<html> <head> <title> Security Enhanced Linux Reference Policy </title> <style type="text/css" media="all">@import "style.css";</style> </head> <body> <div id="Header">Security Enhanced Linux Reference Policy</div> <div id='Menu'> <a href="admin.html">+ admin</a></br/> <div id='subitem'> </div> <a href="apps.html">+ apps</a></br/> <div id='subitem'> </div> <a href="contrib.html">+ contrib</a></br/> <div id='subitem'> </div> <a href="kernel.html">+ kernel</a></br/> <div id='subitem'> - <a href='kernel_corecommands.html'> corecommands</a><br/> - <a href='kernel_corenetwork.html'> corenetwork</a><br/> - <a href='kernel_devices.html'> devices</a><br/> - <a href='kernel_domain.html'> domain</a><br/> - <a href='kernel_files.html'> files</a><br/> - <a href='kernel_filesystem.html'> filesystem</a><br/> - <a href='kernel_kernel.html'> kernel</a><br/> - <a href='kernel_mcs.html'> mcs</a><br/> - <a href='kernel_mls.html'> mls</a><br/> - <a href='kernel_selinux.html'> selinux</a><br/> - <a href='kernel_storage.html'> storage</a><br/> - <a href='kernel_terminal.html'> terminal</a><br/> - <a href='kernel_ubac.html'> ubac</a><br/> - <a href='kernel_unlabelednet.html'> unlabelednet</a><br/> </div> <a href="roles.html">+ roles</a></br/> <div id='subitem'> </div> <a href="services.html">+ services</a></br/> <div id='subitem'> </div> <a href="system.html">+ system</a></br/> <div id='subitem'> </div> <br/><p/> <a href="global_booleans.html">* Global Booleans </a> <br/><p/> <a href="global_tunables.html">* Global Tunables </a> <p/><br/><p/> <a href="index.html">* Layer Index</a> <br/><p/> <a href="booleans.html">* Boolean Index</a> <br/><p/> <a href="tunables.html">* Tunable Index</a> <br/><p/> <a href="interfaces.html">* Interface Index</a> <br/><p/> <a href="templates.html">* Template Index</a> </div> <div id="Content"> <a name="top":></a> <h1>Layer: kernel</h1><p/> <h2>Module: selinux</h2><p/> <a href=#booleans>Booleans</a> <a href=#interfaces>Interfaces</a> <h3>Description:</h3> <p><p> Policy for kernel security interface, in particular, selinuxfs. </p></p> <p>This module is required to be included in all policies.</p> <hr> <a name="booleans"></a> <h3>Booleans: </h3> <a name="link_secure_mode_policyload"></a> <div id="interface"> <div id="codeblock">secure_mode_policyload</div> <div id="description"> <h5>Default value</h5> <p>false</p> <h5>Description</h5> <p> </p><p> Boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back. </p><p> </p> </div></div> <a href=#top>Return</a> <a name="interfaces"></a> <h3>Interfaces: </h3> <a name="link_selinux_compute_access_vector"></a> <div id="interface"> <div id="codeblock"> <b>selinux_compute_access_vector</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows caller to compute an access vector. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_compute_create_context"></a> <div id="interface"> <div id="codeblock"> <b>selinux_compute_create_context</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Calculate the default type for object creation. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_compute_member"></a> <div id="interface"> <div id="codeblock"> <b>selinux_compute_member</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows caller to compute polyinstatntiated directory members. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_compute_relabel_context"></a> <div id="interface"> <div id="codeblock"> <b>selinux_compute_relabel_context</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Calculate the context for relabeling objects. </p> <h5>Description</h5> <p> </p><p> Calculate the context for relabeling objects. This is determined by using the type_change rules in the policy, and is generally used for determining the context for relabeling a terminal when a user logs in. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_compute_user_contexts"></a> <div id="interface"> <div id="codeblock"> <b>selinux_compute_user_contexts</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows caller to compute possible contexts for a user. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_get_fs_mount"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_get_fs_mount</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to get the mountpoint of the selinuxfs filesystem. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_getattr_dir"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_getattr_dir</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to get the attributes of the selinuxfs directory. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_getattr_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_getattr_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to get the attributes of the selinuxfs filesystem </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_read_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_read_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to read generic selinuxfs entries </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_search_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_search_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to search selinuxfs. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_dontaudit_validate_context"></a> <div id="interface"> <div id="codeblock"> <b>selinux_dontaudit_validate_context</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts to validate security contexts. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain to not audit. </p> </td></tr> </table> </div> </div> <a name="link_selinux_genbool"></a> <div id="interface"> <div id="codeblock"> <b>selinux_genbool</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Generate a file context for a boolean type </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_get_enforce_mode"></a> <div id="interface"> <div id="codeblock"> <b>selinux_get_enforce_mode</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows the caller to get the mode of policy enforcement (enforcing or permissive mode). </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_get_fs_mount"></a> <div id="interface"> <div id="codeblock"> <b>selinux_get_fs_mount</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Get the mountpoint of the selinuxfs filesystem. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_getattr_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_getattr_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Get the attributes of the selinuxfs filesystem </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_labeled_boolean"></a> <div id="interface"> <div id="codeblock"> <b>selinux_labeled_boolean</b>( type , boolean )<br> </div> <div id="description"> <h5>Summary</h5> <p> Make the specified type used for labeling SELinux Booleans. This interface is only usable in the base module. </p> <h5>Description</h5> <p> </p><p> Make the specified type used for labeling SELinux Booleans. </p><p> </p><p> This makes use of genfscon statements, which are only available in the base module. Thus any module which calls this interface must be included in the base module. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> type </td><td> <p> Type used for labeling a Boolean. </p> </td></tr> <tr><td> boolean </td><td> <p> Name of the Boolean. </p> </td></tr> </table> </div> </div> <a name="link_selinux_load_policy"></a> <div id="interface"> <div id="codeblock"> <b>selinux_load_policy</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to load the policy into the kernel. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_mount_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_mount_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Mount the selinuxfs filesystem. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_mounton_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_mounton_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Mount on selinuxfs directories. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_read_policy"></a> <div id="interface"> <div id="codeblock"> <b>selinux_read_policy</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to read the policy from the kernel. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_remount_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_remount_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Remount the selinuxfs filesystem. This allows some mount options to be changed. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_search_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_search_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Search selinuxfs. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_set_all_booleans"></a> <div id="interface"> <div id="codeblock"> <b>selinux_set_all_booleans</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to set the state of all Booleans to enable or disable conditional portions of the policy. </p> <h5>Description</h5> <p> </p><p> Allow caller to set the state of all Booleans to enable or disable conditional portions of the policy. </p><p> </p><p> Since this is a security event, this action is always audited. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_set_boolean"></a> <div id="interface"> <div id="codeblock"> <b>selinux_set_boolean</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to set the state of Booleans to enable or disable conditional portions of the policy. (Deprecated) </p> <h5>Description</h5> <p> </p><p> Allow caller to set the state of Booleans to enable or disable conditional portions of the policy. </p><p> </p><p> Since this is a security event, this action is always audited. </p><p> </p><p> This interface has been deprecated. Please use selinux_set_generic_booleans() or selinux_set_all_booleans() instead. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_set_enforce_mode"></a> <div id="interface"> <div id="codeblock"> <b>selinux_set_enforce_mode</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to set the mode of policy enforcement (enforcing or permissive mode). </p> <h5>Description</h5> <p> </p><p> Allow caller to set the mode of policy enforcement (enforcing or permissive mode). </p><p> </p><p> Since this is a security event, this action is always audited. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_set_generic_booleans"></a> <div id="interface"> <div id="codeblock"> <b>selinux_set_generic_booleans</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to set the state of generic Booleans to enable or disable conditional portions of the policy. </p> <h5>Description</h5> <p> </p><p> Allow caller to set the state of generic Booleans to enable or disable conditional portions of the policy. </p><p> </p><p> Since this is a security event, this action is always audited. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_set_parameters"></a> <div id="interface"> <div id="codeblock"> <b>selinux_set_parameters</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow caller to set SELinux access vector cache parameters. </p> <h5>Description</h5> <p> </p><p> Allow caller to set SELinux access vector cache parameters. The allows the domain to set performance related parameters of the AVC, such as cache threshold. </p><p> </p><p> Since this is a security event, this action is always audited. </p><p> </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_setcheckreqprot"></a> <div id="interface"> <div id="codeblock"> <b>selinux_setcheckreqprot</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows caller to setcheckreqprot </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_unconfined"></a> <div id="interface"> <div id="codeblock"> <b>selinux_unconfined</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Unconfined access to the SELinux kernel security server. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_unmount_fs"></a> <div id="interface"> <div id="codeblock"> <b>selinux_unmount_fs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Unmount the selinuxfs filesystem. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a name="link_selinux_validate_context"></a> <div id="interface"> <div id="codeblock"> <b>selinux_validate_context</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allows caller to validate security contexts. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="65%"> <tr><th >Parameter:</th><th >Description:</th></tr> <tr><td> domain </td><td> <p> Domain allowed access. </p> </td></tr> </table> </div> </div> <a href=#top>Return</a> </div> </body> </html>