats_purge_apache_log_files" dftval="false">
+<desc>
+<p>
+Determine whether awstats can
+purge httpd log files.
+</p>
+</desc>
+</tunable>
+<tunable name="allow_httpd_awstats_script_anon_write" dftval="false">
+<desc>
+<p>
+Determine whether the script domain can
+modify public files used for public file
+transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="calamaris" filename="policy/modules/apps/calamaris.if">
+<summary>Squid log analysis.</summary>
+<interface name="calamaris_domtrans" lineno="14">
<summary>
-Read and write to cmirrord shared memory.
+Execute the calamaris in
+the calamaris domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="calamaris_run" lineno="40">
+<summary>
+Execute calamaris in the
+calamaris domain, and allow the
+specified role the calamaris domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="calamaris_read_www_files" lineno="59">
+<summary>
+Read calamaris www files.
</summary>
<param name="domain">
<summary>
@@ -4159,10 +4581,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cmirrord_admin" lineno="98">
+<interface name="calamaris_admin" lineno="86">
<summary>
-All of the rules required to administrate
-an cmirrord environment
+All of the rules required to
+administrate an calamaris environment.
</summary>
<param name="domain">
<summary>
@@ -4177,120 +4599,186 @@ Role allowed access.
<rolecap/>
</interface>
</module>
-<module name="cobbler" filename="policy/modules/contrib/cobbler.if">
-<summary>Cobbler installation server.</summary>
-<desc>
-<p>
-Cobbler is a Linux installation server that allows for
-rapid setup of network installation environments. It
-glues together and automates many associated Linux
-tasks so you do not have to hop between lots of various
-commands and applications when rolling out new systems,
-and, in some cases, changing existing ones.
-</p>
-</desc>
-<interface name="cobblerd_domtrans" lineno="23">
+<module name="cdrecord" filename="policy/modules/apps/cdrecord.if">
+<summary>Record audio or data Compact Discs from a master.</summary>
+<interface name="cdrecord_role" lineno="18">
<summary>
-Execute a domain transition to run cobblerd.
+Role access for cdrecord.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="cobblerd_initrc_domtrans" lineno="41">
+<interface name="cdrecord_exec" lineno="44">
<summary>
-Execute cobblerd server in the cobblerd domain.
+Execute cdrecord in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cobbler_read_config" lineno="59">
+<tunable name="cdrecord_read_content" dftval="false">
+<desc>
+<p>
+Determine whether cdrecord can read
+various content. nfs, samba, removable
+devices, user temp and untrusted
+content files
+</p>
+</desc>
+</tunable>
+</module>
+<module name="chromium" filename="policy/modules/apps/chromium.if">
+<summary>Chromium browser</summary>
+<interface name="chromium_role" lineno="18">
<summary>
-Read Cobbler content in /etc
+Role access for chromium
</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role
</summary>
</param>
</interface>
-<interface name="cobbler_dontaudit_rw_log" lineno="79">
+<interface name="chromium_rw_tmp_pipes" lineno="57">
<summary>
-Do not audit attempts to read and write
-Cobbler log files (leaked fd).
+Read-write access to Chromiums' temporary fifo files
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="cobbler_search_lib" lineno="97">
+<interface name="chromium_tmp_filetrans" lineno="86">
<summary>
-Search cobbler dirs in /var/lib
+Automatically use the specified type for resources created in chromium's
+temporary locations
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain that creates the resource(s)
</summary>
</param>
-</interface>
-<interface name="cobbler_read_lib_files" lineno="116">
+<param name="class">
<summary>
-Read cobbler files in /var/lib
+Type of the resource created
</summary>
-<param name="domain">
+</param>
+<param name="filename" optional="true">
<summary>
-Domain allowed access.
+The name of the resource being created
</summary>
</param>
</interface>
-<interface name="cobbler_manage_lib_files" lineno="135">
+<interface name="chromium_domtrans" lineno="105">
<summary>
-Manage cobbler files in /var/lib
+Execute a domain transition to the chromium domain (chromium_t)
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="cobblerd_admin" lineno="161">
+<interface name="chromium_run" lineno="130">
<summary>
-All of the rules required to administrate
-an cobblerd environment
+Execute chromium in the chromium domain and allow the specified role to access the chromium domain
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
<param name="role">
<summary>
-Role allowed access.
+Role allowed access
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="cobbler_anon_write" dftval="false">
+<tunable name="chromium_read_system_info" dftval="false">
<desc>
<p>
-Allow Cobbler to modify public files
-used for public file transfer services.
+Allow chromium to read system information
+</p>
+<p>
+Although not needed for regular browsing, this will allow chromium to update
+its own memory consumption based on system state, support additional
+debugging, detect specific devices, etc.
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_bind_tcp_unreserved_ports" dftval="false">
+<desc>
+<p>
+Allow chromium to bind to tcp ports
+</p>
+<p>
+Although not needed for regular browsing, some chrome extensions need to
+bind to tcp ports and accept connections.
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_rw_usb_dev" dftval="false">
+<desc>
+<p>
+Allow chromium to read/write USB devices
+</p>
+<p>
+Although not needed for regular browsing, used for debugging over usb
+or using FIDO U2F tokens.
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the chromium domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the chromium domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the chromium domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="chromium_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the chromium domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
-<module name="colord" filename="policy/modules/contrib/colord.if">
-<summary>GNOME color manager</summary>
-<interface name="colord_domtrans" lineno="13">
+<module name="cpufreqselector" filename="policy/modules/apps/cpufreqselector.if">
+<summary>Command-line CPU frequency settings.</summary>
+<interface name="cpufreqselector_dbus_chat" lineno="14">
<summary>
-Execute a domain transition to run colord.
+Send and receive messages from
+cpufreq-selector over dbus.
</summary>
<param name="domain">
<summary>
@@ -4298,47 +4786,53 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="colord_dbus_chat" lineno="32">
+</module>
+<module name="evolution" filename="policy/modules/apps/evolution.if">
+<summary>Evolution email client.</summary>
+<interface name="evolution_role" lineno="18">
<summary>
-Send and receive messages from
-colord over dbus.
+Role access for evolution.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="colord_read_lib_files" lineno="52">
+<interface name="evolution_home_filetrans" lineno="99">
<summary>
-Read colord lib files.
+Create objects in the evolution home
+directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-</module>
-<module name="comsat" filename="policy/modules/contrib/comsat.if">
-<summary>Comsat, a biff server.</summary>
-</module>
-<module name="consolekit" filename="policy/modules/contrib/consolekit.if">
-<summary>Framework for facilitating multiple user sessions on desktops.</summary>
-<interface name="consolekit_domtrans" lineno="13">
+<param name="private_type">
<summary>
-Execute a domain transition to run consolekit.
+Private file type.
</summary>
-<param name="domain">
+</param>
+<param name="object_class">
<summary>
-Domain allowed to transition.
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="consolekit_dbus_chat" lineno="32">
+<interface name="evolution_read_home_files" lineno="118">
<summary>
-Send and receive messages from
-consolekit over dbus.
+Read evolution home files.
</summary>
<param name="domain">
<summary>
@@ -4346,9 +4840,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="consolekit_read_log" lineno="52">
+<interface name="evolution_stream_connect" lineno="137">
<summary>
-Read consolekit log files.
+Connect to evolution using a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -4356,9 +4851,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="consolekit_manage_log" lineno="71">
+<interface name="evolution_read_orbit_tmp_files" lineno="158">
<summary>
-Manage consolekit log files.
+Read evolution orbit temporary
+files.
</summary>
<param name="domain">
<summary>
@@ -4366,9 +4862,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="consolekit_read_pid_files" lineno="90">
+<interface name="evolution_dbus_chat" lineno="179">
<summary>
-Read consolekit PID files.
+Send and receive messages from
+evolution over dbus.
</summary>
<param name="domain">
<summary>
@@ -4376,22 +4873,21 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="corosync" filename="policy/modules/contrib/corosync.if">
-<summary>Corosync Cluster Engine</summary>
-<interface name="corosync_domtrans" lineno="13">
+<interface name="evolution_alarm_dbus_chat" lineno="200">
<summary>
-Execute a domain transition to run corosync.
+Send and receive messages from
+evolution_alarm over dbus.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="corosync_read_log" lineno="31">
+<interface name="evolution_domtrans" lineno="221">
<summary>
-Allow the specified domain to read corosync's log files.
+Make a domain transition to the
+evolution target domain.
</summary>
<param name="domain">
<summary>
@@ -4399,10 +4895,50 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="corosync_stream_connect" lineno="52">
+<tunable name="evolution_manage_user_certs" dftval="false">
+<desc>
+<p>
+Allow evolution to create and write
+user certificates in addition to
+being able to read them
+</p>
+</desc>
+</tunable>
+<tunable name="evolution_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the evolution domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="evolution_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the evolution domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="evolution_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the evolution domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="evolution_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the evolution domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="firewallgui" filename="policy/modules/apps/firewallgui.if">
+<summary>system-config-firewall dbus system service.</summary>
+<interface name="firewallgui_dbus_chat" lineno="14">
<summary>
-Connect to corosync over a unix domain
-stream socket.
+Send and receive messages from
+firewallgui over dbus.
</summary>
<param name="domain">
<summary>
@@ -4410,130 +4946,128 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="corosyncd_admin" lineno="78">
+<interface name="firewallgui_dontaudit_rw_pipes" lineno="35">
<summary>
-All of the rules required to administrate
-an corosync environment
+Do not audit attempts to read and
+write firewallgui unnamed pipes.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
-</summary>
-</param>
-<param name="role">
-<summary>
-The role to be allowed to manage the corosyncd domain.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="courier" filename="policy/modules/contrib/courier.if">
-<summary>Courier IMAP and POP3 email servers</summary>
-<template name="courier_domain_template" lineno="13">
+<module name="games" filename="policy/modules/apps/games.if">
+<summary>Various games.</summary>
+<interface name="games_role" lineno="18">
<summary>
-Template for creating courier server processes.
+Role access for games.
</summary>
-<param name="prefix">
+<param name="role">
<summary>
-Prefix name of the server process.
+Role allowed access.
</summary>
</param>
-</template>
-<interface name="courier_domtrans_authdaemon" lineno="99">
-<summary>
-Execute the courier authentication daemon with
-a domain transition.
-</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="courier_domtrans_pop" lineno="118">
+<interface name="games_rw_data" lineno="52">
<summary>
-Execute the courier POP3 and IMAP server with
-a domain transition.
+Read and write games data files.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="courier_read_config" lineno="136">
+<interface name="games_domtrans" lineno="71">
<summary>
-Read courier config files
+Run a game in the game domain.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="courier_manage_spool_dirs" lineno="155">
+<interface name="games_dbus_chat" lineno="91">
<summary>
-Create, read, write, and delete courier
-spool directories.
+Send and receive messages from
+games over dbus.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="courier_manage_spool_files" lineno="174">
+</module>
+<module name="gift" filename="policy/modules/apps/gift.if">
+<summary>Peer to peer file sharing tool.</summary>
+<interface name="gift_role" lineno="18">
<summary>
-Create, read, write, and delete courier
-spool files.
+Role access for gift.
</summary>
-<param name="prefix">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="courier_read_spool" lineno="192">
+</module>
+<module name="gitosis" filename="policy/modules/apps/gitosis.if">
+<summary>Tools for managing and hosting git repositories.</summary>
+<interface name="gitosis_domtrans" lineno="13">
<summary>
-Read courier spool files.
+Execute a domain transition to run gitosis.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="courier_rw_spool_pipes" lineno="210">
+<interface name="gitosis_run" lineno="39">
<summary>
-Read and write to courier spool pipes.
+Execute gitosis-serve in the
+gitosis domain, and allow the
+specified role the gitosis domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="cpucontrol" filename="policy/modules/contrib/cpucontrol.if">
-<summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
-<interface name="cpucontrol_stub" lineno="13">
+<interface name="gitosis_read_lib_files" lineno="58">
<summary>
-CPUcontrol stub interface. No access allowed.
+Read gitosis lib files.
</summary>
-<param name="domain" unused="true">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="cpufreqselector" filename="policy/modules/contrib/cpufreqselector.if">
-<summary>Command-line CPU frequency settings.</summary>
-<interface name="cpufreqselector_dbus_chat" lineno="14">
+<interface name="gitosis_manage_lib_files" lineno="80">
<summary>
-Send and receive messages from
-cpufreq-selector over dbus.
+Create, read, write, and delete
+gitosis lib files.
</summary>
<param name="domain">
<summary>
@@ -4541,94 +5075,83 @@ Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="gitosis_can_sendmail" dftval="false">
+<desc>
+<p>
+Determine whether Gitosis can send mail.
+</p>
+</desc>
+</tunable>
</module>
-<module name="cron" filename="policy/modules/contrib/cron.if">
-<summary>Periodic execution of scheduled commands.</summary>
-<template name="cron_common_crontab_template" lineno="14">
+<module name="gnome" filename="policy/modules/apps/gnome.if">
+<summary>GNU network object model environment.</summary>
+<template name="gnome_role_template" lineno="24">
<summary>
-The common rules for a crontab domain.
+The role template for gnome.
</summary>
-<param name="userdomain_prefix">
+<param name="role_prefix">
<summary>
The prefix of the user domain (e.g., user
is the prefix for user_t).
</summary>
</param>
-</template>
-<interface name="cron_role" lineno="105">
-<summary>
-Role access for cron
-</summary>
-<param name="role">
+<param name="user_role">
<summary>
-Role allowed access
+The role associated with the user domain.
</summary>
</param>
-<param name="domain">
+<param name="user_domain">
<summary>
-User domain for the role
+The type of the user domain.
</summary>
</param>
-</interface>
-<interface name="cron_unconfined_role" lineno="154">
-<summary>
-Role access for unconfined cronjobs
-</summary>
-<param name="role">
+</template>
+<interface name="gnome_exec_gconf" lineno="121">
<summary>
-Role allowed access
+Execute gconf in the caller domain.
</summary>
-</param>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_admin_role" lineno="203">
+<interface name="gnome_read_gconf_config" lineno="140">
<summary>
-Role access for cron
-</summary>
-<param name="role">
-<summary>
-Role allowed access
+Read gconf configuration content.
</summary>
-</param>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_system_entry" lineno="257">
+<interface name="gnome_dontaudit_read_inherited_gconf_config_files" lineno="162">
<summary>
-Make the specified program domain accessable
-from the system cron jobs.
+Do not audit attempts to read
+inherited gconf configuration files.
</summary>
<param name="domain">
<summary>
-The type of the process to transition to.
-</summary>
-</param>
-<param name="entrypoint">
-<summary>
-The type of the file used as an entrypoint to this domain.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="cron_domtrans" lineno="278">
+<interface name="gnome_manage_gconf_config" lineno="181">
<summary>
-Execute cron in the cron system domain.
+Create, read, write, and delete
+gconf configuration content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_exec" lineno="296">
+<interface name="gnome_stream_connect_gconf" lineno="203">
<summary>
-Execute crond_exec_t
+Connect to gconf using a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -4636,9 +5159,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_initrc_domtrans" lineno="314">
+<interface name="gnome_domtrans_gconfd" lineno="222">
<summary>
-Execute crond server in the nscd domain.
+Run gconfd in gconfd domain.
</summary>
<param name="domain">
<summary>
@@ -4646,10 +5169,9 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cron_use_fds" lineno="333">
+<interface name="gnome_create_generic_home_dirs" lineno="241">
<summary>
-Inherit and use a file descriptor
-from the cron daemon.
+Create generic gnome home directories.
</summary>
<param name="domain">
<summary>
@@ -4657,9 +5179,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_sigchld" lineno="351">
+<interface name="gnome_setattr_generic_home_dirs" lineno="260">
<summary>
-Send a SIGCHLD signal to the cron daemon.
+Set attributes of generic gnome
+user home directories.
</summary>
<param name="domain">
<summary>
@@ -4667,9 +5190,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_read_pipes" lineno="369">
+<interface name="gnome_read_generic_home_content" lineno="279">
<summary>
-Read a cron daemon unnamed pipe.
+Read generic gnome home content.
</summary>
<param name="domain">
<summary>
@@ -4677,19 +5200,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_dontaudit_write_pipes" lineno="387">
+<interface name="gnome_manage_generic_home_content" lineno="303">
<summary>
-Do not audit attempts to write cron daemon unnamed pipes.
+Create, read, write, and delete
+generic gnome home content.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_rw_pipes" lineno="405">
+<interface name="gnome_search_generic_home" lineno="326">
<summary>
-Read and write a cron daemon unnamed pipe.
+Search generic gnome home directories.
</summary>
<param name="domain">
<summary>
@@ -4697,29 +5221,35 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_rw_tcp_sockets" lineno="423">
+<interface name="gnome_home_filetrans" lineno="361">
<summary>
-Read, and write cron daemon TCP sockets.
+Create objects in gnome user home
+directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="cron_dontaudit_rw_tcp_sockets" lineno="441">
+<param name="private_type">
<summary>
-Dontaudit Read, and write cron daemon TCP sockets.
+Private file type.
</summary>
-<param name="domain">
+</param>
+<param name="object_class">
<summary>
-Domain to not audit.
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="cron_search_spool" lineno="459">
+<interface name="gnome_create_generic_gconf_home_dirs" lineno="380">
<summary>
-Search the directory containing user cron tables.
+Create generic gconf home directories.
</summary>
<param name="domain">
<summary>
@@ -4727,9 +5257,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_manage_pid_files" lineno="478">
+<interface name="gnome_read_generic_gconf_home_content" lineno="398">
<summary>
-Manage pid files used by cron
+Read generic gconf home content.
</summary>
<param name="domain">
<summary>
@@ -4737,20 +5267,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_anacron_domtrans_system_job" lineno="496">
+<interface name="gnome_manage_generic_gconf_home_content" lineno="422">
<summary>
-Execute anacron in the cron system domain.
+Create, read, write, and delete
+generic gconf home content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_use_system_job_fds" lineno="515">
+<interface name="gnome_search_generic_gconf_home" lineno="445">
<summary>
-Inherit and use a file descriptor
-from system cron jobs.
+Search generic gconf home directories.
</summary>
<param name="domain">
<summary>
@@ -4758,110 +5288,123 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cron_write_system_job_pipes" lineno="533">
+<interface name="gnome_home_filetrans_gconf_home" lineno="476">
<summary>
-Write a system cron job unnamed pipe.
+Create objects in user home
+directories with the generic gconf
+home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="cron_rw_system_job_pipes" lineno="551">
+<param name="object_class">
<summary>
-Read and write a system cron job unnamed pipe.
+Class of the object being created.
</summary>
-<param name="domain">
+</param>
+<param name="name" optional="true">
<summary>
-Domain allowed access.
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="cron_rw_system_job_stream_sockets" lineno="569">
+<interface name="gnome_home_filetrans_gnome_home" lineno="506">
<summary>
-Allow read/write unix stream sockets from the system cron jobs.
+Create objects in user home
+directories with the generic gnome
+home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="cron_read_system_job_tmp_files" lineno="587">
+<interface name="gnome_gconf_home_filetrans" lineno="540">
<summary>
-Read temporary files from the system cron jobs.
+Create objects in gnome gconf home
+directories with a private type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="cron_dontaudit_append_system_job_tmp_files" lineno="607">
+<param name="private_type">
<summary>
-Do not audit attempts to append temporary
-files from the system cron jobs.
+Private file type.
</summary>
-<param name="domain">
+</param>
+<param name="object_class">
<summary>
-Domain to not audit.
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="cron_dontaudit_write_system_job_tmp_files" lineno="626">
+<interface name="gnome_user_home_dir_filetrans_gstreamer_orcexec" lineno="571">
<summary>
-Do not audit attempts to write temporary
-files from the system cron jobs.
+Create objects in user home
+directories with the gstreamer
+orcexec type.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
</interface>
-<tunable name="cron_can_relabel" dftval="false">
-<desc>
-<p>
-Allow system cron jobs to relabel filesystem
-for restoring file contexts.
-</p>
-</desc>
-</tunable>
-<tunable name="fcron_crond" dftval="false">
-<desc>
-<p>
-Enable extra rules in the cron domain
-to support fcron.
-</p>
-</desc>
-</tunable>
-</module>
-<module name="cups" filename="policy/modules/contrib/cups.if">
-<summary>Common UNIX printing system</summary>
-<interface name="cups_backend" lineno="13">
+<interface name="gnome_user_runtime_filetrans_gstreamer_orcexec" lineno="601">
<summary>
-Setup cups to transtion to the cups backend domain
+Create objects in the user
+runtime directories with the
+gstreamer orcexec type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</interface>
-<interface name="cups_domtrans" lineno="40">
+<param name="object_class">
<summary>
-Execute cups in the cups domain.
+Class of the object being created.
</summary>
-<param name="domain">
+</param>
+<param name="name" optional="true">
<summary>
-Domain allowed to transition.
+The name of the object being created.
</summary>
</param>
</interface>
-<interface name="cups_stream_connect" lineno="58">
+<interface name="gnome_read_keyring_home_files" lineno="619">
<summary>
-Connect to cupsd over an unix domain stream socket.
+Read generic gnome keyring home files.
</summary>
<param name="domain">
<summary>
@@ -4869,30 +5412,45 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_tcp_connect" lineno="77">
+<interface name="gnome_dbus_chat_gconfd" lineno="646">
<summary>
-Connect to cups over TCP. (Deprecated)
+Send and receive messages from
+gnome configuration daemon over
+dbus.
</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_dbus_chat" lineno="92">
+<interface name="gnome_dbus_chat_gkeyringd" lineno="673">
<summary>
Send and receive messages from
-cups over dbus.
+gnome keyring daemon over dbus.
</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_read_pid_files" lineno="112">
+<interface name="gnome_dbus_chat_all_gkeyringd" lineno="694">
<summary>
-Read cups PID files.
+Send and receive messages from all
+gnome keyring daemon over dbus.
</summary>
<param name="domain">
<summary>
@@ -4900,9 +5458,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_domtrans_config" lineno="131">
+<interface name="gnome_spec_domtrans_all_gkeyringd" lineno="714">
<summary>
-Execute cups_config in the cups_config domain.
+Run all gkeyringd in gkeyringd domain.
</summary>
<param name="domain">
<summary>
@@ -4910,21 +5468,27 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cups_signal_config" lineno="150">
+<interface name="gnome_stream_connect_gkeyringd" lineno="741">
<summary>
-Send generic signals to the cups
-configuration daemon.
+Connect to gnome keyring daemon
+with a unix stream socket.
</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_dbus_chat_config" lineno="169">
+<interface name="gnome_stream_connect_all_gkeyringd" lineno="762">
<summary>
-Send and receive messages from
-cupsd_config over dbus.
+Connect to all gnome keyring daemon
+with a unix stream socket.
</summary>
<param name="domain">
<summary>
@@ -4932,52 +5496,59 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_read_config" lineno="190">
+<interface name="gnome_manage_gstreamer_orcexec" lineno="784">
<summary>
-Read cups configuration files.
+Manage gstreamer ORC optimized
+code.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="cups_read_rw_config" lineno="211">
+<interface name="gnome_mmap_gstreamer_orcexec" lineno="803">
<summary>
-Read cups-writable configuration files.
+Mmap gstreamer ORC optimized
+code.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="cups_read_log" lineno="231">
+</module>
+<module name="gpg" filename="policy/modules/apps/gpg.if">
+<summary>Policy for GNU Privacy Guard and related programs.</summary>
+<interface name="gpg_role" lineno="18">
<summary>
-Read cups log files.
+Role access for gpg.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="cups_append_log" lineno="250">
+<interface name="gpg_domtrans" lineno="64">
<summary>
-Append cups log files.
+Execute the gpg in the gpg domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="cups_write_log" lineno="269">
+<interface name="gpg_exec" lineno="83">
<summary>
-Write cups log files.
+Execute the gpg in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -4985,9 +5556,34 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_stream_connect_ptal" lineno="288">
+<interface name="gpg_spec_domtrans" lineno="117">
+<summary>
+Execute gpg in a specified domain.
+</summary>
+<desc>
+<p>
+Execute gpg in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
+<param name="source_domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+Domain to transition to.
+</summary>
+</param>
+</interface>
+<interface name="gpg_exec_agent" lineno="136">
<summary>
-Connect to ptal over an unix domain stream socket.
+Execute the gpg-agent in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -4995,29 +5591,30 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cups_admin" lineno="314">
+<interface name="gpg_entry_type" lineno="156">
<summary>
-All of the rules required to administrate
-an cups environment
+Make gpg executable files an
+entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain for which gpg_exec_t is an entrypoint.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="gpg_signal" lineno="174">
+<summary>
+Send generic signals to gpg.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the cups domain.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="cvs" filename="policy/modules/contrib/cvs.if">
-<summary>Concurrent versions system</summary>
-<interface name="cvs_read_data" lineno="13">
+<interface name="gpg_rw_agent_pipes" lineno="192">
<summary>
-Read the CVS data and metadata.
+Read and write gpg agent pipes.
</summary>
<param name="domain">
<summary>
@@ -5025,10 +5622,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cvs_exec" lineno="34">
+<interface name="gpg_stream_connect_agent" lineno="210">
<summary>
-Allow the specified domain to execute cvs
-in the caller domain.
+Connect to gpg agent socket
</summary>
<param name="domain">
<summary>
@@ -5036,50 +5632,39 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cvs_admin" lineno="59">
+<interface name="gpg_search_agent_tmp_dirs" lineno="232">
<summary>
-All of the rules required to administrate
-an cvs environment
+Search gpg agent dirs.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="gpg_agent_tmp_filetrans" lineno="250">
+<summary>
+filetrans in gpg_agent_tmp_t dirs
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the cvs domain.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="allow_cvs_read_shadow" dftval="false">
-<desc>
-<p>
-Allow cvs daemon to read shadow
-</p>
-</desc>
-</tunable>
-</module>
-<module name="cyphesis" filename="policy/modules/contrib/cyphesis.if">
-<summary>Cyphesis WorldForge game server</summary>
-<interface name="cyphesis_domtrans" lineno="13">
+<interface name="gpg_runtime_filetrans" lineno="269">
<summary>
-Execute a domain transition to run cyphesis.
+filetrans in gpg_runtime_t dirs
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="cyrus" filename="policy/modules/contrib/cyrus.if">
-<summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
-<interface name="cyrus_manage_data" lineno="14">
+<interface name="gpg_secret_filetrans" lineno="288">
<summary>
-Allow caller to create, read, write,
-and delete cyrus data files.
+filetrans in gpg_secret_t dirs
</summary>
<param name="domain">
<summary>
@@ -5087,9 +5672,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cyrus_stream_connect" lineno="33">
+<interface name="gpg_pinentry_dbus_chat" lineno="309">
<summary>
-Connect to Cyrus using a unix domain stream socket.
+Send messages to and from gpg
+pinentry over DBUS.
</summary>
<param name="domain">
<summary>
@@ -5097,86 +5683,191 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="cyrus_admin" lineno="59">
+<interface name="gpg_list_user_secrets" lineno="329">
<summary>
-All of the rules required to administrate
-an cyrus environment
+List gpg user secrets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+</interface>
+<tunable name="gpg_agent_env_file" dftval="false">
+<desc>
+<p>
+Determine whether GPG agent can manage
+generic user home content files. This is
+required by the --write-env-file option.
+</p>
+</desc>
+</tunable>
+<tunable name="gpg_agent_use_card" dftval="false">
+<desc>
+<p>
+Determine whether GPG agent can use OpenPGP
+cards or Yubikeys over USB
+</p>
+</desc>
+</tunable>
+<tunable name="gpg_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the gpg domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="gpg_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the gpg domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="gpg_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the gpg domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="gpg_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the gpg domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="irc" filename="policy/modules/apps/irc.if">
+<summary>IRC client policy.</summary>
+<interface name="irc_role" lineno="18">
+<summary>
+Role access for IRC.
+</summary>
<param name="role">
<summary>
-The role to be allowed to manage the cyrus domain.
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="daemontools" filename="policy/modules/contrib/daemontools.if">
-<summary>Collection of tools for managing UNIX services</summary>
+<tunable name="irc_use_any_tcp_ports" dftval="false">
<desc>
<p>
-Policy for DJB's daemontools
+Determine whether irc clients can
+listen on and connect to any
+unreserved TCP ports.
</p>
</desc>
-<interface name="daemontools_ipc_domain" lineno="18">
+</tunable>
+<tunable name="irc_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the irc domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="irc_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the irc domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="irc_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the irc domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="irc_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the irc domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="java" filename="policy/modules/apps/java.if">
+<summary>Java virtual machine</summary>
+<interface name="java_role" lineno="18">
+<summary>
+Role access for java.
+</summary>
+<param name="role">
<summary>
-An ipc channel between the supervised domain and svc_start_t
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="daemontools_service_domain" lineno="44">
+<template name="java_role_template" lineno="90">
<summary>
-Define a specified domain as a supervised service.
+The role template for the java module.
</summary>
-<param name="domain">
+<desc>
+<p>
+This template creates a derived domains which are used
+for java applications.
+</p>
+</desc>
+<param name="role_prefix">
<summary>
-Domain allowed access.
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
</summary>
</param>
-<param name="entrypoint">
+<param name="user_role">
<summary>
-The type associated with the process program.
+The role associated with the user domain.
</summary>
</param>
-</interface>
-<interface name="daemontools_domtrans_start" lineno="66">
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<template name="java_domtrans" lineno="148">
<summary>
-Execute in the svc_start_t domain.
+Execute the java program in the java domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
-</interface>
-<interface name="daemonstools_run_start" lineno="91">
+</template>
+<interface name="java_run" lineno="178">
<summary>
-Execute svc_start in the svc_start domain, and
-allow the specified role the svc_start domain.
+Execute java in the java domain, and
+allow the specified role the java domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
<param name="role">
<summary>
-The role to be allowed the svc_start domain.
+Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="daemontools_domtrans_run" lineno="110">
+<interface name="java_domtrans_unconfined" lineno="198">
<summary>
-Execute in the svc_run_t domain.
+Execute the java program in the
+unconfined java domain.
</summary>
<param name="domain">
<summary>
@@ -5184,29 +5875,38 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="daemontools_sigchld_run" lineno="128">
+<interface name="java_run_unconfined" lineno="224">
<summary>
-Send a SIGCHLD signal to svc_run domain.
+Execute the java program in the
+unconfined java domain and allow the
+specified role the java domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="daemontools_domtrans_multilog" lineno="146">
+<interface name="java_exec" lineno="244">
<summary>
-Execute in the svc_multilog_t domain.
+Execute the java program in
+the callers domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="daemontools_search_svc_dir" lineno="164">
+<interface name="java_manage_generic_home_content" lineno="264">
<summary>
-Search svc_svc_t directory.
+Create, read, write, and delete
+generic java home content.
</summary>
<param name="domain">
<summary>
@@ -5214,153 +5914,226 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="daemontools_read_svc" lineno="183">
+<interface name="java_manage_java_tmp" lineno="285">
<summary>
-Allow a domain to read svc_svc_t files.
+Create, read, write, and delete
+temporary java content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="daemontools_manage_svc" lineno="203">
+<interface name="java_home_filetrans_java_home" lineno="316">
<summary>
-Allow a domain to create svc_svc_t files.
+Create specified objects in user home
+directories with the generic java
+home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
-</interface>
-</module>
-<module name="dante" filename="policy/modules/contrib/dante.if">
-<summary>Dante msproxy and socks4/5 proxy server</summary>
-</module>
-<module name="dbadm" filename="policy/modules/contrib/dbadm.if">
-<summary>Database administrator role</summary>
-<interface name="dbadm_role_change" lineno="14">
+<param name="object_class">
<summary>
-Change to the database administrator role.
+Class of the object being created.
</summary>
-<param name="role">
+</param>
+<param name="name" optional="true">
<summary>
-Role allowed access.
