Allow ABRT to modify public files used for public file transfer services.
Allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts
Allow amavis to use JIT compiler
Allow antivirus programs to read non security files on a system
Determine whether can antivirus programs use JIT compiler.
Execute CGI in the specified domain.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
Allow Apache to use mod_auth_pam
Allow httpd scripts and modules execmem/execstack
Allow httpd processes to manage IPA content
Allow httpd to use built in scripting (usually php)
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow HTTPD scripts and modules to connect to cobbler over the network.
Allow HTTPD scripts and modules to server cobbler files.
Allow HTTPD scripts and modules to connect to databases over the network.
Allow httpd to connect to memcache server
Allow httpd to act as a relay
Allow http daemon to send mail
Allow http daemon to check spam
Allow Apache to communicate with avahi service via dbus
Allow Apache to communicate with sssd service via dbus
Allow httpd cgi support
Allow httpd to act as a FTP server by listening on the ftp port.
Allow httpd to read home directories
Allow httpd to read user content
Allow httpd daemon to change system limits
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
Allow Apache to execute tmp content.
Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
Unify HTTPD handling of all content files.
Allow httpd to access openstack ports
Allow httpd to access cifs file systems
Allow httpd to access FUSE file systems
Allow httpd to run gpg in gpg-web domain
Allow httpd to access nfs file systems
Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
Allow Apache to run in stickshift mode, not transition to passenger
Allow Apache to run preupgrade
Allow Apache to query NS records
Allow Apache to use mod_auth_ntlm_winbind
Allow bacula to manage nfs files
Allow bacula to manage cifs files
Allow BIND to bind apache port.
Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Allow clamscan to non security files on a system
Allow clamd to use JIT compiler
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between lots of various commands and applications when rolling out new systems, and, in some cases, changing existing ones.
Allow Cobbler to modify public files used for public file transfer services.
Allow Cobbler to connect to the network using TCP.
Allow Cobbler to access cifs file systems.
Allow Cobbler to access nfs file systems.
Determine whether collectd can connect to the network using TCP.
Allow codnor domain to connect to the network using TCP.
Allow system cron jobs to relabel filesystem for restoring file contexts.
Enable extra rules in the cron domain to support fcron.
Allow cvs daemon to read shadow
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
Allow exim to connect to databases (postgres, mysql)
Allow exim to read unprivileged user files.
Allow exim to create, read, write, and delete unprivileged user files.
Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
Allow ftp servers to use cifs used for public file transfer services.
Allow ftpd to use ntfs/fusefs volumes.
Allow ftp servers to use nfs used for public file transfer services.
Allow ftp servers to use connect to mysql database
Allow ftp to read and write files in the user home directories
Determine whether ftpd can bind to all unreserved ports for passive mode.
Determine whether Git CGI can search home directories.
Determine whether Git CGI can access cifs file systems.
Determine whether Git CGI can access nfs file systems.
Determine whether Git session daemon can bind TCP sockets to all unreserved ports.
Determine whether calling user domains can execute Git daemon in the git_session_t domain.
Determine whether Git system daemon can search home directories.
Determine whether Git system daemon can access cifs file systems.
Determine whether Git system daemon can access nfs file systems.
Allow glusterfsd to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow glusterfsd to share any file/directory read only.
Allow glusterfsd to share any file/directory read/write.
Determine whether icecast can listen on and connect to any TCP port.
Define the specified domain as a inetd service. The inetd_service_domain(), inetd_tcp_service_domain(), or inetd_udp_service_domain() interfaces should be used instead of this interface, as this interface only provides the common rules to these three interfaces.
This policy supports:
Servers:
Clients:
Allow confined applications to run with kerberos.
Likewise Open is a free, open source application that joins Linux, Unix, and Mac machines to Microsoft Active Directory to securely authenticate users with their domain credentials.
This template creates a domain to be used for a new likewise daemon.
Use lpd server instead of cups
Determine whether lsmd_plugin can connect to all TCP ports.
This template creates a domain to be used for a new mailman daemon.
This template creates a derived domain which is a email transfer agent, which sends mail on behalf of the user.
This is the basic types and rules, common to the system agent and user agents.
A modified MTA mail server interface for the sendmail program. It's design does not fit well with policy, and using the regular interface causes a type_transition conflict if direct running of init scripts is enabled.
This interface should most likely only be used by the sendmail policy.
Execute send mail in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow mysqld to connect to all ports
Allow nagios/nrpe to call sudo from NRPE utils scripts.
Use the ypbind service to access NIS services unconditionally.
This interface was added because of apache and spamassassin, to fix a nested conditionals problem. When that support is added, this should be removed, and the regular interface should be used.
