Allow logrotate to manage nfs files
Determine whether mcelog can use all the user ttys.
Allow ncftool to read user content.
Control users use of ping and traceroute
Template for portage sandbox. Portage does all compiling in the sandbox.
This template creates a derived domain which is allowed to change the linux user id, to run shells as a different user.
This template creates a derived domain which is allowed to change the linux user id, to run commands as a different user.
Determine whether tmpreaper can use nfs file systems.
Determine whether tmpreaper can use samba_share files
Tripwire file integrity checker.
NOTE: Tripwire creates temp file in its current working directory. This policy does not allow write access to home directories, so users will need to either cd to a directory where they have write permission, or set the TEMPDIRECTORY variable in the tripwire config file. The latter is preferable, as then the file_type_auto_trans rules will kick in and label the files as private to tripwire.
Ignore vbetool mmap_zero errors.
Determine whether awstats can purge httpd log files.
Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
This template creates a derived domains which are used for execmem applications.
Allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files.
Allow gpg web domain to modify public files used for public file transfer services.
Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
This template creates a derived domains which are used for java applications.
Allow java executable stack
Allow s-c-kdump to run bootloader in bootloader_t.
This template creates a derived domains which are used for mono applications.
Execute a mozilla_exec_t in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Control mozilla content access
Execute a mplayer_exec_t in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow mplayer executable stack
This template creates a derived domains which are used for nsplugin web browser.
This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.
Execute a nsplugin_exec_t in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow nsplugin code to execmem/execstack
Allow nsplugin code to connect to unreserved ports
This template creates a derived domains which are used for java applications.
Execute a openoffice_exec_t in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This template creates a derived domains which are used for qemu web browser.
This template is invoked automatically for each user, and generally does not need to be invoked directly by policy writers.
Execute qemu_exec_t in the specified domain. This allows the specified domain to qemu programs on these filesystems in the specified domain.
Allow qemu to connect fully to the network
Allow qemu to use cifs/Samba file systems
Allow qemu to user serial/parallel communication ports
Allow qemu to use nfs file systems
Allow qemu to use usb devices
Allow the Telepathy connection managers to connect to any generic TCP port.
This template creates a derived domains which are used for consolehelper applications.
This template creates a derived domains which are used for wine applications.
This template creates a derived domains which are used for wine applications.
Ignore wine mmap_zero errors
This template creates a derived domains which are used for window manager applications.
Create a aliased type to generic bin files. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Allow the specified domain to execute generic programs in system bin directories (/bin, /sbin, /usr/bin, /usr/sbin) a without domain transition.
Typically, this interface should be used when the domain executes general system progams within the privileges of the source domain. Some examples of these programs are ls, cp, sed, python, and tar. This does not include shells, such as bash.
Related interface:
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Allow the specified domain to execute shells without a domain transition.
Typically, this interface should be used when the domain executes shells within the privileges of the source domain. Some examples of these programs are bash, tcsh, and zsh.
Related interface:
Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Execute a shell in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Define type to be a network packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network port type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define network type to be a reserved port (lt 1024)
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define network type to be a rpc port ( 512 lt PORT lt 1024)
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network client packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Define type to be a network server packet type
This is for supporting third party modules and its use is not allowed in upstream reference policy.
Allow the specified domain to send and receive TCP network traffic on generic network interfaces.
Related interface:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_if(myclient_t) corenet_tcp_sendrecv_generic_node(myclient_t) corenet_tcp_sendrecv_all_ports(myclient_t) corenet_tcp_connect_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive UDP network traffic on generic network interfaces.
Related interface:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_generic_if(myclient_t) corenet_udp_sendrecv_generic_node(myclient_t) corenet_udp_sendrecv_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive TCP network traffic to/from generic network nodes (hostnames/networks).
Related interface:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_if(myclient_t) corenet_tcp_sendrecv_generic_node(myclient_t) corenet_tcp_sendrecv_all_ports(myclient_t) corenet_tcp_connect_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Allow the specified domain to send and receive UDP network traffic to/from generic network nodes (hostnames/networks).
Related interface:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_generic_if(myclient_t) corenet_udp_sendrecv_generic_node(myclient_t) corenet_udp_sendrecv_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Bind TCP sockets to generic nodes. This is necessary for binding a socket so it can be used for servers to listen for incoming connections.
Related interface:
Bind UDP sockets to generic nodes. This is necessary for binding a socket so it can be used for servers to listen for incoming connections.