+The name of the object being created.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="dbadm_role_change_to" lineno="44">
+<template name="java_noatsecure_domtrans" lineno="341">
<summary>
-Change from the database administrator role.
+Run java in javaplugin domain and
+do not clean the environment (atsecure)
</summary>
<desc>
<p>
-Change from the database administrator role to
-the specified role.
+This is needed when java is called by an application with library
+settings (such as is the case when invoked as a browser plugin)
</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</template>
+<template name="java_domain_type" lineno="369">
+<summary>
+The template for using java in a domain.
+</summary>
+<desc>
<p>
-This is an interface to support third party modules
-and its use is not allowed in upstream reference
-policy.
+This template creates a derived domains which are used
+for java applications.
</p>
</desc>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access.
+The type of the domain to be given java privs.
</summary>
</param>
-<rolecap/>
-</interface>
-<tunable name="dbadm_manage_user_files" dftval="false">
+</template>
+<tunable name="allow_java_execstack" dftval="false">
<desc>
<p>
-Allow dbadm to manage files in users home directories
+Determine whether java can make
+its stack executable.
</p>
</desc>
</tunable>
-<tunable name="dbadm_read_user_files" dftval="false">
+<tunable name="java_read_generic_user_content" dftval="true">
<desc>
<p>
-Allow dbadm to read files in users home directories
+Grant the java domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="java_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the java domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="java_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the java domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="java_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the java domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
-<module name="dbskk" filename="policy/modules/contrib/dbskk.if">
-<summary>Dictionary server for the SKK Japanese input method system.</summary>
-</module>
-<module name="dbus" filename="policy/modules/contrib/dbus.if">
-<summary>Desktop messaging bus</summary>
-<interface name="dbus_stub" lineno="13">
+<module name="libmtp" filename="policy/modules/apps/libmtp.if">
+<summary>libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP).</summary>
+<interface name="libmtp_role" lineno="18">
<summary>
-DBUS stub interface. No access allowed.
+Role access for libmtp.
</summary>
-<param name="domain" unused="true">
+<param name="role">
<summary>
-Domain allowed access
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
</summary>
</param>
</interface>
-<template name="dbus_role_template" lineno="41">
+<tunable name="libmtp_enable_home_dirs" dftval="false">
+<desc>
+<p>
+Determine whether libmtp can read
+and manage the user home directories
+and files.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="lightsquid" filename="policy/modules/apps/lightsquid.if">
+<summary>Log analyzer for squid proxy.</summary>
+<interface name="lightsquid_domtrans" lineno="14">
<summary>
-Role access for dbus
+Execute the lightsquid program in
+the lightsquid domain.
</summary>
-<param name="role_prefix">
+<param name="domain">
<summary>
-The prefix of the user role (e.g., user
-is the prefix for user_r).
+Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="lightsquid_run" lineno="40">
<summary>
-Role allowed access
+Execute lightsquid in the
+lightsquid domain, and allow the
+specified role the lightsquid domain.
</summary>
-</param>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed to transition.
</summary>
</param>
-</template>
-<interface name="dbus_system_bus_client" lineno="179">
+<param name="role">
<summary>
-Template for creating connections to
-the system DBUS.
+Role allowed access.
+</summary>
+</param>
+</interface>
+<interface name="lightsquid_admin" lineno="66">
+<summary>
+All of the rules required to
+administrate an lightsquid environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="dbus_session_bus_client" lineno="210">
+<tunable name="allow_httpd_lightsquid_script_anon_write" dftval="false">
+<desc>
+<p>
+Determine whether the script domain can
+modify public files used for public file
+transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="livecd" filename="policy/modules/apps/livecd.if">
+<summary>Tool for building alternate livecd for different os and policy versions.</summary>
+<interface name="livecd_domtrans" lineno="13">
<summary>
-Template for creating connections to
-a user DBUS.
+Execute a domain transition to run livecd.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dbus_send_session_bus" lineno="235">
+<interface name="livecd_run" lineno="39">
<summary>
-Send a message the session DBUS.
+Execute livecd in the livecd
+domain, and allow the specified
+role the livecd domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_read_config" lineno="254">
+<interface name="livecd_read_tmp_files" lineno="58">
<summary>
-Read dbus configuration.
+Read livecd temporary files.
</summary>
<param name="domain">
<summary>
@@ -5368,9 +6141,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_read_lib_files" lineno="273">
+<interface name="livecd_rw_tmp_files" lineno="77">
<summary>
-Read system dbus lib files.
+Read and write livecd temporary files.
</summary>
<param name="domain">
<summary>
@@ -5378,10 +6151,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_manage_lib_files" lineno="293">
+<interface name="livecd_rw_semaphores" lineno="96">
<summary>
-Create, read, write, and delete
-system dbus lib files.
+Read and write livecd semaphores.
</summary>
<param name="domain">
<summary>
@@ -5389,38 +6161,41 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_connect_session_bus" lineno="313">
+</module>
+<module name="loadkeys" filename="policy/modules/apps/loadkeys.if">
+<summary>Load keyboard mappings.</summary>
+<interface name="loadkeys_domtrans" lineno="14">
<summary>
-Connect to the system DBUS
-for service (acquire_svc).
+Execute the loadkeys program in
+the loadkeys domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dbus_session_domain" lineno="339">
+<interface name="loadkeys_run" lineno="41">
<summary>
-Allow a application domain to be started
-by the session dbus.
+Execute the loadkeys program in
+the loadkeys domain, and allow the
+specified role the loadkeys domain.
</summary>
<param name="domain">
<summary>
-Type to be used as a domain.
+Domain allowed to transition.
</summary>
</param>
-<param name="entry_point">
+<param name="role">
<summary>
-Type of the program to be used as an
-entry point to this domain.
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="dbus_connect_system_bus" lineno="361">
+<interface name="loadkeys_exec" lineno="60">
<summary>
-Connect to the system DBUS
-for service (acquire_svc).
+Execute the loadkeys in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -5428,78 +6203,118 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_send_system_bus" lineno="380">
+</module>
+<module name="lockdev" filename="policy/modules/apps/lockdev.if">
+<summary>Library for locking devices.</summary>
+<interface name="lockdev_role" lineno="18">
<summary>
-Send a message on the system DBUS.
+Role access for lockdev.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="dbus_system_bus_unconfined" lineno="399">
+</module>
+<module name="man2html" filename="policy/modules/apps/man2html.if">
+<summary>A Unix manpage-to-HTML converter.</summary>
+<tunable name="allow_httpd_man2html_script_anon_write" dftval="false">
+<desc>
+<p>
+Determine whether the script domain can
+modify public files used for public file
+transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mandb" filename="policy/modules/apps/mandb.if">
+<summary>On-line manual database.</summary>
+<interface name="mandb_domtrans" lineno="14">
<summary>
-Allow unconfined access to the system DBUS.
+Execute the mandb program in
+the mandb domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dbus_system_domain" lineno="424">
+<interface name="mandb_run" lineno="40">
<summary>
-Create a domain for processes
-which can be started by the system dbus
+Execute mandb in the mandb
+domain, and allow the specified
+role the mandb domain.
</summary>
<param name="domain">
<summary>
-Type to be used as a domain.
+Domain allowed to transition.
</summary>
</param>
-<param name="entry_point">
+<param name="role">
<summary>
-Type of the program to be used as an entry point to this domain.
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="dbus_use_system_bus_fds" lineno="459">
+<interface name="mandb_admin" lineno="66">
<summary>
-Use and inherit system DBUS file descriptors.
+All of the rules required to
+administrate an mandb environment.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="dbus_dontaudit_system_bus_rw_tcp_sockets" lineno="477">
+</module>
+<module name="mono" filename="policy/modules/apps/mono.if">
+<summary>Run .NET server and client applications on Linux.</summary>
+<template name="mono_role_template" lineno="30">
<summary>
-Dontaudit Read, and write system dbus TCP sockets.
+The role template for the mono module.
</summary>
-<param name="domain">
+<desc>
+<p>
+This template creates a derived domains which are used
+for mono applications.
+</p>
+</desc>
+<param name="role_prefix">
<summary>
-Domain to not audit.
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
</summary>
</param>
-</interface>
-<interface name="dbus_unconfined" lineno="496">
+<param name="user_role">
<summary>
-Allow unconfined access to the system DBUS.
+The role associated with the user domain.
</summary>
-<param name="domain">
+</param>
+<param name="user_domain">
<summary>
-Domain allowed access.
+The type of the user domain.
</summary>
</param>
-</interface>
-</module>
-<module name="dcc" filename="policy/modules/contrib/dcc.if">
-<summary>Distributed checksum clearinghouse spam filtering</summary>
-<interface name="dcc_domtrans_cdcc" lineno="13">
+</template>
+<interface name="mono_domtrans" lineno="80">
<summary>
-Execute cdcc in the cdcc domain.
+Execute mono in the mono domain.
</summary>
<param name="domain">
<summary>
@@ -5507,10 +6322,10 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dcc_run_cdcc" lineno="39">
+<interface name="mono_run" lineno="105">
<summary>
-Execute cdcc in the cdcc domain, and
-allow the specified role the cdcc domain.
+Execute mono in the mono domain, and
+allow the specified role the mono domain.
</summary>
<param name="domain">
<summary>
@@ -5522,21 +6337,20 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="dcc_domtrans_client" lineno="58">
+<interface name="mono_exec" lineno="124">
<summary>
-Execute dcc_client in the dcc_client domain.
+Execute mono in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dcc_signal_client" lineno="77">
+<interface name="mono_rw_shm" lineno="143">
<summary>
-Send a signal to the dcc_client.
+Read and write mono shared memory.
</summary>
<param name="domain">
<summary>
@@ -5544,112 +6358,137 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dcc_run_client" lineno="102">
+</module>
+<module name="mozilla" filename="policy/modules/apps/mozilla.if">
+<summary>Policy for Mozilla and related web browsers.</summary>
+<interface name="mozilla_role" lineno="18">
<summary>
-Execute dcc_client in the dcc_client domain, and
-allow the specified role the dcc_client domain.
+Role access for mozilla.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
+</interface>
+<interface name="mozilla_role_plugin" lineno="90">
+<summary>
+Role access for mozilla plugin.
+</summary>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
-<rolecap/>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
</interface>
-<interface name="dcc_domtrans_dbclean" lineno="121">
+<interface name="mozilla_read_user_home" lineno="151">
<summary>
-Execute dbclean in the dcc_dbclean domain.
+Read mozilla home directory content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dcc_run_dbclean" lineno="147">
+<interface name="mozilla_read_user_home_files" lineno="172">
<summary>
-Execute dbclean in the dcc_dbclean domain, and
-allow the specified role the dcc_dbclean domain.
+Read mozilla home directory files
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="mozilla_write_user_home_files" lineno="193">
<summary>
-Role allowed access.
+Write mozilla home directory files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="dcc_stream_connect_dccifd" lineno="166">
+<interface name="mozilla_dontaudit_rw_user_home_files" lineno="213">
<summary>
-Connect to dccifd over a unix domain stream socket.
+Do not audit attempts to read and
+write mozilla home directory files.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="ddclient" filename="policy/modules/contrib/ddclient.if">
-<summary>Update dynamic IP address at DynDNS.org</summary>
-<interface name="ddclient_domtrans" lineno="13">
+<interface name="mozilla_dontaudit_manage_user_home_files" lineno="233">
<summary>
-Execute ddclient in the ddclient domain.
+Do not audit attempt to Create,
+read, write, and delete mozilla
+home directory content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="ddclient_run" lineno="38">
+<interface name="mozilla_exec_user_plugin_home_files" lineno="253">
<summary>
-Execute ddclient daemon on behalf of a user or staff type.
+Execute mozilla plugin home directory files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="mozilla_execmod_user_plugin_home_files" lineno="273">
<summary>
-Role allowed access.
+Mozilla plugin home directory file
+text relocation.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="ddclient_admin" lineno="64">
+<interface name="mozilla_read_tmp_files" lineno="291">
<summary>
-All of the rules required to administrate
-an ddclient environment
+Read temporary mozilla files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="mozilla_domtrans" lineno="309">
<summary>
-The role to be allowed to manage the ddclient domain.
+Run mozilla in the mozilla domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="ddcprobe" filename="policy/modules/contrib/ddcprobe.if">
-<summary>ddcprobe retrieves monitor and graphics card information</summary>
-<interface name="ddcprobe_domtrans" lineno="13">
+<interface name="mozilla_domtrans_plugin" lineno="329">
<summary>
-Execute ddcprobe in the ddcprobe domain.
+Execute a domain transition to
+run mozilla plugin.
</summary>
<param name="domain">
<summary>
@@ -5657,10 +6496,12 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="ddcprobe_run" lineno="38">
+<interface name="mozilla_run_plugin" lineno="356">
<summary>
-Execute ddcprobe in the ddcprobe domain, and
-allow the specified role the ddcprobe domain.
+Execute mozilla plugin in the
+mozilla plugin domain, and allow
+the specified role the mozilla
+plugin domain.
</summary>
<param name="domain">
<summary>
@@ -5669,25 +6510,14 @@ Domain allowed to transition.
</param>
<param name="role">
<summary>
-Role to be authenticated for ddcprobe domain.
+Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="denyhosts" filename="policy/modules/contrib/denyhosts.if">
-<summary>DenyHosts SSH dictionary attack mitigation</summary>
-<desc>
-<p>
-DenyHosts is a script intended to be run by Linux
-system administrators to help thwart SSH server attacks
-(also known as dictionary based attacks and brute force
-attacks).
-</p>
-</desc>
-<interface name="denyhosts_domtrans" lineno="21">
+<interface name="mozilla_domtrans_plugin_config" lineno="376">
<summary>
-Execute a domain transition to run denyhosts.
+Execute a domain transition to
+run mozilla plugin config.
</summary>
<param name="domain">
<summary>
@@ -5695,49 +6525,60 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="denyhosts_initrc_domtrans" lineno="39">
+<interface name="mozilla_run_plugin_config" lineno="403">
<summary>
-Execute denyhost server in the denyhost domain.
+Execute mozilla plugin config in
+the mozilla plugin config domain,
+and allow the specified role the
+mozilla plugin config domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="denyhosts_admin" lineno="63">
+<interface name="mozilla_dbus_chat" lineno="423">
<summary>
-All of the rules required to administrate
-an denyhosts environment.
+Send and receive messages from
+mozilla over dbus.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="mozilla_dbus_chat_plugin" lineno="444">
<summary>
-Role allowed access.
+Send and receive messages from
+mozilla plugin over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="devicekit" filename="policy/modules/contrib/devicekit.if">
-<summary>Devicekit modular hardware abstraction layer</summary>
-<interface name="devicekit_domtrans" lineno="13">
+<interface name="mozilla_rw_tcp_sockets" lineno="464">
<summary>
-Execute a domain transition to run devicekit.
+Read and write mozilla TCP sockets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="devicekit_dgram_send" lineno="32">
+<interface name="mozilla_manage_plugin_rw_files" lineno="483">
<summary>
-Send to devicekit over a unix domain
-datagram socket.
+Create, read, write, and delete
+mozilla plugin rw files.
</summary>
<param name="domain">
<summary>
@@ -5745,10 +6586,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="devicekit_dbus_chat" lineno="51">
+<interface name="mozilla_plugin_read_tmpfs_files" lineno="502">
<summary>
-Send and receive messages from
-devicekit over dbus.
+Read mozilla_plugin tmpfs files.
</summary>
<param name="domain">
<summary>
@@ -5756,10 +6596,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="devicekit_dbus_chat_disk" lineno="72">
+<interface name="mozilla_plugin_delete_tmpfs_files" lineno="521">
<summary>
-Send and receive messages from
-devicekit disk over dbus.
+Delete mozilla_plugin tmpfs files.
</summary>
<param name="domain">
<summary>
@@ -5767,20 +6606,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="devicekit_signal_power" lineno="92">
+<interface name="mozilla_rw_tmp_pipes" lineno="540">
<summary>
-Send signal devicekit power
+Read/write to mozilla's tmp fifo files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="devicekit_dbus_chat_power" lineno="111">
+<interface name="mozilla_manage_generic_plugin_home_content" lineno="559">
<summary>
-Send and receive messages from
-devicekit power over dbus.
+Create, read, write, and delete
+generic mozilla plugin home content.
</summary>
<param name="domain">
<summary>
@@ -5788,44 +6627,122 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="devicekit_read_pid_files" lineno="131">
+<interface name="mozilla_home_filetrans_plugin_home" lineno="594">
<summary>
-Read devicekit PID files.
+Create objects in user home
+directories with the generic mozilla
+plugin home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="devicekit_admin" lineno="162">
+<interface name="mozilla_dontaudit_use_fds" lineno="614">
<summary>
-All of the rules required to administrate
-an devicekit environment
+Do not audit use of mozilla file descriptors
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to dont audit access from
</summary>
</param>
+</interface>
+<interface name="mozilla_send_dgram_plugin" lineno="632">
+<summary>
+Send messages to mozilla plugin unix datagram sockets
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
+</interface>
+<tunable name="mozilla_execstack" dftval="false">
+<desc>
+<p>
+Determine whether mozilla can
+make its stack executable.
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the mozilla domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mozilla domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the mozilla domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mozilla domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_bind_all_unreserved_ports" dftval="false">
+<desc>
+<p>
+Determine whether mozilla firefox can bind TCP sockets to all
+unreserved ports (for instance used with various Proxy
+management extensions).
+</p>
+</desc>
+</tunable>
+<tunable name="mozilla_plugin_connect_all_unreserved" dftval="false">
+<desc>
+<p>
+Determine whether mozilla firefox plugins can connect to
+unreserved ports (for instance when dealing with Google Talk)
+</p>
+</desc>
+</tunable>
+</module>
+<module name="mplayer" filename="policy/modules/apps/mplayer.if">
+<summary>Mplayer media player and encoder.</summary>
+<interface name="mplayer_role" lineno="18">
+<summary>
+Role access for mplayer
+</summary>
<param name="role">
<summary>
-The role to be allowed to manage the devicekit domain.
+Role allowed access
</summary>
</param>
-<param name="terminal">
+<param name="domain">
<summary>
-The type of the user terminal.
+User domain for the role
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="dhcp" filename="policy/modules/contrib/dhcp.if">
-<summary>Dynamic host configuration protocol (DHCP) server</summary>
-<interface name="dhcpd_domtrans" lineno="13">
+<interface name="mplayer_domtrans" lineno="65">
<summary>
-Transition to dhcpd.
+Run mplayer in mplayer domain.
</summary>
<param name="domain">
<summary>
@@ -5833,10 +6750,9 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dhcpd_setattr_state_files" lineno="33">
+<interface name="mplayer_exec" lineno="85">
<summary>
-Set the attributes of the DCHP
-server state files.
+Execute mplayer in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -5844,91 +6760,168 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dhcpd_initrc_domtrans" lineno="53">
+<interface name="mplayer_read_user_home_files" lineno="104">
<summary>
-Execute dhcp server in the dhcp domain.
+Read mplayer user home content files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dhcpd_admin" lineno="78">
+<interface name="mplayer_manage_generic_home_content" lineno="124">
<summary>
-All of the rules required to administrate
-an dhcp environment
+Create, read, write, and delete
+generic mplayer home content.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="mplayer_home_filetrans_mplayer_home" lineno="157">
<summary>
-The role to be allowed to manage the dhcp domain.
+Create specified objects in user home
+directories with the generic mplayer
+home type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="dhcpd_use_ldap" dftval="false">
+<tunable name="allow_mplayer_execstack" dftval="false">
+<desc>
+<p>
+Determine whether mplayer can make
+its stack executable.
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_mencoder_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the mplayer_mencoder domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_mencoder_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mplayer_mencoder domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_mencoder_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the mplayer_mencoder domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_mencoder_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mplayer_mencoder domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the mplayer domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mplayer domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the mplayer domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mplayer_manage_all_user_content" dftval="false">
<desc>
<p>
-Allow DHCP daemon to use LDAP backends
+Grant the mplayer domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
-<module name="dictd" filename="policy/modules/contrib/dictd.if">
-<summary>Dictionary daemon</summary>
-<interface name="dictd_tcp_connect" lineno="14">
+<module name="openoffice" filename="policy/modules/apps/openoffice.if">
+<summary>Openoffice suite.</summary>
+<interface name="ooffice_role" lineno="18">
<summary>
-Use dictionary services by connecting
-over TCP. (Deprecated)
+Role access for openoffice.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="dictd_admin" lineno="35">
+<interface name="ooffice_domtrans" lineno="48">
<summary>
-All of the rules required to administrate
-an dictd environment
+Run openoffice in its own domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="ooffice_dontaudit_exec_tmp_files" lineno="67">
<summary>
-The role to be allowed to manage the dictd domain.
+Do not audit attempts to execute
+files in temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="distcc" filename="policy/modules/contrib/distcc.if">
-<summary>Distributed compiler daemon</summary>
-</module>
-<module name="djbdns" filename="policy/modules/contrib/djbdns.if">
-<summary>small and secure DNS daemon</summary>
-<template name="djbdns_daemontools_domain_template" lineno="14">
+<interface name="ooffice_rw_tmp_files" lineno="86">
<summary>
-Create a set of derived types for djbdns
-components that are directly supervised by daemontools.
+Read and write temporary
+openoffice files.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-The prefix to be used for deriving type names.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="djbdns_search_tinydns_keys" lineno="66">
+</interface>
+<interface name="ooffice_dbus_chat" lineno="106">
<summary>
-Allow search the djbdns-tinydns key ring.
+Send and receive dbus messages
+from and to the openoffice
+domain.
</summary>
<param name="domain">
<summary>
@@ -5936,9 +6929,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="djbdns_link_tinydns_keys" lineno="84">
+<interface name="ooffice_stream_connect" lineno="127">
<summary>
-Allow link to the djbdns-tinydns key ring.
+Connect to openoffice using a
+unix domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -5946,15 +6940,92 @@ Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="openoffice_allow_update" dftval="true">
+<desc>
+<p>
+Determine whether openoffice can
+download software updates from the
+network (application and/or
+extensions).
+</p>
+</desc>
+</tunable>
+<tunable name="openoffice_allow_email" dftval="false">
+<desc>
+<p>
+Determine whether openoffice writer
+can send emails directly (print to
+email). This is different from the
+functionality of sending emails
+through external clients which is
+always enabled.
+</p>
+</desc>
+</tunable>
+<tunable name="openoffice_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the openoffice domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="openoffice_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the openoffice domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="openoffice_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the openoffice domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="openoffice_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the openoffice domains manage rights on all user content
+</p>
+</desc>
+</tunable>
</module>
-<module name="dkim" filename="policy/modules/contrib/dkim.if">
-<summary>DomainKeys Identified Mail milter.</summary>
+<module name="podsleuth" filename="policy/modules/apps/podsleuth.if">
+<summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary>
+<interface name="podsleuth_domtrans" lineno="13">
+<summary>
+Execute a domain transition to run podsleuth.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<interface name="podsleuth_run" lineno="39">
+<summary>
+Execute podsleuth in the podsleuth
+domain, and allow the specified role
+the podsleuth domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+</interface>
</module>
-<module name="dmidecode" filename="policy/modules/contrib/dmidecode.if">
-<summary>Decode DMI data for x86/ia64 bioses.</summary>
-<interface name="dmidecode_domtrans" lineno="13">
+<module name="ptchown" filename="policy/modules/apps/ptchown.if">
+<summary>helper function for grantpt(3), changes ownship and permissions of pseudotty.</summary>
+<interface name="ptchown_domtrans" lineno="13">
<summary>
-Execute dmidecode in the dmidecode domain.
+Execute a domain transition to run ptchown.
</summary>
<param name="domain">
<summary>
@@ -5962,10 +7033,21 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dmidecode_run" lineno="43">
+<interface name="ptchown_exec" lineno="32">
+<summary>
+Execute ptchown in the caller domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="ptchown_run" lineno="58">
<summary>
-Execute dmidecode in the dmidecode domain, and
-allow the specified role the dmidecode domain.
+Execute ptchown in the ptchown
+domain, and allow the specified
+role the ptchown domain.
</summary>
<param name="domain">
<summary>
@@ -5977,14 +7059,28 @@ Domain allowed to transition.
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="dnsmasq" filename="policy/modules/contrib/dnsmasq.if">
-<summary>dnsmasq DNS forwarder and DHCP server</summary>
-<interface name="dnsmasq_domtrans" lineno="14">
+<module name="pulseaudio" filename="policy/modules/apps/pulseaudio.if">
+<summary>Pulseaudio network sound server.</summary>
+<interface name="pulseaudio_role" lineno="18">
<summary>
-Execute dnsmasq server in the dnsmasq domain.
+Role access for pulseaudio.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_domtrans" lineno="56">
+<summary>
+Execute a domain transition to run pulseaudio.
</summary>
<param name="domain">
<summary>
@@ -5992,19 +7088,26 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dnsmasq_initrc_domtrans" lineno="34">
+<interface name="pulseaudio_run" lineno="85">
<summary>
-Execute the dnsmasq init script in the init script domain.
+Execute pulseaudio in the pulseaudio
+domain, and allow the specified role
+the pulseaudio domain.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
</interface>
-<interface name="dnsmasq_signal" lineno="53">
+<interface name="pulseaudio_exec" lineno="104">
<summary>
-Send dnsmasq a signal
+Execute pulseaudio in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -6012,19 +7115,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_signull" lineno="72">
+<interface name="pulseaudio_dontaudit_exec" lineno="123">
<summary>
-Send dnsmasq a signull
+Do not audit attempts to execute pulseaudio.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="dnsmasq_kill" lineno="91">
+<interface name="pulseaudio_signull" lineno="142">
<summary>
-Send dnsmasq a kill signal.
+Send null signals to pulseaudio.
+processes.
</summary>
<param name="domain">
<summary>
@@ -6032,9 +7136,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_read_config" lineno="109">
+<interface name="pulseaudio_use_fds" lineno="161">
<summary>
-Read dnsmasq config files.
+Use file descriptors for
+pulseaudio.
</summary>
<param name="domain">
<summary>
@@ -6042,9 +7147,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_write_config" lineno="128">
+<interface name="pulseaudio_dontaudit_use_fds" lineno="180">
<summary>
-Write to dnsmasq config files.
+Do not audit attempts to use the
+file descriptors for pulseaudio.
</summary>
<param name="domain">
<summary>
@@ -6052,9 +7158,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_delete_pid_files" lineno="148">
+<interface name="pulseaudio_stream_connect" lineno="199">
<summary>
-Delete dnsmasq pid files
+Connect to pulseaudio with a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -6062,9 +7169,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_read_pid_files" lineno="167">
+<interface name="pulseaudio_dbus_chat" lineno="219">
<summary>
-Read dnsmasq pid files
+Send and receive messages from
+pulseaudio over dbus.
</summary>
<param name="domain">
<summary>
@@ -6072,90 +7180,157 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dnsmasq_admin" lineno="192">
+<interface name="pulseaudio_setattr_home_dir" lineno="239">
<summary>
-All of the rules required to administrate
-an dnsmasq environment
+Set attributes of pulseaudio home directories.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="pulseaudio_read_home" lineno="257">
+<summary>
+Read pulseaudio home content.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the dnsmasq domain.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="dovecot" filename="policy/modules/contrib/dovecot.if">
-<summary>Dovecot POP and IMAP mail server</summary>
-<interface name="dovecot_stream_connect_auth" lineno="14">
+<interface name="pulseaudio_rw_home_files" lineno="278">
<summary>
-Connect to dovecot auth unix domain stream socket.
+Read and write Pulse Audio files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="dovecot_domtrans_deliver" lineno="32">
+<interface name="pulseaudio_manage_home" lineno="299">
<summary>
-Execute dovecot_deliver in the dovecot_deliver domain.
+Create, read, write, and delete
+pulseaudio home content.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dovecot_manage_spool" lineno="50">
+<interface name="pulseaudio_home_filetrans_pulseaudio_home" lineno="332">
<summary>
-Create, read, write, and delete the dovecot spool files.
+Create objects in user home
+directories with the pulseaudio
+home type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="object_class">
+<summary>
+Class of the object being created.
+</summary>
+</param>
+<param name="name" optional="true">
+<summary>
+The name of the object being created.
+</summary>
+</param>
</interface>
-<interface name="dovecot_dontaudit_unlink_lib_files" lineno="69">
+<interface name="pulseaudio_tmpfs_content" lineno="351">
+<summary>
+Make the specified tmpfs file type
+pulseaudio tmpfs content.
+</summary>
+<param name="file_type">
<summary>
-Do not audit attempts to delete dovecot lib files.
+File type to make pulseaudio tmpfs content.
+</summary>
+</param>
+</interface>
+<interface name="pulseaudio_read_tmpfs_files" lineno="369">
+<summary>
+Read pulseaudio tmpfs files.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dovecot_admin" lineno="94">
+<interface name="pulseaudio_rw_tmpfs_files" lineno="389">
<summary>
-All of the rules required to administrate
-an dovecot environment
+Read and write pulseaudio tmpfs
+files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="pulseaudio_client_domain" lineno="417">
+<summary>
+Mark the specified domain as a PulseAudio client domain
+and the related tmpfs file type as a (shared) PulseAudio tmpfs
+file type used for the shared memory access
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the dovecot domain.
+Domain to become a PulseAudio client domain
+</summary>
+</param>
+<param name="tmpfstype">
+<summary>
+Tmpfs type used for shared memory of the given domain
</summary>
</param>
-<rolecap/>
</interface>
+<tunable name="pulseaudio_execmem" dftval="false">
+<desc>
+<p>
+Allow pulseaudio to execute code in
+writable memory
+</p>
+</desc>
+</tunable>
</module>
-<module name="dpkg" filename="policy/modules/contrib/dpkg.if">
-<summary>Policy for the Debian package manager.</summary>
-<interface name="dpkg_domtrans" lineno="15">
+<module name="qemu" filename="policy/modules/apps/qemu.if">
+<summary>QEMU machine emulator and virtualizer.</summary>
+<template name="qemu_domain_template" lineno="13">
<summary>
-Execute dpkg programs in the dpkg domain.
+The template to define a qemu domain.
+</summary>
+<param name="domain_prefix">
+<summary>
+Domain prefix to be used.
+</summary>
+</param>
+</template>
+<template name="qemu_role" lineno="114">
+<summary>
+Role access for qemu.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role.
+</summary>
+</param>
+</template>
+<interface name="qemu_domtrans" lineno="135">
+<summary>
+Execute a domain transition to run qemu.
</summary>
<param name="domain">
<summary>
@@ -6163,19 +7338,21 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dpkg_domtrans_script" lineno="35">
+<interface name="qemu_exec" lineno="154">
<summary>
-Execute dpkg_script programs in the dpkg_script domain.
+Execute a qemu in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_run" lineno="63">
+<interface name="qemu_run" lineno="181">
<summary>
-Execute dpkg programs in the dpkg domain.
+Execute qemu in the qemu domain,
+and allow the specified role the
+qemu domain.
</summary>
<param name="domain">
<summary>
@@ -6184,24 +7361,24 @@ Domain allowed to transition.
</param>
<param name="role">
<summary>
-The role to allow the dpkg domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<interface name="dpkg_use_fds" lineno="82">
+<interface name="qemu_read_state" lineno="200">
<summary>
-Inherit and use file descriptors from dpkg.
+Read qemu process state files.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to allow access.
</summary>
</param>
</interface>
-<interface name="dpkg_read_pipes" lineno="100">
+<interface name="qemu_setsched" lineno="221">
<summary>
-Read from an unnamed dpkg pipe.
+Set qemu scheduler.
</summary>
<param name="domain">
<summary>
@@ -6209,9 +7386,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_rw_pipes" lineno="118">
+<interface name="qemu_signal" lineno="239">
<summary>
-Read and write an unnamed dpkg pipe.
+Send generic signals to qemu.