Allow the specified domain to use the ypbind service to access Network Information Service (NIS) services. Information that can be retreived from NIS includes usernames, passwords, home directories, and groups. If the network is configured to have a single sign-on using NIS, it is likely that any program that does authentication will need this access.
Allow confined applications to use nscd shared memory.
Oident daemon is a server that implements the TCP/IP standard IDENT user identification protocol as specified in the RFC 1413 document.
Allow openshift to access nfs file systems without labels
Allow openvpn to read home directories
Allow openvpn to run unconfined scripts
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
Allow pcp to bind to all unreserved_ports
Allow piranha-lvs domain to connect to the network using TCP.
Allow postfix_local domain full write access to mail_spool directories
Allow postgresql to use ssh and rsync for point-in-time recovery
Allow unprivileged users to execute DDL statement
Allow database admins to execute DML statement
Allow pppd to load kernel modules for certain modems
Allow pppd to be run for a regular user
Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
Puppet is a configuration management system written in Ruby. The client daemon is responsible for periodically requesting the desired system state from the server and ensuring the state of the client system matches.
Allow Puppet client to manage all file types.
Allow Puppet master to use connect to mysql and postgresql database
A distributed, collaborative, spam detection and filtering network.
This policy will work with either the ATrpms provided config file in /etc/razor, or with the default of dumping everything into $HOME/.razor.
Allow rgmanager domain to connect to the network using TCP.
Allow fenced domain to connect to the network using TCP.
Allow fenced domain to execute ssh.
Allow cluster administrative domains to connect to the network using TCP.
Allow cluster administrative domains to manage all files on a system.
Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
This template creates a domain to be used for a new rpc daemon.
Allow gssd to read temp directory. For access to kerberos tgt.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow rsync to run as a client
Allow rsync to run as a server
Allow rsync to export any files/directories read only.
Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow rsync servers to share cifs files systems
Allow rsync servers to share nfs files systems
Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow samba to create new home directories (e.g. via PAM)
Allow samba to act as the domain controller, add users, groups and change passwords.
Allow samba to act as a portmapper
Allow samba to share users home directories.
Allow samba to share any file/directory read only.
Allow samba to share any file/directory read/write.
Allow samba to run unconfined scripts
Allow samba to export NFS volumes.
Allow samba to export ntfs/fusefs volumes.
Allow smbd to load libgfapi from gluster.
Allow sanlock to manage nfs files
Allow sanlock to manage cifs files
Allow sanlock to read/write fuse files
Allow sasl to read shadow
Allow sge to access nfs file systems.
Allow sge to connect to the network using any TCP port
Enable additional permissions needed to support devices on 3ware controllers.
Allow user spamassassin clients to use the network.
Allow spamd to read/write user home directories.
Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
Allow squid to run as a transparent proxy (TPROXY)
This template creates a derived domains which are used for ssh client sessions. A derived type is also created to protect the user ssh keys.
This template was added for NX.
This template creates a domains to be used for creating a ssh server. This is typically done to have multiple ssh servers of different sensitivities, such as for an internal network-facing ssh server, and a external network-facing ssh server.
allow host key based authentication
Allow ssh logins as sysadm_r:sysadm_t
Allow ssh with chroot env to read and write files in the user home directories
Allow ssh with chroot env to manage all files
Allow ssh with chroot env to apache content
Determine whether swift can connect to all TCP ports
Allow tftp to modify public files used for public file transfer services.
Allow tftp to read from a NFS store for public file transfer services.
Allow tftp to read from a CIFS store for public file transfer services.
Linux target framework (tgt) aims to simplify various SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation and maintenance. Our key goals are the clean integration into the scsi-mid layer and implementing a great portion of tgt in user space.
Allow tor daemon to bind tcp sockets to all unreserved ports.
Policy for DJB's ucspi-tcpd
Allow varnishd to connect to all ports, not just HTTP.
Allow virt to use serial/parallell communication ports
Allow virt to read fuse files
Allow virt to manage nfs files
Allow virt to manage cifs files
Allow virt to manage device configuration, (pci)
Allow confined virtual guests to interact with the sanlock
Allow virtual machine to interact with the xserver
Allow virt to use usb devices
Allow confined virtual guests to use executable memory and executable stack
Read user fonts, user font configuration, and manage the user font cache.
This is a templated interface, and should only be called from a per-userdomain template.
Execute an Xsession in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allows clients to write to the X server shared memory segments.
Allows XServer to execute writable memory
Allows xdm to execute bootloader
Allow xdm logins as sysadm
Support X userspace object manager
Allow regular users direct dri device access
Determine whether zabbix can connect to all TCP ports
Allow zebra daemon to write it configuration files