Related interface:
Send and receive TCP network traffic on all ports. Related interfaces:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_if(myclient_t) corenet_tcp_sendrecv_generic_node(myclient_t) corenet_tcp_sendrecv_all_ports(myclient_t) corenet_tcp_connect_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Send and receive UDP network traffic on all ports. Related interfaces:
Example client being able to send to all ports over generic nodes, without labeled networking:
allow myclient_t self:udp_socket create_socket_perms; corenet_udp_sendrecv_generic_if(myclient_t) corenet_udp_sendrecv_generic_node(myclient_t) corenet_udp_sendrecv_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Connect TCP sockets to all ports
Related interfaces:
Example client being able to connect to all ports over generic nodes, without labeled networking:
allow myclient_t self:tcp_socket create_stream_socket_perms; corenet_tcp_sendrecv_generic_if(myclient_t) corenet_tcp_sendrecv_generic_node(myclient_t) corenet_tcp_sendrecv_all_ports(myclient_t) corenet_tcp_connect_all_ports(myclient_t) corenet_all_recvfrom_unlabeled(myclient_t)
Send and receive messages on a non-encrypted (no IPSEC) network session. (Deprecated)
The corenet_all_recvfrom_unlabeled() interface should be used instead of this one.
Do not audit attempts to send and receive messages on a non-encrypted (no IPSEC) network session.
The corenet_dontaudit_all_recvfrom_unlabeled() interface should be used instead of this one.
Allow the specified domain to receive packets from an unlabeled connection. On machines that do not utilize labeled networking, this will be required on all networking domains. On machines tha do utilize labeled networking, this will be required for any networking domain that is allowed to receive network traffic that does not have a label.
Allow the specified domain to receive NetLabel network traffic, which utilizes the Commercial IP Security Option (CIPSO) to set the MLS level of the network packets. This is required for all networking domains that receive NetLabel network traffic.
Allow unlabeled_packet_t to be used by all domains that use the network
Rules for receiving labeled TCP packets.
Due to the nature of TCP, this is bidirectional.
Rules for receiving labeled packets via TCP, UDP and raw IP.
Due to the nature of TCP, the rules (for TCP networking only) are bidirectional.
Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.
This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.
This module creates the concept of a device node. That is a char or block device file, usually in /dev. All types that are used to label device nodes should use the dev_node macro.
Additionally, this module controls access to three things:
Make the specified type usable for device nodes in a filesystem. Types used for device nodes that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running.
Example:
type mydev_t; dev_node(mydev_t) allow mydomain_t mydev_t:chr_file read_chr_file_perms;
Related interfaces:
Read the memory type range registers (MTRR). This interface has been deprecated, dev_rw_mtrr() should be used instead.
The MTRR device ioctls can be used for reading and writing; thus, read access to the device cannot be separated from write access.
Write the memory type range registers (MTRR). This interface has been deprecated, dev_rw_mtrr() should be used instead.
The MTRR device ioctls can be used for reading and writing; thus, write access to the device cannot be separated from read access.
Allow the specified domain to read from random number generator devices (e.g., /dev/random). Typically this is used in situations when a cryptographically secure random number is needed.
Related interface:
Allow the specified domain to read the contents of the sysfs filesystem. This filesystem contains information, parameters, and other settings on the hardware installed on the system.
Allow the specified domain to read from pseudo random number generator devices (e.g., /dev/urandom). Typically this is used in situations when a cryptographically secure random number is not necessarily needed. One example is the Stack Smashing Protector (SSP, formerly known as ProPolice) support that may be compiled into programs.
Related interface:
Related tunable:
Make the specified type usable as a basic domain.
This is primarily used for kernel threads; generally the domain_type() interface is more appropriate for userland processes.
Make the specified type usable as a domain. This, or an interface that calls this interface, must be used on all types that are used as domains.
Related interfaces:
Example:
type mydomain_t; domain_type(mydomain_t) type myfile_t; files_type(myfile_t) allow mydomain_t myfile_t:file read_file_perms;
Allow the specified domain to perform dynamic transitions.
This violates process tranquility, and it is strongly suggested that this not be used.
Make the specified domain the target of the user domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the user domains from the base module. It should not be used other than on user domains.
Make the specified domain the source of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on cron domains.
Make the specified domain the target of the cron domain exception of the SELinux role and identity change constraints.
This interface is needed to decouple the cron domains from the base module. It should not be used other than on user cron jobs.
Allow the specified domain to inherit and use file descriptors from domains with interactive programs. This does not allow access to the objects being referenced by the file descriptors.
Do not audit attempts to ptrace all domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Do not audit attempts to ptrace confined domains.
Generally this needs to be suppressed because procps tries to access /proc/pid/environ and this now triggers a ptrace check in recent kernels (2.4 and 2.6).
Get the attributes of all domains sockets, for all socket types.
This is commonly used for domains that can use lsof on all domains.
Do not audit attempts to get the attributes of all domains sockets, for all socket types.