</summary>
<param name="domain">
<summary>
@@ -6219,9 +7396,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_use_script_fds" lineno="136">
+<interface name="qemu_kill" lineno="257">
<summary>
-Inherit and use file descriptors from dpkg scripts.
+Send kill signals to qemu.
</summary>
<param name="domain">
<summary>
@@ -6229,9 +7406,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_read_db" lineno="154">
+<interface name="qemu_stream_connect" lineno="276">
<summary>
-Read the dpkg package database.
+Connect to qemu with a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -6239,9 +7417,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_manage_db" lineno="175">
+<interface name="qemu_delete_pid_sock_file" lineno="295">
<summary>
-Create, read, write, and delete the dpkg package database.
+Unlink qemu socket
</summary>
<param name="domain">
<summary>
@@ -6249,20 +7427,21 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="dpkg_dontaudit_manage_db" lineno="196">
+<interface name="qemu_domtrans_unconfined" lineno="314">
<summary>
-Do not audit attempts to create, read,
-write, and delete the dpkg package database.
+Execute a domain transition to
+run qemu unconfined.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="dpkg_lock_db" lineno="216">
+<interface name="qemu_manage_tmp_dirs" lineno="334">
<summary>
-Lock the dpkg package database.
+Create, read, write, and delete
+qemu temporary directories.
</summary>
<param name="domain">
<summary>
@@ -6270,79 +7449,103 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="entropyd" filename="policy/modules/contrib/entropyd.if">
-<summary>Generate entropy from audio input</summary>
-<tunable name="entropyd_use_audio" dftval="false">
+<interface name="qemu_manage_tmp_files" lineno="354">
+<summary>
+Create, read, write, and delete
+qemu temporary files.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="qemu_spec_domtrans" lineno="388">
+<summary>
+Execute qemu in a specified domain.
+</summary>
<desc>
<p>
-Allow the use of the audio devices as the source for the entropy feeds
+Execute qemu in a specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
</p>
</desc>
-</tunable>
-</module>
-<module name="evolution" filename="policy/modules/contrib/evolution.if">
-<summary>Evolution email client</summary>
-<interface name="evolution_role" lineno="18">
+<param name="source_domain">
<summary>
-Role access for evolution
+Domain allowed to transition.
</summary>
-<param name="role">
+</param>
+<param name="target_domain">
<summary>
-Role allowed access
+Domain to transition to.
</summary>
</param>
+</interface>
+<interface name="qemu_entry_type" lineno="408">
+<summary>
+Make qemu executable files an
+entrypoint for the specified domain.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+The domain for which qemu_exec_t is an entrypoint.
</summary>
</param>
</interface>
-<interface name="evolution_home_filetrans" lineno="85">
+<interface name="qemu_rw_pid_sock_files" lineno="428">
<summary>
-Create objects in users evolution home folders.
+Read/write to qemu socket files in /var/run
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="file_type">
+</interface>
+<tunable name="qemu_full_network" dftval="false">
+<desc>
+<p>
+Determine whether qemu has full
+access to the network.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="rssh" filename="policy/modules/apps/rssh.if">
+<summary>Restricted (scp/sftp) only shell.</summary>
+<interface name="rssh_role" lineno="18">
<summary>
-Private file type.
+Role access for rssh.
</summary>
-</param>
-<param name="class">
+<param name="role">
<summary>
-The object class of the object being created.
+Role allowed access.
</summary>
</param>
-</interface>
-<interface name="evolution_stream_connect" lineno="104">
-<summary>
-Connect to evolution unix stream socket.
-</summary>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="evolution_dbus_chat" lineno="124">
+<interface name="rssh_spec_domtrans" lineno="46">
<summary>
-Send and receive messages from
-evolution over dbus.
+Execute rssh in the rssh domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="evolution_alarm_dbus_chat" lineno="145">
+<interface name="rssh_exec" lineno="66">
<summary>
-Send and receive messages from
-evolution_alarm over dbus.
+Execute the rssh program
+in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -6350,12 +7553,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="exim" filename="policy/modules/contrib/exim.if">
-<summary>Exim mail transfer agent</summary>
-<interface name="exim_domtrans" lineno="13">
+<interface name="rssh_domtrans_chroot_helper" lineno="86">
<summary>
-Execute a domain transition to run exim.
+Execute a domain transition to
+run rssh chroot helper.
</summary>
<param name="domain">
<summary>
@@ -6363,84 +7564,111 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="exim_dontaudit_read_tmp_files" lineno="32">
+<interface name="rssh_read_ro_content" lineno="105">
<summary>
-Do not audit attempts to read,
-exim tmp files
+Read users rssh read-only content.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="exim_read_tmp_files" lineno="50">
+</module>
+<module name="sambagui" filename="policy/modules/apps/sambagui.if">
+<summary>system-config-samba dbus service.</summary>
+</module>
+<module name="screen" filename="policy/modules/apps/screen.if">
+<summary>GNU terminal multiplexer.</summary>
+<template name="screen_role_template" lineno="24">
<summary>
-Allow domain to read, exim tmp files
+The role template for the screen module.
</summary>
-<param name="domain">
+<param name="role_prefix">
<summary>
-Domain allowed access.
+The prefix of the user role (e.g., user
+is the prefix for user_r).
</summary>
</param>
-</interface>
-<interface name="exim_read_pid_files" lineno="69">
+<param name="user_role">
<summary>
-Read exim PID files.
+The role associated with the user domain.
</summary>
-<param name="domain">
+</param>
+<param name="user_domain">
<summary>
-Domain allowed access.
+The type of the user domain.
</summary>
</param>
-</interface>
-<interface name="exim_read_log" lineno="89">
+</template>
+</module>
+<module name="seunshare" filename="policy/modules/apps/seunshare.if">
+<summary>Filesystem namespacing/polyinstantiation application.</summary>
+<interface name="seunshare_domtrans" lineno="13">
<summary>
-Allow the specified domain to read exim's log files.
+Execute a domain transition to run seunshare.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="exim_append_log" lineno="109">
+<interface name="seunshare_run" lineno="37">
<summary>
-Allow the specified domain to append
-exim log files.
+Execute seunshare in the seunshare domain, and
+allow the specified role the seunshare domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="exim_manage_log" lineno="129">
+<interface name="seunshare_role" lineno="69">
+<summary>
+Role access for seunshare
+</summary>
+<param name="role">
<summary>
-Allow the specified domain to manage exim's log files.
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="exim_manage_spool_dirs" lineno="149">
+</module>
+<module name="sigrok" filename="policy/modules/apps/sigrok.if">
+<summary>sigrok signal analysis software suite.</summary>
+<interface name="sigrok_run" lineno="18">
<summary>
-Create, read, write, and delete
-exim spool dirs.
+Execute sigrok in its domain.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="exim_read_spool_files" lineno="168">
+</module>
+<module name="slocate" filename="policy/modules/apps/slocate.if">
+<summary>Update database for mlocate.</summary>
+<interface name="locate_read_lib_files" lineno="13">
<summary>
-Read exim spool files.
+Read locate lib files.
</summary>
<param name="domain">
<summary>
@@ -6448,56 +7676,107 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="exim_manage_spool_files" lineno="189">
+</module>
+<module name="syncthing" filename="policy/modules/apps/syncthing.if">
+<summary>Application that lets you synchronize your files across multiple devices.</summary>
+<interface name="syncthing_role" lineno="18">
<summary>
-Create, read, write, and delete
-exim spool files.
+Role access for Syncthing
</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role
</summary>
</param>
</interface>
-<tunable name="exim_can_connect_db" dftval="false">
+<tunable name="syncthing_read_generic_user_content" dftval="true">
<desc>
<p>
-Allow exim to connect to databases (postgres, mysql)
+Grant the syncthing domains read access to generic user content
</p>
</desc>
</tunable>
-<tunable name="exim_read_user_files" dftval="false">
+<tunable name="syncthing_read_all_user_content" dftval="false">
<desc>
<p>
-Allow exim to read unprivileged user files.
+Grant the syncthing domains read access to all user content
</p>
</desc>
</tunable>
-<tunable name="exim_manage_user_files" dftval="false">
+<tunable name="syncthing_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the syncthing domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="syncthing_manage_all_user_content" dftval="false">
<desc>
<p>
-Allow exim to create, read, write, and delete
-unprivileged user files.
+Grant the syncthing domains manage rights on all user content
</p>
</desc>
</tunable>
</module>
-<module name="fail2ban" filename="policy/modules/contrib/fail2ban.if">
-<summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
-<interface name="fail2ban_domtrans" lineno="13">
+<module name="telepathy" filename="policy/modules/apps/telepathy.if">
+<summary>Telepathy communications framework.</summary>
+<template name="telepathy_domain_template" lineno="13">
<summary>
-Execute a domain transition to run fail2ban.
+The template to define a telepathy domain.
+</summary>
+<param name="domain_prefix">
+<summary>
+Domain prefix to be used.
+</summary>
+</param>
+</template>
+<template name="telepathy_role_template" lineno="59">
+<summary>
+The role template for the telepathy module.
+</summary>
+<desc>
+<p>
+This template creates a derived domains which are used
+for window manager applications.
+</p>
+</desc>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="telepathy_gabble_stream_connect" lineno="137">
+<summary>
+Connect to gabble with a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fail2ban_stream_connect" lineno="32">
+<interface name="telepathy_gabble_dbus_chat" lineno="157">
<summary>
-Connect to fail2ban over a unix domain
-stream socket.
+Send dbus messages to and from
+gabble.
</summary>
<param name="domain">
<summary>
@@ -6505,9 +7784,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fail2ban_rw_stream_sockets" lineno="51">
+<interface name="telepathy_mission_control_dbus_chat" lineno="178">
<summary>
-Read and write to an fail2ban unix stream socket.
+Send dbus messages to and from
+mission control.
</summary>
<param name="domain">
<summary>
@@ -6515,9 +7795,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fail2ban_read_lib_files" lineno="69">
+<interface name="telepathy_mission_control_read_state" lineno="198">
<summary>
-Read fail2ban lib files.
+Read mission control process state files.
</summary>
<param name="domain">
<summary>
@@ -6525,21 +7805,21 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fail2ban_read_log" lineno="89">
+<interface name="telepathy_msn_stream_connect" lineno="220">
<summary>
-Allow the specified domain to read fail2ban's log files.
+Connect to msn with a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="fail2ban_append_log" lineno="110">
+<interface name="telepathy_salut_stream_connect" lineno="240">
<summary>
-Allow the specified domain to append
-fail2ban log files.
+Connect to salut with a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -6547,64 +7827,128 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="fail2ban_read_pid_files" lineno="130">
+<tunable name="telepathy_tcp_connect_generic_network_ports" dftval="false">
+<desc>
+<p>
+Determine whether telepathy connection
+managers can connect to generic tcp ports.
+</p>
+</desc>
+</tunable>
+<tunable name="telepathy_connect_all_ports" dftval="false">
+<desc>
+<p>
+Determine whether telepathy connection
+managers can connect to any port.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="thunderbird" filename="policy/modules/apps/thunderbird.if">
+<summary>Thunderbird email client.</summary>
+<interface name="thunderbird_role" lineno="18">
<summary>
-Read fail2ban PID files.
+Role access for thunderbird.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="fail2ban_admin" lineno="156">
+<interface name="thunderbird_domtrans" lineno="52">
<summary>
-All of the rules required to administrate
-an fail2ban environment
+Execute thunderbird in the thunderbird domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
+</interface>
+<tunable name="thunderbird_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the thunderbird domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="thunderbird_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the thunderbird domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="thunderbird_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the thunderbird domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="thunderbird_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the thunderbird domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="tvtime" filename="policy/modules/apps/tvtime.if">
+<summary>High quality television application.</summary>
+<interface name="tvtime_role" lineno="18">
+<summary>
+Role access for tvtime
+</summary>
<param name="role">
<summary>
-The role to be allowed to manage the fail2ban domain.
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="fetchmail" filename="policy/modules/contrib/fetchmail.if">
-<summary>Remote-mail retrieval and forwarding utility</summary>
-<interface name="fetchmail_admin" lineno="15">
+<module name="uml" filename="policy/modules/apps/uml.if">
+<summary>User mode linux tools and services.</summary>
+<interface name="uml_role" lineno="18">
<summary>
-All of the rules required to administrate
-an fetchmail environment
+Role access for uml.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="finger" filename="policy/modules/contrib/finger.if">
-<summary>Finger user information service.</summary>
-<interface name="finger_domtrans" lineno="13">
+<interface name="uml_setattr_util_sockets" lineno="55">
<summary>
-Execute fingerd in the fingerd domain.
+Set attributes of uml pid sock files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="finger_tcp_connect" lineno="31">
+<interface name="uml_manage_util_files" lineno="74">
<summary>
-Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
+Create, read, write, and delete
+uml pid files.
</summary>
<param name="domain">
<summary>
@@ -6613,40 +7957,64 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="firstboot" filename="policy/modules/contrib/firstboot.if">
+<module name="userhelper" filename="policy/modules/apps/userhelper.if">
+<summary>A wrapper that helps users run system programs.</summary>
+<template name="userhelper_role_template" lineno="24">
<summary>
-Final system configuration run during the first boot
-after installation of Red Hat/Fedora systems.
+The role template for the userhelper module.
</summary>
-<interface name="firstboot_domtrans" lineno="16">
+<param name="userrole_prefix">
<summary>
-Execute firstboot in the firstboot domain.
+The prefix of the user role (e.g., user
+is the prefix for user_r).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The user role.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain associated with the role.
+</summary>
+</param>
+</template>
+<interface name="userhelper_search_config" lineno="110">
+<summary>
+Search userhelper configuration directories.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_run" lineno="40">
+<interface name="userhelper_dontaudit_search_config" lineno="129">
<summary>
-Execute firstboot in the firstboot domain, and
-allow the specified role the firstboot domain.
+Do not audit attempts to search
+userhelper configuration directories.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="userhelper_dbus_chat_all_consolehelper" lineno="148">
<summary>
-Role allowed access.
+Send and receive messages from
+consolehelper over dbus.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_use_fds" lineno="59">
+<interface name="userhelper_use_fd" lineno="168">
<summary>
-Inherit and use a file descriptor from firstboot.
+Use userhelper all userhelper file descriptors.
</summary>
<param name="domain">
<summary>
@@ -6654,20 +8022,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_dontaudit_use_fds" lineno="78">
+<interface name="userhelper_sigchld" lineno="186">
<summary>
-Do not audit attempts to inherit a
-file descriptor from firstboot.
+Send child terminated signals to all userhelper.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_write_pipes" lineno="96">
+<interface name="userhelper_exec" lineno="204">
<summary>
-Write to a firstboot unnamed pipe.
+Execute the userhelper program in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -6675,9 +8042,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_rw_pipes" lineno="114">
+<interface name="userhelper_exec_consolehelper" lineno="224">
<summary>
-Read and Write to a firstboot unnamed pipe.
+Execute the consolehelper program
+in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -6685,33 +8053,43 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="firstboot_dontaudit_rw_pipes" lineno="132">
+</module>
+<module name="usernetctl" filename="policy/modules/apps/usernetctl.if">
+<summary>User network interface configuration helper.</summary>
+<interface name="usernetctl_domtrans" lineno="13">
<summary>
-Do not audit attemps to read and write to a firstboot unnamed pipe.
+Execute usernetctl in the usernetctl domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="firstboot_dontaudit_rw_stream_sockets" lineno="151">
+<interface name="usernetctl_run" lineno="40">
<summary>
-Do not audit attemps to read and write to a firstboot
-unix domain stream socket.
+Execute usernetctl in the usernetctl
+domain, and allow the specified role
+the usernetctl domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
+<rolecap/>
</interface>
</module>
-<module name="fprintd" filename="policy/modules/contrib/fprintd.if">
-<summary>DBus fingerprint reader service</summary>
-<interface name="fprintd_domtrans" lineno="13">
+<module name="vlock" filename="policy/modules/apps/vlock.if">
+<summary>Lock one or more sessions on the Linux console.</summary>
+<interface name="vlock_domtrans" lineno="13">
<summary>
-Execute a domain transition to run fprintd.
+Execute vlock in the vlock domain.
</summary>
<param name="domain">
<summary>
@@ -6719,33 +8097,45 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="fprintd_dbus_chat" lineno="32">
+<interface name="vlock_run" lineno="40">
<summary>
-Send and receive messages from
-fprintd over dbus.
+Execute vlock in the vlock domain,
+and allow the specified role
+the vlock domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed to access.
</summary>
</param>
+<rolecap/>
</interface>
</module>
-<module name="ftp" filename="policy/modules/contrib/ftp.if">
-<summary>File transfer protocol service</summary>
-<interface name="ftp_dyntrans_anon_sftpd" lineno="13">
+<module name="vmware" filename="policy/modules/apps/vmware.if">
+<summary>VMWare Workstation virtual machines.</summary>
+<interface name="vmware_role" lineno="18">
<summary>
-Allow domain dyntransition to sftpd_anon domain.
+Role access for vmware.
</summary>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="ftp_tcp_connect" lineno="31">
+<interface name="vmware_exec_host" lineno="50">
<summary>
-Use ftp by connecting over TCP. (Deprecated)
+Execute vmware host executables
</summary>
<param name="domain">
<summary>
@@ -6753,9 +8143,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ftp_read_config" lineno="45">
+<interface name="vmware_read_system_config" lineno="69">
<summary>
-Read ftpd etc files
+Read vmware system configuration files.
</summary>
<param name="domain">
<summary>
@@ -6763,9 +8153,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ftp_check_exec" lineno="64">
+<interface name="vmware_append_system_config" lineno="88">
<summary>
-Execute FTP daemon entry point programs.
+Append vmware system configuration files.
</summary>
<param name="domain">
<summary>
@@ -6773,9 +8163,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ftp_read_log" lineno="83">
+<interface name="vmware_append_log" lineno="107">
<summary>
-Read FTP transfer logs
+Append vmware log files.
</summary>
<param name="domain">
<summary>
@@ -6783,9 +8173,12 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ftp_domtrans_ftpdctl" lineno="102">
+</module>
+<module name="webalizer" filename="policy/modules/apps/webalizer.if">
+<summary>Web server log analysis.</summary>
+<interface name="webalizer_domtrans" lineno="13">
<summary>
-Execute the ftpdctl program in the ftpdctl domain.
+Execute webalizer in the webalizer domain.
</summary>
<param name="domain">
<summary>
@@ -6793,9 +8186,11 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="ftp_run_ftpdctl" lineno="127">
+<interface name="webalizer_run" lineno="40">
<summary>
-Execute the ftpdctl program in the ftpdctl domain.
+Execute webalizer in the webalizer
+domain, and allow the specified
+role the webalizer domain.
</summary>
<param name="domain">
<summary>
@@ -6804,159 +8199,130 @@ Domain allowed to transition.
</param>
<param name="role">
<summary>
-The role to allow the ftpdctl domain.
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<interface name="ftp_dyntrans_sftpd" lineno="146">
+<interface name="manage_webalizer_var_lib" lineno="60">
<summary>
-Allow domain dyntransition to sftpd domain.
+Manage webalizer usage files
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed to manage webalizer usage files
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="ftp_admin" lineno="171">
+<tunable name="allow_httpd_webalizer_script_anon_write" dftval="false">
+<desc>
+<p>
+Determine whether the script domain can
+modify public files used for public file
+transfer services. Directories/Files must
+be labeled public_content_rw_t.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="wine" filename="policy/modules/apps/wine.if">
+<summary>Run Windows programs in Linux.</summary>
+<interface name="wine_role" lineno="18">
<summary>
-All of the rules required to administrate
-an ftp environment
+Role access for wine.
</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed access.
+Role allowed access.
</summary>
</param>
-<param name="role">
+<param name="domain">
<summary>
-The role to be allowed to manage the ftp domain.
+User domain for the role.
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="allow_ftpd_anon_write" dftval="false">
-<desc>
-<p>
-Allow ftp servers to upload files, used for public file
-transfer services. Directories must be labeled
-public_content_rw_t.
-</p>
-</desc>
-</tunable>
-<tunable name="allow_ftpd_full_access" dftval="false">
-<desc>
-<p>
-Allow ftp servers to login to local users and
-read/write all files on the system, governed by DAC.
-</p>
-</desc>
-</tunable>
-<tunable name="allow_ftpd_use_cifs" dftval="false">
-<desc>
-<p>
-Allow ftp servers to use cifs
-used for public file transfer services.
-</p>
-</desc>
-</tunable>
-<tunable name="allow_ftpd_use_nfs" dftval="false">
-<desc>
-<p>
-Allow ftp servers to use nfs
-used for public file transfer services.
-</p>
-</desc>
-</tunable>
-<tunable name="ftp_home_dir" dftval="false">
-<desc>
-<p>
-Allow ftp to read and write files in the user home directories
-</p>
-</desc>
-</tunable>
-<tunable name="sftpd_anon_write" dftval="false">
-<desc>
-<p>
-Allow anon internal-sftp to upload files, used for
-public file transfer services. Directories must be labeled
-public_content_rw_t.
-</p>
-</desc>
-</tunable>
-<tunable name="sftpd_enable_homedirs" dftval="false">
-<desc>
-<p>
-Allow sftp-internal to read and write files
-in the user home directories
-</p>
-</desc>
-</tunable>
-<tunable name="sftpd_full_access" dftval="false">
+<template name="wine_role_template" lineno="73">
+<summary>
+The role template for the wine module.
+</summary>
<desc>
<p>
-Allow sftp-internal to login to local users and
-read/write all files on the system, governed by DAC.
+This template creates a derived domains which are used
+for wine applications.
</p>
</desc>
-</tunable>
-</module>
-<module name="games" filename="policy/modules/contrib/games.if">
-<summary>Games</summary>
-<interface name="games_role" lineno="18">
+<param name="role_prefix">
<summary>
-Role access for games
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
</summary>
-<param name="role">
+</param>
+<param name="user_role">
<summary>
-Role allowed access
+The role associated with the user domain.
</summary>
</param>
-<param name="domain">
+<param name="user_domain">
<summary>
-User domain for the role
+The type of the user domain.
</summary>
</param>
-</interface>
-<interface name="games_rw_data" lineno="45">
+</template>
+<interface name="wine_domtrans" lineno="114">
<summary>
-Allow the specified domain to read/write
-games data.
+Execute the wine program in the wine domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-</module>
-<module name="gatekeeper" filename="policy/modules/contrib/gatekeeper.if">
-<summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
-</module>
-<module name="gift" filename="policy/modules/contrib/gift.if">
-<summary>giFT peer to peer file sharing tool</summary>
-<interface name="gift_role" lineno="18">
+<interface name="wine_run" lineno="140">
<summary>
-Role access for gift
+Execute wine in the wine domain,
+and allow the specified role
+the wine domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
</summary>
+</param>
<param name="role">
<summary>
-Role allowed access
+Role allowed access.
</summary>
</param>
+</interface>
+<interface name="wine_rw_shm" lineno="160">
+<summary>
+Read and write wine Shared
+memory segments.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="wine_mmap_zero_ignore" dftval="false">
+<desc>
+<p>
+Determine whether attempts by
+wine to mmap low regions should
+be silently blocked.
+</p>
+</desc>
+</tunable>
</module>
-<module name="git" filename="policy/modules/contrib/git.if">
-<summary>GIT revision control system.</summary>
-<template name="git_role" lineno="18">
+<module name="wireshark" filename="policy/modules/apps/wireshark.if">
+<summary>Wireshark packet capture tool.</summary>
+<interface name="wireshark_role" lineno="18">
<summary>
-Role access for Git session.
+Role access for wireshark.
</summary>
<param name="role">
<summary>
@@ -6968,117 +8334,169 @@ Role allowed access.
User domain for the role.
</summary>
</param>
-</template>
-<tunable name="git_cgi_enable_homedirs" dftval="false">
-<desc>
-<p>
-Determine whether Git CGI
-can search home directories.
-</p>
-</desc>
-</tunable>
-<tunable name="git_cgi_use_cifs" dftval="false">
-<desc>
-<p>
-Determine whether Git CGI
-can access cifs file systems.
-</p>
-</desc>
-</tunable>
-<tunable name="git_cgi_use_nfs" dftval="false">
-<desc>
-<p>
-Determine whether Git CGI
-can access nfs file systems.
-</p>
-</desc>
-</tunable>
-<tunable name="git_session_users" dftval="false">
+</interface>
+<interface name="wireshark_domtrans" lineno="50">
+<summary>
+Execute wireshark in wireshark domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+</interface>
+<tunable name="wireshark_read_generic_user_content" dftval="true">
<desc>
<p>
-Determine whether calling user domains
-can execute Git daemon in the
-git_session_t domain.
+Grant the wireshark domains read access to generic user content
</p>
</desc>
</tunable>
-<tunable name="git_session_send_syslog_msg" dftval="false">
+<tunable name="wireshark_read_all_user_content" dftval="false">
<desc>
<p>
-Determine whether Git session daemons
-can send syslog messages.
+Grant the wireshark domains read access to all user content
</p>
</desc>
</tunable>
-<tunable name="git_system_enable_homedirs" dftval="false">
+<tunable name="wireshark_manage_generic_user_content" dftval="false">
<desc>
<p>
-Determine whether Git system daemon
-can search home directories.
+Grant the wireshark domains manage rights on generic user content
</p>
</desc>
</tunable>
-<tunable name="git_system_use_cifs" dftval="false">
+<tunable name="wireshark_manage_all_user_content" dftval="false">
<desc>
<p>
-Determine whether Git system daemon
-can access cifs file systems.
+Grant the wireshark domains manage rights on all user content
</p>
</desc>
</tunable>
-<tunable name="git_system_use_nfs" dftval="false">
+</module>
+<module name="wm" filename="policy/modules/apps/wm.if">
+<summary>X Window Managers.</summary>
+<template name="wm_role_template" lineno="30">
+<summary>
+The role template for the wm module.
+</summary>
<desc>
<p>
-Determine whether Git system daemon
-can access nfs file systems.
+This template creates a derived domains which are used
+for window manager applications.
</p>
</desc>
-</tunable>
-</module>
-<module name="gitosis" filename="policy/modules/contrib/gitosis.if">
-<summary>Tools for managing and hosting git repositories.</summary>
-<interface name="gitosis_domtrans" lineno="13">
+<param name="role_prefix">
<summary>
-Execute a domain transition to run gitosis.
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
+</summary>
+</param>
+</template>
+<interface name="wm_exec" lineno="112">
+<summary>
+Execute wm in the caller domain.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gitosis_run" lineno="37">
+<interface name="wm_dbus_chat" lineno="138">
<summary>
-Execute gitosis-serve in the gitosis domain, and
-allow the specified role the gitosis domain.
+Send and receive messages from
+specified wm over dbus.
</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="wm_dontaudit_exec_tmp_files" lineno="159">
<summary>
-Role allowed access.
+Do not audit attempts to execute
+files in temporary directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="gitosis_read_lib_files" lineno="57">
+<interface name="wm_dontaudit_exec_tmpfs_files" lineno="178">
<summary>
-Allow the specified domain to read
-gitosis lib files.
+Do not audit attempts to execute
+files in temporary filesystems.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="gitosis_manage_lib_files" lineno="79">
+<interface name="wm_application_domain" lineno="221">
<summary>
-Allow the specified domain to manage
-gitosis lib files.
+Create a domain for applications
+that are launched by the window
+manager.
+</summary>
+<desc>
+<p>
+Create a domain for applications that are launched by the
+window manager (implying a domain transition). Typically
+these are graphical applications that are run interactively.
+</p>
+<p>
+The types will be made usable as a domain and file, making
+calls to domain_type() and files_type() redundant.
+</p>
+</desc>
+<param name="target_domain">
+<summary>
+Type to be used in the domain transition as the application
+domain.
</summary>
+</param>
+<param name="entry_point">
+<summary>
+Type of the program to be used as an entry point to this domain.
+</summary>
+</param>
+<param name="source_domain">
+<summary>
+Type to be used as the source window manager domain.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="wm_write_pipes" lineno="246">
+<summary>
+Write wm unnamed pipes.
+</summary>
+<param name="role_prefix">
+<summary>
+The prefix of the user domain (e.g., user
+is the prefix for user_t).
+</summary>
+</param>
<param name="domain">
<summary>
Domain allowed access.
@@ -7086,21 +8504,36 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="glance" filename="policy/modules/contrib/glance.if">
-<summary>policy for glance</summary>
-<interface name="glance_domtrans_registry" lineno="13">
+<module name="xscreensaver" filename="policy/modules/apps/xscreensaver.if">
+<summary>Modular screen saver and locker for X11.</summary>
+<interface name="xscreensaver_role" lineno="18">
<summary>
-Transition to glance registry.
+Role access for xscreensaver.
+</summary>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role.
</summary>
</param>
</interface>
-<interface name="glance_domtrans_api" lineno="32">
+<tunable name="xscreensaver_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the xscreensaver domains read access to generic user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="yam" filename="policy/modules/apps/yam.if">
+<summary>Yum/Apt Mirroring.</summary>
+<interface name="yam_domtrans" lineno="13">
<summary>
-Transition to glance api.
+Execute yam in the yam domain.
</summary>
<param name="domain">
<summary>
@@ -7108,20 +8541,26 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="glance_read_log" lineno="52">
+<interface name="yam_run" lineno="39">
<summary>
-Read glance's log files.
+Execute yam in the yam domain, and
+allow the specified role the yam domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
<rolecap/>
</interface>
-<interface name="glance_append_log" lineno="71">
+<interface name="yam_read_content" lineno="58">
<summary>
-Append to glance log files.
+Read yam content.
</summary>
<param name="domain">
<summary>
@@ -7129,19 +8568,31 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="glance_manage_log" lineno="90">
+</module>
+</layer>
+<layer name="contrib">
+<summary>Gentoo-specific policy modules</summary>
+<module name="android" filename="policy/modules/contrib/android.if">
+<summary>Android development tools - adb, fastboot, android studio</summary>
+<interface name="android_role" lineno="18">
<summary>
-Manage glance log files
+The role for using the android tools.
</summary>
+<param name="role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+The user domain.
</summary>
</param>
</interface>
-<interface name="glance_search_lib" lineno="111">
+<interface name="android_tools_domtrans" lineno="74">
<summary>
-Search glance lib directories.
+Execute the android tools commands in the
+android tools domain.
</summary>
<param name="domain">
<summary>
@@ -7149,9 +8600,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="glance_read_lib_files" lineno="130">
+<interface name="android_dbus_chat" lineno="95">
<summary>
-Read glance lib files.
+Send and receive messages from the android java
+domain over dbus.
</summary>
<param name="domain">
<summary>
@@ -7159,85 +8611,125 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="glance_manage_lib_files" lineno="149">
+</module>
+<module name="at" filename="policy/modules/contrib/at.if">
+<summary>At daemon for running a task a single time</summary>
+<interface name="at_role" lineno="18">
+<summary>
+Role access for at
+</summary>
+<param name="role">
<summary>
-Manage glance lib files.
+Role allowed access
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed access.
+User domain for the role
</summary>
</param>
</interface>
-<interface name="glance_manage_lib_dirs" lineno="168">
+<interface name="at_rw_inherited_job_log_files" lineno="70">
<summary>
-Manage glance lib directories.
+Read from and write to the the inherited atd
+joblog file
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="glance_read_pid_files" lineno="187">
+</module>
+<module name="bitcoin" filename="policy/modules/contrib/bitcoin.if">
+<summary>Bitcoin software-based online payment system</summary>
+<interface name="bitcoin_admin" lineno="18">
<summary>
-Read glance PID files.
+Administer a bitcoin environment
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
</summary>
</param>
</interface>
-<interface name="glance_manage_pid_files" lineno="206">
+<tunable name="bitcoin_bind_all_unreserved_ports" dftval="false">
+<desc>
+<p>
+Determine whether the bitcoin daemon can bind
+to all unreserved ports or not.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="ceph" filename="policy/modules/contrib/ceph.if">
+<summary>Ceph distributed object storage</summary>
+<template name="ceph_domain_template" lineno="13">
<summary>
-Manage glance PID files.
