[selinux-policy/f17] - Add files_dontaudit_read_all_sockets interface - Add gnome_dontaudit_rw_inherited_config interface
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Mar 5 13:59:25 UTC 2013
commit c489fb2ed8ebc6c8ba6e3d14e870cdccfd60d014
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Mar 5 14:58:21 2013 +0100
- Add files_dontaudit_read_all_sockets interface
- Add gnome_dontaudit_rw_inherited_config interface
- Allow httpd_collectd_script to read /etc/passwd
- Allow milter domains to read /dev/random
- Backport readahead fixes from F18
- Allow collectd to read utmp
- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
- Fix svnserve policy
- Add additional fixes for ecryptfs
- Add additional interface for ecryptfs
- Dontaudit leak fd for mozilla_plugin_config
- Allow pppd to send signull
policy-F16.patch | 1100 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 16 +-
2 files changed, 824 insertions(+), 292 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 6c559a0..03c047e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65877,7 +65877,7 @@ index 47c4723..64c8889 100644
+')
+
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..ef944a4 100644
+index b4ac57e..4456700 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -65916,7 +65916,7 @@ index b4ac57e..ef944a4 100644
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
-@@ -53,10 +59,18 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,10 +59,20 @@ domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
@@ -65926,6 +65926,8 @@ index b4ac57e..ef944a4 100644
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_dontaudit_all_access_check(readahead_t)
++files_dontaudit_read_security_files(readahead_t)
++files_dontaudit_read_all_sockets(readahead_t)
+
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_write_all_files(readahead_t)
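Review bot: The two added rules, `files_dontaudit_read_security_files(readahead_t)` and `files_dontaudit_read_all_sockets(readahead_t)`, are unconditional, while the neighbouring `files_dontaudit_write_all_files(readahead_t)` sits inside the hide_broken_symptoms ifdef. They grant no access, but they suppress the AVC denials that would otherwise show readahead_t attempting to read security files and sockets, so an administrator would only see those events after rebuilding policy with dontaudit rules disabled (`semodule -DB`). A short comment above the two lines stating why the denials are expected would help, for example `# denials on security files and sockets are expected while preloading; do not log them`, if that is indeed the reason. If the suppression is purely cosmetic, consider moving the two lines into the hide_broken_symptoms block, whose body continues outside this hunk.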
@@ -65935,7 +65937,7 @@ index b4ac57e..ef944a4 100644
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +80,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +82,14 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -65950,7 +65952,7 @@ index b4ac57e..ef944a4 100644
storage_raw_read_fixed_disk(readahead_t)
-@@ -82,6 +98,8 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -82,6 +100,8 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
@@ -68347,10 +68349,10 @@ index 0000000..efebae7
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..a0f7ed7
+index 0000000..8295414
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,196 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -68487,6 +68489,12 @@ index 0000000..a0f7ed7
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(chrome_sandbox_t)
++ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
++ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
++')
++
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
@@ -68990,10 +68998,10 @@ index 00a19e3..17006fc 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..dbf40ce 100644
+index f5afe78..c675357 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,957 @@
+@@ -1,44 +1,975 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -69192,6 +69200,24 @@ index f5afe78..dbf40ce 100644
+
+########################################
+## <summary>
++## Dontaudit read gnome homedir content (.config)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`gnome_dontaudit_rw_inherited_config',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+## Dontaudit search gnome homedir content (.config)
+## </summary>
+## <param name="domain">
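Review bot: The summary of `gnome_dontaudit_rw_inherited_config` says "Dontaudit read gnome homedir content (.config)", but the rule is `dontaudit $1 gnome_home_type:file rw_inherited_file_perms;`, which covers read and write on inherited descriptors for every type carrying the `gnome_home_type` attribute, not only the config type. Suggest `## Do not audit attempts to read and write inherited gnome home files.` so the text matches the scope of what is silenced. The caller added in the mozilla.te hunk, `gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)`, has no explanation either; a one-line comment such as `# file descriptors leaked from the parent process` would record the reason the commit message gives ("Dontaudit leak fd for mozilla_plugin_config").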
@@ -69969,7 +69995,7 @@ index f5afe78..dbf40ce 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +959,74 @@ interface(`gnome_role',`
+@@ -46,37 +977,74 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -70055,7 +70081,7 @@ index f5afe78..dbf40ce 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +1034,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1052,53 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -70120,7 +70146,7 @@ index f5afe78..dbf40ce 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1088,80 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1106,80 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -70205,7 +70231,7 @@ index f5afe78..dbf40ce 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1169,307 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1187,307 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -72393,7 +72419,7 @@ index fbb5c5a..b644095 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..1f50723 100644
+index 2e9318b..63839d5 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72707,12 +72733,12 @@ index 2e9318b..1f50723 100644
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
-')
-+userdom_home_manager(mozilla_plugin_t)
-
+-
-tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
-')
--
++userdom_home_manager(mozilla_plugin_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
@@ -72768,18 +72794,18 @@ index 2e9318b..1f50723 100644
')
optional_policy(`
-@@ -446,10 +519,108 @@ optional_policy(`
+@@ -446,10 +519,112 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ pcscd_stream_connect(mozilla_plugin_t)
')
optional_policy(`
++ pcscd_stream_connect(mozilla_plugin_t)
++')
++
++optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
+')
+
@@ -72858,6 +72884,10 @@ index 2e9318b..1f50723 100644
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+optional_policy(`
++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
++')
++
++optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
+ifdef(`distro_redhat',`
@@ -77613,7 +77643,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..4151c84 100644
+index 3fae11a..5120d22 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -77919,7 +77949,7 @@ index 3fae11a..4151c84 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +371,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +371,12 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -77928,10 +77958,11 @@ index 3fae11a..4151c84 100644
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +417,22 @@ ifdef(`distro_redhat', `
+@@ -363,20 +418,22 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -77958,7 +77989,7 @@ index 3fae11a..4151c84 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +441,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +442,13 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -82340,7 +82371,7 @@ index c19518a..145c899 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..3dec529 100644
+index ff006ea..0cdcd75 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -82505,7 +82536,32 @@ index ff006ea..3dec529 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -1053,10 +1181,8 @@ interface(`files_relabel_all_files',`
+@@ -952,6 +1080,24 @@ interface(`files_getattr_all_sockets',`
+
+ ########################################
+ ## <summary>
++## Get the attributes of all named sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_read_all_sockets',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:sock_file read;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the attributes
+ ## of all named sockets.
+ ## </summary>
+@@ -1053,10 +1199,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
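Review bot: The documentation block of the new `files_dontaudit_read_all_sockets` interface appears to be copied from `files_getattr_all_sockets` and does not describe the rule. The summary reads "Get the attributes of all named sockets." and the parameter reads "Domain allowed access.", while the body is `dontaudit $1 file_type:sock_file read;`. Suggest `## Do not audit attempts to read all named sockets.` for the summary and `## Domain to not audit.` for the parameter, in line with the dontaudit getattr interface that follows it. The rule applies to every `file_type` socket and hides denials rather than granting access, so the generated interface documentation should say so for anyone auditing which events a domain has suppressed.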
@@ -82518,7 +82574,7 @@ index ff006ea..3dec529 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1608,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1626,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -82561,7 +82617,7 @@ index ff006ea..3dec529 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1562,7 +1724,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1742,7 @@ interface(`files_root_filetrans',`
type root_t;
')
@@ -82570,7 +82626,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -1660,6 +1822,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1840,42 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -82613,7 +82669,7 @@ index ff006ea..3dec529 100644
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1678,6 +1876,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1894,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -82638,7 +82694,7 @@ index ff006ea..3dec529 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -1848,7 +2064,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +2082,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -82647,7 +82703,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -2372,6 +2588,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2606,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -82672,7 +82728,7 @@ index ff006ea..3dec529 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2451,7 +2685,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2703,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -82681,7 +82737,7 @@ index ff006ea..3dec529 100644
## </summary>
## </param>
#
-@@ -2507,6 +2741,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2759,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -82707,7 +82763,7 @@ index ff006ea..3dec529 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2525,6 +2778,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2796,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -82732,7 +82788,7 @@ index ff006ea..3dec529 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2624,7 +2895,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2913,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -82741,7 +82797,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -2680,24 +2951,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2969,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -82766,11 +82822,66 @@ index ff006ea..3dec529 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -2738,6 +2991,42 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,9 +3009,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
+-## Do not audit attempts to read files
+-## in /etc that are dynamically
+-## created on boot, such as mtab.
+## Do not audit attempts to set the attributes of the etc_runtime files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2748,41 +3017,80 @@ interface(`files_read_etc_runtime_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_read_etc_runtime_files',`
++interface(`files_dontaudit_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+- dontaudit $1 etc_runtime_t:file { getattr read };
++ dontaudit $1 etc_runtime_t:file setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write files in /etc that are dynamically
+-## created on boot, such as mtab.
++## Do not audit attempts to write etc_runtime files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_rw_etc_runtime_files',`
++interface(`files_dontaudit_write_etc_runtime_files',`
+ gen_require(`
+- type etc_t, etc_runtime_t;
++ type etc_runtime_t;
+ ')
+
+- allow $1 etc_t:dir list_dir_perms;
+- rw_files_pattern($1, etc_t, etc_runtime_t)
++ dontaudit $1 etc_runtime_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files in
+-## /etc that are dynamically created on boot,
+-## such as mtab.
+-## </summary>
++## Do not audit attempts to read files
++## in /etc that are dynamically
++## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -82778,46 +82889,46 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_setattr_etc_runtime_files',`
++interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
-+ dontaudit $1 etc_runtime_t:file setattr;
++ dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to write etc_runtime files
++## Read and write files in /etc that are dynamically
++## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`files_dontaudit_write_etc_runtime_files',`
++interface(`files_rw_etc_runtime_files',`
+ gen_require(`
-+ type etc_runtime_t;
++ type etc_t, etc_runtime_t;
+ ')
+
-+ dontaudit $1 etc_runtime_t:file write;
++ allow $1 etc_t:dir list_dir_perms;
++ rw_files_pattern($1, etc_t, etc_runtime_t)
++ read_lnk_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+## <summary>
- ## Do not audit attempts to read files
- ## in /etc that are dynamically
- ## created on boot, such as mtab.
-@@ -2775,6 +3064,7 @@ interface(`files_rw_etc_runtime_files',`
-
- allow $1 etc_t:dir list_dir_perms;
- rw_files_pattern($1, etc_t, etc_runtime_t)
-+ read_lnk_files_pattern($1, etc_t, etc_t)
- ')
-
- ########################################
-@@ -2796,6 +3086,7 @@ interface(`files_manage_etc_runtime_files',`
++## Create, read, write, and delete files in
++## /etc that are dynamically created on boot,
++## such as mtab.
++## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+@@ -2796,6 +3104,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -82825,7 +82936,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -2819,7 +3110,7 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -2819,7 +3128,7 @@ interface(`files_etc_filetrans_etc_runtime',`
type etc_t, etc_runtime_t;
')
@@ -82834,7 +82945,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -3166,6 +3457,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3166,6 +3475,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -82860,7 +82971,7 @@ index ff006ea..3dec529 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3364,7 +3674,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3692,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -82869,7 +82980,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -3502,20 +3812,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3830,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -82913,7 +83024,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -3804,7 +4132,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4150,7 @@ interface(`files_kernel_modules_filetrans',`
type modules_object_t;
')
@@ -82922,7 +83033,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -3900,6 +4228,127 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4246,127 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -83050,7 +83161,7 @@ index ff006ea..3dec529 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3922,6 +4371,26 @@ interface(`files_associate_tmp',`
+@@ -3922,6 +4389,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -83077,7 +83188,7 @@ index ff006ea..3dec529 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -3935,6 +4404,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3935,6 +4422,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -83085,7 +83196,7 @@ index ff006ea..3dec529 100644
allow $1 tmp_t:dir getattr;
')
-@@ -3945,7 +4415,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4433,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -83094,7 +83205,7 @@ index ff006ea..3dec529 100644
## </summary>
## </param>
#
-@@ -3972,6 +4442,7 @@ interface(`files_search_tmp',`
+@@ -3972,6 +4460,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -83102,7 +83213,7 @@ index ff006ea..3dec529 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4008,6 +4479,7 @@ interface(`files_list_tmp',`
+@@ -4008,6 +4497,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -83110,7 +83221,7 @@ index ff006ea..3dec529 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4017,7 +4489,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4507,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -83119,7 +83230,7 @@ index ff006ea..3dec529 100644
## </summary>
## </param>
#
-@@ -4029,6 +4501,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4519,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -83145,7 +83256,7 @@ index ff006ea..3dec529 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4044,6 +4535,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4044,6 +4553,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -83153,7 +83264,7 @@ index ff006ea..3dec529 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4085,6 +4577,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4595,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -83186,7 +83297,7 @@ index ff006ea..3dec529 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4139,6 +4657,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4675,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -83229,7 +83340,7 @@ index ff006ea..3dec529 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4155,6 +4709,24 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4155,6 +4727,24 @@ interface(`files_setattr_all_tmp_dirs',`
allow $1 tmpfile:dir { search_dir_perms setattr };
')
@@ -83254,7 +83365,7 @@ index ff006ea..3dec529 100644
########################################
## <summary>
## List all tmp directories.
-@@ -4202,7 +4774,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4792,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -83263,7 +83374,7 @@ index ff006ea..3dec529 100644
## </summary>
## </param>
#
-@@ -4262,7 +4834,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4852,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -83272,7 +83383,7 @@ index ff006ea..3dec529 100644
## </summary>
## </param>
#
-@@ -4318,7 +4890,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4908,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -83281,7 +83392,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -4342,6 +4914,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4932,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -83298,7 +83409,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -4681,7 +5263,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5281,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -83307,7 +83418,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -4914,6 +5496,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5514,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -83332,7 +83443,7 @@ index ff006ea..3dec529 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5084,7 +5684,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5702,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -83341,7 +83452,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5219,7 +5819,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5837,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83350,7 +83461,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5259,6 +5859,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5877,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -83376,10 +83487,11 @@ index ff006ea..3dec529 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5923,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,7 +5941,26 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
+-## Search the locks directory (/var/lock).
+## List generic lock directories.
+## </summary>
+## <param name="domain">
@@ -83399,10 +83511,11 @@ index ff006ea..3dec529 100644
+
+########################################
+## <summary>
- ## Search the locks directory (/var/lock).
++## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5317,6 +5955,8 @@ interface(`files_search_locks',`
+ ## <summary>
+@@ -5317,6 +5973,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -83411,7 +83524,7 @@ index ff006ea..3dec529 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5976,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5994,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -83427,7 +83540,7 @@ index ff006ea..3dec529 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5349,12 +5991,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +6009,30 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -83460,7 +83573,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5373,6 +6033,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +6051,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -83468,7 +83581,7 @@ index ff006ea..3dec529 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +6046,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +6064,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -83476,7 +83589,7 @@ index ff006ea..3dec529 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +6072,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +6090,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -83485,7 +83598,7 @@ index ff006ea..3dec529 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +6088,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +6106,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -83502,7 +83615,7 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5452,7 +6112,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +6130,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -83511,7 +83624,7 @@ index ff006ea..3dec529 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +6153,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6171,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -83520,7 +83633,7 @@ index ff006ea..3dec529 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6175,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6193,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -83529,7 +83642,7 @@ index ff006ea..3dec529 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6207,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6225,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -83540,20 +83653,15 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5608,14 +6268,51 @@ interface(`files_search_pids',`
+@@ -5608,6 +6286,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
--########################################
+######################################
- ## <summary>
--## Do not audit attempts to search
--## the /var/run directory.
++## <summary>
+## Add and remove entries from pid directories.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -83586,18 +83694,10 @@ index ff006ea..3dec529 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
-+########################################
-+## <summary>
-+## Do not audit attempts to search
-+## the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -5629,6 +6326,25 @@ interface(`files_dontaudit_search_pids',`
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to search
+@@ -5629,6 +6344,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -83623,7 +83723,7 @@ index ff006ea..3dec529 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -5736,7 +6452,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6470,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83632,29 +83732,431 @@ index ff006ea..3dec529 100644
')
########################################
-@@ -5815,6 +6531,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6549,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
+-## Read all process ID files.
+## Relable all pid directories
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5845,42 +6575,35 @@ interface(`files_read_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+- attribute polymember;
++ attribute pidfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
++## Create all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
++## Create all pid named pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5888,20 +6611,17 @@ interface(`files_delete_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## Delete all pid named pipes
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5909,56 +6629,59 @@ interface(`files_delete_all_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
++## manage all pidfile directories
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+- type var_spool_t;
++ attribute pidfile;
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ manage_dirs_pattern($1,pidfile,pidfile)
+ ')
+
++
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Read all process ID files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_list_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Relable all pid files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5966,18 +6689,17 @@ interface(`files_list_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
++## Execute generic programs in /var/run in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5985,19 +6707,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
+- type var_t, var_spool_t;
++ type var_run_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
++## manage all pidfiles
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6005,104 +6726,61 @@ interface(`files_read_generic_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
+-## </param>
+-## <param name="class">
+-## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-## </summary>
+-## </param>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute polymember;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to files.
++## Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6110,10 +6788,657 @@ interface(`files_polyinstantiate_all',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
++interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+- attribute files_unconfined_type;
++ attribute pidfile;
++ type var_t;
+ ')
+
+- typeattribute $1 files_unconfined_type;
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++## Make the specified type a file
++## used for spool files.
+## </summary>
-+## <param name="domain">
++## <desc>
++## <p>
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>files_spool_filetrans()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++## </p>
++## <p>
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++## </p>
++## </desc>
++## <param name="file_type">
+## <summary>
-+## Domain allowed access.
++## Type of the file to be used as a
++## spool file.
+## </summary>
+## </param>
++## <infoflow type="none"/>
+#
-+interface(`files_relabel_all_pid_dirs',`
++interface(`files_spool_file',`
+ gen_require(`
-+ attribute pidfile;
++ attribute spoolfile;
+ ')
+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
++ files_type($1)
++ typeattribute $1 spoolfile;
+')
+
+########################################
+## <summary>
-+## Delete all pid sockets
++## Create all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
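Review bot: The usage example in the `files_spool_file` documentation declares `type myspoolfile_t;`, but the three lines after it all use `myfile_spool_t`, so the example refers to a type it never declares. Use one name throughout, for instance `type myfile_spool_t;` on the first line of the example. The same hunk also carries the summaries `Relable all pid directories` and `Relable all pid files`, which should read `Relabel`.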
@@ -83662,17 +84164,17 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_pid_sockets',`
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
-+ attribute pidfile;
++ attribute spoolfile;
+ ')
+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
++ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## Create all pid sockets
++## Delete all spool sockets
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83680,17 +84182,18 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_create_all_pid_sockets',`
++interface(`files_delete_all_spool_sockets',`
+ gen_require(`
-+ attribute pidfile;
++ attribute spoolfile;
+ ')
+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## Create all pid named pipes
++## Search the contents of generic spool
++## directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83698,36 +84201,37 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_search_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
++ search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Delete all pid named pipes
++## Do not audit attempts to search generic
++## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_dontaudit_search_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_spool_t;
+ ')
+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## manage all pidfile directories
-+## in the /var/run directory.
++## List the contents of generic spool
++## (/var/spool) directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83735,30 +84239,18 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_list_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_dirs_pattern($1,pidfile,pidfile)
++ list_dirs_pattern($1, var_t, var_spool_t)
+')
+
-+
+########################################
+## <summary>
- ## Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -5832,6 +6658,62 @@ interface(`files_read_all_pids',`
-
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Relable all pid files
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83766,17 +84258,18 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ relabel_files_pattern($1, pidfile, pidfile)
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Execute generic programs in /var/run in the caller domain.
++## Read generic spool files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83784,18 +84277,19 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_exec_generic_pid_files',`
++interface(`files_read_generic_spool',`
+ gen_require(`
-+ type var_run_t;
++ type var_t, var_spool_t;
+ ')
+
-+ exec_files_pattern($1, var_run_t, var_run_t)
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## manage all pidfiles
-+## in the /var/run directory.
++## Create, read, write, and delete generic
++## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83803,68 +84297,50 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_manage_all_pids',`
++interface(`files_manage_generic_spool',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
-@@ -5900,6 +6782,90 @@ interface(`files_delete_all_pid_dirs',`
-
- ########################################
- ## <summary>
-+## Make the specified type a file
-+## used for spool files.
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Create objects in the spool directory
++## with a private type with a type transition.
+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+## </p>
-+## <p>
-+## Related interfaces:
-+## </p>
-+## <ul>
-+## <li>files_spool_filetrans()</li>
-+## </ul>
-+## <p>
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+## </p>
-+## <p>
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+## </p>
-+## </desc>
-+## <param name="file_type">
++## <param name="domain">
+## <summary>
-+## Type of the file to be used as a
-+## spool file.
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
+## </summary>
+## </param>
-+## <infoflow type="none"/>
+#
-+interface(`files_spool_file',`
++interface(`files_spool_filetrans',`
+ gen_require(`
-+ attribute spoolfile;
++ type var_t, var_spool_t;
+ ')
+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
-+## Create all spool sockets
++## Allow access to manage all polyinstantiated
++## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
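Review bot: `files_spool_filetrans` forwards a fourth argument in `filetrans_pattern($1, var_spool_t, $2, $3, $4)`, but its header documents only `domain`, `file` and `class`. Add a fourth `<param>` block for the object name, marked optional, saying that it limits the transition to objects created with that name. The definition of `filetrans_pattern` is not visible here, so confirm that an empty `$4` gives three-argument callers the same unnamed transition as before. The `class` summary also has a stray word: `for which this the transition will occur`.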
@@ -83872,17 +84348,53 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_create_all_spool_sockets',`
++interface(`files_polyinstantiate_all',`
+ gen_require(`
-+ attribute spoolfile;
++ attribute polydir, polymember, polyparent;
++ type poly_t;
+ ')
+
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Delete all spool sockets
++## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -83890,35 +84402,16 @@ index ff006ea..3dec529 100644
+## </summary>
+## </param>
+#
-+interface(`files_delete_all_spool_sockets',`
++interface(`files_unconfined',`
+ gen_require(`
-+ attribute spoolfile;
++ attribute files_unconfined_type;
+ ')
+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
++ typeattribute $1 files_unconfined_type;
+')
+
+########################################
+## <summary>
- ## Search the contents of generic spool
- ## directories (/var/spool).
- ## </summary>
-@@ -6042,7 +7008,7 @@ interface(`files_spool_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3)
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
- ')
-
- ########################################
-@@ -6117,3 +7083,344 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
@@ -84256,7 +84749,7 @@ index ff006ea..3dec529 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
-+')
+ ')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 22821ff..ccadbc1 100644
--- a/policy/modules/kernel/files.te
@@ -84355,7 +84848,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..41e214d 100644
+index 97fcdac..f3cef22 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -84663,7 +85156,7 @@ index 97fcdac..41e214d 100644
## Search dosfs filesystem.
## </summary>
## <param name="domain">
-@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+@@ -1793,6 +1973,205 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -84787,6 +85280,23 @@ index 97fcdac..41e214d 100644
+ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
+
++#######################################
++## <summary>
++## Dontaudit append files on ecrypt filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_append_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++ dontaudit $1 ecryptfs_t:file append;
++')
++
+########################################
+## <summary>
+## Manage symbolic links on a FUSEFS filesystem.
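Review bot: The parameter text for `fs_dontaudit_append_ecryptfs_files` says `Domain allowed access.`, but the body is `dontaudit $1 ecryptfs_t:file append;`, which grants nothing and only suppresses the denial record. Change it to `Domain to not audit.`, the wording `files_dontaudit_search_spool` uses, so that nobody auditing the policy reads this interface as an allow rule. The summary would be clearer as `Do not audit attempts to append to files on an ecryptfs filesystem.`, and a blank line between the `gen_require` block and the rule would match the neighbouring interfaces.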
@@ -84852,7 +85362,7 @@ index 97fcdac..41e214d 100644
########################################
## <summary>
## Mount a FUSE filesystem.
-@@ -1811,6 +2173,25 @@ interface(`fs_mount_fusefs',`
+@@ -1811,6 +2190,25 @@ interface(`fs_mount_fusefs',`
allow $1 fusefs_t:filesystem mount;
')
@@ -84878,7 +85388,7 @@ index 97fcdac..41e214d 100644
########################################
## <summary>
## Unmount a FUSE filesystem.
-@@ -2006,21 +2387,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+@@ -2006,21 +2404,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
########################################
## <summary>
@@ -84967,7 +85477,7 @@ index 97fcdac..41e214d 100644
')
########################################
-@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2540,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -84992,7 +85502,7 @@ index 97fcdac..41e214d 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -85006,7 +85516,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2480,6 +2942,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2959,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -85014,7 +85524,7 @@ index 97fcdac..41e214d 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2981,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2998,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -85022,7 +85532,7 @@ index 97fcdac..41e214d 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +3008,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +3025,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -85048,7 +85558,7 @@ index 97fcdac..41e214d 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2564,7 +3047,7 @@ interface(`fs_append_nfs_files',`
+@@ -2564,7 +3064,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@@ -85057,7 +85567,7 @@ index 97fcdac..41e214d 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
-@@ -2584,6 +3067,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +3084,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -85100,7 +85610,7 @@ index 97fcdac..41e214d 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +3117,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +3134,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -85109,7 +85619,7 @@ index 97fcdac..41e214d 100644
')
########################################
-@@ -2622,7 +3141,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2622,7 +3158,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@@ -85118,7 +85628,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2736,7 +3255,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3272,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -85127,7 +85637,7 @@ index 97fcdac..41e214d 100644
## </summary>
## </param>
#
-@@ -2772,7 +3291,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3308,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -85136,7 +85646,7 @@ index 97fcdac..41e214d 100644
## </summary>
## </param>
#
-@@ -2965,6 +3484,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3501,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -85144,7 +85654,7 @@ index 97fcdac..41e214d 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3525,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3542,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -85152,7 +85662,7 @@ index 97fcdac..41e214d 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3566,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3583,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -85160,7 +85670,7 @@ index 97fcdac..41e214d 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3258,6 +3780,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3797,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -85185,7 +85695,7 @@ index 97fcdac..41e214d 100644
########################################
## <summary>
## Read and write NFS server files.
-@@ -3278,6 +3818,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3278,6 +3835,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@@ -85210,7 +85720,7 @@ index 97fcdac..41e214d 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
-@@ -3387,7 +3945,7 @@ interface(`fs_search_ramfs',`
+@@ -3387,7 +3962,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@@ -85219,7 +85729,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3424,7 +3982,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3424,7 +3999,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@@ -85228,7 +85738,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3442,7 +4000,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3442,7 +4017,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@@ -85237,7 +85747,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3810,6 +4368,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3810,6 +4385,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@@ -85262,7 +85772,7 @@ index 97fcdac..41e214d 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
-@@ -3958,6 +4534,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4551,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -85305,7 +85815,7 @@ index 97fcdac..41e214d 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4059,7 +4671,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4059,7 +4688,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -85314,7 +85824,7 @@ index 97fcdac..41e214d 100644
')
########################################
-@@ -4119,6 +4731,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4119,6 +4748,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@@ -85339,7 +85849,7 @@ index 97fcdac..41e214d 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
-@@ -4156,7 +4786,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4156,7 +4803,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@@ -85348,7 +85858,7 @@ index 97fcdac..41e214d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4175,6 +4805,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4822,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -85391,7 +85901,7 @@ index 97fcdac..41e214d 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4232,6 +4898,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4232,6 +4915,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@@ -85416,7 +85926,7 @@ index 97fcdac..41e214d 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
-@@ -4251,6 +4935,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4952,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -85442,7 +85952,7 @@ index 97fcdac..41e214d 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +5160,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +5177,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -85451,7 +85961,7 @@ index 97fcdac..41e214d 100644
')
########################################
-@@ -4503,7 +5208,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +5225,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -85460,7 +85970,7 @@ index 97fcdac..41e214d 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5571,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5588,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -100085,10 +100595,10 @@ index 0000000..40415f8
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..6cefd75
+index 0000000..7d58fe5
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,96 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -100126,6 +100636,7 @@ index 0000000..6cefd75
+#
+
+allow collectd_t self:capability { ipc_lock sys_nice };
++dontaudit collectd_t self:capability { net_raw net_admin};
+allow collectd_t self:process { getsched setsched signal fork };
+
+allow collectd_t self:fifo_file rw_fifo_file_perms;
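Review bot: The added `dontaudit collectd_t self:capability { net_raw net_admin};` silences the audit record for two network capabilities without saying which collectd code path asks for them, and the commit description does not list the rule. If a plugin really needs raw sockets, the denial now fails silently and is hard to diagnose; if nothing needs them, the hidden denial removes a signal that the daemon attempted something unusual. I would put a one-line comment above the rule naming the trigger (for example `# <plugin> probes for raw-socket support; denial is harmless`, worded for the actual cause) and fix the brace spacing to `{ net_raw net_admin };`. The local policy section continues outside this hunk.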
@@ -100156,6 +100667,8 @@ index 0000000..6cefd75
+
+fs_getattr_all_fs(collectd_t)
+
++init_read_utmp(collectd_t)
++
+miscfiles_read_localization(collectd_t)
+
+logging_send_syslog_msg(collectd_t)
@@ -100175,6 +100688,8 @@ index 0000000..6cefd75
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++
++ auth_read_passwd(httpd_collectd_script_t)
+')
+
+optional_policy(`
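Review bot: `auth_read_passwd(httpd_collectd_script_t)` gives a web-reachable CGI domain read access to the local account list, and nothing in the hunk records why the script needs it. The grant covers the passwd file only, not shadow, so the exposure is limited to account names and home directories. A short comment such as `# CGI resolves uids to names (getpwuid)`, if that is indeed the trigger, would let a later maintainer drop the rule when the cause goes away. The enclosing optional_policy block starts before this hunk.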
@@ -116553,7 +117068,7 @@ index 55a3e2f..133f47b 100644
/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
-index ed1af3c..ac7822b 100644
+index ed1af3c..aa411a1 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -24,7 +24,7 @@ template(`milter_template',`
@@ -116565,13 +117080,16 @@ index ed1af3c..ac7822b 100644
allow $1_milter_t self:fifo_file rw_fifo_file_perms;
-@@ -35,8 +35,13 @@ template(`milter_template',`
+@@ -35,8 +35,16 @@ template(`milter_template',`
# Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+ corenet_tcp_bind_generic_node($1_milter_t)
+ corenet_tcp_bind_milter_port($1_milter_t)
+
++ dev_read_rand($1_milter_t)
++ dev_read_urand($1_milter_t)
++
files_read_etc_files($1_milter_t)
+ kernel_dontaudit_read_system_state($1_milter_t)
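Review bot: `dev_read_rand($1_milter_t)` is added inside `milter_template`, so every milter domain built from the template gains read access to /dev/random, not only the one that produced the denial. On kernels of this period, reads from /dev/random draw on the blocking entropy pool, so a mail-facing filter that reads it repeatedly can stall itself or other consumers; `dev_read_urand($1_milter_t)` is normally sufficient for a daemon. If one milter genuinely needs the blocking device, I would keep only `dev_read_urand` in the template and grant `dev_read_rand` in that single domain's own rules. The template body starts and ends outside this hunk.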
@@ -116579,7 +117097,7 @@ index ed1af3c..ac7822b 100644
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
-@@ -57,7 +62,7 @@ interface(`milter_stream_connect_all',`
+@@ -57,7 +65,7 @@ interface(`milter_stream_connect_all',`
attribute milter_data_type, milter_domains;
')
@@ -116588,7 +117106,7 @@ index ed1af3c..ac7822b 100644
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
')
-@@ -76,12 +81,29 @@ interface(`milter_getattr_all_sockets',`
+@@ -76,12 +84,29 @@ interface(`milter_getattr_all_sockets',`
attribute milter_data_type;
')
@@ -116619,7 +117137,7 @@ index ed1af3c..ac7822b 100644
## Manage spamassassin milter state
## </summary>
## <param name="domain">
-@@ -100,3 +122,22 @@ interface(`milter_manage_spamass_state',`
+@@ -100,3 +125,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
@@ -128684,7 +129202,7 @@ index b524673..1cca3d2 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..ff8abbe 100644
+index 2af42e7..5914c2b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -128728,7 +129246,7 @@ index 2af42e7..ff8abbe 100644
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched signal };
-+allow pppd_t self:process { getsched setsched signal };
++allow pppd_t self:process { getsched setsched signal_perms };
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
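Review bot: The new `self:process` rule uses `signal_perms`, which in the reference policy expands to sigchld, sigkill, sigstop, signull and signal, while the changelog entry only asks for signull. The target is `self`, so the extra permissions stay within pppd's own processes, but the rule still grants more than the stated need. `allow pppd_t self:process { getsched setsched signal signull };` would match the description exactly.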
@@ -140512,7 +141030,7 @@ index 0000000..bab5617
+
diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te
new file mode 100644
-index 0000000..51c9a04
+index 0000000..a9c3d0c
--- /dev/null
+++ b/policy/modules/services/svnserve.te
@@ -0,0 +1,55 @@
@@ -140556,9 +141074,9 @@ index 0000000..51c9a04
+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+corenet_udp_bind_generic_node(svnserve_t)
-+#corenet_tcp_connect_svn_port(svnserve_t)
-+#corenet_tcp_bind_svn_port(svnserve_t)
-+#corenet_udp_bind_svn_port(svnserve_t)
++corenet_tcp_connect_svn_port(svnserve_t)
++corenet_tcp_bind_svn_port(svnserve_t)
++corenet_udp_bind_svn_port(svnserve_t)
+
+domain_use_interactive_fds(svnserve_t)
+
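Review bot: Uncommenting `corenet_tcp_connect_svn_port(svnserve_t)` lets the server domain open outbound connections to the svn port, which a listening daemon does not obviously need; the bind rules are what "Fix svnserve policy" would seem to require. I would leave the connect rule out until an AVC shows it is needed, and ask the same of `corenet_udp_bind_svn_port(svnserve_t)` if svnserve only listens on TCP. The hunk shows only `corenet_udp_bind_generic_node`; a matching `corenet_tcp_bind_generic_node(svnserve_t)` may exist outside the visible lines and should be confirmed, since a TCP port bind also needs the node bind.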
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3192b2b..18231b0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 167%{?dist}
+Release: 168%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Mar 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-168
+- Add files_dontaudit_read_all_sockets interface
+- Add gnome_dontaudit_rw_inherited_config interface
+- Allow httpd_collectd_script to read /etc/passwd
+- Allow milter domains to read /dev/random
+- Backport readahead fixes from F18
+- Allow collectd to read utmp
+- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t
+- Fix svnserve policy
+- Add additional fixes for ecrypts
+- Add additional interface for ecryptfs
+- Dontaudit leak fd for mozilla_plugin_config
+- Allow pppd to send signull
+
* Mon Feb 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-167
- Fix dup decl for munin plugins
- Allow logwatch to domtrans to mdadm