This interface was added for PCMCIA cardmgr and is probably excessive.
Get the attributes of all domains unnamed pipes.
This is commonly used for domains that can use lsof on all domains.
Allow all domains to use other domains file descriptors
Allow all domains to have the kernel load modules
Allow all domains to execute in fips_mode
This module contains basic filesystem types and interfaces. This includes:
Make the specified type usable for files in a filesystem. Types used for files that do not use this interface, or an interface that calls this one, will have unexpected behaviors while the system is running. If the type is used for device nodes (character or block files), then the dev_node() interface is more appropriate.
Related interfaces:
Example:
type myfile_t; files_type(myfile_t) allow mydomain_t myfile_t:file read_file_perms;
Make the specified type usable for runtime process ID files, typically found in /var/run. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a PID file type may result in problems with starting or stopping services.
Related interfaces:
Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:
type mypidfile_t; files_pid_file(mypidfile_t) allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; files_pid_filetrans(mydomain_t, mypidfile_t, file)
Make the specified type usable for configuration files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with configuration management tools.
Example usage with a domain that can read its configuration file /etc:
type myconffile_t; files_config_file(myconffile_t) allow mydomain_t myconffile_t:file read_file_perms; files_search_etc(mydomain_t)
Identify file type as base file type. Tools will use this attribute, to help users diagnose problems.
Make the specified type readable for all domains.
Make the specified type usable for temporary files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with purging temporary files.
Related interfaces:
Example usage with a domain that can create and write its temporary file in the system temporary file directories (/tmp or /var/tmp):
type mytmpfile_t; files_tmp_file(mytmpfile_t) allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
Allow shared library text relocations in all files.
This is added to support WINE policy.
Allow the specified domain to read generic files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:
This interface does not include access to /etc/shadow.
Generally, it is safe for many domains to have this access. However, since this interface provides access to the /etc/passwd file, caution must be exercised, as user account names can be leaked through this access.
Related interfaces:
Create a boot flag, such as /.autorelabel and /.autofsck.
Allow the specified domain to read dynamically created configuration files in /etc. These files are typically general system configuration files that do not have more specific SELinux types. Some examples of these files are:
This interface does not include access to /etc/shadow.
Allow shared library text relocations in tmp files.
This is added to support java policy.
Allow the specified domain to read generic files in /usr. These files are various program files that do not have more specific SELinux types. Some examples of these files are:
Generally, it is safe for many domains to have this access.
Search the /var/lib directory. This is necessary to access files or directories under /var/lib that have a private type. For example, a domain accessing a private library file in the /var/lib directory:
allow mydomain_t mylibfile_t:file read_file_perms; files_search_var_lib(mydomain_t)
Create an object in the process ID directory (e.g., /var/run) with a private type. Typically this is used for creating private PID files in /var/run with the private type instead of the general PID file type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
Example usage with a domain that can create and write its PID file with a private PID file type in the /var/run directory:
type mypidfile_t; files_pid_file(mypidfile_t) allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; files_pid_filetrans(mydomain_t, mypidfile_t, file)
Create a core file in /,
Create a default_t direcrory
Allow the specified domain to get the attributes of a persistent filesystems which have extended attributes, such as ext3, JFS, or XFS. Example attributes:
Register an interpreter for new binary file types, using the kernel binfmt_misc support.
A common use for this is to register a JVM as an interpreter for Java byte code. Registered binaries can be directly executed on a command line without specifying the interpreter.
Execute a file on a CIFS or SMB filesystem in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle home directories on CIFS/SMB filesystems, in particular used by the ssh-agent policy.
Read eventpollfs files
This interface has been deprecated, and will be removed in the future.
Execute a file on a FUSE filesystem in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle home directories on FUSE filesystems, in particular used by the ssh-agent policy.
Execute a file on a NFS filesystem in the specified domain. This allows the specified domain to execute any file on a NFS filesystem in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle home directories on NFS filesystems, in particular used by the ssh-agent policy.
Allow the specified domain to et the attributes of all filesystems. Example attributes:
Allow the specified domain to request that the kernel load a kernel module. An example of this is the auto-loading of network drivers when doing an ioctl() on a network interface.
In the specific case of a module loading request on a network interface, the domain will also need the net_admin capability.
Allow the specified domain to request that the kernel load a kernel module. An example of this is the auto-loading of network drivers when doing an ioctl() on a network interface.
In the specific case of a module loading request on a network interface, the domain will also need the net_admin capability.
Allow the specified domain to read (follow) generic symbolic links (symlinks) in the proc filesystem (/proc). This interface does not include access to the targets of these links. An example symlink is /proc/self.
Allow the specified domain to read general system state information from the proc filesystem (/proc).