+Create the individual Ceph domains
</summary>
-<param name="domain">
+<param name="cephdaemon">
<summary>
-Domain allowed access.
+The daemon (osd, mds or mon) for which the rules are created
</summary>
</param>
-</interface>
-<interface name="glance_admin" lineno="232">
+</template>
+<interface name="ceph_admin" lineno="65">
<summary>
-All of the rules required to administrate
-an glance environment
+Administrative access for Ceph
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
<param name="role">
<summary>
-Role allowed access.
+Domain allowed access
+</summary>
+</param>
+</interface>
+<interface name="ceph_read_key" lineno="98">
+<summary>
+Read Ceph key files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="gnome" filename="policy/modules/contrib/gnome.if">
-<summary>GNU network object model environment (GNOME)</summary>
-<interface name="gnome_role" lineno="18">
+<module name="dirsrv" filename="policy/modules/contrib/dirsrv.if">
+<summary>policy for dirsrv</summary>
+<interface name="dirsrv_domtrans" lineno="15">
<summary>
-Role access for gnome
+Execute a domain transition to run dirsrv.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed to transition.
</summary>
</param>
+</interface>
+<interface name="dirsrv_signal" lineno="38">
+<summary>
+Allow caller to signal dirsrv.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_exec_gconf" lineno="49">
+<interface name="dirsrv_signull" lineno="57">
<summary>
-Execute gconf programs in
-in the caller domain.
+Send a null signal to dirsrv.
</summary>
<param name="domain">
<summary>
@@ -7245,19 +8737,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<template name="gnome_read_gconf_config" lineno="67">
+<interface name="dirsrv_manage_log" lineno="75">
<summary>
-Read gconf config files.
+Allow a domain to manage dirsrv logs.
</summary>
-<param name="user_domain">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</template>
-<interface name="gnome_manage_gconf_config" lineno="87">
+</interface>
+<interface name="dirsrv_manage_var_lib" lineno="95">
<summary>
-Create, read, write, and delete gconf config files.
+Allow a domain to manage dirsrv /var/lib files.
</summary>
<param name="domain">
<summary>
@@ -7265,19 +8757,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_stream_connect_gconf" lineno="106">
+<interface name="dirsrv_manage_var_run" lineno="113">
<summary>
-gconf connection template.
+Allow a domain to manage dirsrv /var/run files.
</summary>
-<param name="user_domain">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_domtrans_gconfd" lineno="125">
+<interface name="dirsrv_pid_filetrans" lineno="132">
<summary>
-Run gconfd in gconfd domain.
+Allow a domain to create dirsrv pid directories.
</summary>
<param name="domain">
<summary>
@@ -7285,9 +8777,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gnome_setattr_config_dirs" lineno="143">
+<interface name="dirsrv_read_var_run" lineno="150">
<summary>
-Set attributes of Gnome config dirs.
+Allow a domain to read dirsrv /var/run files.
</summary>
<param name="domain">
<summary>
@@ -7295,32 +8787,32 @@ Domain allowed access.
</summary>
</param>
</interface>
-<template name="gnome_read_config" lineno="162">
+<interface name="dirsrv_manage_config" lineno="168">
<summary>
-Read gnome homedir content (.config)
+Manage dirsrv configuration files.
</summary>
-<param name="user_domain">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</template>
-<interface name="gnome_manage_config" lineno="182">
+</interface>
+<interface name="dirsrv_read_share" lineno="187">
<summary>
-manage gnome homedir content (.config)
+Read dirsrv share files.
</summary>
-<param name="user_domain">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
</module>
-<module name="gnomeclock" filename="policy/modules/contrib/gnomeclock.if">
-<summary>Gnome clock handler for setting the time.</summary>
-<interface name="gnomeclock_domtrans" lineno="13">
+<module name="dracut" filename="policy/modules/contrib/dracut.if">
+<summary>Dracut initramfs creation tool</summary>
+<interface name="dracut_domtrans" lineno="13">
<summary>
-Execute a domain transition to run gnomeclock.
+Execute the dracut program in the dracut domain.
</summary>
<param name="domain">
<summary>
@@ -7328,10 +8820,10 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="gnomeclock_run" lineno="37">
+<interface name="dracut_run" lineno="38">
<summary>
-Execute gnomeclock in the gnomeclock domain, and
-allow the specified role the gnomeclock domain.
+Execute dracut in the dracut domain, and
+allow the specified role the dracut domain.
</summary>
<param name="domain">
<summary>
@@ -7344,10 +8836,9 @@ Role allowed access.
</summary>
</param>
</interface>
-<interface name="gnomeclock_dbus_chat" lineno="57">
+<interface name="dracut_rw_tmp_files" lineno="57">
<summary>
-Send and receive messages from
-gnomeclock over dbus.
+Read/write dracut temporary files
</summary>
<param name="domain">
<summary>
@@ -7356,172 +8847,277 @@ Domain allowed access.
</param>
</interface>
</module>
-<module name="gpg" filename="policy/modules/contrib/gpg.if">
-<summary>Policy for GNU Privacy Guard and related programs.</summary>
-<interface name="gpg_role" lineno="18">
+<module name="dropbox" filename="policy/modules/contrib/dropbox.if">
+<summary>Dropbox client - Store, Sync and Share Files Online</summary>
+<interface name="dropbox_role" lineno="18">
<summary>
-Role access for gpg
+The role for using the dropbox client.
</summary>
<param name="role">
<summary>
-Role allowed access
+The role associated with the user domain.
</summary>
</param>
<param name="domain">
<summary>
-User domain for the role
+The user domain.
</summary>
</param>
</interface>
-<interface name="gpg_domtrans" lineno="80">
+<interface name="dropbox_dbus_chat" lineno="66">
<summary>
-Transition to a user gpg domain.
+Send and receive messages from the dropbox daemon
+over dbus.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="gpg_exec" lineno="98">
+<interface name="dropbox_read_content" lineno="86">
<summary>
-Execute the gpg application without transitioning
+Allow other domains to read dropbox's content files
</summary>
<param name="domain">
<summary>
-Domain allowed to execute gpg
+The domain that is allowed read access to the dropbox_content_t files
</summary>
</param>
</interface>
-<interface name="gpg_signal" lineno="116">
+<interface name="dropbox_manage_content" lineno="105">
<summary>
-Send generic signals to user gpg processes.
+Allow other domains to manage dropbox's content files
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain that is allowed to manage the dropbox_content_t files and directories
+</summary>
+</param>
+</interface>
+<tunable name="dropbox_bind_port" dftval="false">
+<desc>
+<p>
+Determine whether dropbox can bind to
+local tcp and udp ports.
+Required for Dropbox' LAN Sync feature
+</p>
+</desc>
+</tunable>
+<tunable name="dropbox_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the dropbox domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="dropbox_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the dropbox domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="dropbox_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the dropbox domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="dropbox_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the dropbox domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="flash" filename="policy/modules/contrib/flash.if">
+<summary>
+Flash player
+</summary>
+<interface name="flash_manage_home" lineno="15">
+<summary>
+Manage the Flash player home files
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="gpg_rw_agent_pipes" lineno="134">
+<interface name="flash_relabel_home" lineno="33">
<summary>
-Read and write GPG agent pipes.
+Relabel the flash home resources
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="gpg_pinentry_dbus_chat" lineno="154">
+</module>
+<module name="googletalk" filename="policy/modules/contrib/googletalk.if">
<summary>
-Send messages to and from GPG
-Pinentry over DBUS.
+Google Talk
+</summary>
+<interface name="googletalk_plugin_domain" lineno="17">
+<summary>
+Grant the plugin domain the needed privileges to launch and
+interact with the GoogleTalk application. Used for web browser
+plugin domains.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="gpg_list_user_secrets" lineno="174">
+<interface name="googletalk_domtrans_plugin" lineno="51">
<summary>
-List Gnu Privacy Guard user secrets.
+Execute Google talk plugin in the Google talk plugin domain
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition
</summary>
</param>
</interface>
-<tunable name="gpg_agent_env_file" dftval="false">
-<desc>
-<p>
-Allow usage of the gpg-agent --write-env-file option.
-This also allows gpg-agent to manage user files.
-</p>
-</desc>
-</tunable>
-</module>
-<module name="gpm" filename="policy/modules/contrib/gpm.if">
-<summary>General Purpose Mouse driver</summary>
-<interface name="gpm_stream_connect" lineno="14">
+<interface name="googletalk_run_plugin" lineno="76">
<summary>
-Connect to GPM over a unix domain
-stream socket.
+Execute Google talk plugin in the Google talk plugin domain,
+and allow the specified role the google talk plugin domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
</summary>
</param>
</interface>
-<interface name="gpm_getattr_gpmctl" lineno="34">
+<interface name="googletalk_use_plugin_fds" lineno="95">
<summary>
-Get the attributes of the GPM
-control channel named socket.
+Use the file descriptor of googletalk plugin
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="gpm_dontaudit_getattr_gpmctl" lineno="55">
+<interface name="googletalk_rw_inherited_plugin_unix_stream_sockets" lineno="113">
<summary>
-Do not audit attempts to get the
-attributes of the GPM control channel
-named socket.
+Read and write to the google talk plugin inherited stream sockets
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="gpm_setattr_gpmctl" lineno="74">
+<interface name="googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config" lineno="143">
<summary>
-Set the attributes of the GPM
-control channel named socket.
+Create objects in the xdg config home location
+with an automatic type transition to the googletalk
+plugin xdg config home type
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="object_class">
+<summary>
+The class of the object to be created.
+</summary>
+</param>
+<param name="filename" optional="true">
+<summary>
+Name of the file or directory created
+</summary>
+</param>
+</interface>
+<interface name="googletalk_manage_plugin_xdg_config" lineno="161">
+<summary>
+Manage google talk plugin xdg configuration
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access
+</summary>
+</param>
</interface>
</module>
-<module name="gpsd" filename="policy/modules/contrib/gpsd.if">
-<summary>gpsd monitor daemon</summary>
-<interface name="gpsd_domtrans" lineno="13">
+<module name="gorg" filename="policy/modules/contrib/gorg.if">
+<summary>Policy for gorg</summary>
+<interface name="gorg_role" lineno="18">
<summary>
-Execute a domain transition to run gpsd.
+Role access for gorg
</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role
</summary>
</param>
</interface>
-<interface name="gpsd_run" lineno="37">
+</module>
+<module name="kdeconnect" filename="policy/modules/contrib/kdeconnect.if">
+<summary>policy for kdeconnect</summary>
+<interface name="kdeconnect_domtrans" lineno="13">
<summary>
-Execute gpsd in the gpsd domain, and
-allow the specified role the gpsd domain.
+Execute kdeconnect in the kdeconnect domin.
</summary>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+</interface>
+<interface name="kdeconnect_run" lineno="38">
+<summary>
+Execute kdeconnect in the kdeconnect domain, and
+allow the specified role the kdeconnect domain.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed to transition
+</summary>
+</param>
<param name="role">
<summary>
-Role allowed access.
+The role to be allowed the kdeconnect domain.
</summary>
</param>
</interface>
-<interface name="gpsd_rw_shm" lineno="56">
+<interface name="kdeconnect_role" lineno="62">
<summary>
-Read and write gpsd shared memory.
+Role access for kdeconnect
+</summary>
+<param name="role">
+<summary>
+Role allowed access
+</summary>
+</param>
+<param name="domain">
+<summary>
+User domain for the role
+</summary>
+</param>
+</interface>
+<interface name="kdeconnect_dbus_chat" lineno="89">
+<summary>
+Send and receive messages from the kdeconnect daemon
+over dbus.
</summary>
<param name="domain">
<summary>
@@ -7529,98 +9125,143 @@ Domain allowed access.
</summary>
</param>
</interface>
+<tunable name="kdeconnect_read_user_files" dftval="true">
+<desc>
+<p>
+Allow KDEConnect to read user home files
+</p>
+</desc>
+</tunable>
</module>
-<module name="guest" filename="policy/modules/contrib/guest.if">
-<summary>Least privledge terminal user role</summary>
-<interface name="guest_role_change" lineno="14">
+<module name="links" filename="policy/modules/contrib/links.if">
+<summary>Links web browser</summary>
+<interface name="links_role" lineno="18">
<summary>
-Change to the guest role.
+The role interface for the links module.
</summary>
-<param name="role">
+<param name="user_role">
<summary>
-Role allowed access.
+The role associated with the user domain.
</summary>
</param>
-<rolecap/>
-</interface>
-<interface name="guest_role_change_to" lineno="44">
+<param name="user_domain">
<summary>
-Change from the guest role.
+The type of the user domain.
</summary>
+</param>
+</interface>
+<tunable name="links_manage_user_files" dftval="false">
<desc>
<p>
-Change from the guest role to
-the specified role.
-</p>
-<p>
-This is an interface to support third party modules
-and its use is not allowed in upstream reference
-policy.
+Allow links to manage files in users home directories (download files)
</p>
</desc>
+</tunable>
+</module>
+<module name="logsentry" filename="policy/modules/contrib/logsentry.if">
+<summary>Log file monitoring tool</summary>
+<interface name="logsentry_admin" lineno="19">
+<summary>
+All of the rules required to administrate
+a logsentry environment.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
<param name="role">
<summary>
Role allowed access.
</summary>
</param>
-<rolecap/>
</interface>
</module>
-<module name="hadoop" filename="policy/modules/contrib/hadoop.if">
-<summary>Software for reliable, scalable, distributed computing.</summary>
-<template name="hadoop_domain_template" lineno="13">
+<module name="makewhatis" filename="policy/modules/contrib/makewhatis.if">
+<summary>Build whatis database from man pages</summary>
+</module>
+<module name="mutt" filename="policy/modules/contrib/mutt.if">
+<summary>Mutt e-mail client</summary>
+<interface name="mutt_role" lineno="18">
<summary>
-The template to define a hadoop domain.
+The role for using the mutt application.
</summary>
-<param name="domain_prefix">
+<param name="role">
<summary>
-Domain prefix to be used.
+The role associated with the user domain.
</summary>
</param>
-</template>
-<interface name="hadoop_role" lineno="219">
+<param name="domain">
<summary>
-Role access for hadoop.
+The user domain.
</summary>
-<param name="role">
+</param>
+</interface>
+<interface name="mutt_read_home_files" lineno="58">
<summary>
-Role allowed access.
+Allow other domains to read mutt's home files
</summary>
-</param>
<param name="domain">
<summary>
-Domain allowed access.
+The domain that is allowed read access to the mutt_home_t files
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="hadoop_domtrans" lineno="248">
+<interface name="mutt_read_tmp_files" lineno="76">
<summary>
-Execute hadoop in the
-hadoop domain.
+Allow other domains to read mutt's temporary files
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+The domain that is allowed read access to the temporary files
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom" lineno="268">
+<interface name="mutt_rw_tmp_files" lineno="95">
<summary>
-Give permission to a domain to
-recvfrom hadoop_t
+Allow other domains to handle mutt's temporary files (used for instance
+for e-mail drafts)
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+The domain that is allowed read/write access to the temporary files
</summary>
</param>
</interface>
-<interface name="hadoop_domtrans_zookeeper_client" lineno="287">
+<tunable name="mutt_read_generic_user_content" dftval="true">
+<desc>
+<p>
+Grant the mutt domains read access to generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mutt_read_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mutt domains read access to all user content
+</p>
+</desc>
+</tunable>
+<tunable name="mutt_manage_generic_user_content" dftval="false">
+<desc>
+<p>
+Grant the mutt domains manage rights on generic user content
+</p>
+</desc>
+</tunable>
+<tunable name="mutt_manage_all_user_content" dftval="false">
+<desc>
+<p>
+Grant the mutt domains manage rights on all user content
+</p>
+</desc>
+</tunable>
+</module>
+<module name="nginx" filename="policy/modules/contrib/nginx.if">
+<summary>policy for nginx</summary>
+<interface name="nginx_domtrans" lineno="55">
<summary>
-Execute zookeeper client in the
-zookeeper client domain.
+Execute a domain transition to run nginx.
</summary>
<param name="domain">
<summary>
@@ -7628,163 +9269,323 @@ Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_zookeeper_client" lineno="308">
+<interface name="nginx_admin" lineno="82">
<summary>
-Give permission to a domain to
-recvfrom zookeeper_t
+Administer the nginx domain
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+The role to be allowed to manage the nginx domain.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="hadoop_domtrans_zookeeper_server" lineno="327">
+<tunable name="nginx_enable_http_server" dftval="false">
+<desc>
+<p>
+Allow nginx to serve HTTP content (act as an http server)
+</p>
+</desc>
+</tunable>
+<tunable name="nginx_enable_imap_server" dftval="false">
+<desc>
+<p>
+Allow nginx to act as an imap proxy server)
+</p>
+</desc>
+</tunable>
+<tunable name="nginx_enable_pop3_server" dftval="false">
+<desc>
+<p>
+Allow nginx to act as a pop3 server)
+</p>
+</desc>
+</tunable>
+<tunable name="nginx_enable_smtp_server" dftval="false">
+<desc>
+<p>
+Allow nginx to act as an smtp server)
+</p>
+</desc>
+</tunable>
+<tunable name="nginx_can_network_connect_http" dftval="false">
+<desc>
+<p>
+Allow nginx to connect to remote HTTP servers
+</p>
+</desc>
+</tunable>
+<tunable name="nginx_can_network_connect" dftval="false">
+<desc>
+<p>
+Allow nginx to connect to remote servers (regardless of protocol)
+</p>
+</desc>
+</tunable>
+</module>
+<module name="openrc" filename="policy/modules/contrib/openrc.if">
+<summary>OpenRC is an init system</summary>
+</module>
+<module name="pan" filename="policy/modules/contrib/pan.if">
+<summary>Pan news reader client</summary>
+<interface name="pan_role" lineno="18">
<summary>
-Execute zookeeper server in the
-zookeeper server domain.
+Role access for pan
+</summary>
+<param name="role">
+<summary>
+Role allowed access
</summary>
+</param>
<param name="domain">
<summary>
-Domain allowed to transition.
+User domain for the role
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_zookeeper_server" lineno="348">
+<tunable name="pan_manage_user_content" dftval="false">
+<desc>
+<p>
+Be able to manage user files (needed to support sending and downloading
+attachments). Without this boolean set, only files marked as pan_home_t
+can be used for sending and receiving.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="phpfpm" filename="policy/modules/contrib/phpfpm.if">
+<summary>PHP FastCGI Process Manager</summary>
+<interface name="phpfpm_admin" lineno="13">
<summary>
-Give permission to a domain to
-recvfrom zookeeper_server_t
+Administrate a phpfpm environment
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed access
</summary>
</param>
</interface>
-<interface name="hadoop_initrc_domtrans_zookeeper_server" lineno="367">
+<interface name="phpfpm_stream_connect" lineno="43">
<summary>
-Execute zookeeper server in the
-zookeeper domain.
+Connect to phpfpm using a unix domain stream socket.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="hadoop_recvfrom_datanode" lineno="387">
+<tunable name="phpfpm_use_ldap" dftval="false">
+<desc>
+<p>
+Allow phpfpm to use LDAP services
+</p>
+</desc>
+</tunable>
+</module>
+<module name="resolvconf" filename="policy/modules/contrib/resolvconf.if">
+<summary>OpenResolv network configuration management</summary>
+<interface name="resolvconf_client_domain" lineno="14">
<summary>
-Give permission to a domain to
-recvfrom hadoop_datanode_t
+Mark the domain as a resolvconf client, automatically granting
+the necessary privileges (execute resolvconf and type access).
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain to mark as a resolvconf client
</summary>
</param>
</interface>
-<interface name="hadoop_read_config" lineno="406">
+<interface name="resolvconf_client_domain_privs" lineno="33">
<summary>
-Give permission to a domain to read
-hadoop_etc_t
+Assign the proper permissions to the domain, such as
+executing resolvconf and accessing its types.
</summary>
<param name="domain">
<summary>
-Domain needing read permission
+Domain to assign proper permissions to
</summary>
</param>
</interface>
-<interface name="hadoop_exec_config" lineno="427">
+<interface name="resolvconf_domtrans" lineno="48">
<summary>
-Give permission to a domain to
-execute hadoop_etc_t
+Execute resolvconf and transition to the resolvconf_t domain
</summary>
<param name="domain">
<summary>
-Domain needing read and execute
-permission
+Domain allowed to transition
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_jobtracker" lineno="448">
+<interface name="resolvconf_exec" lineno="67">
<summary>
-Give permission to a domain to
-recvfrom hadoop_jobtracker_t
+Execute resolvconf in the calling domain (no transition)
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed to execute
</summary>
</param>
</interface>
-<interface name="hadoop_match_lan_spd" lineno="468">
+<interface name="resolvconf_generic_run_filetrans_run" lineno="96">
<summary>
-Give permission to a domain to
-polmatch on hadoop_lan_t
+Transition to resolvconf_run_t when creating resources
+inside the generic run directory
</summary>
<param name="domain">
<summary>
-Domain needing polmatch
-permission
+Domain allowed access
+</summary>
+</param>
+<param name="class">
+<summary>
+Class on which a file transition has to occur
+</summary>
+</param>
+<param name="filename" optional="true">
+<summary>
+Name of the resource on which a file transition has to occur
+</summary>
+</param>
+</interface>
+</module>
+<module name="rtorrent" filename="policy/modules/contrib/rtorrent.if">
+<summary>rtorrent torrent client</summary>
+<interface name="rtorrent_role" lineno="18">
+<summary>
+Role access for rtorrent
+</summary>
+<param name="user_role">
+<summary>
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The user domain.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_namenode" lineno="488">
+<interface name="rtorrent_admin" lineno="52">
<summary>
-Give permission to a domain to
-recvfrom hadoop_namenode_t
+Administer the rtorrent application.
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed access.
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access.
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_secondarynamenode" lineno="508">
+<tunable name="rtorrent_use_dht" dftval="true">
+<desc>
+<p>
+Allow rtorrent to use dht.
+The correspondig port must be rtorrent_udp_port_t.
+</p>
+</desc>
+</tunable>
+<tunable name="rtorrent_use_rsync" dftval="false">
+<desc>
+<p>
+Allow rtorrent to use rsync, for example in a hook.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="salt" filename="policy/modules/contrib/salt.if">
+<summary>Infrastructure management toolset</summary>
+<interface name="salt_admin_master" lineno="18">
<summary>
-Give permission to a domain to
-recvfrom hadoop_secondarynamenode_t
+All the rules required to administer a salt master environment
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
</summary>
</param>
</interface>
-<interface name="hadoop_recvfrom_tasktracker" lineno="528">
+<interface name="salt_admin_minion" lineno="62">
<summary>
-Give permission to a domain to
-recvfrom hadoop_tasktracker_t
+All the rules required to administer a salt minion environment
</summary>
<param name="domain">
<summary>
-Domain needing recvfrom
-permission
+Domain allowed access
+</summary>
+</param>
+<param name="role">
+<summary>
+Role allowed access
</summary>
</param>
</interface>
+<tunable name="salt_master_read_nfs" dftval="false">
+<desc>
+<p>
+Determine wether the salt master can read NFS files
+</p>
+</desc>
+</tunable>
+<tunable name="salt_minion_manage_nfs" dftval="false">
+<desc>
+<p>
+Determine wether the salt minion can manage NFS files
+</p>
+</desc>
+</tunable>
</module>
-<module name="hal" filename="policy/modules/contrib/hal.if">
-<summary>Hardware abstraction layer</summary>
-<interface name="hal_domtrans" lineno="13">
+<module name="skype" filename="policy/modules/contrib/skype.if">
+<summary>Skype softphone.</summary>
+<interface name="skype_role" lineno="18">
<summary>
-Execute hal in the hal domain.
+Role access for the skype module.
</summary>
-<param name="domain">
+<param name="role">
<summary>
-Domain allowed to transition.
+The role associated with the user domain.
+</summary>
+</param>
+<param name="user_domain">
+<summary>
+The type of the user domain.
</summary>
</param>
</interface>
-<interface name="hal_getattr" lineno="31">
+<tunable name="skype_manage_user_content" dftval="false">
+<desc>
+<p>
+Be able to manage user files (needed to support sending and receiving files).
+Without this boolean set, only files marked as skype_home_t can be used for
+sending and receiving.
+</p>
+</desc>
+</tunable>
+</module>
+<module name="subsonic" filename="policy/modules/contrib/subsonic.if">
+<summary>Subsonic Music Streaming Server</summary>
+</module>
+<module name="uwsgi" filename="policy/modules/contrib/uwsgi.if">
+<summary>uWSGI server for Python web applications</summary>
+<interface name="uwsgi_stream_connect" lineno="14">
<summary>
-Get the attributes of a hal process.
+Connect to uwsgi using a unix
+domain stream socket.
</summary>
<param name="domain">
<summary>
@@ -7792,9 +9593,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_read_state" lineno="49">
+<interface name="uwsgi_manage_content" lineno="34">
<summary>
-Read hal system state
+Manage uwsgi content.
</summary>
<param name="domain">
<summary>
@@ -7802,19 +9603,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_ptrace" lineno="67">
+<interface name="uwsgi_domtrans" lineno="62">
<summary>
-Allow ptrace of hal domain
+Execute uwsgi in the uwsgi domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
</summary>
</param>
</interface>
-<interface name="hal_use_fds" lineno="85">
+<interface name="uwsgi_content_exec" lineno="82">
<summary>
-Allow domain to use file descriptors from hal.
+Execute uwsgi in the callers domain.
</summary>
<param name="domain">
<summary>
@@ -7822,73 +9623,102 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_dontaudit_use_fds" lineno="103">
+<interface name="uwsgi_admin" lineno="108">
<summary>
-Do not audit attempts to use file descriptors from hal.
+All of the rules required to
+administrate a uWSGI environment.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
+<param name="role">
+<summary>
+Role allowed access.
+</summary>
+</param>
+<rolecap/>
</interface>
-<interface name="hal_rw_pipes" lineno="122">
+</module>
+<module name="vde" filename="policy/modules/contrib/vde.if">
+<summary>Virtual Distributed Ethernet switch service</summary>
+<interface name="vde_role" lineno="19">
<summary>
-Allow attempts to read and write to
-hald unnamed pipes.
</summary>
+<param name="role">
+<summary>
+The role to be allowed to manage the vde domain.
+</summary>
+</param>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="hal_dontaudit_rw_pipes" lineno="141">
+<interface name="vde_connect" lineno="50">
<summary>
-Do not audit attempts to read and write to
-hald unnamed pipes.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="hal_dgram_send" lineno="160">
+</module>
+</layer>
+<layer name="kernel">
+<summary>Policy modules for kernel resources.</summary>
+<module name="corecommands" filename="policy/modules/kernel/corecommands.if">
<summary>
-Send to hal over a unix domain
-datagram socket.
+Core policy for shells, and generic programs
+in /bin, /sbin, /usr/bin, and /usr/sbin.
</summary>
-<param name="domain">
+<required val="true">
+Contains the base bin and sbin directory types
+which need to be searched for the kernel to
+run init.
+</required>
+<interface name="corecmd_executable_file" lineno="23">
<summary>
-Domain allowed access.
+Make the specified type usable for files
+that are exectuables, such as binary programs.
+This does not include shared libraries.
+</summary>
+<param name="type">
+<summary>
+Type to be used for files.
</summary>
</param>
</interface>
-<interface name="hal_stream_connect" lineno="179">
+<interface name="corecmd_bin_entry_type" lineno="44">
<summary>
-Send to hal over a unix domain
-stream socket.
+Make general progams in bin an entrypoint for
+the specified domain.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain for which bin_t is an entrypoint.
</summary>
</param>
</interface>
-<interface name="hal_dontaudit_rw_dgram_sockets" lineno="197">
+<interface name="corecmd_shell_entry_type" lineno="62">
<summary>
-Dontaudit read/write to a hal unix datagram socket.
+Make the shell an entrypoint for the specified domain.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+The domain for which the shell is an entrypoint.
</summary>
</param>
</interface>
-<interface name="hal_dbus_send" lineno="215">
+<interface name="corecmd_search_bin" lineno="81">
<summary>
-Send a dbus message to hal.
+Search the contents of bin directories.
+Also allow to read a possible /bin->/usr/bin symlink.
</summary>
<param name="domain">
<summary>
@@ -7896,10 +9726,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_dbus_chat" lineno="235">
+<interface name="corecmd_dontaudit_search_bin" lineno="100">
<summary>
-Send and receive messages from
-hal over dbus.
+Do not audit attempts to search the contents of bin directories.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corecmd_list_bin" lineno="118">
+<summary>
+List the contents of bin directories.
</summary>
<param name="domain">
<summary>
@@ -7907,20 +9746,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_domtrans_mac" lineno="255">
+<interface name="corecmd_dontaudit_write_bin_dirs" lineno="137">
<summary>
-Execute hal mac in the hal mac domain.
+Do not audit attempts to write bin directories.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="hal_write_log" lineno="274">
+<interface name="corecmd_getattr_bin_files" lineno="155">
<summary>
-Allow attempts to write the hal
-log files.
+Get the attributes of files in bin directories.
</summary>
<param name="domain">
<summary>
@@ -7928,10 +9766,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_dontaudit_write_log" lineno="294">
+<interface name="corecmd_dontaudit_getattr_bin_files" lineno="174">
<summary>
-Do not audit attempts to write the hal
-log files.
+Do not audit attempts to get the attributes of files in bin directories.
</summary>
<param name="domain">
<summary>
@@ -7939,9 +9776,9 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="hal_manage_log" lineno="312">
+<interface name="corecmd_check_exec_bin_files" lineno="193">
<summary>
-Manage hald log files.
+Check if files in bin directories are executable (DAC-wise)
</summary>
<param name="domain">
<summary>
@@ -7949,9 +9786,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_read_tmp_files" lineno="332">
+<interface name="corecmd_read_bin_files" lineno="212">
<summary>
-Read hald tmp files.
+Read files in bin directories.
</summary>
<param name="domain">
<summary>
@@ -7959,10 +9796,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_dontaudit_append_lib_files" lineno="351">
+<interface name="corecmd_dontaudit_write_bin_files" lineno="231">
<summary>
-Do not audit attempts to read or write
-HAL libraries files
+Do not audit attempts to write bin files.
</summary>
<param name="domain">
<summary>
@@ -7970,9 +9806,9 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="hal_read_pid_files" lineno="369">
+<interface name="corecmd_read_bin_symlinks" lineno="249">
<summary>
-Read hald PID files.
+Read symbolic links in bin directories.
</summary>
<param name="domain">
<summary>
@@ -7980,9 +9816,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_rw_pid_files" lineno="388">
+<interface name="corecmd_read_bin_pipes" lineno="269">
<summary>
-Read/Write hald PID files.
+Read pipes in bin directories.
</summary>
<param name="domain">
<summary>
@@ -7990,9 +9826,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_manage_pid_dirs" lineno="407">
+<interface name="corecmd_read_bin_sockets" lineno="288">
<summary>
-Manage hald PID dirs.
+Read named sockets in bin directories.
</summary>
<param name="domain">
<summary>
@@ -8000,32 +9836,50 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hal_manage_pid_files" lineno="426">
+<interface name="corecmd_exec_bin" lineno="328">
<summary>
-Manage hald PID files.
+Execute generic programs in bin directories,
+in the caller domain.
</summary>
+<desc>
+<p>
+Allow the specified domain to execute generic programs
+in system bin directories (/bin, /sbin, /usr/bin,
+/usr/sbin) a without domain transition.
+</p>
+<p>
+Typically, this interface should be used when the domain
+executes general system progams within the privileges
+of the source domain. Some examples of these programs
+are ls, cp, sed, python, and tar. This does not include
+shells, such as bash.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corecmd_exec_shell()</li>
+</ul>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="hddtemp" filename="policy/modules/contrib/hddtemp.if">
-<summary>hddtemp hard disk temperature tool running as a daemon.</summary>
-<interface name="hddtemp_domtrans" lineno="13">
+<interface name="corecmd_manage_bin_files" lineno="347">
<summary>
-Execute a domain transition to run hddtemp.
