Table C-1 describes principal macros defined in the src/policy/macros subdirectory. The macros included in the table are those present in the Fedora Core 2 implementation of SELinux. Other implementations may define different macros or alter the operation of macros appearing in the table.
| Macro | Description |
|---|---|
| admin_domain | Defines a domain for an administrative user. |
| append_logdir_domain | Authorizes a specified domain to create, read, and append to logfiles within its own specially labeled logging directory. |
| append_log_domain | Authorizes a specified domain to read and append to its own specially labeled logfiles. |
| application_domain | Authorizes a specified domain to perform operations common to simple applications. |
| base_file_read_access | Authorizes a specified domain to read and search several system file types. |
| base_pty_perms | Authorizes a specified domain to access the pty master multiplexer domain and to search /dev/pts. |
| base_user_domain | Defines a domain for a nonadministrative user. |
| can_create_other_pty | Authorizes a specified domain to create new ptys for another specified domain. |
| can_create_pty | Authorizes a specified domain to create new ptys. |
| can_exec | Authorizes a specified domain to execute files having a specified type (domain) without transitioning to a new domain. |
| can_exec_any | Authorizes a specified domain to execute a variety of executable types. |
| can_getcon | Authorizes a specified domain to obtain its execution context. |
| can_getsecurity | Authorizes a specified domain to query the security server. |
| can_loadpol | Authorizes a specified domain to load a policy. |
| can_network | Authorizes a specified domain to access the network. |
| can_ps | Authorizes a process in a specified domain to see /proc entries for processes in another specified domain. |
| can_ptrace | Authorizes a specified domain to trace processes executing in another specified domain. |
| can_setbool | Authorizes a specified domain to set a policy Boolean. |
| can_setenforce | Authorizes a specified domain to set the SELinux enforcement mode. |
| can_setexec | Authorizes a specified domain to set its exec context. |
| can_setfscreate | Authorizes a specified domain to set its fscreate context. |
| can_sysctl | Authorizes a specified domain to modify sysctl parameters. |
| can_tcp_connect | Authorizes a specified domain to establish a TCP connection with another specified domain. |
| can_udp_send | Authorizes a specified domain to send UDP datagrams to another specified domain. |
| can_unix_connect | Authorizes two specified domains to establish a Unix stream connection. |
| can_unix_send | Authorizes a specified domain to send Unix datagrams to another specified domain. |
| create_append_log_file | Authorizes a specified domain to read, write, and add names to directories and to create and append to files. |
| create_dir_file | Authorizes a specified domain to create and use directories and files. |
| create_dir_notdevfile | Defines access-vector rules for creating and using directories and nondevice files. |
| create_dir_perms | Defines permissions needed to create and use directories. |
| create_file_perms | Defines permissions needed to create and use files. |
| create_msgq_perms | Defines permissions needed to create message queues and to read and write message queues and their attributes. |
| create_sem_perms | Defines permissions needed to create semaphores and to read and write semaphores and their attributes. |
| create_shm_perms | Defines permissions needed to create shared memory segments and to read and write shared memory segments and their attributes. |
| create_socket_perms | Defines permissions needed to create, read, write, and otherwise use sockets. |
| create_stream_socket_perms | Defines permissions needed to create, read, write, and otherwise use stream sockets. |
| daemon_base_domain | Authorizes a specified domain to perform a variety of operations useful to daemons, including those authorized by daemon_core_rules. |
| daemon_core_rules | Authorizes a specified domain to access a variety of types useful to daemons. |
| daemon_domain | Authorizes a specified domain to use PID files. |
| daemon_sub_domain | Defines a child domain of a specified domain. |
| devfile_class_set | Defines a class that includes all device file classes. |
| dgram_socket_class_set | Defines a class that includes all datagram socket classes. |
| dir_file_class_set | Defines a class that includes all directory and file classes. |
| domain_auto_trans | Authorizes a specified domain to automatically transition to another specified domain. |
| domain_trans | Authorizes a specified domain to transition to another specified domain. |
| etcdir_domain | Authorizes a specified domain to read files within its own specially labeled configuration subdirectory of directories labeled etc_t. |
| etc_domain | Authorizes a specified domain to read its own specially labeled configuration files residing in directories labeled etc_t. |
| file_class_set | Defines a class including all nondirectory file classes. |
| file_type_auto_trans | Authorizes a specified domain to automatically label with a specified type files created within directories having another specified type. |
| file_type_trans | Authorizes a specified domain to label with a specified type files created within directories having another specified type. |
| full_user_role | Defines a role for a user who logs in to the system and has full user status. |
| general_domain_access | Authorizes a specified domain to access processes, PID files, file descriptors, pipes, Unix sockets, and IPC objects belonging to the domain. |
| general_proc_read_access | Authorizes a specified domain to access most nodes in the /proc filesystem. |
| init_service_domain | Authorizes a specified domain to perform operations useful to programs that are run from init. |
| in_user_role | Defines a type as accessible to the user_r and staff_r roles. |
| link_file_perms | Defines permissions needed to link, unlink, and rename files. |
| lock_domain | Authorizes a specified domain to use its own specially labeled lock files within directories labeled var_lock_t. |
| logdir_domain | Authorizes a specified domain to create private logfiles. |
| log_domain | Authorizes a specified domain to use files having type var_log_t. |
| mini_user_domain | Defines a simple domain for a nonadministrative user having minimal privileges. |
| mount_fs_perms | Defines permissions needed to mount and unmount filesystems. |
| notdevfile_class_set | Defines a class including all nondevice file classes. |
| packet_perms | Defines permissions needed to send and receive network packets. |
| pty_slave_label | Authorizes a specified domain to access a slave pty, but not to create new ptys. |
| r_dir_file | Authorizes a specified domain to read directories and files. |
| r_dir_perms | Defines permissions needed to read directories and directory attributes. |
| r_file_perms | Defines permissions needed to read files and file attributes. |
| r_msgq_perms | Defines permissions needed to read message queues and message queue attributes. |
| r_sem_perms | Defines permissions needed to read semaphores and semaphore attributes. |
| r_shm_perms | Defines permissions needed to read shared memory segments and shared memory segment attributes. |
| ra_dir_create_file | Defines access-vector rules for reading directories and files, creating and appending to files, and adding names to directories. |
| ra_dir_file | Defines access-vector rules for reading directories and files, appending to files, and adding names to directories. |
| ra_dir_perms | Defines permissions needed to read directories and add names to directories. |
| ra_file_perms | Defines permissions needed to read and append to files. |
| read_locale | Authorizes a specified domain to read the locale data, /etc/localtime, and the file to which it links. |
| read_sysctl | Authorizes a specified domain to read sysctl variables. |
| rw_dir_create_file | Authorizes a specified domain to read and write directories and to create and use files. |
| rw_dir_file | Defines access-vector rules for reading and writing files and directories. |
| rw_dir_perms | Defines permissions needed to read and write directories and directory attributes. |
| rw_file_perms | Defines permissions needed to read and write files and file attributes. |
| rw_msgq_perms | Defines permissions needed to read and write message queues and their attributes. |
| rw_sem_perms | Defines permissions needed to read and write semaphores and their attributes. |
| rw_shm_perms | Defines permissions needed to read and write shared memory segments and their attributes. |
| rw_socket_perms | Defines permissions needed to read, write, and otherwise use (but not create) sockets. |
| rw_stream_socket_perms | Defines permissions needed to read, write, and otherwise use (but not create) stream sockets. |
| rx_file_perms | Defines permissions needed to read and execute files. |
| signal_perms | Defines permissions needed to send signals to processes. |
| socket_class_set | Defines a class including all socket classes. |
| stat_file_perms | Defines permissions needed to get file attributes. |
| stream_socket_class_set | Defines a class including all stream socket classes. |
| system_domain | Authorizes a specified domain to use shared libraries and the system log, to access system administration files, and to perform other operations common to system processes. |
| tmp_domain | Authorizes a specified domain to create and use files having type tmp_t. |
| tmpfs_domain | Authorizes a specified domain to create and use files having type tmpfs_t. |
| unconfined_domain | Authorizes a specified domain to perform any operation permitted by Linux DAC, effectively bypassing all SELinux policy checks. |
| unpriv_socket_class_set | Defines a class including all nonprivileged socket classes (excludes rawip-, netlink-, and packet-related classes). |
| user_application_domain | Authorizes a specified domain to perform operations common to simple applications and defines the domain as a user domain. |
| user_domain | Defines a domain for a nonadministrative user. |
| uses_authbind | Authorizes a specified domain to use services provided by the authbind_t domain. |
| uses_shlib | Authorizes a specified domain to use shared libraries. |
| var_lib_domain | Authorizes a specified domain to use files having type var_lib_t. |
| var_run_domain | Authorizes a specified domain to create files in /var/run and in other directories created for the domain. |
| x_file_perms | Defines permissions needed to execute files. |
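To show how the macros in the table compose into a confined domain, here is an added example of a small daemon policy fragment in the m4-based policy language of that era. It is not taken from the book or from the Fedora Core 2 policy sources: the macro names are the table's, but the argument conventions (a name prefix for the `*_domain` macros, full type names for `can_*`, `can_exec`, and `r_dir_file`), the types `mydaemon_t`, `mydaemon_exec_t`, `mydaemon_etc_t`, `mydaemon_log_t`, and `mydaemon_tmp_t` that the prefix macros are assumed to define, and the existing types `bin_t` and `usr_t` are assumptions to check against the local `src/policy/macros` before use.

```m4
# Added example, not from the book or the Fedora Core 2 policy.
# Assumed conventions: daemon_domain(name) defines name_t and name_exec_t;
# etc_domain, log_domain and tmp_domain define name_etc_t, name_log_t and
# name_tmp_t; the can_* and r_dir_file macros take full type names.

# Daemon domain and its entry-point executable type. Per Table C-1,
# daemon_domain layers PID-file (/var/run) access on daemon_base_domain.
daemon_domain(mydaemon)

# Private types for the daemon's own data, each granted only what the
# macro's description allows: read-only configuration under etc_t
# directories, append-style logging under var_log_t, and scratch files
# under tmp_t. Nothing else on the system is labeled with these types,
# so a compromise of mydaemon_t cannot reach other services' files.
etc_domain(mydaemon)
log_domain(mydaemon)
tmp_domain(mydaemon)

# Read-only access to shared, non-private data: r_dir_file instead of a
# broad create_dir_file grant. (usr_t is an assumed existing type.)
r_dir_file(mydaemon_t, usr_t)

# Run standard helper binaries without a domain transition; the helper
# stays confined by mydaemon_t's rules. (bin_t is an assumed existing type.)
can_exec(mydaemon_t, bin_t)

# Network access is an explicit grant; omit this line for a daemon that
# only listens on Unix sockets, and audit2allow denials will show whether
# it was actually needed.
can_network(mydaemon_t)
```

The point of composing from the higher-level `*_domain` macros rather than hand-writing `allow` rules is that each private type (`mydaemon_etc_t`, `mydaemon_log_t`, `mydaemon_tmp_t`) is reachable only from `mydaemon_t`, and the permission sets are the audited ones named in the table (for instance `r_file_perms` for configuration, `ra_file_perms` for logs), so the resulting domain holds the least privilege the macros express and nothing more.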