Generally it should be safe to allow this access. Some example files that can be read based on this interface:
This does not allow access to sysctl entries (/proc/sys/*) nor process state information (/proc/pid).
Allow the specified domain to read the networking state information. This includes several pieces of networking information, such as network interface names, netfilter (iptables) statistics, protocol information, routes, and remote procedure call (RPC) information.
Allow the specified domain to read general kernel sysctl settings. These settings are typically read using the sysctl program. The settings that are included by this interface are prefixed with "kernel.", for example, kernel.sysrq.
This does not include access to the hotplug handler setting (kernel.hotplug) nor the module installer handler setting (kernel.modprobe).
Related interfaces:
Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC have use an unlabeled assocation.
The corenetwork interface corenet_non_ipsec_sendrecv() should be used instead of this one.
Do not audit attempts to send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC have use an unlabeled assocation.
The corenetwork interface corenet_dontaudit_non_ipsec_sendrecv() should be used instead of this one.
Receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_tcp_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive TCP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() should be used instead of this one.
Receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_udp_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive UDP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() should be used instead of this one.
Receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.
Do not audit attempts to receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() should be used instead of this one.
Receive Raw IP packets from an unlabeled connection.
The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.
Send and receive unlabeled packets. These packets do not match any netfilter SECMARK rules.
The corenetwork interface corenet_sendrecv_unlabeled_packets() should be used instead of this one.
Receive packets from an unlabeled peer, these packets do not have any peer labeling information present.
The corenetwork interface corenet_recvfrom_unlabeled_peer() should be used instead of this one.
Do not audit attempts to receive packets from an unlabeled peer, these packets do not have any peer labeling information present.
The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() should be used instead of this one.
Make specified process type MCS untrusted. This prevents this process from sending signals to other processes with different mcs labels object.
This module contains interfaces for handling multilevel security. The interfaces allow the specified subjects and objects to be allowed certain privileges in the MLS rules.
Make specified domain MLS trusted for reading from files at all levels.
This interface has been deprecated, please use mls_file_read_all_levels() instead.
Make specified domain MLS trusted for writing to files at all levels.
This interface has been deprecated, please use mls_file_write_all_levels() instead.
Make specified domain MLS trusted for reading from processes at all levels.
This interface has been deprecated, please use mls_process_read_all_levels() instead.
Make specified domain MLS trusted for writing to processes at all levels.
This interface has been deprecated, please use mls_process_write_all_levels() instead.
Make specified object MLS trusted. This allows all levels to read and write the object.
This currently only applies to filesystem objects, for example, files and directories.
Make the specified type used for labeling SELinux Booleans.
This makes use of genfscon statements, which are only available in the base module. Thus any module which calls this interface must be included in the base module.
Allow caller to set the mode of policy enforcement (enforcing or permissive mode).
Since this is a security event, this action is always audited.
Allow caller to set the state of Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
This interface has been deprecated. Please use selinux_set_generic_booleans() or selinux_set_all_booleans() instead.
Allow caller to set the state of generic Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
Allow caller to set the state of all Booleans to enable or disable conditional portions of the policy.
Since this is a security event, this action is always audited.
Allow caller to set SELinux access vector cache parameters. The allows the domain to set performance related parameters of the AVC, such as cache threshold.
Since this is a security event, this action is always audited.
Calculate the context for relabeling objects. This is determined by using the type_change rules in the policy, and is generally used for determining the context for relabeling a terminal when a user logs in.
Constrain the specified type by user-based access control (UBAC). Typically, these are user processes or user files that need to be differentiated by SELinux user. Normally this does not include administrative or privileged programs. For the UBAC rules to be enforced, both the subject (source) type and the object (target) types must be UBAC constrained.
Change from the audit administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the web administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the guest role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the log administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the security administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the staff role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the system administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to execute all entrypoint files in a specified domain. This is an explicit transition, requiring the caller to use setexeccon().
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to execute a generic bin program in a specified domain.
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Allow sysadm to debug or ptrace all processes.
Change from the unconfineduser role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow unconfined to execute the specified program in the specified domain.
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Allow unconfined to execute the specified program in the specified domain. Allow the specified domain the unconfined role and use of unconfined user terminals.
This is a interface to support third party modules and its use is not allowed in upstream reference policy.
Do not audit attempts to read or write unconfined domain tcp sockets.
This interface was added due to a broken symptom in ldconfig.
Do not audit attempts to read or write unconfined domain packet sockets.
This interface was added due to a broken symptom.