+Create, read, write, and delete bin files.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hddtemp_exec" lineno="32">
+<interface name="corecmd_relabel_bin_files" lineno="366">
<summary>
-Execute hddtemp.
+Relabel to and from the bin type.
</summary>
<param name="domain">
<summary>
@@ -8033,42 +9887,89 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="hddtemp_admin" lineno="58">
+<interface name="corecmd_mmap_bin_files" lineno="385">
<summary>
-All of the rules required to
-administrate an hddtemp environment.
+Mmap a bin file as executable.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corecmd_bin_spec_domtrans" lineno="430">
<summary>
-Role allowed access.
+Execute a file in a bin directory
+in the specified domain but do not
+do it automatically. This is an explicit
+transition, requiring the caller to use setexeccon().
+</summary>
+<desc>
+<p>
+Execute a file in a bin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the userhelper policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="howl" filename="policy/modules/contrib/howl.if">
-<summary>Port of Apple Rendezvous multicast DNS</summary>
-<interface name="howl_signal" lineno="13">
+<interface name="corecmd_bin_domtrans" lineno="473">
<summary>
-Send generic signals to howl.
+Execute a file in a bin directory
+in the specified domain.
</summary>
+<desc>
+<p>
+Execute a file in a bin directory
+in the specified domain. This allows
+the specified domain to execute any file
+on these filesystems in the specified
+domain. This is not suggested.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+<p>
+This interface was added to handle
+the ssh-agent policy.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the new process.
</summary>
</param>
</interface>
-</module>
-<module name="i18n_input" filename="policy/modules/contrib/i18n_input.if">
-<summary>IIIMF htt server</summary>
-<interface name="i18n_use" lineno="13">
+<interface name="corecmd_check_exec_shell" lineno="492">
<summary>
-Use i18n_input over a TCP connection. (Deprecated)
+Check if a shell is executable (DAC-wise).
</summary>
<param name="domain">
<summary>
@@ -8076,42 +9977,91 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="icecast" filename="policy/modules/contrib/icecast.if">
-<summary> ShoutCast compatible streaming media server</summary>
-<interface name="icecast_domtrans" lineno="13">
+<interface name="corecmd_exec_shell" lineno="529">
<summary>
-Execute a domain transition to run icecast.
+Execute shells in the caller domain.
</summary>
+<desc>
+<p>
+Allow the specified domain to execute shells without
+a domain transition.
+</p>
+<p>
+Typically, this interface should be used when the domain
+executes shells within the privileges
+of the source domain. Some examples of these programs
+are bash, tcsh, and zsh.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corecmd_exec_bin()</li>
+</ul>
+</desc>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="icecast_signal" lineno="31">
+<interface name="corecmd_shell_spec_domtrans" lineno="567">
<summary>
-Allow domain signal icecast
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
</summary>
+<desc>
+<p>
+Execute a shell in the target domain. This
+is an explicit transition, requiring the
+caller to use setexeccon().
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Domain allowed to transition.
+</summary>
+</param>
+<param name="target_domain">
+<summary>
+The type of the shell process.
</summary>
</param>
</interface>
-<interface name="icecast_initrc_domtrans" lineno="49">
+<interface name="corecmd_shell_domtrans" lineno="601">
<summary>
-Execute icecast server in the icecast domain.
+Execute a shell in the specified domain.
</summary>
+<desc>
+<p>
+Execute a shell in the specified domain.
+</p>
+<p>
+No interprocess communication (signals, pipes,
+etc.) is provided by this interface since
+the domains are not owned by this module.
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed to transition.
</summary>
</param>
+<param name="target_domain">
+<summary>
+The type of the shell process.
+</summary>
+</param>
</interface>
-<interface name="icecast_read_pid_files" lineno="67">
+<interface name="corecmd_exec_chroot" lineno="620">
<summary>
-Read icecast PID files.
+Execute chroot in the caller domain.
</summary>
<param name="domain">
<summary>
@@ -8119,19 +10069,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="icecast_manage_pid_files" lineno="86">
+<interface name="corecmd_getattr_all_executables" lineno="641">
<summary>
-Manage icecast pid files.
+Get the attributes of all executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="icecast_read_log" lineno="106">
+<interface name="corecmd_read_all_executables" lineno="662">
<summary>
-Allow the specified domain to read icecast's log files.
+Read all executable files.
</summary>
<param name="domain">
<summary>
@@ -8140,60 +10091,62 @@ Domain allowed access.
</param>
<rolecap/>
</interface>
-<interface name="icecast_append_log" lineno="126">
+<interface name="corecmd_exec_all_executables" lineno="682">
<summary>
-Allow the specified domain to append
-icecast log files.
+Execute all executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<rolecap/>
</interface>
-<interface name="icecast_manage_log" lineno="145">
+<interface name="corecmd_dontaudit_exec_all_executables" lineno="703">
<summary>
-Allow domain to manage icecast log files
+Do not audit attempts to execute all executables.
</summary>
<param name="domain">
<summary>
-Domain allow access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="icecast_admin" lineno="171">
+<interface name="corecmd_manage_all_executables" lineno="722">
<summary>
-All of the rules required to administrate
-an icecast environment
+Create, read, write, and all executable files.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<rolecap/>
+</interface>
+<interface name="corecmd_relabel_all_executables" lineno="744">
<summary>
-Role allowed access.
+Relabel to and from the bin type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
<rolecap/>
</interface>
-</module>
-<module name="ifplugd" filename="policy/modules/contrib/ifplugd.if">
-<summary>Bring up/down ethernet interfaces based on cable detection.</summary>
-<interface name="ifplugd_domtrans" lineno="13">
+<interface name="corecmd_mmap_all_executables" lineno="764">
<summary>
-Execute a domain transition to run ifplugd.
+Mmap all executables as executable.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ifplugd_signal" lineno="31">
+<interface name="corecmd_relabel_bin_dirs" lineno="786">
<summary>
-Send a generic signal to ifplugd
+Relabel to and from the bin type.
</summary>
<param name="domain">
<summary>
@@ -8201,9 +10154,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ifplugd_read_config" lineno="49">
+<interface name="corecmd_relabel_bin_lnk_files" lineno="804">
<summary>
-Read ifplugd etc configuration files.
+Relabel to and from the bin type.
</summary>
<param name="domain">
<summary>
@@ -8211,131 +10164,256 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ifplugd_manage_config" lineno="68">
+</module>
+<module name="corenetwork" filename="policy/modules/kernel/corenetwork.if">
+<summary>Policy controlling access to network objects</summary>
+<required val="true">
+Contains the initial SIDs for network objects.
+</required>
+<interface name="corenet_port" lineno="29">
<summary>
-Manage ifplugd etc configuration files.
+Define type to be a network port type
</summary>
+<desc>
+<p>
+Define type to be a network port type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Type to be used for network ports.
</summary>
</param>
</interface>
-<interface name="ifplugd_read_pid_files" lineno="88">
+<interface name="corenet_reserved_port" lineno="56">
<summary>
-Read ifplugd PID files.
+Define network type to be a reserved port (lt 1024)
</summary>
+<desc>
+<p>
+Define network type to be a reserved port (lt 1024)
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Type to be used for network ports.
</summary>
</param>
</interface>
-<interface name="ifplugd_admin" lineno="114">
+<interface name="corenet_rpc_port" lineno="83">
<summary>
-All of the rules required to administrate
-an ifplugd environment
+Define network type to be a rpc port ( 512 lt PORT lt 1024)
</summary>
+<desc>
+<p>
+Define network type to be a rpc port ( 512 lt PORT lt 1024)
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed access.
+Type to be used for network ports.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_node" lineno="110">
<summary>
-The role to be allowed to manage the ifplugd domain.
+Define type to be a network node type
+</summary>
+<desc>
+<p>
+Define type to be a network node type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for network nodes.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="imaze" filename="policy/modules/contrib/imaze.if">
-<summary>iMaze game server</summary>
-</module>
-<module name="inetd" filename="policy/modules/contrib/inetd.if">
-<summary>Internet services daemon.</summary>
-<interface name="inetd_core_service_domain" lineno="27">
+<interface name="corenet_packet" lineno="137">
<summary>
-Define the specified domain as a inetd service.
+Define type to be a network packet type
</summary>
<desc>
<p>
-Define the specified domain as a inetd service. The
-inetd_service_domain(), inetd_tcp_service_domain(),
-or inetd_udp_service_domain() interfaces should be used
-instead of this interface, as this interface only provides
-the common rules to these three interfaces.
+Define type to be a network packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
</p>
</desc>
<param name="domain">
<summary>
-The type associated with the inetd service process.
+Type to be used for a network packet.
</summary>
</param>
-<param name="entrypoint">
+</interface>
+<interface name="corenet_client_packet" lineno="164">
<summary>
-The type associated with the process program.
+Define type to be a network client packet type
+</summary>
+<desc>
+<p>
+Define type to be a network client packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for a network client packet.
</summary>
</param>
</interface>
-<interface name="inetd_tcp_service_domain" lineno="57">
+<interface name="corenet_server_packet" lineno="191">
<summary>
-Define the specified domain as a TCP inetd service.
+Define type to be a network server packet type
</summary>
+<desc>
+<p>
+Define type to be a network server packet type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
<param name="domain">
<summary>
-The type associated with the inetd service process.
+Type to be used for a network server packet.
</summary>
</param>
-<param name="entrypoint">
+</interface>
+<interface name="corenet_spd_type" lineno="210">
<summary>
-The type associated with the process program.
+Make the specified type usable
+for labeled ipsec.
+</summary>
+<param name="domain">
+<summary>
+Type to be used for labeled ipsec.
</summary>
</param>
</interface>
-<interface name="inetd_udp_service_domain" lineno="83">
+<interface name="corenet_ib_pkey" lineno="237">
<summary>
-Define the specified domain as a UDP inetd service.
+Define type to be an infiniband pkey type
</summary>
+<desc>
+<p>
+Define type to be an infiniband pkey type
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
<param name="domain">
<summary>
-The type associated with the inetd service process.
+Type to be used for infiniband pkeys.
</summary>
</param>
-<param name="entrypoint">
+</interface>
+<interface name="corenet_ib_endport" lineno="264">
<summary>
-The type associated with the process program.
+Define type to be an infiniband endport
+</summary>
+<desc>
+<p>
+Define type to be an infiniband endport
+</p>
+<p>
+This is for supporting third party modules and its
+use is not allowed in upstream reference policy.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Type to be used for infiniband endports.
</summary>
</param>
</interface>
-<interface name="inetd_service_domain" lineno="108">
+<interface name="corenet_tcp_sendrecv_generic_if" lineno="310">
<summary>
-Define the specified domain as a TCP and UDP inetd service.
+Send and receive TCP network traffic on generic interfaces.
</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive TCP network
+traffic on generic network interfaces.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
-The type associated with the inetd service process.
+Domain allowed access.
</summary>
</param>
-<param name="entrypoint">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_generic_if" lineno="328">
<summary>
-The type associated with the process program.
+Send UDP network traffic on generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inetd_use_fds" lineno="134">
+<interface name="corenet_dontaudit_udp_send_generic_if" lineno="347">
<summary>
-Inherit and use file descriptors from inetd.
+Dontaudit attempts to send UDP network traffic
+on generic interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="inetd_tcp_connect" lineno="152">
+<interface name="corenet_udp_receive_generic_if" lineno="365">
<summary>
-Connect to the inetd service using a TCP connection. (Deprecated)
+Receive UDP network traffic on generic interfaces.
</summary>
<param name="domain">
<summary>
@@ -8343,43 +10421,67 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inetd_domtrans_child" lineno="166">
+<interface name="corenet_dontaudit_udp_receive_generic_if" lineno="384">
<summary>
-Run inetd child process in the inet child domain
+Do not audit attempts to receive UDP network
+traffic on generic interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="inetd_udp_send" lineno="185">
+<interface name="corenet_udp_sendrecv_generic_if" lineno="428">
<summary>
-Send UDP network traffic to inetd. (Deprecated)
+Send and receive UDP network traffic on generic interfaces.
</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive UDP network
+traffic on generic network interfaces.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_node()</li>
+<li>corenet_udp_sendrecv_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="inetd_rw_tcp_sockets" lineno="199">
+<interface name="corenet_dontaudit_udp_sendrecv_generic_if" lineno="444">
<summary>
-Read and write inetd TCP sockets.
+Do not audit attempts to send and receive UDP network
+traffic on generic interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="inn" filename="policy/modules/contrib/inn.if">
-<summary>Internet News NNTP server</summary>
-<interface name="inn_exec" lineno="14">
+<interface name="corenet_raw_send_generic_if" lineno="459">
<summary>
-Allow the specified domain to execute innd
-in the caller domain.
+Send raw IP packets on generic interfaces.
</summary>
<param name="domain">
<summary>
@@ -8387,10 +10489,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_exec_config" lineno="33">
+<interface name="corenet_raw_receive_generic_if" lineno="477">
<summary>
-Allow the specified domain to execute
-inn configuration files in /etc.
+Receive raw IP packets on generic interfaces.
</summary>
<param name="domain">
<summary>
@@ -8398,9 +10499,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_manage_log" lineno="51">
+<interface name="corenet_raw_sendrecv_generic_if" lineno="495">
<summary>
-Create, read, write, and delete the innd log.
+Send and receive raw IP packets on generic interfaces.
</summary>
<param name="domain">
<summary>
@@ -8408,29 +10509,42 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_manage_pid" lineno="70">
+<interface name="corenet_out_generic_if" lineno="511">
<summary>
-Create, read, write, and delete the innd pid files.
+Allow outgoing network traffic on the generic interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The peer label of the outgoing network traffic.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="inn_read_config" lineno="91">
+<interface name="corenet_in_generic_if" lineno="530">
<summary>
-Read innd configuration files.
+Allow incoming traffic on the generic interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The peer label of the incoming network traffic.
</summary>
</param>
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_inout_generic_if" lineno="549">
+<summary>
+Allow incoming and outgoing network traffic on the generic interfaces.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the network traffic.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="inn_read_news_lib" lineno="111">
+<interface name="corenet_tcp_sendrecv_all_if" lineno="564">
<summary>
-Read innd news library files.
+Send and receive TCP network traffic on all interfaces.
</summary>
<param name="domain">
<summary>
@@ -8438,9 +10552,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_read_news_spool" lineno="131">
+<interface name="corenet_udp_send_all_if" lineno="582">
<summary>
-Read innd news library files.
+Send UDP network traffic on all interfaces.
</summary>
<param name="domain">
<summary>
@@ -8448,9 +10562,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_dgram_send" lineno="151">
+<interface name="corenet_udp_receive_all_if" lineno="600">
<summary>
-Send to a innd unix dgram socket.
+Receive UDP network traffic on all interfaces.
</summary>
<param name="domain">
<summary>
@@ -8458,73 +10572,97 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_domtrans" lineno="169">
+<interface name="corenet_udp_sendrecv_all_if" lineno="618">
<summary>
-Execute inn in the inn domain.
+Send and receive UDP network traffic on all interfaces.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="inn_admin" lineno="195">
+<interface name="corenet_raw_send_all_if" lineno="633">
<summary>
-All of the rules required to administrate
-an inn environment
+Send raw IP packets on all interfaces.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_sctp_sendrecv_generic_node" lineno="651">
<summary>
-The role to be allowed to manage the inn domain.
+Send and receive SCTP network traffic on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="irc" filename="policy/modules/contrib/irc.if">
-<summary>IRC client policy</summary>
-<interface name="irc_role" lineno="18">
+<interface name="corenet_raw_receive_all_if" lineno="669">
<summary>
-Role access for IRC
+Receive raw IP packets on all interfaces.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
+</interface>
+<interface name="corenet_raw_sendrecv_all_if" lineno="687">
+<summary>
+Send and receive raw IP packets on all interfaces.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="ircd" filename="policy/modules/contrib/ircd.if">
-<summary>IRC server</summary>
-</module>
-<module name="irqbalance" filename="policy/modules/contrib/irqbalance.if">
-<summary>IRQ balancing daemon</summary>
-</module>
-<module name="iscsi" filename="policy/modules/contrib/iscsi.if">
-<summary>Establish connections to iSCSI devices</summary>
-<interface name="iscsid_domtrans" lineno="13">
+<interface name="corenet_tcp_sendrecv_generic_node" lineno="730">
<summary>
-Execute a domain transition to run iscsid.
+Send and receive TCP network traffic on generic nodes.
</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive TCP network
+traffic to/from generic network nodes (hostnames/networks).
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="iscsi_manage_semaphores" lineno="31">
+<interface name="corenet_udp_send_generic_node" lineno="748">
<summary>
-Manage iscsid sempaphores.
+Send UDP network traffic on generic nodes.
</summary>
<param name="domain">
<summary>
@@ -8532,9 +10670,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="iscsi_stream_connect" lineno="49">
+<interface name="corenet_udp_receive_generic_node" lineno="766">
<summary>
-Connect to ISCSI using a unix domain stream socket.
+Receive UDP network traffic on generic nodes.
</summary>
<param name="domain">
<summary>
@@ -8542,22 +10680,45 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="iscsi_read_lib_files" lineno="68">
+<interface name="corenet_udp_sendrecv_generic_node" lineno="810">
<summary>
-Read iscsi lib files.
+Send and receive UDP network traffic on generic nodes.
</summary>
+<desc>
+<p>
+Allow the specified domain to send and receive UDP network
+traffic to/from generic network nodes (hostnames/networks).
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_if()</li>
+<li>corenet_udp_sendrecv_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-</module>
-<module name="jabber" filename="policy/modules/contrib/jabber.if">
-<summary>Jabber instant messaging server</summary>
-<interface name="jabber_tcp_connect" lineno="13">
+<interface name="corenet_raw_send_generic_node" lineno="825">
<summary>
-Connect to jabber over a TCP socket (Deprecated)
+Send raw IP packets on generic nodes.
</summary>
<param name="domain">
<summary>
@@ -8565,122 +10726,173 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="jabber_admin" lineno="34">
+<interface name="corenet_raw_receive_generic_node" lineno="843">
<summary>
-All of the rules required to administrate
-an jabber environment
+Receive raw IP packets on generic nodes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_raw_sendrecv_generic_node" lineno="861">
<summary>
-The role to be allowed to manage the jabber domain.
+Send and receive raw IP packets on generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="java" filename="policy/modules/contrib/java.if">
-<summary>Java virtual machine</summary>
-<interface name="java_role" lineno="18">
+<interface name="corenet_sctp_bind_generic_node" lineno="876">
<summary>
-Role access for java
+Bind SCTP sockets to generic nodes.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
+</interface>
+<interface name="corenet_tcp_bind_generic_node" lineno="909">
+<summary>
+Bind TCP sockets to generic nodes.
+</summary>
+<desc>
+<p>
+Bind TCP sockets to generic nodes. This is
+necessary for binding a socket so it
+can be used for servers to listen
+for incoming connections.
+</p>
+<p>
+Related interface:
+</p>
+<ul>
+<li>corenet_udp_bind_generic_node()</li>
+</ul>
+</desc>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="1"/>
</interface>
-<template name="java_role_template" lineno="63">
+<interface name="corenet_udp_bind_generic_node" lineno="942">
<summary>
-The role template for the java module.
+Bind UDP sockets to generic nodes.
</summary>
<desc>
<p>
-This template creates a derived domains which are used
-for java applications.
+Bind UDP sockets to generic nodes. This is
+necessary for binding a socket so it
+can be used for servers to listen
+for incoming connections.
+</p>
+<p>
+Related interface:
</p>
+<ul>
+<li>corenet_tcp_bind_generic_node()</li>
+</ul>
</desc>
-<param name="role_prefix">
+<param name="domain">
<summary>
-The prefix of the user domain (e.g., user
-is the prefix for user_t).
+Domain allowed access.
</summary>
</param>
-<param name="user_role">
+<infoflow type="read" weight="1"/>
+</interface>
+<interface name="corenet_raw_bind_generic_node" lineno="961">
<summary>
-The role associated with the user domain.
+Bind raw sockets to generic nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<param name="user_domain">
+</interface>
+<interface name="corenet_out_generic_node" lineno="980">
<summary>
-The type of the user domain.
+Allow outgoing network traffic to generic nodes.
+</summary>
+<param name="domain">
+<summary>
+The peer label of the outgoing network traffic.
</summary>
</param>
-</template>
-<template name="java_domtrans" lineno="108">
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_in_generic_node" lineno="999">
<summary>
-Run java in javaplugin domain.
+Allow incoming network traffic from generic nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+The peer label of the incoming network traffic.
</summary>
</param>
-</template>
-<interface name="java_run" lineno="132">
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_inout_generic_node" lineno="1018">
<summary>
-Execute java in the java domain, and
-allow the specified role the java domain.
+Allow incoming and outgoing network traffic with generic nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+The peer label of the network traffic.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_tcp_sendrecv_all_nodes" lineno="1033">
<summary>
-Role allowed access.
+Send and receive TCP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="java_domtrans_unconfined" lineno="151">
+<interface name="corenet_udp_send_all_nodes" lineno="1051">
<summary>
-Execute the java program in the unconfined java domain.
+Send UDP network traffic on all nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="java_run_unconfined" lineno="175">
+<interface name="corenet_dontaudit_udp_send_all_nodes" lineno="1070">
<summary>
-Execute the java program in the unconfined java domain.
+Do not audit attempts to send UDP network
+traffic on any nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_sctp_sendrecv_all_nodes" lineno="1088">
<summary>
-Role allowed access.
+Send and receive SCTP network traffic on all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="java_exec" lineno="194">
+<interface name="corenet_udp_receive_all_nodes" lineno="1106">
<summary>
-Execute the java program in the java domain.
+Receive UDP network traffic on all nodes.
</summary>
<param name="domain">
<summary>
@@ -8688,39 +10900,41 @@ Domain allowed access.
</summary>
</param>
</interface>
-<tunable name="allow_java_execstack" dftval="false">
-<desc>
-<p>
-Allow java executable stack
-</p>
-</desc>
-</tunable>
-</module>
-<module name="kdump" filename="policy/modules/contrib/kdump.if">
-<summary>Kernel crash dumping mechanism</summary>
-<interface name="kdump_domtrans" lineno="13">
+<interface name="corenet_dontaudit_udp_receive_all_nodes" lineno="1125">
<summary>
-Execute kdump in the kdump domain.
+Do not audit attempts to receive UDP
+network traffic on all nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kdump_initrc_domtrans" lineno="32">
+<interface name="corenet_udp_sendrecv_all_nodes" lineno="1143">
<summary>
-Execute kdump in the kdump domain.
+Send and receive UDP network traffic on all nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
+</summary>
+</param>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_all_nodes" lineno="1159">
+<summary>
+Do not audit attempts to send and receive UDP
+network traffic on any nodes nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kdump_read_config" lineno="50">
+<interface name="corenet_raw_send_all_nodes" lineno="1174">
<summary>
-Read kdump configuration file.
+Send raw IP packets on all nodes.
</summary>
<param name="domain">
<summary>
@@ -8728,9 +10942,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kdump_manage_config" lineno="69">
+<interface name="corenet_raw_receive_all_nodes" lineno="1192">
<summary>
-Manage kdump configuration file.
+Receive raw IP packets on all nodes.
</summary>
<param name="domain">
<summary>
@@ -8738,53 +10952,29 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kdump_admin" lineno="95">
+<interface name="corenet_raw_sendrecv_all_nodes" lineno="1210">
<summary>
-All of the rules required to administrate
-an kdump environment
+Send and receive raw IP packets on all nodes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_tcp_bind_all_nodes" lineno="1225">
<summary>
-The role to be allowed to manage the kdump domain.
+Bind TCP sockets to all nodes.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="kdumpgui" filename="policy/modules/contrib/kdumpgui.if">
-<summary>system-config-kdump GUI</summary>
-</module>
-<module name="kerberos" filename="policy/modules/contrib/kerberos.if">
-<summary>MIT Kerberos admin and KDC</summary>
-<desc>
-<p>
-This policy supports:
-</p>
-<p>
-Servers:
-<ul>
-<li>kadmind</li>
-<li>krb5kdc</li>
-</ul>
-</p>
-<p>
-Clients:
-<ul>
-<li>kinit</li>
-<li>kdestroy</li>
-<li>klist</li>
-<li>ksu (incomplete)</li>
-</ul>
-</p>
-</desc>
-<interface name="kerberos_exec_kadmind" lineno="34">
+<interface name="corenet_udp_bind_all_nodes" lineno="1243">
<summary>
-Execute kadmind in the current domain
+Bind UDP sockets to all nodes.
</summary>
<param name="domain">
<summary>
@@ -8792,19 +10982,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerberos_domtrans_kpropd" lineno="52">
+<interface name="corenet_raw_bind_all_nodes" lineno="1262">
<summary>
-Execute a domain transition to run kpropd.
+Bind raw sockets to all nodes.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerberos_use" lineno="70">
+<interface name="corenet_tcp_sendrecv_generic_port" lineno="1280">
<summary>
-Use kerberos services
+Send and receive TCP network traffic on generic ports.
</summary>
<param name="domain">
<summary>
@@ -8812,53 +11002,49 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerberos_read_config" lineno="131">
+<interface name="corenet_sctp_bind_all_nodes" lineno="1298">
<summary>
-Read the kerberos configuration file (/etc/krb5.conf).
+Bind SCTP sockets to all nodes.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kerberos_dontaudit_write_config" lineno="152">
+<interface name="corenet_dontaudit_tcp_sendrecv_generic_port" lineno="1317">
<summary>
-Do not audit attempts to write the kerberos
-configuration file (/etc/krb5.conf).
+Do not audit send and receive TCP network traffic on generic ports.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerberos_rw_config" lineno="171">
+<interface name="corenet_udp_send_generic_port" lineno="1335">
<summary>
-Read and write the kerberos configuration file (/etc/krb5.conf).
+Send UDP network traffic on generic ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kerberos_read_keytab" lineno="191">
+<interface name="corenet_udp_receive_generic_port" lineno="1353">
<summary>
-Read the kerberos key table.
+Receive UDP network traffic on generic ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kerberos_rw_keytab" lineno="210">
+<interface name="corenet_udp_sendrecv_generic_port" lineno="1371">
<summary>
-Read/Write the kerberos key table.
+Send and receive UDP network traffic on generic ports.
</summary>
<param name="domain">
<summary>
@@ -8866,46 +11052,85 @@ Domain allowed access.
</summary>
</param>
</interface>
-<template name="kerberos_keytab_template" lineno="234">
+<interface name="corenet_tcp_bind_generic_port" lineno="1386">
<summary>
-Create a derived type for kerberos keytab
+Bind TCP sockets to generic ports.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-The prefix to be used for deriving type names.
+Domain allowed access.
</summary>
</param>
+</interface>
+<interface name="corenet_dontaudit_tcp_bind_generic_port" lineno="1406">
+<summary>
+Do not audit bind TCP sockets to generic ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+</interface>
+<interface name="corenet_udp_bind_generic_port" lineno="1424">
+<summary>
+Bind UDP sockets to generic ports.
+</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-</template>
-<interface name="kerberos_read_kdc_config" lineno="255">
+</interface>
+<interface name="corenet_tcp_connect_generic_port" lineno="1444">
<summary>
-Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+Connect TCP sockets to generic ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kerberos_manage_host_rcache" lineno="275">
+<interface name="corenet_tcp_sendrecv_all_ports" lineno="1488">
<summary>
-Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+Send and receive TCP network traffic on all ports.
</summary>
+<desc>
+<p>
+Send and receive TCP network traffic on all ports.
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_connect_all_ports()</li>
+<li>corenet_tcp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="kerberos_connect_524" lineno="307">
+<interface name="corenet_udp_send_all_ports" lineno="1506">
<summary>
-Connect to krb524 service
+Send UDP network traffic on all ports.
</summary>
<param name="domain">
<summary>
@@ -8913,47 +11138,74 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerberos_admin" lineno="336">
+<interface name="corenet_sctp_bind_generic_port" lineno="1524">
<summary>
-All of the rules required to administrate
-an kerberos environment
+Bind SCTP sockets to generic ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_udp_receive_all_ports" lineno="1544">
<summary>
-The role to be allowed to manage the kerberos domain.
+Receive UDP network traffic on all ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<tunable name="allow_kerberos" dftval="false">
+<interface name="corenet_udp_sendrecv_all_ports" lineno="1586">
+<summary>
+Send and receive UDP network traffic on all ports.
+</summary>
<desc>
<p>
-Allow confined applications to run with kerberos.
+Send and receive UDP network traffic on all ports.
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_udp_sendrecv_generic_if()</li>
+<li>corenet_udp_sendrecv_generic_node()</li>
+<li>corenet_udp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to send to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(myclient_t)
+corenet_udp_sendrecv_generic_node(myclient_t)
+corenet_udp_sendrecv_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
</p>
</desc>
-</tunable>
-</module>
-<module name="kerneloops" filename="policy/modules/contrib/kerneloops.if">
-<summary>Service for reporting kernel oopses to kerneloops.org</summary>
-<interface name="kerneloops_domtrans" lineno="13">
+<param name="domain">
<summary>
-Execute a domain transition to run kerneloops.
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sctp_bind_generic_port" lineno="1602">
+<summary>
+Do not audit attempts to bind SCTP
+sockets to generic ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kerneloops_dbus_chat" lineno="33">
+<interface name="corenet_tcp_bind_all_ports" lineno="1620">
<summary>
-Send and receive messages from
-kerneloops over dbus.
+Bind TCP sockets to all ports.
</summary>
<param name="domain">
<summary>
@@ -8961,10 +11213,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerneloops_dontaudit_dbus_chat" lineno="54">
+<interface name="corenet_dontaudit_tcp_bind_all_ports" lineno="1639">
<summary>
-dontaudit attempts to Send and receive messages from
-kerneloops over dbus.
+Do not audit attepts to bind TCP sockets to any ports.
</summary>
<param name="domain">
<summary>
@@ -8972,9 +11223,9 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kerneloops_manage_tmp_files" lineno="74">
+<interface name="corenet_udp_bind_all_ports" lineno="1657">
<summary>
-Allow domain to manage kerneloops tmp files
+Bind UDP sockets to all ports.
</summary>
<param name="domain">
<summary>
@@ -8982,55 +11233,88 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kerneloops_admin" lineno="100">
+<interface name="corenet_sctp_connect_generic_port" lineno="1676">
<summary>
-All of the rules required to administrate
-an kerneloops environment
+Connect SCTP sockets to generic ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_dontaudit_udp_bind_all_ports" lineno="1694">
<summary>
-The role to be allowed to manage the kerneloops domain.
+Do not audit attepts to bind UDP sockets to any ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="kismet" filename="policy/modules/contrib/kismet.if">
-<summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
-<interface name="kismet_domtrans" lineno="13">
+<interface name="corenet_tcp_connect_all_ports" lineno="1740">
<summary>
-Execute a domain transition to run kismet.
+Connect TCP sockets to all ports.
</summary>
+<desc>
+<p>
+Connect TCP sockets to all ports
+</p>
+<p>
+Related interfaces:
+</p>
+<ul>
+<li>corenet_all_recvfrom_unlabeled()</li>
+<li>corenet_tcp_sendrecv_generic_if()</li>
+<li>corenet_tcp_sendrecv_generic_node()</li>
+<li>corenet_tcp_sendrecv_all_ports()</li>
+<li>corenet_tcp_bind_all_ports()</li>
+</ul>
+<p>
+Example client being able to connect to all ports over
+generic nodes, without labeled networking:
+</p>
+<p>
+allow myclient_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(myclient_t)
+corenet_tcp_sendrecv_generic_node(myclient_t)
+corenet_tcp_sendrecv_all_ports(myclient_t)
+corenet_tcp_connect_all_ports(myclient_t)
+corenet_all_recvfrom_unlabeled(myclient_t)
+</p>
+</desc>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="1"/>
</interface>
-<interface name="kismet_run" lineno="38">
+<interface name="corenet_dontaudit_tcp_connect_all_ports" lineno="1759">
<summary>
-Execute kismet in the kismet domain, and
-allow the specified role the kismet domain.