Transition to confined nsplugin domains from unconfined user
Allow a user to login as an unconfined domain
Ignore unconfined mmap_zero errors
Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
Change from the generic user role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Change from the web administrator role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow webadm to manage files in users home directories
Allow webadm to read files in users home directories
Change from the xguest role to the specified role.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow xguest users to mount removable media
Allow xguest to configure Network Manager and connect to apache ports
Allow xguest to use blue tooth devices
Allow ABRT to modify public files used for public file transfer services.
Allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts
Allow amavis to use JIT compiler
Allow antivirus programs to read non security files on a system
Determine whether can antivirus programs use JIT compiler.
Execute CGI in the specified domain.
This is an interface to support third party modules and its use is not allowed in upstream reference policy.
Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
Allow Apache to use mod_auth_pam
Allow httpd scripts and modules execmem/execstack
Allow httpd processes to manage IPA content
Allow httpd to use built in scripting (usually php)
Allow HTTPD scripts and modules to connect to the network using TCP.
Allow HTTPD scripts and modules to connect to cobbler over the network.
Allow HTTPD scripts and modules to server cobbler files.
Allow HTTPD scripts and modules to connect to databases over the network.
Allow httpd to connect to memcache server
Allow httpd to act as a relay
Allow http daemon to send mail
Allow http daemon to check spam
Allow Apache to communicate with avahi service via dbus
Allow Apache to communicate with sssd service via dbus
Allow httpd cgi support
Allow httpd to act as a FTP server by listening on the ftp port.
Allow httpd to read home directories
Allow httpd to read user content
Allow httpd daemon to change system limits
Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
Allow Apache to execute tmp content.
Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
Unify HTTPD handling of all content files.
Allow httpd to access openstack ports
Allow httpd to access cifs file systems
Allow httpd to access FUSE file systems
Allow httpd to run gpg in gpg-web domain
Allow httpd to access nfs file systems
Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
Allow Apache to run in stickshift mode, not transition to passenger
Allow Apache to run preupgrade
Allow Apache to query NS records
Allow Apache to use mod_auth_ntlm_winbind
Allow bacula to manage nfs files
Allow bacula to manage cifs files
Allow BIND to bind apache port.
Allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers.
Allow clamscan to non security files on a system
Allow clamd to use JIT compiler
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between lots of various commands and applications when rolling out new systems, and, in some cases, changing existing ones.
Allow Cobbler to modify public files used for public file transfer services.
Allow Cobbler to connect to the network using TCP.
Allow Cobbler to access cifs file systems.
Allow Cobbler to access nfs file systems.
Determine whether collectd can connect to the network using TCP.
Allow codnor domain to connect to the network using TCP.
Allow system cron jobs to relabel filesystem for restoring file contexts.
Enable extra rules in the cron domain to support fcron.
Allow cvs daemon to read shadow
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
Allow exim to connect to databases (postgres, mysql)
Allow exim to read unprivileged user files.
Allow exim to create, read, write, and delete unprivileged user files.
Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.
Allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
Allow ftp servers to use cifs used for public file transfer services.
Allow ftpd to use ntfs/fusefs volumes.
Allow ftp servers to use nfs used for public file transfer services.
Allow ftp servers to use connect to mysql database
Allow ftp to read and write files in the user home directories
Determine whether ftpd can bind to all unreserved ports for passive mode.
Determine whether Git CGI can search home directories.
Determine whether Git CGI can access cifs file systems.
Determine whether Git CGI can access nfs file systems.
Determine whether Git session daemon can bind TCP sockets to all unreserved ports.
Determine whether calling user domains can execute Git daemon in the git_session_t domain.
Determine whether Git system daemon can search home directories.
Determine whether Git system daemon can access cifs file systems.
Determine whether Git system daemon can access nfs file systems.
Allow glusterfsd to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow glusterfsd to share any file/directory read only.
Allow glusterfsd to share any file/directory read/write.
Determine whether icecast can listen on and connect to any TCP port.
Define the specified domain as a inetd service. The inetd_service_domain(), inetd_tcp_service_domain(), or inetd_udp_service_domain() interfaces should be used instead of this interface, as this interface only provides the common rules to these three interfaces.
This policy supports:
Servers:
Clients:
Allow confined applications to run with kerberos.
Likewise Open is a free, open source application that joins Linux, Unix, and Mac machines to Microsoft Active Directory to securely authenticate users with their domain credentials.
This template creates a domain to be used for a new likewise daemon.
Use lpd server instead of cups
Determine whether lsmd_plugin can connect to all TCP ports.
This template creates a domain to be used for a new mailman daemon.
This template creates a derived domain which is a email transfer agent, which sends mail on behalf of the user.
This is the basic types and rules, common to the system agent and user agents.
A modified MTA mail server interface for the sendmail program. It's design does not fit well with policy, and using the regular interface causes a type_transition conflict if direct running of init scripts is enabled.
This interface should most likely only be used by the sendmail policy.
Execute send mail in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow mysqld to connect to all ports
Allow nagios/nrpe to call sudo from NRPE utils scripts.
Use the ypbind service to access NIS services unconditionally.
This interface was added because of apache and spamassassin, to fix a nested conditionals problem. When that support is added, this should be removed, and the regular interface should be used.
Allow the specified domain to use the ypbind service to access Network Information Service (NIS) services. Information that can be retreived from NIS includes usernames, passwords, home directories, and groups. If the network is configured to have a single sign-on using NIS, it is likely that any program that does authentication will need this access.
Allow confined applications to use nscd shared memory.
Oident daemon is a server that implements the TCP/IP standard IDENT user identification protocol as specified in the RFC 1413 document.
Allow openshift to access nfs file systems without labels
Allow openvpn to read home directories
Allow openvpn to run unconfined scripts
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
Allow pcp to bind to all unreserved_ports
Allow piranha-lvs domain to connect to the network using TCP.
Allow postfix_local domain full write access to mail_spool directories
Allow postgresql to use ssh and rsync for point-in-time recovery
Allow unprivileged users to execute DDL statement
Allow database admins to execute DML statement
Allow pppd to load kernel modules for certain modems
Allow pppd to be run for a regular user
Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
Puppet is a configuration management system written in Ruby. The client daemon is responsible for periodically requesting the desired system state from the server and ensuring the state of the client system matches.
Allow Puppet client to manage all file types.
Allow Puppet master to use connect to mysql and postgresql database
A distributed, collaborative, spam detection and filtering network.
This policy will work with either the ATrpms provided config file in /etc/razor, or with the default of dumping everything into $HOME/.razor.
Allow rgmanager domain to connect to the network using TCP.
Allow fenced domain to connect to the network using TCP.
Allow fenced domain to execute ssh.
Allow cluster administrative domains to connect to the network using TCP.
Allow cluster administrative domains to manage all files on a system.
Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
This template creates a domain to be used for a new rpc daemon.
Allow gssd to read temp directory. For access to kerberos tgt.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Execute a rsync in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow rsync to run as a client
Allow rsync to run as a server
Allow rsync to export any files/directories read only.
Allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow rsync servers to share cifs files systems
Allow rsync servers to share nfs files systems
Allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
Allow samba to create new home directories (e.g. via PAM)
Allow samba to act as the domain controller, add users, groups and change passwords.
Allow samba to act as a portmapper
Allow samba to share users home directories.
Allow samba to share any file/directory read only.
Allow samba to share any file/directory read/write.
Allow samba to run unconfined scripts
Allow samba to export NFS volumes.
Allow samba to export ntfs/fusefs volumes.
Allow smbd to load libgfapi from gluster.
Allow sanlock to manage nfs files
Allow sanlock to manage cifs files
Allow sanlock to read/write fuse files
Allow sasl to read shadow
Allow sge to access nfs file systems.
Allow sge to connect to the network using any TCP port
Enable additional permissions needed to support devices on 3ware controllers.
Allow user spamassassin clients to use the network.
Allow spamd to read/write user home directories.
Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
Allow squid to run as a transparent proxy (TPROXY)
This template creates a derived domains which are used for ssh client sessions. A derived type is also created to protect the user ssh keys.
This template was added for NX.
This template creates a domains to be used for creating a ssh server. This is typically done to have multiple ssh servers of different sensitivities, such as for an internal network-facing ssh server, and a external network-facing ssh server.
allow host key based authentication
Allow ssh logins as sysadm_r:sysadm_t
Allow ssh with chroot env to read and write files in the user home directories
Allow ssh with chroot env to manage all files
Allow ssh with chroot env to apache content
Determine whether swift can connect to all TCP ports
Allow tftp to modify public files used for public file transfer services.
Allow tftp to read from a NFS store for public file transfer services.
Allow tftp to read from a CIFS store for public file transfer services.
Linux target framework (tgt) aims to simplify various SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation and maintenance. Our key goals are the clean integration into the scsi-mid layer and implementing a great portion of tgt in user space.
Allow tor daemon to bind tcp sockets to all unreserved ports.
Policy for DJB's ucspi-tcpd
Allow varnishd to connect to all ports, not just HTTP.
Allow virt to use serial/parallell communication ports
Allow virt to read fuse files
Allow virt to manage nfs files
Allow virt to manage cifs files
Allow virt to manage device configuration, (pci)
Allow confined virtual guests to interact with the sanlock
Allow virtual machine to interact with the xserver
Allow virt to use usb devices
Allow confined virtual guests to use executable memory and executable stack
Read user fonts, user font configuration, and manage the user font cache.