+Do not audit attempts to connect TCP sockets
+to all ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_tcp_sendrecv_reserved_port" lineno="1777">
<summary>
-Role allowed access.
+Send and receive TCP network traffic on generic reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_read_pid_files" lineno="57">
+<interface name="corenet_udp_send_reserved_port" lineno="1795">
<summary>
-Read kismet PID files.
+Send UDP network traffic on generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9038,9 +11322,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_manage_pid_files" lineno="76">
+<interface name="corenet_udp_receive_reserved_port" lineno="1813">
<summary>
-Manage kismet var_run files.
+Receive UDP network traffic on generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9048,9 +11332,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_search_lib" lineno="95">
+<interface name="corenet_udp_sendrecv_reserved_port" lineno="1831">
<summary>
-Search kismet lib directories.
+Send and receive UDP network traffic on generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9058,9 +11342,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_read_lib_files" lineno="114">
+<interface name="corenet_tcp_bind_reserved_port" lineno="1846">
<summary>
-Read kismet lib files.
+Bind TCP sockets to generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9068,10 +11352,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_manage_lib_files" lineno="135">
+<interface name="corenet_sctp_bind_all_ports" lineno="1865">
<summary>
-Create, read, write, and delete
-kismet lib files.
+Bind SCTP sockets to all ports.
</summary>
<param name="domain">
<summary>
@@ -9079,9 +11362,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_manage_lib" lineno="154">
+<interface name="corenet_udp_bind_reserved_port" lineno="1884">
<summary>
-Manage kismet var_lib files.
+Bind UDP sockets to generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9089,31 +11372,29 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_read_log" lineno="175">
+<interface name="corenet_tcp_connect_reserved_port" lineno="1903">
<summary>
-Allow the specified domain to read kismet's log files.
+Connect TCP sockets to generic reserved ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kismet_append_log" lineno="195">
+<interface name="corenet_dontaudit_sctp_bind_all_ports" lineno="1921">
<summary>
-Allow the specified domain to append
-kismet log files.
+Do not audit attempts to bind SCTP sockets to any ports.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kismet_manage_log" lineno="214">
+<interface name="corenet_tcp_sendrecv_all_reserved_ports" lineno="1939">
<summary>
-Allow domain to manage kismet log files
+Send and receive TCP network traffic on all reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9121,107 +11402,100 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="kismet_admin" lineno="236">
+<interface name="corenet_udp_send_all_reserved_ports" lineno="1957">
<summary>
-All of the rules required to administrate an kismet environment
+Send UDP network traffic on all reserved ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="ksmtuned" filename="policy/modules/contrib/ksmtuned.if">
-<summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
-<interface name="ksmtuned_domtrans" lineno="13">
+<interface name="corenet_udp_receive_all_reserved_ports" lineno="1975">
<summary>
-Execute a domain transition to run ksmtuned.
+Receive UDP network traffic on all reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ksmtuned_initrc_domtrans" lineno="31">
+<interface name="corenet_udp_sendrecv_all_reserved_ports" lineno="1993">
<summary>
-Execute ksmtuned server in the ksmtuned domain.
+Send and receive UDP network traffic on all reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ksmtuned_admin" lineno="56">
+<interface name="corenet_sctp_connect_all_ports" lineno="2008">
<summary>
-All of the rules required to administrate
-an ksmtuned environment
+Connect SCTP sockets to all ports.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_tcp_bind_all_reserved_ports" lineno="2026">
<summary>
-Role allowed access.
+Bind TCP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="ktalk" filename="policy/modules/contrib/ktalk.if">
-<summary>KDE Talk daemon</summary>
-</module>
-<module name="kudzu" filename="policy/modules/contrib/kudzu.if">
-<summary>Hardware detection and configuration tools</summary>
-<interface name="kudzu_domtrans" lineno="13">
+<interface name="corenet_dontaudit_tcp_bind_all_reserved_ports" lineno="2045">
<summary>
-Execute kudzu in the kudzu domain.
+Do not audit attempts to bind TCP sockets to all reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="kudzu_run" lineno="38">
+<interface name="corenet_udp_bind_all_reserved_ports" lineno="2063">
<summary>
-Execute kudzu in the kudzu domain, and
-allow the specified role the kudzu domain.
+Bind UDP sockets to all reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_dontaudit_udp_bind_all_reserved_ports" lineno="2082">
<summary>
-Role allowed access.
+Do not audit attempts to bind UDP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="kudzu_getattr_exec_files" lineno="58">
+<interface name="corenet_dontaudit_sctp_connect_all_ports" lineno="2101">
<summary>
-Get attributes of kudzu executable.
+Do not audit attempts to connect SCTP sockets
+to all ports.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="ldap" filename="policy/modules/contrib/ldap.if">
-<summary>OpenLDAP directory server</summary>
-<interface name="ldap_list_db" lineno="14">
+<interface name="corenet_tcp_bind_all_unreserved_ports" lineno="2119">
<summary>
-Read the contents of the OpenLDAP
-database directories.
+Bind TCP sockets to all ports > 1024.
</summary>
<param name="domain">
<summary>
@@ -9229,20 +11503,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ldap_read_config" lineno="33">
+<interface name="corenet_udp_bind_all_unreserved_ports" lineno="2137">
<summary>
-Read the OpenLDAP configuration files.
+Bind UDP sockets to all ports > 1024.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="ldap_use" lineno="52">
+<interface name="corenet_tcp_connect_all_reserved_ports" lineno="2155">
<summary>
-Use LDAP over TCP connection. (Deprecated)
+Connect TCP sockets to reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9250,9 +11523,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ldap_stream_connect" lineno="66">
+<interface name="corenet_sctp_connect_all_unreserved_ports" lineno="2173">
<summary>
-Connect to slapd over an unix stream socket.
+Connect SCTP sockets to all ports > 1024.
</summary>
<param name="domain">
<summary>
@@ -9260,52 +11533,41 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="ldap_admin" lineno="92">
+<interface name="corenet_dontaudit_tcp_connect_all_unreserved_ports" lineno="2192">
<summary>
-All of the rules required to administrate
-an ldap environment
+Do not audit connect attempts to TCP sockets on
+ports greater than 1024.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain not to audit access to.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_tcp_connect_all_unreserved_ports" lineno="2210">
<summary>
-The role to be allowed to manage the ldap domain.
+Connect TCP sockets to all ports > 1024.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="likewise" filename="policy/modules/contrib/likewise.if">
-<summary>Likewise Active Directory support for UNIX.</summary>
-<desc>
-<p>
-Likewise Open is a free, open source application that joins Linux, Unix,
-and Mac machines to Microsoft Active Directory to securely authenticate
-users with their domain credentials.
-</p>
-</desc>
-<template name="likewise_domain_template" lineno="26">
+<interface name="corenet_dontaudit_tcp_connect_all_reserved_ports" lineno="2229">
<summary>
-The template to define a likewise domain.
+Do not audit attempts to connect TCP sockets
+all reserved ports.
</summary>
-<desc>
-<p>
-This template creates a domain to be used for
-a new likewise daemon.
-</p>
-</desc>
-<param name="userdomain_prefix">
+<param name="domain">
<summary>
-The type of daemon to be used.
+Domain to not audit.
</summary>
</param>
-</template>
-<interface name="likewise_stream_connect_lsassd" lineno="98">
+</interface>
+<interface name="corenet_tcp_connect_all_rpc_ports" lineno="2247">
<summary>
-Connect to lsassd.
+Connect TCP sockets to rpc ports.
</summary>
<param name="domain">
<summary>
@@ -9313,23 +11575,20 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="lircd" filename="policy/modules/contrib/lircd.if">
-<summary>Linux infared remote control daemon</summary>
-<interface name="lircd_domtrans" lineno="13">
+<interface name="corenet_dontaudit_tcp_connect_all_rpc_ports" lineno="2266">
<summary>
-Execute a domain transition to run lircd.
+Do not audit attempts to connect TCP sockets
+all rpc ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="lircd_stream_connect" lineno="33">
+<interface name="corenet_sctp_bind_reserved_port" lineno="2284">
<summary>
-Connect to lircd over a unix domain
-stream socket.
+Bind SCTP sockets to generic reserved ports.
</summary>
<param name="domain">
<summary>
@@ -9337,75 +11596,80 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="lircd_read_config" lineno="52">
+<interface name="corenet_read_tun_tap_dev" lineno="2303">
<summary>
-Read lircd etc file
+Read the TUN/TAP virtual network device.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain read allowed access.
</summary>
</param>
</interface>
-<interface name="lircd_admin" lineno="77">
+<interface name="corenet_write_tun_tap_dev" lineno="2322">
<summary>
-All of the rules required to administrate
-a lircd environment
+Write the TUN/TAP virtual network device.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain allowed write access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_rw_tun_tap_dev" lineno="2341">
<summary>
-The role to be allowed to manage the syslog domain.
+Read and write the TUN/TAP virtual network device.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="livecd" filename="policy/modules/contrib/livecd.if">
-<summary>Livecd tool for building alternate livecd for different os and policy versions.</summary>
-<interface name="livecd_domtrans" lineno="13">
+<interface name="corenet_sctp_connect_reserved_port" lineno="2360">
<summary>
-Execute a domain transition to run livecd.
+Connect SCTP sockets to generic reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="livecd_run" lineno="37">
+<interface name="corenet_dontaudit_rw_tun_tap_dev" lineno="2379">
<summary>
-Execute livecd in the livecd domain, and
-allow the specified role the livecd domain.
+Do not audit attempts to read or write the TUN/TAP
+virtual network device.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_getattr_ppp_dev" lineno="2397">
<summary>
-Role allowed access.
+Getattr the point-to-point device.
+</summary>
+<param name="domain">
+<summary>
+The domain allowed access.
</summary>
</param>
</interface>
-<interface name="livecd_read_tmp_files" lineno="56">
+<interface name="corenet_rw_ppp_dev" lineno="2415">
<summary>
-Read livecd temporary files.
+Read and write the point-to-point device.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+The domain allowed access.
</summary>
</param>
</interface>
-<interface name="livecd_rw_tmp_files" lineno="75">
+<interface name="corenet_tcp_bind_all_rpc_ports" lineno="2434">
<summary>
-Read and write livecd temporary files.
+Bind TCP sockets to all RPC ports.
</summary>
<param name="domain">
<summary>
@@ -9413,48 +11677,49 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="livecd_rw_semaphores" lineno="94">
+<interface name="corenet_dontaudit_tcp_bind_all_rpc_ports" lineno="2453">
<summary>
-Allow read and write access to livecd semaphores.
+Do not audit attempts to bind TCP sockets to all RPC ports.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="loadkeys" filename="policy/modules/contrib/loadkeys.if">
-<summary>Load keyboard mappings.</summary>
-<interface name="loadkeys_domtrans" lineno="13">
+<interface name="corenet_udp_bind_all_rpc_ports" lineno="2471">
<summary>
-Execute the loadkeys program in the loadkeys domain.
+Bind UDP sockets to all RPC ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="loadkeys_run" lineno="42">
+<interface name="corenet_dontaudit_udp_bind_all_rpc_ports" lineno="2490">
<summary>
-Execute the loadkeys program in the loadkeys domain.
+Do not audit attempts to bind UDP sockets to all RPC ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_sctp_bind_all_reserved_ports" lineno="2508">
<summary>
-The role to allow the loadkeys domain.
+Bind SCTP sockets to all reserved ports.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="loadkeys_exec" lineno="61">
+<interface name="corenet_tcp_recvfrom_netlabel" lineno="2527">
<summary>
-Execute the loadkeys program in the caller domain.
+Receive TCP packets from a NetLabel connection.
</summary>
<param name="domain">
<summary>
@@ -9462,57 +11727,61 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="lockdev" filename="policy/modules/contrib/lockdev.if">
-<summary>device locking policy for lockdev</summary>
-<interface name="lockdev_role" lineno="18">
+<interface name="corenet_tcp_recvfrom_unlabeled" lineno="2546">
<summary>
-Role access for lockdev
+Receive TCP packets from an unlabled connection.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
+</interface>
+<interface name="corenet_dontaudit_sctp_bind_all_reserved_ports" lineno="2566">
+<summary>
+Do not audit attempts to bind SCTP sockets to all reserved ports.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="logrotate" filename="policy/modules/contrib/logrotate.if">
-<summary>Rotate and archive system logs</summary>
-<interface name="logrotate_domtrans" lineno="13">
+<interface name="corenet_dontaudit_tcp_recvfrom_netlabel" lineno="2585">
<summary>
-Execute logrotate in the logrotate domain.
+Do not audit attempts to receive TCP packets from a NetLabel
+connection.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="logrotate_run" lineno="39">
+<interface name="corenet_dontaudit_tcp_recvfrom_unlabeled" lineno="2605">
<summary>
-Execute logrotate in the logrotate domain, and
-allow the specified role the logrotate domain.
+Do not audit attempts to receive TCP packets from an unlabeled
+connection.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_udp_recvfrom_netlabel" lineno="2625">
<summary>
-Role allowed access.
+Receive UDP packets from a NetLabel connection.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="logrotate_exec" lineno="58">
+<interface name="corenet_udp_recvfrom_unlabeled" lineno="2644">
<summary>
-Execute logrotate in the caller domain.
+Receive UDP packets from an unlabeled connection.
</summary>
<param name="domain">
<summary>
@@ -9520,9 +11789,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logrotate_use_fds" lineno="77">
+<interface name="corenet_sctp_bind_all_unreserved_ports" lineno="2664">
<summary>
-Inherit and use logrotate file descriptors.
+Bind SCTP sockets to all ports > 1024.
</summary>
<param name="domain">
<summary>
@@ -9530,9 +11799,10 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logrotate_dontaudit_use_fds" lineno="95">
+<interface name="corenet_dontaudit_udp_recvfrom_netlabel" lineno="2683">
<summary>
-Do not audit attempts to inherit logrotate file descriptors.
+Do not audit attempts to receive UDP packets from a NetLabel
+connection.
</summary>
<param name="domain">
<summary>
@@ -9540,22 +11810,20 @@ Domain to not audit.
</summary>
</param>
</interface>
-<interface name="logrotate_read_tmp_files" lineno="113">
+<interface name="corenet_dontaudit_udp_recvfrom_unlabeled" lineno="2703">
<summary>
-Read a logrotate temporary files.
+Do not audit attempts to receive UDP packets from an unlabeled
+connection.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-</module>
-<module name="logwatch" filename="policy/modules/contrib/logwatch.if">
-<summary>System log analyzer and reporter</summary>
-<interface name="logwatch_read_tmp_files" lineno="13">
+<interface name="corenet_raw_recvfrom_netlabel" lineno="2723">
<summary>
-Read logwatch temporary files.
+Receive Raw IP packets from a NetLabel connection.
</summary>
<param name="domain">
<summary>
@@ -9563,9 +11831,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="logwatch_search_cache_dir" lineno="32">
+<interface name="corenet_raw_recvfrom_unlabeled" lineno="2742">
<summary>
-Search logwatch cache directory.
+Receive Raw IP packets from an unlabeled connection.
</summary>
<param name="domain">
<summary>
@@ -9573,64 +11841,84 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="lpd" filename="policy/modules/contrib/lpd.if">
-<summary>Line printer daemon</summary>
-<interface name="lpd_role" lineno="18">
+<interface name="corenet_dontaudit_raw_recvfrom_netlabel" lineno="2763">
<summary>
-Role access for lpd
-</summary>
-<param name="role">
-<summary>
-Role allowed access
+Do not audit attempts to receive Raw IP packets from a NetLabel
+connection.
</summary>
-</param>
<param name="domain">
<summary>
-User domain for the role
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="lpd_domtrans_checkpc" lineno="47">
+<interface name="corenet_sctp_connect_all_reserved_ports" lineno="2782">
<summary>
-Execute lpd in the lpd domain.
+Connect SCTP sockets to reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="lpd_run_checkpc" lineno="72">
+<interface name="corenet_dontaudit_raw_recvfrom_unlabeled" lineno="2801">
<summary>
-Execute amrecover in the lpd domain, and
-allow the specified role the lpd domain.
+Do not audit attempts to receive Raw IP packets from an unlabeled
+connection.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_all_recvfrom_unlabeled" lineno="2833">
<summary>
-Role allowed access.
+Receive packets from an unlabeled connection.
+</summary>
+<desc>
+<p>
+Allow the specified domain to receive packets from an
+unlabeled connection. On machines that do not utilize
+labeled networking, this will be required on all
+networking domains. On machines tha do utilize
+labeled networking, this will be required for any
+networking domain that is allowed to receive
+network traffic that does not have a label.
+</p>
+</desc>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="lpd_list_spool" lineno="91">
+<interface name="corenet_all_recvfrom_netlabel" lineno="2866">
<summary>
-List the contents of the printer spool directories.
+Receive packets from a NetLabel connection.
</summary>
+<desc>
+<p>
+Allow the specified domain to receive NetLabel
+network traffic, which utilizes the Commercial IP
+Security Option (CIPSO) to set the MLS level
+of the network packets. This is required for
+all networking domains that receive NetLabel
+network traffic.
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="lpd_read_spool" lineno="110">
+<interface name="corenet_dontaudit_all_recvfrom_unlabeled" lineno="2885">
<summary>
-Read the printer spool files.
+Do not audit attempts to receive packets from an unlabeled connection.
</summary>
<param name="domain">
<summary>
@@ -9638,118 +11926,139 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="lpd_manage_spool" lineno="129">
+<interface name="corenet_dontaudit_sctp_connect_all_reserved_ports" lineno="2908">
<summary>
-Create, read, write, and delete printer spool files.
+Do not audit attempts to connect SCTP sockets
+all reserved ports.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="lpd_relabel_spool" lineno="150">
+<interface name="corenet_dontaudit_all_recvfrom_netlabel" lineno="2927">
<summary>
-Relabel from and to the spool files.
+Do not audit attempts to receive packets from a NetLabel
+connection.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
</interface>
-<interface name="lpd_read_config" lineno="170">
+<interface name="corenet_tcp_recvfrom_labeled" lineno="2959">
<summary>
-List the contents of the printer spool directories.
+Rules for receiving labeled TCP packets.
</summary>
+<desc>
+<p>
+Rules for receiving labeled TCP packets.
+</p>
+<p>
+Due to the nature of TCP, this is bidirectional.
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
</interface>
-<template name="lpd_domtrans_lpr" lineno="189">
+<interface name="corenet_udp_recvfrom_labeled" lineno="2987">
<summary>
-Transition to a user lpr domain.
+Rules for receiving labeled UDP packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="lpd_exec_lpr" lineno="208">
+<param name="peer_domain">
<summary>
-Allow the specified domain to execute lpr
-in the caller domain.
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_raw_recvfrom_labeled" lineno="3012">
+<summary>
+Rules for receiving labeled raw IP packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<param name="peer_domain">
+<summary>
+Peer domain.
+</summary>
+</param>
</interface>
-<tunable name="use_lpd_server" dftval="false">
-<desc>
-<p>
-Use lpd server instead of cups
-</p>
-</desc>
-</tunable>
-</module>
-<module name="mailman" filename="policy/modules/contrib/mailman.if">
-<summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
-<template name="mailman_domain_template" lineno="19">
+<interface name="corenet_all_recvfrom_labeled" lineno="3046">
<summary>
-The template to define a mailmain domain.
+Rules for receiving labeled packets via TCP, UDP and raw IP.
</summary>
<desc>
<p>
-This template creates a domain to be used for
-a new mailman daemon.
+Rules for receiving labeled packets via TCP, UDP and raw IP.
+</p>
+<p>
+Due to the nature of TCP, the rules (for TCP
+networking only) are bidirectional.
</p>
</desc>
-<param name="userdomain_prefix">
+<param name="domain">
<summary>
-The type of daemon to be used eg, cgi would give mailman_cgi_
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="mailman_domtrans" lineno="103">
+<param name="peer_domain">
<summary>
-Execute mailman in the mailman domain.
+Peer domain.
+</summary>
+</param>
+</interface>
+<interface name="corenet_setcontext_all_spds" lineno="3064">
+<summary>
+Allow specified type to set the context of
+a SPD entry for labeled ipsec associations.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_domtrans_cgi" lineno="122">
+<interface name="corenet_send_generic_client_packets" lineno="3082">
<summary>
-Execute mailman CGI scripts in the
-mailman CGI domain.
+Send generic client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_exec" lineno="140">
+<interface name="corenet_receive_generic_client_packets" lineno="3100">
<summary>
-Execute mailman in the caller domain.
+Receive generic client packets.
</summary>
<param name="domain">
<summary>
-Domain allowd access.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_signal_cgi" lineno="158">
+<interface name="corenet_sendrecv_generic_client_packets" lineno="3118">
<summary>
-Send generic signals to the mailman cgi domain.
+Send and receive generic client packets.
</summary>
<param name="domain">
<summary>
@@ -9757,9 +12066,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_search_data" lineno="176">
+<interface name="corenet_relabelto_generic_client_packets" lineno="3133">
<summary>
-Allow domain to search data directories.
+Relabel packets to the generic client packet type.
</summary>
<param name="domain">
<summary>
@@ -9767,9 +12076,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_read_data_files" lineno="194">
+<interface name="corenet_send_generic_server_packets" lineno="3151">
<summary>
-Allow domain to to read mailman data files.
+Send generic server packets.
</summary>
<param name="domain">
<summary>
@@ -9777,10 +12086,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_manage_data_files" lineno="215">
+<interface name="corenet_receive_generic_server_packets" lineno="3169">
<summary>
-Allow domain to to create mailman data files
-and write the directory.
+Receive generic server packets.
</summary>
<param name="domain">
<summary>
@@ -9788,9 +12096,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_list_data" lineno="234">
+<interface name="corenet_sendrecv_generic_server_packets" lineno="3187">
<summary>
-List the contents of mailman data directories.
+Send and receive generic server packets.
</summary>
<param name="domain">
<summary>
@@ -9798,9 +12106,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_read_data_symlinks" lineno="252">
+<interface name="corenet_relabelto_generic_server_packets" lineno="3202">
<summary>
-Allow read acces to mailman data symbolic links.
+Relabel packets to the generic server packet type.
</summary>
<param name="domain">
<summary>
@@ -9808,19 +12116,26 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_read_log" lineno="270">
+<interface name="corenet_sendrecv_unlabeled_packets" lineno="3227">
<summary>
-Read mailman logs.
+Send and receive unlabeled packets.
</summary>
+<desc>
+<p>
+Send and receive unlabeled packets.
+These packets do not match any netfilter
+SECMARK rules.
+</p>
+</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_append_log" lineno="288">
+<interface name="corenet_send_all_client_packets" lineno="3241">
<summary>
-Append to mailman logs.
+Send all client packets.
</summary>
<param name="domain">
<summary>
@@ -9828,10 +12143,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_manage_log" lineno="307">
+<interface name="corenet_receive_all_client_packets" lineno="3259">
<summary>
-Create, read, write, and delete
-mailman logs.
+Receive all client packets.
</summary>
<param name="domain">
<summary>
@@ -9839,9 +12153,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_read_archive" lineno="326">
+<interface name="corenet_sendrecv_all_client_packets" lineno="3277">
<summary>
-Allow domain to read mailman archive files.
+Send and receive all client packets.
</summary>
<param name="domain">
<summary>
@@ -9849,48 +12163,39 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mailman_domtrans_queue" lineno="346">
+<interface name="corenet_relabelto_all_client_packets" lineno="3292">
<summary>
-Execute mailman_queue in the mailman_queue domain.
+Relabel packets to any client packet type.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="mcelog" filename="policy/modules/contrib/mcelog.if">
-<summary>policy for mcelog</summary>
-<interface name="mcelog_domtrans" lineno="13">
+<interface name="corenet_send_all_server_packets" lineno="3310">
<summary>
-Execute a domain transition to run mcelog.
+Send all server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="mediawiki" filename="policy/modules/contrib/mediawiki.if">
-<summary>Mediawiki policy</summary>
-</module>
-<module name="memcached" filename="policy/modules/contrib/memcached.if">
-<summary>high-performance memory object caching system</summary>
-<interface name="memcached_domtrans" lineno="13">
+<interface name="corenet_sctp_recvfrom_netlabel" lineno="3328">
<summary>
-Execute a domain transition to run memcached.
+Receive SCTP packets from a NetLabel connection.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="memcached_read_pid_files" lineno="32">
+<interface name="corenet_receive_all_server_packets" lineno="3346">
<summary>
-Read memcached PID files.
+Receive all server packets.
</summary>
<param name="domain">
<summary>
@@ -9898,40 +12203,39 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="memcached_admin" lineno="58">
+<interface name="corenet_sendrecv_all_server_packets" lineno="3364">
<summary>
-All of the rules required to administrate
-an memcached environment
+Send and receive all server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_relabelto_all_server_packets" lineno="3379">
<summary>
-The role to be allowed to manage the memcached domain.
+Relabel packets to any server packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="milter" filename="policy/modules/contrib/milter.if">
-<summary>Milter mail filters</summary>
-<template name="milter_template" lineno="14">
+<interface name="corenet_sctp_recvfrom_unlabeled" lineno="3397">
<summary>
-Create a set of derived types for various
-mail filter applications using the milter interface.
+Receive SCTP packets from an unlabled connection.
</summary>
-<param name="milter_name">
+<param name="domain">
<summary>
-The name to be used for deriving type names.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="milter_stream_connect_all" lineno="59">
+</interface>
+<interface name="corenet_send_all_packets" lineno="3418">
<summary>
-MTA communication with milter sockets
+Send all packets.
</summary>
<param name="domain">
<summary>
@@ -9939,9 +12243,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="milter_getattr_all_sockets" lineno="78">
+<interface name="corenet_receive_all_packets" lineno="3436">
<summary>
-Allow getattr of milter sockets
+Receive all packets.
</summary>
<param name="domain">
<summary>
@@ -9949,9 +12253,9 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="milter_manage_spamass_state" lineno="97">
+<interface name="corenet_sendrecv_all_packets" lineno="3454">
<summary>
-Manage spamassassin milter state
+Send and receive all packets.
</summary>
<param name="domain">
<summary>
@@ -9959,23 +12263,19 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="modemmanager" filename="policy/modules/contrib/modemmanager.if">
-<summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>
-<interface name="modemmanager_domtrans" lineno="13">
+<interface name="corenet_relabelto_all_packets" lineno="3469">
<summary>
-Execute a domain transition to run modemmanager.
+Relabel packets to any packet type.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="modemmanager_dbus_chat" lineno="32">
+<interface name="corenet_ib_access_unlabeled_pkeys" lineno="3487">
<summary>
-Send and receive messages from
-modemmanager over dbus.
+Access unlabeled infiniband pkeys.
</summary>
<param name="domain">
<summary>
@@ -9983,223 +12283,240 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="mojomojo" filename="policy/modules/contrib/mojomojo.if">
-<summary>MojoMojo Wiki</summary>
-<interface name="mojomojo_admin" lineno="20">
+<interface name="corenet_ib_access_all_pkeys" lineno="3501">
<summary>
-All of the rules required to administrate
-an mojomojo environment
+Access all labeled infiniband pkeys.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_ib_manage_subnet_all_endports" lineno="3519">
<summary>
-Role allowed access.
+Manage subnets on all labeled Infiniband endports
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="mono" filename="policy/modules/contrib/mono.if">
-<summary>Run .NET server and client applications on Linux.</summary>
-<template name="mono_role_template" lineno="30">
+<interface name="corenet_ib_manage_subnet_unlabeled_endports" lineno="3537">
<summary>
-The role template for the mono module.
+Manage subnet on all unlabeled Infiniband endports
</summary>
-<desc>
-<p>
-This template creates a derived domains which are used
-for mono applications.
-</p>
-</desc>
-<param name="role_prefix">
+<param name="domain">
<summary>
-The prefix of the user domain (e.g., user
-is the prefix for user_t).
+Domain allowed access.
</summary>
</param>
-<param name="user_role">
+</interface>
+<interface name="corenet_sctp_recvfrom_labeled" lineno="3556">
<summary>
-The role associated with the user domain.
+Rules for receiving labeled SCTP packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<param name="user_domain">
+<param name="peer_domain">
<summary>
-The type of the user domain.
+Peer domain.
</summary>
</param>
-</template>
-<interface name="mono_domtrans" lineno="69">
+</interface>
+<interface name="corenet_unconfined" lineno="3579">
<summary>
-Execute the mono program in the mono domain.
+Unconfined access to network objects.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+The domain allowed access.
</summary>
</param>
</interface>
-<interface name="mono_run" lineno="94">
+<interface name="corenet_tcp_sendrecv_adb_port" lineno="3599">
<summary>
-Execute mono in the mono domain, and
-allow the specified role the mono domain.
+Send and receive TCP traffic on the adb port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_adb_port" lineno="3618">
<summary>
-Role allowed access.
+Send UDP traffic on the adb port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mono_exec" lineno="113">
+<interface name="corenet_dontaudit_udp_send_adb_port" lineno="3637">
<summary>
-Execute the mono program in the caller domain.
+Do not audit attempts to send UDP traffic on the adb port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mono_rw_shm" lineno="132">
+<interface name="corenet_udp_receive_adb_port" lineno="3656">
<summary>
-Read and write to mono shared memory.
+Receive UDP traffic on the adb port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-</module>
-<module name="monop" filename="policy/modules/contrib/monop.if">
-<summary>Monopoly daemon</summary>
-</module>
-<module name="mozilla" filename="policy/modules/contrib/mozilla.if">
-<summary>Policy for Mozilla and related web browsers</summary>
-<interface name="mozilla_role" lineno="18">
+<interface name="corenet_dontaudit_udp_receive_adb_port" lineno="3675">
<summary>
-Role access for mozilla
+Do not audit attempts to receive UDP traffic on the adb port.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_adb_port" lineno="3694">
+<summary>
+Send and receive UDP traffic on the adb port.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mozilla_read_user_home_files" lineno="63">
+<interface name="corenet_dontaudit_udp_sendrecv_adb_port" lineno="3711">
<summary>
-Read mozilla home directory content
+Do not audit attempts to send and receive
+UDP traffic on the adb port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_write_user_home_files" lineno="84">
+<interface name="corenet_tcp_bind_adb_port" lineno="3727">
<summary>
-Write mozilla home directory content
+Bind TCP sockets to the adb port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_dontaudit_rw_user_home_files" lineno="103">
+<interface name="corenet_udp_bind_adb_port" lineno="3747">
<summary>
-Dontaudit attempts to read/write mozilla home directory content
+Bind UDP sockets to the adb port.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_dontaudit_manage_user_home_files" lineno="121">
+<interface name="corenet_tcp_connect_adb_port" lineno="3766">
<summary>
-Dontaudit attempts to write mozilla home directory content
+Make a TCP connection to the adb port.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mozilla_exec_user_home_files" lineno="140">
+<interface name="corenet_send_adb_client_packets" lineno="3786">
<summary>
-Execute mozilla home directory content.
+Send adb_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mozilla_execmod_user_home_files" lineno="158">
+<interface name="corenet_dontaudit_send_adb_client_packets" lineno="3805">
<summary>
-Execmod mozilla home directory content.
+Do not audit attempts to send adb_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_domtrans" lineno="176">
+<interface name="corenet_receive_adb_client_packets" lineno="3824">
<summary>
-Run mozilla in the mozilla domain.
+Receive adb_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mozilla_domtrans_plugin" lineno="194">
+<interface name="corenet_dontaudit_receive_adb_client_packets" lineno="3843">
<summary>
-Execute a domain transition to run mozilla_plugin.