This is a templated interface, and should only be called from a per-userdomain template.
Execute an Xsession in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allows clients to write to the X server shared memory segments.
Allows XServer to execute writable memory
Allows xdm to execute bootloader
Allow xdm logins as sysadm
Support X userspace object manager
Allow regular users direct dri device access
Determine whether zabbix can connect to all TCP ports
Allow zebra daemon to write it configuration files
Create a domain for applications. Typically these are programs that are run interactively.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.
Pass shadow assertion for reading. This should only be used with auth_tunable_read_shadow(), and only exists because typeattribute does not work in conditionals.
Read the shadow password file. This should only be used in a conditional; it does not pass the reading shadow assertion.
Allow the specified domain to look up user, password, group, or host information using the name service. The most common use of this interface is for services that do host name resolution (usually DNS resolution).
Unconfined access to the authlogin module.
Currently, this only allows assertions for the shadow passwords file (/etc/shadow) to be passed. No access is granted yet.
Allow users to login using a radius server
Allow users login programs to access /etc/shadow.
Allow users to login using a yubikey OTP server or challenge response mode
Policy for DJB's daemontools
Create a file type used for init scripts. It can not be used in conjunction with init_script_domain(). These script files are typically stored in the /etc/init.d directory.
Typically this is used to constrain what services an admin can start/stop. For example, a policy writer may want to constrain a web administrator to only being able to restart the web server, not other services. This special type will help address that goal.
This also makes the type usable for files; thus an explicit call to files_type() is redundant.
Create a domain used for init scripts. Can not be used in conjunction with init_script_file().
Create a domain for long running processes (daemons/services) which are started by init scripts. Short running processes should use the init_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the process must also run in a specific MLS/MCS level, the init_ranged_daemon_domain() should be used instead.
Create a domain for long running processes (daemons/services) which are started by init scripts, running at a specified MLS/MCS range. Short running processes should use the init_ranged_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_daemon_domain().
Create a domain for long running processes (daemons/services) which are started by init scripts. These are generally applications that are used to initialize the system during boot. Long running processes should use the init_daemon_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the process must also run in a specific MLS/MCS level, the init_ranged_system_domain() should be used instead.
Create a domain for long running processes (daemons/services) which are started by init scripts. These are generally applications that are used to initialize the system during boot. Long running processes should use the init_ranged_system_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.
The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.
If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_system_domain().
Allow the specified domain to inherit file descriptors from the init program (process ID 1). Typically the only file descriptors to be inherited from init are for the console. This does not allow the domain any access to the object to which the file descriptors references.
Related interfaces:
Example usage:
init_use_fds(mydomain_t) term_use_console(mydomain_t)
Normally, processes that can inherit these file descriptors (usually services) write messages to the system log instead of writing to the console. Therefore, in many cases, this access should dontaudited instead.
Example dontaudit usage:
init_dontaudit_use_fds(mydomain_t) term_dontaudit_use_console(mydomain_t)
Execute a init script in a specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Start and stop daemon programs directly in the traditional "/etc/init.d/daemon start" style, and do not require run_init.
Read and write the init script pty. This pty is generally opened by the open_init_pty portion of the run_init program so that the daemon does not require direct access to the administrator terminal.
Execute a init script in a specified role
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Enable support for upstart as the init program.
Allow all daemons to use tcp wrappers.
Allow all daemons the ability to read/write terminals
Allow all daemons to write corefiles to /
Enable cluster mode for daemons.
Allow racoon to read shadow
Do not audit attempts to write to library directories. Typically this is used to quiet attempts to recompile python byte code.
Create an object in lib directories, with the shared libraries type using a type transition. (Deprecated)
lib_filetrans_shared_lib() should be used instead.
Make the specified type usable for log files in a filesystem. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a log file type may result in problems with log rotation, log analysis, and log monitoring programs.
Related interfaces:
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)
Allow the specified domain to create an object in the general system log directories (e.g., /var/log) with a private type. Typically this is used for creating private log files in /var/log with the private type instead of the general system log type. To accomplish this goal, either the program must be SELinux-aware, or use this interface.
Related interfaces:
Example usage with a domain that can create and append to a private log file stored in the general directories (e.g., /var/log):
type mylogfile_t; logging_log_file(mylogfile_t) allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; logging_log_filetrans(mydomain_t, mylogfile_t, file)
Allow the specified domain to connect to the system log service (syslog), to send messages be added to the system logs. Typically this is used by services that do not have their own log file in /var/log.
This does not allow messages to be sent to the auditing system.
Programs which use the libc function syslog() will require this access.
Related interfaces:
Allow syslogd daemon to send mail
Allow syslogd daemon to read user tmp content
Allow syslogd the ability to read/write terminals
Allow syslogd the ability to call nagios plugins. It is turned on by omprog rsyslog plugin.
Make the specified type usable for cert files. This will also make the type usable for files, making calls to files_type() redundant. Failure to use this interface for a temporary file may result in problems with cert management tools.
Related interfaces:
Example:
type mycertfile_t; cert_type(mycertfile_t) allow mydomain_t mycertfile_t:file read_file_perms; files_search_etc(mydomain_t)
Allow the specified domain to read the localization files. This is typically for time zone configuration files, such as /etc/localtime and files in /usr/share/zoneinfo. Typically, any domain which needs to know the GMT/UTC offset of the current timezone will need access to these files. Generally, it should be safe for any domain to read these files.
Allow the mount domain to send nfs requests for mounting network drives
This interface has been deprecated as these rules were a side effect of leaked mount file descriptors. This interface has no effect.
Allow the mount command to mount any directory or file.
Create, read, write, and delete the mdadm pid files.
Added for use in the init module.
Allow the specified domain to send a SIGCHLD signal to newrole. This signal is automatically sent from a process that is terminating to its parent. This may be needed by domains that are executed from newrole.
Execute init scripts in the run_init domain. This is used for the Gentoo integrated run_init.
Execute init scripts in the run_init domain, and allow the specified role the run_init domain, and use the caller's terminal.
This is used for the Gentoo integrated run_init.
Create, read, write, and delete the general selinux configuration files.
This interface has been deprecated, please use the seutil_manage_config() interface instead.
SELinux-enabled programs are typically linked to the libselinux library. This interface will allow access required for the libselinux constructor to function.
SELinux-enabled programs are typically linked to the libselinux library. This interface will dontaudit access required for the libselinux constructor to function.
Generally this should not be used on anything but simple SELinux-enabled programs that do not rely on data initialized by the libselinux constructor.
Allow the specified domain to read the general network configuration files. A common example of this is the /etc/resolv.conf file, which has domain name system (DNS) server IP addresses. Typically, most networking processes will require the access provided by this interface.
Higher-level interfaces which involve networking will generally call this interface, for example:
Create DHCP state data.
This is added for DHCP server, as the server and client put their state files in the same directory.
Execute dhclient script in a specified role
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow dhcpc client applications to execute iptables commands
Allow the specified domain to read the udev device table.
Make the specified domain unconfined and audit executable heap usage. With exception of memory protections, usage of this interface will result in the level of access the domain has is like SELinux was not being used.
Only completely trusted domains should use this interface.
Add an alias type to the unconfined domain. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Add an alias type to the unconfined execmem program file type. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
The template containing the most basic rules common to all users.
This template creates a user domain, types, and rules for the user's tty and pty.
Allow a home directory for which the role has read-only access.
This does not allow execute access.
Allow a home directory for which the role has full access.
This does not allow execute access.
Role access for the user tmpfs type that the user has full access.
This does not allow execute access.
This template creates a user domain, types, and rules for the user's tty, pty, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The template for creating a unprivileged xwindows login user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The template for creating a unprivileged user roughly equivalent to a regular linux user.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
This template creates a user domain, types, and rules for the user's tty, pty, home directories, tmp, and tmpfs files.
The privileges given to administrative users are:
Create objects in a user home directory with an automatic type transition to a specified private type.
This is a templated interface, and should only be called from a per-userdomain template.
Do not audit attempts to search user home directories. This will supress SELinux denial messages when the specified domain is denied the permission to search these directories.
Do a domain transition to the specified domain when executing a program in the user home directory.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Allow the specified domain to read and write user TTYs and PTYs. This will allow the domain to interact with the user via the terminal. Typically all interactive applications will require this access.
However, this also allows the applications to spy on user sessions or inject information into the user session. Thus, this access should likely not be allowed for non-interactive domains.
Do not audit attempts to inherit the file descriptors from unprivileged user domains. This will supress SELinux denial messages when the specified domain is denied the permission to inherit these file descriptors.
Allow users to connect to mysql
Allow users to connect to PostgreSQL
Allow regular users direct mouse access
Allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY)
Allow user processes to change their priority
Allow w to display everyone
Allow xen to manage nfs files
Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla)
Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t)
Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla)
Enable polyinstantiated directory support.
Allow system to run with NIS
Enable reading of urandom for all domains.
This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom.
Support NFS home directories
Support fusefs home directories
Support SAMBA home directories
Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols.
Allow direct login to the console device. Required for System 390
Allow certain domains to map low memory in the kernel
Enabling secure mode disallows programs, such as newrole, from transitioning to administrative user domains.
Disable transitions to insmod.
boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back