+Do not audit attempts to receive adb_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_run_plugin" lineno="220">
+<interface name="corenet_sendrecv_adb_client_packets" lineno="3862">
<summary>
-Execute mozilla_plugin in the mozilla_plugin domain, and
-allow the specified role the mozilla_plugin domain.
+Send and receive adb_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_adb_client_packets" lineno="3878">
+<summary>
+Do not audit attempts to send and receive adb_client packets.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed the mozilla_plugin domain.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_dbus_chat" lineno="240">
+<interface name="corenet_relabelto_adb_client_packets" lineno="3893">
<summary>
-Send and receive messages from
-mozilla over dbus.
+Relabel packets to adb_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -10207,79 +12524,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mozilla_rw_tcp_sockets" lineno="260">
+<interface name="corenet_send_adb_server_packets" lineno="3913">
<summary>
-read/write mozilla per user tcp_socket
+Send adb_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mozilla_plugin_read_tmpfs_files" lineno="278">
+<interface name="corenet_dontaudit_send_adb_server_packets" lineno="3932">
<summary>
-Read mozilla_plugin tmpfs files
+Do not audit attempts to send adb_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mozilla_plugin_delete_tmpfs_files" lineno="296">
+<interface name="corenet_receive_adb_server_packets" lineno="3951">
<summary>
-Delete mozilla_plugin tmpfs files
+Receive adb_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<tunable name="mozilla_read_content" dftval="false">
-<desc>
-<p>
-Allow confined web browsers to read home directory content
-</p>
-</desc>
-</tunable>
-</module>
-<module name="mpd" filename="policy/modules/contrib/mpd.if">
-<summary>Music Player Daemon</summary>
-<interface name="mpd_domtrans" lineno="13">
+<interface name="corenet_dontaudit_receive_adb_server_packets" lineno="3970">
<summary>
-Execute a domain transition to run mpd.
+Do not audit attempts to receive adb_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_initrc_domtrans" lineno="31">
+<interface name="corenet_sendrecv_adb_server_packets" lineno="3989">
<summary>
-Execute mpd server in the mpd domain.
+Send and receive adb_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mpd_read_data_files" lineno="49">
+<interface name="corenet_dontaudit_sendrecv_adb_server_packets" lineno="4005">
<summary>
-Read mpd data files.
+Do not audit attempts to send and receive adb_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_manage_data_files" lineno="68">
+<interface name="corenet_relabelto_adb_server_packets" lineno="4020">
<summary>
-Manage mpd data files.
+Relabel packets to adb_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -10287,450 +12600,447 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mpd_read_tmpfs_files" lineno="87">
+<interface name="corenet_tcp_sendrecv_afs_bos_port" lineno="4042">
<summary>
-Read mpd tmpfs files.
+Send and receive TCP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mpd_manage_tmpfs_files" lineno="106">
+<interface name="corenet_udp_send_afs_bos_port" lineno="4061">
<summary>
-Manage mpd tmpfs files.
+Send UDP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mpd_search_lib" lineno="126">
+<interface name="corenet_dontaudit_udp_send_afs_bos_port" lineno="4080">
<summary>
-Search mpd lib directories.
+Do not audit attempts to send UDP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_read_lib_files" lineno="145">
+<interface name="corenet_udp_receive_afs_bos_port" lineno="4099">
<summary>
-Read mpd lib files.
+Receive UDP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mpd_manage_lib_files" lineno="165">
+<interface name="corenet_dontaudit_udp_receive_afs_bos_port" lineno="4118">
<summary>
-Create, read, write, and delete
-mpd lib files.
+Do not audit attempts to receive UDP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_var_lib_filetrans" lineno="195">
+<interface name="corenet_udp_sendrecv_afs_bos_port" lineno="4137">
<summary>
-Create an object in the root directory, with a private
-type using a type transition.
+Send and receive UDP traffic on the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="private type">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_bos_port" lineno="4154">
<summary>
-The type of the object to be created.
+Do not audit attempts to send and receive
+UDP traffic on the afs_bos port.
</summary>
-</param>
-<param name="object">
+<param name="domain">
<summary>
-The object class of the object being created.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_manage_lib_dirs" lineno="214">
+<interface name="corenet_tcp_bind_afs_bos_port" lineno="4170">
<summary>
-Manage mpd lib dirs files.
+Bind TCP sockets to the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mpd_admin" lineno="240">
+<interface name="corenet_udp_bind_afs_bos_port" lineno="4190">
<summary>
-All of the rules required to administrate
-an mpd environment
+Bind UDP sockets to the afs_bos port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_connect_afs_bos_port" lineno="4209">
<summary>
-Role allowed access.
+Make a TCP connection to the afs_bos port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="mplayer" filename="policy/modules/contrib/mplayer.if">
-<summary>Mplayer media player and encoder</summary>
-<interface name="mplayer_role" lineno="18">
+<interface name="corenet_send_afs_bos_client_packets" lineno="4229">
<summary>
-Role access for mplayer
+Send afs_bos_client packets.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_bos_client_packets" lineno="4248">
+<summary>
+Do not audit attempts to send afs_bos_client packets.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mplayer_domtrans" lineno="60">
+<interface name="corenet_receive_afs_bos_client_packets" lineno="4267">
<summary>
-Run mplayer in mplayer domain.
+Receive afs_bos_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mplayer_exec" lineno="79">
+<interface name="corenet_dontaudit_receive_afs_bos_client_packets" lineno="4286">
<summary>
-Execute mplayer in the caller domain.
+Do not audit attempts to receive afs_bos_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mplayer_read_user_home_files" lineno="97">
+<interface name="corenet_sendrecv_afs_bos_client_packets" lineno="4305">
<summary>
-Read mplayer per user homedir
+Send and receive afs_bos_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<tunable name="allow_mplayer_execstack" dftval="false">
-<desc>
-<p>
-Allow mplayer executable stack
-</p>
-</desc>
-</tunable>
-</module>
-<module name="mrtg" filename="policy/modules/contrib/mrtg.if">
-<summary>Network traffic graphing</summary>
-<interface name="mrtg_append_create_logs" lineno="13">
+<interface name="corenet_dontaudit_sendrecv_afs_bos_client_packets" lineno="4321">
<summary>
-Create and append mrtg logs.
+Do not audit attempts to send and receive afs_bos_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="mta" filename="policy/modules/contrib/mta.if">
-<summary>Policy common to all email tranfer agents.</summary>
-<interface name="mta_stub" lineno="13">
+<interface name="corenet_relabelto_afs_bos_client_packets" lineno="4336">
<summary>
-MTA stub interface. No access allowed.
+Relabel packets to afs_bos_client the packet type.
</summary>
-<param name="domain" unused="true">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<template name="mta_base_mail_template" lineno="41">
+<interface name="corenet_send_afs_bos_server_packets" lineno="4356">
<summary>
-Basic mail transfer agent domain template.
+Send afs_bos_server packets.
</summary>
-<desc>
-<p>
-This template creates a derived domain which is
-a email transfer agent, which sends mail on
-behalf of the user.
-</p>
-<p>
-This is the basic types and rules, common
-to the system agent and user agents.
-</p>
-</desc>
-<param name="domain_prefix">
+<param name="domain">
<summary>
-The prefix of the domain (e.g., user
-is the prefix for user_t).
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="mta_role" lineno="162">
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_bos_server_packets" lineno="4375">
<summary>
-Role access for mta
+Do not audit attempts to send afs_bos_server packets.
</summary>
-<param name="role">
+<param name="domain">
<summary>
-Role allowed access
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_bos_server_packets" lineno="4394">
+<summary>
+Receive afs_bos_server packets.
+</summary>
<param name="domain">
<summary>
-User domain for the role
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mta_mailserver" lineno="194">
+<interface name="corenet_dontaudit_receive_afs_bos_server_packets" lineno="4413">
<summary>
-Make the specified domain usable for a mail server.
+Do not audit attempts to receive afs_bos_server packets.
</summary>
-<param name="type">
+<param name="domain">
<summary>
-Type to be used as a mail server domain.
+Domain allowed access.
</summary>
</param>
-<param name="entry_point">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_sendrecv_afs_bos_server_packets" lineno="4432">
<summary>
-Type of the program to be used as an entry point to this domain.
+Send and receive afs_bos_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mta_agent_executable" lineno="213">
+<interface name="corenet_dontaudit_sendrecv_afs_bos_server_packets" lineno="4448">
<summary>
-Make the specified type a MTA executable file.
+Do not audit attempts to send and receive afs_bos_server packets.
</summary>
-<param name="type">
+<param name="domain">
<summary>
-Type to be used as a mail client.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_system_content" lineno="233">
+<interface name="corenet_relabelto_afs_bos_server_packets" lineno="4463">
<summary>
-Make the specified type by a system MTA.
+Relabel packets to afs_bos_server the packet type.
</summary>
-<param name="type">
+<param name="domain">
<summary>
-Type to be used as a mail client.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_sendmail_mailserver" lineno="266">
+<interface name="corenet_tcp_sendrecv_afs_fs_port" lineno="4485">
<summary>
-Modified mailserver interface for
-sendmail daemon use.
+Send and receive TCP traffic on the afs_fs port.
</summary>
-<desc>
-<p>
-A modified MTA mail server interface for
-the sendmail program. It's design does
-not fit well with policy, and using the
-regular interface causes a type_transition
-conflict if direct running of init scripts
-is enabled.
-</p>
-<p>
-This interface should most likely only be used
-by the sendmail policy.
-</p>
-</desc>
<param name="domain">
<summary>
-The type to be used for the mail server.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mta_mailserver_sender" lineno="287">
+<interface name="corenet_udp_send_afs_fs_port" lineno="4504">
<summary>
-Make a type a mailserver type used
-for sending mail.
+Send UDP traffic on the afs_fs port.
</summary>
<param name="domain">
<summary>
-Mail server domain type used for sending mail.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mta_mailserver_delivery" lineno="306">
+<interface name="corenet_dontaudit_udp_send_afs_fs_port" lineno="4523">
<summary>
-Make a type a mailserver type used
-for delivering mail to local users.
+Do not audit attempts to send UDP traffic on the afs_fs port.
</summary>
<param name="domain">
<summary>
-Mail server domain type used for delivering mail.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_mailserver_user_agent" lineno="327">
+<interface name="corenet_udp_receive_afs_fs_port" lineno="4542">
<summary>
-Make a type a mailserver type used
-for sending mail on behalf of local
-users to the local mail spool.
+Receive UDP traffic on the afs_fs port.
</summary>
<param name="domain">
<summary>
-Mail server domain type used for sending local mail.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mta_send_mail" lineno="351">
+<interface name="corenet_dontaudit_udp_receive_afs_fs_port" lineno="4561">
<summary>
-Send mail from the system.
+Do not audit attempts to receive UDP traffic on the afs_fs port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_sendmail_domtrans" lineno="394">
+<interface name="corenet_udp_sendrecv_afs_fs_port" lineno="4580">
<summary>
-Execute send mail in a specified domain.
+Send and receive UDP traffic on the afs_fs port.
</summary>
-<desc>
-<p>
-Execute send mail in a specified domain.
-</p>
-<p>
-No interprocess communication (signals, pipes,
-etc.) is provided by this interface since
-the domains are not owned by this module.
-</p>
-</desc>
-<param name="source_domain">
+<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="target_domain">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs_fs_port" lineno="4597">
<summary>
-Domain to transition to.
+Do not audit attempts to send and receive
+UDP traffic on the afs_fs port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_signal_system_mail" lineno="415">
+<interface name="corenet_tcp_bind_afs_fs_port" lineno="4613">
<summary>
-Send system mail client a signal
+Bind TCP sockets to the afs_fs port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_sendmail_exec" lineno="433">
+<interface name="corenet_udp_bind_afs_fs_port" lineno="4633">
<summary>
-Execute sendmail in the caller domain.
+Bind UDP sockets to the afs_fs port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_read_config" lineno="452">
+<interface name="corenet_tcp_connect_afs_fs_port" lineno="4652">
<summary>
-Read mail server configuration.
+Make a TCP connection to the afs_fs port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-<interface name="mta_write_config" lineno="474">
+<interface name="corenet_send_afs_fs_client_packets" lineno="4672">
<summary>
-write mail server configuration.
+Send afs_fs_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mta_read_aliases" lineno="492">
+<interface name="corenet_dontaudit_send_afs_fs_client_packets" lineno="4691">
<summary>
-Read mail address aliases.
+Do not audit attempts to send afs_fs_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_manage_aliases" lineno="511">
+<interface name="corenet_receive_afs_fs_client_packets" lineno="4710">
<summary>
-Create, read, write, and delete mail address aliases.
+Receive afs_fs_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mta_etc_filetrans_aliases" lineno="532">
+<interface name="corenet_dontaudit_receive_afs_fs_client_packets" lineno="4729">
<summary>
-Type transition files created in /etc
-to the mail address aliases type.
+Do not audit attempts to receive afs_fs_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_rw_aliases" lineno="551">
+<interface name="corenet_sendrecv_afs_fs_client_packets" lineno="4748">
<summary>
-Read and write mail aliases.
+Send and receive afs_fs_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mta_dontaudit_rw_delivery_tcp_sockets" lineno="571">
+<interface name="corenet_dontaudit_sendrecv_afs_fs_client_packets" lineno="4764">
<summary>
-Do not audit attempts to read and write TCP
-sockets of mail delivery domains.
+Do not audit attempts to send and receive afs_fs_client packets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_tcp_connect_all_mailservers" lineno="589">
+<interface name="corenet_relabelto_afs_fs_client_packets" lineno="4779">
<summary>
-Connect to all mail servers over TCP. (Deprecated)
+Relabel packets to afs_fs_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -10738,62 +13048,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_dontaudit_read_spool_symlinks" lineno="604">
+<interface name="corenet_send_afs_fs_server_packets" lineno="4799">
<summary>
-Do not audit attempts to read a symlink
-in the mail spool.
+Send afs_fs_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
+</summary>
+</param>
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_fs_server_packets" lineno="4818">
+<summary>
+Do not audit attempts to send afs_fs_server packets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_getattr_spool" lineno="622">
+<interface name="corenet_receive_afs_fs_server_packets" lineno="4837">
<summary>
-Get the attributes of mail spool files.
+Receive afs_fs_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mta_dontaudit_getattr_spool_files" lineno="644">
+<interface name="corenet_dontaudit_receive_afs_fs_server_packets" lineno="4856">
<summary>
-Do not audit attempts to get the attributes
-of mail spool files.
+Do not audit attempts to receive afs_fs_server packets.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_spool_filetrans" lineno="676">
+<interface name="corenet_sendrecv_afs_fs_server_packets" lineno="4875">
<summary>
-Create private objects in the
-mail spool directory.
+Send and receive afs_fs_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="private type">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs_fs_server_packets" lineno="4891">
<summary>
-The type of the object to be created.
+Do not audit attempts to send and receive afs_fs_server packets.
</summary>
-</param>
-<param name="object">
+<param name="domain">
<summary>
-The object class of the object being created.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_rw_spool" lineno="695">
+<interface name="corenet_relabelto_afs_fs_server_packets" lineno="4906">
<summary>
-Read and write the mail spool.
+Relabel packets to afs_fs_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -10801,102 +13124,109 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mta_append_spool" lineno="717">
+<interface name="corenet_tcp_sendrecv_afs_ka_port" lineno="4928">
<summary>
-Create, read, and write the mail spool.
+Send and receive TCP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mta_delete_spool" lineno="739">
+<interface name="corenet_udp_send_afs_ka_port" lineno="4947">
<summary>
-Delete from the mail spool.
+Send UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mta_manage_spool" lineno="758">
+<interface name="corenet_dontaudit_udp_send_afs_ka_port" lineno="4966">
<summary>
-Create, read, write, and delete mail spool files.
+Do not audit attempts to send UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_search_queue" lineno="779">
+<interface name="corenet_udp_receive_afs_ka_port" lineno="4985">
<summary>
-Search mail queue dirs.
+Receive UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mta_list_queue" lineno="798">
+<interface name="corenet_dontaudit_udp_receive_afs_ka_port" lineno="5004">
<summary>
-List the mail queue.
+Do not audit attempts to receive UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_read_queue" lineno="817">
+<interface name="corenet_udp_sendrecv_afs_ka_port" lineno="5023">
<summary>
-Read the mail queue.
+Send and receive UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mta_dontaudit_rw_queue" lineno="837">
+<interface name="corenet_dontaudit_udp_sendrecv_afs_ka_port" lineno="5040">
<summary>
-Do not audit attempts to read and
-write the mail queue.
+Do not audit attempts to send and receive
+UDP traffic on the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_manage_queue" lineno="857">
+<interface name="corenet_tcp_bind_afs_ka_port" lineno="5056">
<summary>
-Create, read, write, and delete
-mail queue files.
+Bind TCP sockets to the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_read_sendmail_bin" lineno="878">
+<interface name="corenet_udp_bind_afs_ka_port" lineno="5076">
<summary>
-Read sendmail binary.
+Bind UDP sockets to the afs_ka port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mta_rw_user_mail_stream_sockets" lineno="897">
+<interface name="corenet_tcp_connect_afs_ka_port" lineno="5095">
<summary>
-Read and write unix domain stream sockets
-of user mail domains.
+Make a TCP connection to the afs_ka port.
</summary>
<param name="domain">
<summary>
@@ -10904,160 +13234,151 @@ Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="munin" filename="policy/modules/contrib/munin.if">
-<summary>Munin network-wide load graphing (formerly LRRD)</summary>
-<template name="munin_plugin_template" lineno="14">
+<interface name="corenet_send_afs_ka_client_packets" lineno="5115">
<summary>
-Create a set of derived types for various
-munin plugins,
+Send afs_ka_client packets.
</summary>
-<param name="prefix">
+<param name="domain">
<summary>
-The name to be used for deriving type names.
+Domain allowed access.
</summary>
</param>
-</template>
-<interface name="munin_stream_connect" lineno="63">
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_ka_client_packets" lineno="5134">
<summary>
-Connect to munin over a unix domain
-stream socket.
+Do not audit attempts to send afs_ka_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="munin_read_config" lineno="84">
+<interface name="corenet_receive_afs_ka_client_packets" lineno="5153">
<summary>
-Read munin configuration files.
+Receive afs_ka_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="munin_append_log" lineno="106">
+<interface name="corenet_dontaudit_receive_afs_ka_client_packets" lineno="5172">
<summary>
-Append to the munin log.
+Do not audit attempts to receive afs_ka_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="munin_search_lib" lineno="126">
+<interface name="corenet_sendrecv_afs_ka_client_packets" lineno="5191">
<summary>
-Search munin library directories.
+Send and receive afs_ka_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="munin_dontaudit_search_lib" lineno="146">
+<interface name="corenet_dontaudit_sendrecv_afs_ka_client_packets" lineno="5207">
<summary>
-Do not audit attempts to search
-munin library directories.
+Do not audit attempts to send and receive afs_ka_client packets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="munin_admin" lineno="171">
+<interface name="corenet_relabelto_afs_ka_client_packets" lineno="5222">
<summary>
-All of the rules required to administrate
-an munin environment
+Relabel packets to afs_ka_client the packet type.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
-<summary>
-The role to be allowed to manage the munin domain.
-</summary>
-</param>
-<rolecap/>
</interface>
-</module>
-<module name="mysql" filename="policy/modules/contrib/mysql.if">
-<summary>Policy for MySQL</summary>
-<interface name="mysql_domtrans" lineno="13">
+<interface name="corenet_send_afs_ka_server_packets" lineno="5242">
<summary>
-Execute MySQL in the mysql domain.
+Send afs_ka_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mysql_signal" lineno="31">
+<interface name="corenet_dontaudit_send_afs_ka_server_packets" lineno="5261">
<summary>
-Send a generic signal to MySQL.
+Do not audit attempts to send afs_ka_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_tcp_connect" lineno="49">
+<interface name="corenet_receive_afs_ka_server_packets" lineno="5280">
<summary>
-Allow the specified domain to connect to postgresql with a tcp socket.
+Receive afs_ka_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mysql_stream_connect" lineno="71">
+<interface name="corenet_dontaudit_receive_afs_ka_server_packets" lineno="5299">
<summary>
-Connect to MySQL using a unix domain stream socket.
+Do not audit attempts to receive afs_ka_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_read_config" lineno="91">
+<interface name="corenet_sendrecv_afs_ka_server_packets" lineno="5318">
<summary>
-Read MySQL configuration files.
+Send and receive afs_ka_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mysql_search_db" lineno="114">
+<interface name="corenet_dontaudit_sendrecv_afs_ka_server_packets" lineno="5334">
<summary>
-Search the directories that contain MySQL
-database storage.
+Do not audit attempts to send and receive afs_ka_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_rw_db_dirs" lineno="133">
+<interface name="corenet_relabelto_afs_ka_server_packets" lineno="5349">
<summary>
-Read and write to the MySQL database directory.
+Relabel packets to afs_ka_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -11065,182 +13386,185 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="mysql_manage_db_dirs" lineno="152">
+<interface name="corenet_tcp_sendrecv_afs_pt_port" lineno="5371">
<summary>
-Create, read, write, and delete MySQL database directories.
+Send and receive TCP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mysql_append_db_files" lineno="171">
+<interface name="corenet_udp_send_afs_pt_port" lineno="5390">
<summary>
-Append to the MySQL database directory.
+Send UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="mysql_rw_db_files" lineno="190">
+<interface name="corenet_dontaudit_udp_send_afs_pt_port" lineno="5409">
<summary>
-Read and write to the MySQL database directory.
+Do not audit attempts to send UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_manage_db_files" lineno="209">
+<interface name="corenet_udp_receive_afs_pt_port" lineno="5428">
<summary>
-Create, read, write, and delete MySQL database files.
+Receive UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="mysql_rw_db_sockets" lineno="229">
+<interface name="corenet_dontaudit_udp_receive_afs_pt_port" lineno="5447">
<summary>
-Read and write to the MySQL database
-named socket.
+Do not audit attempts to receive UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_write_log" lineno="249">
+<interface name="corenet_udp_sendrecv_afs_pt_port" lineno="5466">
<summary>
-Write to the MySQL log.
+Send and receive UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="mysql_domtrans_mysql_safe" lineno="268">
+<interface name="corenet_dontaudit_udp_sendrecv_afs_pt_port" lineno="5483">
<summary>
-Execute MySQL server in the mysql domain.
+Do not audit attempts to send and receive
+UDP traffic on the afs_pt port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_read_pid_files" lineno="286">
+<interface name="corenet_tcp_bind_afs_pt_port" lineno="5499">
<summary>
-Read MySQL PID files.
+Bind TCP sockets to the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="mysql_search_pid_files" lineno="306">
+<interface name="corenet_udp_bind_afs_pt_port" lineno="5519">
<summary>
-Search MySQL PID files.
+Bind UDP sockets to the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-
+<infoflow type="none"/>
</interface>
-<interface name="mysql_admin" lineno="330">
+<interface name="corenet_tcp_connect_afs_pt_port" lineno="5538">
<summary>
-All of the rules required to administrate an mysql environment
+Make a TCP connection to the afs_pt port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_send_afs_pt_client_packets" lineno="5558">
<summary>
-The role to be allowed to manage the mysql domain.
+Send afs_pt_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="write" weight="10"/>
</interface>
-<tunable name="mysql_connect_any" dftval="false">
-<desc>
-<p>
-Allow mysqld to connect to all ports
-</p>
-</desc>
-</tunable>
-</module>
-<module name="nagios" filename="policy/modules/contrib/nagios.if">
-<summary>Net Saint / NAGIOS - network monitoring server</summary>
-<template name="nagios_plugin_template" lineno="14">
+<interface name="corenet_dontaudit_send_afs_pt_client_packets" lineno="5577">
<summary>
-Create a set of derived types for various
-nagios plugins,
+Do not audit attempts to send afs_pt_client packets.
</summary>
-<param name="plugins_group_name">
+<param name="domain">
<summary>
-The name to be used for deriving type names.
+Domain to not audit.
</summary>
</param>
-</template>
-<interface name="nagios_dontaudit_rw_pipes" lineno="54">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_pt_client_packets" lineno="5596">
<summary>
-Do not audit attempts to read or write nagios
-unnamed pipes.
+Receive afs_pt_client packets.
</summary>
<param name="domain">
<summary>
-Domain to not audit.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nagios_read_config" lineno="74">
+<interface name="corenet_dontaudit_receive_afs_pt_client_packets" lineno="5615">
<summary>
-Allow the specified domain to read
-nagios configuration files.
+Do not audit attempts to receive afs_pt_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="nagios_read_log" lineno="94">
+<interface name="corenet_sendrecv_afs_pt_client_packets" lineno="5634">
<summary>
-Read nagios logs.
+Send and receive afs_pt_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="nagios_dontaudit_rw_log" lineno="113">
+<interface name="corenet_dontaudit_sendrecv_afs_pt_client_packets" lineno="5650">
<summary>
-Do not audit attempts to read or write nagios logs.
+Do not audit attempts to send and receive afs_pt_client packets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nagios_search_spool" lineno="131">
+<interface name="corenet_relabelto_afs_pt_client_packets" lineno="5665">
<summary>
-Search nagios spool directories.
+Relabel packets to afs_pt_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -11248,165 +13572,185 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nagios_read_tmp_files" lineno="151">
+<interface name="corenet_send_afs_pt_server_packets" lineno="5685">
<summary>
-Allow the specified domain to read
-nagios temporary files.
+Send afs_pt_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nagios_domtrans_nrpe" lineno="171">
+<interface name="corenet_dontaudit_send_afs_pt_server_packets" lineno="5704">
<summary>
-Execute the nagios NRPE with
-a domain transition.
+Do not audit attempts to send afs_pt_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nagios_admin" lineno="196">
+<interface name="corenet_receive_afs_pt_server_packets" lineno="5723">
<summary>
-All of the rules required to administrate
-an nagios environment
+Receive afs_pt_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_afs_pt_server_packets" lineno="5742">
+<summary>
+Do not audit attempts to receive afs_pt_server packets.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the nagios domain.
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="ncftool" filename="policy/modules/contrib/ncftool.if">
-<summary>Netcf network configuration tool (ncftool).</summary>
-<interface name="ncftool_domtrans" lineno="13">
+<interface name="corenet_sendrecv_afs_pt_server_packets" lineno="5761">
<summary>
-Execute a domain transition to run ncftool.
+Send and receive afs_pt_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="ncftool_run" lineno="37">
+<interface name="corenet_dontaudit_sendrecv_afs_pt_server_packets" lineno="5777">
<summary>
-Execute ncftool in the ncftool domain, and
-allow the specified role the ncftool domain.
+Do not audit attempts to send and receive afs_pt_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access
+Domain to not audit.
</summary>
</param>
-<param name="role">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_afs_pt_server_packets" lineno="5792">
+<summary>
+Relabel packets to afs_pt_server the packet type.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed the ncftool domain.
+Domain allowed access.
</summary>
</param>
</interface>
-</module>
-<module name="nessus" filename="policy/modules/contrib/nessus.if">
-<summary>Nessus network scanning daemon</summary>
-<interface name="nessus_tcp_connect" lineno="13">
+<interface name="corenet_tcp_sendrecv_afs_vl_port" lineno="5814">
<summary>
-Connect to nessus over a TCP socket (Deprecated)
+Send and receive TCP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-</module>
-<module name="networkmanager" filename="policy/modules/contrib/networkmanager.if">
-<summary>Manager for dynamically switching between networks.</summary>
-<interface name="networkmanager_rw_udp_sockets" lineno="14">
+<interface name="corenet_udp_send_afs_vl_port" lineno="5833">
<summary>
-Read and write NetworkManager UDP sockets.
+Send UDP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="networkmanager_rw_packet_sockets" lineno="33">
+<interface name="corenet_dontaudit_udp_send_afs_vl_port" lineno="5852">
<summary>
-Read and write NetworkManager packet sockets.
+Do not audit attempts to send UDP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="networkmanager_attach_tun_iface" lineno="51">
+<interface name="corenet_udp_receive_afs_vl_port" lineno="5871">
<summary>
-Allow caller to relabel tun_socket
+Receive UDP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="networkmanager_rw_routing_sockets" lineno="72">
+<interface name="corenet_dontaudit_udp_receive_afs_vl_port" lineno="5890">
<summary>
-Read and write NetworkManager netlink
-routing sockets.
+Do not audit attempts to receive UDP traffic on the afs_vl port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_sendrecv_afs_vl_port" lineno="5909">
+<summary>
+Send and receive UDP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="networkmanager_domtrans" lineno="90">
+<interface name="corenet_dontaudit_udp_sendrecv_afs_vl_port" lineno="5926">
<summary>
-Execute NetworkManager with a domain transition.
+Do not audit attempts to send and receive
+UDP traffic on the afs_vl port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="networkmanager_initrc_domtrans" lineno="109">
+<interface name="corenet_tcp_bind_afs_vl_port" lineno="5942">
<summary>
-Execute NetworkManager scripts with an automatic domain transition to initrc.
+Bind TCP sockets to the afs_vl port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="networkmanager_dbus_chat" lineno="128">
+<interface name="corenet_udp_bind_afs_vl_port" lineno="5962">
<summary>
-Send and receive messages from
-NetworkManager over dbus.
+Bind UDP sockets to the afs_vl port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="networkmanager_signal" lineno="148">
+<interface name="corenet_tcp_connect_afs_vl_port" lineno="5981">
<summary>
-Send a generic signal to NetworkManager
+Make a TCP connection to the afs_vl port.
</summary>
<param name="domain">
<summary>
@@ -11414,156 +13758,151 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="networkmanager_read_lib_files" lineno="166">
+<interface name="corenet_send_afs_vl_client_packets" lineno="6001">
<summary>
-Read NetworkManager lib files.
+Send afs_vl_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="networkmanager_read_pid_files" lineno="186">
+<interface name="corenet_dontaudit_send_afs_vl_client_packets" lineno="6020">
<summary>
-Read NetworkManager PID files.
+Do not audit attempts to send afs_vl_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs_vl_client_packets" lineno="6039">
+<summary>
+Receive afs_vl_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-</module>
-<module name="nis" filename="policy/modules/contrib/nis.if">
-<summary>Policy for NIS (YP) servers and clients</summary>
-<interface name="nis_use_ypbind_uncond" lineno="26">
+<interface name="corenet_dontaudit_receive_afs_vl_client_packets" lineno="6058">
<summary>
-Use the ypbind service to access NIS services
-unconditionally.
+Do not audit attempts to receive afs_vl_client packets.
</summary>
-<desc>
-<p>
-Use the ypbind service to access NIS services
-unconditionally.
-</p>
-<p>
-This interface was added because of apache and
-spamassassin, to fix a nested conditionals problem.
-When that support is added, this should be removed,
-and the regular interface should be used.
-</p>
-</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nis_use_ypbind" lineno="90">
+<interface name="corenet_sendrecv_afs_vl_client_packets" lineno="6077">
<summary>
-Use the ypbind service to access NIS services.
+Send and receive afs_vl_client packets.
</summary>
-<desc>
-<p>
-Allow the specified domain to use the ypbind service
-to access Network Information Service (NIS) services.
-Information that can be retreived from NIS includes
-usernames, passwords, home directories, and groups.
-If the network is configured to have a single sign-on
-using NIS, it is likely that any program that does
-authentication will need this access.
-</p>
-</desc>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
<infoflow type="both" weight="10"/>
-<rolecap/>
</interface>
-<interface name="nis_authenticate" lineno="107">
+<interface name="corenet_dontaudit_sendrecv_afs_vl_client_packets" lineno="6093">
<summary>
-Use the nis to authenticate passwords
+Do not audit attempts to send and receive afs_vl_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="nis_domtrans_ypbind" lineno="125">
+<interface name="corenet_relabelto_afs_vl_client_packets" lineno="6108">
<summary>
-Execute ypbind in the ypbind domain.
+Relabel packets to afs_vl_client the packet type.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nis_run_ypbind" lineno="151">
+<interface name="corenet_send_afs_vl_server_packets" lineno="6128">
<summary>
-Execute ypbind in the ypbind domain, and
-allow the specified role the ypbind domain.
+Send afs_vl_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="write" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_send_afs_vl_server_packets" lineno="6147">
<summary>
-Role allowed access.
+Do not audit attempts to send afs_vl_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="nis_signal_ypbind" lineno="170">
+<interface name="corenet_receive_afs_vl_server_packets" lineno="6166">
<summary>
-Send generic signals to ypbind.
+Receive afs_vl_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nis_list_var_yp" lineno="188">
+<interface name="corenet_dontaudit_receive_afs_vl_server_packets" lineno="6185">
<summary>
-List the contents of the NIS data directory.
+Do not audit attempts to receive afs_vl_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nis_udp_send_ypbind" lineno="207">
+<interface name="corenet_sendrecv_afs_vl_server_packets" lineno="6204">
<summary>
-Send UDP network traffic to NIS clients. (Deprecated)
+Send and receive afs_vl_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="nis_tcp_connect_ypbind" lineno="221">
+<interface name="corenet_dontaudit_sendrecv_afs_vl_server_packets" lineno="6220">
<summary>
-Connect to ypbind over TCP. (Deprecated)
+Do not audit attempts to send and receive afs_vl_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nis_read_ypbind_pid" lineno="235">
+<interface name="corenet_relabelto_afs_vl_server_packets" lineno="6235">
<summary>
-Read ypbind pid files.
+Relabel packets to afs_vl_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -11571,99 +13910,109 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nis_delete_ypbind_pid" lineno="254">
+<interface name="corenet_tcp_sendrecv_afs3_callback_port" lineno="6257">
<summary>
-Delete ypbind pid files.
+Send and receive TCP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="nis_read_ypserv_config" lineno="273">
+<interface name="corenet_udp_send_afs3_callback_port" lineno="6276">
<summary>
-Read ypserv configuration files.
+Send UDP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nis_domtrans_ypxfr" lineno="292">
+<interface name="corenet_dontaudit_udp_send_afs3_callback_port" lineno="6295">
<summary>
-Execute ypxfr in the ypxfr domain.
+Do not audit attempts to send UDP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nis_initrc_domtrans" lineno="312">
+<interface name="corenet_udp_receive_afs3_callback_port" lineno="6314">
<summary>
-Execute nis server in the nis domain.
+Receive UDP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nis_initrc_domtrans_ypbind" lineno="330">
+<interface name="corenet_dontaudit_udp_receive_afs3_callback_port" lineno="6333">
<summary>
-Execute nis server in the nis domain.
+Do not audit attempts to receive UDP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nis_admin" lineno="355">
+<interface name="corenet_udp_sendrecv_afs3_callback_port" lineno="6352">
<summary>
-All of the rules required to administrate
-an nis environment
+Send and receive UDP traffic on the afs3_callback port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_afs3_callback_port" lineno="6369">
<summary>
-Role allowed access.
+Do not audit attempts to send and receive
+UDP traffic on the afs3_callback port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="nscd" filename="policy/modules/contrib/nscd.if">
-<summary>Name service cache daemon</summary>
-<interface name="nscd_signal" lineno="13">
+<interface name="corenet_tcp_bind_afs3_callback_port" lineno="6385">
<summary>
-Send generic signals to NSCD.
+Bind TCP sockets to the afs3_callback port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nscd_kill" lineno="31">
+<interface name="corenet_udp_bind_afs3_callback_port" lineno="6405">
<summary>
-Send NSCD the kill signal.
+Bind UDP sockets to the afs3_callback port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nscd_signull" lineno="49">
+<interface name="corenet_tcp_connect_afs3_callback_port" lineno="6424">
<summary>
-Send signulls to NSCD.
+Make a TCP connection to the afs3_callback port.
</summary>
<param name="domain">
<summary>
@@ -11671,62 +14020,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nscd_domtrans" lineno="67">
+<interface name="corenet_send_afs3_callback_client_packets" lineno="6444">
<summary>
-Execute NSCD in the nscd domain.
+Send afs3_callback_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nscd_exec" lineno="87">
+<interface name="corenet_dontaudit_send_afs3_callback_client_packets" lineno="6463">
<summary>
-Allow the specified domain to execute nscd
-in the caller domain.
+Do not audit attempts to send afs3_callback_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs3_callback_client_packets" lineno="6482">
+<summary>
+Receive afs3_callback_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nscd_socket_use" lineno="106">
+<interface name="corenet_dontaudit_receive_afs3_callback_client_packets" lineno="6501">
<summary>
-Use NSCD services by connecting using
-a unix stream socket.
+Do not audit attempts to receive afs3_callback_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nscd_shm_use" lineno="133">
+<interface name="corenet_sendrecv_afs3_callback_client_packets" lineno="6520">
<summary>
-Use NSCD services by mapping the database from
-an inherited NSCD file descriptor.
+Send and receive afs3_callback_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="nscd_dontaudit_search_pid" lineno="166">
+<interface name="corenet_dontaudit_sendrecv_afs3_callback_client_packets" lineno="6536">
<summary>
-Do not audit attempts to search the NSCD pid directory.
+Do not audit attempts to send and receive afs3_callback_client packets.
</summary>
<param name="domain">
<summary>
Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nscd_read_pid" lineno="184">
+<interface name="corenet_relabelto_afs3_callback_client_packets" lineno="6551">
<summary>
-Read NSCD pid file.
+Relabel packets to afs3_callback_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -11734,65 +14096,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nscd_unconfined" lineno="203">
+<interface name="corenet_send_afs3_callback_server_packets" lineno="6571">
<summary>
-Unconfined access to NSCD services.
+Send afs3_callback_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nscd_run" lineno="228">
+<interface name="corenet_dontaudit_send_afs3_callback_server_packets" lineno="6590">
<summary>
-Execute nscd in the nscd domain, and
-allow the specified role the nscd domain.
+Do not audit attempts to send afs3_callback_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_afs3_callback_server_packets" lineno="6609">
<summary>
-Role allowed access.
+Receive afs3_callback_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nscd_initrc_domtrans" lineno="247">
+<interface name="corenet_dontaudit_receive_afs3_callback_server_packets" lineno="6628">
<summary>
-Execute the nscd server init script.
+Do not audit attempts to receive afs3_callback_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nscd_admin" lineno="272">
+<interface name="corenet_sendrecv_afs3_callback_server_packets" lineno="6647">
<summary>
-All of the rules required to administrate
-an nscd environment
+Send and receive afs3_callback_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_afs3_callback_server_packets" lineno="6663">
<summary>
-The role to be allowed to manage the nscd domain.
+Do not audit attempts to send and receive afs3_callback_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="nsd" filename="policy/modules/contrib/nsd.if">
-<summary>Authoritative only name server</summary>
-<interface name="nsd_udp_chat" lineno="13">
+<interface name="corenet_relabelto_afs3_callback_server_packets" lineno="6678">
<summary>
-Send and receive datagrams from NSD. (Deprecated)
+Relabel packets to afs3_callback_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -11800,348 +14172,371 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nsd_tcp_connect" lineno="27">
+<interface name="corenet_tcp_sendrecv_agentx_port" lineno="6700">
<summary>
-Connect to NSD over a TCP socket (Deprecated)
+Send and receive TCP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-</module>
-<module name="nslcd" filename="policy/modules/contrib/nslcd.if">
-<summary>nslcd - local LDAP name service daemon.</summary>
-<interface name="nslcd_domtrans" lineno="13">
+<interface name="corenet_udp_send_agentx_port" lineno="6719">
<summary>
-Execute a domain transition to run nslcd.
+Send UDP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nslcd_initrc_domtrans" lineno="31">
+<interface name="corenet_dontaudit_udp_send_agentx_port" lineno="6738">
<summary>
-Execute nslcd server in the nslcd domain.
+Do not audit attempts to send UDP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nslcd_read_pid_files" lineno="49">
+<interface name="corenet_udp_receive_agentx_port" lineno="6757">
<summary>
-Read nslcd PID files.
+Receive UDP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="nslcd_stream_connect" lineno="68">
+<interface name="corenet_dontaudit_udp_receive_agentx_port" lineno="6776">
<summary>
-Connect to nslcd over an unix stream socket.
+Do not audit attempts to receive UDP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nslcd_admin" lineno="94">
+<interface name="corenet_udp_sendrecv_agentx_port" lineno="6795">
<summary>
-All of the rules required to administrate
-an nslcd environment
+Send and receive UDP traffic on the agentx port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_agentx_port" lineno="6812">
<summary>
-Role allowed access.
+Do not audit attempts to send and receive
+UDP traffic on the agentx port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="ntop" filename="policy/modules/contrib/ntop.if">
-<summary>Network Top</summary>
-</module>
-<module name="ntp" filename="policy/modules/contrib/ntp.if">
-<summary>Network time protocol daemon</summary>
-<interface name="ntp_stub" lineno="13">
+<interface name="corenet_tcp_bind_agentx_port" lineno="6828">
<summary>
-NTP stub interface. No access allowed.
+Bind TCP sockets to the agentx port.
</summary>
-<param name="domain" unused="true">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="ntp_domtrans" lineno="29">
+<interface name="corenet_udp_bind_agentx_port" lineno="6848">
<summary>
-Execute ntp server in the ntpd domain.
+Bind UDP sockets to the agentx port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="ntp_run" lineno="55">
+<interface name="corenet_tcp_connect_agentx_port" lineno="6867">
<summary>
-Execute ntp in the ntp domain, and
-allow the specified role the ntp domain.
+Make a TCP connection to the agentx port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+</interface>
+<interface name="corenet_send_agentx_client_packets" lineno="6887">
<summary>
-Role allowed access.
+Send agentx_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="ntp_domtrans_ntpdate" lineno="74">
+<interface name="corenet_dontaudit_send_agentx_client_packets" lineno="6906">
<summary>
-Execute ntp server in the ntpd domain.
+Do not audit attempts to send agentx_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="ntp_initrc_domtrans" lineno="93">
+<interface name="corenet_receive_agentx_client_packets" lineno="6925">
<summary>
-Execute ntp server in the ntpd domain.
+Receive agentx_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="ntp_rw_shm" lineno="111">
+<interface name="corenet_dontaudit_receive_agentx_client_packets" lineno="6944">
<summary>
-Read and write ntpd shared memory.
+Do not audit attempts to receive agentx_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="ntp_admin" lineno="140">
+<interface name="corenet_sendrecv_agentx_client_packets" lineno="6963">
<summary>
-All of the rules required to administrate
-an ntp environment
+Send and receive agentx_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_agentx_client_packets" lineno="6979">
+<summary>
+Do not audit attempts to send and receive agentx_client packets.
+</summary>
+<param name="domain">
<summary>
-The role to be allowed to manage the ntp domain.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="nut" filename="policy/modules/contrib/nut.if">
-<summary>nut - Network UPS Tools </summary>
-</module>
-<module name="nx" filename="policy/modules/contrib/nx.if">
-<summary>NX remote desktop</summary>
-<interface name="nx_spec_domtrans_server" lineno="13">
+<interface name="corenet_relabelto_agentx_client_packets" lineno="6994">
<summary>
-Transition to NX server.
+Relabel packets to agentx_client the packet type.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
</interface>
-<interface name="nx_read_home_files" lineno="31">
+<interface name="corenet_send_agentx_server_packets" lineno="7014">
<summary>
-Read nx home directory content
+Send agentx_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="nx_search_var_lib" lineno="50">
+<interface name="corenet_dontaudit_send_agentx_server_packets" lineno="7033">
<summary>
-Read nx /var/lib content
+Do not audit attempts to send agentx_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="nx_var_lib_filetrans" lineno="79">
+<interface name="corenet_receive_agentx_server_packets" lineno="7052">
<summary>
-Create an object in the root directory, with a private
-type using a type transition.
+Receive agentx_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="private type">
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_agentx_server_packets" lineno="7071">
<summary>
-The type of the object to be created.
+Do not audit attempts to receive agentx_server packets.
</summary>
-</param>
-<param name="object">
+<param name="domain">
<summary>
-The object class of the object being created.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="oav" filename="policy/modules/contrib/oav.if">
-<summary>Open AntiVirus scannerdaemon and signature update</summary>
-<interface name="oav_domtrans_update" lineno="13">
+<interface name="corenet_sendrecv_agentx_server_packets" lineno="7090">
<summary>
-Execute oav_update in the oav_update domain.
+Send and receive agentx_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="oav_run_update" lineno="39">
+<interface name="corenet_dontaudit_sendrecv_agentx_server_packets" lineno="7106">
<summary>
-Execute oav_update in the oav_update domain, and
-allow the specified role the oav_update domain.
+Do not audit attempts to send and receive agentx_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_agentx_server_packets" lineno="7121">
<summary>
-Role allowed access.
+Relabel packets to agentx_server the packet type.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
</interface>
-</module>
-<module name="oddjob" filename="policy/modules/contrib/oddjob.if">
+<interface name="corenet_tcp_sendrecv_amanda_port" lineno="7143">
+<summary>
+Send and receive TCP traffic on the amanda port.
+</summary>
+<param name="domain">
<summary>
-Oddjob provides a mechanism by which unprivileged applications can
-request that specified privileged operations be performed on their
-behalf.
+Domain allowed access.
</summary>
-<interface name="oddjob_domtrans" lineno="17">
+</param>
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_udp_send_amanda_port" lineno="7162">
<summary>
-Execute a domain transition to run oddjob.
+Send UDP traffic on the amanda port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="oddjob_system_entry" lineno="41">
+<interface name="corenet_dontaudit_udp_send_amanda_port" lineno="7181">
<summary>
-Make the specified program domain accessable
-from the oddjob.
+Do not audit attempts to send UDP traffic on the amanda port.
</summary>
<param name="domain">
<summary>
-The type of the process to transition to.
+Domain to not audit.
</summary>
</param>
-<param name="entrypoint">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_udp_receive_amanda_port" lineno="7200">
<summary>
-The type of the file used as an entrypoint to this domain.
+Receive UDP traffic on the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="oddjob_dbus_chat" lineno="60">
+<interface name="corenet_dontaudit_udp_receive_amanda_port" lineno="7219">
<summary>
-Send and receive messages from
-oddjob over dbus.
+Do not audit attempts to receive UDP traffic on the amanda port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="oddjob_domtrans_mkhomedir" lineno="80">
+<interface name="corenet_udp_sendrecv_amanda_port" lineno="7238">
<summary>
-Execute a domain transition to run oddjob_mkhomedir.
+Send and receive UDP traffic on the amanda port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="oddjob_run_mkhomedir" lineno="104">
+<interface name="corenet_dontaudit_udp_sendrecv_amanda_port" lineno="7255">
<summary>
-Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
+Do not audit attempts to send and receive
+UDP traffic on the amanda port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
-<param name="role">
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_tcp_bind_amanda_port" lineno="7271">
<summary>
-Role allowed access.
+Bind TCP sockets to the amanda port.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="oident" filename="policy/modules/contrib/oident.if">
-<summary>SELinux policy for Oident daemon.</summary>
-<desc>
-<p>
-Oident daemon is a server that implements the TCP/IP
-standard IDENT user identification protocol as
-specified in the RFC 1413 document.
-</p>
-</desc>
-<interface name="oident_read_user_content" lineno="21">
+<interface name="corenet_udp_bind_amanda_port" lineno="7291">
<summary>
-Allow the specified domain to read
-Oidentd personal configuration files.
+Bind UDP sockets to the amanda port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="oident_manage_user_content" lineno="41">
+<interface name="corenet_tcp_connect_amanda_port" lineno="7310">
<summary>
-Allow the specified domain to create, read, write, and delete
-Oidentd personal configuration files.
+Make a TCP connection to the amanda port.
</summary>
<param name="domain">
<summary>
@@ -12149,77 +14544,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="oident_relabel_user_content" lineno="61">
+<interface name="corenet_send_amanda_client_packets" lineno="7330">
<summary>
-Allow the specified domain to relabel
-Oidentd personal configuration files.
+Send amanda_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-</module>
-<module name="openca" filename="policy/modules/contrib/openca.if">
-<summary>OpenCA - Open Certificate Authority</summary>
-<interface name="openca_domtrans" lineno="14">
+<interface name="corenet_dontaudit_send_amanda_client_packets" lineno="7349">
<summary>
-Execute the OpenCA program with
-a domain transition.
+Do not audit attempts to send amanda_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="openca_signal" lineno="34">
+<interface name="corenet_receive_amanda_client_packets" lineno="7368">
<summary>
-Send OpenCA generic signals.
+Receive amanda_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="openca_sigstop" lineno="52">
+<interface name="corenet_dontaudit_receive_amanda_client_packets" lineno="7387">
<summary>
-Send OpenCA stop signals.
+Do not audit attempts to receive amanda_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="openca_kill" lineno="70">
+<interface name="corenet_sendrecv_amanda_client_packets" lineno="7406">
<summary>
-Kill OpenCA.
+Send and receive amanda_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-</module>
-<module name="openct" filename="policy/modules/contrib/openct.if">
-<summary>Service for handling smart card readers.</summary>
-<interface name="openct_signull" lineno="13">
+<interface name="corenet_dontaudit_sendrecv_amanda_client_packets" lineno="7422">
<summary>
-Send openct a null signal.
+Do not audit attempts to send and receive amanda_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="openct_exec" lineno="31">
+<interface name="corenet_relabelto_amanda_client_packets" lineno="7437">
<summary>
-Execute openct in the caller domain.
+Relabel packets to amanda_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -12227,69 +14620,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="openct_domtrans" lineno="50">
+<interface name="corenet_send_amanda_server_packets" lineno="7457">
<summary>
-Execute a domain transition to run openct.
+Send amanda_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="openct_read_pid_files" lineno="69">
+<interface name="corenet_dontaudit_send_amanda_server_packets" lineno="7476">
<summary>
-Read openct PID files.
+Do not audit attempts to send amanda_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="openct_stream_connect" lineno="88">
+<interface name="corenet_receive_amanda_server_packets" lineno="7495">
<summary>
-Connect to openct over an unix stream socket.
+Receive amanda_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-</module>
-<module name="openvpn" filename="policy/modules/contrib/openvpn.if">
-<summary>full-featured SSL VPN solution</summary>
-<interface name="openvpn_domtrans" lineno="13">
+<interface name="corenet_dontaudit_receive_amanda_server_packets" lineno="7514">
<summary>
-Execute OPENVPN clients in the openvpn domain.
+Do not audit attempts to receive amanda_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="openvpn_run" lineno="38">
+<interface name="corenet_sendrecv_amanda_server_packets" lineno="7533">
<summary>
-Execute OPENVPN clients in the openvpn domain, and
-allow the specified role the openvpn domain.
+Send and receive amanda_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amanda_server_packets" lineno="7549">
<summary>
-Role allowed access.
+Do not audit attempts to send and receive amanda_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="openvpn_kill" lineno="57">
+<interface name="corenet_relabelto_amanda_server_packets" lineno="7564">
<summary>
-Send OPENVPN clients the kill signal.
+Relabel packets to amanda_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -12297,176 +14696,185 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="openvpn_signal" lineno="75">
+<interface name="corenet_tcp_sendrecv_amavisd_recv_port" lineno="7586">
<summary>
-Send generic signals to OPENVPN clients.
+Send and receive TCP traffic on the amavisd_recv port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="openvpn_signull" lineno="93">
+<interface name="corenet_udp_send_amavisd_recv_port" lineno="7605">
<summary>
-Send signulls to OPENVPN clients.
+Send UDP traffic on the amavisd_recv port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="openvpn_read_config" lineno="113">
+<interface name="corenet_dontaudit_udp_send_amavisd_recv_port" lineno="7624">
<summary>
-Allow the specified domain to read
-OpenVPN configuration files.
+Do not audit attempts to send UDP traffic on the amavisd_recv port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="openvpn_admin" lineno="141">
+<interface name="corenet_udp_receive_amavisd_recv_port" lineno="7643">
<summary>
-All of the rules required to administrate
-an openvpn environment
+Receive UDP traffic on the amavisd_recv port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_receive_amavisd_recv_port" lineno="7662">
<summary>
-The role to be allowed to manage the openvpn domain.
+Do not audit attempts to receive UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<tunable name="openvpn_enable_homedirs" dftval="false">
-<desc>
-<p>
-Allow openvpn to read home directories
-</p>
-</desc>
-</tunable>
-</module>
-<module name="pads" filename="policy/modules/contrib/pads.if">
-<summary>Passive Asset Detection System</summary>
-<desc>
-<p>
-PADS is a libpcap based detection engine used to
-passively detect network assets. It is designed to
-complement IDS technology by providing context to IDS
-alerts.
-</p>
-</desc>
-<interface name="pads_admin" lineno="28">
+<interface name="corenet_udp_sendrecv_amavisd_recv_port" lineno="7681">
<summary>
-All of the rules required to administrate
-an pads environment
+Send and receive UDP traffic on the amavisd_recv port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amavisd_recv_port" lineno="7698">
<summary>
-Role allowed access.
+Do not audit attempts to send and receive
+UDP traffic on the amavisd_recv port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="passenger" filename="policy/modules/contrib/passenger.if">
-<summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
-<interface name="passenger_domtrans" lineno="13">
+<interface name="corenet_tcp_bind_amavisd_recv_port" lineno="7714">
<summary>
-Execute passenger in the passenger domain.
+Bind TCP sockets to the amavisd_recv port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="passenger_read_lib_files" lineno="31">
+<interface name="corenet_udp_bind_amavisd_recv_port" lineno="7734">
<summary>
-Read passenger lib files
+Bind UDP sockets to the amavisd_recv port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="pcmcia" filename="policy/modules/contrib/pcmcia.if">
-<summary>PCMCIA card management services</summary>
-<interface name="pcmcia_stub" lineno="13">
+<interface name="corenet_tcp_connect_amavisd_recv_port" lineno="7753">
<summary>
-PCMCIA stub interface. No access allowed.
+Make a TCP connection to the amavisd_recv port.
</summary>
-<param name="domain" unused="true">
+<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
</interface>
-<interface name="pcmcia_domtrans_cardmgr" lineno="29">
+<interface name="corenet_send_amavisd_recv_client_packets" lineno="7773">
<summary>
-Execute cardmgr in the cardmgr domain.
+Send amavisd_recv_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="pcmcia_use_cardmgr_fds" lineno="47">
+<interface name="corenet_dontaudit_send_amavisd_recv_client_packets" lineno="7792">
<summary>
-Inherit and use file descriptors from cardmgr.
+Do not audit attempts to send amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_receive_amavisd_recv_client_packets" lineno="7811">
+<summary>
+Receive amavisd_recv_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="pcmcia_domtrans_cardctl" lineno="65">
+<interface name="corenet_dontaudit_receive_amavisd_recv_client_packets" lineno="7830">
<summary>
-Execute cardctl in the cardmgr domain.
+Do not audit attempts to receive amavisd_recv_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="pcmcia_run_cardctl" lineno="90">
+<interface name="corenet_sendrecv_amavisd_recv_client_packets" lineno="7849">
<summary>
-Execute cardmgr in the cardctl domain, and
-allow the specified role the cardmgr domain.
+Send and receive amavisd_recv_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_sendrecv_amavisd_recv_client_packets" lineno="7865">
<summary>
-Role allowed access.
+Do not audit attempts to send and receive amavisd_recv_client packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-<interface name="pcmcia_read_pid" lineno="109">
+<interface name="corenet_relabelto_amavisd_recv_client_packets" lineno="7880">
<summary>
-Read cardmgr pid files.
+Relabel packets to amavisd_recv_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -12474,64 +14882,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="pcmcia_manage_pid" lineno="129">
+<interface name="corenet_send_amavisd_recv_server_packets" lineno="7900">
<summary>
-Create, read, write, and delete
-cardmgr pid files.
+Send amavisd_recv_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="pcmcia_manage_pid_chr_files" lineno="149">
+<interface name="corenet_dontaudit_send_amavisd_recv_server_packets" lineno="7919">
<summary>
-Create, read, write, and delete
-cardmgr runtime character nodes.
+Do not audit attempts to send amavisd_recv_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="pcscd" filename="policy/modules/contrib/pcscd.if">
-<summary>PCSC smart card service</summary>
-<interface name="pcscd_domtrans" lineno="13">
+<interface name="corenet_receive_amavisd_recv_server_packets" lineno="7938">
<summary>
-Execute a domain transition to run pcscd.
+Receive amavisd_recv_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="pcscd_read_pub_files" lineno="31">
+<interface name="corenet_dontaudit_receive_amavisd_recv_server_packets" lineno="7957">
<summary>
-Read pcscd pub files.
+Do not audit attempts to receive amavisd_recv_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="pcscd_manage_pub_files" lineno="50">
+<interface name="corenet_sendrecv_amavisd_recv_server_packets" lineno="7976">
<summary>
-Manage pcscd pub files.
+Send and receive amavisd_recv_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="pcscd_manage_pub_pipes" lineno="69">
+<interface name="corenet_dontaudit_sendrecv_amavisd_recv_server_packets" lineno="7992">
<summary>
-Manage pcscd pub fifo files.
+Do not audit attempts to send and receive amavisd_recv_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
+</summary>
+</param>
+<infoflow type="none"/>
+</interface>
+<interface name="corenet_relabelto_amavisd_recv_server_packets" lineno="8007">
+<summary>
+Relabel packets to amavisd_recv_server the packet type.
</summary>
<param name="domain">
<summary>
@@ -12539,109 +14958,109 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="pcscd_stream_connect" lineno="88">
+<interface name="corenet_tcp_sendrecv_amavisd_send_port" lineno="8029">
<summary>
-Connect to pcscd over an unix stream socket.
+Send and receive TCP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-</module>
-<module name="pegasus" filename="policy/modules/contrib/pegasus.if">
-<summary>The Open Group Pegasus CIM/WBEM Server.</summary>
-</module>
-<module name="perdition" filename="policy/modules/contrib/perdition.if">
-<summary>Perdition POP and IMAP proxy</summary>
-<interface name="perdition_tcp_connect" lineno="13">
+<interface name="corenet_udp_send_amavisd_send_port" lineno="8048">
<summary>
-Connect to perdition over a TCP socket (Deprecated)
+Send UDP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-</module>
-<module name="pingd" filename="policy/modules/contrib/pingd.if">
-<summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
-<interface name="pingd_domtrans" lineno="13">
+<interface name="corenet_dontaudit_udp_send_amavisd_send_port" lineno="8067">
<summary>
-Execute a domain transition to run pingd.
+Do not audit attempts to send UDP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="pingd_read_config" lineno="31">
+<interface name="corenet_udp_receive_amavisd_send_port" lineno="8086">
<summary>
-Read pingd etc configuration files.
+Receive UDP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="pingd_manage_config" lineno="50">
+<interface name="corenet_dontaudit_udp_receive_amavisd_send_port" lineno="8105">
<summary>
-Manage pingd etc configuration files.
+Do not audit attempts to receive UDP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="pingd_admin" lineno="78">
+<interface name="corenet_udp_sendrecv_amavisd_send_port" lineno="8124">
<summary>
-All of the rules required to administrate
-an pingd environment
+Send and receive UDP traffic on the amavisd_send port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="both" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_udp_sendrecv_amavisd_send_port" lineno="8141">
<summary>
-The role to be allowed to manage the pingd domain.
+Do not audit attempts to send and receive
+UDP traffic on the amavisd_send port.
+</summary>
+<param name="domain">
+<summary>
+Domain to not audit.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="plymouthd" filename="policy/modules/contrib/plymouthd.if">
-<summary>Plymouth graphical boot</summary>
-<interface name="plymouthd_domtrans" lineno="13">
+<interface name="corenet_tcp_bind_amavisd_send_port" lineno="8157">
<summary>
-Execute a domain transition to run plymouthd.
+Bind TCP sockets to the amavisd_send port.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_exec" lineno="31">
+<interface name="corenet_udp_bind_amavisd_send_port" lineno="8177">
<summary>
-Execute the plymoth daemon in the current domain
+Bind UDP sockets to the amavisd_send port.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_stream_connect" lineno="50">
+<interface name="corenet_tcp_connect_amavisd_send_port" lineno="8196">
<summary>
-Allow domain to Stream socket connect
-to Plymouth daemon.
+Make a TCP connection to the amavisd_send port.
</summary>
<param name="domain">
<summary>
@@ -12649,70 +15068,75 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="plymouthd_exec_plymouth" lineno="68">
+<interface name="corenet_send_amavisd_send_client_packets" lineno="8216">
<summary>
-Execute the plymoth command in the current domain
+Send amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="plymouthd_domtrans_plymouth" lineno="86">
+<interface name="corenet_dontaudit_send_amavisd_send_client_packets" lineno="8235">
<summary>
-Execute a domain transition to run plymouthd.
+Do not audit attempts to send amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed to transition.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_search_spool" lineno="104">
+<interface name="corenet_receive_amavisd_send_client_packets" lineno="8254">
<summary>
-Search plymouthd spool directories.
+Receive amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="read" weight="10"/>
</interface>
-<interface name="plymouthd_read_spool_files" lineno="123">
+<interface name="corenet_dontaudit_receive_amavisd_send_client_packets" lineno="8273">
<summary>
-Read plymouthd spool files.
+Do not audit attempts to receive amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_manage_spool_files" lineno="143">
+<interface name="corenet_sendrecv_amavisd_send_client_packets" lineno="8292">
<summary>
-Create, read, write, and delete
-plymouthd spool files.
+Send and receive amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="both" weight="10"/>
</interface>
-<interface name="plymouthd_search_lib" lineno="162">
+<interface name="corenet_dontaudit_sendrecv_amavisd_send_client_packets" lineno="8308">
<summary>
-Search plymouthd lib directories.
+Do not audit attempts to send and receive amavisd_send_client packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_read_lib_files" lineno="181">
+<interface name="corenet_relabelto_amavisd_send_client_packets" lineno="8323">
<summary>
-Read plymouthd lib files.
+Relabel packets to amavisd_send_client the packet type.
</summary>
<param name="domain">
<summary>
@@ -12720,565 +15144,599 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="plymouthd_manage_lib_files" lineno="201">
+<interface name="corenet_send_amavisd_send_server_packets" lineno="8343">
<summary>
-Create, read, write, and delete
-plymouthd lib files.
+Send amavisd_send_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
+<infoflow type="write" weight="10"/>
</interface>
-<interface name="plymouthd_read_pid_files" lineno="220">
+<interface name="corenet_dontaudit_send_amavisd_send_server_packets" lineno="8362">
<summary>
-Read plymouthd PID files.
+Do not audit attempts to send amavisd_send_server packets.
</summary>
<param name="domain">
<summary>
-Domain allowed access.
+Domain to not audit.
</summary>
</param>
+<infoflow type="none"/>
</interface>
-<interface name="plymouthd_admin" lineno="246">
+<interface name="corenet_receive_amavisd_send_server_packets" lineno="8381">
<summary>
-All of the rules required to administrate
-an plymouthd environment
+Receive amavisd_send_server packets.
</summary>
<param name="domain">
<summary>
Domain allowed access.
</summary>
</param>
-<param name="role">
+<infoflow type="read" weight="10"/>
+</interface>
+<interface name="corenet_dontaudit_receive_amavisd_send_server_packets" lineno="8400">
<summary>
-Role allowed access.
+Do not audit attempts to receive amavisd_send_server packets.
+</summary>
+<param name="domain">
+<summary>
+Domain allowed access.
</summary>
</param>
-<rolecap/>
+<infoflow type="none"/>
</interface>
-</module>
-<module name="podsleuth" filename="policy/modules/contrib/podsleuth.if">
-<summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary>
-<interface name="podsleuth_domtrans" lineno="13">
+<interface name="corenet_sendrecv_amavisd_send_server_packets" lineno="8419">
<summary>
-Execute a domain transition to run p